DOL Plan Audits Updated to Include Several Questions About Compliance with Its Cybersecurity Guidelines

In April, we posted about the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issuing cybersecurity guidance for employee retirement plans. That is, April 14, 2021. Shortly thereafter, the DOL updated its audit inquiries to include probing questions for plan fiduciaries about their compliance with “hot off the press” agency guidelines.

So, what do those inquiries look like?

In short, the DOL is asking plan sponsors to produce:

all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan

For plan fiduciaries that are new to cybersecurity and have not received a DOL audit in the last few months, it may not be clear what documents or materials the DOL is expecting. The DOL fleshes out its general inquiry with a laundry list of items. Here are some examples of those more specific requests:

  • All policies, procedures, or guidelines relating to such things as:
    • The implementation of access controls and identity management, including any use of multi-factor authentication
    • The processes for business continuity, disaster recovery, and incident response.
    • Management of vendors and third party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
    • Cybersecurity awareness training.
    • Encryption to protect all sensitive information transmitted, stored, or in transit.

The list above is not complete, but it makes clear the DOL is looking for information about what plan fiduciaries are doing to safeguard their own information and systems to address privacy and security, not just that of their service providers. Some plan fiduciaries might be wondering what should policies, procedures, or guidelines look like to protect plan data. There are many frameworks to consider when adopting reasonable safeguards. Examples include guidance published by the National Institute of Standards and Technology, the New York SHIELD Act, the Massachusetts data security regulations, the privacy and security standards under HIPAA, etc.

In addition to policies, procedures, and guidelines summarized above, the DOL also seeks in its audit request copies of other materials, some of which are listed below.

  • “All documents and communications relating to any past cybersecurity incidents.”

So, evidently, the DOL would like to discover whether the plan had a prior cybersecurity incident. It is unclear whether this request refers only to “breaches of security” or similar terms as defined under state breach notification laws which require notification, or mere “incidents” that do not rise to the level of a reportable breach.

  • “All documents and communications describing security reviews and independent security assessments of the assets or data of the Plan stored in a cloud or managed by service providers.”

Here the DOL makes a distinction between plan “assets” and plan “data,” seeking security reviews and assessments relating to both. Recent litigation called into question whether plan data could be considered a “plan asset.” In one of the most recent cases, Harmon v. Shell Oil Co., 2021 WL 1232694 (S.D. Tex. Mar. 30, 2021), the U.S. District Court for the Southern District of Texas rejected the argument that plan assets include plan data.

  • “All documents describing security technical controls, including firewalls, antivirus software, and data backup.”

An important note here is that it may not be enough to say, “we are doing this,” or “we have implemented antivirus and firewalls to protect our information systems.” The DOL is looking for documents that describe those safeguards and controls.

  • “All documents and communications from service providers relating to their cybersecurity capabilities and procedures.”
  • “All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data.”
  • “All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services.”

The DOL would like to see how plan fiduciaries are communicating with their service providers to assess service provider cybersecurity risk, as well as the documents and other materials from service providers concerning the processing of plan data. Importantly, the DOL is not just looking for cybersecurity related information. The agency apparently wants to know how service providers are permitted to use plan data. Plan fiduciaries will want to think carefully about their current practices, including their communications, when selecting and working with service providers.

No plan fiduciary wants to experience a DOL audit of their retirement plans, or any other audit for that matter. But cybersecurity clearly is a new and important area of interest for the DOL and plan fiduciaries need to be prepared to respond. Feel free to contact us if you would like to discuss audit readiness concerning cybersecurity for your plans.

The IRS Adds Helpful New Features to Its Correction Program

Every few years, the IRS enhances its popular correction program for qualified retirement plans (the Employee Plans Compliance Resolution System, or EPCRS) to continue to encourage plan sponsors to correct any plan failures and bring their plans into compliance.  Revenue Procedure 2021-30 reflects this latest enhancement of IRS correction guidance.  Here is a summary of some of its helpful changes:

Anonymous Submissions.  The IRS will replace its anonymous Voluntary Correction Program (VCP) submission process with a no-fee VCP pre-submission conference, effective January 1, 2022.  Many practitioners already bypass the cumbersome anonymous VCP submission process by having informal discussions about a proposed correction with IRS VCP staff before deciding whether to use the VCP.  The new revenue procedure entirely eliminates the anonymous VCP submission in favor of an anonymous no-fee pre-submission conference.  The sponsor’s representative will receive verbal feedback from the IRS about the failure and proposed correction method.  Although the new, less formal process is helpful, there are drawbacks — the pre-submission conferences are granted at the IRS’s discretion and the guidance is advisory and non-binding.

