Skip to Main Content

insightsarticles

Oxymoron of the month: Outsourced accountability

By: Dan Vogt
07.20.20

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Related Services

Consulting

Related Professionals

Principals

BerryDunn experts and consultants

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Article
The three P's of improving your company's cybersecurity soft skills

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on or must you wait for someone to unmute their line to verbally confirm to proceed.
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly, and decreases communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Article
Social distancing case study: Hosting remote vendor demonstrations

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

  • Texting is permissible between care team members if accomplished through a secure platform.
  • Texting of orders: prohibited.
  • Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

  • Establish a policy to govern the use of text messaging and update your mobile device policy.
  • Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting all together.
  • Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record. 
  • Educate your patients about secure messaging available on your patient portal.
  • Assess your organization’s usage and level of risk.

  • Stop using unsecure text messaging for patient related communications.

For more information, contact me.

Related content:

Watch our video on adopting technology for success
Read Dan's article on soft cybersecurity skills.

Article
Texting in healthcare? Best be secure.

Read this if you are a small retailer in Massachusetts.

If you are a small retailer in Massachusetts, it’s likely you are already making efforts to prepare for the upcoming sales tax holiday that’s set to occur on August 14 and 15. Perhaps you have been advertising the savings to your customers, in an effort to generate more foot traffic, or putting additional signage on your door, next to your register, or on the cash wrap.  

All good steps to take, and another essential step is to educate your staff on the additional measures that need to be taken to ensure all generated sales are recorded properly.  

Larger retailers have the ability to program these types of events into their point-of-sale systems, including assigning dates and times of the promotion, types of products effected, and many more. This is nothing new for your local box store, for example. However, for the small retailer, this type of event requires much more manual intervention.  

Small retailer approaches, tips, and tricks

Turning sales tax on and off for your complete inventory is easy for most POS systems. But what if only some of the products you offer are eligible for the sales tax exemption? What is the best approach to take?

For the platform that offers inventory file uploads, a wise approach would be to export your current inventory list, adjust the sales tax as needed in Excel, and then import the new file back into the system. This will ensure the appropriate sales tax is captured for the holiday weekend. Don’t forget to do this once more, after the sales tax reprieve has ended.  

Overriding your products individually as a sale occurs may also be necessary for some POS systems. This option will require your sales associates to intervene on each individual transaction. There is great potential for increased human error, particularly in a fast-paced retail environment.  

Making a list and checking it twice

Another good idea to reduce your chance of errors is to meet with your employees at the start of each applicable shift and remind them of the sales tax holiday. Simple but effective, as is adding a simple note to your register. This can offer an additional layer of accountability.

Any sales tax collected in error during this holiday weekend will require payment to the Mass DOR, which will need to be reported on your sales tax return. If a customer discovers they paid unnecessary sales tax during the tax holiday weekend the retailer will be required to refund the customer for the tax collected. In turn, an amended sales tax return will need to be filed, for the month in question. 

When it comes time to reconcile your sales tax for the month of August, you can expect to see a bump in the exempt sales tax you will be required to report. Setting a reminder about the infrequent holiday event on your calendar can speed up your reconciliation process. Again, by writing a quick little note to remind you that you will see unusual activity could alleviate the need for any undue research.

If you have any questions about the upcoming tax holiday, please don’t hesitate to contact our Outsourced Accounting team. We’re here to help.
 

Article
Massachusetts annual sales tax holiday: Small retailer considerations

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification or modernization efforts.

You can listen to the companion podcast to this article, Organization development: Shortcuts for states to consider, here: 

Over the last two years, the Centers for Medicare and Medicaid Services (CMS) has undertaken an effort to streamline MES certification. During this time, we have been fortunate enough to be a trusted partner in several states working to evolve the certification process. Through this collaboration with CMS and state partners, we have been in front of recent certification trends. The content we are covering is based on our experience supporting states with efforts related to CMS certification. We do not speak for CMS, nor do we have the authority to do so.

What organization development (OD) shortcuts can state Medicaid agencies consider when faced with competing priorities and challenges such as Medicaid modernization projects in flight, staffing shortages, and a retiring workforce?

