RETIREMENT PLAN DEVELOPMENTS

IRS Updates and Expands Correction Program for Retirement Plans

The Internal Revenue Service ("IRS") issued Revenue Procedure ("Rev. Proc.") 2019-19, which updates and expands the Employee Plans Compliance Resolution System ("EPCRS"), the IRS's correction program for qualified plans. Rev. Proc. 2019-19 replaces Rev. Proc. 2018-52, the most recent consolidated version of EPCRS. Rev. Proc. 2019-19 expands the EPCRS' Self-Correction Program ("SCP") by allowing plan sponsors to correct more plan failures without involving the IRS or paying a user fee. Under Rev. Proc. 2019-19, the SCP allows—through the adoption of retroactive plan amendments—the self-correction of (1) certain plan document failures, (2) certain plan loan failures, and (3) additional categories of operational failures.

  • Plan Document Failures. Plan document failures are plan provisions that facially or, by their absence, violate the qualification requirements of the Internal Revenue Code (the "Code"). A plan document failure includes a nonamender failure, a failure to adopt good faith amendments, or a failure to adopt interim amendments. Plan document failures are considered to be significant failures. Therefore, to be eligible for self-correction, the failure must be corrected within a two-year correction period (the end of the second plan year following the plan year wherein the failure occurred), and the plan must have a "favorable letter" at the time of correction (defined as a determination letter, opinion or advisory letter). However, SCP is not available to correct a failure to timely adopt a qualified plan document or initial written 403(b) plan.
  • Plan Loan Failures. A participant's failure to repay a loan in accordance with plan terms (a defaulted loan) may be corrected by the participant repaying all missed payments in a single lump sum with interest, re-amortizing the outstanding loan balance and interest over the remaining period of the loan, or a combination of both. If a defaulted loan is not corrected, a plan may treat the loan as a deemed distribution in the year of correction instead of the year of failure without needing permission from the IRS. The IRS cautions, however, the Department of Labor ("DOL") still requires the inclusion of a Voluntary Correction Program compliance statement (not SCP) to qualify for defaulted loan relief under the DOL's Voluntary Fiduciary Correction Program.

    A failure to obtain spousal consent for a plan loan in accordance with plan terms may be corrected by notifying the affected participant and his or her spouse and thereupon obtaining spousal consent. If the plan cannot obtain spousal consent, SCP is not available to correct the failure.

    If the number of loans to a participant exceeds the number of loans permitted by the plan terms, a plan may correct this failure by adopting a retroactive plan amendment to conform the written plan document to the plan's operation. To be eligible for this self-correction relief, (1) the plan, as amended, must satisfy the Code's plan amendment requirements, (2) the amendment must satisfy the Code's qualification requirements, and (3) the plan loans, including excess loans, must have been available to all participants or solely to one or more non-highly compensated employees.

  • Operational Failures. Operational failures are qualification failures that arise solely from the failure to follow plan terms. Under the expanded SCP, a plan may correct operational failures by adopting a retroactive plan amendment to conform the written plan document to the plan's operation. To be eligible for this relief, the following conditions must be satisfied: (1) the plan amendment would result in an increase of a benefit, right or feature; (2) the increase in the benefit, right or feature would be available to all eligible employees; and (3) providing the increase in the benefit, right or feature is permitted under the Code and satisfies the correction principles of EPCRS section 6.02.

HEALTH AND WELFARE PLAN DEVELOPMENTS

HHS Issues Final Notice of Benefit and Payment Parameters for 2020

The Department of Health and Human Services ("HHS") has issued the final Notice of Benefit and Payment Parameters ("Notice") for 2020, providing regulatory and financial parameters applicable to qualified health plans on the Exchanges, plans in the individual, small group, and large group markets, and self-insured group health plans. HHS notes the changes finalized in the Notice are aimed at lowering premiums, increasing market stability, reducing regulatory burdens, enhancing the consumer experience and reducing federal expenditures.

With respect to self-insured plans, highlights include:

  • Annual Cost-Sharing Limits. The 2020 maximum out-of-pocket limit that non-grandfathered plans may impose on in-network essential health benefits will increase from $7,900 to $8,150 for self-only coverage, and from $15,800 to $16,300 for family coverage, representing an approximately 3.16% increase over the 2019 parameters. The final 2020 limits are less than those initially proposed by HHS in January
  • Generic Drugs. To encourage participants' use of lower-cost generic drugs, plans do not need to count drug manufacturer coupons toward the maximum out-of-pocket limit on cost sharing for specified brand-name prescription drugs when a medically appropriate generic equivalent is available. However, HHS declined to finalize another proposal that would allow plans that cover both a brand-name prescription drug and its generic equivalent to considering the brand-name drug to not be an essential health benefit, which, by extension, would have allowed plans to impose annual or lifetime dollar limits on brand-name prescription drugs with generic equivalents.

