The Consolidated Appropriations Act, 2021 (CAA) amended the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) to include substantial new compliance requirements. The Department of Labor (DOL), Health and Human Services, and the Treasury (collectively, the Departments) have released much-anticipated guidance for group health plans necessitating action from plan sponsors. More…
The Ninth Circuit Court of Appeals recently addressed several issues of first impression in Bafford v. Northrop Grumman (9th Cir. April 15, 2021), a lawsuit involving retirees who received vastly overstated pension benefit estimates from the plan’s recordkeeper reminds employers of the importance of careful administration. The case highlights the need to ensure that electronic recordkeeping systems and tools align with the plan terms. Participant requests for plan or benefit information using online portals or other electronic means still demand timely and accurate responses as required by ERISA’s disclosure requirements.
Northrop Grumman sponsored a defined benefit plan and delegated administration of the plan to an Administrative Committee, which contracted with a recordkeeper to produce benefit statements for participants. Two participants used the recordkeeper’s online benefits portal to calculate their monthly pension benefits. Unfortunately, the online tool produced statements that grossly overstated the monthly pension benefits. After the participants retired and began receiving the monthly pension benefits they were told they would receive, the recordkeeper notified them of the error and dramatically reduced their monthly benefits.
The participants sued the company, the plan administrator, and the recordkeeper, alleging that:
- The company and the Administrative Committee violated the pension benefit statement requirements of ERISA and breached their fiduciary duties by providing incomplete and inaccurate benefit statements; and
- The recordkeeper was liable for professional negligence and negligent representation under state law.
On appeal from the district court, the Ninth Circuit agreed that the participants’ ERISA fiduciary claims should have been dismissed, aligning with the First and the Fourth Circuit’s view that a named fiduciary is only liable for a fiduciary breach if they are performing a fiduciary function. The court said that calculating pension benefits using a pre-set formula is a ministerial function, not a fiduciary function. So a miscalculation error would not create a breach of fiduciary duty claim.
The Ninth Circuit also dismissed the pension benefit statement claim because of a procedural matter but used the opportunity to address a question of first impression among the circuit courts. The question being whether a request for a pension benefit statement using an online tool would be treated the same as one made “in writing” under ERISA Section 105(a). Citing the definition of “writing” in Black’s Law Dictionary (11th ed. 2019) as the “intentional recording of words in a visual form,” the Ninth Circuit rejected the notion that an online pension benefit statement request could never trigger the fiduciary obligation to respond.
Finally, addressing an issue of particular concern to plan service providers, the Ninth Circuit found that ERISA does not preempt the state law claims of professional negligence asserted against the recordkeeper. The court was concerned that a finding of preemption would leave the plaintiffs without a remedy. Under the existing two-pronged preemption analysis in the Ninth Circuit, a state law has a reference to ERISA plans if it acts immediately and exclusively on ERISA plans or if the existence of ERISA plans is essential to the law’s operation. The court held that state negligence laws satisfied neither requirement. To be preempted by ERISA under the second (connection with) prong, the claim must “bear on an ERISA-regulated relationship.” Because the participants’ claims only arose out of the relationship between the recordkeeper and the participants, not an ERISA-regulated relationship, ERISA did not preempt the law under this prong of the test.
This case has important practical implications for plan fiduciaries and plan recordkeepers and their relationship to each other. These concepts are not limited to pension plans. Electronic systems, portals, and online tools are now the primary way employee benefits are offered and administered and need to be closely managed for compliance with the requirements of ERISA and the plan. We recommend plan administrators address these important compliance measures and review the Department of Labor’s cybersecurity guidance with their recordkeepers.
Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.
Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. The essence of today’s guidance:
Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
What that obligation means at this point is at least what EBSA set out in the following materials on its website, although the “Online Security Tips” are directed more to plan participants than plan fiduciaries:
- Cybersecurity Program Best Practices
- Tips for Hiring a Service Provider with Strong Security Practices
- Online Security Tips
Acknowledging ERISA-covered plans hold “millions of dollars or more in assets and maintain personal data on participants,” EBSA’s guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as plan fiduciaries having the duty to make prudent decisions when evaluating and selecting plan service providers. Some of the EBSA’s best practices include:
- Maintain a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Implement a reliable annual third-party audit of security controls.
