Benefits Monthly Minute - December 2023

Happy Holidays! The December Monthly Minute includes a fiduciary checkup reminder and a look at HHS’ recent settlement stemming from a phishing attack that impacted ePHI of nearly 35,000 individuals.

Year End Fiduciary Checkup

As 2023 comes to a close and a new year is around the corner, it’s a good time for a fiduciary checkup. Recall that ERISA’s fiduciary rules incorporate a broad definition of the term “fiduciary.” It is a functional definition that sweeps in those with control over plan assets as well as those who exercise discretion as to plan administration. The standard of conduct for plan fiduciaries is very high, and a reasonable expert (rather than a reasonable person) standard often applies. Moreover, ERISA plan fiduciaries may be personally liable for breaches of fiduciary duties.

With these thoughts in mind, it is important to review fiduciary status among ERISA plan administrators and service providers, confirm that responsibilities have been appropriately allocated or delegated, and that contracts specify the extent to which fiduciary status is assumed and the responsibilities attendant to said status. Other important aspects of a fiduciary checkup include monitoring plan service providers and others to whom fiduciary responsibilities have been allocated, evaluating cybersecurity and related risks, assessing plan expenses (including the reasonableness of plan costs and participant fees, as well as conducting medical plan claim audits), and considering whether or not a request for proposals (RFP) should be conducted.

In addition, plan fiduciaries must pay close attention to the latest developments in ERISA plan compliance (ranging from long-term part-time employee status to health plan transparency requirements), monitor trends in ERISA litigation (e.g., 401(k) fee cases and defective COBRA notice class actions), and ensure compliance with a multitude of reporting and disclosure requirements (Form 5500, SPDs, SBCs, SARs, etc.). Of course, the best laid plans are of little use without clear documentation, making it essential for fiduciaries to document their compliance with fiduciary duties.

KMK Comment: While certain fiduciary duties arise only every several years, such as contract negotiations and RFPs, many other duties entail regular attention and ongoing review, such as regularly monitoring the performance of investment funds and diligently keeping minutes of fiduciary actions. ERISA plan fiduciaries should work with counsel to ensure fiduciary duties are appropriately delegated, satisfied and well documented.

HHS Reels in Phishing Attack Settlement

Earlier this month, HHS announced a settlement with a Louisiana medical group resolving an investigation following a phishing attack that affected the electronic protected health information (ePHI) of nearly 35,000 individuals. For those arriving late to the cybersecurity party, phishing is a type of cybersecurity attack that tricks individuals into disclosing sensitive information by impersonating a trustworthy source. This is the very first settlement HHS has resolved involving a phishing attack under the HIPAA Rules.

The HHS investigation was launched following a May 2021 breach report filed with HHS stating that a successful phishing attack in March 2021 led to unauthorized access to an email that contained ePHI. The investigation revealed that, prior to the 2021 reported breach, the medical group failed to conduct a risk analysis to identify potential threats or vulnerabilities to ePHI as required by HIPAA, and further, the medical group had no policies or procedures in place to review information system activity to thwart cyberattacks. The noteworthy settlement requires the medical group to pay $480,000 and to implement a corrective action plan that includes establishing and implementing security measures to reduce security risks to ePHI, developing and revising policies and procedures to comply with the HIPAA Rules, and providing training to all staff who have access to PHI. The medical group’s corrective action plan will be monitored by HHS for two years.

KMK Comment: Through its privacy and security provisions, HIPAA provides benefit plans with a general framework to identify vulnerabilities and protect the security of health information. It is imperative for group health plans to periodically review their HIPAA policies and procedures and ensure their workforce is adequately trained, both to protect against cyberattacks and to demonstrate compliance to HHS investigators in the event of a breach-related investigation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Keating Muething & Klekamp PLL | Attorney Advertising

Written by:

Keating Muething & Klekamp PLL