Recent regulatory changes require that employers update their HIPAA Privacy Notices no later than February 16, 2026.
Background on Privacy Notice
Unless an exception applies, the HIPAA Privacy Rule requires covered entities to maintain and provide a Privacy Notice that meets specific content and distribution requirements. Specifically, the notice must outline how the covered entity may use/disclose protected health information (PHI) and explain how the covered entity must safeguard an individual’s PHI.
The responsibility for distributing Privacy Notices depends on the type of funding of the health plan:
Self-Funded Plans:
Fully Insured Plans:
-
Plan sponsors can typically rely on their insurance carriers to fulfill the notice distribution obligation, as carriers are usually responsible for providing the Privacy Notice to plan participants. However, employers who create or receive PHI beyond summary health information or information related to enrollment and disenrollment would be responsible for distributing their own Privacy Notice in addition to the carrier.
What Changed?
The Department of Health and Human Services (HHS) issued a ruling known as the 2024 Final Rule. This rule modified how entities can use and disclose Substance Use Disorder information. This ruling aligns the Privacy Notice requirements with the 42 C.F.R. Part 2, which is why it is sometimes referred to as the “Part 2.” Under the new guidance, Substance Use Disorder treatment records carry stricter confidentiality and consent-driven protections by comparison to standard PHI. The new requirements also limit how Substance Use Disorder information may be used, disclosed, or relied upon in civil, criminal, administrative, or legislative proceedings, unless there is specific authorization from the individual or a court order. This heightened standard has triggered the need for an update to existing Privacy Notices.
What Needs to be Updated?
Updated Privacy Notices must clearly explain the enhanced confidentiality protections that apply to Substance Use Disorder treatment records, including the fact that these records generally cannot be used or disclosed for civil, criminal, administrative, or legislative proceedings without the individual’s specific authorization or a court order.
Distribution Requirements and Employer Responsibilities
Acceptable distribution methods follow standard ERISA guidelines. These include distribution by:
- Electronic delivery, assuming federal electronic delivery and consent requirements are met.
- Posting the notice on a benefits website, coupled with appropriate participant notification.
- Hard-copy delivery, typically through first-class mail.
For Vita Clients
Vita includes the Privacy Notice as an addendum to the Summary Plan Description (SPD). The Privacy Notice is also available on a standalone basis. Required action depends on the plan type.
Self-Funded and Level-Funded Plans:
- Vita has updated the SPD/Privacy Notice to reflect the newly required Substance Use Disorder privacy protections. The revised copy of the SPD Disclosure Document/Privacy Notice should be posted on the benefits website where plan participants access the ERISA SPD, plan certificates, and other plan information. If no benefits website is maintained, the updated document should be mailed to plan participants within 60 days. A push notification with a link to the updated SPD/Privacy Notice should be sent to plan participants as part of the regular open enrollment cycle.
Fully-Insured Plans:
- As outlined above, fully insured carriers hold the primary responsibility for distributing the Privacy Notice, thus there is no specific action required for employers with only fully insured plans. However, an updated copy of the Vita SPD Disclosure Document with Privacy Notice will be provided to keep all plan documentation current. The revised notice should be posted on the benefits website where plan participants access the ERISA SPD, plan certificates, and other plan information. A standard push notification with a link to the SPD/Privacy Notice should be sent to plan participants as part of the regular open enrollment cycle.
If you have any questions, please contact your Vita Account Manager.
References
