For more stories like this, sign up for the PLANSPONSOR NEWSDash daily newsletter.
Administration November 20, 2020
Rules for Retaining Benefit Plan Records
Electronic filing is popular, but benefit plan sponsors need to know the rules about what documents can be stored digitally and how.
Reported by Amanda Umpierrez
When paper documents are overwhelming, electronic records can be a safe and convenient fix—as long as employers follow proper guidelines.
Employers are required to follow rules on electronic documentation under two sections of the Employee Retirement Income Security Act (ERISA). Under Section 107, plan sponsors are required to keep records, including plan and trust documents, annuity contracts, 5500 forms and more, for at least six years from the report filing date.
Carol Buckmann, an ERISA attorney and founding partner of Cohen & Buckmann, recommends plan sponsors hold onto these documents longer than required and establish a written record retention statement. “This is important if you are using electronic records and destroying paper records,” she says.
Alison J. Cohen, a partner with the Ferenczy Benefits Law Center, shares a similar idea. Because every document has different deadlines, it’s imperative to have a written procedure that ensures best practices, she adds. “Having that type of written procedure for record retention is really important so that everybody knows how long you have to keep the documents, since they’re not all on the same deadline,” she says.
According to a McKonly & Asbury report, Section 209 of ERISA requires employers to save specific paper records indefinitely and leaves it up to the states to permit electronic storage. These records include employee demographic information, participant compensation information, contribution election/change form(s), loan documents, a participant’s designated beneficiary, records of any distribution requested by the participant and qualified domestic relations orders (QDROs) that assign part or all of a participant’s account to an alternate payee.
The section also issues rules for electronic filing. These rules include ensuring that records are safe, secure, manageable and properly ordered; controls are in place to ensure accurate, reliable and authentic information; electronic versions can be easily converted to paper copies; documents are legible and viewable on a screen format; and no ERISA reporting or disclosure requirements are violated in the operation of the system, the report states.
Buckmann adds that if a copy has a diagram or attachment that can’t be converted to a digital format, it’s best to keep the paper version as a precautionary measure. Other documents, such as QDRO notices can be filed electronically. Otherwise, she recommends consulting with ERISA counsel to ensure the plan is following best practices when filing e-documents, even if more employers are turning to the practice. “If you have any doubt, call your ERISA counsel or keep it. For any questions, consult the experts,” she advises.
Stephen Ferszt, an ERISA attorney and partner at Olshan Frome Wolosky LLP, recommends keeping determination letters, advisory opinion letters, plan census data, calculations, elections of participants and committee minutes as paper copies as well. “Paper records are very important to have. You want that redundancy,” he says.
HIPAA-Related Practices
It’s critical to note that there are separate electronic storage requirements under the Health Insurance Portability and Accountability Act (HIPAA) for employers that offer an ERISA welfare benefit plan. “They need to be accessible; you need to be able to readily convert them into paper copies,” Buckmann says. “They need to be legible. You have to have control with confidentiality—it has to be secure.”
The American Institute of Certified Public Accountants (AICPA) published a report last year highlighting specific requirements for HIPAA-related plans, including, but not limited to, establishing that the electronic recordkeeping system has reasonable controls in place to ensure the integrity, accuracy, authenticity and reliability of the records kept in electronic form; that the records are maintained in reasonable order and in a safe and accessible place; that the system has established and implemented adequate records management practices; and more.
Ferszt points out that any businesses partnering with HIPAA-related plans will also be subject to these requirements. “It’s like this: If you hire a third-party administrator [TPA], and the TPA now gets Social Security information and other personal info, they now have an obligation to protect that information as well.”
Have a Backup
Employers continued to largely use paper documents in the early days of computer, web and mobile usage—a stark difference from the widespread embrace of electronic storage today, especially during COVID-19.
“There was a period of time when the IRS required wet signatures on everything, and the rule was you had to keep every plan document in paper copy format until the end of time,” notes Cohen. “The IRS has understood at this point that there is DocuSign, there are professional electronic services, and, especially in the land of COVID, that there are clearly electronic signatures. While the prior life of plans was that everything needed to be on paper, that has changed dramatically over the past five years.”
However, it’s smart to keep a paper copy in place, should a hard drive be destroyed, a USB misplaced or a cloud storage system hacked. All it takes is a soda to spill on a hard drive, a USB to be lost or a hacker steaking personal information for an ERISA malpractice claim to arise, Cohen says.
“It is also important that any type of electronic retention system be somehow backed up, retained, not easily lost,” she adds. “There has to be prudence to how you’re saving the documents, where you’re saving them, and that you have the very easy ability to get them retrieved. To post this out there on a non-secure site is a problem, not for record retention issues, but for cybersecurity and identity issues.”
Buckmann adds that consulting with your company’s information technology (IT) staff about its practices can ensure privacy and security for the sensitive data. “It’s very important to have adequate security backing,” she says.
Additionally, consider having a backup plan for paper records, Cohen says. Paper copies could always be lost in unfortunate turn of events such as a fire, so keep a USB with a scanned drive somewhere offsite in a lockbox, along with other important certificates and documentation.
