An Ounce of Prevention – DOL Welfare Plan Self Compliance Tools and Other Tips to be ‘Audit Ready’

Vol. 10 No. 11

AuthorWith the growing emergence of ever-changing and complex rules and regulations applicable to group health and welfare plans,1 the government is, understandably, reviewing health and group plans for various compliance issues at an increasingly frequent rate.2  Plan sponsors may face audits from a number of entities, including but not limited to: the Department of Labor (DOL) targeting the Employee Retirement Income Security Act (ERISA),3 the Health Insurance Portability and Accountability Act (HIPAA),4 and reforms required by the Patient Protection and Affordable Care Act (PPACA);5 the Department of Health and Human Services (HHS)6  targeting compliance with the HIPAA Privacy, Security, and Breach Notification Rules; and the Internal Revenue Service (IRS) targeting various failures of healthcare coverage requirements and Consolidated Omnibus Budget Reconciliation Act (COBRA) failures.7 A violation of HIPAA, PPACA, or the other federal mandates, if identified by one of the agencies, will potentially subject the violator to enforcement action by another agency since investigations are often coordinated. For example, a DOL audit could cause the IRS to become aware of violations.8

The DOL May Come Knocking
Of greatest concern to most health and welfare plan sponsors is an audit by the DOL. Virtually all ERISA welfare benefit plans are subject to these investigations.9 The Employee Benefits Security Administration (EBSA) is the arm of the DOL responsible for enforcing Title I of ERISA, and EBSA civil investigations (“audits”) of health and welfare plans are the most common investigation type. However, the DOL also has direct authority to investigate criminal matters relating to employee benefit plans, including health and welfare plans. Additionally, the DOL has broad authority to request documents relating to an ERISA-covered plan — even if no investigation is underway or contemplated.10 The DOL may commence an investigation and require records whether or not it has reasonable cause to believe any particular violation exists.11 In some cases, the DOL may also physically enter places, inspect books and records, and question persons to determine the facts relevant to an investigation.12

These DOL enforcement activities are conducted primarily by the more than 400 investigators/auditors working out of EBSA's field offices located in 15 cities throughout the United States.13 The DOL now routinely conducts enforcement review audits that include issues under federal healthcare reform, and sample audit “inquiry” letters and accompanying lists of requested items highlight the scope of these newly expanded reviews.14

DOL Targeting Techniques
A DOL audit can be triggered for a variety of reasons, and in most cases the employer will not know why its health plan was selected. The EBSA’s targeting techniques use various sources of information to identify the plans considered to have the highest potential for violations.15  Sources of information include reports required under ERISA (e.g., the plan’s annual Form 5500 report on status of activity), information obtained from other government agencies (e.g., IRS and state insurance regulators), information obtained from nongovernmental sources (e.g., newspapers and trade journals), and participant complaints.

DOL Compliance Assistance Tools
The DOL makes available a compliance guide for health benefits coverage16 which includes a two-part self-compliance tool17 presented in a question-and-answer format. These self-compliance tools are intended to assist plan sponsors in determining whether a plan is in compliance with HIPAA or other healthcare-related requirements, including certain elements of PPACA. Plan sponsors can use these self-compliance tools as part of their plan to gauge their readiness for an EBSA audit. As evidenced by these compliance tools, investigations by EBSA may cover many compliance concerns, such as those under COBRA, rules relating to wellness programs, the Genetic Information Nondiscrimination Act (GINA),18 PPACA, HIPAA, the Mental Health Parity and Addiction Equity Act (MHPAEA),19 the Newborns’ and Mothers’ Health Protection Act (NMHPA),20 and the Women’s Health and Cancer Rights Act (WHCRA).21

Penalty Assessments
Not being compliant with the plethora of rules regulating welfare plans can put an organization at risk, and failure to comply with the legal requirements targeted in an audit can result in significant penalties for plan sponsors and fiduciaries. The DOL has authority to assess penalties for numerous ERISA violations, including failures to file Form 5500, failures to timely respond to requests for information, and other breaches of fiduciary duty.22 Violations of PPACA’s group health plan standards can result in penalties under the Public Health Services Act23 and ERISA fiduciary liabilities, including civil fines, lawsuits and potential DOL penalties. In addition, failure to comply with group health plan standards under PPACA, HIPAA, PHSA, COBRA, or other relevant laws can trigger IRS excise taxes of $100 per affected person for each day of noncompliance.24 The DOL may refer violations uncovered in its audits to the IRS for resolution of any tax issues. Employers must self-report violations and any excise taxes due on IRS Form 8928 – Return of Certain Excise Taxes Under Chapter 43 of the Internal Revenue Code.25

