While audits of qualified retirement plans have become commonplace, audits of health and welfare plans have historically been much less common. Only a select group of “lucky” employers was subjected to health and welfare plan audits, and the scope of those audits was somewhat limited. Unfortunately, it appears that trend is ending. We are seeing a notable increase in the frequency of health and welfare plan audits, and the scope of these audits is becoming much broader. Employers have rights, and the agencies have rules the auditors are required to follow. We encourage employers who receive a phone call or letter regarding a plan audit to immediately notify their third-party administrators and consult with their legal counsel regarding strategies to minimize the business disruption and potentially substantial penalty exposure associated with an audit.
For those who frequently peruse the Department of Health & Human Services (“HHS”) website—which is probably a “Favorite” on every employer’s computer—this may not come as a huge surprise. In November 2011, the HHS Office for Civil Rights announced an initiative to audit covered entities (including health and welfare plans) for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. See this link at HHS’ website for a description of the audit program protocol. Thus, there was some warning that the HHS would be examining health and welfare plan operations, at least with respect to HIPAA compliance.
However, the HHS is not the only agency that is knocking on health and welfare plan sponsors’ doors. The Department of Labor (the “DOL”) also appears to be increasing the frequency of audits. And, unlike the limited scope HHS audits, the DOL is casting a very broad net. The typical DOL audit requests a wide variety of plan-related documents and examines compliance with a broad range of issues including HIPAA, the Newborns’ and Mothers’ Health Protection Act, the Women’s Health and Cancer Rights Act, the Mental Health Parity and Addiction Equity Act, and the Genetic Information Nondiscrimination Act. Even more significant is the DOL’s recent focus on compliance with the various Patient Protection and Affordable Care Act (“Affordable Care Act”) requirements. DOL requests related to the Affordable Care Act fall into three primary categories: (1) requests for plans claiming grandfathered status; (2) requests for plans not claiming grandfathered status; and (3) requests for all plans (regardless of grandfathered status).
While the agencies are often willing to work with employers in resolving compliance issues, employers should be cognizant of the stiff penalties associated with non-compliance. For example, the Alaska Department of Health and Human Services recently agreed to pay the HHS $1.7 million to settle potential violations of the HIPAA Security Rule (see this link at HHS’ website for more information on this settlement). And, as explained in one of our previous blog postings, Sections 4980B, 4980D, 4980E, and 4980G of the Internal Revenue Code impose excise taxes for various failures of health care coverage requirements, including a $100 per day per affected individual tax for failure to comply with group health plan requirements.
Given the recent upswing in health and welfare plan audits and the potentially stiff penalties for noncompliance, plan sponsors are encouraged to engage in their own audits of plan documents and procedures so they can resolve any problems in a more cost-effective manner. At Porter Wright, we have developed comprehensive self-assessment tools designed to ensure compliance with the myriad of rules while maintaining attorney-client privilege for such materials.