Whether the reason is to respond to a DOL audit, a participant’s request, a lawyer’s inquiry, or just a new HR manager taking over a new set of tasks, having the ERISA compliance materials easily accessible and up to date can make all the difference. Case in point…
Recently a client shared with us the list of documents requested from them for a DOL audit (the documents needed spanned several years). The list is standard and has been more or less the same for years. Nevertheless, when it comes across your desk, the amount of detail needed can take your breath away, especially since the DOL typically allots just 10 business days. As a result, we feel it serves as the standard for what to keep in order so you are prepared for any situation:
DOCUMENTS TO BE SUBMITTED
PLEASE SUBMIT COPIES OF THE ITEMS IDENTIFIED BELOW:
Unless otherwise indicated, the review period is from the start date set by DOL through the present. Please indicate if any of the below items do not apply to your plan.
- Plan document(s) including the following:
  - Summary plan description
  - Wrap document
  - Benefits booklets
  - Evidence of coverage (EOCs) and Certificates of coverage for each medical option
  - Enrollment package provided to participants at open enrollment and new hire including front and back of all enrollment forms
  - Documents describing Plan coverages, rules, costs, or changes to any of the above documents
Please provide only those documents that are currently in effect.
- Summary of Benefits and Coverage (SBC), Notices of Material Modifications, and Uniform Glossary
Please provide only those documents that are currently in effect.
- All contracts, service agreements, engagement letters, and fee schedules with service providers, including brokers, consultants, third-party administrators, record-keepers, and claims processors possessing or processing Plan data. Contracts should indicate any performance agreements and any attachments, side letters, and riders.
- If self-insured/self-funded, all contracts for claims processing, administrative services, and reinsurance
- If fully insured, all contracts with insurance companies for the provision of health benefits
Please provide only those documents that are currently in effect.
- Documents describing the cost of coverage, including employees vs. employer share of cost of coverage, monthly premiums by plan by coverage level, and annual total employer out-of-pocket cost.
- Fidelity bond, including declarations page, riders/endorsements, and cyber security coverage
- Fiduciary liability policy, including cybersecurity coverage and stop-loss policy, if applicable
Please provide only those documents that are currently in effect.
- Form 5500 Annual Report filings with all attachments
- Claims lag reports (e.g., report detailing the amount of time from claim filing to claim payment)
- Stale-dated check report, if applicable
- Plan sponsor organization chart that identifies, at a minimum, executives responsible for each functional area
- Listing of all Board of Trustees and their tenure during the period under review
- Listing of all individuals (name, position, contact information) directly or indirectly responsible for the operation, administration, and/or oversight of the plan. This includes trustees, administrative or oversight committee members, and accounting or human resources personnel who process plan paperwork, such as enrollment, claims, participant inquiries, and premium payments.
- Documents identifying those individuals with signatory authority for each of the Plan’s and Trust’s accounts. Include those authorized to: 1) execute checks; 2) initiate or approve wire transfers; initiate or approve distributions and transfers of Plan assets at the Plan or account level; and 3) approve the investment of plan assets
- If the plan has any assets and/or trust:
  - All trust agreements and governing documents
  - All bank account statements where monies are held to fund payment of claims, expenses, or administrative fees; and
  - Documents sufficient to show the Plan’s income, expenses, assets, and liabilities quarterly for the period of review.
- Specimen samples of all COBRA notices, including general notice, election notice, qualifying event notice, notice of unavailability of continuation coverage, and notice of early termination of coverage.
- Documents describing any wellness programs (such as smoking cessation, weight loss, or disease management programs) offered by the plan, including a description of any reward offered as part of the program and any alternative means of participating in such a program, if not included in response to Request #1 above.
- For all rebates (including medical loss ratio rebates, experience-rated contract rebates, and any other rebate from an insurer) received by the plan or plan sponsor in relation to plan coverage:
  - Documents detailing the amount, receipt date, source, and handling of each rebate
  - Specimen sample of notice to participants about rebates, if applicable
  - Documents demonstrating the allocation of rebated amounts to the employer and/or employees
  - Correspondence regarding how rebates are to be used or allocated
- If the plan is claiming or has claimed grandfathered health plan status within the meaning of Section 1251 of the Affordable Care Act, please provide the following:
  - Grandfathered health plan status disclosure statement included in plan materials provided to participants
  - Records necessary to verify, explain, or clarify grandfathered status, including plan terms in effect as of March 23, 2010, any changes to cost-sharing provisions, changes to employer or employee contributions towards the cost of coverage, changes to annual or lifetime limits, and change in health insurance issuers.
- Documents sufficient to describe all administrative expenses paid by the Plan for the period of review.
- All minutes of meetings of any Plan committee, Board of Trustees/Directors, or other entity where the Plan’s health benefits and/or cybersecurity readiness were discussed.
PARTICIPANT COMPLAINTS and CLAIMS PROCESSING
- All participant complaints regarding claims processing and payment, including complaints regarding denials and appeals.
- All policy and procedure manuals that govern the operation and administration of the Plan. This shall include, but is not limited to, claims processing policies and procedures, accounting policies and procedures, Plan staff expense reimbursement policies, investment policies, and customer service policies.
- Copies of any training materials and/or guidance provided to Plan staff regarding eligibility determinations, claims processing procedures, benefit determinations, and Plan administration.
- External and/or internal auditors’ reports of plan operations, including claims audits completed by a service provider or consulting firm including any cybersecurity audits.
CYBERSECURITY
- Written policy statements, guidelines, and documents governing the operation or administration of the sponsor’s, plan’s, and service provider’s information technology systems that handle plan information.
- Cybersecurity breach response plan (or disaster recovery plan if it addresses a potential cybersecurity breach).
- All correspondence and notes from meetings with internal and external auditors regarding internal controls of the Plan, including but not limited to management letters and reports, whether issued to the Sponsor or the Plan
- Reports of third-party audits of information technology systems, such as SOC 1 or SOC 2 reports.
- Schedule of systems critical to the maintenance and protection of participant data and assets. Provide information sufficient to:
  - Describe the critical data used by the plan (i.e., payroll records, elections, and beneficiary forms; electronic personal records, plan data maintained in-house or with custodians, etc.)
  - Identify where the data resides
  - Show which systems (and data) are outsourced to service providers (e.g. cloud email)
  - Describe any spreadsheets that are used as critical systems (e.g. census data)
  - Describe file-sharing systems (e.g. shared folders on a network)
  - Describe how email is used to administer the plan
- For each system identified in the schedule requested above, provide information sufficient to describe:
  - Access controls (e.g., who has administrator privileges to the email server?)
  - Physical controls over key systems (e.g., locked server room).
  - Third-party vendors providing outsourced systems and oversight (e.g., cloud provider)
  - If applicable, for internally developed systems, copies of system development lifecycle controls required by the organization.
- Documents (e-mails, minutes, etc.) that mention or discuss any plans or efforts to consider, address, develop, implement, or negotiate cybersecurity problems, procedures or protections.
- Documents showing any communications about cybersecurity events about unauthorized access or suspicious activity, such as participant inquiries or complaints or internal or external communications with company staff and vendors
Wrangle is here to assist with the Form 5500 reporting needs and Wrap Plan Document and SPDs. If you have any questions, feel free to reach out to Ann McAdam at amcadam@wrangle5500.com