As we bid farewell to 2024 and look ahead to the new year, we reflect on the many evolving compliance obligations that health and welfare plan sponsors tackle each year. Although this list is by no means exhaustive, it highlights four items and associated deadlines that have recently emerged on the health and welfare scene. Plan sponsors should review their routine compliance checklists and update as necessary to ensure a smooth transition into 2025.

  1. Gag Clause Attestations

The Consolidated Appropriations Act of 2021 generally prohibits the use of gag clauses in certain agreements and requires group health plans and health insurance issuers to annually submit a Gag Clause Prohibition Compliance Attestation. A fully insured group health plan’s responsibility is satisfied if the issuer submits an Attestation on behalf of the plan. Similarly, a self-insured plan may delegate the task of submitting the Attestation to a third-party administrator (TPA) via a written agreement if the TPA will accept this responsibility. The Attestation must be submitted to the Departments of Labor, Health & Human Services, and the Treasury by December 31st. The Departments’ submission instructions provide further details.

  2. Mental Health Parity – Fiduciary Certification

In September, the Departments of Labor, HHS, and the Treasury issued new final rules amending regulations implementing the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) and adding new regulations implementing the nonquantitative treatment limitation (NQTL) comparative analyses requirements. Consistent with the proposed rules, the final rules strengthen consumer protections by aiming to achieve parity between mental health/substance use disorder (MH/SUD) benefits and medical/surgical (M/S) benefits. The final rules generally apply to group health plans and group health insurance coverage for plan years beginning on or after January 1, 2025, although many provisions will not apply until 2026.

The final rules require that, in addition to the NQTL comparative analysis, each plan or issuer must prepare and make available to the Secretary, upon request, a written list of all NQTLs imposed under the plan or coverage. In addition, for ERISA-covered plans, this written list must be given to the named plan fiduciaries, who are required to include a certification as part of the comparative analysis. At least one named fiduciary must certify that it has engaged in a prudent process to select one or more qualified service providers to perform and document a comparative analysis of any NQTLs that apply to MH/SUD benefits under the plan, in accordance with applicable law and regulations, and that it has satisfied its duty to monitor those service providers as required by part 4 of ERISA. At a minimum, the certifying fiduciary should review the comparative analysis, ask questions, discuss the findings and conclusions with the service provider responsible for performing and documenting the comparative analysis, and obtain assurance from the service provider that, to the best of its ability, the NQTL and associated comparative analysis comply with MHPAEA and its implementing regulations.

Plans subject to MHPAEA should update their existing comparative analyses to reflect the new certification requirement by the first day of the 2025 plan year.

  3. Reproductive Health Care Updates to HIPAA Policies, Procedures, and Notice of Privacy Practices

In response to the decision in Dobbs v. Jackson Women’s Health Organization that effectively overturned Roe v. Wade, the Biden-Harris Administration, through OCR, issued a final rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support privacy in reproductive health care. The rule places limitations on the use and disclosure of reproductive healthcare information by healthcare providers and group health plans. The rule also requires several updates to HIPAA policies and procedures concerning health plans and operations of health care providers. Although most of those changes went into effect on December 23, 2024, HIPAA-covered entities have until February 16, 2026, to update their Notices of Privacy Practices. For more information about this change, see our blog posts: New HIPAA Final Rule Imposes Added Protections for Reproductive Health Care Privacy and HIPAA Final Rule For Reproductive Health Care Privacy with December 23, 2024, Compliance Deadline.

  4. ACA Section 1557 Notices of Nondiscrimination and Availability

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) enforces Section 1557 of the Affordable Care Act (Section 1557), which prohibits discrimination on the basis of race, color, national origin, age, disability, or sex (including pregnancy, sexual orientation, gender identity, and sex characteristics), in covered health programs or activities. Last spring, OCR issued a final rule under Section 1557 advancing protections against discrimination in health care. Under the final rule, covered entities (i.e., health programs and activities that receive HHS funding or are administered by HHS) must provide an annual notice of nondiscrimination to participants, beneficiaries, enrollees, applicants of their health programs and activities, and members of the public. This notice must be provided within 120 days of July 5, 2024, under the requirements of 45 CFR § 92.10. Similarly, covered entities must provide, within one year of July 5, 2024, a notice of the availability of language assistance services and auxiliary aids and services, stating at a minimum that these are free of charge when necessary for compliance with Section 1557. See 45 CFR § 92.11.

