Let our team help you navigate the ever-changing benefits compliance landscape each month. Check out this month’s latest alerts, additional updates, and resources hot off the press:

Employee Benefits Compliance Alerts

This month’s Compliance Matters newsletter provides a comprehensive review of the following topics. To obtain your copy, please use the form below to download.

Compliance newsletter previews
  • Next Round of PCORI Fees Due July 31, 2024
  • Form 5500 Frequently Asked Questions
  • Recent Updates on Pharmacy Benefit Manager (PBM) Legislation
  • Medicare Secondary Payer Considerations for Small Employers
  • UNUM & DOL Reach Settlement in Life Insurance Investigation
  • 2024 State Regulation Series: State-Mandated Short-Term Disability

Download this month’s alerts

Additional Updates & Resources

OCR Updates Change Healthcare Breach FAQs

On May 31, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its set of frequently asked questions (FAQs) addressing the investigation into the cyber attack on Change Healthcare that occurred in February 2024. See our related alert and article.

Since the cyber attack, OCR has released various letters and FAQs about the pending investigation and the responsibilities of business associates under the Health Insurance Portability and Accountability Act (HIPAA). The most recent set of FAQs addresses breach notifications, including the delegation of notifications. One of the key questions addresses whether both a covered entity and a business associate are responsible for the notification and other various notice obligations. In FAQ number seven, OCR states:

Q. May a covered entity delegate its breach notification obligations to Change Healthcare/UHG?A. Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity’s behalf. Only one entity – which could be the covered entity itself or its business associate – needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media. As such, if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations.

Additional FAQs confirm that while the breach notification may be delegated to a business associate, the covered entity remains responsible for its receipt and ensuring that the notification is provided to affected individuals no later than 60 days from the date of breach discovery. Find more information about the Change Healthcare cyber attack.

IRS Releases Guidance on Transportation Refunds

The IRS recently released Information Letter 24-0004, addressing the distribution of unused qualified transportation funds due to the COVID-19 pandemic. The issue in the letter hinges on a constituent requesting to retrieve unused funds because the pandemic prevented her from commuting, and changed her routine so she no longer had reimbursable commuting expenses.

The letter reminds readers that qualified transportation fringe benefits are not qualified benefits under a cafeteria plan and are not part of a flexible spending arrangement, and further explains that unused salary reduction amounts under an employer’s qualified transportation plan can be carried over to subsequent periods and used for future qualified transportation fringe benefits offered under the plan, so long as the employee does not receive benefits that exceed the maximum excludable amount in any month. However, refunds not based on qualifying commuting activity are not permitted. The letter states, “funds designated as qualified transportation fringe benefits must be used on qualifying commuting activity and cannot be refunded to an employee for any other reason.”

While the IRS provided various relief for certain tax-advantaged programs during the COVID-19 pandemic, no relief was extended for commuter programs. These programs already offer benefits in a manner more flexible than other spending accounts and cafeteria plans; therefore, no additional relief is needed.

Building with Columns in Front

More Compliance Resources

side view of columns with line graphic overlay

Sign up for the monthly newsletter.