GRCWatch
Sign inStart free trial

OR-2.1: Requirements for Group Health Plans to Safeguard ePHI

Group health plans must contractually require plan sponsors to safeguard all ePHI created, received, maintained, or transmitted on their behalf. This control establishes the legal and operational framework for protecting patient health information at the plan sponsor level. Non-compliance exposes your organization to HIPAA violations, audit findings, and potential breach liability.

What this means

OR-2.1 mandates that group health plans implement safeguards through plan documents requiring plan sponsors to reasonably and appropriately protect ePHI in their custody. This applies to all ePHI exchanges except those falling under specific limited disclosure exceptions (§164.504(f)(1)(ii) or (iii)). The control shifts accountability to plan sponsors while keeping the health plan responsible for ensuring those safeguards are documented and enforced.

How to comply

  1. 1.Review all group health plan documents and identify ePHI handling provisions
  2. 2.Add explicit language requiring plan sponsors to implement safeguards consistent with HIPAA Security Rule standards
  3. 3.Document the list of ePHI types that plan sponsors will access, create, or maintain on behalf of the plan
  4. 4.Identify and document any ePHI disclosures that qualify for exceptions under §164.504(f)(1)(ii) or (iii)
  5. 5.Establish a process to communicate safeguard requirements to plan sponsors during onboarding
  6. 6.Conduct annual reviews of plan documents to ensure safeguard language remains current and compliant
  7. 7.Maintain evidence of plan sponsor acknowledgment and acceptance of safeguard obligations

Evidence auditors look for

  • Signed group health plan documents with safeguard requirements sections
  • Plan sponsor agreements or Business Associate Agreements referencing ePHI protection obligations
  • Documentation of ePHI data flows between plan and plan sponsors
  • Records of plan sponsor training or certification on ePHI handling requirements
  • Annual plan document reviews with dates and evidence of safeguard requirement verification
  • Exception documentation for any ePHI disclosures under §164.504(f)(1)(ii) or (iii)
  • Communications to plan sponsors outlining specific safeguard expectations and timelines

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's control mapping engine automatically tracks OR-2.1 language across your plan documents, flags gaps in safeguard requirements, and generates audit-ready evidence of plan sponsor acknowledgment—eliminating manual document reviews.

See how GRCWatch handles this control automatically

Start free trial

Related controls

OR-1.1 — Authorization and/or Supervision of ePHIOR-2.2 — Adequate Separation between Group Health Plan and Plan Sponsor§164.504(f) — Use and Disclosure of PHI by Plan Sponsors