Skip to main content




Explaining the Health Insurance Portability and Accountability Act (HIPAA)

For Administrators and Employees

Health Insurance Portability and Accountability Act (HIPAA) Notices

The Health Insurance Portability and Accountability Act (HIPAA) requires certain notices be delivered to employees, so they are informed of their rights under HIPAA. Read more about those notices here. 

Notice of Special Enrollment Rights

The health plan must provide all employees eligible to enroll in the employer's group health plan with a notice of special enrollment, at or before the time an employee is initially offered the opportunity to enroll in the plan. The notice must fulfill the following requirements:

  1. The notice must describe the employee's spcial enrollment rights. For model language please see 29 C.F.R. § 2590.701-6( c ).
  2. If applicable, the special enrollment notice must also include a notice to individuals declining coverage, that the health plan requires a reason for coverage declination in writing.

Model notices are also available here.

Wellness Program Disclosure

Employers who operate "health-contingent" wellness programs, where participants are required to satisfy specific health-related standards in order to receive a reward (e.g., diet and exercise programs), must meet the following non-discrimination requirements under HIPAA:

  1. All eligible individuals must have the opportunity to qualify for the reward at least once a year.
  2. The total reward for the wellness program in exchange for satisfaction of a health requirement, may not exceed 30% (or 50% for programs reducing tobacco use) of the price of employee-only coverage under the plan.
  3. The plan must make the reward available to all similarly situated individuals. It must also make a "reasonable alternative standard" available to individuals for whom it is unreasonably difficult, due to health conditions, to satisfy the existing health standard and obtain the reward during that period.
  4. The aim of the program must be reasonably designed* to reduce disease, or promote health.
  5. In all materials that describe the wellness program and its terms, the plan must also disclose the means of qualifying for the reward and the availability of a reasonable alternative standard, and this must be provided to all group health participants and beneficiaries eligible to participate in the program. The disclosure must include any information necessary for obtaining the alternative standard. However, if the materials only mention the availability of the wellness program, and do not describe the terms, the disclosure is not required.

*A program is considered "reasonably designed" to reduce disease or promote health if it is has a reasonable chance or accomplishing these aims, is not overly burdensome, or used as a means of discrimination based on health factors.

Model notices are available here.

In August 2017, the U.S. District Court for the District of Columbia remanded EEOC regulations regarding financial incentives for wellness programs, and sent them back to the agency for redrafting. Since the decision did not vacate the rules, the existing regulations are in effect until the EEOC releases revised guidance.

Notice of Privacy Practices

A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, that creates or receives protected health information (PHI) in addition to summary health information, must maintain a notice that informs individuals of their rights regarding their personal health information and the privacy practices of their plans and providers. The notice must be provided to any person upon request.

Other covered entities must provide the privacy notice as follows:

  • To new enrollees: at the time of enrollment
  • To individuals covered by the plan: within 60 days of a material revision to the policy (special rules apply for website notice postings)
Requirements for Electronic Notice

A covered entity that maintains a website that provides information about the covered entity's customer services or benefits must post its notice on the website and make the notice available through the website. A covered entity may provide notice through e-mail only if the individual agrees.

A health plan also must notify individuals covered by the plan of the availability of, and how to obtain, the notice at least once every 3 years, and make it available to any person who asks for it.

If there are any material changes to the notice, health plans must:

  • post the change or revised notice on their website, if applicable, by the effective date of the material change, and provide information about the change and how to obtain the revised notice in its next annual mailing to covered individuals, OR
  • provide information about the change, or the revised notice itself to covered individuals within 60 days of the material

Model notices are also available here.

What is the Breach Notification Rule?

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to provide a notification following a breach of unsecured protected health information, or PHI. A breach occurs when impermissible use, access or disclosure of protected health information compromises the security or privacy of the protected health information.

If there is a breach of unsecured protected health information, covered HIPAA entities must provide a notification of the breach to each affected individual and the Secretary. Additionally, a covered entity is required to notify media outlets if the breach of unsecured protected health information affects more than 500 individuals.

What does a notification need to contain?

If a breach occurs, the required notification must include, to the extent known, a description of:
• What happened, including the date of the breach and the date of the discovery;
• The types of unsecured protected health information that were involved in the breach;
• Any steps individuals should take to protect themselves;
• What the covered entity is doing to investigate the breach, mitigate the harm, and prevent future breaches;
• Where and how individuals can learn additional information about the breach (e.g. toll-free number, website, or email address).

Deadline for notifying affected individuals about a breach

Once a breach occurs, the notice to affected individuals must occur without unreasonable delay after the breach but no later than 60 days after the discovery of the breach.

Deadline for notifying the Secretary about a breach

The deadline for notifying the Secretary of a breach of unsecured protected health information depends on the size of individuals affected. If the breach affected more than 500 individuals, a covered entity must notify the Secretary of the breach immediately and no later than 60 days from the discovery of the breach. If the breach affected less than 500 individuals, a covered entity must notify the Secretary within 60 days after the end of the calendar year in which the breach was discovered.

  • Was this article helpful?