Modify Notice of Privacy Practices


The Department of Health and Human Services recently finalized rules related to HIPAA privacy and security. In general, these are changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Non-Discrimination Act (GINA). There are numerous changes in the rule that will require compliance activities on the part of certain employers. This activity focuses on obligations related to a group health plan’s Notice of Privacy Practices (NPP).

Employers Affected

The changes will affect any employer that sponsors a self-insured health plan subject to HIPAA (our FAQs provide more information about the delicate relationship between employers and their self-insured health plans). This includes major medical plans, dental and vision plans, HRAs and Health FSAs and certain types of wellness programs. The extent of the changes will depend on the existing language in a plan’s NPP and the nature of the plan’s activities as described below.

Employer Actions
Review existing NPPs and revise as necessary.
Provide notice to plan of any changes in the NPP required by the final rule.

Timing Requirements

The rule is effective September 23, 2013. Any required modifications to an NPP must be made by that date.

A health plan that posts its notice on its web site must prominently post the change or its revised notice on its web site by the effective date of the change. It must also provide the revised notice or information about the change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.

A health plan that does not post its notice on a web site must provide the revised notice or information about the change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the revision to the notice.

Summary of HITECH Changes to the Privacy Rule Affecting the Content of NPPs

The NPP must contain a statement indicating that the following require authorization:

It must also include statements that:

While it is unlikely that a health plan will engage in fundraising activities, should it wish to do so, the NPP must include notice of an individual’s right to opt out of receiving communications related to such activities.

Summary of GINA Changes to the Privacy Rule Affecting the Content of NPPs

Health plans that perform underwriting must include a statement in their NPPs that they are prohibited from using or disclosing genetic information for such purposes.

Here the key activity for an employer will be to assess which of its plans perform underwriting. “Underwriting” is defined very broadly under the final rule. It specifically includes:

Consequently, many common wellness program designs will require amendments to an NPP.

Click here for a sample notice that incorporates these changes.