HIPAA Privacy, Transportation Benefits, Pension Funding, Exec Comp Q1 Issues

Focus On Employee Benefits

Health & Welfare: Changes to the HIPPA Privacy and Security Rules

Susan Relland

In addition to the dramatic changes to the COBRA rules detailed in our client alert dated February 13, 2009, the American Recovery and Reinvestment Act of 2009 (“ARRA”) includes provisions affecting the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPPA”). These provisions are included in the ARRA’s Health Information Technology for Economic and Clinical Health Act (“HITECH”). The HITECH provisions are generally effective February 17, 2010, although the changes in the security provisions of HIPAA are generally effective 30 days after applicable regulations are issued. The changes to the enforcement provisions are effective for violations occurring after February 17, 2009.

Expanded Business Associate Responsibilities

HITECH subjects “business associates” to HIPPA’s security rules. Under current law, a business associate is any person or entity who performs or helps to perform a function or activity involving the use or disclosure of PHI (“PHI”) and the function or activity is being performed on behalf of a HIPAA covered entity. Lawyers, health information exchange organizations, regional health information organizations, and accountants are among the entities who are considered HIPPA business associates. The change to subject business associates to the HIPAA security rules means that these entities will be required to appoint a security official, develop written HIPPA policies and procedures, and train their workforce on HIPPA and how to protect PHI. Additionally, business associates will need to implement physical and technical safeguards, such as limiting access to PHI, and encrypting computers, e-mails and other documents maintained electronically that contain electronic PHI. Finally, all business associate contracts will need to be reviewed to determine what changes, if any, are needed to reflect the changes made by this law. These provisions take effect February 17, 2010.

Notification of Privacy or Security Breaches

The HITECH changes also require that each individual affected by a breach of the privacy or security of his or her PHI be notified of the breach. Before, there was no requirement that individuals whose information was involved in a breach be notified. Notification is now required when there is a reasonable belief that a breach has occurred, as well as when there is a known breach. The notification can be done by mail or, if the individual specifies that he or she prefers electronic notice, by email. In the case of a breach involving more than 500 individuals, the business associate must notify the Department of Health and Human Services (“HHS”). If the 500 or more affected individuals live in the same geographic area, the breach must also be reported to the local media. Notice of a breach must be given to the provider or health plan with which the individual is associated, including the identity of the individual whose PHI was accessed, acquired, or disclosed. Vendors that provide or maintain PHI must also notify the Federal Trade Commission of any breach arising from their products or services. These heightened notice rules will apply to security breaches discovered 30 days after interim final regulations are issued by the Secretary of HHS on this subject, which are required to be issued within 180 days after enactment.

Disclosures for Electronic Health Records

Covered entities that use electronic health records will be required to provide individuals with an accounting of disclosures from those records that are made for treatment, payment, or health care operation purposes in the three years preceding the request. This provision will not be effective before January 1, 2011 and is subject to regulations being promulgated.

Individuals May Restrict Disclosure of their PHI

Individuals may prohibit disclosure of their PHI to their health plans if the individual pays for the health care item or service, in full, with his or her own funds.

Expanded Remedies and Penalties

Among the changes in HITECH is the ability of State attorney generals to institute a private cause-of-action on behalf of State residents who have been, or are threatened or adversely affected by, HIPPA violations. Previously HIPAA enforcement was limited to HHS and there was no individual cause-of-action. HITECH also expands the types of damages to include monetary damages. The amount of the civil penalties for HIPPA violations have been increased, and range from $100 per violation (with a maximum of $25,000 per year), to a maximum of $50,000 per occurrence (with a maximum penalty of $1.5 million per year). A portion of any penalty assessed under HIPPA will be distributed to individuals harmed by the violation.

Payroll Tax & Fringe Benefits: Changes to Withholding Tables and Qualified Transportation Fringe Benefit Limit

Thomas Cryan

In addition to the COBRA and HIPAA changes discussed above, the American Recovery and Reinvestment Act of 2009 (“ARRA”) will impact the withholding table used by employers for the remainder of the calendar year. Rather than separate special checks mailed to taxpayers, the “Making Work Pay Tax Credit” of 2009, $400 for individuals and $800 for couples, will show up in the form of reduced withholding amounts. The phase-out for the credit is $75,000 for individuals and $150,000 for couples. The amount of additional money in each bi-weekly paycheck will depend on exactly when the IRS amends the withholding tables used by employers.

