HIPAA: Notice of Privacy Practices
July 6, 2017
HIPAA requires that group health plans distribute to participants a Notice of Privacy Practices describing the plan's current practices for protecting personal health information (PHI). The Notice of Privacy Practices must describe three things:
- The uses and disclosures of PHI that may be made by the group health plan;
- Plan participants’ privacy rights;
- The group health plan’s legal responsibilities concerning handling PHI.
All employers must distribute HIPAA Privacy Notices if the plan is self-funded or if the plan is fully insured and the plan has access to PHI. The notice must be provided to all participants upon enrollment, upon request, and at least every 3 years—sooner in the case of material changes to the plan’s privacy practices.
A common mistake employers make is to rely on the notice of privacy practices (NPP) provided by their health insurance company when they offer various plans subject to HIPAA. For example, if an employer offers medical, dental, and a Health FSA, and the only NPP that is sent is from the health insurance company, then the employer has not provided a notice for the dental plan or the Health FSA.