UBP blog


One very costly ERISA mistake most 100+ employee companies are making

Most U.S. employers with 100 or more workers don’t comply with ERISA regulations, which can result in some very steep federal fines that add up fast.

The Employee Retirement Income Security Act (ERISA) has strict requirements for employers that sponsor 401(k), group life, medical, dental and disability plans to report certain financial information on these plans to the Department of Labor (DOL) using Form 5500.

However, public records reveal that of the approximately 110,000 businesses that employ 100+ individuals, roughly 60,000 (or 55%) have not filed Form 5500.  These findings are according to a study done by Atlanta-based ERISA Pros.

What this means for employers:

If your company is one of the many that fails to file Form 5500 on time, the DOL can fine you up to $1,100 for every day that it’s late. This $1,100 applies separately for each of your benefit plans, is not subject to the statute of limitations and is not tax deductible. In other words, you could end up owing a lot of money.

For instance, an employer that sponsors a 401(k), medical plan, dental plan, group life and disability plan could owe the DOL over $100,000 for filing Form 5500 just 30 days late.

Also, beginning in 2010, employers are required to file all Plan Year 2009 and subsequent Form 5500s electronically using the Department of Labor’s EFAST2 system. This will make it a lot easier for the DOL to ensure compliance and enforce penalties.

Summary Plan Descriptions:

Last but not least, as many employers know, ERISA requires all employers sponsoring any of the benefit plans mentioned above to disclose benefit-related information to Plan participants via Summary Plan Descriptions.  Many ERISA specialists believe that the rate of employer compliance for this requirement is even lower than that of filing Form 5500.

The Department of Labor is slated to hire 1,000 new employees for 2010, 678 of whom will be investigators. So employers, start taking all the necessary steps for ERISA compliance now before the DOL comes knocking at your door.


Could the encryption law go nationwide?

As many employers know, Massachusetts Regulation 201 CMR 17.00, enforceable as of March 1, 2010, requires all businesses that “own, license, store or maintain” personal information on Massachusetts residents to:

  1. Digitally encrypt all records containing personal information
  2. Create and implement a Written Information Security Plan (WISP) outlining administrative, technical and physical safeguards for personal information protection
  3. Update all firewalls and system security measures on all computers that store and process personal information

Although Massachusetts’ identity theft law is the strictest in our nation to date, there could soon be a Federal law not unlike 201 CMR 17.00, although the details of this law haven’t quite been ironed out yet.

The Personal Data Privacy and Security Act of 2009:

Senator Patrick Leahy, a Vermont Democrat, is sponsoring a bill called the Personal Data Privacy and Security Act of 2009.

The bill contains the following provisions:

  • New Data Protection Standards: Private and government entities that keep personal data would be required to establish effective programs for ensuring that it’s kept confidential. These requirements include risk assessment and vulnerability testing as well as measures for controlling access to sensitive information, detecting and logging unauthorized personal information access, and protecting personal data both in transit and at rest.
  • New Federal Breach-Notification Standard: If a breach were to happen, companies would not only need to notify all individuals whose data was compromised, but in some cases, credit reporting agencies and the United States Secret Service as well.
  • An Office of Federal Identity Protection would be established as part of the Federal Trade Commission (FTC) to monitor data breaches and enforce identity theft law.
  • Breach notification exemptions: The law would provide private and government entities that have taken adequate measures to protect sensitive data (i.e. encryption) some exemptions from data breach notification requirements. Also, companies would not be required to immediately make a data breach notification if it gets in the way of a criminal investigation. However, both of these exemptions will need to be vetted by the US Secret Service.
  • Criminal penalties for executives that willfully conceal a data breach: Executives of companies that experience a data breach and willfully avoid notifying affected parties would be subject to criminal penalties under this new law.

Federal ID theft law will likely pre-empt state laws:

One major point to note about this bill is that if passed, it would pre-empt (i.e. nullify) state identity theft and data breach notification laws. This means that the rules of data security could change quite a lot for Massachusetts employers, although it hasn’t been established quite how much they’d change.

The Personal Data Privacy and Security Act of 2009 was approved in November 2009 by the Senate Judiciary Committee and is currently under consideration by the full Senate.

We will keep very close tabs on Congress’ progress with this law and keep you posted on any major changes that occur.


“Important Tax Document Enclosed”, now what?: FAQs on the 1099-HC and how to use it

Massachusetts requires all residents to have Minimum Creditable Coverage health insurance or face a tax penalty. That’s why every year all employees covered on your health plan in the past year receive a 1099-HC.

Employees will get their 1099-HC forms in the mail this month and will use them to report their health insurance coverage on the Schedule HC form.