Although the rule was scheduled to go into effect on July 5, 2024, certain provisions have been stayed or enjoined pending multiple lawsuits. For example, under the final rule, a notice of nondiscrimination states in part that the covered entity does not discriminate on the basis of sex, which includes discrimination based on gender identity. However, in Tennessee v. Becerra, No. 1:24cv161-LG-BWR (S.D. Miss.), the court stayed nationwide several regulations to the extent they “extend discrimination on the basis of sex to include discrimination on the basis of gender identity”. The case is currently pending appeal.

Covered entities must continue to provide notices of nondiscrimination and availability unless specific provisions are stayed or enjoined. OCR’s sample notice of nondiscrimination currently characterizes as optional the inclusion of a statement of nondiscrimination based on gender identity. Still, covered entities should be prepared to adjust their notices if the stay is lifted. Sample notices are available on OCR’s website. For more information, see Section 1557 of the Patient Protection and Affordable Care Act | HHS.gov.

The new year often presents an opportunity to renegotiate or terminate existing service provider agreements, so now is a perfect time to reanalyze contracts before renewal. For an overview of health plan fiduciary compliance issues and strategies, see our five-part blog series, Health Plan Hygiene.

If you have questions, please contact a member of the Jackson Lewis Employee Benefits Practice Group or the Jackson Lewis attorney with whom you regularly work.

In a win for plan sponsors, the recently enacted Employer Reporting Improvement Act and the Paperwork Burden Reduction Act (the Acts), among other things, introduce several significant changes to the reporting and enforcement rules of the Affordable Care Act (ACA). 

The Current Rules

Forms 1095-B and 1095-C:  Under the ACA, plan sponsors, specifically Applicable Large Employers (ALEs), must report information about the health coverage they offer to their employees.  This ACA reporting is done through Forms 1095-B and 1095-C, which must be filed with the IRS and provided to all full-time employees and employees receiving employer-sponsored coverage. (This is the case, even though the ACA’s individual mandate is currently set to $0, and therefore functionally isn’t being enforced.)

Key aspects of ACA enforcement also include:

  • A Tight Turnaround to Respond to Proposed Assessments: The IRS may assess employer shared responsibility payments (ESRP) based on a plan sponsor’s reporting.  Before making this assessment, the IRS will send a letter with a proposed ESRP, to which sponsors can respond with corrected coding and other mitigating information.  Plan sponsors currently have only 30 days to respond to these letters.  This can be particularly challenging, as the letters are sent via US mail and often take time to get to the right person.  A late response can result in an ESRP assessment when one isn’t warranted, and additional penalties.
  • No Statute of Limitations: The period for assessing and collecting ESRPs has generally been open-ended, with no statute of limitations to potentially limit liability for aged amounts.

Changes Introduced by the Acts

The Acts introduce several changes which will improve the reporting and enforcement process for sponsors:

  • Forms 1095-B and 1095-C:  Plan sponsors (and health insurance providers for fully insured plans) are no longer required to send these Forms to all full-time employees and covered individuals. Instead, these Forms must only be sent in response to an employee/covered individual’s request.  If requested, the applicable Form must be provided by the later of January 31 or 30 days after the date of the request. One big caveat – in order to take advantage of this change, sponsors must provide notice to employees, telling them about their right to ask for a Form.  Further guidance on the form and requirements for this notice is likely forthcoming. Meanwhile, a good faith interpretation may suffice when drafting the notices.
  • Extended Response Time for Proposed ESRPs: Plan sponsors will now have at least 90 days to respond to a proposed ESRP before further action is taken. This extension gives plan sponsors more time to route the mailed letter to the right person, gather the necessary information, and respond appropriately, which may result in fewer unwarranted ESRP assessments and other penalties.
  • Statute of Limitations on Penalty Assessment: There will now be a six-year period for assessing and collecting ESRPs, counting from the due date for filing the applicable Forms 1095-B and 1095-C or the actual filing date, whichever is later. This limitations period provides clarity and predictability for plan sponsors, capping exposure for aged amounts and allowing sponsors to better manage their compliance efforts.

The Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance with these latest changes. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

Among the provisions of SECURE 2.0 (effective December 29, 2022) welcomed by plan sponsors were the additions to the Internal Revenue Code that allow qualified plans to refrain from trying to recoup an “inadvertent benefit overpayment” (referred to here as an IBO), and from having to restore such payments to the plan.  In addition, the Code was amended to permit the treatment of such overpayments as eligible rollover distributions for certain purposes.

The IRS has now addressed, via interim guidance in Notice 2024-77 issued and generally effective October 15, 2024, some of the many questions that arise under the new Code IBO relief provisions. Before that date, a reasonable good faith compliance standard applies, and after that date following the guidance in the Notice will be considered compliance. Comments on the new guidance may be made to the Treasury Department by December 16, 2024.  The following is a general summary of the major points of guidance in the Notice:

IBO definition. An IBO is defined by the Notice as an “eligible inadvertent failure” consisting of a payment from a qualified plan that either (A) exceeds the amount that should have been payable under the terms of the plan or (B) exceeds a Code or regulatory limitation. The requirement that the overpayment be an eligible inadvertent failure means it must have occurred despite the existence of established practices and procedures as described in Revenue Procedure 2021-30, the current IRS EPCRS plan correction standards, and that it not be egregious, relate to diversion or misuse of plan assets nor be directly related to an abusive tax avoidance transaction.  An IBO also encompasses payments made before a proper distribution date under the plan and Code, excluding any overpayments made to “disqualified persons” as defined in the prohibited transaction provisions of the Code or to any owner-employee. The term also excludes any payment made as part of a correction for another failure under the EPCRS correction procedures.

Coordination with EPCRS. The EPCRS plan correction standards are amended to be consistent with the Notice. But note that if a plan opts to forego recoupment of an overpayment any related operational failures must still be corrected. These could include scenarios in which the overpayment resulted from incorrect account allocations, resulting in the underpayment of benefits to other participants, or where the overpayment causes an impermissible forfeiture under Code Section 411.

Recoupment compliance. If, despite the available recoupment relief, a plan still seeks recoupment of an IBO, it must do so under the EPCRS overpayment correction standards and the provisions of ERISA (as amended by SECURE 2.0) regarding the limitations on recoupment.

Eligible rollover treatment of IBOs. An IBO transferred to an eligible retirement plan will be treated as an eligible rollover distribution under the Code (with corresponding excise tax relief for early withdrawals and excess contributions) if the payor plan does not seek recoupment of the overpayment and if the payment otherwise qualifies as an eligible rollover distribution. In such cases, the overpayment cannot have resulted from a compensation limit failure under Section 401(a)(17) or an annual additions failure under Section 415. Eligible rollover distribution treatment also applies if the payor plan attempts to recoup the overpayment, and the overpayment is repaid to that plan. If the plan does seek recoupment, it must notify the payee that any amount not returned to the plan will not be eligible for tax-free rollover treatment.

Other portions of the Notice clarify plan corrections when an overpayment results from violations of Code Sections 436, 401(a)(17), or 415 and states that a plan may not correct an IBO by retroactively amending the plan to increase benefit payments already made if that amendment would result in a violation of Sections 401(a)(17) or 415 for a past year. Similar guidance applies to any retroactive amendments that increase past benefit payments in a way that violates Code Section 436 for the past year.

Please contact your Jackson Lewis Employee Benefits Attorney for more detailed advice on dealing with IBOs in light of this interim guidance. 

The Internal Revenue Service recently announced its cost-of-living adjustments applicable to dollar limitations on benefits and contributions for retirement plans generally effective for Tax Year 2025 (see IRS Notice 2024-80). Most notably, the limitation on annual salary deferrals into a 401(k) or 403(b) plan will increase to $23,500, and the dollar threshold for highly compensated employees will increase to $160,000. This year’s notice also includes the optional SECURE 2.0 Super Catch-up amounts for participants ages 60–63.  The more significant dollar limits for 2025 are as follows:

