There has been much confusion surrounding the Health Insurance Portability and Accountability Act (HIPAA) notices, specifically whether they have to be distributed every year or not. The answer is “no”, but if you are self-insured, or fully insured and see protected health information (PHI), you have to make sure they are distributed every third year. As such, most employers do it every year so they do not forget - I agree with that approach.
The HIPAA Privacy Rule established a set of national standards to protect certain health information (Privacy Standards). These Privacy Standards apply to specific entities (Covered Entities) including health care providers, health plans, and health care clearinghouses. The Privacy Standards give individuals certain rights over how their health information may be used or disclosed - these individuals have a right to know about their rights.
Protected Health Information
Not only must Covered Entities abide by the Privacy Standards, but they are also required to let covered individuals know about these standards by providing a notice. This notice communicates what the Privacy Standards are and is referred to as the Notice of Privacy Practices. Self-insured health plans (and fully insured health plans that get PHI) are responsible for providing this notice to covered individuals at the time of enrollment, to all newly eligible participants, and within 60 days of a material change to the notice. If your plan is fully insured and you do not have any exposure to PHI, the insurer is likely handling this notice distribution.
In addition to the Notice of Privacy Practices, a reminder notice must be distributed every three years notifying individuals covered by the health plan that the Notice of Privacy Practices is available and how they can obtain a copy of it. Basically, you are sending a notice to participants that they have the right to receive a HIPAA Notice of Privacy Practices. The notice will have contact information for whom to request the form from. This notice may be sent electronically.
When to Send Plans
When final regulations were released, they required that all health plans send an updated Notice of Privacy Practices by November 23, 2013. You may recall that date is clearly stated in the notice itself. That is probably the last time the format of the business associate agreements was modified. Based on this date, the 3-year reminder requirement would be coming up this month (November 23, 2016), and plans would need to send out this reminder notice.
But as stated, many employers who have health plans provide the Notice of Privacy Practices each year as part of their open enrollment process, which eliminates the need to provide a three-year reminder. If you are uncertain whether you have provided this notice each year, use caution and send out a notice this month.