COVID Vaccines: When is an Employee’s Vaccination Status HIPAA-Protected?

Whether an employee’s vaccination status is protected by HIPAA has been (or should be) on the minds of all human resources personnel as of late. This is especially true in the wake of the Department of Labor’s Occupational Safety and Health Administration (“OSHA”) impending rule that will likely require employers with 100+ employees to ensure their workforce is either vaccinated or regularly tested. While waiting for the OSHA rule to be finalized and released, employers should ensure they are familiar with the Privacy Rule’s application to vaccination status by asking questions like:

  1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking their customers whether they have been vaccinated? 
  2. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

Fortunately, the Department of Health and Human Services (“HHS”) recently addressed these and other frequently asked questions in new guidance. Below is a quick refresher on the HIPAA privacy rule, as well as the HHS response to these common questions. 

PRIVACY RULE REFRESHER

The HIPAA Privacy Rule generally applies to information categorized as protected health information (“PHI”). PHI includes almost all health information that identifies an individual – generally, information that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or payments for healthcare. PHI can include not only traditional healthcare information, but even names, addresses, ages, etc. when connected to healthcare information.

However, not all healthcare information constitutes PHI. PHI generally only encompasses health information that is created, received, maintained, or transmitted by a covered entity or a business associate. So that begs the question – what entities are covered entities? Health plans are generally covered entities. HIPAA defines this broadly to include any individual or group plan that pays for the cost of medical care. So, when in the hands of a covered entity, an individual’s vaccination status will likely constitute PHI and be protected under the Privacy Rule. 

Importantly, HIPAA specifically excludes from PHI information held by the employer in its employment records. An employer who sponsors a group health plan generally wears two separate hats – it has different responsibilities when acting as an employer and when acting as a covered entity, i.e. the health plan. 

Even if certain information may not be PHI and protected by HIPAA, employers should also consider whether state law provides a stricter rule. While state laws may not be less restrictive than HIPAA requirements, they can provide additional restrictions. 

HHS ANSWERS OUR COMMON QUESTIONS

Given those basic rules, HHS answered these common questions for employers:

1. Does the HIPAA Privacy Rule prohibit businesses or individuals from asking their customers whether they have been vaccinated? 

No. HHS clarified that the Privacy Rule does not prohibit anyone from simply asking another whether he or she is vaccinated. When a business asks customers whether they are vaccinated, the business is likely not acting as a covered entity, i.e. the health plan. When the employer is not acting as the health plan, the Privacy Rule generally does not apply. 

Additionally, the Privacy Rule does not prohibit covered entities from simply requesting health information. Instead, the Privacy Rule is concerned with the manner in which covered entities use and disclose PHI in their possession. HHS gave some examples. The Privacy Rule does not apply when an individual:

  • is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual;
  • asks another individual, their doctor, or a service provider whether they are vaccinated;
  • asks a company, such as a home health agency, whether its workforce members are vaccinated.

The Privacy Rules also does not prohibit a person from disclosing his or her own vaccination status. HIPAA of course permits a person to disclose his own health status as he or she wishes. When an individual is discussing his own health information, he is most likely not acting as a covered entity or a business associate. 

2. Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

No. Remember that the Privacy Rule does not apply to information held by the employer in its employment records – in contrast to information held by the health plan. The Privacy Rule does not prohibit an employer from requesting an employee’s vaccination status as part of the terms and conditions of employment. HHS also gave some examples here. The Privacy Rule does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • provide documentation of their COVID-19 or flu vaccination to their current or prospective employer;
  • sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer;
  • wear a mask – while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location;
  • disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Although these examples are generally permitted under the Privacy Rule, employers should be aware that other federal or state laws may also come into play when requiring employees to obtain vaccinations as a condition of employment and how employers must handle that information. For example, documentation on an employee’s vaccination status must be kept confidential and stored separately from the employee’s other personnel files pursuant to the Americans with Disabilities Act.

New Health Plan Guidance Regarding Transparency Regulations and Last Year’s Budget Act

Late last Friday afternoon, the Departments of Labor, Health and Human Services, and the Treasury, issued some new frequently asked questions (FAQs) regarding implementation of the transparency in coverage (TIC) regulations and the Consolidated Appropriations Act of 2021 (CAA).

