The notices can be found here:

http://www.dol.gov/ebsa/COBRAmodelnotice.html

The letter indicates an employer’s requirement that employees participate in a health risk assessment in order to obtain coverage under the employer’s self-funded health plan violates the ADA.  The circumstances that the EEOC official assessed were where the employer had employees take an assessment that involved answering a short health-related questionnaire, taking a blood pressure test, and providing blood for use in a blood panel screen.  Information from the assessment went directly and exclusively to the employee, and the employer received only aggregate information.  Employees who declined to participate in the assessment and their family members became ineligible for coverage under the health plan.

The ADA requires disability-related questions or medical examinations to be job-related and consistent with necessity or, part of a voluntary wellness program.  The EEOC stated that in the above instance, the HRA was neither job-related nor consistent with necessity.  As part of a wellness plan, refusing to participate in an HRA would penalize an employee, violating ADA.

However, the letter did reaffirm that disability-related inquiries and medical examinations are permitted as part of a voluntary wellness program, and that a wellness program is voluntary if employees are neither required to participate nor penalized for non-participation.  In the case the EEOC considered, employees were both required to participate and were penalized for non-participation.  The opinion letter may be found here.

This is important guidance in clarifying what an employer can and cannot do with regarding to its wellness efforts.  Please contact us if you have any questions or need more information on this letter or other wellness guidance.

The new law gives provides for added flexibility in order to cover children whose annual family income exceeds 200% of the federal poverty level ($22,050 for a family of four in 2009).  In addition to the income changes, the new law also includes a provision allowing legal aliens to participate in CHIP.  These changes will result in up to 4 million additional children being covered by CHIP.

In order to encourage more cost-effective coverage of CHIP-eligible individuals, the new law permits (but does not require) states to provide premium assistance to qualifying children (and, in some cases, their employed parents) to help pay employer group health plan premiums.  It is unknown how many states will adopt such a program or when the programs will be operational.  According to a recent Kaiser Family Foundation study, currently six states have state assistance programs – Florida, Idaho, Illinois, Oregon, Utah, and Virginia.

Qualified Coverage

CHIP applies to “qualified employer-sponsored coverage”, which is defined as group health plan or health insurance coverage offered through the employer which meets the following requirements:

• The coverage must be “creditable coverage” for Health Insurance Portability and Accountability Act (HIPAA) purposes;
• The employer contribution toward the cost of any premium for the coverage must be at least 40%; and
• The coverage must be available to individuals in a manner that would be considered to be a nondiscriminatory group for eligibility purposes under Internal Revenue Code’s Section 105(h) rules.

Qualified employer-sponsored coverage does not include:

• A health flexible spending arrangement (such as a Health Flexible Spending Account or a Medical Reimbursement Account); or
• A high deductible health plan (for Health Savings Account purposes).

Premium Assistance

The permitted premium assistance available for employers to offer to qualifying children is the incremental difference in cost to the employee between the cost of enrolling only the employee under the employer sponsored coverage and the cost of enrolling the employee and the low-income child under the employer-sponsored coverage.  If premium assistance is also provided to the parent of a low-income child, the amount of the subsidy is increased to take into account the cost of enrollment of the parent (or the family, if allowed by the state) in the employer-sponsored coverage.  A state is allowed to provide the premium assistance subsidy either as a direct reimbursement to an employee for out-of-pocket expenditures, or as a reimbursement to the employee’s employer.

Under the new law, employers are allowed to opt-out of being reimbursed for the premium subsidy.  If an employer chooses to opt-out, the employer is effectively removed from the subsidy process, and the state will then make its reimbursement for the subsidy directly to the employee.  This opt-out option will allow the employer to continue to withhold the full amount of the employee contribution required for coverage of the employee and the low-income child under the employer’s group health plan.

Special Enrollment Period

The new law also creates a new HIPAA special enrollment period to allow employees and dependents to enroll in an employer group health plan when they either lose Medicaid or CHIP eligibility or first become eligible for state premium assistance.  Employers will have to notify employees of the availability of state premium assistance and respond to state agency requests for information about an employee’s or a family member’s plan coverage.  The special enrollment provisions take effect April 1, 2009.  However, the premium assistance notice and disclosure provisions won’t be effective until model notices and forms are issued.

Under existing HIPAA rules, most group health plans (whether insured or self-insured) are required to allow employees to enroll themselves and certain family members in employer plan coverage under certain circumstances (such as loss of other coverage or adding dependents due to marriage, birth, adoption or placement for adoption).  Group health plans must notify employees of these special enrollment rights either before or at the time of enrollment in the plan.

