compliance and regulationsBenefit plan regulators were active in the period leading up to the Federal government’s June 30 fiscal year-end. Significant new rules and regulations were proposed for retirement plans, deferred compensation plans and group health plans.

It’s not a walk on the wild side, but some of the dry regulatory pronouncements will impact most benefit plan sponsors and administrators. So, let’s get down in the weeds – here is the good news and the bad news:

Tax-Exempt Organizations/New Deferred Compensation Rules

IRS proposed regulations, which can be relied on at this time, clarify the nature of plan subject to Section 457 of the Internal Revenue Code and provide useful exceptions. Section 457 generally imposes special tax rules for deferred compensation plans of tax-exempt entities such as governmental bodies and not-for-profit organizations.

Code Section 457(b) postpones tax on qualifying benefits until they are actually “paid or made available” to the recipient (these are “eligible” plans with a limit on annual deferrals, currently $18,000). Code Section 457(f) requires taxation on benefits of “ineligible” deferred compensation plans (covered plans that do not qualify as eligible plans) when they are no longer subject to a substantial risk of forfeiture and, as a result, are “vested.”

Here is a link to the  new rules on Section 457 exceptions for severance pay and short term deferral arrangements as well as new vesting options.

PEOs Get Respect

Professional employer organizations (PEOs) and other employee leasing organizations that act as co-employers with their clients can now apply for IRS recognition as “certified professional employer organizations,” or CPEOs. The IRS certification will recognize the legitimacy of the PEOs undertaking payroll tax reporting and withholding obligations in its own name on behalf of leased employees performing services for PEO clients.

New regulations govern the voluntary certification program which began accepting applications on July 1 with respect to wages paid on or after January 1, 2016. To qualify for certification, PEOs must assume liability for payroll taxes payable with respect to its leased employees and meet tax status, background, experience, business location, financial reporting standards, IRS bonding and other requirements.

 HIPAA Privacy and Ransomware

The Department of Health and Human Services Office for Civil Rights (OCR) recently announced guidance on “ransomware” attacks and the HIPAA privacy provisions that protect personal health information (PHI).  Ransomware is a type of malicious software (malware) that denies access to a user’s data by encrypting that data with a key known only to the hacker until a ransom payment is made.

If a covered entity (medical service provider or self-funded group health plan) or a business associate with access to PHI is subject to a ransomware attack, and the OCR reports there are 4,000 such attacks daily since early 2016, the presence of such ransomware (or any malware) on the computer system of a covered entity or business associate is a security incident under the HIPAA security rule and likely also will be a breach of PHI confidentiality triggering the HIPAA breach notification provisions.

Group Health Coverage and Gender Transition

The OCR has also published final regulations under the ACA prohibition of discrimination on the basis of race, color, national origin, sex or disability. The regulations prohibit the denial of health benefits on the basis of “gender identity” and “sex stereotyping.”  The regulations also prohibit categorized exclusions of services related to “gender transition.”

The new rules apply to covered entities such as health care providers that accept Medicare, insurance companies and plans offered through the ACA marketplace. For employers with fully insured group health plans, the insurer will be responsible for compliance. For sponsors of self-funded group health plans, a third party administrator (TPA) that is an insurance company will be responsible for observing the new rules. Self-funded group health plans that use a TPA which is not an insurance company may have no mandated compliance assistance but will be subject to claims by aggrieved participants and beneficiaries for damages for non-compliance.

Although the new rules are effective now, responsive changes to plan documents are not required until the first day of the first plan year beginning on or after January 1, 2017 (that’s a 2016 year-end project for calendar year plans). Required non-discrimination notices must be posted no later than October 17, 2016 (sample language can be found online here.

Determination Applications for Individually Designed Retirement Plans

…are eliminated effective January 1, 2017! The IRS has abolished this program in Revenue Procedure 2016-37 in an effort to streamline its regulatory operations and control costs.  There will generally be no more favorable determination letters issued for individually designed retirement plans except on initial adoption and plan termination.

It will be up to the sponsors of such plans, their document providers and legal counsel to assure compliance with an annual Requirement Amendments List to be issued by the IRS. At the same time, preapproved plans (prototype and volume submitter documents) continue to be updated and reviewed for compliance by the IRS on a six year cycle.

Sponsors of individually designed plans are expected to migrate to preapproved plans although certain plans (such as cash balance plans) cannot do so at this time. Defined contribution plans that move to a preapproved plan document by April 30, 2017 will be able to rely on the plan’s national office determination letter for the following amendment and review cycle.

So, for retirement plans that can move to a preapproved plan document it’s time to think about making that change. For individually designed “Cycle A” plans (generally plans sponsored by employers with Employer Identification Numbers ending in “1” or “6”), determination applications can still be filed through December 31, 2016.

Andrew S. Williams has practiced in the employee benefits and ERISA arena since ERISA was passed in 1974. He has been recognized by his peers through a survey conducted by Leading Lawyers Network as among the top 5 percent of Illinois lawyers in Small, Closely and Privately Held Business Law and Employee Benefit Law. He maintains a website,, with additional updates, commentary and analysis on benefits and employment topics.

The above material is intended for general information purposes and should not be relied on or construed as professional advice. Under the applicable Illinois Rules of Professional Conduct, the contents of this e-mail may be considered to be attorney advertising. The transmission of this information is not intended to create, and receipt of it does not create a lawyer-client relationship.