United States: Drinker Biddle’s HIPAA Compliance Update for Employee Benefit Plans

Last Updated: April 15 2013
Article by Bruce L. Ashton

With this issue, we are launching the Drinker Biddle Employee Benefits Plan Sponsor Newsletter. Our objective is twofold: to provide information that will be helpful to companies that sponsor retirement plans -- both qualified and non-qualified; and to help the employees who work on the plans in either a fiduciary or administrative capacity. We anticipate covering topics ranging from fiduciary obligations, investment related issues, plan operations and reporting and disclosure issues to dealing with IRS and DOL plan examinations and more. When appropriate, we may also address the implications for plan sponsors and fiduciaries of recent court decisions.

Our focus will generally be to address matters we have handled for clients and to provide practical, relevant solutions to common problems: what we sometimes call the "moral of the story." We will also be identifying the audience for which we have written each article, though we hope it will be of value to other readers as well. For example, in this issue, we have the following articles:

  • Based on their extensive work with plan committees, the first article is "Five Practical Tips for Plan Committees to Avoid Fiduciary Liability," by Dave Wolfe and Josh Waldbeser in our Chicago office. This article is written with plan committees in mind.
  • The second, "Check Your Plan Loan Administration," by Summer Conley, in our Los Angeles office, is written for employees who handle plan administrators, but the message applies across the board. Summer's message to plan sponsors is to make sure you keep an eye on your service providers.
  • Third, Brad Campbell, in our DC office, provides an update on recently released guidance from the DOL in "DOL 'Tips' for Selecting Target Date Funds," which should be reviewed by committee members who select investments for participant directed plans.
  • Heather Abrigo's article on "What Plan Sponsors Need to Know About a 'Limited Scope Review'," focuses on DOL investigations. Heather is in our Los Angeles office.
  • Fred Reish, in our Los Angeles office, has provided an article for sponsors of large plans on "Accountant's Audits of Retirement Plans," pointing out that the accountants who audit retirement plans will be asking questions about the process used by plan committees to review the 408(b)(2) disclosures and the steps they took to evaluate the disclosed information.

Finally, we have included a note about the recent Court of Appeals decision in Tibble v. Edison International that highlights the importance of selecting the right share class of investments offered in a participant-directed plan.

Five Practical Tips for Plan Committees to Avoid Fiduciary Liability

By David L. Wolfe and Joshua J. Waldbeser

In recent years, plan committees have become targets of ERISA litigation. This places a premium on meeting their fiduciary obligations. While this may seem daunting, committee members need to recognize that it is not "results," such as investment performance, that determine whether a fiduciary breach has occurred. Rather, it is following (and documenting) a prudent and deliberative decision-making process that allows fiduciaries to avoid liability. The following are some of the steps committees should follow:

1. Observing Formality. Regular committee meetings should be held (preferably quarterly, if possible), with a heavy focus on formal procedures and keeping of minutes.

  • Circulate an agenda and all related materials (such as vendor and adviser reports) reasonably in advance of each meeting.
  • Use the agenda during the meeting as a roadmap for deliberations. A person familiar with the issues should take detailed notes in order to prepare the meeting minutes. Formal votes should be taken as appropriate.
  • After the meeting, the notes should be used to draft detailed minutes. The format should be consistent from meeting to meeting, and should highlight the deliberative process followed at the meeting, with a focus on capturing the decisions reached and the key reasons for each, rather than conversational details. The minutes should be approved by all members soon after each meeting.

2. Emphasizing Expert Advice. When acting on the input of an independent expert, such as an investment adviser, the minutes should reflect the specific advice given and include copies of reports from the adviser. If the committee elects not to follow the advice, the reasons should be thoroughly documented.

3. Receiving Fiduciary Training. Requirements and industry standards for retirement plans are dynamic and constantly evolving. Committee members should be familiar with their basic obligations under ERISA, and should continue to receive regular fiduciary education regarding legal and regulatory developments, litigation trends and other matters that may impact their role. While this is not mandated by ERISA, it is an important facet of a prudent process. The Department of Labor has begun requesting that fiduciaries turn over evidence of fiduciary training as part of its plan investigations, so receipt of such training should be documented in committee records.

