There have been two important developments in the law applicable to the privacy and cybersecurity of group health plan participants’ health information. Plan sponsors must review plan policies and procedures, provider agreements and plan operations and make necessary changes as soon as possible to comply with these changes.

• The U.S. Department of Labor (DOL) has clarified in informal guidance that previously released recommendations on cybersecurity retirement plans covered by the Employee Retirement Income Security Act (ERISA) also apply to ERISA group health plans. (See our previous article on the DOL cybersecurity guidance for retirement plans.) In its new guidance, the DOL has simply confirmed that the recommended framework to protect retirement plan participants’ personal information applies to participant information held by group health plans.

As was the case for 401(k) plans and other retirement plans covered by ERISA, plan sponsors should consider the cybersecurity recommendations with respect to their group health plans and confirm that participant health information is protected consistent with DOL recommendations. Among other things, this may require a review of service provider agreements to ensure that adequate safeguards and remedies are in place.

• The U.S. Department of Health and Human Services (HHS) has issued a final rule clarifying and expanding privacy protections for reproductive health care under HIPAA. These protections include a new attestation process that will apply to certain requests for the disclosure of protected health information that may relate to reproductive health care.

The final rule requires action on the part of group health plan sponsors to implement certain documentary and operational changes no later than December 23, 2024. At a minimum, group health plan sponsors must:

1. Revise policies and procedures to describe how plans will comply with the final rule and train responsible workforce members on the new policies and procedures;
2. Implement operational changes to provide for the new attestation process, including development of an attestation form (HHS has provided a model for this purpose); and
3. Confirm that business associates such as third-party administrators have in place the required framework to comply with the new rule. On this point, business associate agreements may need to be re-visited specifically to ensure that health plan business associates will comply with the final rule on behalf of the group health plan.

Eventually, notices of privacy practices will need to be revised to include these protections; however, this prong of the final rule is not effective until February 16, 2026. Also, as is the case with many regulatory changes these days, legal challenges to the final rule are pending. Plan sponsors should stay tuned for further developments in this area.