§164.520(c) Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.
(1) Specific requirements for health plans. (i) A health plan must provide the notice: (A) no later than the compliance date for the health plan, to individuals then covered by the plan; (B) thereafter, at the time of enrollment, to individuals who are new enrollees.
(ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.
(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.
(iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.
(v) If there is a material change to the notice:
(A) A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.
(B) A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice.
Audit Inquiry
Does the health plan provide its notice of privacy practices consistent with the established performance criterion?
Obtain and review the policies and procedures in place regarding the provision and posting of the notice of privacy practices.
Has the health plan provided the notice of privacy practices to individuals as required? For a sample of individuals, obtain and review documentation of when and how notices were provided.
As available, for example, as part of a standard mailing sent to new health plan members, review the notice of privacy practices provided to the selected individuals. Was the notice of privacy practices that was provided to the selected individuals the current notice of privacy practices for the time period in which the notice was provided?