Welcome to the December 2023 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.
This month’s issue of the Baldwin Bulletin is our last in 2023 and focuses on providing you with important year-end compliance deadlines and preparing you for 2024.
Upcoming Compliance Deadlines
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans. Please note significant deadlines for the remainder of 2023 are as follows:
We have also included our compliance calendar for the coming year, available here.
2024 Health and Welfare Benefits Limits Released
The IRS recently released Revenue Procedure 2023-34, which provides increased limits for health care flexible spending account (FSA) contributions and related carryover amounts of $3,200 and $640, respectively, for the 2024 plan year (up from the 2023 limits of $3,050 and $610, respectively). For more information, including a chart of significant annual limits impacting health and welfare plans, please refer to our Alert, available here.
2024 PCORI Fees Announced
The Internal Revenue Service (IRS) has issued Notice 2023-70, which increases the Patient-Centered Outcomes Research Institute (PCORI) fee amount for plan years ending on or after October 1, 2023, and before October 1, 2024, to $3.22 times the average number of covered lives under the plan.
This will apply to 2023 calendar year plans (as well as plans with November and December plan years) that are required to file in July 2024. For non-calendar year plan years that end between January 1, 2023, and before October 1, 2023, the PCORI fee amount is $3.00 multiplied by the average number of lives covered under the plan. For further information, read here.
ACA 2023 Reporting Forms and Instructions Finalized
The Internal Revenue Service (IRS) has released the final 2023 forms for reporting under Internal Revenue Code Sections 6055 and 6056 (Forms 1094-B, 1095-B, 1094-C, and 1095-C), along with related final instructions.
Employer Action Items
Employers should become familiar with these forms and instructions for the 2023 calendar year reporting and, if necessary, begin to explore options for filing ACA reporting returns electronically (e.g., work with a third-party vendor to complete the electronic filing). As a reminder, not only are applicable large employers required to file on the coverage offered to their full-time employees, but small employers with level-funded or self-funded health plans also have a filing requirement under IRC Section 6055 to report coverage information.
Furnishing and Electronic Filing Deadlines
Beginning with filings on or after January 1, 2024, the electronic filing threshold for information returns has been decreased to 10 or more returns (originally, the threshold was 250 or more returns). Accordingly, individual statements for 2023 must be furnished to employees by March 1, 2024, for most employers, and electronic IRS returns for 2023 must be filed by April 1, 2024.
Several states, including California, Massachusetts, New Jersey, Rhode Island, as well as the District of Columbia, have their own reporting requirements to evidence an employee’s compliance with the individual mandate. Deadlines may differ from the federal law requirements noted in the previous paragraph.
See the accompanying links for final Forms 1094-B and 1095-B and Forms 1094-C and 1095-C. Final instructions are available here, and here, respectively. Also, read our article “ACA Electronic Filing Reminder” below in this issue of the Baldwin Bulletin for additional information regarding the new electronic filing threshold.
ACA Electronic Filing Reminder
As noted in the previous article, the 2023 instructions to the Forms 1094 and 1095 include information on the new electronic filing threshold for information returns required to be filed on or after January 1, 2024, which has been decreased to 10 or more returns (originally, the threshold was 250 or more returns). Specifically, the instructions provide the following clarifications and reminders:
- The requirement to file 10 or more returns electronically applies in the aggregate. Thus, a reporting entity may be required to file fewer than 10 of the applicable Forms 1094 and 1095, but still have an electronic filing obligation based on the other kinds of information returns it will be filing (e.g., Forms W-2 and 1099).
- The IRS may grant waivers to the electronic filing requirement upon request, but only in limited circumstances. The IRS still encourages electronic filing even if a reporting entity is filing fewer than 10 returns.
- Employers can use the AIR System to electronically file ACA information returns with the IRS. This system is separate from the system used to file other information returns like Forms W-2.
