Imminent HIPAA Notice Obligation for Small Health Plans

The privacy rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that a health plan remind participants of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, at least once every three years. Small health plans, defined under Department of Health and Human Services (DHHS) regulations as those with annual receipts of $5 million or less, were initially required to provide participants with a Notice of Privacy Practices by April 14, 2004 (all other health plans by April 14, 2003). Therefore, the small health plan deadline for complying with this requirement is April 14, 2007. (All other health plans were required to comply by April 14, 2006.)

Methods for Satisfying this Requirement

Under DHHS guidance, this notice requirement may be satisfied in any of the following ways:

  1. Sending a copy of the health plan's actual Notice of Privacy Practices to all participants;
  2. Sending a simple reminder of the availability of the Notice of Privacy Practices to participants, as well as information on how to obtain a copy; or
  3. Including information in a newsletter or other plan publication on the availability of the plan's Notice of Privacy Practices and how to obtain a copy.

Regardless of which method is chosen, it is important to note that a plan's Notice of Privacy Practices should be updated on an ongoing basis to reflect any changes to the health plan's privacy practices. In addition, HIPAA mandates that plans with a website keep the Notice of Privacy Practices posted on the website and make it available to participants electronically through the website.

Individuals Who Must Receive the Reminder or the Notice

All plan participants must receive the Notice of Privacy Practices or the reminder. Notification to a participant is sufficient; no separate notice or reminder need be made to covered dependents. The Notice or reminder must also be made available to anyone covered by the plan who requests a copy.

Please note, however, that certain plans may have, in the last three years, prepared and forwarded a revised Notice to participants reflecting the changes that had been implemented in their privacy practices. These plans will already have satisfied their three year requirement. They will then have three years from the date of the most recent Notice mailing in which to send another Notice or a reminder.

Sample Reminder

The following is a model that is intended to satisfy the reminder requirement through either individual participant mailing, or publication in a newsletter or other plan material, for those plans choosing not to send the actual Notice of Privacy Practices. Should you have any questions with regard to implementing this requirement for your health plan, please contact your Littler attorney.

HIPAA Notice of Privacy Practices Reminder

This letter is to remind you of the availability of the Notice of Privacy Practices for the [Plan name] ("Plan"). This Notice was originally sent to you in 2004 when the Plan implemented the privacy requirements of the Health Insurance Portability and Accountability Act of 1996.

The Notice of Privacy Practices describes how medical information about you on file with the Plan may be used and disclosed, as well as how you can access your medical information. In general, your individual health information may be used and disclosed for treatment, payment and operations purposes of the Plan, as well as other uses and disclosures allowed and/or required by law.

In order to obtain a copy of the Plan's Notice of Privacy Practices, which specifically outlines these uses and disclosures, please contact:

[Privacy Officer and/or other contact Name]
[Fax and Phone Information]

The privacy of participant information is of the highest priority to us. Should you have any questions regarding this notice or the Notice of Privacy Practices, you may contact the above named Privacy Official during normal business hours.

Lisa A. Taggart is an Associate in Littler Mendelson's Philadelphia office. If you would like further information, please contact your Littler attorney at 1.888.Littler,, or Ms. Taggart at

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.