- Follow strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
The EBSA fleshes out each of these best practices to give recordkeepers, service providers, and plan fiduciaries more guidance when developing their own policies and procedures. It is worth noting these best practices are not dissimilar to other, well-known frameworks designed to protect personal data. So, organizations that have engaged in efforts to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the NY SHIELD Act will have a head start taking similar steps concerning their retirement plans and/or their services to plans.
Selecting ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA offers key cybersecurity issues to account for when selecting service providers, including the following:
- Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors may assume that a service provider referred from a trusted source with compelling marketing materials would have put in place appropriate cybersecurity safeguards. As the saying goes, “Trust, but verify.” This also applies to all third-party plan providers, even large, well-known organizations.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. As these incidents are often reported, consider reviewing news accounts of the service provider’s response to the incident.
- Investigate whether the service provider might have cyber insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider’s own employees or contractors, or a third party hijacking a plan participant’s account.
- Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity, clear rules concerning use and disclosure of personal information, responsibility for security breaches, and other key terms addressing exposure to the plan, plan sponsor, and participants.
It is important to note that no set of safeguards will prevent all data breaches and no amount of due diligence will result in the selection of a flawless service provider. In many cases, a data breach experienced by a plan service provider may not warrant moving away from that provider. Here are some reasons why.
Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.
The Biden administration reportedly has called for all people at least 18 to be eligible for the COVID-19 vaccine by April 19, 2021, two weeks earlier than its prior goal of May 1, and less than a week away. Most states have already done so. Without the barriers created by state-by-state priority rules, the rate of vaccinations is likely to increase, hopefully helping to contain a fourth wave in COVID-19 cases observed in recent weeks.
No more confusing rules, President Biden
A BenefitsPro article cites a 2017 survey from the Society for Human Resource Management (SHRM) that found almost 60 percent of employers offer on-site flu vaccinations. Naturally, with expanding availability of COVID-19 vaccination doses and widespread eligibility, organizations are asking whether setting up an on-site COVID-19 vaccination program is more involved than one offering flu shots. The short answer is yes.
The country continues to operate under a national emergency due to a pandemic, not present during a typical flu season. Accordingly, concerns about safety and minimizing spread are significantly amplified. Individuals tend to be familiar with flu vaccines, not so with the current COVID-19 vaccines. Concerns over the emergency use authorization status of the COVID-19 vaccine, privacy, individual rights, school openings and childcare, effects on continued employment, liability, and so on are apparently not as prominent when getting an annual flu shot.
Taking those and other concerns into account, organizations considering setting up an on-site COVID-19 vaccination program have several issues to consider. Some of my colleagues and I assembled a nonexhaustive list of some of those issues (see our complete article here):
- Getting Organized
- Vaccine Administration and Reporting
- Facility Suitability and Preparedness
- Employment Issues
- Privacy and Data Security
You can access our complete discussion here.
There is quite a bit to think about when setting up a COVID-19 vaccination program. While flu vaccination programs likely differ, prior experience with health fairs and flu vaccination offerings can be helpful reference points. Having a good team in place, careful planning, and the support and collaboration of an LHD or TPHCP, among other things, will help lead to a successful program.
Providing incentives for employees to get the COVID-19 vaccine continues to be on the minds of organizations as vaccinations pick up speed. However, concerns about privacy and the shifting positions on wellness program regulation has left many employers wary about implementing more robust incentives. According to Bloomberg, two GOP members of Congress are urging the Equal Employment Opportunity Commission (EEOC) to provide some clarity.
Employer-sponsored wellness programs come in many forms, such as:
- An education campaign to inform employees about healthier eating habits.
- A gym membership subsidy.
- A health risk questionnaire to help employees be more informed about their health risks.
- A walking program designed to decrease sedentary lifestyles.
- Making health coaches available for engagement on general wellness and/or chronic health issues.
- Satisfaction of key health-related measures – heart rate, cholesterol level, body mass index (BMI).
Such programs are often tied to group health plans and the incentives for satisfying program requirements come in the form of cash payments, reduced contributions toward premiums, points that can later be redeemed, and other creative arrangements. A key compliance challenge for many of these programs is the size of the incentive – the underlying issue being whether the size of the incentive causes a loss of voluntariness. Programs that are part of group health plans generally are subject to regulations issued under the Affordable Care Act (ACA) and the Health Insurance Portability and Accountability Act (HIPAA), although other rules including those referred to below may apply. The ACA/HIPAA regulations are relatively clear on incentive limits and are not what GOP members of Congress and business leaders have expressed concerns about.