The expanded CHIP law gives employees and their dependents who are eligible for but not enrolled in an employer group health plan a special enrollment period if either of two events occurs:

• They lose Medicaid or CHIP coverage because they are no longer eligible, or
• They become eligible for a state’s premium assistance program.

Unlike the existing HIPAA special enrollment rights, which allow a 30-day enrollment period after a qualifying event, under the new CHIP requirements, employees have 60 days from the date of the Medicaid/CHIP event to request enrollment in the employer’s group health plan.  In order to qualify for this midyear enrollment right, individuals must experience a Medicaid/CHIP qualifying event and provide the plan timely notice of the event and an enrollment request.

Current HIPAA rules require plans to provide notice of employees’ special enrollment rights at or before the time they can enroll in the plan.  CHIP does not address how or when employers should provide notice of the new special enrollment rights.  However, because the new Medicaid/CHIP qualifying event amends the HIPAA special enrollment provisions, it is believed that employers must revise their current notices of special enrollment to describe the new Medicaid/CHIP provisions – including the 60-day period to request enrollment.  At the very least, employers should include updated notices in enrollment materials for newly eligible employees beginning on April 1, 2009.  Additionally, employers may wish to notify all employees about their new special enrollment rights on or before the provision’s April 1, 2009 effective date.

Many employers that sponsor group health plans offer Section 125 cafeteria plans.  Under current cafeteria plan rules for electing benefits paid with pretax contributions, plans may allow employees to make midyear elections if they (or their family members) experience certain life events or status changes, such as gaining or losing Medicare or Medicaid eligibility or losing CHIP coverage.  Cafeteria plan rules also permit midyear elections for events triggering any mandated HIPAA special enrollment right, which will now include Medicaid/CHIP triggering events.

However, in contrast to the mandatory special enrollment period triggered by HIPAA-specified events, midyear cafeteria plan elections are completely optional – employers may choose to include some, all or none of the IRS-approved status change events in their cafeteria plans.  Therefore, an employee could have a HIPAA special enrollment right to join an employer’s health plan, but unless the employer’s cafeteria plan recognizes eligibility for HIPAA special enrollment as a status change allowing midyear elections, the employee will have to pay for health coverage using after-tax contributions.  Employers that already include HIPAA special enrollment events as grounds to permit midyear cafeteria plan elections may need to update their existing documentation and communication materials to make the scope of these events clear.  Employers that do not currently allow employees to make midyear pretax election changes for HIPAA special enrollments may want to consider adding them now.

Employer Notice and Disclosure Obligations

CHIP requires employers to notify employees about the availability of state premium assistance.  Additionally, employers must respond to any requests from state agencies about the group health plan coverage provided to specific employees and family members.  However, it appears that neither of these requirements is immediately effective.

The Departments of Labor and Health and Human Services must jointly develop and issue model national and state-specific notices within one year of CHIP’s enactment (February 4, 2009) for employers’ use.  Employers must provide the notice to employees starting with the first plan year beginning on or after the date the model notices are issued in final form.  Once the notice obligations become effective, employers may include these notices when distributing certain other benefits information to employees, such as:

• Plan materials informing employees that they are eligible for group health plan coverage;
• Annual open enrollment materials; and
• Summary plan descriptions (SPDs).

Under the new law, employers will be required to respond to state agency requests for information about an employee’s or a family member’s plan coverage.  There is currently no deadline for when the model form for such responses will be issued.  However, once the model form is issued, employers must use it for any state agency requests in the first plan year starting on or after the issue date of the model form.

Once issued, the model form will require the following information from the group health plan:

• Employee/dependent eligibility for group health plan coverage;
• The plan administrator’s name and contact information;
• A description of the plan’s benefits;
• Premiums and cost-sharing amounts for plan coverage; and
• Other relevant plan information.

Unfortunately, the law does not address how employers should respond to state requests for information prior to the model form being issued.

Penalties

CHIP does provide for non-compliance penalties.  Employers that fail to provide the required employee notice may be subject to a penalty of $100 per day for each violation.  Each employee who does not receive the notice is considered a separate violation.  Additionally, plan administrators that do not respond to state information requests face similar penalty assessments.

Next Steps for Employers

Because the new Medicaid/CHIP special enrollment right’s effective date is just around the corner, employers need to take several steps immediately.

1.    Confirm with vendors that qualifying employees and family members will be able to enroll in group health plans.

2.    Revise existing HIPAA special enrollment rights notices to include Medicaid/CHIP triggering events by the April 1, 2009 effective date.

