HIPAA privacy regulations require health plans to remind participants about their existing privacy notice every three years. For small plans (those with annual receipts that do not exceed $5 million) that were first subject to the privacy rule as of April 14, 2004, the deadline for this reminder is April 14, 2007.
Employers are not required to distribute the privacy notice in its entirety. The Department of Health and Human Services (“HHS”) also will permit plan sponsors to satisfy this reminder requirement by mailing a reminder and information about how to obtain a copy of the full privacy notice or by adding a short notice to another communication or newsletter that will be mailed to plan participants. Generally, notice to the employee will be sufficient to provide notice to other covered dependents.
Small plans should prepare to meet this reminder requirement in the most efficient way available.