You might recall that the TIC regulations require group health plans to publish three machine-readable files for plan years beginning on or after January 1, 2022.  The TIC regulations also require an online shopping tool in plan years beginning on or after January 1, 2023.  Please see this blog article for a quick reminder of the TIC regulations:  https://erisalinc.com/more-details-on-transparency-rules-that-apply-in-2022-and-beyond/.

You might also recall that the CAA imposes significant requirements on group health plans, including the No Surprises Act (NSA).  The NSA applies for plan years beginning on or after January 1, 2022.  Please see this blog article for a quick reminder of the CAA:  https://erisalinc.com/last-weeks-government-funding-bill-significant-new-benefit-plan-rules/.

Last Friday’s FAQs provide important guidance regarding the TIC regulations and the CAA.  Here is a quick summary of some of the major points:

  1. Enforcement of Machine-Readable File Requirements.  The government intends to enforce the requirement that plans publish the three machine-readable files for plan years beginning on or after January 1, 2022 – subject to two exceptions:
    1. No Enforcement of Machine-Readable File Requirement Related to Prescription Drugs.  The third machine-readable file that must be disclosed under the TIC regulations requires disclosure of information related to prescription drugs.  The FAQs indicate that the government recognizes the overlapping requirements (issued after the TIC regulations) contained in the CAA – and intends to evaluate whether the prescription drug machine-readable file requirement remains appropriate.
    2. July 1, 2022 Delayed Enforcement Date for Machine-Readable File #1 and File #2.  The TIC regulations require disclosure of machine-readable files for in-network rates and out-of-network allowed amounts and billed charges, for plan years beginning on or after January 1, 2022.  The government is basically delaying enforcement of this rule until July 1, 2022.  For plans that have a plan year in 2022 that begins after July 1, 2022, this is not helpful.
  2. Self-Service Price Comparison Requirements.  The government recognizes that the TIC regulations require an online shopping tool for plan years beginning on or after January 1, 2023 – and the CAA also has similar-but-separate  requirements.  The government believes these requirements are duplicative except the CAA imposes an additional requirement that pricing information be available by telephone also, upon request.  The government intends to propose rulemaking requiring the same pricing information that is available online and in paper form (under the TIC regulations) will also be required by telephone.  Additionally, the government will not enforce the CAA price comparison requirements until the plan year beginning on or after January 1, 2023 – to align the compliance date of the TIC regulations with the compliance date of the CAA.
  3. ID Card Requirements Applicable to Plan Years On or After January 1, 2022.  The CAA requires plans to include on any physical or electronic ID card issued to participants and beneficiaries any applicable deductibles, any applicable out-of-pocket maximums, and a telephone number and a website address for individuals to seek consumer assistance.  These requirements apply for plan years on or after January 1, 2022.  The FAQs provide:
    1. No Regulations Coming.  The government does not intend to issue regulations addressing the ID card requirements prior to the effective date.
    2. Good Faith Is the Standard.  Until such guidance is ultimately issued, the government expects a good-faith, reasonable interpretation of the law.  This means:
      1. The information on ID cards must be reasonably designed and implemented to provide the required information to all participants, beneficiaries, and enrollees.
      2. The government will consider each of the specific data elements included on relevant ID cards; whether any data element required, but not included on the face of an ID card, is made available through information that is provided on the ID card, as well as the mode by which any information absent from the card is made available; and the date by which a plan makes required information available on ID cards.  As an example, the government would deem a plan to be in good-faith compliance where the plan includes on any physical or electronic ID card the following:
        1. the applicable major medical deductibles and out-of-pocket maximum;
        2. telephone number;
        3. website address for individuals to seek consumer assistance and access additional applicable deductibles and maximum out-of-pocket limits (additional limits could also be provided on a website accessed through a Quick Response code on the ID card or through a hyperlink in the case of a digital ID card).
  4. Advanced EOBs Effective Date Delayed.  The CAA requires an advanced EOB in certain circumstances for plan years on or after January 1, 2022.
    1. No Regulations Coming.  The government does not intend to issue regulations addressed the advanced EOB requirement prior to the effective date.
    2. But No Enforcement.  Because the government understands the complexity involved in the advanced EOB and related requirements, the government will not enforce this rule – so plans do not need to provide an advanced EOB for plan years beginning on or after January 1, 2022.
  5. No Gag Clauses.  As to the CAA requirements that generally prohibit plans from entering into an agreement that restricts the plan from disclosing cost and quality of care information, which were effective December 27, 2020, the government does not intend to issue regulations anytime soon – but does expect compliance.
  6. Provider Directory Requirements.  The CAA requires plans to establish a process to update and verify the accuracy of provider directory information, among other things.  These provisions apply for plan years beginning on or after January 1, 2022.  The government does not intend to issue regulations on these requirements any time soon.  Plans are expected to implement these provisions using a good faith, reasonable interpretation of the requirements, but this appears to require plans to financially stand behind any incorrect information given to plan participants.
  7. Deferred Disclosure Deadline for Pharmacy and Other Information.  The CAA requires plans to report certain prescription drug expense and other information to the government (e.g., 50 most frequently dispensed drugs; total number of paid claims for each drug; etc.) by December 27, 2021 – and then annually by June 1 (beginning June 1, 2022).  The government is not going to enforce the first deadline of December 27, 2021 or the second of June 1, 2022.  The government encourages plans to be working towards compliance by December 27, 2022 (for 2020 and 2021 data).

