Privacy Notice in Plan Document

[Guest deacon]

What are the requirements for including privacy provisions in a plan document or summary plan description for a self-funded welfare plan? Is there a model notice that can be incorporated into the document?

[Guest BenefitsLawyer]

The HIPAA privacy requirements take effect as of April 14, 2003, and before then there is no specific requirement for a privacy notice in a self-funded ERISA health plan. Under the HIPAA privacy requirements, the plan will need a notice of privacy practices, a number of policies and procedures (between 30 and 50, depending on which ones are combined), business associate agreements with other entities that perform services on behalf of the plan, perhaps trading partner and chain of trust agreements, authorizations for uses or disclosures other than as otherwise permitted by the HIPAA privacy regs, and, if the plan will disclose info to the sponsor, plan amendments and a certification from the sponsor, and the sponsor will have to create an info barrier between its employees who have access to protected health information and its other employees. The HIPAA privacy regs include a list of the elements that must be included in the notice of privacy practices. There's a model notice in "HIPAA and Other Federal Mandates for Group Health Plans, published by Employee Benefits Institute of America.