Since many Massachusetts employers will be entertaining employees’ questions on what to do with this “Important Tax Document Enclosed”, we’ve put together a few 1099-HC FAQs to help them out.

What is the 1099-HC form?

The 1099-HC is a required document for adult Massachusetts residents. It serves as proof that they had Minimum Creditable Coverage* health insurance in the past year.

*Effective January 1, 2009, all health plans sold in Massachusetts are required to meet the Minimum Creditable Coverage standards set forth by the Commonwealth Connector.

Who will receive the 1099-HC?

All Massachusetts adult health insurance plan subscribers who had Minimum Creditable Coverage in 2009 will receive the 1099-HC. Medicare recipients automatically meet the requirements for qualifying health insurance and will not receive the 1099-HC.

Why will I receive the 1099-HC?

Using a Schedule HC form, Massachusetts residents are required to report on their health care coverage when filing their 2009 income tax returns. The 1099-HC contains all the information adult Massachusetts residents need to complete the Schedule HC.

When will I receive my 1099-HC and how will I know I’ve received it?

Health plan subscribers’ 1099-HC forms will be postmarked by January 31, 2010. The form will come directly from your health insurance carrier and the envelope will have the words “Important Tax Document Enclosed” written on the front.

What information will be printed on the 1099-HC for the 2009 tax year?

Your 1099-HC form will contain the following information:

  • Name of your Health Insurance Company
  • Federal Tax ID for your Health Insurance Company
  • Subscriber Name
  • Subscriber Date of Birth
  • Subscriber Member ID
  • Subscriber’s Address
  • Full-year coverage or monthly coverage designation *
  • Dependent(s) Name(s)
  • Dependent(s) Date(s) of Birth
  • Dependent(s) Member ID(s)
  • Full-year coverage or monthly coverage designation for each listed subscriber and dependent*

*If you and your dependent(s) had Minimum Creditable Coverage for the full year of 2009 the “Full Year Minimum Creditable Coverage” box will be checked on the 1099-HC for you as well as all of your dependents. Otherwise, a check mark will appear next to each month that you or any of your dependents had Minimum Creditable Coverage for 15 days or more.

What must I do with my 1099-HC?

If you are filing a hard copy (paper) return, your 1099-HC should be included in your tax return mailing. You should also keep a copy of it for your records.

If a tax advisor is preparing your 2009 income tax return, he or she should be provided the 1099-HC form along with your other records.

When and where can I get a copy of my Schedule HC tax form? Also, how do I complete the Schedule HC?

All Massachusetts residents should receive a Schedule HC as part of the resident tax package mailed to them. If any of your employees need an additional copy, they can visit the Massachusetts Department of Revenue’s website (http://www.state.ma.us/dor) where they’ll also find instructions on how to complete the form.


Recent anti-discrimination laws make rules on wellness program questionnaires a lot tougher

A new year is under way and companies everywhere are getting started with their 2010 resolutions. Given the rising health care costs that have plagued us all lately, it’s no surprise that improving employee wellness is a popular one.

Many employers are beginning to incorporate wellness programs and initiatives into their overall group health plan design. When implementing a wellness program, health risk assessments (HRAs) are a great tool employers can use to track employee progress and generate plan effectiveness metrics.

However, for employers that use HRAs in wellness programs, there are quite a few Federal rules to follow. Recent Federal laws such as the Americans with Disabilities Act Amendment (ADAA) and Genetic Information Nondiscrimination Act (GINA) have only made the rules tougher.

The new, tougher anti-discrimination rules as they stand:

ADA (and ADAA amendment):

Health risk assessments included in a group health plan’s wellness program (even if they are HIPAA compliant) still run the risk of being non-compliant with the ADA.

As amended by the ADAA, the ADA prohibits employers from requiring employees to undergo medical examinations or inquiries unless they are made on a post-job offer basis and they’re either job-related or designed to meet a specific business need. Also, medical examinations and questionnaires that are voluntary and part of a worksite wellness program do not violate the ADA.

So, essentially, if employees can opt in to or opt out of taking your wellness program’s HRA and their incentive/penalty does not violate HIPAA (i.e. the value of the incentive or penalty cannot exceed 20% of the cost of an employee’s coverage on the group health plan), then your group should be fine with ADA compliance.


Effective the first of the plan year following December 7, 2009, employers must comply with the Genetic Information Nondiscrimination Act (GINA). But, how does GINA affect wellness program HRAs?

The GINA Act’s interim final rule prohibits (in most cases) the use of an HRA in conjunction with a wellness program if “genetic information” (i.e. results of an employee’s genetic tests or information on family medical history) is collected for “underwriting purposes”.

