By Tim Marlin, Private Company D&O and Fiduciary Product Manager
& Tom Kang, Cyber Liability Product Manager
Over the last year there have been many high-profile, highly publicized cyber-attacks on many different types of companies. National retail chains, banks, electronics brands and, most recently, health insurers have been among the targets of cyber-attacks in which personal information was stolen by hackers. While each of these attacks caused problems for the companies and individuals involved, breaches involving health insurers raise broader issues for the plan sponsors that used their services.
These breaches are notable not just because of their size, which could affect a combined 90 million Americans, but also because of the reach of the obligations they trigger. Because the target was a provider of health insurance plans, the attack raises fiduciary issues under the Employee Retirement Income Security Act (ERISA) as well as potential privacy issues under the Health Insurance Portability and Accountability Act (HIPAA).
As a starting point, plan sponsors should determine whether either breach affects their beneficiaries and if so, take all steps necessary to protect those beneficiaries, including meeting all state and federal requirements and disclosure obligations.
ERISA fiduciary obligations of plan sponsors
Under ERISA, fiduciaries must act in the best interest of the plan participants and ensure that the plan complies with all applicable statutes and regulations. As noted by the U.S. Department of Labor, “fiduciary status is based on the functions performed for the plan, not just a person’s title.”
As such, many entities or individuals can be considered fiduciaries under ERISA and thus may be responsible for meeting certain obligations when a data breach involves a firm that provides healthcare or other employee benefits, or a firm that provides administrative services to a 401(k) plan or any other type of retirement, healthcare or employee benefit plan. These obligations include the plan sponsor’s responsibility to act prudently to protect the personal information of its plan beneficiaries and to minimize harm in the event of a breach.
Other statutory obligations
In addition to fiduciary obligations under ERISA, a breach involving any benefit plan or plan provider may trigger other statutory obligations. For example, HIPAA requires “covered entities” and their “business associates” to ensure the privacy and security of Protected Health Information (PHI).
However, the fiduciary’s responsibilities under HIPAA may vary depending on its contractual relationship with the provider. If a provider is merely administering the group health plan, the plan may be considered a “covered entity” under HIPAA and ultimately responsible for the protection of PHI and notifying affected individuals in the event of a breach.
Alternatively, if the group health plan is fully insured by either company, the plan could be a “business associate”, which may not have any notification obligations beyond notifying the covered entity.
It is imperative that the fiduciary and plan sponsor understand the contractual relationship with the benefits provider, so that they can appropriately comply with applicable privacy statutes. In addition to HIPAA, there are 47 state breach notification statutes that may impose notification requirements even if HIPAA does not apply.
Responding to a breach
Given the complex nature of these issues, health insurance plan sponsors affected by this type of breach should consult with their insurance plan provider, plan administrators and legal counsel in order to fully understand their responsibilities and obligations, including those under ERISA and HIPAA, and to determine the best course of action to protect plan beneficiaries. Finally, plan sponsors should properly document all the actions they take in case they are later questioned about their breach response.