In general, when maintaining group health plan records, an employer must consider ERISA, HIPAA, and ACA guidelines. Included below is a high-level overview of retention requirements related to these applicable federal laws.
ERISA
The recommendation is to maintain ERISA-related documents for eight years. Records required to be maintained under ERISA include documents such as vouchers, worksheets, receipts, applicable resolutions, claims records, plan documents, summary plan descriptions, copies of filed Form 5500s and schedules, accountants' reports, enrollment materials, requests for reimbursement for health FSA plans, lists of covered employees, and records of payroll deductions. The ERISA record retention period for group health plans is six years, measured from the date of filing Form 5500. Because Form 5500 is often filed many months after the end of the plan year, the six-year retention period is actually closer to seven years when measured from the end of a plan year. When considering the possibility of a filing extension, many group health plans use eight years as a rule of thumb for ERISA document retention. Benefit plans not subject to Form 5500 filing requirements may still want to consider retention for eight years, adopting a conservative approach to retention.
Many items may be kept electronically rather than in paper form. According to DOL regulations, records may be maintained electronically if the electronic recordkeeping system meets certain requirements:
- The system must have reasonable controls to ensure the integrity, accuracy, authenticity, and reliability of the records and should not allow the modification of documents.
- The system must maintain the records in a reasonable order. It should have some type of filing system so the records could be retrieved or inspected as necessary.
- The system must maintain the records in a safe manner and should be backed up properly.
- The system needs to be able to print a readily legible paper copy of the documents.
HIPAA
Covered entities and business associates must retain documentation for HIPAA's Privacy Rule for six years from the date the documentation is created or the date it was last in effect, whichever is later. The documentation under the Privacy Rule includes any action, activity, or designation that the Privacy Rule requires to be documented. Group health plan brokers and employers of fully insured plans are generally considered to be business associates.
If the documents include protected health information (PHI), then HIPAA requires that the information be safeguarded. Any PHI should be kept in files separate from personnel files or files with expanded staff access. Only those who require the information to perform their job duties should be granted access.
ACA
The PCOR fee is considered an excise tax under the Internal Revenue Code. As such, the Form 720 instructions indicate that tax returns, records, and supporting documentation must be maintained for at least four years from the date the tax became due, the date the claim was filed, or the date the tax was paid, whichever is later. However, the documents and records substantiating the reported enrollment count must be maintained for at least 10 years. The IRS generally accepts electronic records. However, the IRS retains the right to examine any books, papers, or records that may be relevant to a filing.
Interestingly, the regulations do not specifically address record retention for documents related to satisfaction of the employer mandate (which applies to employers with 50 or more employees).
The general interpretation is that the same IRS rule that applies to the PCOR filing may also apply to the employer mandate. In other words, records related to offers of coverage and enrollment in the medical plan must generally be kept for four years. The IRS again retains the right to examine books, papers, or records relevant to the filing.
Conclusion
Storage and retention of summary plan descriptions (SPDs), enrollment information, claims information, and so on would likely fall under ERISA and HIPAA’s requirements to maintain claims records and may include PHI (which HIPAA requires be properly safeguarded). Therefore, the most conservative time frame would be to retain group health plan records for at least eight years, measured from the date of filing Form 5500. Additionally, retention of PCOR fee filings and employer mandate forms and records likely falls under the IRS’s requirements to maintain records for at least four years, but records substantiating those filings should be kept for at least 10 years. Employers should review their own internal record retention policy to ensure it meets the minimum standards described above.