HIPAA Privacy Notice Clause
(Summary Plan Description)


Summary

These clauses can be inserted into a group health plan's summary plan description (SPD) to satisfy the Health Insurance Portability and Accountability Act (HIPAA) requirement that covered entities provide individuals with a Notice of Privacy Practices (NPP) that complies with the HIPAA Privacy Rule regulations. This template contains practical guidance, drafting notes, and an optional clause.

HIPAA generally provides that an individual has a right to adequate notice of the uses and disclosures that a HIPAA covered entity may make of the individual's protected health information (PHI), of the individual's rights, and of the covered entity's legal duties regarding PHI. For covered entities that are group health plans, the responsibility for providing the notice is borne by:

• Self-funded or fully insured group health plans where the plan creates or receives PHI –and/or–
• Insurers issuing the coverage for an insured plan

See 45 C.F.R. § 164.520(a)(2)(ii). The insurer is solely responsible if a fully insured plan does not create or receive PHI other than summary health information (as defined in § 164.504(a)) or enrollment information. (Also, a small self-funded plan (one whose sponsor has fewer than 50 eligible employees) may qualify for an exemption from HIPAA covered entity status if it does not use a third-party administrator, but this is fairly rare.)

The NPP must be furnished upon an individual's enrollment in the plan and as necessary to reflect material changes to the notice. In addition, a follow-up communication must be issued at least once every three years. The follow-up may consist of an up-to-date version of the NPP itself or a notice of availability that includes specific instructions on how to obtain a copy of the NPP. 45 C.F.R. § 164.520(c)(1)(ii).
Note that this can be more frequent than the SPD distribution requirements under the Employee Retirement Income Security Act (ERISA), so if the SPD is the sole manner of distribution, it will need to be distributed at least once every three years.

The NPP must contain the contents set forth in 45 C.F.R. § 164.520(b) (note that content requirements differ for health care provider notices). For a detailed discussion of the content and delivery requirements for health plans, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules. The Department of Health and Human Services (DHHS) has developed Model Notices of Privacy Practices, which are available on its website in both Spanish and English. This template is based in part on the sample notice but adapted for inclusion in an SPD. Also see HIPAA Attestation for Reproductive Health Care Related PHI Disclosures.

Modifications to these requirements were finalized in 2024 that pertain to coordination with regulations governing substance use disorder (SUD) records under 42 C.F.R. Part 2 and new limitations on the use or disclosure of PHI for purposes of investigating or imposing liability on persons for lawfully seeking or providing reproductive health care. 89 Fed. Reg. 32,976 (April 26, 2024) (2024 Rules). The compliance date for the 2024 Rules pertaining to the NPP is February 16, 2026. HHS is considering furnishing model language that reflects these changes. The 2024 Rules changes are not yet reflected in this template, but they are described in the drafting notes.

For a full listing of related HIPAA content, see HIPAA Resource Kit. For a full listing of related data security and privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For a full listing of data security content that applies to federal government agencies, see Data Security & Privacy for Government Agencies Resource Kit.
For additional information about SPD requirements, see Summary Plan Description Rules for ERISA Benefit Plans and the Summary Plan Description Resource Kit. For a stand-alone notice, see HIPAA Notice of Privacy Practices. For more information on the Privacy Rule notice requirement and HIPAA generally, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules and the HIPAA Resource Kit.