
Case of the Week: Privacy Notices and Retirement Plans


The ERISA consultants at the Retirement Learning Center Resource regularly receive calls from financial advisors on a broad array of technical topics related to IRAs, qualified retirement plans and other types of retirement savings plans. We bring Case of the Week to you to highlight the most relevant topics affecting your business.

A recent call with a financial advisor from Oklahoma is representative of a common inquiry related to 401(k) plan notices. The advisor asked:

“One of my clients who sponsors a 401(k) plan asked about the timing of sending a recordkeeper privacy notice to plan participants. Does such a notice exist and, if so, when is the due date for delivery?”

Highlights of the Discussion

At this time, there is no federal requirement for recordkeepers of qualified retirement plans to issue privacy notices to plan participants. However, a similar requirement could be coming down the pike as regulators become more concerned about retirement plan cybersecurity. In practice, research has found that some third-party administrators that administer both health plans regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and retirement plans regulated by ERISA have adopted similar security and privacy practices for both areas, including sending out privacy notices.[1]

As you may know, HIPAA is a federal law that created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA privacy rule requires health plans and covered health care providers (“covered entities”) to distribute a notice that gives a user-friendly explanation of an individual’s rights with respect to their personal health information and of the privacy practices of the covered entity.

Covered entities must give the notice at enrollment and, at least once every three years, send a reminder that individuals may request the notice at any time. The privacy notice must also appear on the entity’s website and be posted in a conspicuous location.

With respect to qualified retirement plans, the Department of Labor (DOL) has not yet issued definitive cybersecurity rules or regulations. Instead, in April 2021, it published cybersecurity tips and best practices aimed at plan sponsors, recordkeepers and participants:

  • Tips for Hiring a Service Provider—helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices—assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips—offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.

Despite the lack of formal cybersecurity directives from the DOL, DOL Regulation Section 2520.104b-1(c) and related pronouncements on the electronic delivery of plan information already make clear that a plan sponsor must ensure that the recordkeeping system it uses keeps participants’ personal information relating to their accounts and benefits confidential.

Conclusion

Currently, there is no HIPAA-like privacy notice required for retirement plan participants. However, DOL regulators continue to discuss what rules should be developed, and plan sponsors remain responsible under existing ERISA and DOL guidance for selecting and monitoring service providers that protect participant data.

Any information provided is for informational purposes only. It cannot be used for the purposes of avoiding penalties and taxes. Consumers should consult with their tax advisor or attorney regarding their specific situation. 

©2021, Retirement Learning Center, LLC. Used with permission.
