Benefits Monthly Minute
The September Monthly Minute highlights the DOL’s extension of existing cybersecurity guidance to health and welfare plans and also addresses the new HIPAA reproductive health privacy rule.
DOL Extends Existing Cybersecurity Guidance to Health & Welfare Plans
It’s not déjà vu. And your eyes don’t deceive you. As reported in the April 2021 Monthly Minute, the DOL previously issued cybersecurity guidance to help plan sponsors, fiduciaries, service providers, and participants safeguard retirement plan data, personal information, and plan assets. Through its new Compliance Assistance Release No. 2024-01, the DOL extends its 2021 cybersecurity guidance to all types of ERISA plans -- including health and welfare plans – and not just retirement plans. To this end, the prior three-part compliance guidance has been re-released with minor adjustments to reflect its applicability to health and welfare plans. As a reminder, the three-part guidance consists of the following --
- Tips for Hiring a Service Provider: These tips are designed to help plan sponsors and fiduciaries prudently select service providers with strong cybersecurity practices and to help monitor their activities.
- Cybersecurity Program Best Practices: The best practices are geared towards use by recordkeepers and other service providers responsible for plan-related IT systems and data, and are intended to help plan fiduciaries make prudent decisions with respect to hiring service providers and managing cybersecurity risks.
- Online Security Tips: This guidance offers plan participants and beneficiaries security tips and basic rules to help reduce the risk of fraud and loss of personal data and assets.
After more than three years in circulation, applying the DOL cybersecurity guidance to health and welfare plans hopefully involves a less steep learning curve than its initial retirement plan implementation.
KMK Comment: It’s important to note that by extending its cybersecurity guidance, the DOL is reaching not just health plans, but also dental, vision, life, disability and other ERISA welfare plans. This seemingly minor adjustment significantly increases the scope of coverage, far beyond the guidance’s initial reach and also beyond HIPAA’s coverage of group health plans (and other covered entities). Furthermore, while HIPAA focuses on compliance by covered entities and business associates, the DOLs cybersecurity guidance targets plan sponsors and fiduciaries, and suggests a corresponding duty to monitor service providers’ cybersecurity practices. Plan fiduciaries should give priority to reviewing this guidance with service providers and legal counsel to promptly apply it to health and welfare plans.
New HIPAA Privacy Rule Requires Action Before Year End
Earlier this year, HHS issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy which significantly strengthens privacy protections relating to reproductive health care (which is not limited to abortions). This Final Rule prohibits the use or disclosure of protected health information (PHI) by a covered entity – including an employer-sponsored group health plan – or its business associate (collectively called “regulated entities” in this guidance), for either of the following activities:
- To conduct an investigation into or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of conducting such investigation or imposing such liability.
The prohibition generally applies where a regulated entity has reasonably determined that at least one of the following conditions exists:
- The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
- The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
- The reproductive health care was provided by a person other than the regulated entity that receives the request for PHI and the presumption described below applies.
- Reproductive health care provided by a person other than the regulated entity receiving the request is presumed to be lawful under the circumstances in which it was provided unless --
- The regulated entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or
- The regulated entity receives factual information from the requesting party that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.
- Reproductive health care provided by a person other than the regulated entity receiving the request is presumed to be lawful under the circumstances in which it was provided unless --
The Final Rule notably adds an attestation requirement for permissible uses and disclosures of PHI for purposes of health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. If the requested PHI potentially relates to reproductive health care for these types of requests, then the regulated entity must receive a valid attestation (subject to specific content requirements) from the requesting party.
Importantly, the Final Rule also requires Notice of Privacy Practices (NPP) revisions to support reproductive health care privacy and requires NPP revisions to address Confidentiality of Substance Use Disorder (SUD) Patient Records (“Part 2 NPRM”), as required under the CARES Act.
KMK Comment: Compliance with the new Final Rule is required by December 23, 2024 (except with respect to NPP updates which are not required until February 2026). This means regulated entities (including group health plans) will want to take action now to ensure business associate agreements, HIPAA policies and procedures, as well as HIPAA trainings adhere to the Final Rule requirements addressing enhanced privacy for reproductive health matters.
The KMK Law Employee Benefits & Executive Compensation Group is available to assist with these and other issues.
Lisa Wintersheimer Michel
513.579.6462
lmichel@kmklaw.com
John F. Meisenhelder
513.579.6914
jmeisenhelder@kmklaw.com
Antoinette L. Schindel
513.579.6473
aschindel@kmklaw.com
Kelly E. MacDonald
513.579.6409
kmacdonald@kmklaw.com
Rachel M. Pappenfus
513.579.6492
rpappenfus@kmklaw.com
KMK Employee Benefits and Executive Compensation email updates are intended to bring attention to benefits and executive compensation issues and developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.