Attorney Erwin Kratz Named to the Best Lawyers in America© 2017

ERISA Benefits Law attorney Erwin Kratz was recently selected by his peers for inclusion in The Best Lawyers in America© 2017 in the practice area of Employee Benefits (ERISA) Law. Mr. Kratz has been continuously listed on The Best Lawyers in America list since 2010.

Since it was first published in 1983, Best Lawyers® has become universally regarded as the definitive guide to legal excellence. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation. Lawyers are not required or allowed to pay a fee to be listed; therefore inclusion in Best Lawyers is considered a singular honor. Corporate Counsel magazine has called Best Lawyers “the most respected referral list of attorneys in practice.”

HHS Announces Two More Significant HIPAA Privacy and Security Settlements

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has announced two more significant settlements in cases of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). These settlements highlight the need for HIPAA covered entities and their business associates to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of their ePHI;
  • Implement policies and procedures and facility access controls to limit physical access to their electronic information systems;
  • Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • Assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI;
  • Reasonably safeguard laptops with unencrypted ePHI (or better yet, secure all ePHI);
  • Implement policies and procedures to prevent, detect, contain, and correct security violations; and
  • Obtain satisfactory assurances in the form of a written business associate contract from their business associates that they will appropriately safeguard all ePHI in their possession.

In addition, if it has been more than a few years since you conducted a security and privacy assessment and adopted privacy and security policies and procedures under HIPAA, you should be working on updating that assessment and the resulting policies and procedures. As in many areas, making a good faith effort at compliance is half the job.

Details

In the first case, Advocate Health Care Network (Advocate) agreed to a settlement with OCR for multiple potential HIPAA violations involving ePHI pursuant to which Advocate agreed to pay a $5.55 million settlement and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Read the Advocate Health Care Network resolution agreement and corrective action plan.

In the second case, the University of Mississippi Medical Center (UMMC) agreed to settle multiple alleged violations of HIPAA. OCR’s investigation of UMMC was triggered by a breach of unsecured ePHI affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a resolution amount of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules. On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. Further, OCR’s investigation revealed that UMMC failed to:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

University of Mississippi is the state’s sole public academic health science center with education and research functions. In addition it provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the state. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

Read the University of Mississippi resolution agreement and corrective action plan.

Significant Changes Proposed for Form 5500

On July 21, 2016 the Department of Labor (DOL), the Internal Revenue Service (IRS) and the Pension Benefit Guaranty Corporation (PBGC) published proposed rules that would make significant revisions to the Form 5500 Annual Return/Report as of the 2019 filing year.

DOL explains in a Fact Sheet that the proposed form revisions and the DOL’s related implementing regulations are intended to address changes in applicable law and in the employee benefit plan and financial markets, and to accommodate shifts in the data the DOL, IRS and PBGC need for their enforcement priorities, policy analysis, rulemaking, compliance assistance, and educational activities.

The major proposed changes are summarized below:

  • Retirement Plan Changes – The new Form 5500 will request more information about participant accounts, contributions, and distributions. It will also ask about plan design features, including whether the plan uses a safe harbor or SIMPLE design and whether it includes a Roth feature. The form will also ask about investment education and investment advice features, default investments, rollovers used for business start-ups (ROBS), leased employees, and pre-approved plan designs. Schedule R will include new questions about participation rates, matching contributions, and nondiscrimination.
  • Group Health Plan Changes – The most significant change for health plans is that all ERISA group health plans, including small plans that are currently exempt from filing, will be required to file a Form 5500. The new filing requirement includes a new Schedule J (Group Health Plan Information), which will list the types of health benefits provided, the plan’s funding method (self insured or fully insured), information about participant and employer contributions, information about COBRA coverage, whether the plan is grandfathered under health care reform, and whether it includes a high deductible health plan, HRA, or health FSA. In addition, most filings (except those for small fully insured plans) would have to provide financial and claims information, disclose stop-loss carriers, third party administrators and other plan service providers, and provide details regarding compliance with HIPAA, GINA, health care reform and other compliance issues.
  • Other Changes – The proposed changes affect many of the existing Form 5500 schedules, including:
    • Schedule C would be revised to coordinate with the service provider fee disclosure rules.
    • Schedule C would be required from some small plans currently exempt from filing it.
    • Schedule H would be expanded to include questions on fee disclosures, annual fair market valuations, designated investment alternatives, investment managers, plan terminations, asset transfers, administrative expenses and uncashed participant checks.
    • Schedule I would be eliminated.
    • Small plans that currently file Schedule I would generally need to file Schedule H.