Nevertheless, the Affordable Care Act Persisted

On June 17, 2021, the U.S. Supreme Court issued its ruling in California v. Texas on a challenge to the constitutionality of the Affordable Care Act (“ACA”). This was the third major challenge to the ACA since it was enacted in 2010.

In this case several states and two individual plaintiffs alleged that the individual mandate penalty, which was reduced to zero dollars under the Tax Cuts and Jobs Act of 2017, was unconstitutional, and, as a result, the entire ACA should fall. By a vote of 7-2, the justices held that the plaintiffs did not have legal standing to challenge the individual mandate because they did not show a past or future injury that would be traceable to any allegedly unlawful Government conduct in enforcing the individual mandate.

Because the case was dismissed for a lack of standing, the U.S. Supreme Court did not review or decide whether the penalty-less individual mandate or the rest of the ACA is constitutional.  Accordingly, the ACA remains in full effect, and this decision has no practical impact on individuals, plan sponsors, insurers, the health care system and beyond.

Coming Soon to a 401(k) Near You: SECURE 2.0

On May 5, 2021, the Ways and Means Committee in the U.S. House of Representatives showed a rare sign of bipartisanship by unanimously passing the Securing a Strong Retirement Act of 2021 – more commonly known as SECURE 2.0. The bill builds on a number of items that were included in the SECURE Act that passed in late 2019 and also includes many new retirement plan features. While a number of similar bills have been proposed since the original SECURE Act was passed, the fact that this bill unanimously passed committee is a good indicator that this one has legs.

The bill contains a number of provisions to encourage employees to save more, but it also contains a number of important revenue-raising changes (i.e. changes that accelerate taxation of retirement benefits). Below is a list of some important changes included in SECURE 2.0 that may make their way into law should the bill continue to progress so smoothly.

  1. Student Loan Repayments

SECURE 2.0 builds on the student loan relief that was included in the CARES Act in 2020 and more recently in the American Rescue Plan Act that passed earlier this year.

When employees make payments on student loans, SECURE 2.0 allows employers to treat those payments as if they were elective deferrals to the 401(k) plan and make “matching” contributions to the participant’s 401(k) account. Special nondiscrimination testing is permitted in the event too many non-highly compensated employees stop making traditional elective deferrals to the plan and instead make student loan payments.

The match would be permitted on “qualified student loan payments.” The student loan payments, plus actual elective deferrals to the 401(k) plan, cannot exceed the existing annual limit on deferrals ($19,500 in 2021), and student loan payments must be made for “qualified higher education expenses,” which is essentially the cost of attendance. Matching contributions for student loan payments must be made at the same rate as traditional elective deferrals, and the employees must otherwise be eligible to receive the match if they instead chose to make elective deferrals. Finally, the matching contributions for student loan payments must vest under the same schedule as other matching contributions.

  1. Expanding Automatic Enrollment

Automatic enrollment features would be required for new plans – any plans existing when the bill becomes law (if and when that may happen) would be grandfathered and not required to implement automatic enrollment. The automatic enrollment feature must be an EACA, meaning it would require permissible withdrawals by participants and be subject to the uniformity rule.