Limit: 2024 amount; 2025 amount

  • 401(k)/403(b) Elective Deferral Limit (IRC § 402(g)): $23,000; $23,500. The annual limit on an employee’s elective deferrals to a 401(k) or 403(b) plan made through salary reduction.
  • Government/Tax-Exempt Deferral Limit (IRC § 457(e)(15)): $23,000; $23,500. The annual limit on an employee’s elective deferrals under Section 457 deferred compensation plans of state and local governments and tax-exempt organizations.
  • 401(k)/403(b)/457 Catch-up Limit (IRC § 414(v)(2)(B)(i)): $7,500; $7,500. In addition to the regular limit on elective deferrals described above, employees age 50 or over generally can make an additional “catch-up” contribution not to exceed this limit. (See the special rule below for those aged 60–63.)
  • SECURE 2.0 Super Catch-up, Age 60–63 (IRC § 414(v)(2)(E)(i)): Not applicable; $11,250. Applies to plans other than those described in IRC § 401(k)(11) or § 408(p).
  • Defined Contribution Plan Limit (IRC § 415(c)): $69,000; $70,000. The limitation on annual contributions to a defined contribution plan (such as a 401(k) plan or profit sharing plan).
  • Defined Benefit Plan Limit (IRC § 415(b)): $275,000; $280,000. The limitation on the annual benefits from a defined benefit plan.
  • Annual Compensation Limit (IRC § 401(a)(17)): $345,000 ($505,000 for certain governmental plans); $350,000 ($520,000 for certain governmental plans). The maximum amount of compensation that may be taken into account for benefit calculations and nondiscrimination testing.
  • Highly Compensated Employee Threshold (IRC § 414(q)): $155,000 (for 2024 HCE determination); $160,000 (for 2025 HCE determination). The definition of an HCE includes a compensation threshold for the prior year. A retirement plan’s discrimination testing is based on coverage and benefits for HCEs.
  • HCE Roth Catch-up Threshold (SECURE 2.0 Sec. 603 – IRC § 414(v)(7)): $145,000; $145,000. Catch-up contributions for HCEs earning above this amount in FICA wages for the preceding year must be Roth contributions. Not required for plan years beginning in 2025.
  • Key Employee Compensation Threshold (IRC § 416): $220,000; $230,000. The definition of a key employee includes a compensation threshold. Key employees must be determined for purposes of applying the top-heavy rules. Generally, a plan is top-heavy if the plan benefits of key employees exceed 60% of the aggregate plan benefits of all employees.
  • SEP Minimum Compensation Limit (IRC § 408(k)(2)(C)): $750; $750. The mandatory participation requirements for a simplified employee pension (SEP) include this minimum compensation threshold.
  • SIMPLE Employee Contribution (IRC § 408(p)(2)(E)): $16,000; $16,500. The limitation on deferrals to a SIMPLE retirement account.
  • SIMPLE Catch-up Limit (IRC § 414(v)(2)(B)(ii)): $3,500; $3,500. The maximum amount of catch-up contributions that individuals age 50 or over may make to a SIMPLE retirement account or SIMPLE 401(k) plan. (See the special rule below for those aged 60–63.)
  • SECURE 2.0 Super Catch-up, Age 60–63, SIMPLE Plans (IRC § 414(v)(2)(E)(ii)): Not applicable; $5,250. The maximum amount of catch-up contributions that individuals aged 60–63 may make to a SIMPLE retirement account or SIMPLE 401(k) plan.
  • Social Security Taxable Wage Base: $168,600; $176,100. See the Social Security Contribution and Benefit Base site. This threshold is the maximum amount of earned income on which Social Security taxes may be imposed (6.20% paid by the employee and 6.20% paid by the employer).

Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

As we conclude our “Health Plan Hygiene” blog series, we reflect on the insights shared about fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA), the risk posed by recent group health plan fiduciary litigation, and the strategies we offered for mitigating these risks by meeting ERISA obligations. We have explored best practices for evaluating, selecting, and contracting with third-party administrators, emphasized the importance of cybersecurity protocols for health plan data, and discussed the proactive review of third-party vendor fee arrangements, including pharmacy benefit managers and broker compensation structures.

As health and welfare plan fiduciaries prepare for the year ahead, how can they remain vigilant in identifying and executing their responsibilities in a climate of increasing compliance demands and associated risk?  

