From Benefits Law Journal, Summer 2014 Issue. This article covers:
- What Triggers a Plan Audit?
- DOL Audits of Health and Pension Plans
- IRS Audits of Pension and Retirement Plans
- HIPAA Privacy and Security Audits
- How Can a Plan Sponsor Best Be Fortified to Withstand an Audit?
- What Should a Plan Sponsor Do?
BENEFITS LAW JOURNAL
VOL. 27, NO. 2 SUMMER 2014
Audits Abound: Are You Ready?
Karen R. McLeese
With this column, we welcome Karen R. McLeese, the Vice President
of Employee Benefit Regulatory Affairs for CBIZ Benefits & Insurance
Services, Inc., a division of CBIZ, Inc. She serves as in-house counsel,
with particular emphasis on monitoring and interpreting state and
federal employee benefits law. Ms. McLeese is based in the Leawood,
Kansas, CBIZ office.
Whether it is the Department of Labor or the Internal Revenue
Service and Treasury Department reviewing your health or
retirement plan, or the Office of Civil Rights reviewing your HIPAA
privacy compliance, there are many agencies interested in making
sure your plans and processes are compliant. Read on for some tips
on how to make certain your benefit abode is clean and tidy should
the government pay you a visit.
What Triggers a Plan Audit?
An audit is an inspection or examination to evaluate or improve the appropriateness, efficiency, accuracy, prudence, or the like of a particular process. Put in an ERISA plan perspective, an audit, whether self-imposed or commenced by a regulatory agency, is for the purpose of ensuring that the plan is operated in accordance with, and in compliance with, the law. Of utmost importance is ensuring that the plan is administered for the exclusive benefit of plan participants and beneficiaries.
To that end, an audit most typically focuses on ensuring that the terms and conditions of the plan are, first and foremost, written with the intent of benefitting plan participants and beneficiaries, and second, that the plan is so administered. Of paramount importance is ensuring that plan assets are used for the exclusive benefit of plan participants and, in particular, that participant contributions are timely contributed to the trust, paid to an insurer, or otherwise used in accordance with the terms and conditions of the plan.
A number of events can trigger an audit, such as plan filings or
random selection. One of the most common events generating an
audit is a complaint by a plan participant or a perceived injured
party.
DOL Audits of Health and Pension Plans
An audit initiated by the Department of Labor’s Employee Benefit Security Administration (EBSA) to investigate a health plan or pension plan may be any of the following:
1. Limited review (no specific issue);[1]
2. Fiduciary investigation;[2] or
3. Prohibited person investigation.[3]
In conducting an audit of these types of plans, EBSA will request and review many documents,[4] including:
• Form 5500 filings and related summary annual reports;
• The plan document and related disclosures;
• All related insurance and reinsurance contracts, third-party
agreements, and administrative services agreements; and
• Documents describing employer or plan sponsor responsibilities regarding payment of associated plan costs.
Additional items that may be requested include:
• Collective bargaining agreements (if applicable);
• Lag reports of participant claims filed;
• The plan’s accounting records (bank or trust statements);
• Documents identifying plan assets, liabilities, revenue, and
expenses;
• Fiduciary liability bond;
• Fidelity (fraud and dishonesty) bond; and
• Identity and contact information of service providers (attorney, accountant, actuary, insurance agent, third-party administrator, and trustee).
In addition, a health plan might be required to produce documents showing compliance with laws[5] such as:
• Consolidated Omnibus Budget Reconciliation Act (COBRA);
• Health Insurance Portability and Accountability Act (HIPAA);
• Mental Health Parity Laws (MHPA and MHPAEA);
• Genetic Information Nondiscrimination Act (GINA); and
• Patient Protection and Affordable Care Act (Affordable Care
Act or ACA).
The direction the EBSA would follow in a pension or retirement plan audit generally depends upon whether there is a potential violation of participant’s rights under the plan, whether there are prohibited individuals serving as fiduciaries or service providers of the plan, or whether the investigation focuses on a fiduciary violation. Several years ago, EBSA commenced a three-prong effort to enhance plan sponsor and participant awareness of retirement plan fees. As part of its initiative, the service provider fee disclosure rules[6] require service providers of qualified retirement plans to provide certain plan information, in writing, to plan fiduciaries who, in turn, provide fee-related information to plan participants.[7] These types of disclosures would also be reviewed during an EBSA audit.