DOL Releases Q&As on Association Health Plans

In response to the recent decision in State of New York, et al. v. U.S. Dep't of Labor, et al. vacating portions of the DOL final rule expanding association health plans, the DOL has announced it will appeal the decision to the D.C. Circuit Court of Appeals. In the interim, the DOL has released a series of questions and answers ("Q&As") and a position statement directed at insurers, employers, participants and other parties who may be affected by the decision. In this guidance, the DOL indicates it will work with all affected parties, HHS, and the individual states to mitigate any disruptions and hardships resulting from the decision. Accordingly, the guidance includes a nonenforcement policy providing that the DOL will not pursue enforcement against parties for actions taken in good faith reliance on the final rule, as long as parties meet their responsibilities to association members and their participants and beneficiaries to pay claims as promised. Nor will the DOL or HHS pursue enforcement against existing association health plans for continuing to provide benefits to members who enrolled in good faith reliance on the final rule before the decision, through the remainder of the applicable plan year or contract term. The DOL states the Q&As will be updated as the matter evolves.

HHS Lowers Penalties for HIPAA Violations

On April 30, 2019, HHS published a Notification of Enforcement Discretion ("Notification") to announce it is revising how it applies the penalty provisions under the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA, as most recently amended by the Health Information Technology for Economic and Clinical Health ("HITECH") Act, provides four categories of violations based on an increasing level of culpability associated with the respective violation. The four categories and corresponding penalty tiers are:

  • The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1);
  • The violation was due to reasonable cause, and not willful neglect (Tier 2);
  • The violation was due to willful neglect that is otherwise timely corrected (Tier 3); and
  • The violation was due to willful neglect that is not timely corrected (Tier 4).

Despite the varying levels of culpability, HHS regulations have adopted the same cumulative annual penalty limit of $1.5 million across all four categories of HIPAA violations. In the Notification, HHS has determined a "better reading" of the HITECH Act is to apply a sliding scale to the cumulative annual penalty. The minimum/maximum penalties per violation in each category remain unchanged. Thus, until further notice, HHS will use the following penalty tier structure, as adjusted for inflation:

Culpability Minimum Penalty
per Violation
Maximum Penalty
per Violation
Annual Limit
No Knowledge $100 $50,000 $25,000
Reasonable Cause $1,000 $50,000 $100,000
Willful Neglect – Corrected $10,000 $50,000 $250,000
Willful Neglect – Not Corrected $50,000 $50,000 $1,500,000

HHS expects to engage in future rulemaking to update the penalty tiers as stated in the Notification.

CMS Announces HIPAA Electronic Transactions Standards Compliance Review Program

The Centers for Medicare & Medicaid Services ("CMS") is launching an Administrative Simplification Compliance Review Program to assess covered entities' compliance with HIPAA's electronic transaction standards. CMS indicates it will randomly select nine covered entities—a mix of health plans and health care clearinghouses—for compliance reviews. Any covered entity may be selected for review, not just those who work with Medicare or Medicaid. CMS initially piloted the program in 2018 with health plan and clearinghouse volunteers. Unlike its longstanding reactive practice of investigating individual complaints against covered entities, CMS indicates the Compliance Review Program is "proactive enforcement" that uses a progressive penalty structure, with remediation as the end result of a review. If HHS uncovers a violation, depending on the level of culpability, HHS may enter into a corrective action plan or, in cases of egregious or willful noncompliance, HHS may impose monetary penalties. To help covered entities prepare for a review, CMS has published two informational documents entitled "What to Expect: Q&A" and "Prep Steps You Can Take."

OCR Publishes Spring 2019 Cybersecurity Newsletter

In its Spring 2019 Cyber Security Newsletter, HHS's Office for Civil Rights ("OCR") warns of two formidable cybersecurity threats targeting covered entities and business associates: advanced persistent threats and "zero-day" attacks. In the past few years, both of these cybersecurity attacks have been used against the health care sector with severe consequences. As its name implies, an advanced persistent threat is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target's system to steal or corrupt information or otherwise disrupt business operations. A zero-day attack exploits previously unknown hardware, firmware, or software vulnerability. A hacker employing a zero-day attack learns of a security flaw and exploits it before the manufacturer can issue an appropriate fix, patch or anti-virus update. Some recent high-profile attacks have been a combination of an advanced persistent threat and zero-day attack.

