Employers that sponsor a health care plan know they must comply with various provisions of the Health Insurance Portability and Accountability Act (HIPAA).
One of these is that you must notify all persons from whom you collect medical information — whether directly or indirectly (such as when filling a prescription) — of their rights to privacy. This notification is generally carried out by distributing a “Notice of Privacy Practices,” which is sometimes also referred to as a “Notice of Information Practices.”
A couple common questions that arise regarding a HIPAA Notice of Privacy Practices are: 1) How often should it be updated? 2) When should an updated notice be distributed to plan participants?
Material changes
The good news is you don’t need to update a notice according to an annual deadline. However, the most current notice must accurately describe:
Thus, you must promptly revise the notice whenever there’s a “material” change to any of the information or privacy practices stated therein. Except when required by law, material changes to a plan cannot be implemented until they’re reflected in the notice.
Unfortunately, HIPAA regulations don’t define when a change is material. In the preamble to the 2000 privacy rule, the U.S. Department of Health and Human Services (HHS) encouraged HIPAA-covered entities to refer to other notice laws to understand the concept of materiality. One example given was how material changes are typically defined for summary plan descriptions under the Employee Retirement Income Security Act. Also, the HHS considered changes made by the 2013 omnibus regulation to be material and required updated notices at that time.
Evaluate amendments to the HIPAA rules carefully when they occur to determine whether they’re material and require changes to your notice. Revisions to plan operations, such as new procedures for giving someone access to PHI in a designated record, could require an updated notice as well.
Deadlines for updates
HIPAA rules establish deadlines by which your plan must distribute updated notices that incorporate material changes. The requirements vary depending on whether your plan maintains a website.
If your plan has a website, then you can satisfy the requirement to distribute an updated notice by posting it on the plan website by the effective date of the material change. You must then provide a hard copy of the updated notice — or information about the material change and how to obtain the revised notice — in the plan’s next annual mailing to participants.
If your plan doesn’t have its own dedicated website, you must furnish the revised notice — or information about the material change and how to obtain the revised notice — to participants within 60 days after the revision.
Note: Mailing a hard copy is always required unless a participant has consented to receiving electronic notices only.
Important component
The HIPAA Notice of Privacy Practices is an important component of every health care plan. However, it’s easy to overlook. We can help you assess the costs and risks of any employee benefit offered or considered by your organization.
If you have any questions about the content of this publication, or if you would like more information about HoganTaylor's Employee Benefit Plans practice, please contact Gwen Mazzola, Employee Benefit Plans Practice Lead.
INFORMATIONAL PURPOSE ONLY. This content is for informational purposes only. This content does not constitute professional advice and should not be relied upon by you or any third party, including to operate or promote your business, secure financing or capital in any form, obtain any regulatory or governmental approvals, or otherwise be used in connection with procuring services or other benefits from any entity. Before making any decision or taking any action, you should consult with professional advisors.