Compliance News | October 28, 2024

DOL Guidance on Cybersecurity Extended to Health Plans

The DOL has extended application of three pieces of guidance on reducing cybersecurity risks in ERISA retirement plans to cover all employee benefit plans, including health and welfare plans. The DOL also updated the guidance to include additional requirements.

Although governmental health and retirement plans are not subject to ERISA fiduciary rules or DOL requirements, the DOL guidance on cybersecurity practices provides recommendations and best practices, which can serve as practical and valuable guidance to governmental plans.

Health plans are already governed by the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the breach notification requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Group health plan sponsors now must ensure that their cybersecurity practices meet the requirements of both HIPAA/HITECH and the updated DOL guidance.

The guidance

The three pieces of guidance, as named elsewhere in this insight, are:

  • Tips for Hiring a Service Provider with Strong Cybersecurity Practices
  • Cybersecurity Program Best Practices
  • Online Security Tips

We discussed this guidance in our April 21, 2021 insight, “DOL Guidance on Cybersecurity Covers Best Practices and Tips.”

The updates

The updated guidance is the same as that issued for retirement plans in 2021, with a few additions that apply to all ERISA plans:

  • Cybersecurity best practices require strong access control procedures.
  • The DOL has added several new requirements concerning multi-factor authentication (MFA), which will enhance and expand use of MFA on plan networks.
  • The guidance also adds a best practice for strong and unique employee passwords.
  • With respect to the best practice of responsiveness to cybersecurity incidents or breaches, the DOL adds a requirement to notify participants, without unreasonable delay, of any unauthorized acquisition of their personal data, including protected health information (PHI) and personally identifiable information (PII).
  • The best practices now also include references for security requirements from HHS and the Cybersecurity and Infrastructure Security Agency.

In its Online Security Tips guidance, the DOL emphasizes use of strong and unique passwords, adding recommendations to not use common passwords and to change passwords annually or if there is a security breach. It notes that the National Institute of Standards and Technology (NIST) suggests favoring longer passwords instead of requiring regular and frequent password resets.

HIPAA and the updated DOL cybersecurity guidance

Group health plan sponsors are already subject to HIPAA and HITECH, which require that plans protect the privacy and security of PHI and report breaches of unsecured PHI to HHS. In 2022, the ERISA Advisory Council studied whether additional DOL cybersecurity guidance was necessary. Its report noted that HHS can audit health plans for compliance, resolve compliance failures through agreements with covered entities and business associates, and impose civil monetary penalties. Individuals may also file complaints against covered entities with HHS.

Nevertheless, the ERISA Advisory Council recommended that the DOL clarify that the “Cybersecurity Program Best Practices and Tips for Hiring a Service Provider with Strong Cybersecurity Practices” applies to health benefit plan fiduciaries. Additionally, the ERISA Advisory Council recommended that the DOL indicate the extent to which compliance with HIPAA and HITECH satisfies any of the recommended practices in Best Practices and Tips. The council noted that this issue is important and requires further study.

There are some significant differences between the updated DOL guidance and HIPAA/HITECH. In general, HIPAA and HITECH are much more detailed in how PHI and ePHI must be protected. Furthermore, under a 2021 law, when enforcing the HIPAA security rule, HHS will consider the extent to which a covered entity (or business associate) has followed “recognized security practices” for (at least) the previous 12 months, including standards, guidelines, best practices, methodologies, procedures and processes developed under the NIST Act.

However, the DOL guidance appears to require plans to take steps beyond those required under HIPAA/HITECH. Most importantly, the best practices require annual risk assessments, while HIPAA requires security assessments on a periodic basis or when there is a change in how ePHI is used, such as a new system, new hardware or the use of new mobile devices.

Similarly, the best practices require a reliable annual third-party audit of security controls. HIPAA does not require that an audit be conducted by a third party. Additionally, HIPAA requires service providers to sign business associate agreements that bind them to the same security rules as the health plan. The DOL’s Tips for Hiring a Service Provider appear to require plans to ask service providers further questions beyond confirming that a business associate agreement is in place.

Health plan sponsors have not received guidance from the DOL on how best to reconcile their dual obligations under the detailed HIPAA and HITECH rules and the DOL’s cybersecurity guidance.

Implications for plan sponsors

Plan sponsors that are accustomed to addressing security within the HIPAA/HITECH framework must now add a further layer of compliance with the DOL cybersecurity guidance. While it is unclear to what extent compliance with HIPAA/HITECH would satisfy the DOL guidance, the DOL does appear to require additional steps, including annual risk assessments, third-party security audits and questions to service providers beyond the existing business associate agreements.

It is likely that when auditing health plans, the DOL will expect compliance with its best practices guidance, regardless of the plan’s HIPAA/HITECH compliance. Consequently, plan sponsors may wish to review their current practices to bring them into compliance with the practices the DOL has identified. Meanwhile, plans now face dual enforcement oversight since health plans could also be audited by HHS for HIPAA/HITECH compliance.

Health plan sponsors must continue to ensure that their plan is in compliance with the HIPAA privacy and security rules and HITECH, including implementing new rules concerning access to reproductive health PHI, which we discussed in our May 16, 2024 insight, “New HIPAA Rule Will Require Updates to Policies and Notices.” Important parts of HIPAA compliance include adopting policies and procedures, issuing a HIPAA Notice of Privacy Practices, and assuring that all individuals in the workforce who use or disclose PHI are trained on the plan’s practices.

Additionally, plan sponsors should review existing insurance policies and determine whether cybersecurity insurance would be appropriate.
