Under the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule, covered health plans were required to deliver a privacy notice to plan participants by April 14, 2003, for large entities (i.e., plans with annual receipts exceeding $5 million) and by April 14, 2004, for small entities (i.e., plans with annual receipts of $5 million or less). Thereafter, health plans are required to remind participants of the availability of the privacy notice, as well as how to obtain a copy, no less frequently than once every three years.
Large entities that haven't provided this reminder since April 14, 2006, have until April 14, 2009, to do so; small entities that haven't provided a reminder since April 14, 2007, have until April 14, 2010.
The Department of Health and Human Services provides these methods for meeting the reminder requirement:
- mailing a copy of the actual privacy notice;
- mailing a reminder concerning the availability of the privacy notice and information on how to obtain a copy; or
- including a reminder in a plan-produced newsletter or other publication.
A plan satisfies its obligation by furnishing the reminder to the "named insured"; the reminder does not have to be sent to spouses and dependents.
Heads up: Health plans may have already satisfied the reminder requirement if they:
- adopted the practice of sending the privacy notice to plan participants annually;
- recently made substantial amendments to their privacy notice and, as a result, sent the revised privacy notice to participants; or
- included information regarding the availability of the privacy notice in annual communications sent to participants.