Employee Benefits and Human Resources: The Year in Review and a Look at What’s Ahead

Presented by: Steve Flores, Rob Newman, Cardelle Spangler, Christine Matott, and Alessandra Swanson

Today’s eLunch Presenters

• Christine Matott, Of Counsel (Employee Benefits & Executive Compensation)
• Steve Flores, Partner (Employee Benefits & Executive Compensation)
• Cardelle Spangler, Partner (Labor & Employment)
• Alessandra Swanson, Associate (Privacy & Data Security)
• Rob Newman, Partner (Marketing, Advertising & Privacy)

Overview

• Retirement Plan Update
• DOL Conflict of Interest Rules
• Affordable Care Act Developments
• HIPAA Enforcement Update
• Employee Privacy Law Update
• Wage & Hour Developments
• Discrimination Law Updates

Retirement Plan Update

Cases of Note – Fee Cases Continue

• University Fee Cases
  • The plaintiff’s firm filed 12 class action lawsuits against fiduciaries of university 403(b) plans
  • Suits follow common allegations that have been made against 401(k) plan sponsors
  • Allegations generally center around:
    • Excessive fees
    • Number and type of investment options causing “decision paralysis”
    • Recordkeeping fees
    • Share classes

Cases of Note – Fee Cases Continue

• White v. Chevron: District Court dismissed novel claims against 401(k) plan fiduciaries:
  • Selection of money market fund instead of stable value fund violated duty of prudence
  • Selection of mutual funds instead of separate accounts or collective trusts violated duty of prudence
  • Paying recordkeeping fees under asset-based revenue-sharing arrangement instead of flat-fee-based arrangement
• Other Complaints
  • Alleged that plan should have used bargaining power to negotiate an even lower fee on Vanguard fund
  • Challenge target date funds for including non-traditional asset classes
  • First Circuit joined Eighth Circuit in holding that float is not a plan asset

Cases of Note – Stock Drop Cases

• Amgen Inc. v. Harris: The Supreme Court reversed the Court of Appeals for the Ninth Circuit in an ERISA stock-drop lawsuit
  • The Supreme Court concluded that the Ninth Circuit failed to properly apply the rigorous pleading standards of Fifth Third Bancorp v. Dudenhoeffer for determining whether a complaint in a stock-drop case alleged sufficient facts to state a claim for breach of fiduciary duty under ERISA
• Hill v. Hill Brothers Construction Company: District Court applies Dudenhoeffer “more harm than good” pleading standard in a stock drop claim against fiduciaries of plan in closely held company

Cases of Note – Forum Selection Clauses

• Supreme Court declined to review Sixth Circuit Court of Appeals ruling in favor of enforcing a plan’s forum selection clause. Smith v. Aegon Companies Pension Plan, 769 F.3d 922 (6th Cir. 2014), cert. denied, 136 S. Ct. 791 (2016)
• Eighth Circuit recently denied appeal to have disability benefits suit removed to state in which participant lived. In re Lorna Clause, No. 16-2607 (8th Cir. Sept. 27, 2016)
• Some recent district court cases have disagreed
  • Found that such clauses contradict ERISA public policy of providing plaintiffs ready access to federal courts

Determination Letter Program

• Five-year remedial amendment program for individually designed plans is coming to an end
• Will need to closely keep track of changes in the law that require amendments
• Plans may seek determination letters if:
  • The plan has never received a determination letter
  • The plan is terminating
  • IRS makes a special exception
• Raises the stakes for errors found on audit—complicates M&A
• Makes individually designed plans less attractive

DOL Conflict of Interest Rules

Expansion of Definition of Fiduciary

• Fiduciary investment advice – the provision of covered advice by a covered advisor
• Covered advice includes a recommendation regarding:
  • The advisability of acquiring, holding, disposing of, or exchanging securities or other investment property
  • The management of securities or other investment property, including, among other things, recommendations on investment policies or strategies
  • Rollovers, transfers, or distributions from a plan, including whether, in what amount, in what form, and to what destination, the distribution should be made
• Covered advisor includes a person or entity who:
  • Acknowledges that he or she is acting as a fiduciary
  • Renders advice pursuant to an agreement that the advice is based on the particular investment needs of the recipient
  • Directs the advice to a specific recipient regarding the advisability of a particular investment or management decision with respect to securities or other investment property of the plan
• Must be for a fee or other compensation
• “Recommendation” is broadly defined

Employees Involved in Plan Administration

• An employee who provides investment recommendations to plan fiduciaries is generally not considered an investment advice fiduciary if the employee does not receive a fee or other compensation in connection with the recommendation (other than his/her normal compensation)
• An employee who provides investment and distribution recommendations to other employees is also generally not considered an investment advice fiduciary if:
  • The employee does not receive a fee or other compensation in connection with the recommendation
  • The employee’s job does not require the employee to provide investment advice
  • The employee is not registered under state or federal securities or insurance laws

