How often must a HIPAA Notice of Privacy Practices be updated?

"May 20, 2022 by" Zeitlin & Associates, CPAs

Employers that sponsor a health care plan know they must comply with various provisions of the Health Insurance Portability and Accountability Act (HIPAA).

One of these is that you must notify all persons from whom you collect medical information — whether directly or indirectly (such as when filling a prescription) — of their rights to privacy. This notification is generally carried out by distributing a “Notice of Privacy Practices,” which is sometimes also referred to as a “Notice of Information Practices.”

A couple common questions that arise regarding a HIPAA Notice of Privacy Practices are: 1) How often should it be updated? 2) When should an updated notice be distributed to plan participants?

Material changes

The good news is you don’t need to update a notice according to an annual deadline. However, the most current notice must accurately describe:

Your plan’s uses and disclosures of protected health information (PHI),
Participants’ HIPAA rights, and
The plan’s legal duties with respect to PHI.

Thus, you must promptly revise the notice whenever there’s a “material” change to any of the information or privacy practices stated therein. Except when required by law, material changes to a plan cannot be implemented until they’re reflected in the notice.

Unfortunately, HIPAA regulations don’t define when a change is material. In the preamble to the 2000 privacy rule, the U.S. Department of Health and Human Services (HHS) encouraged HIPAA-covered entities to refer to other notice laws to understand the concept of materiality. One example given was how material changes are typically defined for summary plan descriptions under the Employee Retirement Income Security Act. Also, the HHS considered changes made by the 2013 omnibus regulation to be material and required updated notices at that time.

Evaluate amendments to the HIPAA rules carefully when they occur to determine whether they’re material and require changes to your notice. Revisions to plan operations, such as new procedures for giving someone access to PHI in a designated record, could require an updated notice as well.

Deadlines for updates

HIPAA rules establish deadlines by which your plan must distribute updated notices that incorporate material changes. The requirements vary depending on whether your plan maintains a website.

If your plan has a website, then you can satisfy the requirement to distribute an updated notice by posting it on the plan website by the effective date of the material change. You must then provide a hard copy of the updated notice — or information about the material change and how to obtain the revised notice — in the plan’s next annual mailing to participants.

If your plan doesn’t have its own dedicated website, you must furnish the revised notice — or information about the material change and how to obtain the revised notice — to participants within 60 days after the revision.

Note: Mailing a hard copy is always required unless a participant has consented to receiving electronic notices only.

Important component

The HIPAA Notice of Privacy Practices is an important component of every health care plan. However, it’s easy to overlook. We can help you assess the costs and risks of any employee benefit offered or considered by your organization.