If the employer sponsors a group health plan that is provided through an insurance contract and does not maintain or receive protected health information (PHI) outside of enrollment or summary health information, it is exempt from many of the Health Insurance Portability and Accountability Act (HIPAA) privacy requirements, including the notice of privacy practices. The insurance carrier issuing the policy is responsible for creating and distributing the notice to participants. However, the sponsoring employers should be aware of the requirement and work closely with insurers to understand the privacy practices of the insurer.
If the employer has a self-insured health plan or maintains or receives PHI other than enrollment or summary health information, it must comply with the notice requirements. The notice of privacy practices must be provided to individuals covered by the plan. A single notice to a health plan’s named covered individual is effective for all dependents covered through that insured employee. This means that a separate notice of privacy practices does not need to be provided to each spouse or dependent covered under the plan. In addition to the general notice requirement, all covered entities must make the notice of privacy practices available to anyone who requests it (not just current enrollees).
The notice must be provided upon an individual's enrollment in the plan, within 60 days of a material change to the notice and on request by any person. In addition, every three years a health plan must also notify individuals who are covered by the plan that the notice of privacy practices is available, including how to obtain the notice. Many covered entities simply send the notice of privacy practices at least every three years (assuming no material changes have been made), rather than send a notice that the notice of privacy practices is available.
If a covered entity maintains a website, the notice must be posted on that website (and the notice must be available electronically through the website). To meet the general notice requirements outlined above, the notice of privacy practices may be provided by e-mail, so long as the recipient has agreed to receive an electronic notice. In addition, the notice may be included with a summary plan description (SPD) or with open enrollment materials (so long as either is distributed timely and properly). The notice may also be distributed by first-class, second-class or third-class mail.
The U.S. Department of Health and Human Services (DHHS) has developed several versions of a model notice of privacy practices.
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.