Employee Benefits Developments April 2009
COBRA Subsidy Update
On March 31 the Internal Revenue Service (IRS) released Notice 2009-27, providing additional guidance on the premium subsidy available for continuing health care under the Consolidated Omnibus Budget Reconciliation Act of 1986 (COBRA). Issued in question-and-answer format, the notice covers a range of topics, including guidance on what constitutes involuntary termination for purposes of the subsidy, what types of coverage are eligible for the premium reduction, which entity is entitled to the reimbursement credit for the 65% of the premium that is not paid by the individual, and some cost-saving planning opportunities related to severance from employment.
The Employee Benefits Practice Group has developed a comprehensive package of COBRA notices, forms and information designed to help our clients meet their obligations under the new COBRA subsidy provisions. If you would like help complying with your COBRA obligations, please contact any member of the practice group.
ARRA Makes Significant Changes to HIPAA
The American Recovery and Reinvestment Act of 2009 (ARRA) made several significant changes to the privacy and security regulations of the Health Insurance Portability and Accountability Act (HIPAA). These changes include tighter restrictions on the use and disclosure of protected health information (PHI), broadening HIPAA’s reach by applying HIPAA’s provisions directly to business associates, increased enforcement, and greater penalties for violations.
Business Associates. Effective February 17, 2010, business associates will be directly subject to HIPAA’s privacy and security rules, including administrative, physical and technical safeguards. Previously, only covered entities (i.e., group health plans, healthcare providers, and clearinghouses) were directly subject to these rules. Business associates were required to comply with HIPAA’s security provisions only to the extent mandated by a business associate agreement with a covered entity. Now, in addition to any contractual liability, failure to comply with HIPAA’s privacy and security requirements will directly expose business associates to the same fines, penalties, and civil liabilities as covered entities.
Breach Notification. Before ARRA, except to the extent necessary to mitigate harm, covered entities were not required to notify individuals if their PHI was inappropriately disclosed. Under ARRA, covered entities and business associates must notify individuals when a security breach occurs. All notifications must be made “without unreasonable delay" and within 60 calendar days after discovery of the breach. In addition, if the breach involves 500 or more individuals, the Department of Health and Human Services (HHS) and a “prominent media outlet” must be notified. These breach notification provisions will be effective 30 days after the date
of publication of interim final regulations. ARRA requires HHS to publish interim final regulations by August 16, 2009.
Increase Individual Rights. ARRA also provides individuals with greater rights regarding their PHI. For example:
Although HIPAA previously allowed individuals to receive an accounting of disclosures of their PHI, there was an exception for disclosures made for purposes of treatment or to carry out healthcare operations. Under ARRA, individuals will have a right to receive an accounting of these types of previously excluded disclosures for the three-year period that preceded the individual’s request.
Individuals will also be able to bar healthcare providers from disclosing PHI to their health plans if the individuals paid for the healthcare service. Previously, a covered entity was not required to comply with such a request.
In addition, under ARRA, a covered entity or business associate will not be permitted to receive direct or indirect compensation in exchange for disclosing PHI unless it first obtains valid authorization from the individual whose PHI is being disclosed.
Enforcement and Penalties. Effective immediately, ARRA has increased enforcement of HIPAA and penalties for violations. Rather than merely being authorized to investigate, the HHS will now be required to conduct a formal investigation if a HIPAA complaint is received. ARRA also gives state attorneys general the authority to bring actions to obtain injunctive relief or damages on behalf of state residents who have been harmed by HIPAA violations. Penalties will be structured according to severity and can be as high as a minimum of $50,000 per violation, and up to $1,500,000 a year for uncorrected willful violations.
Action. Covered entities and business associates should review and revise their HIPAA privacy and security policies, employee training practices, and business associate agreements to comply with these changes to HIPAA.
IRS Publishes Final Rules for Automatic Contribution Arrangements
In February, the Internal Revenue Service (IRS) issued final regulations (T.D. 9447; 74 Fed. Reg. 8200) on automatic contribution arrangements under the rules enacted by the Pension Protection Act (PPA). An automatic contribution arrangement (ACA) is a cash or deferred arrangement under which an eligible employee, in the absence of an affirmative election, is treated as having made an election to have a specified contribution made on his or her behalf under the plan. The final ACA regulations provide rules on the use and operation of ACAs in 401(k) plans, 403(b) tax-sheltered annuities, or 457(b) governmental plans.