  1. Set up a fiduciary committee. Where a health and welfare plan document permits delegation, a named fiduciary, such as the plan administrator, may wish to delegate some of its fiduciary duties to a health and welfare plan fiduciary committee. Fiduciary committees are designed to act solely in the best interests of plan participants and beneficiaries by ensuring prudent policies and procedures are in place. A fiduciary committee typically includes designated decision-makers and at least one person with intimate knowledge of the plan’s written terms, day-to-day operations, and the plan sponsor’s participant population, such as an HR professional with a benefits background. While the delegator shares responsibility for ensuring that the committee executes its duties properly, the committee can help the delegator stay abreast of evolving compliance requirements and best practices. The committee may want to adopt a charter that addresses, at a minimum, the committee’s purpose, scope of authority and responsibilities, meeting frequency, and committee membership, including appointment and removal procedures.
  2. Document decision-making. Establish and consistently use internal recordkeeping procedures for all fiduciary decisions and actions taken regarding the plan. For example, the fiduciary committee should take minutes during all meetings to reflect the topics discussed and the reasoning behind its decisions. Clear documentation of the decision-making process promotes transparency and becomes critical if a plan is audited or sued.
  3. Mindfully negotiate and monitor service provider contracts. Health and welfare plan fiduciaries may want to establish and use prudent processes when selecting service providers. For example, the fiduciary might request proposals from multiple service providers to assess whether the terms are appropriate for the current market. Once a service provider is selected, the fiduciary is wise to stay updated on all contracts and operations regarding the plan to ensure the terms are written and performed in the best interest of plan participants and beneficiaries. Fiduciaries may also reassess and re-negotiate fees when appropriate.
  4. Ensure plan expenses are reasonable. The fiduciary has a duty to ensure plan expenses are reasonable, including any compensation paid to experts and third-party service providers.
  5. Conduct an internal audit. ERISA requires certain employee benefit plans to submit to an annual independent audit, a report of which is filed with the Department of Labor. However, some welfare plans are excluded from this requirement, such as plans that covered fewer than 100 participants at the beginning of the plan year and are fully insured, unfunded, or a combination of fully insured and unfunded. Regardless of whether an audit is required, voluntarily conducting an independent audit facilitates proper plan governance and often helps identify opportunities to improve compliance.

For questions, please contact a Jackson Lewis Employee Benefits Practice Group member or the Jackson Lewis attorney with whom you regularly work.

With just a couple of weeks before election day, the Biden Administration announced on October 21, 2024, that it was issuing proposed rules designed, in part, to require health plans to cover over-the-counter contraception without cost sharing, including birth control, the morning-after pill, and the male condom.  The proposed rules are the latest in a series of pronouncements that post-date the Dobbs decision overturning Roe v. Wade, which are aimed at providing access to reproductive health.  However, the tri-agencies’ earlier reproductive health guidance has been subject to a legal challenge, with a pending request for review by the Supreme Court.  Time will tell how these efforts to mandate contraception coverage without cost-sharing will be resolved.

At the heart of the guidance is the Affordable Care Act’s preventive care mandate, which in part requires non-grandfathered group health plans and issuers offering group health insurance coverage to cover, without cost-sharing, both preventive items or services, including those rated “A” or “B” by the United States Preventive Services Task Force (PSTF), and preventive care and screenings for women not recommended by PSTF, but that are included in guidelines issued by the Health Resources and Services Administration (HRSA).

To further this preventive services mandate and with reference to the HRSA’s most recent Women’s Preventive Services Guidelines that “recommends that adolescent and adult women have access to the full range of contraceptives and contraceptive care to prevent unintended pregnancies and improve birth outcomes” and now omits any reference to prescribed contraception, the proposed rule in part:

  • Requires non-grandfathered health plans and health insurance issuers to cover, without cost-sharing and without a prescription, the cost of all types of contraception, including the first-ever Food and Drug Administration (FDA) approved over-the-counter birth control pill.  This is a significant step from prior guidance that required a prescription;
  • Mandates disclosures to covered persons so they are aware and can take full advantage of the newly available coverage; and
  • Enhances the “exceptions process” for medical management techniques whereby coverage can be sought for preventive health items or services that generally are not covered by the plan if the individual’s provider determines it is medically necessary for an individual.

