Is a health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices?
Yes. The Privacy Rule requires a health plan to remind enrollees of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, no less frequently than once every 3 years. See 45 CFR 164.520(c)(1)(ii).
Health plans may satisfy this requirement in a number of ways, including by:
- Sending a copy of their Notice of Privacy Practices.
- Mailing only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy.
- Including in a plan-produced newsletter or other publication information about the availability of the Notice of Privacy Practices and how to obtain a copy.
Health plans already may have satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule. See 45 CFR 164.520(c)(1)(i)(C). Moreover, a plan may have included information regarding the availability of its Notice of Privacy Practices in annual communications sent to subscribers and enrollees of the plan.
A health plan can satisfy the requirement by providing the reminder notice to the named insured of a policy under which coverage is provided to that named insured and one or more dependents. See 45 CFR 164.520(c)(1)(iii). For instance, if an employee of a firm and her three dependents are covered under a single health plan policy, that health plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each dependent.
This information is especially timely as the third anniversary of the compliance date of the HIPAA Privacy Rule nears. Health plans, other than small health plans, were first required to distribute their Notice of Privacy Practices to subscribers and enrollees by April 14, 2003. Thus, those health plans that have not already reminded subscribers and enrollees in some manner of the availability of their Notice of Privacy Practices and how they may obtain a copy, must do so no later than April 14, 2006. For small health plans, which had until April 14, 2004, to first distribute their Notices of Privacy Practices, the compliance date for the triennial reminder notice requirement is April 14, 2007. These plans can begin to prepare now to meet this requirement using the most efficient means, such as including the reminder notice of the availability of the Notice of Privacy Practices in open enrollment materials, a group health plan newsletter provided to all members, or similar all-member mailings.