HIPAA Notice of Privacy Practices Under Scrutiny

As we reported in March, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is currently conducting Phase 2 HIPAA audits. About 167 employers have received notifications, with more audits to come. The audits review the policies and procedures adopted and used by health plans (covered entities); however, the Phase 2 Audit guidance suggests a focus on the Notice of Privacy Practices (NPP).


The HIPAA Privacy Rule requires health plans to develop and distribute a notice that gives a clear, user-friendly explanation of the health plan's privacy practices and of how individuals can exercise their individual rights.

There are also specific requirements for notice content. These include how the covered entity may use and disclose protected health information about an individual, the individual’s rights with respect to the information, and how individuals can exercise their rights, including how the individual may complain to the covered entity.

Providing the Notice

The notice must be made available to any new enrollees at the time of enrollment or at any time upon request. It also must contain an effective date and be made available on any website that provides information about the plan’s benefits. If revised, notices must be provided to currently covered individuals within 60 days of any material revisions. If no material revisions occur, the health plan must notify participants in the plan of the availability of the updated notice and how to obtain the notice at least once every three years. 

Many employers will send the notice of availability every year to simplify this compliance requirement.

Review and Update Your Notice Now

Although HHS provides a model notice, notices are a reflection of employer practices. Make certain those practices align with the notice. Also confirm you have internal procedures to manage the actions stated in the notice. The notice should be reviewed now. Some specific areas to review include the following:

  • Are the health plan name, address, and website on the notice accurate?
  • Does the notice include the Privacy Official's phone, email address, and other contact information?
  • Is there an effective date on the notice?
  • Is there a list of individual rights included and do you have internal procedures to respond to an individual request (for example, how you handle an individual's right to request confidential communications)? 
  • Are the health plan’s uses and disclosures of health information correctly described? This may require you to survey the uses and disclosures within the health plan as well as those entities outside of the health plan that may receive plan information. There are, of course, permitted uses and disclosures, so your review needs to confirm whether the uses and disclosures are accurate and permitted under the Privacy Rule.
  • Did you describe any state or other laws that require greater limits on disclosures? For example, “We will never share any substance abuse treatment records without your written permission.” If no laws with greater limits apply to your health plan, no additional information needs to be included. 
  • Did you ever market or sell personal information with written permission? One area to review is your wellness program, including any mobile or fitness devices provided.
  • Did you include how individuals will be provided a new notice or how they can request a notice or file a complaint? 

Keep in mind that the notice is a reflection of your practices and internal procedures for each of your welfare benefit plans. Make certain it contains all required elements, since it seems to be a focal point of the Phase 2 Audits. Take time now to review and update your notice to reflect all aspects of your privacy practices.
