The HIPAA Privacy Rule requires covered entities (including group health plans and issuers) to provide a Notice of Privacy Practices (or Privacy Notice) to each individual who is the subject of protected health information (PHI). Health plans are required to send the Privacy Notice at certain times, including to new enrollees at the time of enrollment. Also, at least once every three years, health plans must either redistribute the Privacy Notice or notify participants that the Privacy Notice is available and explain how to obtain a copy. Self-insured health plans must maintain and provide their own Privacy Notices. However, special rules apply for fully insured plans, where the health insurance issuer, not the plan itself, is primarily responsible for the Privacy Notice.