This newsletter provides updates employers should be aware of heading into 2024, including an outline of the updated 2024 retirement and welfare plan limits, instructions related to the “gag order” attestation requirements for group health plans, a summary of the DOL’s new proposed rule on investment advice fiduciaries, and HIPAA and data privacy law updates for employers and plan sponsors.

2024 Retirement and Welfare Plan Limits

The Internal Revenue Service has released cost of living increase numbers for many retirement and welfare plan limits for plan years commencing in 2024. Elective deferrals to 401(k) and 403(b) plans increased from $22,500 to $23,000, and the catch-up contribution limit remained unchanged at $7,500. The Social Security Wage Base increased from $160,200 in 2023 to $168,600 in 2024.

These changes will be effective for plan years that begin on or after Jan. 1, 2024.

Complying with the Gag Clause Attestation Requirement by Year End

The Consolidated Appropriations Act, 2021 (the “Act”), passed at the end of 2020, added new transparency requirements for group health plans. These rules, in part, prohibit a group health plan from making certain types of agreements that directly or indirectly restrict transparency (known as “gag clauses”). For example, a plan may not agree with a provider that the plan will not make available provider-specific cost or quality information through a consumer engagement tool to referring providers or plan participants. The rules also require the group health plan to annually submit an attestation to the federal government that the plan is in compliance with the prohibition on gag clauses.

Group health plan sponsors, as fiduciaries, have a responsibility to ensure that all gag clauses are removed from the contracts that the plan has directly or indirectly (e.g., through a third-party administrator or vendor such as a Pharmacy Benefit Manager, Independent Practice Association, or Behavioral Health Manager) entered into with its health care providers, network or association of providers, third-party administrators, or other service providers offering access to a network of providers. In addition, sponsors should ensure that their plans annually submit the required attestation.

The first annual Gag Clause Prohibition Compliance Attestation (“Attestation”) is due at the end of this year:

• Plans must annually submit an Attestation to the Departments of Labor, Health and Human Services, and the Treasury (collectively, the “Departments”). The Centers for Medicare & Medicaid Services (“CMS”) is collecting the Attestations on behalf of the Departments.
• The first Attestation is due by December 31, 2023. The first Attestation covers the period beginning December 27, 2020, or the effective date of the applicable group health plan, if later, through the date of attestation.
• Subsequent Attestations are due by December 31 of each year thereafter and cover the period since the previous Attestation.

Plan sponsors submit the Attestation online on the CMS website. Instructions are available here.

The attestation requirement applies broadly to almost all group health plans, including insured and self-funded ERISA plans, non-federal governmental plans, church plans, grandfathered plans, and grandmothered plans. It does not apply to excepted benefits (including dental and vision), and it is not being enforced against account-based plans like health reimbursement arrangements.

Service providers may attest on behalf of self-funded plans, but the plan is required to enter a written agreement with the service provider providing for this, and the legal requirement to attest remains with the plan. If a plan uses multiple service providers, each provider may attest on the plan’s behalf with respect to the subset of benefits that it administers; however, if any of these providers fails to submit the Attestation, the plan violates the attestation requirement.

In preparation for the upcoming deadline, plan sponsors should gather all health care provider agreements and vendor contracts that might contain gag clauses, including Pharmacy Benefit Manager contracts and network provider agreements. Plan sponsors should identify gag clauses in existing contracts, negotiate the removal of these clauses, and amend non-compliant contracts. For new contracts, plan sponsors should add language to clearly define expectations around gag clauses.

Finally, plan sponsors should prepare to complete the attestation by December 31, 2023. Plans that fail to comply may face a civil penalty of up to $100 per day for each individual to whom the failure relates.

Proposed Retirement Security Rule: DOL’s Investment Advisor Fiduciary 3.0 Rule

The Department of Labor (DOL) recently proposed a new ERISA definition of investment advice fiduciary to extend ERISA compliance obligations to investment advisors who provide investment advice or make an investment recommendation to a retirement investor for a direct or indirect fee or other compensation. A retirement investor includes an ERISA plan, an ERISA plan fiduciary, an ERISA plan participant or beneficiary, an IRA, an IRA owner or beneficiary, or IRA fiduciary.

Under the proposed fiduciary rule, an “investment advice fiduciary” must act in the best interest of the retirement investor when:

1. Acting with discretionary authority or control with respect to purchasing or selling securities or other investment property for the retirement investor;
2. Making investment recommendations to investors on a regular basis as part of their business and under circumstances indicating that the recommendation is based on the particular needs or individual circumstances of the retirement investor and may be relied upon by the retirement investor as a basis for investment decisions that are in the retirement investor’s best interest; or
3. Representing or acknowledging that they are acting as a fiduciary when making investment recommendations.

According to the DOL, the proposed ERISA compliance obligations are “generally consistent with the best interest obligations” set forth in the Securities and Exchange Commission (SEC) Regulation Best Interest (Reg BI) and the related SEC interpretations. The DOL intends to extend ERISA fiduciary protections to transactions that are not currently covered by Reg BI or existing ERISA fiduciary protections, including:

1. Recommendations to rollover assets from an employer retirement plan to an IRA;
2. Investment recommendations to purchase retirement annuities, such as fixed index annuities, by ERISA retirement plans; and
3. Investment recommendations to ERISA plan fiduciaries.

