Guidance on Benefit Plan Cybersecurity Best Practices

Plan participants now enroll, change elections, review benefits, apply for plan loans and hardship distributions, and access account information through websites and cellphone apps. As electronic access to plan information has increased, so has the interest of hackers in obtaining the wealth of information stored electronically. Recently, the DOL’s Employee Benefits Security Administration (the “EBSA”) issued the following cybersecurity guidance documents to help plan sponsors comply with their duties to protect plan information:

Tips for Hiring a Service Provider with Strong Cybersecurity Practices: These tips are intended to help plan sponsors and plan fiduciaries meet their duties under ERISA to prudently select and monitor service providers. They include a list of questions to ask and considerations to make when evaluating potential service providers.

Cybersecurity Program Best Practices: This guidance provides a list of 12 best practices intended to help plan fiduciaries mitigate cybersecurity risks and make prudent decisions when selecting… Continue Reading

OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI

In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices.

Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance:

A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading
