September 23, 2013 was the deadline for distributing revised HIPPA Notices of Privacy Practices and the Department of Health and Human Services (HHS) published model Notices for providers and health plans. HIPPA requires covered entities, including group health plans, to provide a Notice of Privacy Practices Notice, outlining the uses and disclosures of project health information (PHI) that the covered entity legal obligations and individual rights with respect to their PHI.
The HHS Office for Civil Rights (OCR) released model Notices for both health care providers and group health plans. You can access the model notices here.
Employer To Do List:
- Employers (that have not already done so) should identify which of their health and welfare plans and programs are covered entities subject to HIPAA and required to distribute a Notice.
- Employers that sponsor and maintain both self-funded health programs and either insured health programs or individual account arrangements (such as health flexible spending accounts) should ensure that a Notice is distributed for each covered entity.
- If the model notice is to be used, some customization should be done, such as adding language identifying the covered entity plans and, if self-funded, reflecting that status.