Background

Most health plans were required to send an initial Notice of Privacy Practices to participants by April 14, 2003. This Notice describes how the health plan uses and discloses protected health information (PHI) and important federal rights that individuals have with respect to their own PHI.¹

The privacy rule also requires health plans to provide participants with a reminder about the availability of this Notice (and how to obtain the Notice) at least once every three years. This means that health plans must provide the first such reminder no later than April 14, 2006, if they have not already done so.

The actual deadline would vary depending on when the plan sent its initial Notice. For example, if a plan sent its initial Notice on March 14, 2003 (a month early), the reminder would need to be provided no later than March 14, 2006.

New OCR Guidance on Compliance with the Reminder Requirement

On March 6, 2006, OCR released guidance in the form of an answer to a Frequently Asked Question (FAQ).² This FAQ addresses the various ways that plans can comply with the reminder requirement. The FAQ confirms that plans are not required to re-send the actual Notice of Privacy Practices, but may choose to comply with the reminder requirement by doing so. The FAQ also states that the following would be acceptable methods of complying with the requirement:

• Including a reminder in a plan-produced newsletter (or similar publication) distributed to all participants;
• Including a reminder in annual communications sent to all participants (for example, open enrollment materials); or
• Mailing a separate reminder to all participants.

The FAQ does not explicitly address including the reminder in the plan's summary plan description (SPD), but this should be sufficient as long as the SPD is (or was) distributed to participants within the required three-year time frame. Nor does the FAQ address whether plans may provide the reminder electronically. Consequently, plans that want to provide the reminder electronically (e.g., via e-mail) will need to consult with counsel. The privacy rule itself permits the actual Notice to be sent electronically provided several important conditions are satisfied, including the requirement that the recipient agree to receive the Notice electronically.

Other important points discussed in the FAQ include:

• The reminder does not need to be sent to beneficiaries/
  dependents. It is sufficient to send the reminder to each participant.
• A health plan that revised its initial Notice of Privacy Practices and sent the revised Notice to its participants within the three-year period would not need to provide a reminder until three years after the revised Notice was sent.
• Small health plans (i.e., those with annual receipts of $5 million or less) have as much as an additional year (no later than April 14, 2007) to comply with the three-year-reminder requirement. The actual deadline would depend on when the small plan actually sent its initial Notice.

1	For more information about the privacy rules, see The Segal Company's October 2002 Bulletin, "Final HIPAA Privacy Rules" (To return to the Capital Checkup text, click here.)
2	To see the answer to this FAQ, click here (To return to the Capital Checkup text, click here.)