Each participant would initially be subject to a 3% automatic contribution, and that would increase by 1% each year up to at least 10%, but the employer could choose to increase the cap up to 15%. Of course, an employee could always affirmatively elect a different contribution. There are some exceptions for certain types of plans and employers.

  1. RMD Age Increases

The bill proposes to increase the age for required minimum distributions (“RMDs”) yet again. Recall that the original SECURE Act increased the RMD age from 70.5 to 72. SECURE 2.0 proposes to gradually increase the RMD age from 73-75 over the course of 2021-2032.

  1. Changes to Catch-Up Contributions

Currently, participants over the age of 50 are permitted to contribute elective deferrals in excess of the normal limit (in 2021, an extra $6,500). SECURE 2.0 increases the contribution limit to $10,000 for participants between age 62 and 65, and the limit would continue to be adjusted for cost of living changes. Additionally, catch-up contributions to IRAs would be indexed and increase with cost of living changes.

In a revenue-raising move, SECURE 2.0 requires all catch-up contributions to be designated Roth contributions – presumably to allow the government to reap the income tax benefits sooner than it otherwise would.

  1. Roth Matching Contributions

Participants would be given the opportunity to elect for employer matching contributions to be designated as Roth. While this may help participants in their tax planning strategy, this is also a revenue-raising mechanism (i.e. it requires taxation in the year of contribution rather than when the matching contributions are finally distributed likely years or decades later).

Again, this is just a small sample of the many changes included in SECURE 2.0. While this is not law yet, be on the lookout for this bill, or one very similar, to make its way to the full House, the Senate, and even the President’s desk by late summer or early fall 2021.

And The Hits Just Keep on Coming: New DOL Guidance on Cybersecurity

Today, the DOL announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect retirement benefits.  This is the first time the department’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance.

Below is what they released today with web links – and some quick-read bullet points for you below:

  1. Tips for Hiring a Service Provider with Strong Cybersecurity Practiceshttps://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf
    • Plan sponsors should use service providers that follow strong cybersecurity practices.
    • Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.
    • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
    • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).
    • When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.  You should check to make sure you know what requirements your recordkeeper puts on plan participants in order for the participant’s account to be made whole by the recordkeeper if there is a theft (e.g., do they require two-factor authentication in order for the recordkeeper’s “guarantee” to apply?).
    • They identified a list of contractual provisions that your contract with service providers should contain.
    • I would go over this at your next plan committee meeting with your recordkeeper and any other service providers – and document the review in your minutes.
  2. Cybersecurity Program Best Practiceshttps://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf
    • ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
    • States that plan service providers should “conduct prudent annual risk assessments” and “[h]ave a reliable annual third party audit of security controls.”
    • Outlines what makes a prudent, well-documented cybersecurity program.
    • Again, ask your recordkeeper to provide a summary of how their program meets these standards – so your plan committee can be aware of that and document it for their minutes.
  3. Online Security Tips for Retirement Plan Participantshttps://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf
    • I would consider having your recordkeeper send tip sheet to plan participants asap.
  4. DOL Press Releasehttps://www.dol.gov/newsroom/releases/ebsa/ebsa20210414

DOL Issued FAQs and Four Model COBRAs Yesterday – Take Action Right Now

Yesterday (April 7), the Department of Labor issued a series of frequently asked questions (“FAQs”) regarding the COBRA provisions of the American Rescue Plan of 2021 (“ARP”) – along with four model COBRA notices.  The FAQs clarify a number of issues.  Employers need to take action right now.

You might recall that on March 11, 2021, President Biden signed the ARP, which subsidizes the full COBRA premium for certain individuals for periods of coverage from April 1, 2021 through September 30, 2021.  To qualify for this free COBRA, individuals must: (1) have a COBRA-qualifying event that is a reduction in hours or an involuntary termination of employment; (2) elect COBRA coverage; (3) not be eligible for Medicare; and (4) not be eligible for coverage under any other group health plan (e.g., their new employer’s plan or their spouse’s plan).  As discussed in our March 15th blog post, this free coverage is also available to qualifying individuals who already lost coverage and who could have had COBRA coverage during the period from April 1, 2021 to September 30, 2021 (“Expired COBRA Participants”).  Expired COBRA Participants likely include individuals who lost coverage going all the way back to November 2019.

