Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Focused on weathering the blizzard of amendments to business associate agreements required by the HITECH Act, employers understandably could lose sight of the April 14, 2010 deadline for providing the “triennial reminder” required by the HIPAA Privacy Rule. Under that regulation, employers who sponsor one or more HIPAA-covered plans must, no less frequently than once every three years, “notify individuals then covered by the plan of the availability of the [plan’s] notice [of privacy practices] and how to obtain the notice.” For small health plans, i.e., those with annual receipts of $5 million or less, the original HIPAA compliance date was April 14, 2004, meaning that 2010 is a triennial reminder year. HIPAA-covered plans for which an employer would be required to provide the triennial reminder include self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; a pharmacy benefits plan; a long-term care (not long-term disability) plan; and an employee assistance program.
Employers are required only to explain how current plan participants can obtain a copy of their HIPAA notice of privacy practices. Employers are not required to redistribute their privacy notice, although they can do so to satisfy the requirement. Employers also can provide the triennial reminder through an e-mail blast with a link to the notice on the corporate intranet or with contact information for an internal employee or a business associate’s representative who can provide a paper copy of the notice. Another alternative would be to include information about the privacy notice with enrollment information that is distributed during the employer’s annual open enrollment season.
This entry was written by Philip L. Gordon.