Under the Americans with Disabilities Act, disability-related inquiries of employees generally must be job-related and consistent with business necessity, unless made in connection with a voluntary wellness program. It is that exception, specifically whether the program is voluntary, that is causing much of the concern about vaccination incentive programs. We outlined a brief history of the EEOC’s position on voluntariness here.
Depending on the design of a COVID-19 vaccination incentive program, disability-related inquiries may be involved, raising the question about voluntariness. Is a $50 gift card too much, what about $500, will that render the program involuntary? How about 2 days off with pay? It is worth noting that, according to the EEOC,
“[s]imply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.”
On January 7, 2021, the EEOC proposed a new approach that might wind up providing employers some certainty, but those regulations have been withdrawn following a regulatory freeze issued by the White House on January 20, 2021. Under those proposed rules, however, incentives are permitted under such programs provided they are de minimis.
Sen. Richard Burr (R-N.C.) and Rep. Virginia Foxx (R-N.C.) observed to the EEOC in a letter obtained by Bloomberg, looking for a response by April 20, 2021:
“Employers actively working to protect their employees by increasing the number of workers receiving vaccinations through incentive programs are seeking assurance this action is allowable and does not violate important labor laws such as the Americans with Disabilities Act (ADA) and other statutes within the jurisdiction of the EEOC”
Additionally, the data privacy, confidentiality, security, and record retention of the information needed to administer such programs also raises compliance issues under federal and state law. This includes the confidentiality rule under the ADA, the HIPAA privacy and security regulations for programs that are part of group health plans, OSHA record retention requirements, and state reasonable safeguard and breach notification requirements.
Many organizations have moved forward offering a variety of incentive programs to spur employees to get a COVID-19 vaccine. The level of legal risk, if any, for those programs is a function of several factors – does the program include a disability-related inquiry, how large is the incentive, is the program part of a group health plan, how is the program administered and enforced, and how is the privacy and security of the data maintained.
It remains to be seen whether the EEOC will provide greater clarity on the voluntariness of incentives for COVID-19 vaccination programs. In the meantime, employers will need to think carefully about the design and implementation of their programs.
On April 7, 2021, the U.S. Department of Labor (DOL) issued eagerly anticipated guidance on administering COBRA subsidies under the American Rescue Plan Act of 2021 (ARPA). The guidance includes Frequently Asked Questions (FAQs) and various Model Notices and election forms implementing the COBRA Premium Assistance provisions under ARPA, while also announcing the launch of a page dedicated to COBRA Premium Subsidy guidance on its website.
Since ARPA was enacted, employers have been preparing to comply, albeit with many open questions. ARPA requires that full COBRA premiums be subsidized for “Assistance Eligible Individuals” for periods of coverage between April 1, 2021, through September 30, 2021. While this guidance answers important questions on the administration of the subsidies, it does not address many other details on the minds of employers. For example, this guidance does not cover important nuances such as what is an “involuntary termination” in order to qualify for subsidized coverage, how existing separation agreement commitments to subsidize COBRA should be viewed, or details on how the corresponding payroll tax credit will work.
The FAQs are largely directed to individuals and focus on how to obtain the subsidy and how subsidized coverage fits with other types of health coverage that may be available, including Marketplace, Medicaid, and individual plan coverage. We hope that employer directed guidance will follow to fill in the gaps.
Employers will be happy to know that the FAQs confirm a few points that will impact administration. First, eligibility for coverage under another group health plan, including that of a spouse’s employer, will disqualify the employee from the subsidy. Employees must certify on election forms that they are not eligible for such coverage and will notify the employer if they subsequently become eligible for coverage (individual coverage, such as through the Marketplace or Medicaid, will not disqualify an otherwise eligible individual from subsidized COBRA). Failure to do so will subject the individual to a tax penalty of $250, or if the failure is fraudulent, the greater of $250 or 110% of the premium subsidy. The availability of other coverage (which the employer may not know about) does not impact the employer’s initial obligation to identify potential Assistance Eligible Individuals and provide the required notices and election forms.
