1. You Ought To Know: September 20, 2013 – HIPAA Privacy FAQs
The issuance of final HIPAA Privacy Rules has necessitated changes to employee benefit plans
and the internal privacy policies used by plans. In addition, significant changes were required
within most plans’ Notice of Privacy Practices. As employers have focused on these updates,
many questions have been raised concerning plan design, HIPAA requirements, and how to best
use the model HIPAA materials that Willis has created. This FAQ addresses some of the most
common HIPAA Privacy questions.
Question 1: My plan is insured. Do I need to send out a Notice of Privacy Practices?
Answer 1: It depends. The specifics of which plans need to send a Notice of Privacy Practices
are included within two Employer Guides which are available on Willis Essentials. The relevant
Employer Guides are named the HIPAA Privacy Long Route: An Employer Guide and the HIPAA
Privacy Shortcut Route: An Employer Guide. Within Willis Essentials, you can access these
materials by clicking on the “NLRG” tab and then clicking on “HIPAA” in the drop-down menu.
Plans that qualify for the compliance shortcut need not have or send a Notice of Privacy Practices.
Plans that are fully-insured, but do not qualify for the shortcut must have a Notice of Privacy
Practices, but they need not send it to plan participants unless requested.
The compliance shortcut is available to group health plans that meet two conditions:
n All health benefits under the plan are provided only through an insurance contract or a
similar contract with a health maintenance organization (HMO) (that is, the benefits are
“fully insured”); and
n Neither the plan nor the sponsoring employer creates, maintains, or receives protected
health information (PHI) other than summary health information.
If any health benefits under the plan are not provided solely through a health insurance policy
and/or a similar contract with an HMO, the compliance shortcut is not available at all for that plan.
Example: Employer A maintains an ERISA welfare benefits plan that includes a fully-
insured PPO, an HMO, and a health care flexible spending account (HFSA). This plan will
not qualify for the shortcut because the plan includes the self-funded HFSA.
Considering the requirements for shortcut HIPAA compliance, plan sponsors may choose to
restructure their benefits so that, to the extent that fully-insured HIPAA-subject benefits are
offered, they are provided under a plan that does not include self-insured HIPAA-subject benefits.

2. Example: Employer A, from the previous example, amended its plan to split it into two
separate ERISA plans, one for the insured PPO and HMO and one for the HFSA. The plan
including the PPO and HMO would be considered fully insured for purposes of the
compliance shortcut. The HFSA plan would be considered self-funded, for this purpose.
Splitting the plan in this manner probably will ease the employer’s compliance burden
because compliance without the shortcut will be much easier for the HFSA alone than it
would be for the HFSA, PPO and HMO together.
Question 2: I am updating our company’s HIPAA materials using the Willis templates that
are available within the HIPAA Employer Guides. There are bracketed areas that ask us to
indicate the date that the plan became subject to HIPAA Privacy. The date options provided
as suggested answers are dates from 2003 or 2004. What does this mean, and which date
should we choose?
Answer 2: The original compliance date for the Privacy Rules was April 14, 2003, except that it
was one year later (April 14, 2004) for small plans (those with annual receipts of $5 million dollars
or less).
Unfortunately, the EDI and Privacy Rules did not define “annual receipts.” HHS said however,
that plans under which total payments for health insurance premiums, and total claims payments
for self-insured benefits, totaled $5 million or less would qualify as small plans. For most
employer plans, this guidance meant that some fairly large plans qualified as small plans for this
purpose. Based on an annual, per-employee coverage or claims cost of less than $10,000, most
health plans covering up to 500 employees would qualify as small plans.
Using this above guidance, plans that existed when the HIPAA Privacy rules were created should
choose the 2003 or 2004 date that applied to the plan sponsor. Obviously, plans that came into
existence after 2003 or 2004 would not have HIPAA Privacy rules applying until the plan that was
subject to HIPAA was actually created.
Question 3: What benefits are subject to the HIPAA Privacy rules?
Answer 3: More information on this topic is included within two Employer Guides which are
available on Willis Essentials. The relevant Employer Guides are named the HIPAA Privacy Long
Route: An Employer Guide and the HIPAA Privacy Shortcut Route: An Employer Guide.
If a plan number includes benefit options from both columns in the chart below, then that plan will
be subject to HIPAA Privacy compliance, and because there are HIPAA-subject and non-HIPAA-
subject benefits under the same plan, a Hybrid Entity will exist, and the plan sponsor will need to
include a “Hybrid Designation Form” within its HIPAA compliance materials. This form is not
distributed to employees, but it is used in the event of an audit in order to indicate that the plan
sponsor is aware that some of its benefits are subject to the HIPAA Privacy rules but that other
benefits are not subject to the HIPAA Privacy rules. A Hybrid Designation Form is available
within both HIPAA Privacy Employer Guides.

