The Health Insurance Portability and Accountability Act (HIPAA) requires certain notices be delivered to employees, so they are informed of their rights under HIPAA. Read more about those notices here.
The health plan must provide all employees eligible to enroll in the employer's group health plan with a notice of special enrollment, at or before the time an employee is initially offered the opportunity to enroll in the plan. The notice must fulfill the following requirements:
Model notices are also available here.
Employers who operate "health-contingent" wellness programs, where participants are required to satisfy specific health-related standards in order to receive a reward (e.g., diet and exercise programs), must meet the following non-discrimination requirements under HIPAA:
*A program is considered "reasonably designed" to reduce disease or promote health if it has a reasonable chance of accomplishing these aims, is not overly burdensome, and is not used as a means of discrimination based on health factors.
Model notices are available here.
In August 2017, the U.S. District Court for the District of Columbia remanded EEOC regulations regarding financial incentives for wellness programs, and sent them back to the agency for redrafting. Since the decision did not vacate the rules, the existing regulations are in effect until the EEOC releases revised guidance.
A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, that creates or receives protected health information (PHI) in addition to summary health information, must maintain a notice that informs individuals of their rights regarding their personal health information and the privacy practices of their plans and providers. The notice must be provided to any person upon request.
Other covered entities must provide the privacy notice as follows:
A covered entity that maintains a website that provides information about the covered entity's customer services or benefits must post its notice on the website and make the notice available through the website. A covered entity may provide notice through e-mail only if the individual agrees.
A health plan also must notify individuals covered by the plan of the availability of, and how to obtain, the notice at least once every 3 years, and make it available to any person who asks for it.
If there are any material changes to the notice, health plans must:
Model notices are also available here.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to provide a notification following a breach of unsecured protected health information, or PHI. A breach occurs when impermissible use, access or disclosure of protected health information compromises the security or privacy of the protected health information.
If there is a breach of unsecured protected health information, covered HIPAA entities must provide a notification of the breach to each affected individual and the Secretary. Additionally, a covered entity is required to notify media outlets if the breach of unsecured protected health information affects more than 500 individuals.
If a breach occurs, the required notification must include, to the extent known, a description of:
• What happened, including the date of the breach and the date of the discovery;
• The types of unsecured protected health information that were involved in the breach;
• Any steps individuals should take to protect themselves;
• What the covered entity is doing to investigate the breach, mitigate the harm, and prevent future breaches;
• Where and how individuals can learn additional information about the breach (e.g. toll-free number, website, or email address).
Once a breach occurs, the notice to affected individuals must occur without unreasonable delay after the breach but no later than 60 days after the discovery of the breach.
The deadline for notifying the Secretary of a breach of unsecured protected health information depends on the number of individuals affected. If the breach affected more than 500 individuals, a covered entity must notify the Secretary of the breach immediately and no later than 60 days from the discovery of the breach. If the breach affected fewer than 500 individuals, a covered entity must notify the Secretary within 60 days after the end of the calendar year in which the breach was discovered.