March 1, 2007

Small Health Plans: Triennial HIPAA Privacy Notice Obligation

Covered entities, including small group health plans (those with fewer than $5 million in receipts), that became subject to the HIPAA Privacy Rules by April 14, 2004, are fast approaching the third anniversary of HIPAA privacy applicability.  This means that it is time to distribute a reminder notice to affected individuals regarding their right to obtain the covered entity’s Notice of Privacy Practices. 

The HHS Office of Civil Rights (OCR) issued clarification about how the reminder notice obligation can be satisfied.  According to this OCR guidance, several options are available to satisfy this triennial reminder requirement: 

  • The entire notice of privacy practices can be provided on a regular basis.
  • A Notice of Privacy Practices, or a reminder statement, can be included in a health plan’s annual enrollment material. 
  • A specific notice can be provided, advising individuals of their right to receive a full copy of the Notice of Privacy Practices. 


The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.

As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.



Accelerated Recovery Resources

Access articles and tools to help your business generate cash, improve leverage, and align & transform as you recover from the pandemic.

COVID-19 Resources

Access all COVID-19 related articles to help your business respond to the pandemic.

Insights in Your Inbox