QUESTION: Our company sponsors a self-insured health plan. We maintain a HIPAA Notice of Privacy Practices. How often do we need to update the Notice? When must we distribute the updated Notice to plan participants?
ANSWER: Your Notice does not need to be updated according to any particular timeline, but it must accurately describe your plan’s uses and disclosures of protected health information (PHI), individuals’ HIPAA rights, and the plan’s legal duties with respect to PHI. Thus, you must promptly revise the plan’s Notice whenever there is a material change to any of the information or privacy practices stated in the Notice. Except when required by law, material changes cannot be implemented until they are reflected in the plan’s Notice.
The HIPAA regulations do not define when a change is “material.” In the preamble to the 2000 privacy rule, HHS encouraged HIPAA covered entities to refer to other notice laws, such as ERISA’s requirements for summary plan descriptions, to understand the concept of materiality. HHS considered the changes made by the 2013 omnibus regulation to be material and required updated notices at that time (see our Checkpoint article). Future amendments to the HIPAA rules should be evaluated to determine whether they require changes to your Notice. Also, changes in your plan operations, such as changes to the plan’s procedures for giving an individual access to PHI in a designated record set, may require an updated Notice.
The HIPAA rules establish deadlines by which your plan must distribute updated Notices that incorporate material changes. The requirements vary depending on whether your plan maintains a website. If your plan does not maintain a website, then the revised Notice (or information about the material change and how to obtain the revised Notice) must be furnished to participants within 60 days after the material revision to the Notice. Mailing a hard copy is required unless a participant has consented to receiving electronic notice.
If your plan has a website, then it may satisfy the requirement to distribute an updated Notice by posting the updated Notice on its website by the effective date of the material change and then providing a hard copy of the updated notice (or information about the material change and how to obtain the revised notice) in the plan’s next annual mailing to participants.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVII.G (“Right to Receive Notice of Privacy Practices”) and the manual’s Sample Notice of Privacy Practices.
Contributing Editors: EBIA Staff.