Self-correction — Extended Correction Period for Significant Failures.  The Self-Correction Program (SCP) allows plan sponsors to correct significant operational failures without filing with the IRS, but only until the end of the second plan year following the plan year in which the failure occurred.  After that, the sponsor would have to correct the failure under the VCP.  The new revenue procedure extends the SCP deadline for significant operational failures until the end of the third plan year following the year in which the failure occurred.  (Most insignificant failures can still be self-corrected at any time.) It also extends by three years (until December 31, 2023), the period during which certain “elective deferral failures” in plans with an automatic contribution features are correctable without requiring the employer to make contributions for “missed deferrals” on behalf of affected participants.  This popular safe harbor provision for plans with automatic contributions was originally set to expire on December 31, 2020.

Plan Amendments Under SCP.  The new revenue procedure also relaxes the rules about when a plan sponsor may use the SCP to correct certain failures by retroactive plan amendment.  Under Rev. Proc. 2021-30, self-correction by retroactive plan amendment is available if the amendment increases a benefit, right, or feature in the plan, even if the amendment does not apply to all employees eligible to participate in the plan (as was previously required to use the SCP).

Recoupment of Pension Plan Overpayments.  Certain operational failures cause overpayments to participants, and plan sponsors may find it difficult or unpleasant to recoup those payments.  Under the new guidance, the IRS clarifies and expands the options for recoupment available to defined benefit plan sponsors.

Although plan sponsors may have wished for more, these changes to the IRS correction program are welcome and likely to be highly utilized.  The Employee Benefits group at Jackson Lewis remains available to help navigate the new guidance and any other retirement plan issues that may arise.   Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

PBGC Issues Interim Rule On Multiemployer Pension Bailout; Impact On Employers Unclear

On July 9, 2021, the PBGC issued its interim final rule (the “Rule”) on the process for eligible troubled Multiemployer Pension Plans (“MEPPs”) to apply for and obtain Special Financial Assistance (“SFA”) under the American Rescue Plan Act of 2021 (“ARPA”). The Rule was posted on PBGC’s website and became effective as guidance on July 9, 2021.

The PBGC expects the SFA to directly (via the restoration of previously reduced benefits) and indirectly (by providing enhanced retirement security) help more than three million MEPP participants and beneficiaries. PBGC’s multiemployer insurance program is also expected to prosper; more than 100 plans that would have otherwise become insolvent during the next 15 years will instead forestall insolvency as a direct result of receiving SFA.  More…

Butch Lewis Brings No Good News for Contributing Employers

In the clamor that surrounded the current administration’s adoption of the American Rescue Act of 2021 (ARPA), quietly tucked in as Subtitle H is the Butch Lewis Emergency Pension Plan Relief Act of 2021 (Butch Lewis). Butch Lewis has been unsuccessfully bouncing around Congress since 2019. While Butch Lewis is long on rhetoric, at this juncture it is lacking in details or controls.  Pension Benefit Guarantee Corporation (PBGC) regulations will be issued sometime in July. In the interim, it is important for employers to remain vigilant about actions by the PBGC.

As currently structured, Butch Lewis is a “logical” successor to Congress’ previously flawed efforts to “cure” the funding ills of the multi-employer benefit system. Those efforts began in 1980 with Congress’ passage of the Multi-employer Pension Plan Amendments Act of 1980 (MPPAA) and has continued through the passage of the Multiemployer Pension Reform Act of 2014 (MPRA).  More…

Musings of Retirement Plan Fiduciaries on Cybersecurity: Episode One

By now, plan fiduciaries and their service providers likely have heard about the DOL’s cybersecurity guidance. The Department of Labor’s stepping into cybersecurity in this way – a posting of best practices on the agency’s website – has left plan fiduciaries with some questions. Here are a few:

  • “When is this effective?”
  • “Does this apply to me?”
  • “Could I be liable if a service provider has a data breach?”
  • “We are halfway through the term of our services agreement with our recordkeeper, do we need to do something now?”
  • “This is IT’s problem, right?”
  • “What exactly do we have to do to be ‘prudent’?”
  • “Do we have to communicate anything to plan participants?”
  • “If our service provider had a data breach, do we have to terminate the relationship?” “What factors should we considering in making that decision?”