The shortcuts include rapid development and understanding of the “why”. This requires the courage to challenge assumptions, especially around transparency, to allow for a consistent understanding of the needs, data, environment, and staff members’ role in impacting the health of the people served by a state’s Medicaid program. To rapidly gain an understanding of the “why”, state Medicaid agencies should:

  1. Accelerate the transparency of information and use of data in ways that lead to a collective understanding of the “why”. Accelerating a collective understanding of the why requires improved communication mechanisms. 
  2. Invest time to connect with staff. The insistence, persistence, and consistency of leaders to stay connected to their workforce will help keep the focus on the “why” and build a shared sense of connection and purpose among teams.
  3. Create the standard that planning involves all stakeholders (e.g., policy, operations, systems staff, etc.) and focus on building consensus and alignment throughout the organization. During planning, identify answers to the following questions: What are we trying to achieve, what are the outcomes, and what is the vision for what we are trying to do?
  4. Question any fragmentation. For example, if there is a hiring freeze, several staff are retiring, and demand is increasing, it is a good idea to think about how the organization manages people. Question boundaries related to your staff and the business processes they perform (e.g., some staff can only complete a portion of a business process because of a job classification). Look at ways to broaden the expectations of staff, eliminate unnecessary handoffs, and expect development. Leaders and teams work together to build a culture that is vision-driven, data-informed, and values-based.

What are some considerations when organizations are defining program outcomes and the “why” behind what they are doing? 

Keep in mind that designing system requirements is not the same as designing program outcomes. System requirements need to be able to deliver the outcomes and the information the organization needs. With something like a Medicaid Enterprise System (MES) modernization project, outcomes are what follow because of a successful project or series of projects. For example, a state Medicaid agency looking to improve access to care might develop an outcome focused on enabling the timely and accurate screening and revalidation for Medicaid providers. 

Next, keeping with the improving access to care example, state Medicaid agencies should define and communicate the roles technology and staff play in helping achieve the desired outcome and continue communicating and helping staff understand the “why”. In Medicaid we impact people’s lives, and that makes it easy to find the heart. Helping staff connect their own motivation and find meaning in achieving an outcome is key to help ensure project success and realize desired outcomes. 

Program outcomes represents one of the six major categories related to organizational health: 

  1. Leadership
  2. Strategy
  3. Workforce
  4. Operations and process improvement 
  5. Person-centered service
  6. Program outcomes

Focusing on these six key areas during the analysis, planning, development, and integration will help organizations improve performance, increase their impact, and achieve program outcomes. Reach out to the BerryDunn’s Medicaid and Organization Development consulting team for more information about how organization develop can help your Medicaid agency.
 

Article
Outcomes and organization development, part II

Read this if you are a plan sponsor of employee benefit plans.

This article is the seventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

The COVID-19 pandemic has challenged individuals and organizations to continue operating during a time where face-to-face interaction may not be plausible, and access to organizational resources may be restricted. However, life has not stopped, and participants in your employee benefit plan may continue to make important decisions based on their financial needs. 

To help you prepare for a potential IRS examination, we’ve listed some requirements for participants to receive Required Minimum Distributions (RMD), hardship distributions, and coronavirus-related distributions, recommendations of actions you can perform, and documentation to retain as added internal controls. 

Required Minimum Distributions

Recently, the IRS issued a memo regarding missing participants, beneficiaries, and RMDs for 403(b) plans. If an employee benefit plan is subject to the RMD rules of Code Section 401(a)(9), then distributions of a participant’s accrued benefits must commence April 1 of the calendar year following the later of 1) the participant attaining age 70½ or 2) the participant’s severance from employment. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, RMDs was temporarily waived for retirement plans for 2020. This change applied to defined contribution plans, such as 401(k), 403(b), 457(b) plans and IRAs. 

In addition, RMDs were waived for IRA owners who turned 70½ in 2019 and were required to take an RMD by April 1, 2020 and have not yet done so. Do note the waiver will not alter a participant’s required beginning date for purposes of applying the minimum distribution rules in future periods. Although you may be applying this waiver during 2020, it is important you prepare to make RMDs once the waiver period ends by verifying participants eligible to receive RMDs are not “missing.”

There are instances in which plans have been unable to make distributions to a terminated participant due to an inability to locate the participant. In this situation, the responsible plan fiduciary should take the following actions in applying the RMD rules:

  1. Search the plan and any related plan, sponsor and publicly available records and/or directories for alternative contact information;
  2. Use any of the following search methods to locate the participant: a commercial locator service, a credit reporting agency, or a proprietary internet search tool for locating individuals; and
  3. Attempt to initiate contact via certified mail sent to the participant’s last known mailing address, and/or through any other appropriate means for any known address(es) or contact information, including email addresses and telephone numbers.

If the plan is selected for audit by the IRS and the above actions have been taken and documented by the plan, the IRS instructs employee plan examiners not to challenge the plan for violation of the RMD rules. If the plan is unable to demonstrate that the above actions have been taken, the employee plan examiners may challenge the plan for violation of the RMD rules.

We typically recommend management review plan records to determine which participants have attained age 70½. Based on the guidelines outlined above, we recommend plans document the actions they have taken to contact these participants and/or their beneficiaries.