IRS Audits of Pension and Retirement Plans
Audits of pension and retirement plans can also be initiated by the Internal Revenue Service (IRS).[8] An IRS examination would generally focus on plan data and operations to confirm compliance. The main areas of an IRS examination could include:
1. Review of plan documents and amendments, as well as trust
documents
2. Plan qualification substantiation relating to:
• Coverage and nondiscrimination tests
• Minimum distribution requirements
• Verification of compensation limits
• Eligibility requirements and plan entry dates
• Vesting provisions
3. Potential prohibited transaction matters: plan rules relating to participant loans, transactions between the plan and employer, or any self-dealing by the plan’s fiduciary(ies)
4. Plan operation matters: review of allocations and general
compliance with the terms of the plan, including eligibility,
distributions, deferral elections, and automatic enrollment
features
5. Review of plan asset matters: investments held by trust,
whether contributions are timely transmitted, and payment
of expenses by plan assets and investment elections
6. Tax review: prohibited transaction excise tax, tax on deemed
distributions due to defaulted loans or Internal Revenue
Code 72(p) noncompliance, deduction limits, shortfalls
under minimum distribution rules, proper withholding, and
timing of income on corrective distributions
7. Review of reporting documents to the IRS such as Forms
1099s, 5500s, and W-2s
HIPAA Privacy and Security Audits
The administrative simplification standards required under the HIPAA law[9] include three components: health care privacy rules, electronic data interchange rules, and security of health data rules:
• The health care privacy rules govern how individually identifiable medical information must be protected.
• HIPAA requires national standards for electronic health care
transactions; code standards; and national identifiers for health
care plans, providers, and clearinghouses. The intent of these
standards is to improve the efficiency and effectiveness of the
nation’s health care system by encouraging the widespread
use of electronic data interchange (EDI) in health care.
• HIPAA requires that security standards be established for the protection of electronic health information. In addition, covered entities (health care providers, health care clearinghouses, and health plans) are required to notify affected individuals in the event of a breach of their unsecured health information.
The Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the privacy and security rules.[10] According to the OCR, the increased use of health information technology, while beneficial, also carries new risks to consumer privacy. Thus, the Administrative Simplification Rules enacted under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH)[11] include national standards for the privacy of protected health information (PHI), the security of electronic protected health information (e-PHI), and breach notification to consumers.
The types of information that may be requested during an OCR audit[12] include the following:
1. Substantiation of compliance with the privacy rule requirements relating to:
• Implementation of ongoing administrative requirements,
such as appointment of a privacy and security officer,
maintenance of written policies and procedures, entering
into business associate agreements, providing privacy
training to the workforce, maintenance and certification
of plan documents, and record retention
• Maintenance and distribution of the entity’s notice of
privacy practices
• Ongoing monitoring of the use and disclosure of PHI by
the covered entity
• Honoring individual rights, including the right to request
privacy protection of PHI, the right to access and amend
PHI, and the right to an accounting of disclosures
2. Substantiation of compliance with the security rule requirements for implementing administrative, physical, and technical safeguards in the protection of PHI and e-PHI, as well as mobile device security
3. Substantiation of satisfying the requirements of the Breach
Notification Rules
Audits could also be initiated by the Centers for Medicare and Medicaid Services (CMS), which administers and enforces other aspects of the HIPAA Administrative Simplification Rules, including standards relating to transactions and code sets and the employer and national provider identifiers.[13] In addition, the HITECH law authorized enforcement of privacy violations by state attorneys general.
How Can a Plan Sponsor Best Be Fortified to Withstand an Audit?
One of the best ways a plan sponsor can be prepared to withstand
an audit is to regularly engage in a bit of spring cleaning. An employer
should, for example, regularly review its plans to ensure compliance
with all of the policies and procedures governing those plans. This is
particularly important in the current environment of constant change.
The three governing agencies mentioned in this article provide
manuals, compliance tools, checklists, and other information to assist
plan sponsors in determining whether their plans are compliant.
Following are some of these sources that may be helpful.
