HIPAA: Notice Requirements

January 30, 2020 Erica Manhardt

Who must provide HIPAA Notices?

Covered entities (typically the Health Plan) must provide a notice to their members that describes the following:

1. Uses and disclosures of PHI made by the covered entity;

2. Individual rights regarding the PHI; and

3. The covered entity's responsibility and legal duties regarding the PHI.

Who must receive the HIPAA Notice?

HIPAA notices must be provided to all individuals who are covered by the plan. If the employee has family coverage, one single notice is sufficient for all dependents covered under that employee.

When must HIPAA notices be provided?

A Health Plan must provide the HIPAA Notice of Privacy Practices at the time of an individual’s enrollment in the plan, upon request by any person, and at least once every three years.

Finally, if the covered entity makes a material change to its uses or disclosures, individual rights, legal duties or other privacy practices, the Notice must be revised and re-distributed. In this instance, the new Notice may be posted to the website and then distributed in the entity’s next annual mailing. If there is no website, the Notice must be distributed within sixty (60) days of the revision.

How must the HIPAA Privacy Notice be distributed?

A covered entity must make the Notice available on its website if the website contains information concerning any customer services or benefits which are made available.

The notice must also be delivered to the individuals who are covered by the plan. This can be done via first class mail, delivery with other written materials distributed to their enrollees (i.e. with an SPD or enrollment materials), or delivered electronically.

If a covered entity wishes to deliver the Notice electronically, it must follow the electronic distribution rules, which include, but are not limited to, the individual giving consent to receive the notice electronically.

Information to be included in the Privacy Notice

The Department of HHS has issued a model notice which may be used to satisfy the Privacy Notice requirements. However, if a plan does not want to utilize the model notice, the following elements must be present:

Required Header
Four Required Uses and Disclosures
Disclosure Statements regarding money raising (if applicable)
Individual Rights
Covered Entity’s Duties
How to make a complaint
Contact information
Limited Use Information
Right to Revise Notice Statement
Effective Date

This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.