OR-2.1: Requirements for Group Health Plans to Safeguard ePHI
Group health plans must contractually require plan sponsors to safeguard all ePHI created, received, maintained, or transmitted on their behalf. This control establishes the legal and operational framework for protecting patient health information at the plan sponsor level. Non-compliance exposes your organization to HIPAA violations, audit findings, and potential breach liability.
What this means
OR-2.1 mandates that group health plans implement safeguards through plan documents requiring plan sponsors to reasonably and appropriately protect ePHI in their custody. This applies to all ePHI exchanges except those falling under specific limited disclosure exceptions (§164.504(f)(1)(ii) or (iii)). The control shifts accountability to plan sponsors while keeping the health plan responsible for ensuring those safeguards are documented and enforced.
How to comply
- 1.Review all group health plan documents and identify ePHI handling provisions
- 2.Add explicit language requiring plan sponsors to implement safeguards consistent with HIPAA Security Rule standards
- 3.Document the list of ePHI types that plan sponsors will access, create, or maintain on behalf of the plan
- 4.Identify and document any ePHI disclosures that qualify for exceptions under §164.504(f)(1)(ii) or (iii)
- 5.Establish a process to communicate safeguard requirements to plan sponsors during onboarding
- 6.Conduct annual reviews of plan documents to ensure safeguard language remains current and compliant
- 7.Maintain evidence of plan sponsor acknowledgment and acceptance of safeguard obligations
Evidence auditors look for
- Signed group health plan documents with safeguard requirements sections
- Plan sponsor agreements or Business Associate Agreements referencing ePHI protection obligations
- Documentation of ePHI data flows between plan and plan sponsors
- Records of plan sponsor training or certification on ePHI handling requirements
- Annual plan document reviews with dates and evidence of safeguard requirement verification
- Exception documentation for any ePHI disclosures under §164.504(f)(1)(ii) or (iii)
- Communications to plan sponsors outlining specific safeguard expectations and timelines
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's control mapping engine automatically tracks OR-2.1 language across your plan documents, flags gaps in safeguard requirements, and generates audit-ready evidence of plan sponsor acknowledgment—eliminating manual document reviews.
See how GRCWatch handles this control automatically
Start free trial