EBSA Resources
Health and welfare benefit plans:
• HIPAA & Other Health Care-Related Provisions Tool[14]
• Affordable Care Act Provisions Tool[15]
• EBSA Enforcement Manual—Health Plan Investigations[16]
Pension and retirement plans:
• EBSA Enforcement Manual—Participant’s Rights,[17] Prohibited Persons,[18] and Fiduciary Investigations Program[19]
• Voluntary Correction Programs[20]
IRS Qualified Pension and Retirement Plan Resources
• Employee Plans Examination Guidelines[21]
• Checklists[22] containing Fix-it Guides[23] on an array of retirement plans such as 401(k) and 403(b) plans, Simple IRAs, SEPs and SARSEPs
• Three programs for correcting plan errors:[24]
• Self-Correction Program (SCP)
• Voluntary Correction Program (VCP)
• Audit Closing Agreement Program (Audit CAP)
HIPAA Privacy and Security Resources
• OCR’s Audit Program Protocol[25] provides compliance assistance to covered entities relating to privacy, security, and breach rules.
• Workgroup for Electronic Data Interchange (WEDI) has developed compliance tools such as a breach risk assessment tool, a security risk assessment tool, and Health IT Compliance Guide.[26]
• The CMS Web site provides educational materials and compliance tips.[27]
In Summary: What Should a Plan Sponsor Do?
1. Establish and maintain practices and procedures to ensure
compliance with all applicable laws.
2. Periodically engage in an internal audit of relevant practices,
procedures, and documents.
3. If an audit request is received:
• Make any audit requests a high priority;
• Engage legal counsel immediately;
• Create a positive, cooperative relationship;
• Assign a point person and coordinate with all players;
• Brief management on relevant issues;
• Respond timely to all requests; and
• Don’t panic.
Notes
1. EBSA Enforcement Manual, Chapter 53, Targeting and Limited Reviews.
2. Id., Fiduciary and Part 7 Investigations, Program 48.
3. Id., Chapter 47, Prohibited Person.
4. Id.
5. Id., Chapter 50, Health Plan Investigations.
6. 29 C.F.R. Part 2550, Reasonable Contract or Arrangement Under Section 408(b)(2)—Fee Disclosure.
7. 29 C.F.R. Part 2550, Fiduciary Requirements for Disclosure in Participant-Directed Individual Account Plans.
8. Internal Revenue Manual, Part 4, Examining Process, Chapter 72. Employee Plans Technical Guidelines.
9. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 45 C.F.R. Parts 160, 162, and 164.
10. 45 C.F.R. Part 160, Subparts C, D, and E.
11. Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).
12. 45 C.F.R. Part 160, Subparts C, D, and E.
13. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 45 C.F.R. Parts 160, 162, and 164.
14. HIPAA & Other Health Care-Related Provisions Tool, http://www.dol.gov/ebsa/pdf/part7-1.pdf.
15. Affordable Care Act Provisions Tool, http://www.dol.gov/ebsa/pdf/part7-2.pdf.
16. EBSA Enforcement Manual, Chapter 50, Health Plan Investigations.
17. Id., Chapter 53, Participant’s Rights.
18. Id., Chapter 47, Prohibited Person.
19. Id., Fiduciary and Part 7 Investigations, Program 48.
20. EBSA Voluntary Corrections Programs, http://www.dol.gov/ebsa/compliance_assistance.html#Section8.
21. IRS Employee Plan Examination Process Guide, http://www.irs.gov/Retirement-Plans/EP-Examination-Process-Guide.
22. IRS Checklists, http://www.irs.gov/Retirement-Plans/Have-You-Had-Your-Retirement-Plan-Check-Up-This-Year.
23. IRS Fix-it Guides, http://www.irs.gov/Retirement-Plans/Plan-Sponsor/Fix-It-Guides-Common-Problems-Real-Solutions.
24. IRS Employee Plans Compliance Resolution System (EPCRS), http://www.irs.gov/Retirement-Plans/EPCRS-Overview; Correcting Plan Errors, http://www.irs.gov/Retirement-Plans/Correcting-Plan-Errors.
25. OCR’s Audit Program Protocol, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
26. Workgroup for Electronic Data Interchange (WEDI), Privacy and Security, http://www.wedi.org/topics/privacy-security.
27. Centers for Medicare and Medicaid Services, HIPAA—General Information, http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html.