3.    Revise any other employee communications that describe HIPAA special enrollment rights (such as SPDs and open enrollment materials).

4.    Amend cafeteria plan documents as necessary to reflect the new Medicaid/CHIP special enrollment right and the 60-day period to request plan enrollment.

5.    Establish procedures to respond to state requests for information about coverage provided to specific employees and family members.

Please contact our office for more information or to speak with benefits counsel about the new Medicaid/CHIP law and its impact on your business.

The legislative changes that affect HIPAA create many new requirements, enforcement provisions and penalties for covered entities, business associates, vendors and others.  Many changes are focused on HIPAA’s privacy and security requirements and will require businesses to change the way they currently do business.  There are significant changes to all Covered Entities (defined under HIPAA as health care providers that conduct certain electronic transactions, health care clearinghouses, and health plans), but are most challenging for Business Associates (individuals or corporate persons that perform ANY function or activity involving the use of Protected Health Information (PHI), who now face a host of new requirements.

Business Associates Required to Comply with HIPAA Privacy and Security Rules

Under HIPAA, Business Associates were not directly regulated and were not subject to HIPAA’s penalty provisions.  Because HIPAA only required a contract between the Business Associate and the HIPAA-covered entity, the only sanctions Business Associates faced for failure to protect health information was a breach of contract claim.  However, ARRA makes significant changes to the way Business Associates are treated under HIPAA.

ARRA specifies that any entity that engages in health information exchanges or provides data transmission of PHI (including Personal Health Record (PHR) vendors and health information exchanges) is considered a Business Associate.  As such, these entities must enter into a business associate contract with the covered entity and will be subject to ARRA’s civil and criminal penalty provisions.

Additionally, ARRA requires that the administrative, physical and technical safeguards and the policy, procedure and documentation requirements of HIPAA’s security rule apply to Business Associates of a covered entity in the same manner as they apply to the covered entity.  These additional requirements must be incorporated into Business Associate contracts and agreements and include notification provisions for a breach and the application of ARRA’s criminal and civil penalties.   With regard to HIPAA’s privacy rules, Business Associates are prohibited from using or disclosing any PHI in a manner which is not in compliance with the Business Associate contract or agreement required terms under HIPAA.  These changes become effective February 17, 2010 (one year after the enactment of ARRA).

Notice to Individuals of Privacy and Security Breaches

ARRA also imposes certain notification requirements on covered entities and Business Associates in the event of a breach of “unsecured protected health information.”  A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which comprises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not reasonably have been able to retain such information”.  Unsecured protected health information is defined as protected health information that the covered entity or Business Associate has not secured via standards approved by the Secretary of Health and Human Services (Secretary). 

Generally, the notification of a breach must be provided “without unreasonable delay”, but in no case later than 60 days after the discovery of the breach or when the breach should reasonably have been discovered.  Since the 60 days is the outer limit for notification, if the full 60 day window is used, the covered entity or Business Associate involved in the breach must be prepared to justify their reasons for not providing notification of the breach sooner.  However, notice of a breach may be delayed provided that notification would hinder a criminal investigation and/or injure national security (as determined by a law enforcement official).

For Business Associates that discover a breach, the Business Associate must notify the covered entity of the breach or potential breach and the identify of all individuals affected or potentially affected.  For covered entities, notification must be made to individuals whose unsecured protected health information has been accessed, acquired or disclosed or is reasonably believed to have been accessed, acquired or disclosed as a result of a security or privacy breach.  In general, notification to affected individuals must be sent via first class mail.  However, where a breach involves 10 or more individuals whose contact information is out-of-date or deficient, notification must be posted to the covered entity’s website or published in major print or broadcast media. For a breach that involves 500 or more individuals, the covered entity involved in the breach must also give notice to prominent media outlets in the applicable jurisdiction or state.

Notice of all breaches must be provided to the Secretary.  If the breach affects 500 or more individuals, the covered entity involved in the breach must immediately notify the Secretary.  For breaches that affect less than 500 individuals, the covered entity involved in the breach may notify the Secretary of any breaches on an annual basis.

To the extent possible, all notices must contain:

A brief description of what happened, including the date of the breach and the date of the discovery of the breach (if known);

• A description of the types of unsecured protected health information involved in the breach (e.g., social security number, date of birth);
•  The steps individuals should take to protect themselves from potential harm as a result of the breach;
•  A brief description of what the entity involved is doing to investigate the breach, to mitigate losses and to protect against further breaches; and
•  Contact procedures for individuals to ask questions or receive additional information, including a toll-free telephone number and an e-mail address, web site or postal address.

