Categories: Employee Benefits, Technology

Today, Law360 published our article “Considering Best Data Practices for ERISA Fiduciaries.” (Download the full article in PDF format.)

In this article, we outline steps that ERISA plan fiduciaries can take to develop a policy concerning protection of plan data and prudent selection and monitoring of plan service providers who handle PII.  Benefit plan service providers, including technology-based outsourcing companies, should also consider these important guidelines and implement the appropriate safeguards to protect against infringement of plan and participant data.  These issues must be addressed in service arrangements and will continue to evolve.

Following is an excerpt:

Employee benefit plan fiduciaries are charged with meeting a prudence standard when discharging their duties solely in the interest of plan participants and beneficiaries. With increasing regulation of benefit plans, these duties and associated responsibilities are mounting. With advancements in technology, online enrollment and access to account information, as well as benefit plan transaction processing, participant identifiable information and data have become increasingly more vulnerable to attack as it travels through employer and third-party systems.

Earlier this year, the attack on Anthem Inc.'s information technology system, which compromised the personal information of individuals under numerous health plans (including personally identifiable information, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act, and there have been other similar attacks.

These cases remind us that in today’s world, plan participant information, whether it be protected health information, personally identifiable information or retirement savings account information, is vulnerable to theft. Employee Retirement Income Security Act plan fiduciaries must not only act prudently in responding to a breach of their plan participants’ PHI, but should also consider developing prudent policies and procedures with respect to the handling and transmission of all PII and participant data in the regular course.

In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans studied the importance of addressing privacy and security issues with respect to employee benefit plan administration. The council examined issues and concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII and the impact on all parties, including plan sponsors, service providers, participants and beneficiaries. The council recognized several potential causes of breaches relating to benefit plan information, including hacking into retirement plan financial data, and recommended that the U.S. Department of Labor provide guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the the Department of Labor has issued no such guidance.

Tags: Advisory Council on Employee Welfare and Pension Benefit Plans, August Emil Huelle, data privacy, ERISA Fiduciaries, HIPAA, Michelle Capezza, PHI, PII
Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.