Let our team help you navigate the ever-changing benefits compliance landscape each month. Check out this month’s latest alerts, additional updates, and resources hot off the press:

Employee Benefits Compliance Alerts

This month’s Compliance Matters newsletter provides a comprehensive review of the following topics. To obtain your copy, please use the form below to download.

Compliance newsletter previews
  • Fiduciary Duties Include Broker Compensation Disclosures
  • Employer Options for Offering Retiree Coverage
  • 2024 State Regulation Series: San Francisco HCSO

Additional Updates & Resources

IRS Provides Clarification on Spending Accounts and Medical Expenses

On March 6, 2024, the Internal Revenue Service (IRS) released IR 2024-65, a news alert to remind taxpayers and health plan spending account administrators that personal expenses for “health and wellness” are not medical expenses as defined by the Internal Revenue Code (IRC). This means that these types of expenses are not reimbursable under health flexible spending accounts (FSAs), health reimbursement arrangements (HRAs) or health savings accounts (HSAs). In the alert, IRS commissioner Danny Werfel states, “Legitimate medical expenses have an important place in the tax law that allows for reimbursements…But taxpayers should be careful to follow the rules amid some aggressive marketing that suggests personal expenditures on things like food for weight loss qualify for reimbursement when they don’t qualify as medical expenses.” 

The IRS specifically states that self-reported health information is insufficient to satisfy the requirement related to a targeted diagnosis for a health treatment or activity. This is true even with a doctor’s note when that note is based on self-reported information.

The IRS provides the following example: “A diabetic, in his attempts to control his blood sugar, decides to eat foods that are lower in carbohydrates. He sees an advertisement from a company stating that he can use pre-tax dollars from his FSA to purchase healthy food if he contacts that company. He contacts the company, who tells him that for a fee, the company will provide him with the ‘doctor’s note,’ that he can submit to his FSA to be reimbursed for the cost of food purchased in his attempt to eat healthier. However, when he submits the expense with the ‘doctor’s note,’ the claim is denied because food is not a medical expense and plan administrators are wary of claims that could invalidate their plans.”

The IRS encourages taxpayers to review the frequently asked questions on the IRS website for more information on medical expenses related to nutrition, wellness and general health and to determine whether a food or wellness expense is a qualified reimbursable medical expense. 

OCR Issues Letter on Cyberattack

Change Healthcare, a healthcare technology company owned by UnitedHealth Group (UHG), experienced a major cyberattack in February 2024 that impacted healthcare facilities, providers and patients across the country. On March 5, 2024, the Department of Health and Human Services (HHS) issued a statement about the cyberattack.

In response to the cyberattack, the HHS Office for Civil Rights (OCR), the division of HHS that enforces the Health Insurance Portability and Accountability Act (HIPAA), issued a letter announcing that, given the “unprecedented magnitude” of the attack, OCR will begin an investigation into the incident. According to the letter, the investigation will focus on whether a breach of protected health information (PHI) occurred, and whether Change Healthcare and UHG were in compliance with HIPAA’s privacy, security, and breach notification rules. The letter provides a list of HHS resources to help covered entities and business associates protect themselves from cyberattacks.

The letter states, “OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules. Safeguarding protected health information is a top priority.”

EPIC is continuing to monitor developments with the cyberattack and will provide updates as needed. 

EBSA Enforcement

The Employee Benefits Security Administration (EBSA), a division of the Department of Labor (DOL), recently released a summary of 2023 enforcement activities. Learn more in the news release and fact sheet. The fact sheet outlines EBSA’s efforts for complaint resolution and states that $1.4 billion was recovered for workers in 2023. 