So, what are plan fiduciaries actually thinking? Fortunately, we’ve been able to obtain snippets of conversations between plan fiduciaries that may provide some insight into that question. Here is our first installment, and, of course, we redacted the text to protect the privacy of the individuals.

Retirement Plan Committee Chair: So, what did you think of your first retirement plan committee meeting?

New Committee Member: Well it sounds like it will be really interesting…though, I’m a little bit nervous about the personal responsibility part and I’m not much of a technology person. I keep hearing about these breaches in the news, ransomware, you know, and I was one of the people on the gas line due to the Colonial Pipeline incident.

Retirement Plan Committee Chair: I know what you mean. During the time we were out of the office for COVID, if it weren’t for my 13-year-old, I don’t think I would have been able to get onto any conference calls! But I think we have a good team and good procedures. There is a fiduciary training coming up and I believe they will cover this.

New Committee Member: Yea, that will be good. I am not sure I know all the service providers we have for the plans. We spoke a lot about the 401(k) plan’s recordkeeper tonight, are there others?

Retirement Plan Committee Chair: That is a good question. We definitely will need to identify all of our service providers, particularly those handling plan data. I know we have an auditor, and then there is our investment advisory firm…

New Committee Member (interrupting): …and what about the financial wellness vendor?

Retirement Plan Committee Chair: Yes, them too. Well, we should probably regroup after the training and come up with a plan. I have to run, see you next week.

New Committee Member:  OK, bye.

It looks like this organization takes its retirement plan administration seriously and has some thoughtful people on the team. Retirement committees generally are not required under ERISA but they can be a valuable tool for organizing the administrative responsibilities of an employee benefit plan.

Getting more educated on “cybersecurity” is a good initial step for a committee or plan fiduciaries generally. Done right, training will help fiduciaries better understand the threats and vulnerabilities to data generally (not just from criminal hackers) and gain more insight into the DOL’s best practices. Such training also can help plan fiduciaries (and personnel on virtually all levels of plan administration) appreciate more of the ways data may be accessed or transmitted in the course of operating a plan. Looking at plan operations from that perspective, where data lives and how it moves, can help plan fiduciaries identify the service providers they need to be thinking about.

Perhaps the most important nugget from the exchange above for addressing the DOL’s guidance is from the Retirement Plan Committee Chair – come up with a plan!

Multiemployer Pension Plan Reform/Bailout May Be Greater Than Expected; Guidance Still Forthcoming

The Emergency Pension Plan Relief Act of 2021 (EPPRA), enacted as part of the American Rescue Plan Act of 2021 (ARPA), contained unprecedented financial relief for the most troubled multiemployer pension plans (MEPPs). The MEPPs community is eagerly awaiting guidance from the Pension Benefit Guaranty Corporation (PBGC) on the requirements for MEPPs to apply for the special financial assistance under the ARPA. New Section 4262(c) of ERISA provides that the PBGC will issue this guidance no later than 120 days after enactment or by July 9, 2021. Also, more guidance is anticipated on the impact of this funding windfall on employer’s obligations for withdrawal liability.

In the interim, the Congressional Research Service (CRS) (Multiemployer Defined Benefit Pension Plans Potentially Eligible for Special Financial Assistance Under the American Rescue Plan Act (congress.gov)) indicated that both the universe of plans potentially eligible for ARPA relief and the amount of such relief may be greater than initially anticipated. For example, just one MEPP, the Central States, Southeast & Southwest Areas Pension Plan, reported a funding shortfall of approximately $43.6 billion. While there is no specific amount appropriated under the new law, pre-enactment projections estimate expenditures to qualifying plans of approximately $86 billion. The CRS’s report, issued on May 28, 2021, indicates that the $86 billion figure may be overly optimistic. The number of MEPPs eligible for assistance and the actual amount of assistance may well exceed original estimates. We are closely monitoring how this expansive federal assistance program might provide some relief to contributing employers.

