Compliance Recap MH - 7.30.24

Compliance Recap | March 2025

By United Benefit Advisors (UBA),
  Apr 3, 2025 2:32:12 PM

In March, employers submitted their electronic filings to the Internal Revenue Service for the Affordable Care Act reporting requirement. Medicare Part D disclosure to CMS, certain reporting on HIPAA breaches, and MEWA Form M-1 were due in March.


ACA REPORTING

Affordable Care Act (ACA) reporting for applicable large employers (those with 50 or more employees) was due for the 2024 plan year in March.

Reporting to Employees – due March 3, 2025

Form 1095-C: For Applicable Large Employers (ALEs) to report health coverage offered to full-time employees.
Form 1095-B: For employers with self-funded plans to report coverage information.

Reporting to the IRS – due March 31, 2025, for electronic filing

Form 1094-C: Transmittal form for Form 1095-C.
Form 1095-C: Reports health coverage information for full-time employees.


Employer Considerations
  • Distribution of Forms: Employers are no longer required to automatically distribute Forms 1095-C or 1095-B to all full-time employees. Instead, they must post a notice on their website informing employees that these forms are available upon request.
  • Use of Birth Dates: For reporting on self-insured plans, employers can use an individual's full name and date of birth if a Social Security Number (SSN) or Taxpayer Identification Number (TIN) is not available.
  • Response Time for IRS Penalty Letters: Employers now have 90 days to respond to IRS Letters 226J proposing employer shared responsibility payments, an increase from the previous 30-day period.

 

MEDICARE PART D DISCLOSURE FOR PLAN SPONSORS

Employers offering prescription drug coverage through a group health plan must meet annual disclosure requirements for Medicare Part D, stating whether prescription drug coverage is creditable or non-creditable. For calendar-year plans, this includes submitting a disclosure to the Centers for Medicare & Medicaid Services (CMS) by March 1 each year.

Coverage is considered to be creditable when it is expected to pay at least as much Medicare Part D.

This is separate from the Part D notice to individuals, which must be given each year before October 15 (the start of Medicare open enrollment).

Failing to meet this deadline can result in:

  • Loss of eligibility for the Medicare retiree drug subsidy
  • Potential ERISA fiduciary responsibility claims
  • Late enrollment penalties for Medicare-eligible employees

If there are changes to a plan’s prescription drug coverage or if coverage is terminated, a new disclosure must be submitted to CMS within 30 days of the change.

Coming in 2026, CMS has proposed a simplified determination methodology that would specify that coverage must be designed to pay, on average, at least 72% of a participant’s drug expenses—an increase from 60% under the current methodology—to be considered creditable coverage. This may impact how plan creditability is assessed, especially for high deductible health plans (HDHPs).


Employer Considerations
  • Check with insurance carriers or third-party administrators (TPAs) to verify if your prescription drug plan is creditable or non-creditable.
  • Complete the required online disclosure form within 60 days of the plan year’s end (by March 1, 2025, for calendar-year plans). CMS provides instructions for completing the online disclosure on its website.
  • Keep records of your submission for audit or compliance purposes.
  • Ensure Medicare-eligible employees receive their annual notice by October 14 for calendar-year plans.

 

HIPAA BREACH REPORTING

When a breach occurs that compromises the confidentiality, integrity, or availability of protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and their business associates report the breach to affected individuals, to the Department of Health and Human Services (HHS), and in some cases, to the media.

If a breach occurs within a business associate (such as a third-party vendor handling PHI), they must notify the covered entity promptly, as the covered entity is ultimately responsible for reporting the breach.

Steps and Requirements for Reporting a HIPAA Breach

Determine if a breach occurred
A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Not all incidents that involve PHI are considered breaches (for example, unintentional access by an employee within their scope of employment).

The Risk Assessment process is required to assess if the breach poses a significant risk of harm to the individuals. This includes evaluating the nature of the PHI involved, whether it was acquired or viewed, and the likelihood of re-identification of the data.

Notify Affected Individuals
Individuals must be notified within 60 days of discovering the breach. The notification should include:

  • A description of the breach
  • The types of PHI involved
  • Steps affected individuals can take to protect themselves
  • Actions taken to investigate and mitigate the breach
  • Contact information for further inquiries

Notify the Department of Health and Human Services (HHS)
If the breach affects 500 or more individuals, the breach must be reported to the HHS within 60 days. The report is made using the HHS breach portal.

For breaches involving fewer than 500 individuals, the covered entity can submit an annual summary of all breaches by March 1 of the following year.

Notify the Media
If a breach involves more than 500 residents of a state or jurisdiction, the entity must notify prominent media outlets serving that area. This is also to be done within 60 days of discovering the breach.

