What Is It?
HIPAA requires "covered entities" (a defined term) to maintain, follow and distribute a notice of privacy practices (NPP). An employer's group health plan, which is separate and distinct from the employer itself, is a covered entity. Thus, generally speaking, it is the plan that must maintain, follow and distribute the NPP. The content requirements for NPPs are extensive. HHS has published a number of model notices, but they require extensive customization. It is advisable to get help when preparing an NPP.
When Must It Be Given?
The full NPP must be distributed once at the time of an employee’s first-ever enrollment in the plan. Given that the vast majority of first-time enrollees are new hires, many employers choose to provide the NPP as part of the new hire process. Note, however, that this is under-inclusive, as there are likely other employees who transfer or are promoted from non-benefits-eligible positions to benefits-eligible positions. HHS may not consider distribution of the NPP during those employees’ new hire process to be “at the time of enrollment.”
The full NPP must also be distributed to all current plan employee-participants if there are material changes to the NPP. The revised notice must be redistributed within 60 days of the effective date of the change.
How May It Be Delivered?
NPPs must be individually delivered. HHS advises that mere posting to an intranet site is not sufficient. The NPP need not have its own special distribution; it can be combined with other notice or disclosure materials, such as in an open enrollment packet, provided that the distribution method otherwise complies with HIPAA. Importantly, HIPAA, which is under the jurisdiction of HHS, has different electronic distribution rules than ERISA, which is under the jurisdiction of DOL. Under HIPAA, electronic delivery requires affirmative consent. ERISA only requires consent from employees whose integral job duties do not include use of a computer.
There is a separate and distinct requirement for posting of the NPP to a website. Under that rule, if there is a website maintained specifically for the benefit plan, such as a benefit plan page of an HR intranet site, then the NPP must be posted to that site.
To Whom?
HIPAA requires that the NPP be given to “enrollees.” HHS guidance states that, for employer-sponsored group health plans, this refers to the employee-participant. Notice to the employee-participant is deemed notice to the named insured and all of his/her dependents.