Investment Education

• Plan sponsors and service providers may offer investment education without becoming investment advice fiduciaries
• Four categories of non-fiduciary education include:
  • Plan information
  • General financial, investment, and retirement information
  • Asset allocation models (subject to restrictions and disclosures)
  • Interactive investment materials (subject to restrictions and disclosures)

Independent Fiduciary Exception

• A prospective fund manager or investment advisor does not provide fiduciary investment advice to an “independent fiduciary” of the plan with respect to communications during the sales and marketing process if the following conditions are satisfied:
  • The independent fiduciary is a bank, registered investment advisor, insurance company, broker-dealer, or other plan fiduciary with assets under management of at least $50 million
  • The independent fiduciary is capable of evaluating investment decisions of the type involved in the transaction
  • The independent fiduciary is informed that the advisor is not undertaking to provide impartial investment advice
  • The independent fiduciary is responsible for exercising independent judgment with respect to the transaction
  • The advisor does not receive a fee directly from the plan for providing advice in connection with the transaction

Action Items

• Review communications to plan participants
  • Ensure that communications do not provide investment recommendations or recommendations about distribution options
  • If materials are intended to provide investment education, confirm that no specific investment or distribution recommendations are provided
• Educate employees about the new rules
• Review service provider contracts
  • Will the new rule change a non-fiduciary service provider into a fiduciary?

Affordable Care Act Developments

Post-Election Outlook

• President-elect and Congress have vowed repeal
  • Tom Price, nominee to head the Department of Health and Human Services, indicates significant changes to the ACA are on the horizon. Mr. Price has introduced legislation to repeal and replace the ACA
• Concrete alternative proposals have not yet been put forward
• Until further notice, employers should continue to comply with various requirements

Employer Health Coverage Obligations

• Affordable Care Act “pay or play” penalties continue to dominate discussion

• There are two types of pay or play penalties:
  • A penalty for failing to offer coverage to full-time employees and their dependents
  • A penalty for offering coverage to full-time employees and their dependents that is not affordable or does not provide minimum value
• Full-time employee determination still an issue in a variety of contexts

Employer Reporting Requirements

• Employers subject to two distinct reporting requirements for 2016
  • 6056 Reporting:
    • In general, Section 6056 requires an applicable large employer subject to the requirements of Section 4980H to report certain health insurance coverage information to the IRS, and to furnish certain related employee statements to its full-time employees
  • 6055 Reporting:
    • Every person who provides minimum essential coverage to an individual during a calendar year must file an information return and transmittal, and furnish statements to responsible individuals on forms prescribed by the IRS

Employer Reporting Requirements

• Employers use 1094-C and 1095-C to report
• Recent Notice 2016-70 provides an extension for distribution to participants:
  • Previously was January 31, 2017 and now is March 2, 2017
  • No change to IRS filing deadline—March 31, 2017 (electronic)
• IRS also extended interim good faith compliance standard
  • IRS will not assess a penalty for incomplete or incorrect information as long as forms were filed on time and the filer can show that it completed the forms in good faith
  • Important because strict compliance is difficult and many employers continue to have problems with certain employee groups

Penalties for Reporting Failures

• Each applicable large employer member is required to file 1094-C and 1095-C and provide a statement to full-time employees

• Failure to file with the IRS (or providing incomplete or incorrect information) can result in penalty of $100 (recently increased to $250) per failure up to $1,500,000 (recently increased to $3,000,000)

• Failure to furnish timely or correct statement to employees can result in the same penalty


Don’t Forget

• Cadillac Tax
  • Scheduled to take effect in 2020. Will it?
  • Collective bargaining agreements may create issues
  • Employers must preserve as much flexibility as possible
• Excise Taxes—ACA still continues to mandate a variety of design-based requirements
  • Self-reporting required: Excise tax and Form 8928
  • $100 per day for each individual to whom failure relates
  • Beginning on date failure occurs and ending when failure is corrected
  • Exception for reasonable cause failures:
    • If did not know, or exercising reasonable diligence would not have known failure occurred
    • Corrected within 30 days after knew or should have known
  • No exception for failures due to willful neglect or on audit

Subrogation

• Supreme Court looked at enforcement of subrogation for ERISA Plans in Montanile v. Board of Trustees of National Elevator Industries Health Benefit Plan
  • Health and welfare plans often contain provisions that allow reimbursement of benefits paid to participants who subsequently recover from third parties
  • Participant was struck by drunk driver, plan paid over $120,000 in medical expenses, and later sought reimbursement when participant obtained a $500,000 settlement
  • Supreme Court looked at whether ERISA remedies include plan’s ability to seek recovery from the participant’s general assets when a participant receives a settlement and spends it
  • Supreme Court found that such a recovery could only be made against specifically identifiable funds in the participant’s possession or traceable items purchased with the funds (e.g., a car)
• Plan sponsors/service providers must move quickly

HIPAA Enforcement Update

Brief Overview

• HIPAA is the Health Insurance Portability and Accountability Act of 1996

• HIPAA requires covered entities and, in some instances, business associates, and subcontractors to safeguard against the misuse of protected health information

• Covered entities include health care clearinghouses, health plans, and health care providers

• Business Associates (BAs) are entities that create, receive, maintain, or transmit PHI on behalf of a covered entity


What does HIPAA Do?

