Search the News Archive

DOL Brings Back Self Audit Settlement Option for Employers

"Employees are not compelled to accept the proposed payment, and can pursue private litigation ... A company cannot explore participation anonymously, but must self-identify and provide information about its non-compliance.... USDOL may not agree with the employer's proposed monetary remedy, but may demand more unpaid wages.... The program can also now be used to correct mistakes in the administration of the Family and Medical Leave Act [FMLA]."

Audits Heat Up HIPAA Liability: What to Do Now to Mitigate Risk

In November 2011, the Office for Civil Rights (OCR) began audits to assess compliance with the HIPAA Privacy, Breach Notice, and Security Rules. The OCR compliance audits will be conducted by KPMG LLP and generally will consist of an initial document request, an onsite visit by the auditors, and then negotiation of an audit report.

Cafeteria Plan Claims Substantiation

"[Chief Counsel Advice Memorandum 202317020] suggests that the following methods are not sufficient to fully substantiate claims: [1] Self-certification method  ... [2] Sampling method  ... [3] De minimis method ... [4] Favored providers method  ... [] Anticipated DCA expenses method."

DOL Changes Participant Count Methodology for Plan Audit Threshold

"[T]he new rule will count only the number of participants and beneficiaries with account balances at the beginning of the plan year.... DOL expects this change to reduce the number of plans that must file as large plans by nearly 19,500 filings.... This is effective immediately for plan years beginning on or after January 1, 2023."

SECURE 2.0 Timeline

List of SECURE 2.0's major retirement plan provisions, organized by effective date.

Employer Avoids 'Cat's Paw' Liability in FMLA Retaliation Case Through Independent Review

"While assuming that a cat's paw theory can be applied in FMLA cases, the Tenth Circuit rejected [the employee's] arguments that the evidence supported a finding of liability under that theory.... The court found no evidence to demonstrate that the manager's investigation was influenced by the supervisor's alleged bias, or that the manager failed to conduct an independent review of the evidence presented." [Parker v. United Airlines, Inc., No. 21-4093 (10th Cir. Sep. 26, 2022)]

EEOC Conciliation Agreement Highlights Employer Compliance Obligations Under GINA Regarding COVID-19 Policies

"Consistent with its Technical Assistance, the EEOC determined that [a Florida employer] violated GINA by requesting its employees to disclose information about the COVID-19 testing of employees' family members. The EEOC concluded that seeking such testing results constituted impermissible medical questions about the 'manifestation of a disease or disorder of an individual's family members.' The EEOC's investigation apparently did not reveal that [the employer] had otherwise discriminated against its employees on the basis of any genetic information which had been collected. But ... an employer engages in unlawful conduct merely by impermissibly requesting such information."

Plan Cybersecurity Guidance: DOL Enforcement Warrants Plan Sponsor Action

"Although the most detailed piece of the package -- the best practices summary -- is framed as applying to plan service providers (such as recordkeepers and administrators), enforcement actions already implemented suggest that these standards likely also apply to plan-related information maintained by the plan fiduciary.... [P]lan sponsors and fiduciaries should be aware that this cybersecurity guidance likely applies to all plans governed by ERISA, not just retirement plans."

Plan Administrators, (Re)start Your Timers: Deadlines Extended by COVID Have One-Year Limit

"[P]erhaps more importantly than the deadline guidance, [EBSA Disaster Relief Notice 2021-01] notes that plan fiduciaries must make 'reasonable accommodations' to minimize the possibility of individuals losing benefits/rights because of a failure to comply with deadlines."

Million Dollar Laptop: The Perils of HIPAA, Encryption, and Mobile Devices

"[HHS] has closed an investigation into a Rhode Island health system stemming from a 2017 breach.... The incident is a reminder to all HIPAA-regulated organizations, whether covered entities or business associates, of the necessity of encrypting all mobile data devices.... [A]ccess to encrypted data does not constitute a breach."