The final regulations prescribe rules for a safe harbor mechanism by which plans with ACAs may automatically satisfy the ADP and ACP tests – this is generally accomplished by making a prescribed level of matching or nonelective contribution. ACAs that adopt the safe harbor are called qualified automatic contribution arrangements or QACAs.
The final ACA regulations also prescribe rules under which participants who are automatically enrolled in a 401(k) plan, a 403(b) plan, or a 457(b) plan may elect, without being subject to the early distribution tax, to receive a distribution equal to the amount of any default elective contributions (and related earnings). The election to withdraw automatic contributions must be made within 90 days after the first automatic contribution is made. ACAs that comply with the rules for withdrawing automatic contributions within the first 90 days are called eligible automatic contribution arrangements or EACAs.
Notable changes in the final ACA regulations include the following:
- QACAs and EACAs must apply a minimum contribution percentage uniformly to all employees. A QACA or EACA meets this requirement even if the minimum percentage varies with the number of years the eligible employee had participated in the QACA/EACA. The final regulations expand this exception to the uniformity requirement. Under the final regulations, the default percentage may also vary based on the portions of years since that date. Thus, the plan may provide for the increase of the default percentage mid-year, as long as the percentage is uniform based on the number of years or portions of years since an employee first had contributions made pursuant to a default election and satisfies the minimum percentage requirement throughout the plan year.
- The regulations generally require a QACA/EACA notice to be issued to employees no later than the date they become eligible to participate in the plan. The final regulations, however, provide that if it is not practicable to provide the notice on or before an employee’s initial eligibility date, the notice will be treated as provided
timely if it is provided as soon as practicable after the initial eligibility date and the employee is permitted to elect to defer from all types of deferrable compensation under the plan that he or she earns beginning on the initial eligibility date. Accordingly, notice must be provided before the pay date for the payroll period that includes the employee’s initial eligibility date.
- Automatic contributions under a QACA or EACA must begin no later than the earlier of the pay date for the second payroll period beginning after the date the employee receives the initial written notice, or the first pay date that occurs at least 30 days after receipt of the initial written notice.
- The Internal Revenue Code sets forth a series of minimum default contribution percentages that an ACA must satisfy to be a QACA. The minimum percentage is generally determined based on the number of years since the date the employee first had default contributions made under the QACA. In response to concerns raised by commentators regarding rehired employees, the final regulations also provide that a plan is permitted to treat an employee who for an entire plan year did not have contributions made pursuant to a default election under the QACA, as if the employee had not had such contributions for any prior plan year as well. Thus, if an employee is rehired following a termination that lasted longer than a full plan year, the plan may provide that a new initial period begins on rehire and may use the minimum contribution percentage applicable to an employee’s initial period.
- An EACA need not invest automatic contributions in a qualified default investment alternative (QDIA).
- An EACA need not cover all employees eligible to make pre-tax deferrals under the plan. The plan may designate those employees who are covered by one or more distinct EACAs under the plan. If an EACA covers fewer than all the eligible employees under the plan, however, the plan sponsor will be unable to take advantage of the extended six-month period for correcting excess contributions and excess aggregate contributions without incurring an excise tax.
The final regulations for QACAs are applicable to plan years beginning on or after January 1, 2008. The final regulations for EACAs are applicable to plan years beginning on or after January 1, 2010.
Investment Advice Regulations Delayed
The Department of Labor has been working on a set of regulations to implement the Pension Protection Act of 2006 authority to allow qualified plan sponsors to create “eligible investment advice arrangements.” Under these rules, plan participants in participant-directed individual account plans (typically 401(k) plans) may be provided with investment advice paid for out of the participant’s account balance. The rules are an exception to the prohibited transaction rules because the fee arrangements otherwise would result in payments from plan accounts to parties in interest. The arrangements can be based on computer models or must conform to an arrangement whereby the investment advisor does not receive differing fees depending on the investment options selected by the participant. The regulations implementing eligible investment advice arrangements were finalized and otherwise would have become effective on March 23, 2009. An extension of this effective date, until at least May 22, has occurred following the decision of the new administration to reconsider any regulations that were not yet in effect. Given statements by some in Congress that the regulations overstepped statutory authority and that further legislation should be adopted, these rules could be delayed further. Until there is a more settled view on how plans might provide investment advice to participants, it is advisable for plan sponsors to remain cautious about setting up any investment advice arrangements that are financed out of plan assets.