OCR's newsletter reminds covered entities and business associates that the HIPAA Security Rule includes many security measures to prevent or at least mitigate damage caused by advanced persistent threats and zero-day attacks. These measures include: conducting a risk analysis to identify risks and vulnerabilities to electronic protected health information; implementing a corresponding risk management plan to reduce those identified risks and vulnerabilities; regularly reviewing audit and system activity logs to identify abnormal or suspicious activity; maintaining security incident response procedures; establishing and periodically testing contingency plans like disaster recovery and data backup/restoration; encrypting electronic protected health information at rest and in-transit; and providing security training for workforce members.

GENERAL EMPLOYEE BENEFITS

Ninth Circuit Rules Plan Fiduciary Violated ERISA by Setting Own Fees as Recordkeeper

In Acosta v. City National Corporation, No. 17-55421 (9th Cir. April 23, 2019), the U.S. Court of Appeals for the Ninth Circuit ruled that a plan fiduciary engaged in prohibited self-dealing by setting and approving its own fees from plan assets for serving as the plan's recordkeeper. City National Corporation ("City National") sponsored a 401(k) plan for its employees. A subsidiary, City National Bank, was the plan's trustee and recordkeeper. City National Bank was compensated for its recordkeeping services by revenue sharing, (i.e., sharing a portion of mutual fund fees charged to the plan). The DOL filed a lawsuit alleging City National breached its fiduciary duties and engaged in self-dealing under ERISA section 406(b) by setting its own recordkeeping fees and not tracking or documenting time employees spent servicing the plan. The lower district court granted the DOL's motion for summary judgment. On appeal, City National did not contest it had engaged in self-dealing but instead argued it was not liable for the self-dealing because the compensation arrangement was "reasonable" under ERISA section 408(c). The Ninth Circuit disagreed and affirmed the district court's ruling. Citing longstanding precedent, the Ninth Circuit held the "reasonable compensation" exemption with respect to plan assets paid to fiduciaries for services rendered does not apply to prohibited self-dealing under ERISA section 406(b). The Ninth Circuit acknowledged City National's contention that, unlike, in this case, self-dealing often arises in circumstances where the fiduciary receives kickbacks or plan transfers to a personal account or otherwise receives compensation for illegitimate services. However, the Ninth Circuit held that the self-dealing analysis is separate from the reasonable compensation analysis, and self-dealing can indeed occur through payments for legitimate services actually rendered.

UPCOMING COMPLIANCE DEADLINES AND REMINDERS

Form 5500 for Calendar Year Plans. Plan administrators generally have seven months after the end of a plan year to file a Form 5500, including applicable schedules and attachments. Thus, for plan years ending December 31, 2018, the Form 5500 filing deadline is July 31, 2019. Plan administrators can apply for a deadline extension until October 15, 2019, by filing Form 5558 by July 31, 2019.

SMM for Calendar Year Plans. Plan administrators generally have 210 days after the end of a plan year to provide a Summary of Material Modifications ("SMM") of a plan change. Thus, for a plan change adopted in 2018, the deadline is July 29, 2019.

Upcoming Health Plan Compliance Deadlines and Reminder

PCORI Fee. Plan sponsors of self-funded plans must report and pay the annual Patient-Centered Outcomes Research Institute ("PCORI") fee by filing IRS Form 720 by July 31, 2019. For the calendar year plans, this will be the final PCORI fee. For non-calendar year plans that end between January 1, 2019, and September 30, 2019, the final PCORI fee must be paid by July 31, 2020.

Upcoming Retirement Plan Compliance Deadlines and Reminders

Annual Funding Notice. Defined benefit plans with 100 or fewer participants generally must provide the annual funding notice to required recipients by the Form 5500 filing deadline.

Form 8955-SSA. Like the Form 5500, Form 8955-SSA (Annual Registration Statement Identifying Separated Participants With Deferred Vested Benefits) is due seven months after the end of a plan year (July 31, 2019, for the calendar year plans). A plan administrator can receive the same extension for the Form 8955-SSA as is available for the Form 5500, by filing Form 5558 on or before July 31, 2019. Plan administrators must also provide the individual statements to those separated participants identified on the Form 8955-SSA prior to the Form 8955-SSA filing deadline.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.