3. Subject to HIPAA Privacy Not Subject to HIPAA Privacy
Government-sponsored health plans Life Insurance
Church-sponsored health plans
Accidental Death & Dismemberment
Insurance
Small health plans of small employers Adoption Assistance
Self-insured health plans
n Health Reimbursement
Arrangement (Code Section
105 medical reimbursement)
n Health FSA
Disability income coverage
Fully-insured health plans
n HMO
n PPO
n EPO
n Traditional Indemnity
n Open Access HMO
n POS
n Minimum Premium
On-site medical clinics (not deemed
to be a health plan, but clinics may be
covered under the Privacy Rules as
“health care providers” – this
discussion is beyond the scope of this
article).
Dental benefits
n Indemnity Dental
n DMO
Medical leave programs
Vision benefits Automobile Liability coverage
Prescription drug benefits Workers’ compensation
Executive Physical Program Credit-only insurance
Employee Assistance Plan General Liability coverage
Retiree Medical Legal services
Voluntary medical benefits – see
below to determine which entity is
responsible for HIPAA Privacy
compliance
Dependent Care FSA
Wellness program Adoption Assistance
Long-term Care Education Assistance

4. Question 4: Within the Willis template HIPAA compliance materials, there are bracketed
areas where “Name of Plan” should be inserted. What is the name of the Plan?
Answer 4: For plan sponsors subject to ERISA, the name of the Plan would be the name that has
been designated within the ERISA plan document. For instance, a plan sponsor may have a legal
plan document that wraps together its medical, dental, and vision benefits under Plan Number 501,
and the plan name that has been chosen might be “XYZ Company Welfare Benefit Plan.” That
plan name is what would be entered within the brackets in the HIPAA compliance materials. If a
plan sponsor subject to ERISA does not have legal plan documents, then it should immediately put
plan documents in place. Willis has recorded a webcast on the topic of Plan Documents. That
webcast is available here.
For plan sponsors which are not subject to ERISA or that sponsor health benefits programs with
respect to which no Form 5500 is filed, the boundaries of a particular plan may not be well
defined. In that case the available documents regarding the health benefits (for example insurance
policies, benefits booklets, and enrollment forms) will determine which health benefits are
associated with which plan. Absent other documentation, each health benefits program generally
should be treated as a separate plan for purposes of the Privacy Rules. For example, an employer
that offers an HMO and a health flexible spending account should treat them as two separate plans,
absent documentation showing that they have been combined into a single plan. In that instance, a
Notice of Privacy Practices should be issued for each single plan that is subject to HIPAA, and
each Notice would include the name of one of the HIPAA-subject “plans.”
Question 5: On September 16, 2013 the Department of Health and Human Services issued a
“Model Notice of Privacy Practices” that may be used by entities required to distribute the
Model Notice of Privacy Practices. Willis also has a “Model Notice of Privacy Practices”
which is different from the HHS Notice. May we use either Notice?
Answer 5: Yes. HHS indicated that its Notice is a “baseline” for compliance, and there was no
indication that covered entities or insurers were required to use the HHS Notice. So, Willis
believes that either Notice may be used. Willis’ “Model Notice of Privacy Practices” is available
within the HIPAA Privacy Long Route: An Employer Guide, and the HHS Notice is available at
http://www.hhs.gov/ocr/privacy/hipaa/npp_health_plan-text_version.docx
Question 6: For covered entities which must distribute the Notice of Privacy Practices, how
is that distribution accomplished?
Answer 6: The answer to this question is included within the HIPAA Privacy Long Route: An
Employer Guide. If the covered entity maintains a website including benefits information, the
revised Notice of Privacy Practices must be posted on the website by September 23, 2013. In
addition, the Notice of Privacy Practices must also be delivered to individuals. This delivery can

5. be made by email (if the individual has agreed to receive electronic distribution of such notices) or
the notice may be mailed (first class mail) or it may be delivered by hand. Delivery of the Notice
does not require a special mailing, and the covered entity may choose to include the Notice within
the SPD or annual enrollment materials.
If the covered entity does not have a website with benefits information, then the revised Notice of
Privacy Practices must be distributed to individuals within 60 days of the material revision of the
Notice.
The information in this publication is not intended as legal or tax advice and has been prepared
solely for informational purposes. You may wish to consult your attorney or tax adviser
regarding issues raised in this publication.