The ARP also imposes new related notice obligations and deadlines on employers.  The model notices issued yesterday are intended to help employers meet their obligations.

You might also recall that in late February, before the ARP, the Department of Labor released EBSA Disaster Relief Notice 2021-01 (“Notice 2021-01”), which extended (among other things) the deadlines for individuals to elect COBRA and pay for COBRA – by essentially giving every COBRA qualified beneficiary their own one-year period to make such an election or payment.  And that notice also has different notice obligations.

All of these rules, requirements, and notices make all of this way too complicated right now.  The following is an attempt to provide a quick summary and some recommendations:

  1. Employees Have One Year to Elect and Pay for COBRA

Notice 2021-01 provides disaster-related relief that extends, among other things, the deadline for qualified beneficiaries to elect and pay for COBRA.  Normally, qualified beneficiaries generally have 60 days to elect COBRA coverage.  For the period beginning March 1, 2020 through the end of the National Emergency (which is ongoing and we have no idea when it will end), Notice 2021-01 disregards the normal 60-day election period, and gives qualified beneficiaries until the earlier of (a) one year from the date they would normally have to elect COBRA, or (b) 60 days after the announced end of the National Emergency (the end of the “Outbreak Period”).  For example, if a qualified beneficiary would have been required to make a COBRA election by March 1, 2020 (the end of the normal 60-day election period), Notice 2021-01 delays that requirement until February 28, 2021, which is the earlier of one year from March 1, 2020 or the end of the Outbreak Period.

This extension works the same way with the COBRA premium payment deadline – and certain other deadlines like the normal 30-day deadline (under HIPAA special enrollment) to notify a plan and elect coverage due to a marriage, birth, or adoption.

  1. You Should Notify Affected Individuals of the One-Year COBRA Extension

For any individual who could benefit from the one-year extension described above, Notice 2021-01 states that plan administrators may need to revise their previously-issued COBRA election notice that was given to the individual before the recent extension – so that affected individuals are aware of their rights.  Thus, you likely need to determine who lost coverage and qualified for COBRA on or after March 1, 2020 and determine who needs to be sent a revised/updated notice that explains the one-year extension.

You need to do the same thing for anyone who could benefit from the same extended deadline to pay their COBRA premiums.

On a related note, Notice 2021-01 also indicates that plans should consider ways to ensure that participants who are losing coverage under their group health plans are made aware of other coverage options that may be available to them, including the opportunity to obtain coverage through the Health Insurance Marketplace in their state.

  1. You Should Consider Sending a General Notice to All Participants Explaining the One-Year Extension

You should consider sending a general notice to all plan participants explaining the one-year extension under Notice 202101 – so that participants understand their rights as it relates to HIPAA special enrollment, COBRA, and claims and appeal deadlines (which also have the same one-year extension).  You likely do not know all of the potential HIPAA special enrollment events that your employees may have already experienced, or will experience, so a general notice would notify a broader group than the targeted COBRA notices mentioned above under #2.

  1. Free COBRA Applies to All Group Health Plans – Except FSAs

The FAQs issued yesterday confirm that the free COBRA applies to all group health plans (except FSAs), including excepted benefits (e.g., dental).

  1. For Those Losing Coverage Between April 1, 2021 – September 30, 2021, You Need to Give Them a Notice Regarding the Free COBRA

The ARP requires employers to send a general notice to all qualified beneficiaries who have a qualifying event that is a reduction in hours or an involuntary termination of employment from April 1, 2021 through September 30, 2021.  This notice may be provided separately or with the COBRA election notice following a COBRA qualifying event.  There are specific requirements regarding what the notice must contain.

The DOL provided a model election notice for this yesterday, which you can find here:  https://www.dol.gov/agencies/ebsa/laws-and-regulations/laws/cobra/premium-subsidy.

  1. You Need to Send A Notice by May 31, 2021 to Qualifying Individuals Who Had A COBRA Event Before April 1, 2021 – Including Expired COBRA Participants

As mentioned above, certain Expired COBRA Participants – who lost coverage prior to April 1, 2021 and who either did not elect COBRA when it was first offered or who elected COBRA but then dropped the coverage – are also entitled to the free COBRA provided by the ARP.  These Expired COBRA Participants must receive a notice of the extended COBRA election period informing them of this free coverage opportunity.