Expansion of Accounting of Disclosures

ARRA changes the existing limitations on accounting for disclosures of health information to individuals who request the disclosure.  If a covered entity uses or maintains an Electronic Health Record (EHR), then individuals will be allowed to receive an accounting of the disclosures of PHI for treatment, payment and health care operations made from the EHR.  The period of mandated disclosure is limited to the 3 year period prior to the individual’s request.  A reasonable fee may be charged to the requesting individual, provided the fee is not greater than the labor costs involved in complying with the request.

The Secretary is required to adopted regulations that specify the information to be contained in the accountings within 6 months of ARRA’s enactment.  Covered entities that began using EHR prior to January 1, 2009 will be required to provide the accounting upon request effective January 1, 2014.  Covered entities that begin using EHR after January 1, 2009 will be required to provide the accounting upon request effective January 1, 2011.

Clarification of and Limits on Marketing and Fundraising

ARRA clarifies that marketing communications are not health care operations unless the communications:

• Describes a health-related product or service that is provided by, or included in a plan of benefits of, the communicating covered entity;
•  Is made for the treatment of the individual; or
•  Is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual.

ARRA also limits the ability of a covered entity to receive remuneration for making non-marketing communications except for communications describing only a drug or biologic that is currently being prescribed for the individual receiving the communication, and any payment received by the covered entity in exchange for making the communication is reasonable (as defined by the Secretary), provided that:

• The communication is made by the covered entity and the covered entity has a valid authorization from the individual receiving the communication, or
• The communication is made by a Business Associate on behalf of the covered entity and the communication is consistent with the Business Associate contract or agreement between the covered entity and the Business Associate.

Individuals must be allowed to elect not to receive any fundraising communications, and must be allowed to “opt out” of having their information used by a covered entity for the purpose of fundraising.

Sale of Protected Health Information

Under ARRA, a covered entity or Business Associate is prohibited from directly or indirectly receiving payment in exchange for any protected health information unless the covered entity or Business Associate acquired a valid authorization from the individual.  The authorization must include the specification that the PHI may be sold or exchanged for remuneration.  Exceptions to this provision are made for:

• Public health activities;
• Research activities (provided the price reflects the reasonable costs related to the preparation and transmittal of data for such purposes);
• Treatment of an individual;
• The sale, transfer, merger or consolidation of a covered entity;
• Certain Business Associate agreements where a covered entity provides remuneration to a Business Associate;
• A request by an individual for a copy of that individual’s PHI; and
• As otherwise allowed by the Secretary.

The Secretary must issue final regulations within 18 months of ARRA’s final enactment date and the prohibitions are effective 6 months after the issuance of the final regulations.

Notification Provisions Apply to Other Personal Health Record Vendors

ARRA extends its notification provisions to vendors of PHRs and their service providers should the vendor or service provider experience a breach of security or privacy, regardless of whether the vendor or service provider is considered a covered entity.  In the instance of a breach of privacy or security of PHI, PHR vendors and their service providers are required to notify each affected individual who is a U.S. Citizen or resident of the U.S. as well as the Federal Trade Commission.  Failure to provide the required notice will be deemed as an unfair and deceptive trade practice or act under the Federal Trade Commissions Act.

Because PHR vendors are not covered by HIPAA, ARRA requires that the Federal Trade Commission issue interim final regulations which will provide guidance for PHR vendors on the requirements for breaches of PHI.

Mandatory Restrictions on Disclosure of PHI when Requested by Individuals

Under ARRA, individuals are given the right to restrict the disclosure of PHI related to treatment, payment and health care operations provided:

• The restriction relates to disclosure for purposes of payment or health care operations;
• The restriction does not relate to disclosure for purposes of treatment; and
•  The PHI relates only to an item or service for which the provider has already received payment in full.

Right of Individuals to Receive Electronic Records

If a covered entity maintains EHRs that contain PHI, ARRA provides individuals with the right to obtain a copy of their records in an electronic format or to request that the record be transmitted to a third party.  The covered entity may not charge the individual requesting the copies more than the total cost of labor incurred by the entity in transmitting the copies.

Clarification of the Minimum Necessary Standard

Pending additional guidance from the Secretary, a covered entity will be considered to be in compliance with the minimum necessary standard if, to the extent possible, the covered entity limits the disclosure to a limited data set or to the minimum data necessary to accomplish the intended purpose of the disclosure or use of the information.  The Secretary is required to issue guidance within 18 months of ARRA’s enactment.