4. Separation of Roles. Corporate officers and employees serving on plan committees should avoid commingling deliberations on fiduciary issues (such as selecting and monitoring investments and other service providers) with non-fiduciary issues (such as plan design considerations). All fiduciary issues should be resolved with an eye solely toward the best interests of plan participants, rather than those of the employer, to avoid conflicts of interest.

5. Permanent Record Retention. Committee minutes and records should be incorporated into the employer's permanent record retention program. In the event of litigation, the events giving rise to the claim may be years removed, and committee members should not be forced to rely on their memories to recollect details.

Following and thoroughly documenting a prudent and deliberative fiduciary process is the single most important thing a plan committee can do to insulate itself from potential liability. There are numerous "best practices" that should be followed, but adhering to these five key steps is a good start.

Check Your Plan Loan Administration

By Summer Conley

We recently handled an issue for a client that highlights the importance of overseeing plan service providers. You may ask why that is true, since service providers are in the business of helping administer retirement plans. A plan sponsor can just assume the plan is being administered correctly, right? The short answer is no -- even reputable companies make mistakes.

In this case, the issue related to the administration of participant loans. Many, if not most, 401(k) plans permit plan participants to take loans from their accounts. While plan loans are permitted by the Internal Revenue Code (the "Code"), there are a number of restrictions that apply. If the loan fails to comply with these restrictions, it can result in a "deemed" taxable distribution to the participant and potentially to a qualification error for the plan.

Generally, plan loans must be issued for a term that is 5 years or shorter. There is an exception, however, if the loan is "used to acquire a dwelling unit which will within a reasonable time be used as a principal residence of the participant." Where the loan is used for that purpose, the term may be for a longer period set by the plan or the loan policy; often, the term can be as long as 30 years. But if a residential loan is made, what evidence or documentation should be obtained to establish that the loan is being used for that purpose, and, equally as important, who should obtain it? Is a representation by a participant sufficient?

In the case involving our client, the agreement with the plan service provider indicated that it would obtain documentation necessary to verify the purpose of the loan. Unfortunately, when the IRS questioned whether the loans were, in fact, proper residential loans, neither the plan sponsor nor the service provider had detailed records, such as a copy of the purchase agreement or other similar documents. (While there is no explicit requirement for such proof in the Code regulations or other IRS guidance, we are aware of several instances in which the IRS raised this issue, indicating that such documentation was necessary to demonstrate that the loan was proper.) It is not surprising that the plan sponsor lacked the records, since it thought it had delegated the job of obtaining proper documentation to the service provider. At the same time, the plan sponsor did not know that the service provider also lacked the information.

There are two morals to this story, one of which is obvious and the other of which is less so. The first is that plan sponsors should check their loan practices and procedures to make sure that appropriate evidence (beyond a participant representation) is being obtained in connection with residential loans. Plan sponsors may address loan procedures in one of two main ways. The plan sponsor may develop policies and procedures that it follows in-house in administering loans. Alternatively, the plan sponsor may rely upon a third party administrator to adopt and implement policies and procedures for administering loans. The second moral is that even if it is relying on the third party administrator, the plan sponsor should monitor the administrator periodically to ensure that the policies and procedures are actually being followed.

DOL "Tips" for Selecting Target Date Funds

By Bradford P. Campbell

Target Date Funds (TDFs) are simple by design - at least from the perspective of the plan participant. The participant decides when he or she will retire, selects a fund that targets this retirement year (or one close to it), and then forgets about it. The fund does the rest, reallocating the investments in the fund to become more conservative as the targeted retirement date approaches. From the perspective of the plan fiduciary, however, prudently selecting and monitoring a particular target date or lifecycle fund to use as a Qualified Default Investment Alternative (QDIA) or as a plan investment option is a more complex process. The plan fiduciary must investigate and assess a number of features of the available TDFs in making its decision as part of a thorough and well-documented process. The Department of Labor (DOL) recently issued guidance designed to help plan fiduciaries identify some of the key relevant factors for TDFs. We suggest that plan fiduciaries incorporate this guidance into their plans' Investment Policy Statements (IPS) and prudent selection processes.