DOL Statement on Fiduciary Duties in Light of Madoff Investment Losses
In light of recent events surrounding Bernard L. Madoff Investment Securities LLC, the Department of Labor’s Employee Benefits Security Administration (EBSA) released
a brief statement in February advising employee benefit plan fiduciaries of the steps they should be taking for plans they believe may have exposure to losses as a result of plan assets being invested with Madoff entities. Fiduciaries were advised that where material losses are likely to result from those investments, fiduciaries should take action to assess and protect the interests of plan participants and beneficiaries. Suggested steps include: (1) requesting disclosures from investment managers, fund managers, and other investment intermediaries regarding the plan’s potential exposure to Madoff-related losses; (2) seeking advice regarding the likelihood of losses due to investments that may be at risk; (3) making appropriate disclosures to other plan fiduciaries and plan participants and beneficiaries; and (4) considering whether the plan has claims that are reasonably likely to lead to recovery of losses that should be asserted against responsible fiduciaries or other intermediaries who placed plan assets with Madoff entities, as well as claims against the Madoff bankruptcy estate. The statement also cautions that fiduciaries must ensure that claims are filed in accordance with applicable filing deadlines such as those applicable to bankruptcy claims and for coverage by the Securities Investor Protection Corporation (SIPC). The web site of the court-appointed trustee for the Madoff liquidation contains the liquidation notice, claim forms, claims information, and deadlines for the filing of claims with the trustee (www.madofftrustee.com). In a related statement, the Pension Benefit Guaranty Corporation reminded plan sponsors that they are required by Section 4043 of the Employee Retirement Income Security Act to report to the agency if they are unable to pay benefits when due as a result of the Madoff case. (23 PBD, Feb. 6, 2009)
Revenue Sharing Approved in Participant Lawsuit. Even before the recent bear market, several lawsuits were filed to challenge revenue-sharing arrangements that are typical in 401(k) plans. These arrangements may allocate all or a portion of 12b-1 fees, management fees, distribution fees or other mutual fund fees through fee-sharing, sub-advisory fees, or other revenue-sharing devices. The complexity of these arrangements, as well as the lack of fully “transparent” disclosures to plan participants, is the subject of proposed Department of Labor regulations that will require more comprehensive fee disclosures in participant-directed plans to the plan participants. Participant lawsuits have challenged the revenue-sharing arrangements as violations of fiduciary duty, based on allegations that the fees are excessive and are inadequately disclosed. In the first Federal appeals court ruling in these cases, a 401(k) arrangement established by Deere & Co. was held to have met fiduciary standards by a district court, and that decision has been upheld on appeal. The 401(k) plan in question used common revenue-sharing agreements to pay for recordkeeping and other administrative expenses. The nature and amount of revenue sharing was not disclosed to plan participants. The mutual fund fees in the Deere & Co. plan were principally with Fidelity, and the trial court had found that the fees in question were generally consistent with industry standards and not unreasonable as a matter of law. The court concluded that specific disclosures of the revenue-sharing arrangements are not required by current ERISA regulations. The court noted the proposed Department of Labor rules that would change this in the future. While noting that plan fiduciaries must prudently act to select plan investment options, the court stated that plan fiduciaries are under no obligation to choose investment funds with the lowest cost. It also rejected the proposition that the practice of revenue sharing for qualified plans violates ERISA fiduciary rules. While this case vindicates a common administrative and operational arrangement, it serves as a reminder that the choosing of investment options, as well as the financial arrangements established to pay for plan administrative costs, are fiduciary decisions and should be handled prudently. Periodic review of plan costs and investment options will provide the sort of administrative due diligence that protected the fiduciaries in this case. Hecker v. Deere & Co. (7th Cir. 2009).