The DOL has also released proposed amendments to the exemptions from the prohibited transaction rules that apply to ERISA fiduciaries. Under these proposed rules, an investment advice fiduciary will generally need to ensure that covered advice is in the retirement investor’s best interest, charges only reasonable fees or other compensation, avoids conflicts of interest, and does not include any misleading statements.

The comment period for the proposed DOL rules ends on January 2, 2024. Official comments may be submitted online here.

The Quarles Employee Benefits Group will continue to monitor the development of these proposed DOL rules and their effect on ERISA plan fiduciaries, plan sponsors and investment advisors.

HIPAA & Data Privacy: Top 5 Things to Consider for Employers and Plans

Employers and plans should take note of these top 5 HIPAA/privacy compliance considerations from the Quarles Privacy Team, which stem from new laws, hot enforcement / litigation risks, and business priorities we are working on with our clients.

1. HIPAA Applicability. “You are violating my HIPAA rights” – we see this phrase a lot from disgruntled plan dependents and employees. While individuals (including dependents and employees) have privacy rights, it is important to remember that HIPAA only applies to “covered entities” – generally those are healthcare providers, health plans, and healthcare clearinghouses. In fact, HIPAA specifically excludes employment records from its jurisdiction. So, when acting in your capacity as an employer, the employment records you hold are not subject to HIPAA even though they may be health-related (though they are likely subject to other federal and state privacy/confidentiality laws). Best practice may be to keep these employee health records segregated from other employment records. However, be careful if your company operates a self-funded health plan (which we address below).

   It is important for your team to know whether your company sponsors an insured or self-funded health plan. For example, when we assist clients with data breaches, it is not uncommon for clients to uncover that protected health information (“PHI”) subject to HIPAA is involved, even when the client did not think it was subject to HIPAA. Self-funded health plans, in which employers assume the financial risk of providing health benefits for employees (typically up to a stop loss threshold), are subject to HIPAA. As a HIPAA covered entity, self-funded plans are required to have a full HIPAA compliance program in place (e.g., appointing a dedicated Privacy and Security Officer who oversee the plan’s compliance with HIPAA, maintaining policies and procedures that address the HIPAA Privacy and Security Rules, implementing an incident response plan, training new hires and current employees on HIPAA compliance, performing a risk analysis, implementing required technical, administrative and physical safeguards, etc.). A sponsor of a self-funded health plan must take steps to separate employee information that it holds in its capacity as a “plan” from information that it holds in its capacity as an “employer.” Many businesses contract out the administration of their plans and assume that the responsibility for HIPAA compliance is shifted to the third party administrator as well. However, the ultimate responsibility for HIPAA compliance of a self-funded health plan remains with the plan sponsor, your business.

2. Employer Sponsored Wellness Programs. Many employers offer workplace wellness programs that may involve collecting health-related data from employee-participants. Whether HIPAA applies to workplace wellness programs depends on the way in which those programs are structured. Where a workplace wellness program is offered as part of a group health plan, the health information collected from or created about employee-participants in the wellness program is PHI and must be protected per HIPAA. This is the case because the group health plan is subject to HIPAA (see discussion on self-funded health plans above). A wellness plan offered directly by an employer (not a part of a group health plan) would not be subject to HIPAA. However, state privacy laws may apply (see below).
3. State Privacy Laws. Do not forget about state law. Employee, vendor, and other personal information (e.g., customer data) collected and maintained by businesses is likely subject to state privacy laws. These state laws require employers to extend certain data rights to customers, employees, and others. Businesses should confirm that website privacy notices and internal policies are up to date (and updated at least annually). A business’s website privacy notice is the easiest thing for regulators and plaintiffs’ attorneys to check for low hanging fruit. A business’s privacy and security posture can also be a key factor in valuation in the M&A setting. State laws continue to evolve, and it is important to stay on top of state law requirements.
4. Biometric Data Collection. In an increasingly technology-driven world, employers are taking advantage of technology that processes biometric identifiers (e.g., fingerprints, face scans, etc.) to verify attendance, clock in, authenticate technology sign-on, and other activities. Employers must be aware of biometric privacy laws, as these laws are ripe for class action lawsuits. For example, Illinois enacted the Biometric Information Privacy Act, which received attention earlier this year for a case that went to the Illinois Supreme Court involving an employer’s collection of employee fingerprints and disclosure to a third party without appropriate consent. While the state laws that address biometric data may differ, these laws generally address employers’ obligations to provide employees with a privacy notice detailing collection and use of such information, obtaining employee consent prior to collection, and maintaining appropriate safeguards to protect this data.
5. Artificial Intelligence (AI). AI seems to be all folks can talk about these days. While AI presents a number of opportunities for businesses, adoption of AI in the workplace setting can present a number of privacy and security risks. Take some time to develop an AI governance program, consider the AI partners you choose, and get a good privacy and IP review of that contract to address important issues, including bias in hiring practices, implications on company mission, workforce training, and IT infrastructure.

Many businesses are not aware of the scope of data they collect and use, particularly on the employer and plan side. Understanding the data your business processes is key to understanding the various applicable federal and state data privacy laws.