Tips for Being “Audit-Ready”
Employers can best be “audit-ready” by ensuring documentation and procedures are in place to support group health plan compliance, paying particular attention to PPACA requirements already in effect. The first analysis should always be to identify the plan year and then where the plan is regarding compliance with the various federal mandates, market reforms, and financing provisions. What actually needs to be reviewed and retained by a particular plan sponsor will vary from plan to plan, depending on the type of benefits offered, the laws that apply to those benefits, whether benefits are insured or self-funded, the number of plan participants, and whether third parties provide services. Plan sponsors are best advised to put in the time now to build a system to locate and catalog plan documents.

The old adage “an ounce of prevention is worth a pound of cure” applies when considering the following preventive measures a plan sponsor can implement to minimize risk and ensure that it is ready if (or when) a government agency comes knocking:

  1. Identify and appoint an internal compliance coordinator.
  2. Identify all health and group plans subject to compliance concerns.
  3. Consider the DOL Self-Compliance Tools26 and review, at a high-level, the broad range of compliance issues impacting health and welfare  plans, including medical, dental, vision, life, disability, account-based plans, group legal, adoption, and long-term care programs.
  4. Routinely conduct focused compliance reviews of issues likely to be targeted for audit. Correcting any compliance issues prior to a DOL audit will avoid many penalties and expedite the audit process.
  5. Identify priority areas for correction.
  6. Determine materials that will demonstrate compliance. If certain items are inapplicable (or unavailable), consider creating and retaining a written explanation documenting the reason.
  7. Retain documentation and procedures that support group health plan compliance as a means to prove a diligent governance process, which, in turn, establishes credibility during the audit process (as a general rule, maintain all records for eight years).
  8. Establish one easily-accessible and organized location to house all records relating to the health plans, such as plan documents, amendments, and service provider and insurance contracts; summary plan descriptions (SPDs); notices required under PPACA, HIPAA, COBRA, and other federal laws (for example, WHCRA); and all written plan records.
  9. Respond to participants’ benefit questions and requests for information in a timely basis.
  10. File Form(s) 5500 fully, accurately, and on time.
  11. Distribute participant notices required by law (for example, the Summary of Benefits and Coverage) by the deadline, and keep records showing that participant notices and other required disclosures are provided in a timely fashion.
  12. Make timely updates to plan documents and SPDs to reflect legal and design changes.
  13. Confirm that vendors are following contract terms and administering plans in compliance with federal and other requirements.
  14. Require vendors and internal benefits staff to immediately report instances of potential noncompliance so corrections can be implemented promptly.
  15. Train staff on compliance obligations and implement internal procedures to address violations promptly.
  16. If a violation occurs, work with counsel to determine whether excise tax liability could be reduced or avoided under the exceptions for sponsors exercising reasonable diligence or promptly correcting failures.27
  17. Respond comprehensively and in an organized manner to any governmental inquiry related to health and welfare plans.
  18. If audited, prepare for the investigation, establish a contact person, secure legal counsel for assistance, negotiate or clarify the scope of the document request, and, if necessary, ask for an extension to the response deadline.

The more prepared and organized a plan sponsor is in advance, the more efficiently and swiftly a DOL audit can be resolved. Proactive compliance reviews require some time and effort up front, but will likely pay off in the event a plan is selected for audit.

