🗓️ October 2024
Keeping HR pros updated with important compliance, benefits, and human resources information.
Deadline for Submitting Gag Clause Attestation is Dec. 31, 2024
Health plans and issuers must annually submit an attestation of their compliance with the CAA’s prohibition of gag clauses to the Departments. The first attestation was due on Dec. 31, 2023, covering the period beginning Dec. 27, 2020, through the date of the attestation. Subsequent attestations are due on Dec. 31 of each following year, covering the period since the last attestation. The deadline for submitting the next attestation is Dec. 31, 2024.
According to the Departments’ FAQs, health plans and issuers that do not submit their attestations by the deadline may be subject to enforcement action.
Covered Health Plans
The attestation requirement applies to fully insured and self-insured group health plans, including ERISA plans, nonfederal governmental plans and church plans. Additionally, this requirement applies regardless of whether a plan is considered “grandfathered” under the ACA. However, plans that provide only excepted benefits and account-based plans, such as health reimbursement arrangements (HRAs), are not required to submit an attestation.
Relying on Issuers/TPAs to Submit Attestation
With respect to fully insured group health plans, the health plan and the issuer are each required to submit a gag clause compliance attestation annually. However, when the issuer of a fully insured group health plan submits a gag clause compliance attestation on behalf of the plan, the Departments will consider the plan and issuer to have satisfied the attestation submission requirement.
Employers with self-insured health plans can satisfy the gag clause compliance attestation requirement by entering into a written agreement under which the plan’s service provider, such as a TPA, will provide the attestation on the plan’s behalf. However, even if this type of agreement is in place, the legal requirement to provide a timely attestation remains with the health plan. Also, some service providers have indicated they are unwilling to submit attestations for their self-insured groups. In this case, employers need to submit the attestations for their health plans.
Submitting Attestations
Gag clause attestations must be submitted electronically by completing a CMS web form. The Departments have provided instructions for submitting the attestation, a system user manual and FAQs, all of which are available here.
Summary Annual Report Due
The Summary Annual Report (SAR) is a disclosure requirement under ERISA. The SAR acts as a narrative of the Form 5500 for employee benefit plans. It includes financial statements, funding requirements, and participants’ rights. The SAR must be provided to participants and enrolled beneficiaries within nine months after the end of the plan year, or two months after the due date for filing Form 5500.
Employer Considerations:
Plan administrators can distribute the SAR using the following methods:
- By hand
- By mail
- In a company newsletter or other company publication for employees
Electronically, but only if the participant has consented to electronic delivery and has the option to receive a paper copy upon request.
All plan participants also have the right to request a copy of the SAR at any time.
Failing to distribute the SAR is a violation of ERISA regulations. However, there is no specific penalty for employers failing to provide the SAR as required. If a plan participant or beneficiary requests a copy of the SAR and doesn’t receive it within 30 days of that request, a fine of $110 per day until you provide the SAR may apply.
Michigan ESTA Update: What You Need to Know
As we approach the effective date, Feb. 21, 2025, of the Michigan Employee Sick Time Act (ESTA), it’s essential for employers to be fully prepared to comply with this important legislation. The ESTA mandates that employees accrue paid sick leave for their time worked, offering vital protections for their health and well-being. This new requirement means that all eligible employees can earn and utilize paid sick leave for various reasons, including personal illness, preventive care, or caring for a family member.
At Nulty Insurance, we understand that navigating the complexities of the ESTA can be overwhelming. Our team is here to support you every step of the way, ensuring you have the necessary resources and strategies in place to implement these changes effectively. Whether it’s reviewing your current policies, educating your team, or assisting with compliance strategies, we are committed to helping you create a supportive and compliant workplace.
Don’t wait until the last minute!
Email us at to discuss how we can help you prepare for the Michigan ESTA and ensure that your organization is ready to meet the new requirements by the effective date.
Mental Health Parity – Final Rules Released
In a recent move that will impact health plans, the U.S. Departments of Health and Human Services, Labor, and Treasury released final rules on September 9, 2024, aimed at strengthening the implantation of the Mental Health Parity and Addiction Equity Act (MHPAEA). These new rules focus on ensuring that mental health and substance use disorder (MH/SUD) benefits are treated equitably compared to medical and surgical (M/S) benefits.
