Under final rules issued September 5, 2012 by the Department of Health and Human Services under HIPAA, nearly all employer group health plans are required to obtain a unique health plan identification number (HPID) by November 5, 2014. (We summarize the final rules briefly here.) Health plans with less than $5 million in annual receipts have until November 5, 2015 to comply. With less than three weeks to go until the deadline, employers still have questions about the requirements and the application process. From what we have heard from some clients, the application process can take at least a couple of days so don’t wait until November 5 to get started.
Entries in Plan Administration (43)
Employer group health plans and other covered entities that have not already amended business associate agreements (BAAs) to incorporate changes required by the Final Omnibus Rule must do so by September 22, 2014. (You can read our prior blog post on the Final HIPAA Omnibus Rule here.)
In January 2013 the Department of Health and Human Services published the Final HIPAA Omnibus Rule. Among other things, the Final Omnibus Rule expanded the scope of entities considered “business associates,” extended direct liability to business associates who fail to comply with certain HIPAA requirements, and required the addition of certain language to new and existing BAAs. Specifically, the Final Omnibus Rule required that existing BAAs be amended and new BAAs be drafted to include (among other things) provisions requiring a business associate to:
- Comply with applicable provisions of the HIPAA security rule;
- Ensure that any subcontractor creating, receiving, maintaining, or transmitting protected health information (PHI) on behalf of the business associate agrees in writing to the same restrictions and conditions that apply to the business associate with respect to such information;
- Report to the covered entity breaches of unsecured PHI as required by the breach notification rules; and
- To the extent the business associate carries out a covered entity’s obligations under the privacy rule, comply with the requirements of the privacy rule that apply to the covered entity in the performance of such obligations.
New and existing BAAs were required to comply with the Final Omnibus Rule by September 23, 2013, though parties with a BAA in place prior to January 25, 2013 were given the opportunity to delay amending the BAA for an additional year. Specifically, if, prior to January 25, 2013 (the publication date of the Final Omnibus Rule), the covered entity and the business associate were parties to a BAA that complied with the prior provisions of the HIPAA rules and the BAA was not renewed or modified after March 25, 2013, the parties could delay amendment of the BAA until September 22, 2014.
Employers who sponsor self-funded group health plans should review their existing BAAs to ensure that they comply with the Final Omnibus Rule. (HHS has provided sample language.) One final thought. Since the Final Omnibus Rule makes clear that covered entities may be liable for the acts of their business associates functioning in an agent capacity, employers should consider adding language to their BAAs to affirmatively disavow any agency relationship with a business associate in appropriate cases. This type of protective provision does not appear in the model language published by HHS, but competent legal counsel certainly can provide it.
In Part 1 of this two-part series we suggested that the key to compliance with the fiduciary requirements of ERISA can be boiled down to a simple proposition: follow a prudent process and document it. We used that proposition as a basis for offering five foundational steps that a fiduciary committee charged with overseeing the administration of an ERISA retirement plan should take, especially when the committee has responsibility for the investment of plan assets. One of those foundational steps involves the preparation of minutes of committee meetings. In this second part of the series we focus entirely on the preparation of meeting minutes. The goal is make sure your fiduciary committee gets the most mileage out of meeting minutes from a compliance standpoint and avoids stubbing its toe in the event that the minutes find their way into the hands of someone seeking to hang the committee by its own documentation.
Even in areas of law where the landscape of rules, regulations, and risks seems constantly to be changing, certain core concepts and basic principles hold fast. In the case of fiduciary responsibility under ERISA, the core concepts and basic principles can be boiled down to three key elements: (1) establish a prudent process; (2) adhere to the process; and (3) document the process. These principles apply no matter what kind of benefit plan is involved (if it is governed by ERISA) and no matter what role the fiduciary plays in the operation of the plan. And courts have affirmed the strength and validity of these principles time and time again even when the decisions made by fiduciaries look really bad in hindsight. In this first part of a two-part series we will highlight five best practices that we recommend to any employer who maintains a retirement plan is subject to ERISA. These practices apply to both defined contribution plans where participants typically control the investment of their individual accounts (such as 401(k) plans and 403(b) plans that include employer contributions) and defined benefit pensions plans (where the investment risk is essentially on the employer). The key fiduciary responsibility requirements of ERISA do not vary based on the size or sophistication of the employer. Therefore, while the implementation of these best practices may vary to some extent based on the size and sophistication of the employer, the efficacy of the practices will not.
IRS Notice 2014-01, issued yesterday, provides helpful guidance for the administration of cafeteria plans after the U.S. Supreme Court’s decision in the Windsor case. The guidance provides answers to a number of questions that employers and plan administrators have been asking, including the following:
May a participant who was married to a same-sex spouse as of the date of the Windsor decision (June 26, 2013) be treated as if he or she experienced a change in legal marital status? Yes. The decision to recognize same sex marriages for federal law purposes for the first time amounts to change in legal marital status. Accordingly, a cafeteria plan may permit such a participant to revoke an existing election and make a new election in a manner consistent with the change in legal marital status.
Would a change in the tax treatment of a benefit offered under a cafeteria plan be considered a significant change in the cost of coverage? No. The fact that same sex married couples can be covered without the imputation of income (and pre-tax dollars can be used to purchase benefits) does not constitute a significant cost change for purposes of permitting a status change. For periods between June 26 and December 31, 2013, however, a cafeteria plan will not be treated as having failed to meet the cafeteria plan requirements if the plan permitted a participant with a same-sex spouse to make a mid-year election change based on a significant change in the cost of coverage.
At what point must an employer begin to allow pre-tax salary reductions for same sex married couples? If an employer receives notice before the end of the cafeteria plan year including December 16, 2013 (the publication date of the IRS Notice) that a participant is legally married, then the employer must begin treating the amount that the employee pays for the spousal coverage as a pre-tax salary reduction under the plan no later than the later of (a) the date that a change in legal marital status would be required to be reflected for income tax withholding purposes under Code Section 3402, or (b) a reasonable period of time after December 16, 2013.
At what point may a cafeteria plan permit a participant's flexible spending account to reimburse covered expenses for a same sex spouse? A cafeteria plan may permit FSA reimbursements for the covered expenses of a same-sex spouse, or of a same-sex spouse's dependent, that were incurred during a period beginning on a date that is no earlier than (a) the beginning of the cafeteria plan year that includes the date of the Windsor decision or (b) the date of marriage, if later. This would include a health, dependent care, or adoption assistance FSA to reimburse covered expenses of the participant's same-sex spouse.
Much more post-Windsor guidance is expected early next year to deal with a variety of issues under retirement plans as well as, in general, the possible retroactive effect of the invalidation of Section 3 of the Defense of Marriage Act.