- When filing forms electronically, the formatting set forth in the “XML Schemas” and “Business Rules” published on IRS.gov must be followed rather than the formatting directions in the instructions, which are intended to assist paper filers only.
Employer Action Items
Employers who are not currently set up for electronic filing should take steps to do so soon, whether on their own or through a third party. Reporting entities that may be in a position to perform their own electronic reporting can review the IRS’ ACA Information Returns (AIR) Program webpage.
OCR Issues Breach Settlement Agreement with HIPAA Business Associate Over Ransomware Attack
The Health and Human Services’ Office for Civil Rights (OCR) has issued its first settlement agreement involving a ransomware attack, with a Massachusetts-based medical management company that is a HIPAA business associate (BA), to resolve an investigation of a data breach that uncovered multiple potential violations of the HIPAA Security Rule. The agreement requires the BA to pay $100,000 to settle the associated civil monetary penalty and to comply with a three-year corrective action plan (CAP).
Employer Action Items
According to OCR, in the past 5 years, the number of ransomware attacks has increased by a staggering 278%. Employers should ensure they are compliant with the HIPAA Security Rule to assist them in their efforts to ward off these ruthless attacks. Organizations should take steps to identify and address cybersecurity vulnerabilities on an ongoing basis. In particular, employers should:
- Review processes and procedures related to the administration and governance of HIPAA BAs;
- Appropriately analyze associated risks;
- Where needed or overlooked, implement appropriate administrative, physical, and technical safeguards; and
- Educate their workforce on the importance of HIPAA and the risks of noncompliance.
Employers needing guidance should reach out to their broker/consultant or to OCR to discuss the required performance of HIPAA’s suite of administrative simplification tasks.
HHS began its investigation in 2019 after receiving a breach notification that approximately 206,695 individuals were affected when Doctors’ Management Services’ (DMS) network server was infected with GandCrab ransomware. The initial intrusion happened April 1, 2017, and was not detected until December 24, 2018. OCR’s investigation found that DMS failed to:
- Have a proper analysis in place to determine potential risks and vulnerabilities; and
- Have policies and procedures in place to assure compliance respecting the HIPAA Privacy and Security Rules.
In addition to the $100,000 fine, DMS must:
- Review and revise its Security Risk Analysis to identify the potential risks and vulnerabilities to its data for protection of the confidentiality, integrity, and availability of its electronic protected health information (ePHI);
- Review and revise, as necessary, its written policies and procedures to comply with HIPAA’s Privacy and Security Rules;
- Update its enterprise-wide Risk Management Plan strategy to protect the confidentiality, integrity, and availability of ePHI and to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis; and
- Provide workforce training on HIPAA policies and procedures and submit its training materials (written or electronic certifications including training dates) to HHS for approval.
The resolution of this active investigation brings home the reality of a ransomware attack upon a mid-sized employer and the potential consequences, including a federal agency-imposed “CAP.” Keep in mind, the employer first had to resolve its ransomware infection before it could even address the elements of OCR’s complaint. Thus, identifying and mitigating the harms resulting from such attacks is generally a multi-tiered effort: first restoring business-as-usual operations, then completing the OCR inquiry and audit process associated with the breach. These operations can lead to significant drains upon fiscal and human resources.
Employers are encouraged to visit the following websites for additional information:
HHS Security Risk Assessment Tool:
OCR Cybersecurity Video: https://www.youtube.com/watch?v=VnbBxxyZLc8
Cybersecurity and Infrastructure Security Agency (CISA) & HHS Cybersecurity toolkit:
2024 HIPAA Privacy and Security Rule Training Calendar
BRCC’s HIPAA training calendar is available here. Please note that all trainings will be broadcast on the first Tuesday of each month (there is no training scheduled for March), beginning at 3:00 pm Eastern, 12:00 pm Pacific time. You will also see that the HIPAA training is divided into four sessions and repeated twice throughout the year. Pre-registration is required. Registration links are embedded in the attachment.