A critical area of focus in these regulations is Nonquantitative Treatment Limitations (NQTLs), which are the criteria that plans use to manage access to benefits. These can range from pre-authorization requirements to step therapy or even network participation rules. The new rules mandate that health plans must not only analyze how these NQTLs are applied to MH/SUD benefits but also compare them to how they are applied to M/S benefits. The goal? To close any gaps that might make it harder for people to access mental health and substance use disorder care.
What’s required of health plans? Plans must perform a comparative analysis detailing how they design and apply these NQTLs. The analysis must explain the factors they use, how the NQTLs are applied, and what conclusions they draw from these comparisons. The hope is that by thoroughly analyzing and documenting their processes, plans will ensure that MH/SUD benefits are on par with M/S benefits – creating more accessible, fair care for all members.
New Definitions to Know:
- Evidentiary Standards: Any evidence or sources a plan considers when designing or applying NQTLs
- Factors: The processes and strategies (but not evidence) used in designing or determining the application of an NQTL.
- Processes: The specific actions or procedures used to apply NQTLs.
- Strategies: Practices or metrics a plan considers when designing NQTLs.
These definitions will be important as health plans prepare to submit their comparative analysis for review. If a plan’s submission doesn’t meet the new standards, they’ll have a chance to correct it. However, if they fail to comply, participants must be notified, ensuring accountability and transparency.
What Employers Need to Do. The final rules take effect for group health plans starting on or after January 1, 2025, with some provisions extending to 2026. Now is the time for employers to start reviewing their health plans, ensuring they are compliant with current MHPAEA standards, and working closely with third-party administrators to prepare for these upcoming changes. Employers can also take advantage of the Department of Labor’s MHPAEA Self-Compliance tool, which includes a step-by-step guide to help conduct the required comparative analyses on NQTLs.
By getting ahead of these new requirements, employers can ensure their health plans are MHPAEA-compliant and prepared for the upcoming regulatory shifts.
2025 ACA Affordability Threshold Announced
On September 16, 2024, the IRS announced the adjustment to the ACA affordability threshold for employer-sponsored health coverage. For plan years beginning in 2025, the affordability percentage will increase to 9.02% up from 8.39% in 2024. This means that Applicable Large Employers (ALEs) can charge employees annual premiums that do not exceed 9.02% of their household income will still meeting the ACA’s affordability requirements. If this threshold is met, employees will not be eligible for federally subsidized coverage through the ACA Marketplace.
Why This Matters for Employers. The employer-shared responsibility mandate under the ACA requires ALEs to provide minimum essential coverage (MEC) to at least 95% of their full-time employees. Failing to do so may result in substantial penalties, particularly if an employee receives a premium tax credit through an ACA Marketplace.
For 2025, the penalties for not complying with the mandate are as follows:
- $241.67 per employee per month (or $2,900 annually per employee) for not offering coverage.
- $362.50 per employee per month (or $4,350 annually per employee) if the coverage is deemed unaffordable or does not meet minimum value requirements.
Given the increase in the affordability percentage, employers have some flexibility to adjust employee contributions without risking penalties. However, it’s critical to ensure that health plans remain affordable and provide the required minimum value.
Safe Harbor Options for Employers. To assist employers in calculating affordability, the IRS has provided three safe harbor options, which allow employers to avoid using household income for the affordability calculation:
- Form W-2 Wages Safe Harbor: The affordability threshold can be based on the employee’s Form W-2 wages for the year, applying the 9.02% affordability rate.
- Rate of Pay Safe Harbor: Employers can calculate affordability based on the employee’s hourly rate of pay, assuming the employee works 130 hours per month.
- Federal Poverty Line (FPL) Safe Harbor: Under this safe harbor, the employee contribution cannot exceed $113.20 per month for mainland U.S. employees in 2025, based on the federal poverty line.
These safe harbor options provide flexibility for employers in ensuring that their health plans meet affordability standards, even if household income data is unavailable.
Planning for 2025. ALEs should take this opportunity to:
- Review their ALE status to determine if they must comply with ACA mandates.
- Assess current health plan affordability under the new threshold to avoid penalties.
- Evaluate the 2025 safe harbor options to determine the most effective method for calculating affordability.
- Prepare for ACA information reporting requirements, which are due in early 2025, ensuring all employee coverage data is accurately reported.
A Broader Context: The ACA in 2025. This affordability threshold increase marks a shift in the ACA’s landscape, reflecting the ongoing adjustments to the law as healthcare costs continue to evolve. Employers should be mindful of the Privacy Rule amendments that went into effect in 2024, which strengthen protections for highly sensitive personal health information (PHI). These regulations add another layer of responsibility to employers, especially those offering health plans. Staying informed about changes in privacy laws and ACA mandates is critical to maintaining compliance.
