When Does an Employer Have to Provide a HIPAA Privacy Notice?

Sometimes our clients ask if NEO sends a HIPAA Privacy Notice to their employees who are enrolled in the Health FSA or Health Reimbursement Account (HRA) plan that we manage. In the case of a self-funded plan like an FSA or HRA, the employer is the Covered Entity responsible for issuing the Privacy Notice. As a Business Associate of the plan, NEO has many HIPAA Privacy and Security obligations, but those do not include issuing a Privacy Notice to participants.


If you need help understanding this requirement and how to provide the Notice, read on:


How the Rule Works


The HIPAA Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information (PHI) about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with a notice describing their privacy practices. A full summary of the Notice guidelines can be found here, and we have summarized the points that apply to self-insured health plan sponsors below.


Covered Entity Defined.


Individual and group health plans that provide or pay the cost of medical care are covered entities. Thus, an insurance carrier that provides group health coverage is a covered entity. The plan sponsor (employer) is the covered entity if the health plan is self-insured (such as an FSA or HRA).


Health Plan Defined.


Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. Exception: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.


Content of the HIPAA Privacy Notice.


Covered entities are required to provide a notice in plain language that describes:

  • How the covered entity may use and disclose PHI about an individual.
  • The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
  • The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of PHI.
  • Whom individuals can contact for further information about the covered entity’s privacy policies.


Providing the Notice.

  • A covered entity must make its notice available to any person who asks for it.
  • A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.
  • Health plans must also:
    • Provide the notice to individuals* covered by the plan (if not already provided previously) and to new enrollees at the time of enrollment.
    • Provide a revised notice to individuals then covered by the plan within 60 days of a material revision.
    • Notify individuals then covered by the plan of the availability of and how to obtain the notice at least once every three years.
  • A covered entity may e-mail the notice to an individual if the individual agrees to receive an electronic notice.

* A health plan satisfies its distribution obligation by furnishing the notice to the “named insured,” that is, the subscriber for coverage that also applies to spouses and dependents. Also keep in mind that one Notice can cover all health plans.


HHS has developed model HIPAA Privacy Notices that are easy to use and customizable. Just click the link, and fill in the blanks for an appropriate Notice for you to use with your health plan.


As always, if you have questions about your compliance obligations related to the COBRA, FSA, HRA or HSA benefits you provide to your employees, do not hesitate to contact NEO and we will be happy to help or point you in the right direction!