DOL Confirms Cybersecurity Guidance Covers All Employee Benefit Plans

By Brooke Salazar, JD Sr. Director of Compliance

on September 19, 2024

Share:

The DOL’s Employee Benefits Security Administration (EBSA) confirms that the cybersecurity guidance it issued in April 2021 applies to all employee benefit plans, including health and welfare plans. Here’s what you need to know:

Bottom Line First

EBSA confirms that its cybersecurity guidance covers all ERISA plans, including health and welfare plans.

Updated Guidance

EBSA has clarified that the 2021 guidance applies to all types of ERISA plans. The guidance includes:

1. 1. Hiring a Service Provider: Guidance for plan sponsors and fiduciaries to select service providers with robust cybersecurity measures, as required by ERISA.
  2. Cybersecurity Program Best Practices: Recommendations for fiduciaries and record-keepers to handle risks effectively.
  3. Online Security Tips: Basic advice for plan participants to protect themselves when accessing benefit information online.

Additional Guidance

The Department of Health and Human Services offers publications to help health plans and their service providers maintain strong cybersecurity practices, including:

Health Industry Cybersecurity Practices: Strategies for managing threats in healthcare.
Technical Volume 1: Guidance for small healthcare organizations.
Technical Volume 2: Guidance for medium and large healthcare organizations.

Background

In 2021, EBSA published guidance to assist plan sponsors, fiduciaries, service providers, and participants in protecting sensitive plan data and personal information. Since then, confusion arose about whether the guidance applied exclusively to retirement plans, prompting a recommendation from the ERISA Advisory Council in 2022 for EBSA to clarify its stance. Over the years, health and welfare plan service providers have told EBSA investigators that they believe this guidance only applies to retirement plans.

In 2022, the Department of Labor’s ERISA Advisory Council recommended that EBSA clarify the guidance to include health benefit plans. This clarification emphasizes the importance of comprehensive cybersecurity measures across all employee benefit plans. This ensures that sensitive data, whether for retirement or health and welfare plans, is safeguarded.

Leverage this guidance to gain a deeper understanding of your cybersecurity obligations. Ensure you review its guidelines to strengthen your security measures and protect sensitive health information.

Start today by integrating HIPAA10 into your cybersecurity strategy to protect both your health and welfare plans and its members.

More From the Blog

View all

A Timeline of the AHP Final Rule and Recent Litigation

On June 21, 2018, the Department of Labor (“DOL”) published an Association Health Plan Final Rule (“AHP Final Rule” or “Final Rule”) expanding the definition of “employer” under ERISA Section 3(5) for purposes of determining…

DOL Releases Second Guidance on Recent AHP Litigation

In response to the recent litigation surrounding association health plans (“AHPs”), the Department of Labor (“DOL”) released its second guidance on May 13, 2019, regarding the United States District Court for the District of Columbia’s…

$3 million settlement, HIPAA breach affects 300,000 individuals’ PHI

On May 6, 2019, the U.S. Department of Health and Human Services (“HHS”) announced a $3 million settlement with Touchstone Medical Imaging (“Touchstone”) for potential violations under the Health Insurance Portability and Accountability Act (“HIPAA”)…

Products

Products by Name

Solutions by Role

Solutions by Need

Solutions by Industry

About

Resources

Terms of Use Privacy Policy

2025 State of Workplace Empathy Report

Schedule a 20-minute demo