Triennial HIPAA Privacy Notice Requirement

Under the HIPAA Privacy Rule, employers that sponsor self-funded health plans must develop and distribute a privacy notice to all enrollees in the following circumstances:

• To new enrollees at the time of enrollment
• Within 60 days of a material change to the notice
• Any time upon a participant’s request

Additionally, at least once every three years health plans must provide the privacy notice or notify participants that the privacy notice is available and include instructions for how to obtain a copy. Therefore, self-funded employers that have not distributed their privacy notice in the last three years should do so now in order to meet the triennial requirement.

The privacy notice requirements for a health plan vary depending on whether the plan is self-funded or fully insured. Sponsors (frequently employers) of self-funded health plans are required to maintain and provide their own privacy notices.

However, if the plan is fully insured, the health insurance issuer or carrier, and not the health plan itself, is primarily responsible for the privacy notice. If the sponsor of a fully insured plan does not have access to protected health information (PHI) for plan administrative functions, it is not required to maintain or provide a privacy notice at all. If the sponsor of a fully insured plan does have access to PHI for plan administrative functions, it is required to maintain a privacy notice and to provide the notice, but only upon request.

Note that a plan sponsor’s access to enrollment information, summary health information and PHI that is released pursuant to a HIPAA authorization does not qualify as having access to PHI for plan administration purposes.

Reach out to your Hylant representative for further information. Don’t have one? Contact us here.

The above information does not constitute advice. Always contact your employee benefits broker or trusted advisor for insurance-related questions.