Your Compliance Edge

Notice Requirements for Group Health Plans—HIPAA Privacy and Security-Related Notices

In This Section
- HIPAA Notice of Privacy Practices for Protected Health Information
- HIPAA Notice of Breach of Unsecured Protected Health Information

Notice Requirements

Document: HIPAA Notice of Privacy Practices for Protected Health Information (Fully insured group plans that do not create or receive PHI—other than summary health information and enrollment information—are not required to develop this notice.)

Type of Information: Describes how a covered entity, including a group health plan, may use and disclose an individual's protected health information (PHI), and the individual's rights and the plan's legal duties with respect to that information

Provide To: Individuals enrolled in group health plan coverage

Provided By: Covered entities, including group health plans, unless a specific exception applies

When Due: Fully insured group plans that create or receive PHI in addition to summary health information and enrollment information must maintain a notice and provide it to any person upon request. Other health plans must provide the notice as follows:
- To new enrollees: At the time of enrollment
- To individuals covered by the plan: Within 60 days of a material revision to the policy (special rules apply for website notice postings)
A health plan also must notify individuals covered by the plan of the availability of, and how to obtain, the notice at least once every 3 years, and make it available to any person who asks for it.
Document: HIPAA Notice of Breach of Unsecured Protected Health Information

Type of Information: Provides certain information related to the discovery of a breach of unsecured protected health information, including:
- A description of the breach;
- The types of information that were involved in the breach;
- Steps affected individuals should take to protect themselves from potential harm;
- A brief description of what the covered entity is doing to investigate, mitigate the harm, and prevent further breaches; and
- Contact information for the covered entity

Provide To: Affected individuals, the U.S. Department of Health and Human Services, and prominent media outlets (for a breach affecting more than 500 residents of a state or jurisdiction)

Provided By: Covered entities, including group health plans (business associates also have certain responsibilities for providing notice of a breach)

When Due:
- To affected individuals: No later than 60 calendar days after the discovery of a breach (notice must be provided by first-class mail, or alternatively, by email if the affected individual has agreed to receive such notices electronically)
- To HHS Secretary (submitted electronically):
  - Breaches affecting fewer than 500 individuals: annual report required no later than 60 days after the end of the calendar year in which the breaches were discovered
  - Breaches affecting 500 or more individuals: no later than 60 calendar days after discovery
- To media (breaches affecting more than 500 residents of a state or jurisdiction): No later than 60 calendar days after discovery of a breach