If finalized, the proposed rule would impose new administrative processes on employer-sponsored plans, mandate employee disclosures, and require plan amendments.  The government recognizes that the proposed rule has the potential to drive up the cost of contraception and is likely to impact the gross premiums and out-of-pocket costs of all covered persons, even those who do not obtain over-the-counter contraception.  Therefore, in lieu of also implementing other over-the-counter coverage mandates it is evaluating, such as coverage for tobacco cessation products, the proposed rule takes an incremental approach to guidance, starting only with the contraception mandate. 

The proposed rule is the latest in a series of guidance issued by the Biden Administration following the Dobbs decision that may get folded into impending legal challenges.  Those challenges focus on the authority of the PSTF that is issuing these preventive service mandates. 

Specifically, prior preventive care guidance, which includes mandatory coverage for prescribed contraception, HPV vaccines, and drugs preventing the transmission of HIV, has been challenged under the Administrative Procedure Act.  The assertion is that those serving on the PSTF and issuing these preventive care mandates are “principal officers” of the United States who have not been validly appointed under the Appointments Clause of Article II of the Constitution.  As a result, the challengers assert that the preventive care mandates the PSTF has issued are unlawful.  These arguments have gained traction in the courts.  A petition for a writ of certiorari filed by the Biden Administration on September 19, 2024, is still pending before the Supreme Court.  It is unclear whether the Supreme Court will agree to hear the case. 

Employer-sponsored health plans, therefore, are in a holding pattern to see how these reproductive health mandates will resolve.  In this particularly partisan environment, employers should be on the lookout for forthcoming guidance. 

The Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

Our “health plan hygiene” series has focused on steps that fiduciaries of employer-sponsored group health plans can take to ensure they meet their fiduciary responsibilities.  This issue has been brought to the forefront recently due to a wave of class action lawsuits that have been brought against group health plan fiduciaries.  In our last post, we discussed the importance of a thorough RFP process and an overview of important contractual provisions.  This post will address the issue at the center of those class action lawsuits:  the fees.   

Third-Party Vendor Fee Arrangements

Health plan fiduciaries have the duty to ensure that the fees paid to third-party vendors are reasonable.  This can feel like an overwhelming task because health plans, especially self-insured health plans, can hire multiple third-party vendors to keep the plan running.  For example, third-party administrators (“TPAs”), network providers, repricing servicers, claims auditors, pharmacy benefit managers (“PBMs”), telehealth providers, and behavioral health providers may all be involved in the administration of a single health plan.  

Health plan fiduciaries should educate themselves on the potential pricing methods and fee arrangements with each of the third-party service providers.  For example:

  • “Bundled” Services and Fee Arrangements Because of the seemingly endless number of third-party vendors that may be required for health plan administration, fiduciaries will often rely on one TPA to manage and contract with the other third-party vendors.  While this can ease the burden of tracking multiple vendors, it remains the fiduciaries’ duty to ensure that the fees are reasonable for each vendor.  That means that the fiduciaries must understand the services provided by each vendor, and the fees charged by each vendor.  Fiduciaries should not rely on the TPA to manage the overall fees or to provide one total billed amount for all vendors without a breakdown.
  • Pharmacy Benefit Managers.  The recent class action lawsuits have focused heavily on PBM fees.  PBM fee structures have historically been complex and not particularly transparent, so it is essential that plan fiduciaries understand PBM pricing models. 
    • Pass-Through Pricing.  Under the pass-through pricing model, the PBM charges the plan the drug acquisition cost (the amount paid to the drug manufacturer).  Any negotiated rebates are also passed through to the plan.  The PBM receives compensation from the plan via a per-employee or per-month rate to the plan.  Proponents of the pass-through pricing model argue that pass-through pricing provides the most transparency and consistency for the plan.
    • Spread Pricing.  Under the spread pricing model, the PBM and the plan set the price that the plan pays for prescription drugs by reference to a specific benchmark price.  The PBM then negotiates a lower price with the drug manufacturer, and the PBM receives compensation on the difference (the “spread”) between the PBM’s acquisition cost and the benchmark price.  PBMs in this arrangement are financially motivated not to make formulary decisions based on which drugs have the lowest cost to the plan and beneficiaries but rather based on which drugs have the most significant spread.
    • Rebates.  PBMs negotiate rebates from drug manufacturers. The PBM may keep all or a portion of the rebate instead of paying the rebate back to the plan. 
  • Brokers Fiduciaries will often hire brokers to help identify and retain service providers for a health plan.  Brokers can provide an important service.  However, some brokers enter into commission or other compensation arrangements with service providers.  It is essential that plan fiduciaries are aware of any compensation or commission arrangements between a broker and other third-party vendors to ensure that the broker is providing the best objective recommendations, not recommendations motivated by financial gain. 

