The Employee Benefits Security Administration (“EBSA”) of the U.S. Department of Labor confirmed in Compliance Assistance Release No. 2024-01 that cybersecurity guidance issued in 2021 applies to all ERISA-covered health and welfare plans. This guidance goes beyond what is required under HIPAA for health plans, and includes “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices,” and “Online Security Tips,” which were updated to reflect this clarification.
In April 2021, EBSA issued cybersecurity guidance for benefit plan fiduciaries and service providers describing best practices for managing cybersecurity risk. Recognizing that ERISA requires plan fiduciaries to take appropriate precautions to mitigate cybersecurity risks, EBSA issued the guidance in three pieces, directed at benefit plan sponsors, fiduciaries, record keepers, and participants.
The language in the original guidance led to confusion as to whether the guidance applied solely to retirement plans. With this new guidance, EBSA clarifies that its cybersecurity guidance does, in fact, also apply to ERISA-covered health and welfare plans.
Cybercrime is a constant and growing risk across the globe, and employer-based benefit plans have not escaped falling victim to these crimes. Health and welfare benefit plans carry some risk of financial loss to plan sponsors and participants, but they generally carry significantly more risk of disclosure of personally identifiable information (“PII”) and sensitive health information of plan members, as well as their covered family members, over multiple benefits and across multiple service providers.
The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), is designed to, among other things, impose extensive privacy and security requirements on employer-provided group health plans to keep protected health information (“PHI”) and electronic PHI secure. Plan sponsors, fiduciaries, and business associates of group health plans, such as third-party administrators (“TPAs”), that have taken significant steps to comply with HIPAA will have already made strides toward complying with EBSA’s ERISA cybersecurity guidance. However, it is important to note that various ERISA-covered welfare benefits are not group health plans subject to HIPAA, including group-term life insurance, disability coverage, and accident-only coverage. Such benefits are generally still subject to ERISA, and the EBSA cybersecurity guidance therefore applies to them even though HIPAA does not.
Both the original 2021 guidance and the recent guidance provide links to three separate pieces. The first two are oriented towards plan fiduciaries and service providers, and the degree to which fiduciaries adopt the detailed suggestions may depend on the size and complexity of their plans, particularly the amount of plan assets and data that they may handle.
EBSA provides six tips for plan fiduciaries to support the prudent selection and monitoring of service providers, and recommends requesting the following information from a prospective or current provider:
Health and welfare plan fiduciaries should keep these suggestions in mind for all plan service providers. Although they would mainly pertain to an insurer, TPA, or pharmacy benefit manager (“PBM”), they extend to consultants, wellness vendors, data analysts, trustees, and any other vendor that handles plan data or plan assets.
EBSA provides a highly detailed summary of best practices for an ERISA plan service provider’s cybersecurity program. Health and welfare benefit plan fiduciaries may also use this piece to evaluate the extent to which their providers are applying these best practices. There are twelve recommendations, including:
Lastly, the EBSA guidance provides nine basic rules for plan members to follow when accessing online health, welfare, or retirement accounts, specifically:
EBSA has made clear that cybersecurity relating to plan assets and PII should be a point of emphasis for ERISA plan sponsors and fiduciaries, as well as plan service providers. This goes beyond the requirements of HIPAA (which applies only to group health plans) and applies to all service providers, whether or not they are HIPAA business associates. Employers that sponsor ERISA-covered health and welfare benefit plans should review the EBSA guidance, confirm their current safeguards, and implement additional safeguards as appropriate, both to protect plan data and to hold service providers to high standards.
Actions to consider include:
This document is designed to highlight various employee benefit matters of general interest to our readers. It is not intended to interpret laws or regulations, or to address specific client situations. You should not act or rely on any information contained herein without seeking the advice of an attorney or tax professional. © My Benefit Advisor. All Rights Reserved. CA Insurance License #0G33244