Health Law Bulletin
Deadline For Health Plans To Notify Enrollees Regarding
Notice of Privacy Practices Under HIPAA Is Fast Approaching
By Christopher J. Scott
The third anniversary of the Privacy Rule compliance date under the Health Insurance Portability and Accountability Act (“HIPAA”) will occur on April 14, 2006. The HIPAA Privacy Rule requires certain health plans to remind enrollees of the availability of the plans’ Notice of Privacy Practices, as well as how to obtain a copy, no less frequently than once every 3 years. Health plans under HIPAA are defined as individual or group plans that provide, or pay the cost of, medical care. Such plans may include a group health plan, a health insurance issuer, an HMO, or an employee welfare benefit plan, among others. The Privacy Rule protects individually identifiable health information (i.e., protected health information) from disclosure without prior authorization. The Notice of Privacy Practices defines how a health plan will use and protect a covered individual’s protected health information. Fully insured health plans that do not receive protected health information other than for enrollment or disenrollment purposes do not need to send participants a Notice of Privacy Practices.
When the Privacy Rule first went into effect, most health plans were required to distribute their Notice of Privacy Practices to subscribers and enrollees by April 14, 2003. Therefore, health plans, other than the fully insured plans described above, that have not already reminded subscribers and enrollees in some manner of the availability of their Notice of Privacy Practices and how they may obtain a copy, must now do so no later than April 14, 2006. For small health plans, meaning health plans with annual receipts not exceeding $5 million (measured by premiums paid for a fully-insured plan and by claims paid for a self-insured plan), which had until April 14, 2004, to first distribute their Notices of Privacy Practices, the compliance date for the triennial reminder notice requirement is April 14, 2007. Health plans that have not already provided a reminder to their subscribers and enrollees should act quickly to meet this requirement using the most efficient means, such as including the reminder notice of the availability of the Notice of Privacy Practices in open enrollment materials, a group health plan newsletter provided to all members, or similar all-member mailings.
Health plans may have already satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule. Further, a plan may have included information regarding the availability of its Notice of Privacy Practices in annual communications sent to subscribers and enrollees of the plan. In these cases, the health plan should not be concerned by the April 14, 2006 deadline.
A health plan can satisfy the requirement by providing the reminder notice to the named insured of a policy under which coverage is provided, without having to also provide the reminder notice to any covered dependents of the insured. For example, if an employee of a firm and her three dependents are covered under a single health plan policy, that health plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each of her dependents.
For questions regarding compliance with the Privacy Rule or any other HIPAA-related issues, please contact Christopher J. Scott, Esq., a member of the Health Law Practice Group, or Kelly A. McCarthy, Esq., coordinator of the Health Law Practice Group at Bulkley, Richardson and Gelinas, LLP, at 413-781-2820.