To many group health plan sponsors, the distribution of the “Notice of Privacy Practices” required by HIPAA’s privacy regulations (the “Privacy Rule”) may be no more than a distant memory. Well, dust off those HIPAA privacy notices because, according to the Privacy Rule, “No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.” Thus, those “small plans” that were originally subject to the Privacy Rule as of April 14, 2004, must comply with this “reminder” requirement by April 14, 2007.
The Privacy Rule does not actually require the plan to redistribute the privacy notice in its entirety. Instead, the plan must simply remind participants of its availability. Some plan sponsors may decide that it’s just as easy to redistribute the notice. For those who do not, there are a number of potential methods for distributing the privacy reminder. One possibility is to add a short notice to any other communication that is scheduled to be sent to plan participants. For example, if the plan sponsor will be distributing a new summary plan description, the reminder could be included with the SPD.
The Department of Health and Human Services has indicated informally that health plans may arrange to have another person or entity – for example, a group administrator – distribute the reminder notice on its behalf. If the other person or entity fails to distribute the reminder to the plan’s enrollees, however, the plan may be in violation of the Privacy Rule. Thus, plan sponsors should be certain to clarify whether they or their administrator will be responsible for sending this reminder.