The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a HIPAA enforcement action against an employer-sponsored group health plan. The action resulted in a payment to HHS of $245,000 and a two-year corrective action plan. While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not as common. This case, coupled with DOL guidance for ERISA fiduciaries concerning cybersecurity, underscores a growing regulatory focus not only on traditional healthcare entities, but also on the plans and ecosystems maintained by employers under ERISA.

Check out the full post in our Benefits Law Advisor.