For anyone else who qualifies for the free COBRA and who had a qualifying event before April 1, 2021, they too must receive a notice of their right to the free COBRA.

The notice must be provided to these individuals by May 31, 2021.  These individuals then have 60 days after the notice is provided to elect the free COBRA.

The DOL also provided a model notice for this, which you can also find at https://www.dol.gov/agencies/ebsa/laws-and-regulations/laws/cobra/premium-subsidy.

  1. Free COBRA Reimbursed Directly to the Employer

Individuals who qualify for the free COBRA coverage do not have to pay any of the COBRA premium for the period of coverage from April 1, 2021 through September 30, 2021.  The premium is reimbursed directly to the employer through a COBRA premium assistance credit.

  1. No One-Year Extension of Deadline to Elect Free COBRA

For the individuals described above under #6, as mentioned they have 60 days after receiving the required notice to elect free COBRA.  The guidance issued yesterday makes it clear that this 60-day deadline is a real 60-day deadline, i.e., the one-year extension described above under #1 does not extend the 60-day deadline to elect free COBRA under the ARP.

  1. Don’t Forget to Amend Your Plan for All of the Above

You likely need to amend your plan to reflect all of the above, i.e., the one-year extension and the free COBRA.  Also, please don’t forget that you likely need to amend your plan to provide that COVID vaccinations are provided free with no cost sharing.  We have seen several plans lately that amended their terms last year to reflect free COVID testing but have not yet been amended to reflect the required free COVID vaccine benefit.

New IRS Guidance on COVID-19 Related PPE Expenses

On March 26, 2021 the IRS released Announcement 2021-7, which provides that amounts paid for personal protective equipment for the primary purpose of preventing the spread of COVID-19 are treated as amounts paid for medical care under Section 213(d) of the Internal Revenue Code.  This means that amounts paid for things such as masks, hand sanitizer and sanitizing wipes may be:

  1. eligible to be paid or reimbursed under a health FSA, HSA, or HRA, if the plan terms allow, or
  2. claimed as an itemized deduction on a taxpayer’s income tax return provided that (a) the amounts are not reimbursed by insurance or otherwise, and (b) the taxpayer’s total medical expenses exceed 7.5% of the taxpayer’s adjusted gross income.

This guidance also provides that a health FSA, HSA or HRA that does not currently allow for reimbursement of COVID-19 related PPE expenses may be amended to allow for reimbursement of such expenses incurred on or after January 1, 2020.  Accordingly, employers who sponsor a health FSA, HSA or HRA may want to review their cafeteria plan or other relevant plan documents to determine if an amendment is needed.  Plans may be amended retroactively as long as the amendment is adopted no later than the last day of the first calendar year beginning after the plan year in which the amendment is effective, no retroactive amendment is adopted after December 31, 2022, and the plan is operated consistent with the terms of the amendment.

Contribution Limit for Dependent Care Assistance Programs Temporarily Increased

Earlier this month, the American Rescue Plan Act of 2021 (“ARPA”) became the latest COVID relief package passed by the federal government. ARPA, just like the many COVID relief packages that came before it, contains a number of changes that benefits professionals will want to become familiar with.

Only for 2021, ARPA allows employers to amend their dependent care assistance programs (“DCAPs”) to allow employees to contribute up to $10,500 for the tax year (or $5,250 for individuals married and filing separately). This is undoubtedly welcome relief to parents and caregivers who are likely to be returning to work in 2021 and unable to care for kids who may have not yet returned to school or other family members who continue to stay at home and need assistance. This change allows employees to pay for more of those increased dependent care costs with pre-tax dollars.

Employers generally maintain DCAPs as part of their cafeteria plans, which allow employees to contribute pre-tax dollars to a variety of qualified benefits. These contributions, in turn, reduce the employee’s taxable income. While employees are typically locked into their elections for the entire year, employees may be able to prospectively increase their DCAP election under previous IRS guidance released last month if the plan is so amended.