• HIPAA has three subparts that provide standards for the treatment of Protected Health Information (PHI):
  • The Privacy Rule (Subpart E)
    • Establishes individual rights; permitted, required, and prohibited uses and disclosures of PHI; general administrative requirements
  • The Security Rule (Subpart C)
    • Establishes safeguards for Electronic PHI
  • The Breach Notification Rule (Subpart D)
    • Establishes definition of “breach” and notification requirements

Why HIPAA Matters

• Self-insured health plans are required to comply with HIPAA to the extent that their employees interact with PHI

• In particular, health plans are required to establish written policies and procedures for each subpart of the regulation

• Most HIPAA Resolution Agreements cite the subject entity’s lack of policies and procedures as support for the enforcement action


2016 HIPAA Developments

• The U.S. Department of Health and Human Services – Office for Civil Rights (OCR) is the primary HIPAA regulator
• This year, OCR:
  • Significantly ramped up formal enforcement actions for HIPAA violations
    • 13 enforcement actions (100% increase over 2015) and approximately $23.5M in settlements (400% increase over 2015)
  • Launched Phase II of its HIPAA audit program
  • Released a number of guidance documents

2016 HIPAA Enforcement Highlights

• The perennial “most popular” violation is the failure to conduct accurate and thorough risk analyses

• 2016 settlements demonstrated an increased emphasis on business associate agreements and continued emphasis on policies and procedures requirements

• While earlier enforcement cases focused on entities that lacked HIPAA infrastructure, recent cases reveal that established compliance measures are now being closely scrutinized


Lessons Learned from Enforcement Actions

• OCR pays attention to breach filings and keeps tabs on multiple “offenders”

• “Addressable” does not mean “optional”
• A breach may bring the regulators to an entity’s door, but once they get there, the entire compliance program is fair game
• A full list of enforcement actions is available here

HIPAA Audit Program – Phase II

• Audits began in early July and will be carried out in three waves, with approximately 200-250 audits in total
  • The first wave launched this summer, and consists of desk audits of covered entities
    • As part of the audits, the covered entities have been asked to identify their business associates
  • The second wave, also in progress, consists of desk audits of business associates
    • OCR has indicated it would select the business associate auditees based in part on the business associates identified during the first wave
  • The third wave, scheduled to roll out in 2017, will involve a small number of comprehensive on-site audits
    • OCR noted it could opt to conduct an on-site audit for an entity that had already undergone the desk audit process

Audit Specifications for Covered Entities

• OCR released the HIPAA protocols that are being examined during the first wave of audits
  • Privacy Rule Provisions:
    • Notice of privacy practices content requirements
    • Notice of privacy practices provision of electronic notice
    • Access to PHI
  • Security Rule Provisions:
    • Risk analysis
    • Risk management
  • Breach Notification Provisions:
    • Timeliness of individual notification
    • Content of individual notification

Guidance Documents

• Cloud Computing Guidance
  • Reveals cloud providers that create, receive, maintain, or transmit PHI are business associates, even if the PHI is encrypted
• Cyber-Awareness Monthly Update
  • OCR launched monthly newsletters to help those under HIPAA’s purview understand common security threats to PHI and how to take steps to prevent them from occurring
  • Includes guidance on ransomware, security incident preparedness, insider threats, and authentication controls

Employee Privacy Law Update

Employee-Focused Privacy Law Updates

• Preparing for Stricter EU Privacy Laws
• Trans-Atlantic Data Transfers: What Lies Ahead
• Changes to State Data Breach Notification Laws
• Lessons Learned from 2016 Breaches: Employee Training and Vendor Management

Preparing for Stricter EU Privacy Laws

• Final GDPR is set for May 2018
• Significant changes include:
  • Creates obligation – in most circumstances – for data controllers to provide data breach notification without undue delay, and when possible, no later than 72 hours after becoming aware of the breach
  • Scraps requirement for companies to register with national data protection authority in favor of requiring businesses to maintain detailed business records
  • Requires more opt-in consent requirements from EU data subjects to conduct any sort of data processing
  • Requires companies that systematically monitor data subjects to have in-house data protection officers
• Will be directly applicable across the EU

