Group Health Plans and Cybersecurity: DOL and OCR Guidance - Bim Group

READ TIME: 7 MINUTES

In response to this heightened activity, the U.S. Department of Labor (DOL) recently issued its first-ever formal cybersecurity guidance, which includes best practices for ERISA fiduciaries to consider in guarding against cyber threats. For many group health plan sponsors, much of the guidance addresses issues and items that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has long required.

HIPAA imposes stringent security rules to safeguard group health plan participants’ protected health information (PHI) and electronic protected health information (ePHI). Many of HIPAA’s requirements mirror the recent DOL guidance, and group health plan sponsors should understand how a plan’s HIPAA responsibilities differ and whether they will need to adopt any new policies or procedures to address the DOL guidance.

DOL Cybersecurity Guidance

The DOL guidance generally targets retirement plans, but it is based on ERISA fiduciary principles that also apply to employer plan sponsors of ERISA group health plans. ERISA requires those responsible for administering plans (i.e., fiduciaries) to do so prudently and for the exclusive benefit of plan participants and beneficiaries, and the DOL notes that it considers this to include appropriately addressing and safeguarding against threats (including cyber threats) to their plans.

DOL guidance addresses three areas:

  • Tips for hiring a plan service provider
  • General cybersecurity best practices for plan service providers
  • Additional online security pointers for plan participants

The DOL guidance is not formal rulemaking, but it could signal items the DOL will look for as it addresses future participant claims that a plan sponsor breached its fiduciary duty by failing to properly assess the cybersecurity of plan service providers. Thus, group health plan sponsors might wish to incorporate the stated standards and best practices in selecting plan service providers. HIPAA already requires covered plans to enter Business Associate Agreements (BAA) with plan service providers who access or use PHI and ePHI, and much of what the DOL suggests is already required to be in the BAA (and is also addressed in a plan’s general compliance with the Security Rule).

The DOL further provides some rather commonsense pointers to help limit cyber threats. These pointers target individual participants, but plan sponsors also might wish to consider providing the information to participants so that they better understand their role in limiting cybersecurity risks.

At a minimum, group health plan sponsors should view the new DOL guidance as a roadmap for creating a potential defense to any participant claim of an ERISA fiduciary breach based on failure to adequately address threats to participants’ electronic data. The good news is that group health plan sponsors that comply with HIPAA’s Security Rule and BAA requirements should be able to demonstrate to the DOL, if needed, that they have properly addressed cyber threats against their plans.

HIPAA Privacy and Security Rules

HIPAA’s Privacy Rule contains administrative safeguard requirements that effectively amount to mini-security obligations for certain group health plan sponsors. HIPAA also includes a complex and detailed Security Rule with which self-funded group health plans and insured group health plans that handle ePHI have had to comply for years.

The Office for Civil Rights (OCR) has previously provided tools and guidance that outline steps to comply with HIPAA’s rules based on a cybersecurity framework set forth by the National Institute of Standards and Technology (NIST). The NIST guidance directly addresses many of the items denoted in the new DOL guidance. Thus, a group health plan that builds its HIPAA compliance on NIST standards likely will satisfy most of the DOL’s newly stated best practices.

For example, HIPAA requires group health plans that are covered entities to execute BAAs with service providers who are business associates. HIPAA specifically mandates that the BAA include requirements that a business associate must:

  • ensure the confidentiality, integrity, and availability of all ePHI the business associate creates, receives, maintains, or transmits;
  • comply with the Security Rule’s administrative, physical and technical safeguards; and
  • satisfy the Security Rule’s policies and procedures and documentation requirements.

Further, if a business associate delegates any of its functions to a subcontractor that creates, receives, maintains, or transmits ePHI on behalf of the business associate, the business associate must enter into a written contract with the subcontractor to ensure that the subcontractor will agree to comply with the Security Rule. Again, following these HIPAA requirements should provide evidence that a group health plan sponsor has fulfilled its fiduciary duty relevant to the items set forth in recent DOL cybersecurity guidance.

The Security Rule further requires group health plans and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit, and to implement security measures sufficient to reduce those identified risks. So, many of the items the DOL cites in its recent guidance should already be part of a plan service provider’s (i.e., business associate’s) best practices and should help insulate a group health plan from DOL scrutiny under the new guidance.

Certain fully insured plans that neither create nor receive PHI (except for summary health information and enrollment information) are exempt from many of the Privacy Rule and Security Rule requirements for protecting electronic information. Even these plan sponsors still must:

  • Appoint a security officer
  • Conduct a risk analysis to show that all electronic PHI is in the hands of business associates or the plan sponsor
  • Develop risk management procedures to include responding to breaches of unsecured ePHI
  • Periodically evaluate whether anything has changed that would require a change in the risk analysis or risk management procedures
  • Ensure they have the appropriate business associate agreements and any necessary plan amendments that comply with the Security Rule

OCR also notes that group health plans that are subject to the HIPAA Security Rule must adopt security measures that include:

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks.
  • Employing procedures to guard against and detect malicious software.
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections.
  • Instituting access controls to limit access to ePHI to only those persons or software programs requiring access.

Taking the foregoing measures will help avoid potentially hefty HIPAA noncompliance penalties. Moreover, doing so should go a long way toward meeting the suggestions the DOL includes in its cybersecurity guidance.

OCR Ransomware Guidance

OCR has also released guidance for HIPAA covered entities to follow if besieged by a ransomware attack, and instructs that a compliant security incident response should determine:

  • The scope of the incident to identify what networks, systems, or applications are affected
  • The origination of the incident (who, what, where, when)
  • Whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment
  • How the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited)

These initial steps should allow the relevant entity to prioritize subsequent incident response actions and guide it in further analyzing the incident and its impact. Subsequent security incident response activities should include:

  • Containing the impact and propagation of the ransomware
  • Eradicating the instances of ransomware and mitigating or remediating the vulnerabilities that permitted the ransomware attack and its propagation
  • Recovering from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations
  • Conducting post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations due to the incident (such as providing notification of a breach of PHI), and incorporating any lessons learned into the overall security management process to improve incident response effectiveness for future security incidents. Part of a deeper analysis should involve assessing whether a breach of PHI resulted from the security incident.

Finally, OCR notes that the presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule and a breach, depending on the facts and circumstances of the attack.

Conclusion

Group health plans have become increasingly reliant on technology, particularly as workforces and workplaces have shifted to allow for more remote access through a greater number of channels during the COVID-19 pandemic. Amid escalating cyberattacks in this environment, the agencies tasked with enforcing ERISA fiduciary rules and HIPAA privacy and security rules have stepped up their efforts to ensure that plan sponsors know about, and are equipped to address, potential threats to sensitive and private participant information. The fines and costs of a breach involving ePHI can be high, so group health plan sponsors would be wise to revisit their responsibilities under HIPAA and to ensure that their required compliance measures address the recent DOL guidance.