As part of the underlying “Green Initiative” contained in ARRA, Section 1151 of Title 1 of the Act increases the limit applicable to employer-provided transit passes (currently $120) so that the transit pass limit equals the limit for qualified parking benefits (currently $230). Commuters have complained for years that this benefit failed to cover most commuters’ monthly subway expense. This significant increase in the exclusion for employer-provided transit passes goes into effect in March of this year and ends on December 31, 2010. Employers that would like to take advantage of this increase should take steps now to amend their payroll and benefit procedures.

Qualified Plans: 2009 Compliance Issues Related to Pension Funding

Elizabeth Drake, Veronica Rouse, Garrett Fenton

Companies with defined benefit plans are facing two relatively new compliance issues -- an ERISA disclosure and a new tax-qualification requirement -- in the early part of 2009. ERISA requires companies with calendar-year plans to distribute a detailed funding notice to participants and beneficiaries by April 30, 2009. The tax-qualification rules restrict lump sums and other “accelerated” payments, plan amendments, and possibly, benefit accruals under plans that are not fully funded in accordance with the pension protection act requirements. Both the funding notice and the funding-based limits involve highly technical and nuanced concepts for which there is very little guidance. Companies must nonetheless make decisions and communicate with participants in a relatively short timeframe, and need to prepare for the inquiries that will inevitably arise.

New ERISA Participant Notice Requires Detailed Funding-Related Disclosures

ERISA Section 101(f) requires plan administrators to distribute a funding notice within 120 days after the close of each plan year (special timing rules apply to small plans) beginning after December 31, 2007. This means that for calendar-year plans, a funding notice must be provided by April 30, 2009 for the 2008 plan year.

In an ideal world, the Department of Labor (“DOL”) would have issued final regulations with respect to the notice requirement before plans were required to distribute the notice. To date, the only guidance is a series of Q&A’s in Field Assistance Bulletin 2009-01, which includes model notices. While helpful, the FAB highlights some of challenges companies face in order to comply with the new notice requirement.

The annual funding notice must disclose, among other things, information about the plan's funded status for the two previous plan years, the value of the plan's assets and liabilities, the number of plan participants, statements of the plan's funding and investment policies, and an explanation of any amendment or scheduled benefit increase or reduction, or other known event taking effect for the current year and having a material effect on plan liabilities or assets. At first glance, some of this information may appear to be straightforward, but this is not necessarily the case. Because many of the funding concepts are new, the FAB directs plans to provide certain information in accordance with proposed IRS funding regulations (for which there are a number of unresolved questions) and DOL enforcement policies "pending further guidance."

ERISA requires the notice to be written in a manner that can be understood by the average plan participant. The FAB contains model notices for single-employer and multiemployer plans. Plan administrators are not required to use the model notice, but the DOL will treat the notice requirement as satisfied if the administrator has complied with the guidance in the FAB and generally acted in good-faith. The FAB does not explicitly allow plan administrators to modify the model notice, but it does allow administrators to add any information they believe to be necessary or helpful to understanding the required information.

The funding notice must be provided to each participant and beneficiary, each labor organization representing plan participants, each contributing employer (in the case of multiemployer plan), and the PBGC. A plan administrator that fails to provide the annual funding notice to a participant or beneficiary may be liable for a penalty of up to $100 a day from the time of the failure and for such other relief as a court may deem proper.

Funding-Based Limits Present Implementation Challenges

When the PPA's funding-based limits became effective in 2008, few would have anticipated the number of plans likely to become subject to those limitations in 2009. As a result of the economic downturn, large numbers of plans must now cope with these limitations and do so without the benefit of final regulations. While plans can rely on the proposed regulations, they are highly technical and leave a number of unanswered questions.

As background, if a plan provides for the payment of lump sums or certain other "accelerated" benefits, and its adjusted funding target attainment percentage ("AFTAP") is at least 60% but less than 80%, the maximum lump sum that can be paid to a participant is generally the lesser of (1) 50% of the benefit, or (2) 100% of the present value of the PBGC maximum guaranteed benefit for that year. If a benefit payment is restricted by this rule, proposed regulations generally require the plan to allow affected participants to elect to either defer the payment or bifurcate the payment based on the unrestricted and restricted portions (e.g., payment of 50% as a lump sum and 50% as an annuity). Benefits with a present value of $5,000 or less are exempt from these restrictions. If a plan's AFTAP is less than 60%, the plan may not pay any lump sums and must freeze benefit accruals.