Increase Use of De-Identifed Information

ARRA requires the Secretary to issue guidance on how covered entities can comply with requirements related to the use of de-identified PHI.  Such guidance must be issued within 1 year of ARRA’s enactment.

Enforcement and Penalties

ARRA authorizes the Secretary to conduct periodic audits of covered entities and Business Associates to ensure compliance with HIPAA and ARRA requirement.  The Secretary is also authorized to utilize civil enforcement provisions even if the action in question violated the criminal provisions, provided no criminal conviction is associated with the conduct.

The Secretary is required to impose civil penalties if a violation is due to willful neglect and to formally investigate any complaint if a preliminary investigation indicates the potential of violation due to willful neglect.  For cases involving violations where the individual did not know of the violation or where the individual would not have known of the violation by exercising reasonable diligence, corrective action rather than penalty may still be used.

Under ARRA, criminal enforcement for certain HIPAA violations is not limited to covered entities.  For purposes of criminal enforcement provisions, ARRA provides that “a person (including an employee or other individual)” is considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if such information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.

The Office for Civil Rights will receive any civil monetary penalties (CMPs) or settlements related to HIPAA security-related offenses.  Such funds will be used to fund the further enforcement of ARRA and HIPAA rules and requirements.

States’ Attorney General may bring a civil action under ARRA on behalf of state residents who have been or are threatened to be harmed by a violation to obtain injunctive relief or damages, as well as attorney fees.  Notice must be given to the Secretary and the Secretary is permitted to intervene.  The States’ Attorney General may not bring an action if a federal action by the Secretary is already pending.  These provisions only apply to violations that occur after February 17, 2009 (the date of enactment).

The Comptroller General must submit a report to the Secretary within 18 months of ARRA’s enactment that provides recommendations for determining a reasonable methodology for calculating an appropriate percentage of CMPs or settlements for individuals who have been harmed by a violation of HIPAA or ARRA.  The Secretary is required to issue regulations based on the Comptroller General’s recommendations within 3 years of ARRA’s enactment.

ARRA expands existing civil penalties into tiers and provides that the determination of the penalty amount must be based on the nature and extent of the violation and the harm caused by the violation:

• Tier 1 applies where the violator did not know of the violation, and would not have known even with reasonable diligence of the violation. In such circumstances, the penalty is $100 per violation, not to exceed $25,000 for all such violations of identical requirement during the calendar year.
• Tier 2 applies where the violation was due to reasonable cause rather than willful neglect. In such circumstances, the penalty is $1,000 per violation, not to exceed $100,000 for all such violations of identical requirement during the calendar year.
• Tier 3 applies where the violation was due to willful neglect but the violation was corrected within 30 days of the violation. The penalty is $10,000 per violation, not to exceed $250,000 for all such violations of identical requirement during the calendar year.
• Tier 4 applies where the violation was due to willful neglect and the violation was not corrected within 30 days of the violation. The penalty is $50,000 per violation, not to exceed $1,500,000 for all such violations of identical requirement during the calendar year.

Additional Guidance and Technical Standards

Within 60 days of the enactment of ARRA, the Secretary is required to issue guidance on what constitutes “unsecured” PHI and which specifies the technologies and methodologies that will render PHI unusable, unreadable or indecipherable to unauthorized individuals.  Guidance on such technologies and methodologies will be updated annually by the Secretary.

Within 180 days of enactment, the Secretary is required to issue interim final regulations which govern ARRA’s notification provisions and must designate an individual in each of the Department’s regional offices who will offer guidance and education on rights and responsibilities of covered entities, Business Associates and individuals with regard to PHI.

Effective Date of Changes

Unless otherwise specified in ARRA, the general effective date for the changes under ARRA is February 17, 2010, one year after the enactment of the law.  While the increased penalty provisions take effect immediately, many of the provisions have other effective dates and some do not have a clear date specified.  Additionally, some provisions will require regulations to be implemented, so these provisions may take two years or longer to take effect.

Unfortunately, during tough times, companies are forced to make hard decisions in order to survive.  One of the largest expenses for most companies is human capital and the associated costs, such as salaries and employee benefits programs.  As companies analyze whether to use terminations and/or layoffs as a means to control or reduce costs, they need to ensure that the analysis includes consideration of legal risks involved and ensure that the ultimate course of action complies with any applicable laws.  Some of the laws that should be taken into consideration include the Family Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), the Uniformed Services Employment and Reemployment Rights Act (USERRA), the Older Workers Benefit Protection Act (OWBPA), the Employee Retirement Income Security Act (ERISA), Equal Employment Opportunity (EEO) laws and the Consolidated Omnibus .Budget Reconciliation Act (COBRA).

