HIPAA Notice of Privacy Practices Notice of Availability

Summary

This template is a notice of availability for a group health plan's notice of HIPAA privacy practices notice, which is required to be provided to covered individuals under the Health Insurance Portability and Accountability Act (HIPAA). This template includes practical guidance, drafting notes, and optional clauses. The HIPAA Privacy Rule requires employer-sponsored group health plans (or the underwriting insurer) to make available to all participants the plan's HIPAA Notice of Privacy Practices, which sets forth certain information regarding the plan's use of protected health information (PHI) and certain rights of the participant regarding their PHI held by the plan. The information must be furnished upon becoming enrolled in the plan and as necessary to reflect material changes to the notice. In addition, a follow-up communication must be issued at least once every three years. The follow-up may consist of an up-to-date version of the Notice of Privacy Practices itself or a Notice of Availability of the Notice of Privacy Practices that includes specific instructions on how to obtain a copy, such as set forth in this template. 45 C.F.R. § 164.520(c)(1)(ii). For insured plans where the plan sponsor does not handle any PHI, the notice requirements fall solely on the insurer. See 45 C.F.R. § 164.520(a)(2). As for the Notice of Privacy Practices itself, the Notice of Availability requirement is satisfied for a participant and all of their participating dependents if the participant receives the notification. 45 C.F.R. § 164.520(c)(1)(iii). HHS posts model notices of privacy practices at their website. Both the privacy practices and availability notice may be furnished by e-mail, but only if (1) the individual has agreed to electronic notice (and not subsequently rescinded such agreement), and (2) the individual is able to receive a paper copy upon request. In any case, a paper copy must be provided if the plan believes the e-mail has not reached the individual. 45 C.F.R. § 164.520(c)(3)(ii). The privacy practices and availability notices must be written in plain language and provided in a clear, concise, and easy to understand manner. Additionally, to the extent a covered entity is obligated to comply with Title VI of the Civil Rights Act of 1964, the covered entity must take reasonable steps to ensure meaningful access for Limited English Proficient persons to the services of the covered entity, which could include translating the Privacy Notice into frequently encountered languages. See 78 Fed. Reg. 5566, 5625 (Jan. 25, 2013). Under a Notice of Proposed Rulemaking, HHS is considering changes to the Notice of Privacy Practices requirements. These include enhanced information for the header and contact information and the section on obtaining access to PHI. The agency also solicited suggestions for improving other aspects of the notice. See 86 Fed. Reg. 6446 (Jan. 21, 2021). Separately, among several changes to Public Health Service Act rules governing the confidentiality of substance use disorder (SUD) records (see 42 U.S.C. § 290dd-2)., Section 3221(i)(2) of the CARES Act (Pub. L. No. 116-136) requires HHS to amend the HIPAA Notice of Privacy Practices regulation to specifically address certain issues relating to SUD records. Although regulations were required to be issued by March 27, 2021, no action has yet been taken. For a full listing of key content covering HIPAA considerations, see HIPAA Resource Kit. For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For more information on HIPAA privacy notice requirements, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules and HIPAA Notice of Privacy Practices. For privacy practices notice templates, see HIPAA Notice of Privacy Practices and HIPAA Privacy Notice Clause (Summary Plan Description).