Triennial HIPAA Privacy Notice Requirement

Self-funded employers that have not distributed their privacy notice in the last three years should do so now.

August 27, 2025

Under the HIPAA Privacy Rule, employers that sponsor self-funded group health plans—including health reimbursement arrangements (HRAs) and health flexible spending accounts (health FSAs)—must take action at least once every three years to remind participants of their privacy rights and how protected health information (PHI) is used. This is done by developing and distributing a Notice of Privacy Practices (NPP), often referred to as the privacy notice, to plan participants.

Therefore, self-funded employers that have not distributed their privacy notice in the last three years should do so now to meet the triennial requirement.

When the Notice Must Be Provided

Notice must be provided at the following times:

  • At enrollment – to all new enrollees when they first join the plan.
  • On request – anytime a participant asks for a copy.
  • After material changes – redistribute within 60 days of any significant updates.
  • Every three years – plans must either redistribute the notice or notify participants how to obtain a copy. Note that if the benefit guide includes the HIPAA Privacy Notice and informs employees where to request a copy, this satisfies the triennial obligation.

Who Must Provide the Notice

The following plans must provide notice.

Self-funded plans (including HRAs and FSAs):

  • Employers must maintain and distribute their own privacy notice.

Fully insured plans:

  • The carrier/insurer is generally responsible for the NPP.
  • If the employer does not access PHI for plan administration, it has no independent notice obligations.
  • If the employer does access PHI for plan administration, it must maintain a privacy notice but only needs to provide it upon request.
  • Access to enrollment information, summary health information and PHI provided under a HIPAA authorization does not count as plan administrative access.

Additional Considerations

To ensure compliance, consider these additional steps and resources:

  • If the health plan maintains a website, the current privacy notice must be prominently posted and updated with revisions.
  • HHS provides customizable model notices in three formats for employers to access.
  • Employers may want to provide refresher HIPAA training if they haven’t done so in a while.

The above information does not constitute advice. Always contact your employee benefits broker or trusted advisor for insurance-related questions.

Authored by

Lorenna Siegrist

EB Compliance Practice Leader

Orlando

With more than 32 years of industry experience, Lorenna helps clients understand and keep abreast of complex healthcare plan requirements and the ever-changing regulatory environment. She supports both clients and Hylant teams by delivering tailored communication materials, hosting seminars, and providing strategic insights that empower exceptional service delivery.