What are the HIPAA privacy notice requirements for employers that sponsor a group health plan?

April 22, 2014

The HIPAA Privacy Rule went into effect in April 2003 and requires covered entities to provide a HIPAA Notice of Privacy Practices. For employers that sponsor a group health plan, this communication is typically provided in open enrollment packets.

Covered entities are required to provide a notice in plain language that describes:

How the covered entity may use and disclose protected health information (PHI) about an individual.
The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
Whom individuals can contact for further information about the covered entity’s privacy policies.

Although these notices have largely remained unchanged since 2003, the 2013 Omnibus Final Rule required employers to make several additions to the privacy notice no later than Sept. 23, 2013, and to redistribute the notice to participants.

The following additions to the privacy notice are required under the 2013 final rule:

The limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes.
The prohibition on the sale of PHI without the individual’s authorization.
A statement about the impermissible use of genetic information for underwriting and employment purposes.
A statement about the obligations of covered entities to maintain the privacy of an individual’s PHI and the right of an individual to be notified if a breach occurs.

An employer should also make any other changes that may have occurred since the privacy notice was last updated, for example, changes in vendors, telephone numbers and privacy officers.

The U.S. Department of Health and Human Services (HHS) has determined that the required changes are material, and a material change triggers distribution of the revised notice to plan participants. An employer that maintains a benefits website had to post the revised notice on that website no later than Sept. 23, 2013, and must also include the revised notice in the next annual mailing to plan participants. An employer that does not maintain a benefits website must provide the revised notice to participants within 60 days of the material revision; with the Sept. 23, 2013, compliance deadline, that meant distributing the notice to participants no later than Nov. 22, 2013. Electronic delivery such as e-mail is permissible as long as the participant has consented to receive the notice electronically.

Beyond redistribution after a material change, the Notice of Privacy Practices must also be provided as follows:

A covered entity must make its notice available to any person who asks for it.
A covered entity must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits.

Health plans must also:
Provide the notice to new enrollees at the time of enrollment.
Provide a separate notice to individuals who are covered by the plan at least every three years informing them that the Notice of Privacy Practices is available and how to obtain the notice. Some employers choose to distribute the Notice of Privacy Practices in its entirety each year, or at least every three years, with open enrollment materials to fulfill this requirement.

Thanks to SHRM (Society for Human Resource Management) for this article.