As with most aspects of the ARPA multiemployer subsidy, a myriad of questions remains unanswered. We will report future developments as they occur; please contact the authors with any questions in the interim.

Incentives: From Water Bottles to “Not so Substantial”

For years (and we do mean years), the EEOC has waffled about whether incentives were permissible in connection with a medical inquiry under a voluntary wellness program.  Friday, the EEOC issued its most recent pronouncement on the topic, this time related to incentives for COVID-19 vaccinations.

The ADA prohibits employers from requiring medical examinations or making “disability-related inquiries” except in very limited circumstances.  One such exception is in the case of a voluntary wellness program.  But it has never been clear what voluntary means in this situation. Is it voluntary if an incentive is provided?

A Brief Primer on Incentives and “Voluntary” Wellness Programs Under The ADA

The EEOC stated its position on voluntariness in 2000, in its Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees Under the Americans with Disabilities Act: a wellness program is “voluntary” as long as an employer “neither requires participation nor penalizes employees who do not participate.”  In 2014, the EEOC sued several employers claiming they had crossed the line in terms of when a penalty connected with a wellness plan makes the wellness plan involuntary.  But in oral argument the EEOC refused to identify what the particular line was. See Court Denies EEOC’s TRO Motion Seeking to Halt Employer’s Wellness Program | Benefits Law Advisor

In other contexts, the Affordable Care Act (ACA) permitted incentives, significant incentives, under group health plans. The other federal agencies, the IRS, HHS, and DOL issued joint implementing regulations for such programs.  Acknowledging congressional intent for some form of incentivized wellness programs, the EEOC then issued regulations which generally allowed employers to offer an incentive of up to 30% of the total cost of self-only insurance coverage.  But, its rules were quickly challenged in the United States District Court for the District of Columbia.  The court ordered the incentive provisions vacated, concluding the EEOC did not provide sufficient reasoning to justify the incentive limit adopted, even though the limit was largely based on the ACA’s approach.  As a result, the EEOC revised the regulations by removing the section permitting incentives, but leaving in place the remaining portions:

An employee health program that includes disability-related inquiries or medical examinations (including disability-related inquiries or medical examinations that are part of a health risk assessment) is voluntary as long as a covered entity:

(i)     Does not require employees to participate;

(ii)    Does not deny coverage under any of its group health plans or particular benefits packages within a group health plan for non-participation, or limit the extent of benefits (except as allowed under paragraph (d)(3) of this section) for employees who do not participate;

(iii)   Does not take any adverse employment action or retaliate against, interfere with, coerce, intimidate, or threaten employees within the meaning of Section 503 of the ADA, codified at 42 U.S.C. 12203; and

(iv)    Provides employees with a notice that:

(A) Is written so that the employee from whom medical information is being obtained is reasonably likely to understand it;

(B) Describes the type of medical information that will be obtained and the specific purposes for which the medical information will be used; and

(C) Describes the restrictions on the disclosure of the employee’s medical information, the employer representatives or other parties with whom the information will be shared, and the methods that the covered entity will use to ensure that medical information is not improperly disclosed (including whether it complies with the measures set forth in the HIPAA regulations codified at 45 CFR parts 160 and 164).

29 CFR 1630.14(d)(2).  See Has the Grinch Stolen Wellness Plans this Christmas? | Disability, Leave & Health Management Blog (disabilityleavelaw.com)

Then in January of this year the EEOC proposed new regulations allowing only de minimis incentives, unless the wellness program was connected to a group health plan.  See Wellness Programs and Water Bottles, the EEOC Proposes New Rules under the ADA and GINA | Benefits Law Advisor

To help guide employers on “voluntariness,” the agency provided examples of what would and would not meet the test. For what would be considered de minimis, the EEOC provided two examples: a water bottle or gift card of modest value. A quick online search reveals an approximate price range for water bottles is between $5 and $50. On the other end of the voluntariness continuum, the EEOC observed that charging an employee $50 per month more for health insurance (or, the “carrot” approach, offering a $50 per month reduction in the charge for health insurance, either way totaling $600 per year), would be too great an incentive and violate the ADA.  Similarly, paying for an employee’s annual gym membership or rewarding an employee with airline tickets would be considered more than de minimis. Of course, these examples provide little insight about the incentive’s value.  So, assuming a $25 or even $50 gift card would meet the “a water bottle or gift card of modest value” test, and $600 incentive clearly would not, what about incentives with a value in the middle, say $100? It is worth noting that the EEOC’s proposed rule would permit more liberal incentives for wellness programs structured as part of a group health plans, provided they follow the ACA rules referenced above.

