Significant new rules and regulations have been recently proposed for retirement plans, deferred compensation plans and group health plans. Here is a snapshot of the good news and the bad news:

PEOs Get Respect

Professional employer organizations (PEOs) and other employee leasing organizations that act as co-employers with their clients can now apply for IRS recognition as “certified professional employer organizations,” or CPEOs. The IRS certification will recognize the legitimacy of the PEOs undertaking payroll tax reporting and withholding obligations in its own name on behalf of "leased employees" performing services for PEO clients.

New regulations govern the voluntary certification program which began accepting applications on July 1 with respect to wages paid on or after January 1, 2016. To qualify for certification, PEOs must assume liability for payroll taxes payable with respect to its leased employees and meet tax status, background, experience, business location, financial reporting standards, IRS bonding and other requirements.

Tax-Exempt Organizations & New Deferred Compensation Rules

IRS proposed regulations, which can be relied on at this time, clarify the nature of plans subject to Section 457 of the Internal Revenue Code and provide useful exceptions. Section 457 generally imposes special tax rules for deferred compensation plans of tax-exempt entities such as governmental bodies and not-for-profit organizations. Code Section 457(b) postpones tax on qualifying benefits until they are actually “paid or made available” to the recipient (these are “eligible” plans with a limit on annual deferrals, currently $18,000). Code Section 457(f) requires taxation on benefits of “ineligible” deferred compensation plans (covered plans that do not qualify as eligible plans) when they are no longer subject to a substantial risk of forfeiture and, as a result, are “vested.”

HIPAA Privacy and Ransomware

The Department of Health and Human Services Office for Civil Rights (OCR) recently announced guidance on “ransomware” attacks and the HIPAA privacy provisions that protect personal health information (PHI). Ransomware is a type of malicious software (malware) that denies access to a user’s data by encrypting that data with a key known only to the hacker until a ransom payment is made.

If a covered entity (medical service provider or self-funded group health plan) or a business associate with access to PHI is subject to a ransomware attack, and the OCR reports there are 4,000 such attacks daily since early 2016, the presence of such ransomware (or any malware) on the computer system of a covered entity or business associate is a security incident under the HIPAA security rule and likely also will be a breach of PHI confidentiality triggering the HIPAA breach notification provisions.

Non-Discrimination Group Health Coverage and Gender Transition

The OCR has also published final regulations under the ACA prohibition of discrimination on the basis of race, color, national origin, sex or disability. The regulations prohibit the denial of health benefits on the basis of “gender identity” and “sex stereotyping.” The regulations also prohibit categorized exclusions of services related to “gender transition.” The new rules apply to covered entities such as health care providers that accept Medicare, insurance companies and plans offered through the ACA marketplace. For employers with fully insured group health plans, the insurer will be responsible for compliance.

For sponsors of self-funded group health plans, a third party administrator (TPA) that is an insurance company will be responsible for observing the new rules. Self-funded group health plans that use a TPA which is not an insurance company may have no mandated compliance assistance but will be subject to claims by aggrieved participants and beneficiaries for damages for non-compliance. Although the new rules are effective now, responsive changes to plan documents are not required until the first day of the first plan year beginning on or after January 1, 2017 (that’s a 2016 year-end project for calendar year plans).

The final regulations also require written notice of the law’s non-discrimination provisions. Required non-discrimination notices must be posted no later than October 17, 2016. (Sample language is online at http://www.hhs.gov/sites/default/files/sample-ce-notice-english.pdf ).

Determination Applications for Individually Designed Retirement Plans

Determination applications for individually designed retirement plans are eliminated effective January 1, 2017! The IRS has abolished this program in Revenue Procedure 2016-37 in an effort to streamline its regulatory operations and control costs. There will generally be no more favorable determination letters issued for individually designed retirement plans except on initial adoption and plan termination. It will be up to the sponsors of such plans, their document providers and legal counsel to assure compliance with an annual Requirement Amendments List to be issued by the IRS.

At the same time, preapproved plans (prototype and volume submitter documents) continue to be updated and reviewed for compliance by the IRS on a six-year cycle. Sponsors of individually designed plans are expected to migrate to preapproved plans although certain plans (such as cash balance plans) cannot do so at this time. Defined contribution plans that move to a preapproved plan document by April 30, 2017 will be able to rely on the plan’s national office determination letter for the following amendment and review cycle.

So, for retirement plans that can move to a preapproved plan document it’s time to think about making that change. For individually designed “Cycle A” plans (generally plans sponsored by employers with Employer Identification Numbers ending in “1” or “6”), determination applications can still be filed through December 31, 2016.