In the context of GINA, collecting information for “underwriting purposes” does not just mean you’re collecting it for the purpose of setting rates; the definition is very broad. The Act’s “underwriting” exclusion restricts employers from collecting, requesting and requiring genetic information in connection with an incentive (i.e. premium discount or rebate, reduction in co-pays or deductibles). So, if you have an incentive-based wellness program, it’s better to be safe than sorry and leave genetic information out of your questionnaires.

What employers need to do:

To avoid costly excise taxes and civil penalties, employers that have or are considering incentive-based HRAs for HIPAA-compliant wellness programs should consider the following:

  1. Partner up with your legal counsel and perform an objective review of your current wellness program. From this review you should determine whether or not your plan complies with GINA and ADA as amended. Also, if your plan’s not compliant, know what steps you’ll need to take to bring it into compliance.
  2. Keep the lines of communication open with your legal counsel on new developments related to HRAs in incentive-based wellness programs.
  3. Involve your service providers in developing HRAs, employee communication and wellness plan features that will comply with GINA and the ADA.


Starting January 1, there’s a new penalty for failing to report payments to Medicare beneficiaries

Starting January 1, 2010, any Responsible Reporting Entity (RRE) that fails to comply with a new requirement for reporting Medicare payments to Medicare-eligible individuals for resolution of medical expense claims could face a steep penalty: $1,000 per day the expenses go unreported.

Background on Medicare and reporting requirements:

As many of us know, Medicare is a government-funded health insurance program for individuals ages 65 and up but is not intended to be their primary health insurance (i.e. Medicare should be a “secondary payer”). In December of 2007, then-President Bush signed into law the “Medicare, Medicaid and SCHIP Extension Act of 2007” (MMSEA) to determine when Medicare beneficiaries had received reimbursements for medical expenses which Medicare could recoup.

The act requires an RRE to register with the Centers for Medicare and Medicaid Services (CMS) Coordination of Benefits Contractor (COBC) and electronically file the following information on third-party claims involving payments to Medicare-eligible claimants:

  • Identifying information about the individual (i.e. Social Security Number)
  • The amount paid to the individual to resolve all or part of the claim

The RRE’s payment is called the Total Payment Obligation to Claimant (TPOC).

Why employers need to know about this:

On or after January 1, any employer that is self-insured for all or part of any claim for medical expenses becomes an RRE and is subject to the new reporting requirements. This includes personal injury claims and can include claims for discrimination or harassment.

Employers, if the above applies to you and you employ any Medicare-eligible individuals, take the following 4 steps to help you ensure your compliance and avoid costly fines.

  1. Consult with your insurance carriers and attorneys that handle your insured liability claims. The purpose of this is to make sure everything is in place for you to report all necessary information for TPOC claims made on or after 1/1/2010.
  2. Examine your claims history to see if any demands could be made against your company for personal injury. If there have been, you should register with COBC and begin the process of filing claims information. If there have not been any such claims, you should still keep a watchful eye out for any that come in the future.
  3. If there are any claims pending against you for which you may be required to make a payment, you’ll need to determine whether or not the individual making the claim is a Medicare beneficiary.
  4. Whenever you make a payment to a Medicare-eligible individual settling a claim for personal injury or medical expenses, you’ll need to report all necessary information to COBC promptly.


Identity theft in the workplace is more common than you think

And it can come from many different people, from a dishonest co-worker, to a temp working in HR, even a visitor to your office building.  If you’re not careful, any of these people can have access to your personal information—and who knows what they’ll do if they get their hands on it.

To keep sensitive information from falling into the wrong hands, here are 3 steps employers and employees both should take:

  1. Keep your personal property in a safe place: Don’t leave your personal belongings such as purses, wallets and laptops unattended. Either have them on your person at all times or keep them in a locked place to which only you have the key. Also, make sure all documents you have containing personal information are either on an encrypted computer or stored in a locked file cabinet. When you’re away from your desk, make sure you never leave one of these files open on your computer or one of these cabinet drawers open.
  2. Always assume your work computer is being monitored:  That’s because many employers will routinely scan the content of employees’ email and monitor their Internet use. Because of this, employees should never use their work computers to access password-protected personal accounts, do online banking, send non work-related emails containing personal information or store documents with personally identifying information.
  3. Maintain strict information security policies at your workplace: Among many other things, employers should restrict access of employee personnel data to authorized individuals only and make sure all files containing personal information are stored on encrypted computers, locked file cabinets or secure offsite facilities.

They should also educate employees on all information security measures they’re taking, train employees on their data security responsibilities and require them (as part of their jobs) to obey the data security policy.