For example, when determining which employees will be terminated and/or laid off, companies need to ensure that the criteria used is objective and does not create a disparate impact on a protected class.  One of the most common mistakes companies make is to use compensation as criteria for determining which employees will be reduced.  In many cases, employees with the highest wage rates in positions generally tend to be older because their salaries have increased with their work experience and time in a position.  Employers should ensure that they are using objective, legitimate business criteria to make their selections, so they do not leave themselves open to an age discrimination claim.

Additionally, depending on the size of the employer and the number of employees being laid off, companies may need to comply with The Worker Adjustment and Retraining Notification Act (WARN).  WARN is a federal law that requires that employers with greater than 100 employees (excluding part-time employees) provide 60 calendar days advance notice of mass layoffs.  A mass layoff is defined as a layoff that either (1) involves at least 50 employees who make up at least 33% of the employer’s work force, or (2) involves at least 500 employees.  Additionally, some states have enacted their own versions of the WARN Act that have lower thresholds which trigger a notice period.  This analysis can be complex for employers to determine whether these laws will apply to them, especially if there have been intermittent lay-offs of some workers during periods of slow downs.

Making the decision to reduce headcount in order to help a company survive is probably one of the toughest decisions an employer can make.  Frequently, an employer is focused on its financial situation and can overlook potential legal pitfalls associated with the decision. 

Companies should consult with legal counsel when they face these difficult situations so that they ensure they comply with all applicable laws and that they have as much legal protection as possible.  Please contact our office with any questions you have or for additional information.

During a M&A deal, companies generally perform due diligence across all areas of the target company to identify issues that need to be addressed during the negotiation phase of the deal.  If employee benefits plans are not included in this due diligence, an acquiring company can discover that it has inadvertently become the owner of significant employee benefits plan problems.  While problems that arise in the area of employee benefits plans do not generally become “deal breakers”, ensuring that any and all benefits issues are identified and addressed before the final agreement is signed can avoid major headaches in the future.

Benefit plan issues can vary depending on the type of deal that is being contemplated – either an asset purchase or a stock purchase.  In an asset purchase, the due diligence required for employee benefits plans could be reduced if the agreement does not include the buyer assuming liability for employee benefit plans.  However, even in that situation, due diligence on the benefit plans should still be conducted to ensure that the buyer has a complete picture of the seller’s business.

In a stock purchase deal, or in an asset purchase deal where the buyer is assuming liability for benefit plans, the buyer needs to ensure that significant due diligence is conducted on the existing benefit plans.  Generally, this due diligence should include:

• Identifying all employee benefit plans, programs and practices currently in existence – both formal written plans and informal, unwritten plans.
• Obtaining all pertinent documents for each plan identified (e.g., plan documents, summary plan descriptions, Form 5500s, annual nondiscrimination testing and audits, determination letters, third party administrator contracts).
• Reviewing all documentation to ensure the plans are currently compliant with applicable laws and looking for potential problem areas (e.g., accelerated vesting on change of control, unfunded liabilities, funding arrangements for nonqualified deferred compensation plans).
• Requesting disclosure on currently pending or threatened claims based on benefit plans and on whether any governmental audits have been commenced or are pending.
• Identifying potential problems to be addressed during negotiation of the deal.

As stated earlier, issues identified during the due diligence process for employee benefits plans are generally not severe enough to stop a deal from closing.  However, if properly addressed during the negotiation phase, they can be factored in with all the other components in the decision making process.  Where these issues are not properly addressed, they can become a significant concern for the buyer after the deal has completed. 

Benefits counsel can assist in completing comprehensive due diligence of a target company’s benefit plans to ensure that the acquiring company does not get blind-sided by benefit issues in the future.  Please contact our office for additional information or to talk to an attorney about your particular situation.

Unfortunately, just hoping that your retirement plan operations are working correctly is not enough.  In the ERISA retirement plan world, some of the biggest mistakes made by employers are operational errors rather than errors in the actual structure or documents of the plan.  Because not all operational mistakes are “bad” or harmful to employees, many employers do not feel there is an issue if they make an operational error, provided it is to the benefit of the employee.  However, even errors that result in favor of the employee cause a plan operation issue.

For example, a plan document provides that employees are eligible to participate only after 1 year of service, but the employer generously allows newly hired employees to participate immediately upon employment.  This generosity on the part of the employer, while beneficial rather than harmful to employees, is a failure to follow the terms of the plan and would constitute an operational failure that could create problems for the plan’s qualification if not corrected.