By proactively evaluating coverage offerings, leveraging safe harbor options, and staying updated on changes in both the ACA and privacy regulations, employers can mitigate risks and better manage the cost of compliance in 2025 and beyond.
U.S. Department of Labor Updates Cybersecurity Guidance for ERISA Plans
The U.S. Department of Labor (DOL) has recently updated its cybersecurity guidance, reaffirming that these best practices apply to all plans governed by the Employee Retirement Income Security Act (ERISA). This updated guidance isn’t limited to retirement benefit plans; it now also applied to health and welfare plans, bringing a wider scope under scrutiny for cybersecurity compliance.
The guidance, issued through a Compliance Assistance Release by the Employee Benefits Security Administration (EBSA), outlines best practices for plan sponsors, fiduciaries, recordkeepers, and participants. The key takeaway? Every ERISA-covered plan must adopt rigorous cybersecurity practices to protect sensitive participant and beneficiary data from cyber threats.
What Does the Guidance Cover? The updated cybersecurity guidelines aim to help ERISA-governed plans across industries tighten their defenses. Some of the highlights include:
- Selecting Cyber-Security Service Providers: Employers and plan sponsors must carefully vet any third-party service providers, ensuring they have adequate cybersecurity in place.
- Best Practices for Cybersecurity Programs: The guidance provides steps for implementing strong internal cybersecurity measures to safeguard the sensitive data associated with these benefit plans.
- Security Tips for Participants: The DOL has also provided online security tips for participants aimed at reducing the risk of unauthorized access to retirement accounts and other sensitive plan-related data.
ERISA-Covered Plans: The Numbers at Risk. The stakes are high: ERISA governs approximately 2.8 million health plans and nearly 765,000 private pension plans, covering 153 million Americans and representing around $14 trillion in assets. Without robust cybersecurity protections, sensitive information such as participant data, beneficiary details, and plan assets could be exposed to cyber-attacks, making the plans and their participants prime targets for hackers.
This updated guidance highlights that protecting these vast pools of data isn’t just a recommendation – it’s a fiduciary responsibility. Under ERISA, fiduciaries must take every reasonable step to protect the data and assets of their participants and beneficiaries. The EBSA will continue to monitor compliance and encourages all plans to enhance their cybersecurity programs to meet these new standards.
What Employers Need to Know. In light of the updated guidance, employers – particularly plan fiduciaries – are advised to take immediate action. Here are a few steps to consider:
- Cybersecurity Self-Audit: Conduct an internal audit of your current cybersecurity practices and safeguards. This should include reviewing how your organization protects sensitive plan data and identifying areas for improvement.
- Gap Analysis: Identify any vulnerabilities or gaps in the current cybersecurity measures of both your health and welfare plans, as well as retirement plans. Understanding where you fall short is the first step towards improvement.
- Service Provider Audits: Review the DOL’s Tips for Hiring a Service Provider, then conduct a cybersecurity audit of your current vendors and recordkeepers to ensure they meet the new standards.
- Online Security Education: Provide online security tips to employees and plan participants, ensuring they understand how to protect their personal data when accessing their accounts online.
- Document Cybersecurity Practices: It’s crucial to document every step taken to comply with these new guidelines. This should be part of your fiduciary governance process and cover all oversight of health, welfare, and retirement plans.
Why This Matters: With more platforms moving to remote or electronic service providers, the risk of cyberattacks targeting benefit plans is at an all-time high. In 2023 alone, cybersecurity attacks on healthcare organizations, recordkeepers, and financial service providers increased significantly, putting countless participants at risk. The DOL’s updated guidance is a timely reminder for employers to review, enhance, and document their cybersecurity efforts – not just for compliance, but for the safety of their employees and their hard-earned benefits.
By taking these proactive steps, employers can help mitigate the risks of cyber threats and protect both their plans and participants from the growing risk of data breaches. As this landscape continues to evolve, staying up to date on cybersecurity best practices is no longer optional – it’s essential.
Question of the Month
Q. Can an employee enrolled in Medicare contribute to a medical flexible spending account (FSA) or would it have to be a limited purpose FSA?
A. The employee can contribute to an FSA. It does not have to be a limited purpose FSA.