October is Cybersecurity Awareness Month. It is a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk, and to generate discussion on cyber threats on a national and global scale.
Employer Action Items
- Employers and plan sponsors should hire a consultant to assist in prudently selecting a service provider with strong cybersecurity practices, and subsequently monitoring the activities of any engaged provider.
- Employers should develop a cybersecurity program, along with essential best practices for privacy and security inside and outside their walls.
- Employers should also develop written privacy and security assuredness policies and procedures, governing the administration of confidential and protected health information, and to mitigate related, interconnected, and arising security risks.
- Employers should contemplate and explore cybersecurity insurance offerings, ideally underwriting such coverage prior to the occurrence of a cybersecurity event affecting the organization’s operations or data.
Summary
Employees are often targeted by cyberattacks. While it is important and beneficial for employers to foster a strong cybersecurity culture, the HIPAA Security Rule actually requires it!
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the performance of certain security preparedness operations by covered entities (“CE’s”). Performance of these preemptive preparedness operations is mandated by US Department of Health and Human Services (“HHS”) and The U.S. Department of Labor (“DOL”) regulations. A HIPAA covered entity’s failure to assure and provide evidence of the performance of these essential requirements is enforced by the cumulative efforts of the DOL and the Office for Civil Rights (“OCR”), the investigative and enforcement division of HHS charged with enforcement of HIPAA Privacy and Security, as well as enforcement of Title VII of the Civil Rights Act. The Security Rule requires that HIPAA Covered Entities:
- Ensure the confidentiality, integrity and availability of electronic personal information (e-PHI);
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
In September of 2024, the DOL updated current cyber security guidance previously released in 2021. This guidance applies to all types of plans governed by the Employee Retirement Income Security Act (“ERISA”), including health and welfare plans.
The release updates the 2021 guidance of the Employee Benefits Security Administration (“EBSA”) and includes the following:
- Tips for Hiring a Service Provider: helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices to monitor their activities, as ERISA requires.
Below we have provided an additional resource to assist CEs in creating and improving security preparedness operations and ensuring they are following the Security Rule.
Additional Resources
To obtain additional support for performance of these and other HIPAA requirements, as mandated by the Security and Privacy Rules, please reach out to your local service colleague or your client advisor. The Baldwin Group maintains an extensive suite of support solutions such as HIPAA Complete and advisory guidance capabilities respecting a covered entity’s performance of the HIPAA administrative simplification mandates. The BRCC also offers a carefully curated range of consultative and advisory support solutions related to the administration of US-based employee benefit plans, program, and other offerings.
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.