The DOL guidance, "Target Date Retirement Funds - Tips for ERISA Plan Fiduciaries" is the latest of several DOL initiatives to help plans and participants better understand TDFs. As the performance differences among the 2010 class of TDFs during the market gyrations of 2008-2009 highlighted, even target date funds with the same target date may vary significantly in their investment philosophy and strategies. The recent DOL guidance is intended to help fiduciaries ask the right questions to understand the funds they are reviewing, and to select prudent TDFs for their plans.

The DOL "Tips"

The "Tips" explain some of the basic facts about TDFs, including the fund's so-called "glide path." The glide path is the projected investment plan for changing the asset allocation over time. A "to" fund is intended to reach its most "conservative" asset allocation strategy at or near the target date, while a "through" fund is not intended to reach its most conservative asset allocation strategy until some years after the target date. Either of these approaches might have advantages for a particular plan, but the plan fiduciary has to understand the differences and purposefully select one or the other. DOL suggests that fiduciaries consider some related issues in making this choice, such as plan demographics and whether the participants are covered by a defined benefit plan.

Other relevant factors identified by the guidance include:

  • Investment strategy - separate from "to" vs. "through," do you understand the principal strategies and risks of the fund and its underlying assets? Have you considered past performance and other standard investment metrics?
  • Fees and expenses - do you understand the fees associated with the investment? If there are administrative service payments, such as 12b-1 fees, do you understand who is receiving them and for what services?

The guidance also advises fiduciaries to understand the differences between "proprietary" and "non-proprietary" funds, and to inquire about the availability of "custom" TDFs. A proprietary TDF is one in which the underlying investments are funds offered by the same investment provider offering the TDF, whereas non-proprietary TDFs utilize funds from other investment providers. A custom TDF is one in which the underlying investments are the core funds from the plan's own investment menu. All of these product variations are factors fiduciaries should consider, but deciding which is prudent for your plan is an individualized decision taking into account all of the other relevant factors, from fees to glide path.

Finally, the guidance suggests that fiduciaries consider reviewing their plan's participant communications to ensure participants have the information they need to understand the TDFs available to them, and to ensure compliance with the participant disclosure regulations.


When DOL issues guidance on how to prudently select an investment option, it is advisable to review the guidance and incorporate it into your plan's investment policy statement and fiduciary process. Your Drinker attorney will be happy to assist you in this process.


Plan Sponsor Webinar on May 15, 2013

On May 15, 2013, Joe Faucher and Heather Abrigo in our Los Angeles office will be conducting a webinar titled "Lessons from Defendants: How Plan Committees can Avoid Being Sued for Fiduciary Breach under ERISA." This webinar will address some of the latest ERISA fiduciary decisions and what Plan Committees can do to avoid getting sued. If you would like to receive an invitation to this webinar, please click here: http://www.drinkerbiddle.com/Register/Lessons-From-Defendants-Webinar

What Plan Sponsors Need to Know About a "Limited Scope Review"

By Heather Bader Abrigo

In 2012, we saw the Department of Labor ("DOL") increase the number of investigations relative to previous years, a trend we expect to continue in 2013. Although most DOL investigations are "limited scope reviews," such characterization is a misnomer. As some of our clients have experienced, these reviews are anything but limited in scope. Based on our experience in working with clients on these "reviews," here are some tips for how to handle them.

First, review any documents and/or information before providing it to the DOL. Despite the "limited scope" characterizations, the DOL will request voluminous materials. Plan sponsors should review the request carefully and provide the information that has been requested, but only after it has been reviewed to see if it reflects potential errors. If there have been errors, the information cannot be withheld...it must still be provided, but we have found that it is good practice to bring the error to the attention of the reviewing agent along with an explanation about what the plan is doing to correct it. For example, during one investigation, a client noticed that certain transactions were coded in the record keeper's records as "mistakes of fact." It became concerned and asked us for our advice. After researching these entries, it appeared that salary deferrals for terminated employees were being sent to the custodian. Ultimately, we assisted the plan sponsor not only with the DOL investigation, but also with its internal procedures to avoid a repetition of this problem.