According to the IRS, some of the reasons employers give to explain why their plans are not operationally compliant include:

• Not knowing how to identify and fix any errors.
• Not wanting to have any unnecessary contact with the IRS.
• Assuming that the required annual financial audit identifies any errors that need to be addressed.
• Assuming that auditing the plan for operational compliance would be too expensive.

Employers should routinely self-audit their retirement plans for operational compliance.  This self-audit should be performed at least annually or more often if there are any significant change in demographics or if the employer is involved in a merger or acquisition.  Unfortunately, the annual financial audit performed by your CPA won’t necessarily catch all operational issues that might exist.

If operational mistakes are found, employers need to use the tools available to them to correct the errors quickly and with the minimum of expense.  The IRS recently released the “401(k) Fix-It Guide”, available on the IRS’ website, which provides employers with a list of the most common plan errors and advice on how to fix mistakes for 401(k) plans.

Additionally, one of the best tools available to employers in their quest to correct operational plan errors is the IRS’ Employee Plans Compliance Resolution System (EPCRS).  The EPCRS is a comprehensive system of correction programs offered by the IRS to employers who offer qualified retirement plans.  This program allows employers/plan sponsors to correct plan failures through three separate components:

• The Self-Correction Program (SCP),
• The Voluntary Correction Program (VCP), and
• The Audit Closing Agreement Program (Audit Cap).

The EPCRS was recently updated to assist employers in their voluntary compliance efforts.  The changes are effective as of September 2, 2008 and include:

• Standardized application forms,
• Reduced filing fee for some plan loan failures, and
• Expanded situations where waiver of income and excise taxes are allowed.

Everyone knows that mistakes happen.  Under ERISA, the trick is to identify and correct those mistakes quickly and cost-effectively.  Contrary to popular opinion, the IRS is more interested in ensuring plans are compliant than in “catching” employers doing something wrong.  Benefits counsel can assist your organization in self-auditing your plan to help identify any errors and working with you and any necessary governmental agency to resolve issues.  Please contact our office with any questions or for more information.

Generally, severance release and waivers are held to be enforceable, provided they comply with specific provisions required by laws such as the Older Workers Benefit Protection Act (OWBPA). However, with regards to waiving ERISA rights, a couple of recent cases indicate that employers need to evaluate their release and waiver language and procedures to ensure that they are getting the maximum protection against ERISA claims by former employees.

In March 2006, the U.S. District Court for the District of Connecticut ruled on Linder v. BYK-Chemie USA Inc. In this case, an executive executed a release and waiver upon termination of employment. However, after termination, he brought suit against his former employer based on the calculations used in the executive’s supplemental executive retirement plan (SERP). The court ultimately found that, in this specific case, the executive was barred from bringing suit by the executed release. However, in its ruling, the court adopted the position that the release of ERISA/benefit claims should require a greater scrutiny than the release of general claims. Therefore, the totality of the circumstances surrounding the release should be reviewed to ensure that the employee’s waiver of claims was voluntary and knowing.

In September 2007, the U.S. District Court for the District of Minnesota ruled on Groska v. Northern States Power Co. Pension Plan. In this case, two employers merged and employees were offered a choice of either competing for remaining positions or terminating employment with severance benefits. The plaintiff, Groska, opted to terminate employment and accept severance benefits, which required the execution of a release and waiver. Groska subsequently filed suit under ERISA, alleging improper claim denial and breach of fiduciary duty. With regard to the improper claim denial allegation, the court found that Groska had knowingly and voluntarily signed the release and waiver, so it was enforceable and barred the claim for improper denial. However, the court did not dismiss the breach of fiduciary claim as barred by the release and waiver. The court held that because ERISA recognizes the plan as a separate and distinct legal entity from the employer/plan sponsor, the release and waiver in favor of the employer did not automatically release the plan. Therefore, participants were still able to bring a claim against the plan itself under ERISA.

These decisions should prompt employers to review their “standard” release and waiver language and their processes for obtaining the executed release from former employees. Since the waiving of ERISA claims can be seen as needing a greater level of scrutiny than general contract claims, employers should evaluate whether the language currently being used provides the greatest shield possible. Additionally, since an employer’s release and waivers may not extend protection to the ERISA plan, the language should be updated to ensure the plan itself is afforded the greatest degree of protection available through the employer’s release and waiver. Benefits counsel can assist employers in reviewing the existing release and waiver language. Please contact our office with any questions or for additional information on how our attorneys can assist you.