Employer Considerations
  • Timeliness: Timely reporting is critical. Failure to report breaches within the required time frames can lead to penalties and fines.
  • Documentation: Covered entities should keep detailed documentation of the breach and the actions taken to mitigate it. This is essential in the event of an audit or investigation by HHS.
  • Penalties: The penalties for non-compliance with breach reporting requirements can be substantial, ranging from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million for willful neglect cases.

 

MEWAS FILE FORM m-1 WITH dol

MEWAs (Multiple Employer Welfare Arrangements) are group health plans that provide benefits to the employees of two or more employers. These plans are typically formed by small businesses or associations to offer health benefits to their members. Since MEWAs are often self-funded, they are subject to certain regulations and reporting requirements under federal law. One of the key requirements for MEWAs is the filing of Form M-1 with the Department of Labor (DOL).

What is Form M-1?

Form M-1 is used to report information about the operation of a MEWA to the DOL including financial details, the number of participants, and the benefits offered. It is primarily used to ensure that MEWAs comply with the provisions of the Employee Retirement Income Security Act (ERISA), HIPAA, and other applicable laws.

The following entities must file Form M-1 with the DOL:

  • MEWAs providing health benefits to two or more employers
  • Self-insured MEWAs offering health benefits to employees of multiple employers
  • Multiple employer arrangements that provide group health plans to small businesses or associations, including certain trade groups

However, not all group health plans are considered MEWAs. Plans that are fully insured or that fall under certain exceptions (like union plans or governmental plans) are not required to file Form M-1.

Key Filing Requirements and Deadlines

  • Initial Filing: Form M-1 must be filed by the end of the first month after the first day of the plan year in which the MEWA begins offering health benefits.
  • Annual Filing: After the initial filing, Form M-1 must be filed annually within 90 days after the end of each plan year.
  • Late Filings: If the filing deadline is missed, MEWAs may be subject to penalties for late or non-filing.

How to File

Form M-1 is filed electronically through the Employee Benefits Security Administration’s M-1 online filing system.

Failure to file Form M-1 or filing it inaccurately can result in penalties of up to $1,100 per day for each day the filing is late. The DOL strictly enforces these penalties to ensure that MEWAs comply with reporting requirements.

Information Required on Form M-1:

  • Basic Plan Information: The MEWA's name, address, and identification number.
  • Employer Information: Details about the participating employers and their eligibility to be part of the MEWA.
  • Plan Operations: Information about the MEWA’s operations, such as whether it is self-insured, the types of benefits offered (e.g., medical, dental, vision), and the funding arrangements.
  • Financial Information: Financial reports detailing the funding of the MEWA, including whether it is fully insured or self-insured.
  • Covered Employees: The number of individuals covered under the MEWA and other data on plan participants.

Employer Considerations

Some MEWAs may be exempt from filing Form M-1, such as those that are fully insured or those that provide benefits only to specific groups (government entities, for example). Confirm whether the arrangement qualifies as a MEWA under ERISA and other relevant laws before determining filing requirements.

MEWAs that fail to comply with the filing requirements may face significant penalties, so plan sponsors should be sure to meet the deadlines and requirements for filing Form M-1.

 

Question of the Month

Q: Can an employee still participate and receive reimbursements in the dependent care FSA if their spouse is a stay-at-home mom? Can they still contribute up to the $5,000 maximum as they are married and filing taxes jointly?

A: An employee cannot contribute to a dependent care FSA if the spouse is a stay-at-home mom. The only exceptions would be if the mom is actively searching for gainful employment, a full-time student, or physically/mentally incapable of self-care.

An employee who is married and filing jointly is limited to $5,000 per year in a dependent care FSA. But this is only available if the spouse is working or meets one of the limited exceptions above.

 

Answers to the Question of the Week are provided by Kutak Rock LLP. Kutak Rock provides general compliance guidance through the UBA Compliance Help Desk, which does not constitute legal advice or create an attorney-client relationship. Please consult your legal advisor for specific legal advice.


This information is general in nature and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.

©2025 United Benefit Advisors

About UBA
United Benefit Advisors® (UBA) is the nation's leading independent employee benefits advisory organization with more than 200 offices throughout the United States and Canada. UBA empowers 2,000+ advisors to maintain independence while capitalizing on each other's shared knowledge and market presence to provide best-in-class services and solutions.

The content contained in this website, including but not limited to all text, images, trademarks, and logos, is owned by United Benefit Advisors® (UBA) except as otherwise expressly stated or provided by third parties. 
 
UBA Partner Firms must keep all copyright, trademark, and copy intact. All others may link directly to the UBA website to share UBA copyrighted material; they may not duplicate, distribute, create derivative works, or otherwise use this site's content.