By Jenny Kiffmeyer, J.D – The Retirement Learning Center
Privacy Notices and Retirement Plans
ERISA consultants at the Retirement Learning Center (RLC) Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs, qualified retirement plans and other types of retirement savings and income plans, including nonqualified plans, stock options, and Social Security and Medicare. We bring Case of the Week to you to highlight the most relevant topics affecting your business.
A recent call with a financial advisor from Oklahoma is representative of a common inquiry related to 401(k) plan notices. The advisor asked: “One of my clients who sponsors a 401(k) plan asked about the timing of sending a recordkeeper privacy notice to plan participants. Does such a notice exist and, if so, when is the due date for delivery?”
Highlights of the Discussion
At this time, there is no federal requirement for recordkeepers of qualified retirement plans to issue privacy notices to plan participants. However, a similar requirement could be coming down the pike as regulators become more concerned about retirement plan cybersecurity. In practice, the DOL's ERISA Advisory Council found that some third-party administrators (TPAs) who administer both health plans [regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and retirement plans [regulated by the Employee Retirement Income Security Act of 1974 (ERISA)] have adopted similar security protection practices for both areas, including sending out privacy notices.[1]
As you may know, HIPAA is a federal law that resulted in the creation of national standards for protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Privacy Rule requires health plans and covered health care providers (“covered entities”) to distribute a notice that provides a user-friendly explanation of an individual’s rights with respect to their protected health information and the privacy practices of the covered entity. Health plans must give the notice at enrollment and, at least once every three years, remind individuals that the notice is available and how to obtain it. A covered entity that maintains a website must also post the notice there, and providers must post it in a clear and prominent location at their service sites.
With respect to qualified retirement plans, the Department of Labor (DOL) has not yet issued definitive cybersecurity rules or regulations. Instead, in April 2021, it issued three pieces of cybersecurity guidance, tips and best practices for plan sponsors, recordkeepers and participants:
- Tips for Hiring a Service Provider: This piece helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices: This piece assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips: This piece offers plan participants and beneficiaries who check their accounts online basic rules to reduce the risk of fraud or loss.
Despite the lack of formal directives from the DOL, there is an existing obligation under DOL Regulation Section 2520.104b-1(c) and related pronouncements on the electronic delivery of plan information: the electronic-delivery safe harbor is conditioned on the plan administrator taking measures reasonably calculated to ensure that the system used to furnish documents protects the confidentiality of participants’ personal information relating to their accounts and benefits. In practice, that means a plan sponsor must ensure the recordkeeping system it uses keeps such information confidential.
Conclusion
Currently, there is no HIPAA-like privacy notice required for retirement plan participants. DOL regulators continue their conversations over what rules should be developed.
[1] Advisory Council on Employee Welfare and Pension Benefit Plans, “Privacy and Security Issues Affecting Employee Benefit Plans,” 2011.