Prior to the ARPA change, the maximum amount that an employee could contribute to a DCAP and exclude from his or her gross income was $5,000 per tax year (or $2,500 for individuals married and filing separately).

A cafeteria plan that adopts these changes will be deemed to comply with the Code §§ 125 and 129 rules governing cafeteria plans and DCAPs. Employers may implement this change operationally now, but plans must be retroactively amended no later than the last day of the plan year in which the amendment is effective, and the plan must be operated consistent with the terms of the amendment on its effective date and ending on the date the amendment is adopted.

COBRA is Now Free and Very Complicated

Late last week, President Biden signed the American Rescue Plan Act of 2021 (“ARPA”), which makes COBRA continuation coverage free for certain qualifying-individuals and their families from April 1, 2021 to September 30, 2021.  This free coverage is available to those who lose group health plan coverage because either:

  1. they are terminated (not including resignations); or
  2. their hours are reduced.

So, all you have to do is remember this for those who become eligible for COBRA for one of these two reasons from April 1, 2021 to September 30, 2021, right?  No, it is not that easy.  This free coverage is also available to those who already lost coverage because of one of these two reasons and who could have had COBRA coverage during the period from April 1, 2021 to September 30, 2021 (“Expired COBRA Participants”).  Expired COBRA Participants would include those who either failed to elect COBRA coverage during their normal 60-day (but now-expired) election period and those who elected COBRA coverage but discontinued that coverage before April 1, 2021.  Expired COBRA Participants would likely include individuals going all the way back to November of 2019.

New Election Period.  Expired COBRA Participants have a new 60-day election period that begins April 1, 2021 to newly-elect COBRA, but this does not extend their normal COBRA period (e.g., if they were entitled to 18 months of COBRA because of a termination of employment that occurred in November of 2019, their coverage would still expire April 2021).

New Notice Requirement.  Employers are required to notify the individuals described above of this new free coverage and its availability, including Expired COBRA Participants.  The ARPA requires the federal government to issue a model notice for this purpose by April 10, 2021.

Bottom Line.  We suggest you immediately get with your COBRA administrator and make sure they are on top of these new rules.  You will want to identify individuals who could have been entitled to COBRA (because of job loss or reduction in hours) during the period from April 1, 2021 to September 30, 2021 – including Expired COBRA Participants – because you are going to have to give them a new notice and a new election period.  Given the very complicated guidance (DOL Notice 2021-01) we received a few weeks ago that basically gives every COBRA-qualifying individual their own one-year extended period to elect COBRA coverage, and that guidance’s own notice requirements (in addition to that described above), COBRA is now free and very complicated.

If you have any questions, including any questions about how the subsidy will be paid to the plan or plan sponsor, please let us know.

New IRS Guidance Provides Even More Flexibility for Cafeteria Plans, FSAs, and DCAPs

You might recall that in December 2020, Congress passed the year-end funding bill known as the Consolidated Appropriations Act, 2021 (“CAA”), which contained provisions that provide significant flexibility for flexible spending accounts (“FSAs”) and dependent care assistance plans (“DCAPs”) in 2020 and 2021.  Last week, on February 18, 2021, the IRS released Notice 2021-15 to clarify certain aspects of the CAA and to provide even more flexibility than that provided in the CAA.  Here is a brief overview of both the CAA and Notice 2021-15:

CAA:

  1. 2020 FSA/DCAP CARRY OVER. For plan years ending in 2020, FSAs and/or DCAPs can allow participants to carryover any unused benefits for contributions remaining from 2020 in to the 2021 plan year.
  2. 2021 FSA/DCAP CARRY OVER. For plan years ending in 2021, FSAs and/or DCAPs can allow participants to carry over any unused benefits or contributions remaining from 2021 into the 2022 plan year.
  3. EXTENDED FSA/DCAP GRACE PERIOD. Employers can extend the FSA or DCAP grace period for the plan years ending in 2020 and/or 2021 to 12 months after the end of the year, with respect to unused benefits/contributions remaining at the end of the year. (This extends the permissible period for incurring claims.)
  4. POST-TERMINATION FSA REIMBURSEMENTS. Employers can allow an employee who ceases participation in the plan during calendar year 2020 or 2021 to continue to receive reimbursements from unused benefits or contributions through the end of the plan year when participation ceased (including any grace period).
  5. SPECIAL DCAP CARRY FORWARD. Typically, expenses may only be reimbursed under a DCAP for a qualifying child who has not attained age 13. Instead of the normal age 13 age limit, the CAA pushes the age limit to age 14 – during the plan year where the end of the regular enrollment period was on or before January 31, 2020 (i.e., enrollment period for 2020 plan year would have been in 2019). AND if there was an unused balance at the end of 2020, age 14 can be used in the 2021 plan year.
  6. PROSPECTIVE MODIFICATION FOR 2021 PLAN YEAR. For the plan year ending in 2021, an FSA or DCAP can allow an employee to make an election to prospectively modify the amount of employee contributions to the arrangement without regard to any change in status.
  7. PLAN AMENDMENT REQUIREMENT. A plan amendment must be adopted by the last day of the first calendar year beginning after the end of the plan year in which the amendment is effective (i.e., if amendment is effective 12/31/20, must adopt an amendment by 12/31/21).

  IRS Notice 2021-15

 IRS Notice 2021-15 restates and clarifies certain aspects of the CAA, and it also provides additional flexibility.  The following outlines most, but not all, of the Notice 2021-15 guidance.

  1. NEW CAFETERIA PLAN FLEXIBILITY. In addition to the CAA changes, this notice provides additional relief for mid-year elections for plan years ending in 2021.  Thus, a plan can allow employees to:
    • NEW ELECTION. Make a new election on a prospective basis, if the employee initially declined to elect coverage.
    • REVOKE ELECITON AND MAKE NEW ELECTION. Revoke an existing election and make a new election to enroll in different coverage prospectively.
    • REVOKE ELECTION IF OTHER COVERAGE. Revoke an existing election on a prospective basis if attest in writing that the employee is enrolled, or immediately will enroll, in other health coverage not sponsored by the employer.  Employer must get attestation.
  2. CAN LIMIT FSA/DCAP CARRYOVER. For the carryover authorized by the CAA (described above), an employer may limit the carryover to an amount less than all unused amounts and may limit the carryover to apply only up to a specified date during the plan year.
  3. EVEN IF HISTORICALLY NO CARRY OVER OR GRACE PERIOD. Even if the plan does not typically allow a carry over or have a grace period, it can be amended to add them, per the discussion above.
  4. IMPACTS HSA ELIGIBLITY. The Internal Revenue Code allows eligible individuals to establish and contribute to health savings accounts (“HSAs”).  To be an eligible individual, the individual must (among other requirements) not be covered under any health plan that is not a high-deductible health plan (“HDHP”).  Notice 2021-15 clarifies that the carryover of unused amounts to the 2021 plan year or the 2022 plan year is an extension of coverage by a plan that is not a HDHP. Thus, an individual cannot make HSA contributions during a month in which the individual participates in a general purpose FSA to which unused amounts are carried over.
  5. CAN ALLOW EMPLOYEES TO OPT OUT OF CARRYOVER. Employers may amend their plans to allow employees, on an individual basis, to opt out of the carryover or grace period to preserve HSA eligibility.
  6. CAN LIMIT GRACE PERIOD. Employer can adopt an extended grace period for incurring claims that is less than 12 months and may choose to adopt a period that ends before the last day of the plan year.
  7. CAN LIMIT POST-TERMINATION AMOUNT. For reimbursements that can occur post-termination (see #4 above under CAA discussion), the employer can limit the reimbursement available to only those salary reduction contributions made from the beginning of the plan year to the date the employee ceased to be a participant.
  8. GRACE PERIOD AND POST-TERMINATION. An employer that adopts the extended grace period may also allow employees who ceased participation earlier in the year (see #4 above under CAA discussion) to further extend the period for incurring claims, e.g., John terminated employment in 2020 and his employer extends the grace period for 2020 to the end of 2021 – which would allow John to also incur claims through the end of the extend grace period. But if the employer instead adopted the carryover (and not the extended grace period), John could not take advantage of the carryover.
  9. NORMAL RULES APPLY FOR CARRYOVERS AND GRACE PERIODS IN 2022 OR LATER. After 2022, the normal rules apply for carryovers and grace periods, e.g., the most that an employee may carryover from the 2022 plan year to 2023 is $550.