Soon after enactment, there were also questions circling about whether ARPA applied to small employer plans not subject to COBRA, but rather state “mini-COBRA” laws. The FAQs confirm that the subsidy also applies to any continuation coverage required under state mini-COBRA laws but also notes that ARPA does not change time periods for elections under State law. Further guidance would be welcome on obligations related to small insured plans. The FAQs also confirm that plans sponsored by State or local governments subject to similar continuation requirements under the Public Health Service Act are covered by the ARPA subsidies.
One area that has caused great confusion is how the right to retroactively elect COBRA coverage (to the date active coverage was lost) due to the DOL’s extended deadlines fits with this new election right. While there is more to come on this, the DOL helpfully confirmed that these are two separate rights and thankfully, the FAQs note that the extended deadlines do not apply to the 60-day notice or election periods related to the ARPA subsidies.
The most significant part of the guidance (that we knew was coming but are still happy to see sooner rather than later) are the Model Notices and election materials. The guidance package confirms that employers have until May 31, 2021, to provide the notices of the opportunity to elect subsidized coverage and individuals have 60 days following the date that notice is provided to elect subsidized coverage. Individuals can begin subsidized coverage on the date of their election, or April 1, 2021, as long as the involuntary termination or reduction in hours supporting the election right occurred before April 1, 2021. As previously noted, in no way do these timeframes extend the otherwise applicable 18-month COBRA period.
The Notices include an ARPA General Notice and COBRA Continuation Coverage Election Notice, to be provided to all individuals who will lose coverage due to any COBRA qualifying event between April 1 and September 30, 2021, and a separate Model COBRA Continuation Coverage Notice in Connection with Extended Election Periods, to be provided to anyone who may be eligible for the subsidy due to involuntary termination or reduction in hours occurring before April 1, 2021 (i.e., generally involuntary terminations or reductions in hours occurring on or after October 1, 2019).
Plans will also have to provide individuals with a Notice of Expiration of Period of Premium Assistance 15-45 days before the expiration of the subsidy — essentially explaining that subsidies will soon expire, the ability to continue unsubsidized COBRA for any period remaining under the original 18-month coverage period and describing the coverage opportunities available through other avenues such as the Marketplace or Medicaid. Employers are highly encouraged to use the DOL’s model notices without customization except where required to insert plan or employer specific information.
With the release of the model notices, employers and COBRA administrators now largely have the tools to administer this new election right. The FAQs remind us that the DOL will ensure ARPA benefits are received by eligible individuals and employers will face an excise tax for failing to comply, which can be as much as $100 per qualified beneficiary (no more than $200 per family) for each day the employer is in violation for the COBRA rules. Accordingly, employers will want to begin or continue conversations with COBRA administrators to ensure notices are timely provided to the right group of individuals. We will continue to update you on developments. Meanwhile, please contact a member of the Jackson Lewis Employee Benefits Practice Group if you have questions or need assistance.
Aligning itself with other circuit courts that have ruled on the issue, the Ninth Circuit recently held that ERISA does not bar forum selection clauses in benefit plans. The background of the case and the Ninth Circuit’s ruling are straightforward. Plaintiff filed a putative class action in the Northern District of California challenging the management of Wells Fargo’s 401(k) plan. Wells Fargo moved to transfer venue to the District of Minnesota under the 401(k) plan’s forum selection clause. The California district court granted the motion to transfer and Plaintiff sought a writ of mandamus to stop the transfer.
The Ninth Circuit unequivocally affirmed the transfer. The Court reasoned that the permissive “may” in ERISA’s venue provision provides three options for a proper venue but mandates none of them. Moreover, policy considerations support permitting contractual forum selection clauses: the clause at issue does not impinge on “ready access” to the courts (instead, it mandates it) and confining plan-related lawsuits to one jurisdiction furthers ERISA’s goal of uniform administration of benefit plans.
While the Ninth Circuit is certainly not the first to enforce a benefit plan’s forum selection clause (indeed, the Court recognized “near universal” agreement on the issue), this case is significant in two respects. First, it dampens recent efforts in the lower courts to challenge forum selection clauses in ERISA plans. It chips away further at prior case law disfavoring such clauses. Echoing its conclusions in Dorman v. Charles Schwab – a 2019 decision enforcing a mandatory arbitration clause in an ERISA plan – the Court here classified judicial skepticism of forum selection clauses as a “relic” of a past era.
