Federal Benefits Developments - Audits Abound: Are You Ready?

From Benefits Law Journal, Summer 2014 Issue. This article covers:

- What Triggers a Plan Audit?
- DOL Audits of Health and Pension Plans
- IRS Audits of Pension and Retirement Plans
- HIPAA Privacy and Security Audits
- How Can a Plan Sponsor Best Be Fortified to Withstand an Audit?
- What Should a Plan Sponsor Do?

Published in: Business

Federal Benefits Developments

BENEFITS LAW JOURNAL VOL. 27, NO. 2 SUMMER 2014

Audits Abound: Are You Ready?

Karen R. McLeese

With this column, we welcome Karen R. McLeese, the Vice President of Employee Benefit Regulatory Affairs for CBIZ Benefits & Insurance Services, Inc., a division of CBIZ, Inc. She serves as in-house counsel, with particular emphasis on monitoring and interpreting state and federal employee benefits law. Ms. McLeese is based in the Leawood, Kansas, CBIZ office.

Whether it is the Department of Labor or the Internal Revenue Service and Treasury Department reviewing your health or retirement plan, or the Office of Civil Rights reviewing your HIPAA privacy compliance, there are many agencies interested in making sure your plans and processes are compliant. Read on for some tips on how to make certain your benefit abode is clean and tidy should the government pay you a visit.

What Triggers a Plan Audit?

An audit is an inspection or examination to evaluate or improve the appropriateness, efficiency, accuracy, prudence, or the like of a particular process. Put in an ERISA plan perspective, an audit, whether self-imposed or commenced by a regulatory agency, is for the purpose of ensuring that the plan is operated in accordance with, and in compliance with, the law. Of utmost importance is ensuring that the plan is administered for the exclusive benefit of plan participants and beneficiaries.

To that end, an audit most typically focuses on ensuring that the terms and conditions of the plan are, first and foremost, written with the intent of benefitting plan participants and beneficiaries, and second, that the plan is so administered. Of paramount importance is ensuring that plan assets are used for the exclusive benefit of plan participants and, in particular, that participant contributions are timely contributed to the trust, paid to an insurer, or otherwise used in accordance with the terms and conditions of the plan.

A number of events can trigger an audit, such as plan filings or random selection. One of the most common events generating an audit is a complaint by a plan participant or a perceived injured party.

DOL Audits of Health and Pension Plans

An audit initiated by the Department of Labor’s Employee Benefit Security Administration (EBSA) to investigate a health plan or pension plan may be any of the following:

1. Limited review (no specific issue);[1]
2. Fiduciary investigation;[2] or
3. Prohibited person investigation.[3]

In conducting an audit of these types of plans, EBSA will request and review many documents[4] including:

• Form 5500 filings and related summary annual reports;
• The plan document and related disclosures;
• All related insurance and reinsurance contracts, third-party agreements, and administrative services agreements; and
• Documents describing employer or plan sponsor responsibilities regarding payment of associated plan costs.

Additional items that may be requested include:

• Collective bargaining agreements (if applicable);
• Lag reports of participant claims filed;
• The plan’s accounting records (bank or trust statements);
• Documents identifying plan assets, liabilities, revenue, and expenses;
• Fiduciary liability bond;
• Fidelity (fraud and dishonesty) bond; and
• Identity and contact information of service providers (attorney, accountant, actuary, insurance agent, third-party administrator, and trustee)

In addition, a health plan might be required to produce documents showing compliance with laws[5] such as:

• Consolidated Omnibus Budget Reconciliation Act (COBRA);
• Health Insurance Portability and Accountability Act (HIPAA);
• Mental Health Parity Laws (MHPA and MHPAEA);
• Genetic Information Nondiscrimination Act (GINA); and
• Patient Protection and Affordable Care Act (Affordable Care Act or ACA).

The direction the EBSA would follow in a pension or retirement plan audit generally depends upon whether there is a potential violation of participant’s rights under the plan, whether there are prohibited individuals serving as fiduciaries or service providers of the plan, or whether the investigation focuses on a fiduciary violation. Several years ago, EBSA commenced a three-prong effort to enhance plan sponsor and participant awareness of retirement plan fees. As part of its initiative, the service provider fee disclosure rules[6] require service providers of qualified retirement plans to provide certain plan information, in writing, to plan fiduciaries who, in turn, provide fee-related information to plan participants.[7] These types of disclosures would also be reviewed during an EBSA audit.