Second, plan sponsors need to be prepared for on-site visits and interviews with the plan fiduciaries. During the interview process, many plan fiduciaries may be surprised by the number of detailed questions that the investigator will ask with respect to plan fees. For example, during another investigation, the DOL investigator asked in-depth questions about the plan's ERISA expense account and evidence as to how the account was being handled. After reviewing the allocation report from the recordkeeper, an issue arose with respect to how the ERISA expense account had been allocated. We worked with the DOL investigator to resolve the issue, and the DOL issued a letter closing the investigation without further action.

Third, in light of the DOL regulations regarding fee disclosures that were issued during 2012, plan fiduciaries should be ready to discuss, in detail, the amount of compensation the various service providers are being paid from the plan and how the fiduciaries have determined that such compensation is reasonable. For example, we have assisted with investigations during which the DOL investigator requested evidence regarding the determination of reasonableness of fees by the plan fiduciaries. In one investigation, our client had obtained a benchmark report and documented the process which led to the determination that the fees were reasonable. This resolved any issues that the DOL investigator had regarding this issue, and the investigation was closed with no further action.

Lastly, we recommend that plan sponsors consider conducting voluntary internal compliance audits. This can include gathering a sampling of information that would normally be requested during an investigation as well as making sure policies and procedures for plan administration are documented and followed. By following these four steps, plan sponsors will help ensure that the plan is being operated properly and they are fulfilling their fiduciary responsibilities...and that they will be more equipped to handle a "limited scope review" or a full investigation if one should arise.

Accountant's Audits of Retirement Plans

By Fred Reish

If your plan is large enough to require that its financial statements be audited (which generally means that you have over 100 eligible employees), in the next month or two your accountants will be asking about your procedures for handling the 408(b)(2) disclosures by your "covered" service providers. That raises an obvious question: what is the "right" answer?

Before answering the question, let me set the context. Your covered service providers are required to give you - as the responsible plan fiduciary, or RPF - written disclosures about their services, status as fiduciaries, and compensation. The "RPF" is the person or persons who have the authority to hire service providers for your plan; typically, that is the plan committee. (For ease of reading, we refer to "plan sponsor".) "Covered" is a defined term in the 408(b)(2) regulation, but for our purpose, the best approach is to assume that all of your plan's service providers are covered, unless you know that they are not. Covered service providers include, for example, your investment advisors, financial advisors, brokers, recordkeepers, bundled providers, investment consultants, and so on. On the other hand, your attorneys, accountants and actuaries are not covered service providers - unless they receive indirect compensation, that is, compensation from anybody other than the plan or the plan sponsor.

Plan sponsors, in their fiduciary capacity, have had two distinct duties related to the 408(b)(2) disclosures. The first is to obtain the disclosures and make sure that they are adequate. The second is to review the disclosures and determine that, among other things, the compensation of the service providers is reasonable.

So, what should you say to the accountants? The best answer . . . the disclosures have been compared to the requirements in the 408(b)(2) regulation and, based on that comparison, the committee members have made a reasonable and good faith determination that the disclosures are complete. It would be helpful to provide the accountants with a written copy of the comparison of the disclosures to the requirements of the regulation. To help our clients form that "reasonable and good faith belief," we have developed a checklist based on the requirements of the regulation and have reviewed the disclosures for a number of clients. In some cases, the disclosures have not been adequate - and we have followed up with the service providers to obtain the needed information. (In most of those cases, the incomplete disclosures were about the indirect compensation that the service providers are receiving - that is, compensation from investments or other providers, as opposed to payments from the plan.) After we made a written request for the missing information in those cases, the service providers immediately sent us additional information - since they are aware of the dire consequences in the regulation for failing to provide adequate disclosures.

Once the information is obtained and the checklist is completed, we recommend that the checklist be presented at a committee meeting and reviewed by the committee members. Those facts should be documented in the committee minutes, together with a determination by the committee members that, based on the checklist and the discussion, they have a reasonable and good faith belief that the required disclosures were made.

The next step is to review the disclosures and determine whether the total direct and indirect compensation being received by the service providers is reasonable - compared to the services they are providing. While a discussion of that process is beyond the scope of this article, one critical factor is that the committee members review market data about compensation paid by similarly situated plans for comparable services. In other words, the marketplace establishes whether compensation for a particular set of services is reasonable or not.

Forewarned is forearmed. Your accountants will be asking about your 408(b)(2) procedures. Be prepared to respond.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