However, the Sarbanes-Oxley Act (SOX) of 2002 dramatically increased these penalties.  Under SOX, the penalties for individuals were increased to a maximum of $100,000 and with potential imprisonment of up to ten years.  Criminal fines for entities other than individuals went from a maximum of $100,000 to a maximum of $500,000.  These increased penalties apply not only to black-out notices, but also to ERISA’s other plain-vanilla reporting and disclosure requirements.

While it is hard to picture the term “criminal penalties” in conjunction with mundane things like SPDs, SARs, Form 5500 filings and other run-of-the-mill benefit plan documents, there is potential liability when fiduciaries fail in their duties under the plan.

When the Department of Labor (DOL) uncovers egregious behavior involving benefit plans, they have historically brought criminal charges under three sections of ERISA and three sections of the United States Criminal Code.  ERISA’s three most common criminal provisions are aimed at the following:

• Preventing Criminals from Overseeing Benefit Plans. This provision is aimed at preventing those convicted of certain crimes (robbery, bribery, extortion, embezzlement, perjury, murder, certain drug offenses, labor union violations, and other ERISA offenses) from serving as a fiduciary or service provider of an employee benefit plan.

• Preventing Violations of Reporting and Disclosure Requirements.  This provision punishes those who commit willful violations of ERISA’s reporting and disclosure requirements in Part 1 of Title 1.  These reporting and disclosure requirements are designed to disclose significant information about the plan and its transactions, provide rights and benefits data to participants and detail the responsibilities for fiduciaries.

• Preventing the Coercive Interference with Rights to Benefits. This provision is designed to keep employers from terminating or harassing employees to prevent them from getting their vested pension rights.  Criminal sanctions are available where such interference involves willful use of actual or threatened fraud, force, or violence.

In the past, the DOL has taken action and convicted plan administrators and others for failure to file the Form 5500, Annual Return/Reports, or to provide participants with summary plan descriptions, summary annual reports and accrued benefits statements.  Additionally, they have aggressively pursued those fiduciaries that have violated the prohibited transactions rules.

With the new higher criminal penalties which are available, the DOL may become even more aggressive in seeking criminal penalties.  Those that may be fiduciaries of a plan – plan sponsors, plan administrators, service providers and their advisors – need to understand these potential criminal penalties and should consider them when taking action.

Plan sponsors need to ensure they exercise care in the appointment of fiduciaries and ensure there are checks and balances put in place in operating and maintaining a plan.  Additionally, third-party administrators, advisors and other service providers need to be vigilant regarding the actions of their clients and the clients’ plans to which they provide service.

Benefits counsel can assist by discussing potential risks in current plan administration, reviewing compliance with respect to ERISA requirements, and providing training for plan fiduciaries.  Please contact our office for more information on fiduciary liability or other ERISA questions.

Among the provisions of the PPA that affect DC plans, some of the most significant changes are effective for the 2008 plan year.  Highlights of a few of the PPA provisions effective for the 2008 plan year include:

Testing Changes

• Prior to the PPA, employers were required to calculate interest on the gap period for average deferral percentage (ADP) and annual contribution percentage (ACP) test failures. This requirement has been eliminated for ADP and ACP test failures, but is still required for excess deferrals.

Safe Harbor for Automatic Enrollment

• The PPA provides a safe harbor which allows employers to avoid ADP, ACP and top-heavy testing through an automatic deferral provision and employer match.

Rollovers to Roth IRA

• Prior to the PPA, Roth IRAs could only accept rollovers from a designated Roth account, a different Roth IRA or a non-Roth IRA (i.e. qualified rollover contributions). The PPA amended the definition of a qualified rollover contribution to Roth IRAs to include amounts distributed from other qualified plans under §401(a), §457(b), and §403(a) and (b) annuities.

Returned Contributions

• If an employer chooses to institute an automatic enrollment provision, under certain circumstances an automatically enrolled participant may withdraw from participation by requesting withdrawal from the plan within 90 days of the first contribution. The normal penalty for early withdrawal (10% tax) would not be applicable to these withdrawals.

While some of the PPA changes are mandatory, a number of them are discretionary. Employers that sponsor DC plans need to review their plan documents to determine which, if any, of the mandatory changes are applicable and have their plan documents updated accordingly.  Additionally, employers should assess the discretionary provisions of the PPA to determine whether they wish to implement any of the allowed changes.  Benefits counsel can assist you by detailing the allowed and mandatory changes, reviewing plan documents to determine which apply to your specific situation, and preparing any necessary amendments to the plan.  Please contact our office for more information.