IRS Audits of Pension and Retirement Plans

Audits of pension and retirement plans can also be initiated by the Internal Revenue Service (IRS).[8] An IRS examination would generally focus on plan data and operations to confirm compliance. The main areas of an IRS examination could include:

1. Review of plan documents and amendments, as well as trust documents
2. Plan qualification substantiation relating to:
   • Coverage and nondiscrimination tests
   • Minimum distribution requirements
   • Verification of compensation limits
   • Eligibility requirements and plan entry dates
   • Vesting provisions
3. Potential prohibited transaction matters: plan rules relating to participant loans, transactions between the plan and employer, or any self-dealing by the plan’s fiduciary(ies)
4. Plan operation matters: review of allocations and general compliance with the terms of the plan, including eligibility, distributions, deferral elections, and automatic enrollment features
5. Review of plan asset matters: investments held by trust, whether contributions are timely transmitted, and payment of expenses by plan assets and investment elections
6. Tax review: prohibited transaction excise tax, tax on deemed distributions due to defaulted loans or Internal Revenue Code 72(p) noncompliance, deduction limits, shortfalls under minimum distribution rules, proper withholding, and timing of income on corrective distributions
7. Review of reporting documents to the IRS such as Forms 1099s, 5500s, and W-2s

HIPAA Privacy and Security Audits

The administrative simplification standards required under the HIPAA law[9] include three components: health care privacy rules, electronic data interchange rules, and security of health data rules:

• The health care privacy rules govern how individually identifiable medical information must be protected.
• HIPAA requires national standards for electronic health care transactions; code standards; and national identifiers for health care plans, providers, and clearinghouses. The intent of these standards is to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange (EDI) in health care.
• HIPAA requires that security standards be established for the protection of electronic health information.

In addition, covered entities (health care providers, health care clearinghouses, and health plans) are required to notify affected individuals in the event of a breach of their unsecured health information.

The Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the privacy and security rules.[10] According to the OCR, the increased use of health information technology, while beneficial, also carries new risks to consumer privacy. Thus, the Administrative Simplification Rules enacted under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH)[11] include national standards for the privacy of protected health information (PHI), the security of electronic protected health information (e-PHI), and breach notification to consumers.

The types of information that may be requested during an OCR audit[12] include the following:

1. Substantiation of compliance with the privacy rule requirements relating to:
   • Implementation of ongoing administrative requirements, such as appointment of a privacy and security officer, maintenance of written policies and procedures, entering into business associate agreements, providing privacy training to the workforce, maintenance and certification of plan documents, and record retention
   • Maintenance and distribution of the entity’s notice of privacy practices
   • Ongoing monitoring of the use and disclosure of PHI by the covered entity
   • Honoring individual rights, including the right to request privacy protection of PHI, the right to access and amend PHI, and the right to an accounting of disclosures
2. Substantiation of compliance with the security rule requirements for implementing administrative, physical, and technical safeguards in the protection of PHI and e-PHI, as well as mobile device security
3. Substantiation of satisfying the requirements of the Breach Notification Rules

Audits could also be initiated by the Centers for Medicare and Medicaid Services (CMS), which administers and enforces other aspects of the HIPAA Administrative Simplification Rules, including standards relating to transactions and code sets and the employer and national provider identifiers.[13] In addition, the HITECH law authorized enforcement of privacy violations by state attorneys general.

How Can a Plan Sponsor Best Be Fortified to Withstand an Audit?

One of the best ways a plan sponsor can be prepared to withstand an audit is to regularly engage in a bit of spring cleaning. An employer should, for example, regularly review its plans to ensure compliance with all of the policies and procedures governing those plans. This is particularly important in the current environment of constant change. The three governing agencies mentioned in this article provide manuals, compliance tools, checklists, and other information to assist plan sponsors in determining whether their plans are compliant. Following are some of these sources that may be helpful.