In addition to the benefit restrictions, a plan is generally prohibited from implementing any amendment that has the effect of increasing plan liabilities (e.g., by increasing benefits or establishing new benefits) during any year in which its AFTAP, counting the cost of the amendment, is less than 80%. Benefits payable solely because of a plant shutdown or other unpredictable contingent event are prohibited in any year that the plan's AFTAP is less than 60%, counting the cost of those benefits.

Until the plan's actuary certifies the current year's AFTAP, certain presumptions apply for purposes of determining whether the funding-based limits apply. For the first three months of 2009, calendar-year plans can look back to their 2008 certified AFTAP. From April 1 through September 30, the plan's presumed AFTAP is equal to the 2008 certified AFTAP minus 10%. If the current year's AFTAP is not certified by October 1, the plan is presumed to have an AFTAP of less than 60%. Therefore, if a plan with a 2008 certified AFTAP of less than 90% is unable to obtain a 2009 certified AFTAP by April 1, the plan may be subject to at least partial restrictions on accelerated payments starting April 1, 2009.

The proposed regulations offer several ways to avoid the benefit restrictions. These rules are highly technical and require actuarial analysis to determine when to use credit balances, the proper amount to contribute or provide for security for a particular purpose, and the consequences of such decisions.

Companies with plans that were funded at the lower percentages last year may have already developed strategies to deal with this year's funding-based limits, but the end-of-year downturn in the markets may cause many other plans, unexpectedly, to be subject to at least the partial restrictions on accelerated payments. Companies should plan now whether they will take steps to avoid these restrictions or, in the alternative, how the restrictions will be communicated to participants.

Exec Comp: Executive Compensation Action Items for the First Quarter of 2009

Anne Batter

This article provides practical tips as to steps that companies should consider taking in the first quarter of 2009 (for calendar year taxpayers) in order to avoid issues under Code Sections 162(m) and 409A.

Section 162(m)

Inevitably, Compensation Committees will be establishing performance goals this quarter for their annual and longer term performance-based bonuses and performance-based equity awards (such as restricted stock units (“RSUs”)). In establishing these goals this quarter, companies may want to give more attention, particularly this year, to how the company intends to account for extraordinary events that might negatively impact achievement of performance goals. Some companies specifically list what types of such extraordinary events will not be taken into account in evaluating performance and others rely on general principles. To the extent the current economic conditions are making bonus goals more challenging, the treatment of these extraordinary items may be more important than usual to the company’s ability to meet the goals set forth in this year’s grants.

Another Section 162(m) item to review this quarter is the shareholder re-approval requirements. If your plan contains a list of general business criteria, and permits the Compensation Committee to establish targets based on any of those criteria, the material terms of the plan must be reapproved by shareholders at least every five years. If a change in the material terms of the plan (meaning the eligible employees, business criteria on which goals are based, and the maximum award or formula for calculating compensation payable) are changed, that will also need to be approved by shareholders. It is worth double checking, as we move into the annual shareholder meeting season, whether the company’s Section 162(m) plans need to be re-approved by shareholders either because it has been five years since the last approval or because a material term has been or is being changed. This includes the annual bonus plan, long-term bonus plan, and equity plans that allow for grants of performance-based compensation, such as performance-based RSUs.

Section 409A

Many companies have decided to allow employees to defer annual and long-term bonuses and performance-based RSUs as late as six months before the end of the performance period under the special election rules in Section 409A(a)(4)(B)(iii) applicable to “performance-based compensation.” However, not all companies have reviewed those bonus plans and equity awards carefully to assure they qualify as performance-based compensation for Section 409A purposes. The fact that a bonus plan or equity award is performance-based compensation for Section 162(m) purposes does not mean it qualifies as performance-based compensation for Section 409A purposes. Specifically, if a bonus or a performance-based RSU pays a target amount, rather than an amount based on actual performance against goals, in the event of disability or change in control, to qualify as performance-based compensation under Section 409A, disability and change in control must be defined in a Section 409A compliant manner. For a more technical discussion of this issue, see our Focus on Employee Benefits newsletter dated September 18, 2008. Although this is not clear from the Section 409A regulations, the Treasury Department has indicated informally that plans must be made compliant with the Section 409A definition of performance-based compensation during the first 90 days of the performance period in order for deferral elections to be allowed in June.

For further information, please contact any of the following lawyers:

Elizabeth Drake, edrake@milchev.com, 202-626-5838

Garrett Fenton, gfenton@milchev.com, 202-626-5562

Related Files
Related Links

The information contained in this newsletter is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information about these issues, please contact the author(s) of this newsletter or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This newsletter is protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this newsletter without prior written consent of the copyright holder.