Unfortunately, these proposed regulations were quickly pulled back under the new administration, leaving once again a black hole in terms of what, if any, incentive an employer could provide in connection with voluntary disability-related medical inquiries or medical examinations in connection with a voluntary wellness program.

New “Very Large” and “So Substantial” Guidance

Last week the EEOC updated the technical assistance it maintains on its website with respect to COVID-19 issues.  See EEOC UPDATES ITS GUIDANCE ON VACCINATIONS | Disability, Leave & Health Management Blog (disabilityleavelaw.com)  The EEOC, which had already opined that the pre-vaccination screening questions may be a disability-related medical inquiry, stated that if an employer offers to vaccinate employees on a voluntary basis, the employer does not have to show the pre-vaccination screening questions are job-related and consistent with business necessity. “However, the employee’s decision to answer the questions must be voluntary.”   The EEOC then went on to explain what type of incentive could be offered in connection with vaccination provided by the employer or its agent.  According to the EEOC, the incentive (which includes both rewards and penalties) must not be “so substantial as to be coercive.”  “[A] very large incentive could make employees feel pressured to disclose protected medical information.”  Although this particular guidance is related to COVID-19, presumably the same analysis would apply to other voluntary inquiries where employers seek to take advantage of the voluntary wellness program exception.

While it is nice to see some explanation as to the EEOC’s position on this topic, the EEOC’s language: “not so substantial as to be coercive” or not “very large” as to make employees feel pressured, is certainly not the epitome of clarity.  What does “substantial” or “very large” mean in practice?  Does it allow more than a water bottle?  The EEOC did not provide examples this time, presumably because it is being pulled in two directions.  On the one hand the government has made clear that it does not want to say anything that would discourage vaccinations (and is also looking to encourage vaccinations), at the same time what it says here may be used in other settings with respect to wellness programs.

Incentives Related to the COVID-19 Vaccine

The good news for employers, at least with respect to incentives offered in connection with COVID-19 vaccinations, is that the EEOC has stated that merely asking whether an employee has been vaccinated is not a disability-related medical inquiry under the ADA and, therefore, does not need to meet the voluntary wellness program exception.  The EEOC made this clear in its guidance last week: “Requesting documentation or other confirmation showing that an employee received a COVID-19 vaccination in the community is not a disability-related inquiry covered by the ADA.  Therefore, an employer may offer an incentive to employees to voluntarily provide documentation or other confirmation of a vaccination received in the community.”

However, if the employer is offering the vaccine or having an agent offer the vaccine, the pre-vaccination inquiries may be disability-related medical inquiries. In that case, the incentive offered must comply with the voluntary wellness program regulations.  In that regard, the EEOC reiterated that the amount of the incentive is not the only issue of compliance with respect to vaccinations offered by employers or its agents.  In order to be voluntary, the “ADA prohibits taking an adverse action against an employee, including harassing the employee, for refusing to participate in a voluntary employer-administered vaccination program.  An employer also must keep any medical information it obtains from any voluntary vaccination program confidential.”  Indeed, presumably, all of the requirements of 29 CFR 1630.14(d)(2) (referenced above) continue to apply.

Some employers also have expressed interest in incentivizing employees’ family members to get the vaccine. The EEOC’s recent COVID-19 technical assistance addressed this as well. Remember that under the Genetic Information Nondiscrimination Act, family medical history information, in general, constitutes genetic information of the employee. As a result, the EEOC’s guidance confirmed that an employer may not offer an incentive to an employee in return for an employee’s family member getting vaccinated by the employer or its agent because the pre-vaccination questions of a family member would constitute family medical history of the employee. However, employers may offer an incentive to employees to provide documentation or other confirmation that their family members received a vaccination from their own health care provider.

