In mid-April, the DOL issued cybersecurity guidance for plan sponsors that set forth its expectations about how to protect the information they maintain for participants in their benefit plans. The guidance is tailored to retirement plans, although it applies to all plan sponsors and fiduciaries regulated by ERISA, which would include plan sponsors of health and welfare benefit plans as well. The guidance is broken into three sections:
- Tips for hiring a Service Provider, which focuses on the security controls and practices that plan sponsors should pay attention to when they contract with vendors for purposes of record-keeping or data storage;
- Cybersecurity Program Best Practices, which is aimed at plan fiduciaries and the vendors they use for record-keeping; and
- Online Security Tips, which gives plan participants tips for how to keep their sensitive information in online accounts secure.
After reviewing the guidance, many employers have wondered what compliance obligations they may have with respect to the recommendations. Officially, the guidance is structured as “best practices,” and while it does not have the force of law or regulation, it seems clear that the DOL is communicating what its expectations are from an oversight perspective. Therefore, plan sponsors should pay attention to the tips for hiring Service Providers and should take appropriate steps to ensure that their vendors are utilizing the types of practices outlined in the first two sections. Plan sponsors may also want to review their own cybersecurity practices in light of these recommendations. Perhaps conveniently, many of the security practices described in the first two sections of the guidance parallel what is already required for covered entities and business associates under HIPAA’s security rules; therefore, for plan sponsors and business associates who already have HIPAA compliance programs in place, many of the requirements should look familiar to existing security controls. For example, in the guidance for Service Providers, the DOL sets expectations that service providers will have documented cybersecurity programs, conduct risk analyses, develop disaster recovery/business continuity plans, implement access control procedures, and establish defined roles and responsibilities – all requirements under HIPAA. However, although similar, the DOL cybersecurity best practices do differ in some ways from HIPAA security obligations, so employers should be sure that they are addressing both sets of requirements in full.
In addition, employers have wondered whether there are any distribution requirements with respect to the third section, which is aimed directly at plan participants. There is nothing in the guidance that mandates employers to distribute the notice, but from a practical perspective, communicating this information to plan participants would be prudent and helpful. And we have an idea about a relatively simple way for employers to accomplish this.
Again, leveraging what many employers likely already have in place to comply with HIPAA’s security requirements, it may make sense for plan sponsors to leverage their existing HIPAA Security Awareness Training programs (which should be provided to all employees) and incorporate the DOL’s best practices into that delivery mechanism.
The DOL’s guidance includes the following tips for participants:
- Register, set up and routinely monitor their online account (Note: In the health plan world, this could refer to online accounts with providers; Health Savings Accounts; or online benefits/enrollment systems.)
- Use strong and unique passwords
- Use multi-factor authentication
- Keep personal contact information current
- Close or delete unused accounts
- Be wary of free Wi-Fi
- Beware of phishing attacks
- Use antivirus software and keep apps and software current
- Know how to report identity and cybersecurity incidents
Many of these practices parallel what companies may already be communicating to employees through security awareness training programs and other communications such as Acceptable Use Policies or Work from Home/Remote Work Policies. Therefore, it would be a good idea to review existing communications to ensure that they incorporate the items on the DOL’s list.
For employers who do not already have security awareness training programs in place, this is something to address, as it is a requirement under HIPAA that would apply to any employer sponsoring a medical plan (and/or other health plan) for its employees. For employers that need assistance with HIPAA’s requirements, Benefit Comply offers several products that can help meet this need. For more information, please visit our HIPAA services website at: https://benefitcomply.com/hipaa/.