The recent changes to HIPAA brought about by the American Recovery and Reinvestment Act (ARRA) and its Health Information Technology for Economic and Clinical Health  (HITECH) Act have received a lot of attention, as of late.  In the meantime, however, an "old" HIPAA notice obligation has crept up, and must by complied with by April 14th!

Under the HIPAA Privacy Rule, covered entity health plans are required "no less frequently than once every three years . . . [to] notify individuals then covered by the plan of the availability of the [health plan’s Notice of Privacy Practices] and how to obtain the notice."  See 45 CFR 164.520(c)(1)(ii).  For "large" health plans with an original compliance deadline of April 14, 2003, this 3-year "Reminder Notice" must be released by April 14, 2009. 

A "large" health plan is one that has five million or more in annual gross receipts or claims paid.  Although health insurers (e.g., HMOs, PPOs etc) will generally make up the majority of "large" health plans, employers that sponsor health plans that meet the 5 million dollar threshold will need to comply.

The Reminder Notice does not require large health plans to redistribute its Notice of Privacy Practices, however this is one way that the requirement can be satisfied.  Other ways that the requirement can be met include by mailing a separate "Reminder Notice" stating only that the plan’s Notice of Privacy Practices is "available" and how a copy can be obtained.  Such a reminder can also be included in a health plan-produced newsletter, or other plan-produced publication.  The government has posted a FAQ regarding the reminder notice requirement which may offer additional guidance.