The years long battle over what is and is not an appropriate incentive in connection with voluntary medical inquiries or wellness programs is far from over.  To avoid “very large” penalties of their own, employers should consult with counsel whenever they are designing a wellness program with incentives (carrots or sticks) attached.

IRS Provides Clarity on ARPA COBRA Subsidy Impact on State “Mini-COBRA” Plans

In our most recent summary of IRS Notice 2021-31, we noted the Internal Revenue Service provided much-needed clarity to looming compliance challenges as employers, insurers, and others race to implement the applicable COBRA premium subsidy provisions of the American Rescue Plan Act of 2021 (ARPA).  While there are many other important clarifications made by the Notice, the substance of this alert focuses mainly on issues related to employers subject to state health continuation coverage laws, otherwise referred to in the guidance as “State mini-COBRA” requirements.

State continuation coverage requirements are not “COBRA” requirements per se, meaning they are not included as part of the Consolidated Omnibus Budget Reconciliation Act of 1985 (otherwise known as “federal COBRA”).  State continuation coverage generally only applies when employers have less than the 20 employee minimum threshold required for federal COBRA to apply or provide coverage for a period exceeding the maximum coverage period provided for under federal COBRA.  Nonetheless, ARPA included “comparable state continuation coverage” within the definition of “COBRA continuation coverage” that is subject to subsidy requirements under ARPA Section 9501.  Until issuing the most recent IRS Notice, there had been some ambiguity about what state continuation coverage programs would be subject to ARPA’s subsidy requirements, or when they were “comparable” to federal COBRA for subsidy eligibility purposes.

Following the Q&As provided in Notice 2021-31, we now know:

  • Generally, the criteria to be an “assistance eligible individual” for ARPA COBRA subsidy eligibility purposes applies equally to plans regardless of whether they are subject to federal COBRA or State mini-COBRA —in both cases, an individual must have previously qualified for federal COBRA or comparable state continuation coverage based on an involuntary termination or reduction in hours and not be eligible for other group coverage or Medicare.
  • Q/A-61 clarifies that the state continuation coverage need not be equal to or exceed the federal COBRA mandates to be “comparable”. The period of state continuation coverage can be significantly less than the maximum federal COBRA period (the example uses a period of just 6 months), and the underlying coverage can allow for coverage for individuals who differ from those entitled to coverage under federal COBRA.
  • State continuation coverage that exceeds the federal COBRA coverage period can still qualify for the ARPA subsidy if the individual was previously enrolled and became eligible for continuation coverage due to an involuntary termination or a reduction in hours (Q/A-17). This is true even in states like New York and Connecticut that provide for state continuation coverage after federal COBRA coverage has been exhausted.
  • Unlike federal COBRA, however, unless the applicable state provides its own extended enrollment opportunity, an individual who previously declined to enroll in State mini-COBRA coverage does not have an extended election opportunity to enroll in COBRA continuation coverage under ARPA, even if they otherwise would qualify as an assistance eligible individual (Q/A-52). The subsidy, therefore, is generally only available for individuals who have either already elected and are paying for state continuation coverage or, who are newly eligible during the ARPA COBRA subsidy period.
  • Employers who voluntarily offer health continuation coverage not mandated under federal COBRA or a covered state continuation plan do not have to provide ARPA COBRA subsidized coverage (Q/A-15). Neither are those employers allowed to claim the ARPA subsidy associated tax credit.  Such voluntary extensions of coverage are common for domestic partners and children of domestic partners who are not considered qualified beneficiaries under federal COBRA or other State mini-COBRA requirements.
  • Although State mini-COBRA requirements may allow for coverage of individuals who are not considered qualified beneficiaries under federal COBRA (e.g., domestic partners and children of domestic partners who are not qualifying dependents of the employee under current IRS definitions), such individuals can still be enrolled in state continuation coverage but would not be eligible for subsidies for any portion of the monthly COBRA premium attributable to that individual (Q/A-19). Correspondingly, the “premium payee” who is eligible to receive the tax credit cannot claim a credit for the portion of the premium attributable to the individual who is not considered a qualifying beneficiary under federal law (Q/A-67).
  • An insurer who provides fully insured health plan coverage to employers subject to State mini-COBRA rules is the “premium payee” who must offer subsidized COBRA coverage during the period from April 1, 2021, through September 30, 2021, and the entity entitled to the tax credit for providing the subsidized coverage. This is true even if the employer is required by the insurer to make monthly premium payments to the insurer during the ARPA COBRA subsidy period.  (Q/A-72(3) and Q/A-62).