Compliance assistance is a high priority for governmental agencies. Some experts suggest the agencies will likely be expanding resources for compliance efforts in order to increase collection of supplemental revenue through fines and penalties, which, in turn, can be used to fund the hiring of more auditors to increase the number of audits.  But for now, at least for PPACA compliance purposes, the agencies are working together with employers, issuers, states, providers, and other stakeholders to help them come into compliance with the new law and are working with families and individuals to help them understand the new law and its intended benefits. The DOL recently stated that its approach to implementation is and will continue to be designed to assist (rather than impose penalties on) plans, issuers, and others who are working diligently and in good faith to understand and comply with the law.28



ERISA Section 3(1) defines an "employee welfare benefit plan" (or welfare plan). Welfare benefits include group health, accident, disability, death or unemployment benefits. Some welfare benefits are designed as vacation programs, training programs, scholarship funds or legal services.


Established in FY 2012, the Health Benefits Security Project (HBSP) is EBSA’s comprehensive national health enforcement project, combining EBSA’s established health plan enforcement initiatives with the new protections afforded by PPACA. The HBSP involves a broad range of healthcare investigations, including examinations for compliance with ERISA Part 7 and PPACA. See list of ERISA National Enforcement Projects at


Pub.L. 93–406, enacted September 2, 1974.


Pub. L. 104-191, enacted August 21, 1996.


Pub. L. 111–148, as amended by Pub. L. 111-152, enacted March 23, 2010.


See HHS Audit Program Protocol at


Pub. L 99-272, enacted April 7, 1986. See IRS Audit Techniques and Tax Law to Examine COBRA Cases at


Memorandum of Understanding between the DOL, HHS & IRS, 64 Fed. Reg. 70164 (Dec. 15, 1999) at


Investigations are conducted in accordance with established procedures published in the EBSA Enforcement Manual (see  See also the DOL Fact Sheet on FY 2013 enforcement activity at


ERISA Section 104.


See Donovan v. Nat'l Bank of Alaska, 696 F.2d 678, 3 EBC 2513 (9th Cir. 1983) (reasonable cause requirement does not apply to investigative power under ERISA Section 504(a)(1)).


ERISA Section 504(a)(2).


EBSA's regional offices are located in Atlanta, Boston, Chicago, Cincinnati, Dallas, Kansas City, Los Angeles, New York, Philadelphia, and San Francisco. EBSA's district offices are located in Detroit, Miami, Seattle, St. Louis, and Washington, D.C. See the EBSA Organizational Chart (at for contact information and a state-by-state chart of EBSA offices.


See sample inquiry letters at


See DOL Health Plan Investigations – Case Opening and Initial Review at


See the DOL Compliance Assistance Guide: Health Benefits Coverage Under Federal Law at


The DOL Self-Compliance Tool (available at comes in two parts: the “Self-Compliance Tool for Part 7 of ERISA: HIPAA and Other Health Care-Related Provisions,” and the “Self-Compliance Tool for Part 7 of ERISA: Affordable Care Act Provisions.”


Pub.L. 110–233, enacted May 21, 2008.


Pub. L, 110-343, enacted October 3, 2008.


Pub. L. 104-204, enacted September 26, 1996.


Pub. L. 105-277, enacted October 21, 1998.


ERISA Section 502(c)(2).


Pub. L. 78−410, enacted July 1, 1944. The PHSA outlines a policy framework for federal/state cooperation in public health. Market reforms (e.g., prohibition on lifetime limits, coverage of adult children to age 26, coverage of participation in government-approved clinical trials) were incorporated by PPACA into the PHSA. Non-federal governmental plans and church plans are governed by the PHSA, not ERISA. The PHSA is administered by portions of the Centers for Medicare & Medicaid Services (CMS) within HHS.


Internal Revenue Code Section 4980D. PPACA amended several existing statutes, including the Internal Revenue Code, ERISA, and the PHSA. The consequences of noncompliance vary depending on which statute is in play.


See IRS Form 8928 at, and instructions at


See the DOL Self-Compliance Tools at


The tax may not apply if the entity otherwise liable for the tax can demonstrate that it did not know (and, in exercising reasonable diligence, would not have known) that there was a compliance failure. Likewise, the tax may not apply if the entity can demonstrate that the failure was due to reasonable cause rather than willful neglect and was corrected within 30 days after the responsible entity first knew (or, in exercising reasonable diligence, should have known) that the failure existed. Code Section 4980D(c)(2).


See DOL FAQs About the Affordable Care Act Implementation Part I, question 1 at



  • Health eSource