Hardship distribution rules

A common issue we identify during our employee benefit plan audits is that the rules for hardship distributions are not always followed by the plan sponsor. If the plan allows hardship withdrawals, they should only be provided if (1) the withdrawal is due to an immediate and heavy financial need, (2) the withdrawal must be necessary to satisfy the need (you have no other funds or ways to meet the need), and (3) the withdrawal must not exceed the amount needed. You may have noted we did not add the plan participant must have first obtained all distribution or nontaxable loans available under the plan to the list of requirements above. This is due to the recently enacted Bipartisan Budget Act of 2018 (the Act), which removed the requirement to obtain available plan loans prior to requesting a hardship. Thus, the removal of this requirement may increase the number of eligible participants to receive hardship withdrawals, if the three requirements noted are satisfied. The plan sponsor should maintain documentation the requirements for the hardship withdrawal have been met before issuing the hardship withdrawal.

The IRS considers the following as acceptable reasons for a hardship withdrawal:

  1. Un-reimbursed medical expenses for the employee, the employee’s spouse, dependents or beneficiary.
  2. Purchase of an employee's principal residence.
  3. Payment of college tuition and related educational costs such as room and board for the next 12 months for the employee, the employee’s spouse, dependents, beneficiary, or children who are no longer dependents.
  4. Payments necessary to prevent eviction of the employee from his/her home, or foreclosure on the mortgage of the principal residence.
  5. For funeral expenses for the employee, the employee’s spouse, children, dependents or beneficiary.
  6. Certain expenses for the repair of damage to the employee's principal residence.
  7. Expenses and losses incurred by the employee as a result of a disaster declared by the Federal Emergency Management Agency (FEMA), provided that the employee’s principal residence or principal place of employment at the time of the disaster was located in an area designated by FEMA for individual assistance with respect to the disaster.

Prior to the enactment of the Act, once a hardship withdrawal was taken, the plan participant would not be allowed to contribute to the plan for six months following the withdrawal. The Act repealed the six-month suspension of elective deferrals, thus plan participants are allowed to continue making contributions to the plan in the pay period following the hardship withdrawal. Prior to the Act we had seen instances where the plan participant was allowed to continue making contributions after the hardship withdrawal was taken. Now we would expect participants who received a hardship distribution to continue making elective deferrals following receipt of the distribution.

Coronavirus-related distributions

Under section 2202 of the CARES Act, qualified participants who are diagnosed with coronavirus, whose spouse or dependent is diagnosed with coronavirus, or who experience adverse financial consequences due to certain virus-related events including quarantine, furlough, or layoff, having hours reduced, or losing child care, are eligible to receive a coronavirus-related distribution. 

Distributions are considered coronavirus-related distributions if the participant or his/her spouse or dependent has experienced adverse effects noted above due to the coronavirus, the distributions do not exceed $100,000 in the aggregate, and the distributions were taken on or after January 1, 2020 and on or before December 30, 2020.  Such distributions are not subject to the 10% penalty tax under Internal Revenue Code (IRC) § 72(t), and participants have the option of including their distributions in income ratably over a three year period, or the entire amount, starting in the year the distribution was received. Such distributions are exempt from the IRC § 402(f) notice requirement, which explains rollover rules, as well as the effects of rolling a distribution to a qualifying IRA and the effects of not rolling it over. Also, participants can be exempt from owing federal taxes by repaying the coronavirus-related distribution. 

Participants receiving this distribution have a three-year window, starting on the distribution date, to contribute up to the full amount of the distribution to an eligible retirement plan as if the contribution were a timely rollover of an eligible rollover distribution. So, if a participant were to include the distribution amount ratably over the three-year period (2020 – 2022), and the full amount of the distribution was repaid to an eligible retirement plan in 2022, the participant may file amended federal income tax returns for 2020 and 2021 to claim a refund for taxes paid on the income included from the distributions, and the participant will not be required to include any amount in income in 2022. We recommend the plan sponsor maintain documentation supporting the participant was eligible to receive the coronavirus-related distribution. 

There is much uncertainty due to the current status of the COVID-19 pandemic, and this has forced many of our clients to review and alter their control environments to maintain effective operations. With this uncertainty comes changes to guidance and treatment of plan transactions. We have provided our current understanding of the guidance the IRS has provided for the treatment surrounding distributions, specifically RMDs, hardship distributions, and coronavirus-related distributions. If you and your team have any additional questions which may be specific to your organization or plan, an expert from our Employee Benefits Audit team will be gladly willing to assist you. 
 

Article
Defined contribution plan distributions: Considerations and recommendations