Under the HIPAA Privacy Rule, employers who sponsor self-funded health plans must develop and distribute a privacy notice to all enrollees at least once every three years, or notify participants that the privacy notice is available and explain how to obtain a copy.
Due to guidance issued by the Department of Health and Human Services in January 2013, most employers updated their health plan privacy notice in September 2013 and distributed it to enrollees in the fall of 2013. Another notice should have been provided three years later, in the fall of 2016. If a third privacy notice has not been distributed since 2016, now is the time to do so in order to meet the triennial requirement.
The privacy notice requirements for a health plan vary depending on whether the plan is self-funded or fully insured. Sponsors (frequently employers) of self-funded health plans are required to maintain and provide their own privacy notices.
However, if the plan is fully insured, the health insurance issuer or carrier, and not the health plan sponsor, is primarily responsible for the privacy notice. If the sponsor of a fully insured plan does not have access to protected health information (PHI) for plan administrative functions, it is not required to maintain or provide a privacy notice at all. If the sponsor of a fully insured plan does have access to PHI for plan administrative functions, it is required to maintain a privacy notice and to provide the notice, but only upon request.
Note that a plan sponsor’s access to enrollment information, summary health information and PHI that is released pursuant to a HIPAA authorization does not qualify as having access to PHI for plan administration purposes.
If you have questions, contact your Hylant representative for assistance.
The above information does not constitute advice. Always contact your employee benefits broker or trusted adviser for insurance-related questions.