Recent Changes to HIPAA Notice Require Immediate Action by Health Plans to Avoid Penalties

HIPAA Notice

Overview: HIPAA violations can apply to healthcare providers, healthcare clearinghouses, health plans, and other covered entities, as well as their business associates. Any of these parties may face penalties if they fail to comply with the HIPAA Privacy, Security, or Breach Notification Rules.

One area of HIPAA involves the timely distribution of HIPAA Notices by Employers/Plan Sponsors of ERISA Group Health Plans (i.e., medical plans, Flexible Spending Accounts and Health Reimbursement Arrangements) (“Health Plans”), and the civil penalties for failure to distribute them on time. In this regard, on February 16, 2026, the Department of Health and Human Services (“HHS”) issued an updated HIPAA Model Notice to be distributed by Employers/Plan Sponsors within 60 days (e.g., April 17, 2026) to avoid potentially substantial penalties from the HHS. This Notice has been updated for required Substance Use Disorder (“SUD”) disclosures. Basically, it limits disclosure of SUD information/data to anyone without prior approval by the affected individual.

Please note that an Employer/Plan Sponsor is not required to use the HHS Model Notice so long as its notice includes the required language. Also note that there are special HIPAA disclosures required for Part 2 Programs generally sponsored by healthcare entities for the benefit of their patients. We are not addressing those issues but are restricting our observations to Health Plans for a plan sponsor’s employees. Finally, note that with respect to fully-insured health plans, this HIPAA Notice obligation generally would be the responsibility of the health insurance carrier. Employers/Plan Sponsors may wish to confirm with their carriers that such carriers are responsible for distributing this important Notice.

Penalties: The civil penalties are listed below. (Criminal Penalties can also be imposed in certain circumstances.)

| Tier | Level of Culpability | Minimum Fine per Violation | Maximum Fine per Violation | Annual Cap |
|---|---|---|---|---|
| Tier 1 | Did Not Know / Lack of Awareness | $145 | $73,011 | $2,190,294 |
| Tier 2 | Reasonable Cause | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Willful Neglect (Corrected ≤30 days) | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Willful Neglect (Not Corrected) | $73,011 | $2,190,294 | $2,190,294 |


Small Plan Exception: Companies with under 50 participants (employees/former employees) in a Health Plan may be exempt, but only if such plan(s) are self-administered, self-insured Health Plans. Note that most small businesses using insurers (fully insured plans) or third-party administrators (TPAs) are not excluded. Even if exempt from HIPAA, small employers must still comply with other privacy laws regarding employee health information.

The penalty for late distribution can be substantial and has an extremely broad range, which is at the discretion of the HHS. To avoid such issues and penalties, it appears advisable that every Employer/Plan Sponsor of a Health Plan that is not clearly covered by the Small Plan Exception obtain the Model Notice from the HHS’s website (Model Notices of Privacy Practices | HHS.gov), complete and/or modify the information necessary in such Notice, and distribute it to the appropriate persons as soon as possible. It also appears advisable that a record be retained of that Notice, when it was distributed and who received it.

Summary: Unless the Small Plan Exception described above applies, if the Employer’s/Plan Sponsor’s Wrap Plan includes a health plan component, HRA, or medical FSA within a cafeteria plan, we recommend you move forward to distribute the Model Notice to participants of those plans as soon as possible.

The Plan Sponsor may distribute the Model Notice by hand delivery or first-class mail. It can also be distributed by email if the employee has agreed to receive electronic notice under HIPAA. This Notice does require the insertion of certain limited information by the Plan Sponsor prior to distribution. While it may be possible to also provide the Model Notice on a website, due to the more limited website posting date rules, it appears the safest course would be to distribute it by hand delivery or first-class mail. Employers/Plan Sponsors may wish to contact their HIPAA service provider or legal counsel for addressing this and any other issues.

As part of our Wrap Plan services, ERISAPros attempts to keep Employers and Plan Sponsors updated on recent developments that may affect any Wrap Plan and SPD documents, including federal government notices relating to those documents. While we do not provide services involving HIPAA compliance, we do provide you with optional HIPAA language that may be included in the Plan Sponsor’s Wrap Plan and SPD documents.