Potential Impacts

Recent class actions have highlighted the complexities and potential liabilities associated with third-party vendor fees. It is essential that fiduciaries be well informed about current third-party vendor contracts or agreements, including their termination or renewal periods. These periods can offer opportunities to reassess and renegotiate fees.

As your representative, the Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance, especially when selecting service providers. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

A health plan’s fiduciaries are responsible for administering the health plan.  Because most employers are not in the business of administering health benefits, they outsource the day-to-day health plan administration to a third-party health plan administrator (TPA).  This outsourcing does not mean the employer is off the hook for its fiduciary obligations under ERISA.  Even the evaluation and selection of a TPA is itself a fiduciary act, and employers must follow a prudent process.

Below, we provide information for employers regarding selecting, evaluating, and contracting with a TPA:

Rely on the Experts

Just as most employers are not in the business of administering health benefits, most employers are not in the business of evaluating and selecting TPAs.  To help ensure this process complies with ERISA’s fiduciary duties, employers often rely on a broker or consultant and legal counsel.  Brokers and consultants will identify TPAs that are appropriate for the employer’s size, industry, and location, provide guidance regarding the reasonableness of the TPA’s fees, and help with fee negotiation.  Legal counsel will help the fiduciary with legal compliance and contract negotiation. 

Conduct a Request for Proposal

The broker/consultant and legal counsel will help conduct a request for proposal (RFP) for a TPA.  The RFP will invite potential TPAs to submit bids and information regarding the health plan’s administration.  With the RFP, the fiduciary should: 

  • Invite several providers to respond to the request for proposal;
  • Prepare specific questions that are relevant and important to the plan’s administration;
  • Make sure the TPA’s fees are reasonable;  
  • Request sample contracts to identify any “dealbreaker” provisions; and
  • Identify potential internal conflicts that could taint the process (e.g., TPAs with other relationships with the employer). 

Thorough Review and Negotiation of Services Agreement

The employer should select a potential TPA well before the implementation date so that there is time for legal counsel and the broker/consultant to negotiate the services agreement and fees and, if necessary, select an alternate TPA if the negotiations fall apart.  Key contractual provisions include: 

  1. Indemnification provisions.  TPAs expect plan fiduciaries to indemnify the TPA against third-party claims, losses, or suits based on the services provided by the TPA to the plan and the participants.  However, the plan fiduciaries should not indemnify the TPA for claims based on the TPA’s negligence, misconduct, or fiduciary breach.  Instead, the TPA should be liable for any claims based on the TPA’s “bad actions,” and the TPA should indemnify the plan against those claims.    
  2. Accepting fiduciary responsibility.  If the TPA is authorized to interpret the plan provisions, for example, if the TPA is delegated the authority to handle claims and appeals under the plan, the TPA is acting as a fiduciary under ERISA.  In that case, the services agreement should expressly state that the TPA acknowledges its fiduciary status. 
  3. Audit rights.  Reserving the right to audit the TPA’s performance under the service agreement is important.  Beware of onerous restrictions on “claims” audits.  To avoid negative findings in audit reports, some service providers limit the number of audits a plan sponsor may undertake, establish long notice periods, or, in extreme cases, provide an exclusive list of auditors or prohibit certain auditors from conducting audits.    
  4. Termination provisions. ERISA generally prohibits fiduciaries from entering into contracts that cannot be terminated without substantial penalties or within a reasonable period. The service agreement should give the employer the flexibility to terminate. 
  5. Claims litigation. Make sure the agreement clearly states which party will handle claims litigation and which party will indemnify the other for any damages.      

Measure Twice, Cut Once

The process of selecting and contracting with a new TPA can seem overwhelming, time-consuming, and exhausting. However, taking the proper steps to ensure that the process is completed in accordance with ERISA’s fiduciary duties can save employers from costly mistakes.  