While insurance carriers likely will be providing more clarity on their coverage requirements and subsidy eligibility to all affected individuals following these most recent updates from the IRS, employers need to understand how ARPA’s requirements apply to their specific plan and be prepared to respond to questions from individuals.  Our Employee Benefits attorneys remain available to assist in addressing questions related to eligibility for ARPA subsidies or continuation coverage requirements generally.  Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions.

Washington Steps Up Insurance Protections for Gender Affirming Treatments

As some states make headlines for so-called “anti-trans” laws, the Washington state legislature rejected a bill designed to limit youth participation in sports based on their gender as assigned on a birth certificate and passed the new Gender Affirming Treatment Act.  This Act prohibits health insurers from denying or limiting coverage for gender affirming treatment when that care is prescribed to an individual based on a protected gender expression or identity, is medically necessary, and is prescribed under accepted standards of care.

The Gender Affirming Treatment Act stops insurers from excluding the most commonly prescribed gender affirming treatments by classifying such procedures as cosmetic.  Under the new law, beginning January 1, 2022, private insurers, the Health Care Authority (HCA), managed care plans, and providers through Medicaid programs may not deny or limit coverage for gender affirming treatment that is prescribed relating to the person’s gender expression or identity, is medically necessary, and is prescribed per accepted standards of care.  The law also forbids insurers from applying categorical cosmetic or blanket exclusions to gender affirming treatment and excluding as cosmetic specified examples of medically necessary gender affirming treatment.  And a health care provider with experience prescribing or delivering gender affirming treatment must review and confirm the appropriateness of an adverse benefit determination denying or limiting access to gender-affirming services.

The law generally defines “gender affirming treatment” as a service or product that a health care provider prescribes to treat any condition related to gender identity under generally accepted standards of care.  It also clarifies that gender affirming treatment can be prescribed for “two spirit, transgender, nonbinary, intersex, and other gender diverse individuals.”

In line with the recent urging of the American Medical Association to provide minors with gender-affirming care to avoid tragic health consequences, Washington’s Gender Affirming Treatment Act includes no age restrictions.

The new law does not apply to self-insured medical plans; ERISA preempts any law that imposes these types of requirements on self-insured medical plans.  But some large insurance companies have announced expanded coverage for breast augmentation and other related procedures for some trans women.  And because these companies often also provide administrative services to self-insured plans, their clients may choose to expand coverage for other gender affirming treatments under their self-insured plans even absent a legal requirement to do so.

The new law also raises federal tax issues because although the IRS agreed to abide by a tax court decision that hormone therapy and gender reassignment surgery are appropriate “medical expenses” under Code Section 213(d), the tax court reached the opposite conclusion regarding breast augmentation surgery.  In its 2020 version of Publication 502 (Medical and Dental Expenses), the IRS reaffirms its long-standing position that cosmetic surgery is not a deductible medical expense.  But the IRS doesn’t clarify how that position aligns with its previous positions related to gender reassignment surgery.  It is therefore unclear whether covering the state mandated gender affirmation treatments will or will not be considered qualifying medical expenses and thus whether payments by the insurer and premiums paid by the employer for these mandated benefits can be excluded from the employee’s wages.  Employers should consult with tax counsel on this issue.  Please contact a team member or the Jackson Lewis attorney with whom you regularly work if you have questions or need assistance.

IRS Answers to Your American Rescue Plan Act COBRA Subsidy Questions

In much-anticipated guidance, the Internal Revenue Service has offered its insight on the implementation of the COBRA temporary premium subsidy provisions of the American Rescue Plan Act of 2021 (ARPA) in Notice 2021-31.

Spanning more than 40 pages, the IRS-answered frequently asked questions (FAQs) finally resolve many issues relating to temporary premium assistance for COBRA continuation coverage left unanswered in the Department of Labor’s publication of model notices, election forms, and FAQs.

The practical implications of the guidance for employers are many. Significantly, employers must take action prior to May 31, 2021, to ensure compliance with some of the requirements under ARPA and related agency guidance.  More

LexBlog