DOL Confirms Cybersecurity Guidance Covers All Employee Benefit Plans
The DOL’s Employee Benefits Security Administration (EBSA) confirms that the cybersecurity guidance it issued in April 2021 applies to all employee benefit plans, including health and welfare plans. Here’s what you need to know:
Bottom Line First
EBSA confirms that its cybersecurity guidance covers all ERISA plans, including health and welfare plans.
Updated Guidance
EBSA has clarified that the 2021 guidance applies to all types of ERISA plans. The guidance includes:
- Hiring a Service Provider: Guidance for plan sponsors and fiduciaries to select service providers with robust cybersecurity measures, as required by ERISA.
- Cybersecurity Program Best Practices: Recommendations for fiduciaries and record-keepers to handle risks effectively.
- Online Security Tips: Basic advice for plan participants to protect themselves when accessing benefit information online.
Additional Guidance
The Department of Health and Human Services offers publications to help health plans and their service providers maintain strong cybersecurity practices, including:
- Health Industry Cybersecurity Practices: Strategies for managing threats in healthcare.
- Technical Volume 1: Guidance for small healthcare organizations.
- Technical Volume 2: Guidance for medium and large healthcare organizations.
Background
In 2021, EBSA published guidance to assist plan sponsors, fiduciaries, service providers, and participants in protecting sensitive plan data and personal information. Since then, confusion has arisen about whether the guidance applies only to retirement plans; over the years, health and welfare plan service providers have told EBSA investigators that they believe it does.
In 2022, the Department of Labor’s ERISA Advisory Council recommended that EBSA clarify that the guidance includes health benefit plans. This clarification emphasizes the importance of comprehensive cybersecurity measures across all employee benefit plans and ensures that sensitive data, whether held by retirement or health and welfare plans, is safeguarded.
Leverage this guidance to gain a deeper understanding of your cybersecurity obligations. Ensure you review its guidelines to strengthen your security measures and protect sensitive health information.
Start today by integrating HIPAA10 into your cybersecurity strategy to protect both your health and welfare plans and their members.