Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 1065 Is a health plan required to notify enrollees about NPP?

This is information regarding the HIPAA Notice of Privacy Practices.

Final

Issued by: Office for Civil Rights (OCR)

Is a health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices?

Answer:

Yes. The Privacy Rule requires a health plan to remind enrollees of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, no less frequently than once every 3 years. See 45 CFR 164.520(c)(1)(ii).

Health plans may satisfy this requirement in a number of ways, including by:

  • Sending a copy of their Notice of Privacy Practices.
  • Mailing only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy.
  • Including in a plan-produced newsletter or other publication information about the availability of the Notice of Privacy Practices and how to obtain a copy.

Health plans already may have satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule. See 45 CFR 164.520(c)(1)(i)(C). Moreover, a plan may have included information regarding the availability of its Notice of Privacy Practices in annual communications sent to subscribers and enrollees of the plan.

A health plan can satisfy the requirement by providing the reminder notice to the named insured of a policy under which coverage is provided to that named insured and one or more dependents. See 45 CFR 164.520(c)(1)(iii). For instance, if an employee of a firm and her three dependents are covered under a single health plan policy, that health plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each dependent.

This information is especially timely as the third anniversary of the compliance date of the HIPAA Privacy Rule nears. Health plans, other than small health plans, were first required to distribute their Notice of Privacy Practices to subscribers and enrollees by April 14, 2003. Thus, those health plans that have not already reminded subscribers and enrollees in some manner of the availability of their Notice of Privacy Practices and how they may obtain a copy, must do so no later than April 14, 2006. For small health plans, which had until April 14, 2004, to first distribute their Notices of Privacy Practices, the compliance date for the triennial reminder notice requirement is April 14, 2007. These plans can begin to prepare now to meet this requirement using the most efficient means, such as including the reminder notice of the availability of the Notice of Privacy Practices in open enrollment materials, a group health plan newsletter provided to all members, or similar all-member mailings.

 

Created 3/6/06

 

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.