HIPAA Privacy - Provisions of Notice - Health Plans 164.520(c)(1)

Overview:
§164.520(c)
Implementation specifications: Provision of notice.
A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.
(1) Specific requirements for health plans. (i) A health plan must provide the notice: (A) no later than the compliance date for the health plan, to individuals then covered by the plan; (B) thereafter, at the time of enrollment, to individuals who are new enrollees. (ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.
(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.
(iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.
(v) If there is a material change to the notice:
(A) A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.
(B) A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice.

Action Items:
1) Obtain and review the policies and procedures in place regarding the provision and posting of the notice of privacy practices.
2) Has the health plan provided the notice of privacy practices to individuals as required? For a sample of individuals, obtain and review documentation of when and how notices were provided.

Related Documents:
1) Policies and procedures in place regarding the provision and posting of the notice of privacy practices.
2) Documentation of when and how notices were provided.

Additional Guidance:
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with less than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: (1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and (2) those programs whose principal activity is directly providing health care, such as a community health center,5 or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business.