The Jackson Lewis Employee Benefits Practice Group members can assist if you have questions or need assistance. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.

A little more than three years ago, the U.S. Department of Labor (DOL) posted cybersecurity guidance on its website for ERISA plan fiduciaries. That guidance extended only to ERISA-covered retirement plans, despite health and welfare plans facing similar risks to participant data.

Last Friday, the DOL’s Employee Benefits Security Administration (EBSA) issued Compliance Assistance Release No. 2024-01. The EBSA’s purpose for the guidance was simple – confirm that the agency’s 2021 guidance generally applies to all ERISA-covered employee benefit plans, including health and welfare plans. In doing so, EBSA reiterated its view of the expanding role for ERISA plan fiduciaries relating to protecting plan data:

“Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”

In 2021, we outlined the DOL’s requirements for plan fiduciaries here, and in a subsequent post discussed DOL audit activity that followed shortly after the DOL issued its newly minted cybersecurity requirements.

As noted in our initial post, the EBSA’s best practices included:

  • Maintain a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Implement a reliable annual third-party audit of security controls.
  • Follow strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.

Indeed, the substance of the guidance is largely the same, as indicated above, and still covers three areas – Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips (for plan participants). What is different are some of the issues raised by the new plans to which the expanded guidance applies – health and welfare plans. Here are some examples.

  • The plans covered by the DOL’s guidance. As noted, the DOL’s cybersecurity guidance now extends to health and welfare plans. This includes plans such as medical, dental, and vision plans. It also includes other familiar benefit plans for employees, including plans that provide life and AD&D insurance, LTD benefits, business travel insurance, certain employee assistance programs and wellness programs, most health flexible spending arrangements, health reimbursement arrangements, and other benefit plans covered by ERISA. Recall that an “employee welfare benefit plan” under ERISA generally includes:

“any plan, fund, or program…established or maintained by an employer or by an employee organization…for the purpose of providing for its participants or their beneficiaries, through the purchase of insurance or otherwise…medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, death or unemployment, or vacation benefits, apprenticeship or other training programs, or day care centers, scholarship funds, or prepaid legal services.”

A threshold compliance step for ERISA fiduciaries, therefore, will be to identify the plans in scope. However, cybersecurity should be a significant compliance concern for just about any benefit offered to employees, whether covered by ERISA or not.

  • Identifying service providers. It is tempting to focus on a plan’s most prominent service providers – the insurance carrier, claims administrator, etc. However, the DOL’s guidance extends to all service providers, such as brokers, consultants, auditors, actuaries, wellness providers, concierge services, cloud storage companies, etc. Fiduciaries will need to identify what individuals and/or entities are providing services to the plan.
  • Understanding the features of plan administration. The nature and extent of plan administration for retirement plans as compared to health and welfare plans is often significantly different, despite both being covered by ERISA, which imposes a similar set of compliance requirements on each. For instance, retirement plans tend to collect personal information only about the employee, although there may be a beneficiary or two. Health and welfare plans, particularly medical plans, however, often cover an employee’s spouse and dependents. Additionally, for many companies, different groups of employees monitor retirement plans versus health and welfare plans. And, of course, more often than not, there are different vendors servicing these categories of employee benefit plans.
  • What about HIPAA? Since 2003, certain group health plans have had to comply with the privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The DOL’s cybersecurity guidance, however, raises several distinct issues. First, the DOL’s recent pronouncements concerning cybersecurity are directed at fiduciaries, who as a result may need to take a more active role in compliance efforts. Second, obligations under the DOL’s guidance are not limited to group health plans or plans that reimburse the cost of health care. As noted above, popular benefits for employees such as life and disability benefits are covered by the DOL cybersecurity guidance, not HIPAA. Third, the DOL guidance appears to require greater oversight and monitoring of plan service providers than HIPAA requires of business associates. In several places, the Office for Civil Rights’ guidance for HIPAA compliance states that covered entities are not required to monitor a business associate’s HIPAA compliance. See, e.g., here and here.

The EBSA’s Compliance Assistance Release No. 2024-01 significantly expands the scope of compliance for ERISA fiduciaries with respect to their employee benefit plans and cybersecurity, and by extension the service providers to those plans. Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries’ and plan sponsors’ trusted counsel and other advisors.