HR Compliance Information Specialists - LegalWorkplace.com
 
 

Brought to you by the Alexander Hamilton Institute

Benefits Alert


May 7, 2009


Volume 6, Number 16

IN THIS ISSUE:

1. Had Enough Of COBRA Subsidies? Well, ARRA Amends HIPAA, Too

2. Take My Advice...Please

3. Office Perks Ripe For The Trimming

4. Ask The Experts

 Had Enough Of COBRA Subsidies? Well, ARRA Amends HIPAA, Too  

The primary focus of the American Recovery and Reinvestment Act (ARRA) has been on the 65% COBRA subsidy, which is available to employees who are involuntarily terminated between September 1, 2008, and December 31, 2009. However, ARRA also amends the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security provisions. Beware: These HIPAA amendments have varied effective dates, so the sooner you become familiar with them, the better. Here are highlights of the ARRA amendments.

 

Notifications In Case Of Breaches

HIPAA's privacy and security provisions have their own nomenclature. Covered entities (i.e., most group health plans, church plans, government plans, dental plans, vision plans, long-term care plans, health flexible spending accounts, and employee assistance plans) must handle employees' protected health information (PHI) in a secure manner. Prior to ARRA, covered entities had an obligation to mitigate a breach if PHI was handled in an unsecured manner. ARRA toughens this standard.

 

Under the ARRA amendments, covered entities that handle unsecured PHI must notify each individual of the security breach. Covered entities' business associates must notify covered entities of a breach, including identifying individuals whose unsecured PHI has been involved in the breach. Notice must be provided without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. Notices may be mailed via first-class mail, or if the individuals specify, via e-mail.

 

Covered entities that don't have individuals' current postal or e-mail addresses must use substitute notices. If a breach involved at least 10 individuals, covered entities must post the notice on their home page. In lieu of a website posting, covered entities may place the notice in newspapers or broadcast media. The notice must include a toll-free phone number. In urgent cases, covered entities may phone individuals.

 

If the unsecured PHI of more than 500 individuals in a particular state is involved, covered entities must provide the notice to prominent media outlets. Covered entities must also notify the Secretary of the Department of Health and Human Services (HHS). If the breach involved 500 or fewer individuals, covered entities may maintain logs of breaches. Logs must be submitted to the HHS annually. Notice must be provided immediately if the breach involves at least 500 individuals. The HHS will post a list on its website that identifies each covered entity involved in security breaches.

 

Regardless of how notice is provided to individuals, to the extent possible, notices must include the following information.

  • A brief description of what happened, including the date the breach occurred and the date the breach was discovered, if known.

  • A description of the types of unsecured PHI that were involved in the breach (e.g., names, Social Security numbers, dates of birth, home addresses, account numbers, disability codes).

  • The steps individuals should take to protect themselves from potential harm resulting from the breach.

  • A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

  • Procedures for individuals to ask questions or learn additional information (i.e., a toll-free telephone number, an e-mail address, a website, or a postal address).

Restrictions On PHI

Under HIPAA, individuals always have the right to restrict the disclosure of their PHI, but covered entities weren't necessarily required to abide by those requests. Under the ARRA amendments, covered entities must comply with an individual's request to restrict the disclosure of PHI, if the disclosure is to a health plan for purposes of carrying out payment or health care operations, and the PHI pertains solely to a health care item or service for which the individual paid the health care provider in full out of his/her own pocket. For example, a covered dependent who paid for a medical service could prevent the disclosure of PHI to his/her parents.

 

One way to ensure that employees' electronic health records are protected is to require covered entities to account for their use. Employees already have a right to an accounting when covered entities disclose certain PHI. The ARRA amendments broaden employees' rights to an accounting by creating a new term — electronic health record. An electronic health record is any electronic record of health-related information on an individual that's created, gathered, managed, and consulted by authorized health care clinicians and staff. Employees will have the right to an accounting if covered entities disclose electronic health records to carry out treatment, payment, and health care operations. Current users of electronic records generally have until January 1, 2014, to comply; others generally have until January 1, 2011, to comply.

 

Penalties

Pre-ARRA, the amount of a civil monetary penalty was generally $100 for each violation. This $100 amount (capped at $25,000 for multiple violations) increases to $1,000 per violation for a violation due to reasonable cause and not to willful neglect (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).

 

In addition, by 2012, regulations must allow private individuals to recover a portion of any civil penalty or civil settlement as compensation for the breach. Finally, state attorneys general are specifically authorized to bring civil suits against violators. State attorneys general can also seek attorneys' fees from violators.

 Take My Advice...Please

The events of the last nine months or so highlight how important retirement advice can be. Final regulations, which become effective May 22, 2009, allow, but don't require, 401(k) plans to arrange for outside financial advisors to provide in-person or computer-modeled advice to plan participants. Plan sponsors who exercise prudence in selecting outside advisors can't be held liable to participants if the advice doesn't pan out, or if the outside advisor doesn't comply with the standards these regs set. Although these regs are primarily concerned with setting standards for outside financial advisors, plan sponsors should become familiar with them.