You didn’t know it was a thing? Or maybe, like most, you just lost track of what day it is? Or maybe it ranks somewhere behind New Beer’s Eve (the day before the end of prohibition) and National Tartan Day, both of which are most certainly things and also fall on April 6th.
If there was ever a year to celebrate National Employee Benefits Day, this is the year. The last year needs no introduction, but it is worthwhile to take just a moment to acknowledge the role employee benefits and all the tireless employee benefit professionals have played in getting us through.
Last year showed us how central employer provided benefits are to our daily lives. And in the time of the largest national crisis for most, employers, their benefits providers, and the entire system of employer-provided benefits rose to the occasion to provide flexibility and much-needed support to workers. Whether it was voluntarily extending subsidized health coverage to those who would typically lose coverage because of a reduction in hours or termination, offering needed access to 401(k) assets through coronavirus related distributions and loans through the CARES Act, or allowing flexibility for mid-year changes in health care and flexible spending account elections, employers, vendors, and Washington, D.C. moved rapidly to respond. At the same time, retirement plan fiduciaries weathered the increased threats of class action litigation over plan investment fees, new concerns related to protecting plan data, investment processes related to ESG funds and proxies, and a roller-coaster market. Not to mention responding in real time to the ever expanding state and federal leave requirements.
So far, the year ahead appears to be full of its own twists and turns, albeit of a different vein. As evidenced by the recent COBRA subsidy provisions in the American Rescue Plan Act of 2021, health care will continue to take center stage and the role of employer provided coverage against the backdrop of strengthened ACA Marketplaces, a bright spotlight on pharmacy benefits, transparency requirements, and rollouts of vaccines (and incentives) will keep us on our toes. There will be other areas of focus for employers too—new opportunities to assist employees with student debt, expanding options in 401(k) plans such as withdrawals for birth and adoption assistance, and a new focus on voluntary benefits offerings alongside the traditional core offerings, plus new legislation around the bend on qualified retirement plans. And as some begin the long march back to the office (and others continue to work remotely), we will confront pesky remote worker tax questions, a renewed focus on wellness benefits (including mental health), and a growing demand for financial wellness programs alongside changes that address our new normal, like the ability to pay for face masks, hand sanitizer and disinfecting wipes from our health flexible spending accounts. There is much to do and no offseason for benefits professionals, but great opportunity to reevaluate benefit offerings, given changing employee needs and demands and a changing regulatory landscape under an ambitious new administration.
So, for now, take a minute and raise your copy of ERISA (and, of course, your favorite libation) to appreciate how much has been accomplished over the past year in the face of unchartered demands and stressors. We are all looking forward to the year ahead for so many reasons and the changes (and opportunities) it brings in employee benefits and beyond.
All the way back in 2016, California passed legislation that employers who do not sponsor an employee-retirement plan must participate in a state-run retirement program. This program became known as CalSavers.
While there have been legal challenges to CalSavers, the program persists. The pilot phase of CalSavers launched in 2018 and the phase-in period started in 2020. CalSavers provides an opportunity for employees to defer wages, through payroll deductions by the employer, to a state-run individual retirement savings account program. An employer is not required to participate in CalSavers if it sponsors or participates in a retirement plan such as a 401(k) plan or pension plan. In order to be exempt from CalSavers, an employer may sponsor a retirement plan for any of its employees; California employees need not be covered by the retirement plan in order for the employer to be exempt.
Last year, employers with over 100 employees received a small reprieve and had their deadline to adopt a retirement plan and file an exemption or enroll in CalSavers, extended to September 2020. However, to date, employers with 50 or more employees still have a deadline of June 30, 2021, and employers with 5 or more employees have a deadline of June 30, 2022.
Employers who fail to comply with the requirements of the California mandate may be fined by the California Franchise Tax Board. As such, it is important for employers with employees in California to either adopt a retirement plan and file an exemption or register with CalSavers in order to ensure they are in compliance by the applicable deadline.
If employers have questions about California’s retirement plan mandate or about employee benefits, contact a Jackson Lewis attorney to discuss.
The American Rescue Plan Act of 2021 includes a modified version of the Butch Lewis Act, referred to as the Emergency Pension Plan Relief Act of 2021 (EPPRA), which restores to financial health more than 100 failing multiemployer pension plans. However, the measure falls well short of any meaningful long-term funding reform. More