Model Notices of Privacy Practices Available to Meet Fast Approaching Deadline
On Monday, Sept. 16, 2013, the Department of Health and Human Services Office for Civil Rights released model Notices of Privacy Practices (NPPs) for health plans to use to communicate with their covered employees. The model NPPs reflect recent changes made by the final regulations addressing the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A "covered entity," including an employer-sponsored group health plan, is generally required to update the NPP that it posts on its website and provides to covered employees by Sept. 23, 2013. Employers and governmental sponsors of self-funded group health plans may use the model NPPs to satisfy this obligation.
This Ice Miller e-alert reminds employers and governmental sponsors of group health plans of the distribution and timing rules for the Notice of Privacy Practices, including the deadline by which a revised NPP must be provided.
Health Plans to Which the NPP Applies
An employer is required to provide a NPP with respect to all of the self-insured benefits in the group health plans it sponsors that pay for the cost of, or provide, health, prescription drug, dental, vision or medical flexible spending benefits. Other benefits, such as life insurance, disability benefits or accidental death and dismemberment insurance, are not subject to the HIPAA Privacy Rule, and therefore employers are not required to provide a NPP with respect to these benefits. An employer is not required to develop or send a NPP with respect to its fully-insured group health plans.
Initial Distribution of Revised NPP
The required changes to the NPP under the final regulations constitute a "material change" to the NPP, and, accordingly, the revised NPP must be distributed by the following deadlines:
(i) If the employer currently posts its NPP on its website, the revised NPP must be posted to
the website by Sept. 23, 2013, and the employer must provide the revised NPP in its next
mailing to all employees then covered by the plan, such as at the beginning of the plan
year or during the open enrollment period. An employer is required to post its NPP online if
it maintains a website that provides customer services for its health plan. Such posting
must be prominently displayed on the website.
(ii) If the employer does not currently post its NPP on its website, the revised NPP must be
provided to all employees then covered by the plan by Nov. 23, 2013.
Subsequent Distribution of NPP
Following this initial distribution of the revised NPP, and until the NPP is next modified by a "material change," the NPP is only required to be provided to employees at the time of their enrollment in the health plan. At least once every three years thereafter (unless there is another material change), all employees then covered by the plan must be notified of the availability of the NPP and how to obtain a copy. There is no annual requirement to distribute the NPP to all covered employees, although including the NPP in annual open enrollment materials satisfies the obligation to notify employees of the availability of the notice.
Electronic Distribution of NPP
An employer may provide the NPP to covered employees by email, but only if the employee agrees to receive the notice electronically and such agreement is not withdrawn. If the employer knows that the email transmission has failed, it must provide a paper copy. A paper copy must also be provided to any covered employee who requests one, even if that individual has agreed to electronic receipt. The deadlines for emailing the NPP are the same as provided above.
The employer must document its compliance with the requirement to provide the NPP by retaining a copy of the NPPs it issues for at least six years.
Other Changes to the HIPAA Privacy Rule
Plan sponsors should be aware that the final regulations addressing the HIPAA Privacy Rule also affect:
(i) business associate agreements (BAAs) maintained between an employer, on behalf of its
group health plan, and the business associates that use or disclose the plan's protected
(ii) the HIPAA privacy policies and procedures an employer maintains with respect to its group
The general applicability date of the final regulations is Sept. 23, 2013, and the rules must be followed in operation as of such date. BAAs must generally be updated to reflect the new rules by Sept. 23, 2013. However, a special transition rule applies for BAAs already in place as of Jan. 25, 2013, and for which the underlying contract between the plan and business associate is not renewed between March 26, 2013, and Sept. 23, 2013. Those BAAs must be updated by the earlier of (i) the next renewal after Sept. 23, 2013, or (ii) Sept. 23, 2014.
If you have any questions or would like additional information regarding a plan sponsor's obligations under the HIPAA Privacy Rule, please contact Chris Sears, Tara Sciscoe, Mary Beth Braitman, Shalina Schaefer, or any member of Ice Miller's Employee Benefits Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.