ARTICLE
6 November 2024

Benefits Monthly Minute

Keating Muething & Klekamp

Contributor

Keating Muething & Klekamp PLL is a nationally recognized law firm of approximately 130 lawyers in Cincinnati, Ohio. We deliver sophisticated legal solutions to individuals and businesses of all sizes — from start-up companies to Fortune 50 corporations. While the firm has primarily built its reputation in the tri-state area, including Ohio, Kentucky, and Indiana, our unwavering client-first approach has helped us establish a national and international presence.

Since 1954, KMK Law has been a pillar of the Cincinnati community. The attorneys and staff at KMK Law have dedicated themselves to serving as trusted advisors for private and public companies, nonprofits, charity-focused organizations, and individuals from every walk of life. Whether our counsel is to a multi-billion dollar company, or an individual working to make sure their life’s work is protected for their family and the organizations they support, we are proud and honored to help those clients achieve their aspirations, every time.

The September Monthly Minute highlights the DOL's extension of existing cybersecurity guidance to health and welfare plans and also addresses the new HIPAA reproductive health privacy rule.

DOL Extends Existing Cybersecurity Guidance to Health & Welfare Plans

It's not déjà vu. And your eyes don't deceive you. As reported in the April 2021 Monthly Minute, the DOL previously issued cybersecurity guidance to help plan sponsors, fiduciaries, service providers, and participants safeguard retirement plan data, personal information, and plan assets. Through its new Compliance Assistance Release No. 2024-01, the DOL extends its 2021 cybersecurity guidance to all types of ERISA plans, including health and welfare plans, and not just retirement plans. To this end, the prior three-part compliance guidance has been re-released with minor adjustments to reflect its applicability to health and welfare plans. As a reminder, the three-part guidance consists of the following:

  • Tips for Hiring a Service Provider: These tips are designed to help plan sponsors and fiduciaries prudently select service providers with strong cybersecurity practices and to help monitor their activities.
  • Cybersecurity Program Best Practices: The best practices are geared towards use by recordkeepers and other service providers responsible for plan-related IT systems and data, and are intended to help plan fiduciaries make prudent decisions with respect to hiring service providers and managing cybersecurity risks.
  • Online Security Tips: This guidance offers plan participants and beneficiaries security tips and basic rules to help reduce the risk of fraud and loss of personal data and assets.

After more than three years in circulation, applying the DOL cybersecurity guidance to health and welfare plans hopefully involves a less steep learning curve than its initial retirement plan implementation.

KMK Comment: It's important to note that by extending its cybersecurity guidance, the DOL is reaching not just health plans, but also dental, vision, life, disability and other ERISA welfare plans. This seemingly minor adjustment significantly increases the scope of coverage, far beyond the guidance's initial reach and also beyond HIPAA's coverage of group health plans (and other covered entities). Furthermore, while HIPAA focuses on compliance by covered entities and business associates, the DOL's cybersecurity guidance targets plan sponsors and fiduciaries, and suggests a corresponding duty to monitor service providers' cybersecurity practices. Plan fiduciaries should give priority to reviewing this guidance with service providers and legal counsel to promptly apply it to health and welfare plans.

New HIPAA Privacy Rule Requires Action Before Year End

Earlier this year, HHS issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which significantly strengthens privacy protections relating to reproductive health care (which is not limited to abortions). This Final Rule prohibits the use or disclosure of protected health information (PHI) by a covered entity (including an employer-sponsored group health plan) or its business associate (collectively called "regulated entities" in this guidance), for either of the following activities:

  • To conduct an investigation into or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of conducting such investigation or imposing such liability.

The prohibition generally applies where a regulated entity has reasonably determined that at least one of the following conditions exists:

  • The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
  • The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
  • The reproductive health care was provided by a person other than the regulated entity that receives the request for PHI and the presumption described below applies.
    • Reproductive health care provided by a person other than the regulated entity receiving the request is presumed to be lawful under the circumstances in which it was provided unless:
      • The regulated entity has actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided, or
      • The regulated entity receives factual information from the requesting party that demonstrates a substantial factual basis that the reproductive health care was not lawful under the circumstances in which it was provided.

The Final Rule notably adds an attestation requirement for permissible uses and disclosures of PHI for purposes of health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. If the requested PHI potentially relates to reproductive health care for these types of requests, then the regulated entity must receive a valid attestation (subject to specific content requirements) from the requesting party.

Importantly, the Final Rule also requires Notice of Privacy Practices (NPP) revisions to support reproductive health care privacy and requires NPP revisions to address Confidentiality of Substance Use Disorder (SUD) Patient Records ("Part 2 NPRM"), as required under the CARES Act.

KMK Comment: Compliance with the new Final Rule is required by December 23, 2024 (except with respect to NPP updates which are not required until February 2026). This means regulated entities (including group health plans) will want to take action now to ensure business associate agreements, HIPAA policies and procedures, as well as HIPAA trainings adhere to the Final Rule requirements addressing enhanced privacy for reproductive health matters.

The KMK Law Employee Benefits & Executive Compensation Group is available to assist with these and other issues.

Originally published September 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