Effective Date – The new Form 5500 is expected to be required as of the 2019 plan year filings.

Proposed Rule Making Form 5500 Changes

DOL Adjusts ERISA Penalties

The Department of Labor, Employee Benefits Security Administration has issued interim final rules increasing certain DOL compliance penalties effective as of August 1, 2016. The highlights are:

  • The maximum penalty for failure or refusal to file the Form 5500 annual report is increasing from $1,100 per day to $2,063 per day
  • Failure to furnish information to the DOL under ERISA Section 104(a)(6) will now carry penalties equal to $147 per day (up from $110 per day)
  • The maximum penalty for failing to provide a summary of benefits and coverage for a group health plan is increasing from $1,000 to $1,087 per failure
  • Numerous miscellaneous penalties are increasing from $100 per day to $110 per day, including
    • Certain violations of the Genetic Information Nondiscrimination Act (GINA), such as establishing eligibility rules based on genetic information or requesting genetic information for underwriting purposes, and
    • An employer’s failure to inform employees of CHIP coverage opportunities
  • The penalty for failure to provide benefit statements to certain former participants and beneficiaries in a retirement plan is increasing from $11 per employee to $28 per employee
  • The penalties for failure to furnish a blackout notice (when participants are precluded from changing investment instructions, taking a loan or a distribution) are increasing from $100 per day to $131 per day

Why are the Penalties Being Increased Now? In 2015, Congress passed the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (2015 Inflation Adjustment Act) as part of the Bipartisan Budget Act of 2015. The new law directs agencies to adjust their civil monetary penalties for inflation.

Will the Penalties be Adjusted again in the Future? The law requires federal agencies to adjust their civil monetary penalties for inflation by July 1, 2016. After this initial “catch-up” adjustment, the agencies must adjust their civil monetary penalties annually for inflation.

When are the New Penalty Amounts Effective? The new civil penalty amounts are applicable only to civil penalties assessed after August 1, 2016, whose associated violations occurred after November 2, 2015, the date of enactment of the 2015 Inflation Adjustment Act.

More…

The interim final rule

EBSA Fact Sheet, including full chart showing all the new penalty amounts

Plan Administrator Bears Burden to Produce Key Information Regarding Claimant’s Service and Benefits Eligibility

The 9th Circuit Court of Appeals ruled on April 21, 2016 that where a claimant has made a prima facie case that he is entitled to a pension benefit, but lacks access to the key information about corporate structure, or hours worked, needed to substantiate his claim, and the defendant controls this information, the burden shifts to the defendant to produce this information. Estate of Bruce H. Barton v. ADT Security Services Pension Plan (9th Cir., 2016).

The Plan Administrator could not place the burden of producing records establishing which entities participated in the pension plan between 1967 and 1986, and the claimant’s service record, on the claimant where the Plan Administrator had no records of its own.

The Plan Administrator originally denied the claim on the basis of an absence of records establishing eligibility for plan participation, actual participation, or accrual of plan benefits. This was wrong where the Committee rather than the claimant would likely be in possession of such records.

The lesson for Plan Administrators: keep plan documents, service records and contemporary records establishing benefit accruals forever; there is no practical document retention period for these documents.

The lesson for claimants: don’t be deterred from asserting a claim if you have enough evidence to state a prima facie case and the definitive documents or information ought to be in the Plan Administrator’s possession.

Estate of Bruce H. Barton v. ADT Security Services Pension Plan (9th Cir., 2016)

Fiduciaries Ultimately Prevail in Tibble v. Edison

On remand from the United States Supreme Court, which held in May 2015 that ERISA imposes on retirement plan fiduciaries an ongoing duty to monitor investments, even absent a change in circumstances, the 9th Circuit Court of Appeals recently affirmed the district court’s original judgment in favor of the employer and its benefits plan administrator on claims of breach of fiduciary duty in the selection and retention of certain mutual funds for a benefit plan governed by ERISA.

The court of appeals had previously affirmed the district court’s holding that the plan beneficiaries’ claims regarding the selection of mutual funds in 1999 were time-barred. The Supreme Court vacated the court of appeals’ decision, observing that federal law imposes on fiduciaries an ongoing duty to monitor investments even absent a change in circumstances.

On remand, the panel held that the beneficiaries forfeited such ongoing-duty-to-monitor argument by failing to raise it either before the district court or in their initial appeal. While the fiduciaries ultimately prevailed in this case, the lesson for fiduciaries remains clear: You have an ongoing duty to monitor the investment options in your retirement plans.

