Requirements for Group Health Plans
164.314(a)(2)
Organizational Requirements
Except when the only ePHI disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as permitted under 164.508(a)(3)(i), a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard ePHI.
Implementation Guidance
Develop and implement group health plan security procedures including plan document requirements and sponsor responsibilities.
NIST References
NIST SP 800-66 Rev. 2: Section 3.4.2
Best Practices
Comprehensive plan document requirements, clear sponsor responsibilities, effective security procedures.
Testing Procedures
Review plan document requirements, verify sponsor responsibilities, test security procedures.
Frequently Asked Questions
Q: What are the requirements for group health plans?
A: Group health plans must ensure plan sponsors reasonably and appropriately safeguard ePHI.
Control Information
Control ID: 164.314(a)(2)
Category: Organizational Requirements
Subcategory: Group Health Plans
Risk Level: High
Implementation Difficulty: Moderate
Estimated Cost: Medium
Implementation Timeframe: 2-4 months
Last Updated: Oct 1, 2025
Additional Resources
NIST SP 800-66 Rev. 2: Group Health Plan Guidance, HHS Group Health Plan Guidance, Plan Document Templates