 

Statutory Exemption

Normally, it would be a conflict of interest for any plan fiduciary to provide advice to participants. However, the 2006 Pension Protection Act (PPA) allows plan sponsors to choose between in-person advice provided by an outside investment advisor, or advice driven by computer models. The final regs implement this provision.

 

Under the final regs, your fiduciary obligation doesn't stop with prudently selecting an outside advisor. You have some minimal supervisory duties over the advisor.

  • Prior to their dispensing any in-person advice or firing up any computer model, advisors must make certain disclosures to plan participants. Tip: When evaluating disclosures, put on your plan participant hat. If you're confused, odds are participants will be, too.

  • Outside advisors must undergo annual audits by independent auditors, and plans must be provided with a copy of the audit report within 60 days.

  • Outside advisors must provide, without charge, accurate, up-to-date information to participants at least annually, and provide them with information regarding material changes to advice they previously gave.

Retirement advice may be provided in-person or strictly by computer model. Regardless of how it's provided, the advice must meet these minimal standards.

  • Advice must be based on generally accepted investment theories that account for the historic returns of different asset classes over a defined period of time. To the extent provided by the plan or participants, advice must account for information relating to participants' age, time horizons (e.g., life expectancy and retirement age), risk tolerance, current plan investments, other assets or sources of income, and investment preferences.

  • Advice must take into account investment management fees and other fees and expenses related to the recommended investments.

Outside advisors who provide in-person advice must also comply with restrictions on their fees. The compensation and fees (including salaries, bonuses, awards, promotions, and commissions) received by employees, agents, or registered representatives who provide investment advice can't vary with the advice given. Also, fees (including commissions or other compensation) received by advisors with respect to a disposition of any security can't vary. This is called fee-leveling.

 

Outside advisors who provide advice through computer models must have their models certified by independent investment experts. These experts must also provide plan sponsors with written certification that the computer model meets regulatory standards. In addition to securing this certification, plan sponsors should ensure that computer models meet these minimal standards.

  • Models must utilize appropriate objective criteria to provide asset allocation portfolios comprising investment options available under the plan.

  • Models must be designed and operated to avoid investment recommendations that inappropriately favor investment options offered by the investment advisor, or inappropriately favor investment options that may generate greater income for the advisor.

An Appendix to the final regs includes a model notice outside advisors can use to satisfy their disclosure obligations. Plan sponsors should carefully scrutinize any notice that deviates from this model.

 

Class Exemption

The regs also incorporate a class, or administrative, exemption that complements the statutory exemption. Under the class exemption, outside advisors must meet all the criteria for the statutory exemption. The class exemption allows outside advisors to provide in-person investment advice to participants who received their initial investment advice via computer modeling.

 

Click here to read the final regs, including the Appendix. Note, however, that the original effective date of March 23, 2009, was changed in a subsequent regulatory notice to May 22, 2009.

 

And The Survey Says....

MetLife's Annual Employee Benefits Trends Study indicates that employees value retirement advice. According to the study, 51% of employees surveyed said that they were interested in receiving retirement advice, but only 37% of employers said that they're responsible for providing it. Older baby boomers — those born between 1946 and 1955 — are more interested in retirement advice than their co-workers; 55% said that they were interested in receiving retirement advice.

 Office Perks Ripe For The Trimming    

If your company is cutting back on office perks — free coffee and donuts, social events, and other little niceties employees have come to know and love — you're not alone. According to the results of a survey conducted by CareerBuilder.com, 38% of employers said that the current economy is forcing them to make administrative cuts.

 

What's On The Chopping Block

Employers are cutting back across the board, and no benefit seems to be immune. The CareerBuilder.com survey noted the following.

  • 25% of employers expect to cut back on health benefits.

  • 11% said that wellness programs will feel the pinch.

  • 34% said they're planning on cutting coffee, ice machines, and discounted vending.

  • 61% will trim business travel.

There is some good news tucked into this survey, too. Thirty-nine percent of employers offer more opportunities for employees to telecommute, which helps employees save money on commuting costs. Other employers are subsidizing employees' commuting costs. Note that the American Recovery and Reinvestment Act allows you to subsidize employees' commuting costs, up to $230 a month. For employees who take mass transit and also pay to park their cars, the maximum monthly exclusion is $460. These benefits may be provided on a pre-tax basis.

 Ask The Experts 

Q. Does an employee who has been called to active military service experience an involuntary termination, so that he/she is qualified to elect the COBRA subsidy? You seem to have omitted this contingency from your article in last month's issue.

 

A. We couldn't address this situation because the IRS's guidance didn't address this situation. However, during a webcast, the IRS noted informally that the termination is involuntary — the federal government is taking the action and is also picking up the subsidy, so the employee would be eligible for the subsidy.


Alice Gilman, Esq., Editor
Copyright © 2009 by Alexander Hamilton Institute, Inc.
emailnewsletter@legalworkplace.com
(800) 879-2441 • 70 Hilltop Road • Ramsey, NJ 07446