Tibble v. Edison International (9th Cir., 2016)

Full Text of the Supreme Court Decision in Tibble v. Edison International (2015)

DOL Finalizes Regulations and Related Exemptions on ERISA Fiduciary Definition and Conflicts of Interest in Investment Advice

The Department of Labor (DOL) has adopted its long-awaited final rule defining who is a fiduciary investment adviser, and has issued accompanying prohibited transaction class exemptions that allow certain broker-dealers, insurance agents and others that act as investment advice fiduciaries to continue to receive a variety of common forms of compensation, as long as they adhere to standards aimed at ensuring that their advice is impartial and in the best interest of their customers.

Going forward, individuals and firms that provide investment advice to plans, plan sponsors, fiduciaries, plan participants, beneficiaries and IRAs and IRA owners must either avoid payments that create conflicts of interest or comply with the protective terms of an exemption issued by the DOL.

Under new exemptions adopted with the rule, firms will be obligated to acknowledge their status and the status of their individual advisers as “fiduciaries.” Firms and advisers will be required to:

  • make prudent investment recommendations without regard to their own interests, or the interests of those other than the customer;
  • charge only reasonable compensation; and
  • make no misrepresentations to their customers regarding recommended investments.

I. What Is Covered Investment Advice Under the Rule?

Covered investment advice is generally defined as a recommendation to a plan, plan fiduciary, plan participant and beneficiary and IRA owner for a fee or other compensation, direct or indirect, as to the advisability of buying, holding, selling or exchanging securities or other investment property, including recommendations as to the investment of securities or other property after the securities or other property are rolled over or distributed from a plan or IRA.

A “recommendation” is a communication that, based on its content, context, and presentation, would reasonably be viewed as a suggestion that the advice recipient engage in or refrain from taking a particular course of action.

II. What Is Not Covered Investment Advice Under the Rule?

The final rule includes some specific examples of communications that would not rise to the level of a recommendation and therefore would not constitute a fiduciary investment advice communication, including:

  • Education about retirement savings and general financial and investment information. For example, education can include specific investment alternatives as examples in presenting hypothetical asset allocation models or in interactive investment materials intended to educate participants and beneficiaries as to what investment options are available under the plan, as long as they are designated investment alternatives selected or monitored by an independent plan fiduciary and other conditions are met. In contrast, because there is no similar independent fiduciary in the IRA context, the investment education provision in the rule does not treat asset allocation models and interactive investment materials with references to specific investment alternatives as merely “education.”
  • General communications that a reasonable person would not view as an investment recommendation
  • Simply making available a platform of investment alternatives without regard to the individualized needs of the plan, its participants, or beneficiaries if the plan fiduciary is independent of such service provider
  • Transactions with Independent Plan Fiduciaries with Financial Expertise. ERISA fiduciary obligations are not imposed on advisers when communicating with independent plan fiduciaries if the adviser knows or reasonably believes that the independent fiduciary is a licensed and regulated provider of financial services (banks, insurance companies, registered investment advisers, broker-dealers) or those that have responsibility for the management of $50 million in assets, and other conditions are met.
  • Employees working in a company’s payroll, accounting, human resources, and financial departments who routinely develop reports and recommendations for the company and other named fiduciaries of the sponsors’ plans are not investment advice fiduciaries if the employees receive no fee or other compensation in connection with any such recommendations beyond their normal compensation for work performed for their employer

III. Best Interest Contract Exemption

The Best Interest Contract Exemption permits firms to continue to rely on many current compensation and fee practices, as long as they meet specific conditions intended to ensure that financial institutions mitigate conflicts of interest and that they, and their individual advisers, provide investment advice that is in the best interests of their customers. Specifically, in order to align the adviser’s interests with those of the plan or IRA customer, the exemption requires the financial institution to:

  • acknowledge fiduciary status for itself and its advisers
  • adhere to basic standards of impartial conduct, including giving prudent advice that is in the customer’s best interest, avoiding making misleading statements, and receiving no more than reasonable compensation.
  • have policies and procedures designed to mitigate harmful impacts of conflicts of interest and
  • disclose basic information about their conflicts of interest, including descriptions of material conflicts of interest, fees or charges paid by the retirement investor, and a statement of the types of compensation the firm expects to receive from third parties in connection with recommended investments.
  • Investors also have the right to obtain specific disclosure of costs, fees, and other compensation upon request.
  • In addition, a website must be maintained and updated regularly that includes information about the financial institution’s business model and associated material conflicts of interest, a written description of the financial institution’s policies and procedures that mitigate conflicts of interest, and disclosure of compensation and incentive arrangements with advisers, among other information.