Trans-Atlantic Data Transfers: What Lies Ahead

• Privacy Shield went live in August 2016 as the successor to Safe Harbor
• Significant changes include:
  • Greater oversight and enforcement mechanisms
  • Requirement to provide comprehensive privacy notice outlining rights and obligations
  • Requirement to arbitrate related claims by EU individuals
  • Requirement that third-party contracts include same data use obligations as Privacy Shield imposes on company itself
• Alternatives to Privacy Shield
  • Model contractual clauses
  • Binding Corporate Rules
  • Consent/Exceptions

Changes to U.S. State Data Breach Notifications Laws

• Expanded Definitions of Triggering “Personal Information”
  • Illinois
  • Nebraska
  • Rhode Island
• Encryption Exemption Modifications
  • California, Illinois, Tennessee, and Nebraska’s new laws now treat encrypted information as triggering if the encryption key is also acquired; previously exempted encrypted information from notification requirements
• Changes to Notification Timelines
  • Tennessee
  • Rhode Island
  • Nebraska

Lessons Learned from 2016 Breaches: Employee Training and Vendor Management

• Implement better employee training to help prevent security incidents

• Ensure third-party vendors share the same commitment to data security


Wage & Hour Developments

DOL Final Rule on Overtime Exemptions for “White Collar Employees”

The DOL’s Final Rule: Background

• Issued in May to update the “white collar” exemptions under the Fair Labor Standards Act (FLSA)

• Salary level increase to $47,476/year
  • Almost double the current level
• Effective December 1, 2016

State of Nevada et al. v. U.S. DOL et al.

• September 20, 2016
  • 21 states and 50+ business groups sue to block the rule
  • Emergency preliminary injunction and summary judgment
• November 22, 2016
  • District Court judge grants emergency preliminary injunction
  • National scope
• December 1, 2016
  • DOL files Notice of Appeal in 5th Circuit

What’s Next?

• The Appeals Process
  • Expedited hearing requested by DOL
  • Process, nevertheless, could take months
  • Potential Action by Trump Administration
• Employer Actions
  • Option 1: Continue with some or all of planned changes
  • Option 2: Wait-and-see approach
    • Messaging to employees who may have expected salary increase is key

Discrimination Law Updates

EEOC & Discrimination Based On Sexual Orientation and Gender Identity

Title VII: Sexual Orientation and Gender Identity

• EEOC Position:
  • Sexual orientation and gender identity discrimination are included under Title VII’s prohibition against unlawful sex bias
• Possible Clarity from the 7th Circuit
  • Kimberly Hively v. Ivy Tech Community College (pending)

Actions Filed in 2016

• Sexual Orientation Discrimination
  • EEOC v. Scott Medical Health Center, P.C. (pending)
  • EEOC v. Pallet Companies d/b/a IFCO Sys. North Am., Inc. (settled)
• Gender Identity Discrimination
  • EEOC v. Bojangles Restaurants, Inc. (pending)
  • EEOC v. Rent-A-Center East, Inc. (pending)

“Ban-the-Box” and “Fair-Chance” Policies

On the Rise: Ban-the-Box and Fair-Chance

• Currently, 24 states, the District of Columbia, and over 150 cities and counties have adopted regulations

• Regulations vary from state-to-state and city-to-city
• Regulations typically require delay of inquiry into criminal history and/or timing of criminal background checks during employment application process

2016 State Legislation/Application

• Connecticut – House Bill 5237 – Public and Private
• Vermont – House Bill 261 – Public and Private
• Louisiana – House Bill 266 – Public
• Missouri – Executive Order 16-04 – Public
• Oklahoma – Executive Order 2016-03 – Public
• Tennessee – Senate Bill 2440 – Public
• Wisconsin – Assembly Bill 373 – Public

2016 Local Ban-the-Box and Fair-Chance Policies

• Austin, TX
• Kalamazoo, MI
• Blacksburg, VA
• Asheville, NC
• Montgomery County, VA
• Dutchess County, NY
• Birmingham, AL
• Staunton, VA
• Cherokee County, GA
• Bethlehem, PA
• Mecklenburg County, NC
• Wake County, NC
• Buncombe County, NC
• Sarasota, FL
• Johnson County, KS
• Broward County, FL
• Pulaski County, AR
• Tompkins County, NY
• Sacramento, CA

Exemptions from Ban-the-Box and Title VII Preemption

• Title VII does not preempt federal bans on employees with criminal records working in certain industries
  • Security screeners at airports
  • Federal law enforcement officers
  • Bank employees
  • Insurance industry
• Title VII does not preempt federal restrictions on eligibility for occupational licenses and registrations
  • Transportation industry
  • Import/Export activities

Questions?

Thank You.