EBSA Resources

Health and welfare benefit plans:

• HIPAA & Other Health Care-Related Provisions Tool[14]
• Affordable Care Act Provisions Tool[15]
• EBSA Enforcement Manual—Health Plan Investigations[16]

Pension and retirement plans:

• EBSA Enforcement Manual—Participant’s Rights,[17] Prohibited Persons,[18] and Fiduciary Investigations Program[19]
• Voluntary Correction Programs[20]

IRS Qualified Pension and Retirement Plan Resources

• Employee Plans Examination Guidelines[21]
• Checklists[22] containing Fix-it Guides[23] on an array of retirement plans such as 401(k) and 403(b) plans, Simple IRAs, SEPs and SARSEPs
• Three programs for correcting plan errors:[24]
   • Self-Correction Program (SCP)
   • Voluntary Correction Program (VCP)
   • Audit Closing Agreement Program (Audit CAP)

HIPAA Privacy and Security Resources

• OCR’s Audit Program Protocol[25] provides compliance assistance to covered entities relating to privacy, security, and breach rules.
• Workgroup for Electronic Data Interchange (WEDI) has developed compliance tools such as a breach risk assessment tool, a security risk assessment tool, and Health IT Compliance Guide.[26]
• The CMS Web site provides educational materials and compliance tips.[27]

In Summary: What Should a Plan Sponsor Do?

1. Establish and maintain practices and procedures to ensure compliance with all applicable laws.
2. Periodically engage in an internal audit of relevant practices, procedures, and documents.
3. If an audit request is received:
   • Make any audit requests a high priority;
   • Engage legal counsel immediately;
   • Create a positive, cooperative relationship;
   • Assign a point person and coordinate with all players;
   • Brief management on relevant issues;
   • Respond timely to all requests; and
   • Don’t panic.

Notes

1. EBSA Enforcement Manual, Chapter 53, Targeting and Limited Reviews.
2. Id., Fiduciary and Part 7 Investigations, Program 48.
3. Id., Chapter 47, Prohibited Person.
4. Id.
5. Id., Chapter 50, Health Plan Investigations.
6. 29 C.F.R. Part 2550, Reasonable Contract or Arrangement Under Section 408(b)(2)—Fee Disclosure.
7. 29 C.F.R. Part 2550, Fiduciary Requirements for Disclosure in Participant-Directed Individual Account Plans.
8. Internal Revenue Manual, Part 4, Examining Process, Chapter 72. Employee Plans Technical Guidelines.
9. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 45 C.F.R. Parts 160, 162, and 164.
10. 45 C.F.R. Part 160, Subparts C, D, and E.
11. Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).
12. 45 C.F.R. Part 160, Subparts C, D, and E.
13. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 45 C.F.R. Parts 160, 162, and 164.
14. HIPAA & Other Health Care-Related Provisions Tool, http://www.dol.gov/ebsa/pdf/part7-1.pdf.
15. Affordable Care Act Provisions Tool, http://www.dol.gov/ebsa/pdf/part7-2.pdf.
16. EBSA Enforcement Manual, Chapter 50, Health Plan Investigations.
17. Id., Chapter 53, Participant’s Rights.
18. Id., Chapter 47, Prohibited Person.
19. Id., Fiduciary and Part 7 Investigations, Program 48.
20. EBSA Voluntary Corrections Programs, http://www.dol.gov/ebsa/compliance_assistance.html#Section8.
21. IRS Employee Plan Examination Process Guide, http://www.irs.gov/Retirement-Plans/EP-Examination-Process-Guide.
22. IRS Checklists, http://www.irs.gov/Retirement-Plans/Have-You-Had-Your-Retirement-Plan-Check-Up-This-Year.
23. IRS Fix-it Guides, http://www.irs.gov/Retirement-Plans/Plan-Sponsor/Fix-It-Guides-Common-Problems-Real-Solutions.
24. IRS Employee Plans Compliance Resolution System (EPCRS), http://www.irs.gov/Retirement-Plans/EPCRS-Overview; Correcting Plan Errors, http://www.irs.gov/Retirement-Plans/Correcting-Plan-Errors.
25. OCR’s Audit Program Protocol, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
26. Workgroup for Electronic Data Interchange (WEDI), Privacy and Security, http://www.wedi.org/topics/privacy-security.
27. Centers for Medicare and Medicaid Services, HIPAA—General Information, http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html.

Copyright © 2014 CCH Incorporated. All Rights Reserved. Reprinted from Benefits Law Journal Summer 2014, Volume 27, Number 2, pages 71–78, with permission from Aspen Publishers, Wolters Kluwer Law & Business, New York, NY, 1-800-638-8437, www.aspenpublishers.com