IV. Additional Exemptive Relief

In addition to the Best Interest Contract Exemption, the DOL issued a Principal Transactions Exemption, which permits investment advice fiduciaries to sell or purchase certain recommended debt securities and other investments out of their own inventories to or from plans and IRAs. As with the Best Interest Contract Exemption, this requires, among other things, that investment advice fiduciaries adhere to certain impartial conduct standards, including obligations to act in the customer’s best interest, avoid misleading statements, and seek to obtain the best execution reasonably available under the circumstances for the transaction.

V. Effective Date

Compliance with the new rule is required as of April 2017. The exemptions will generally become available upon the applicability date of the rule. However, the DOL has adopted a “phased” implementation approach for the Best Interest Contract Exemption and the Principal Transactions Exemption. Both exemptions provide for a transition period, from the April 2017 applicability date to January 1, 2018, under which fewer conditions apply. This period is intended to give financial institutions and advisers time to prepare for compliance with all the conditions of the exemptions while safeguarding the interests of retirement investors.

During this transition period, firms and advisers must adhere to the impartial conduct standards, provide a notice to retirement investors that, among other things, acknowledges their fiduciary status and describes their material conflicts of interest, and designate a person responsible for addressing material conflicts of interest and monitoring advisers’ adherence to the impartial conduct standards. Full compliance with the exemption will be required as of January 1, 2018.

VI. More…

Regulations and Related Exemptions

DOL Fact Sheet

DOL FAQs

OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

The OCR’s detailed audit protocol is available here.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

To learn more about OCR’s Phase 2 Audit program, click on one of the links below:

  • When Will the Next Round of Audits Commence?
  • Who Will Be Audited?
  • On What Basis Will Auditees Be Selected?
  • How Will the Selection Process Work?
  • How Will the Audit Program Work?
  • What if an Entity Doesn’t Respond to OCR’s Requests for Information?
  • What is the General Timeline for an Audit?
  • What Happens After an Audit?
  • How Will Consumers Be Affected?
  • Will Audits Differ Depending on the Size and Type of Participants?
  • Will Auditors Look at State-Specific Privacy and Security Rules in Addition to HIPAA’s Privacy, Security, and Breach Notification Rules?
  • Who is Responsible for Paying the On-Site Auditors?

7th Circuit Holds Only a Church Can Establish an ERISA-Exempt Church Plan

On March 17, 2016 the 7th Circuit Court of Appeals joined the 3rd Circuit in holding that a network of hospitals and health care locations that is affiliated with a church cannot establish an ERISA-exempt church plan. Stapleton v. Advocate Health Care Network (7th Cir. 2016).

In Stapleton, several current and former employees of the church-affiliated hospital claimed that the organization failed to comply with ERISA’s vesting, reporting and disclosure, funding, trust, and fiduciary rules. The 7th Circuit Court of Appeals agreed.

This issue is bubbling up all over the country. District Court cases have decided the question both ways. There is a case pending before the Ninth Circuit that held at the District Court level that an affiliate cannot establish a church plan. Rollins v. Dignity Health, 19 F. Supp. 3d 909, 917 (N.D. Cal. 2013), appeal filed, No. 15-15351 (9th Cir. Feb. 26, 2016). The employer in Rollins faces up to $1.2 billion in funding obligations if it loses the case.

District court cases in several other states have held the other way, that affiliated organizations can establish a church plan. The only two Court of Appeals cases to decide the question have ruled that the affiliated organization cannot establish a church plan. See Stapleton and Kaplan v. St. Peter’s Healthcare Sys., 810 F.3d 175 (3d Cir. 2015).

If you are an organization affiliated with a church that is relying on the church plan exemption from ERISA’s vesting, reporting, disclosure, funding, trust, and fiduciary rules, you ought to review that decision with ERISA counsel.

Plan Imposed Limitations Period Must be in Benefit Denial Notice

The First Circuit recently ruled that it will not enforce a plan-imposed deadline for filing a lawsuit because the deadline was not set forth in the plan’s benefit denial notices. Santana-Diaz v. Metropolitan Life Ins. Co. (1st Cir. 2016). This case reiterates the importance of including any plan specific limitations period for filing suit in the Summary Plan Description and in all benefit denial notices and appeal determinations.