The deadline has passed for the Trump Administration to appeal the district court decision vacating the HIPAA Privacy Rule to Support Reproductive Health Care that went into effect at the end of 2024. However, the court's decision left intact the final rule amending privacy protections for substance use disorder treatment records under 42 CFR Part 2 (the Part 2 Regulations). As a result, many group health plan sponsors will still need to revise their plan's HIPAA Notice of Privacy Practices (Privacy Notice) to account for the Part 2 Regulations and redistribute it by February 16, 2026.
In this "how-to guide," we provide a brief overview of the Privacy Notice requirements for health plan sponsors seeking to comply with their obligations under the HIPAA Privacy Rule.
Who Must Provide the Privacy Notice?
The HIPAA Privacy Rule requires most "covered entities" (health plans, health care clearinghouses and health care providers) to prepare and maintain a Privacy Notice that informs individuals of their rights with respect to Protected Health Information (PHI), the covered entity's permitted and required uses and disclosures of PHI, and the covered entity's legal duties with respect to PHI.
For group health plans, the Privacy Notice obligations differ depending on whether the plan is self-insured or fully insured. If self-insured, the plan must maintain and provide its own Privacy Notice. If fully insured, the Privacy Notice obligation depends on whether the plan has access to PHI. If the fully insured plan creates or receives no PHI (other than summary health information and enrollment information), the Privacy Notice obligation falls solely on the plan's health insurer(s). If the fully insured plan has access to PHI, then the plan must maintain its own Privacy Notice and provide a copy to any person upon request.
When and to Whom Must the Privacy Notice Be Provided?
Health plans must provide the Privacy Notice to new enrollees at the time of enrollment. For this purpose, a single notice provided to the covered employee or named insured is sufficient, and the plan need not provide a separate notice to the employee's covered dependents. Additionally, the plan must provide the Privacy Notice to anyone upon request.
At least once every three years, the plan must notify covered individuals of the availability of the Privacy Notice and how to obtain a copy.
A health plan must also revise and redistribute its Privacy Notice whenever there is a material change to the uses or disclosures of PHI, individual rights, the plan's legal duties or other privacy practices stated in the notice. The timing for redistribution depends on whether the plan maintains a website describing plan services and benefits.
If the plan maintains a website, it must prominently post the change or the revised notice to the website by the effective date of the change. Thereafter, the plan must provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing.
If the plan does not maintain a website, then it must provide the revised notice, or information about the material change and how to obtain the revised notice, to covered individuals within 60 days of the effective date of the change.
How Must the Privacy Notice Be Delivered?
The Privacy Notice may be delivered via email for individuals who have agreed to electronic delivery, but paper copies must be provided to anyone who does not agree or if the plan knows that an email transmission has failed. If the plan maintains a website, then the Privacy Notice must also be prominently posted there.
What Content Must Be Included in the Privacy Notice?
The Privacy Notice must be written in plain language and contain specific content elements, including:
- Descriptions of the types of uses and disclosures of PHI that the plan is permitted or required to make, with examples;
- A statement of the individual's rights with respect to PHI and a description of how the individual can exercise those rights; and
- Information regarding the plan's legal duties with respect to PHI, such as maintaining the privacy of PHI and notifying individuals following a breach of unsecured PHI.
The U.S. Department of Health and Human Services previously issued several model Privacy Notices for health plans and health care providers in 2014. However, plans that make use of the models will need to revise them as necessary to account for the plan's internal policies and procedures, as well as other applicable laws, such as the changes required under the Part 2 Regulations.
Conclusion
Although the Privacy Notice is only a small part of a health plan's compliance obligations under HIPAA, its detailed content and distribution requirements can pose a trap for unsuspecting plan sponsors. As we approach the February 16, 2026, compliance deadline for the Part 2 Regulations, plan sponsors should begin working with qualified legal counsel now to ensure that their Privacy Notice remains compliant.