2024 BRCC Educational Webinar Calendar
The BRCC’s monthly webinar calendar for 2024 has been released and is available here. Note that the webinar series is scheduled for the last Wednesday of every month at 1:00 pm Eastern, 10:00 am Pacific time. Program participants who attend a live BPEC webcast presentation are eligible to apply for HRCI or SHRM professional continuing education credits. Pre-registration is required. Registration links are embedded in the attachment.
Question of the Month
Question: Our employer has just terminated participation in a professional employee organization (PEO) and will now be providing medical benefits to its employees through a stand-alone group health plan that it sponsors. Do we need to prepare a plan document if we are subject to ERISA?
Answer: In short, yes. ERISA requires that every benefit subject to ERISA have a plan document, which is the legal instrument governing the plan. A summary plan description (SPD) must also be provided to each participant within 90 days of enrolling in the plan, regardless of the number of participants. The SPD summarizes the terms of the plan in layman’s language. For additional information regarding these documents and additional disclosure requirements under ERISA, including a Summary of Material Modification (SMM) to amend an SPD and a Summary of Benefits and Coverage (SBC), please refer to the Department of Labor’s Reporting and Disclosure Guide for Employee Benefit Plans, available here. The plan document and SPD requirements are briefly summarized below.
Written Document Requirement
Under ERISA, welfare benefit plans must “be established and maintained pursuant to a written instrument.” Thus, an employer’s welfare benefit plans must be described in a written plan document. There is no small employer exception to ERISA’s plan document requirement.
ERISA does not require that a plan document be in any particular format. However, there are several topics that must be addressed in the document for a welfare benefit plan. For example, the plan document must address benefits and eligibility, funding, procedures for allocating and delegating plan responsibilities, plan amendment and termination procedures, the designation of the named fiduciary, as well as specific required provisions for group health plans, such as COBRA rights, and certification of its compliance with HIPAA.
In general, the detailed coverage document (or certificate of coverage) provided by an insurance carrier for a welfare benefit does not contain all of the information required by ERISA for a plan document. For example, while carrier certificates include detailed benefit information, they generally do not designate plan fiduciaries or provide procedures for amending or terminating the plan. Thus, the carrier’s certificates, on their own, are not ERISA-compliant plan documents. Benefit booklets provided by the third-party administrator (TPA) for self-insured welfare benefits may also fail to include the ERISA-required information for plan documents.
A wrap document is a relatively simple document that supplements existing documentation for a welfare benefit plan (for example, an insurance certificate or benefit booklet). This document is called a wrap document because it essentially wraps around the certificate or booklet to fill in the missing ERISA-required provisions. Because the wrap document incorporates the insurance certificate or benefits booklet by reference, the plan’s benefit provisions continue to be governed by the terms of those documents.
When a wrap document is used, the ERISA plan document consists of two pieces: (1) the insurance certificate or benefits booklet, reflecting many of the plan’s important terms and requirements; and (2) the wrap document that fills in the ERISA-required information that is missing from the insurance certificate or benefits booklet. Thus, the wrap document and the carrier certificate (or TPA booklet), together, make up the legal plan document.
Virtually all welfare benefit plans that are subject to ERISA must provide participants with an SPD, regardless of the size of the sponsoring employer. An SPD is a document that is provided to plan participants to explain their rights and benefits under the plan document. ERISA also includes detailed content requirements for welfare benefit plan SPDs.
As with the plan document requirement, in general, a carrier’s insurance certificate will not include all the information that must be included in an SPD under ERISA. A benefit booklet prepared by a TPA may also fail to include the ERISA-required information for SPDs. To create an SPD in this situation, an employer can use a wrap document (wrap SPD) that includes the ERISA-required information that the certificate or booklet prepared by the insurer or TPA does not include. In this scenario, the wrap SPD and the insurance certificate or booklet, together, make up the plan’s SPD. To comply with ERISA, both the wrap SPD and the insurance certificate or booklet must be distributed to plan participants by the appropriate deadline.