The ERISA Edit: Forfeitures Litigation and Revised Security Standards for Protected Health Information in the News

Employee Benefits Alert

ERISA Forfeitures Lawsuit Against Honeywell Dismissed Without Prejudice

On December 19, 2024, a putative class action pending in the District of New Jersey against Honeywell International, Inc. (Honeywell) alleging an ERISA fiduciary duty breach arising out of plan forfeitures, among other claims, was dismissed in full without prejudice. Barragan v. Honeywell International, Inc., No. 24-cv-4529 (EP) (JRA) (D.N.J. Dec. 19, 2024). The complaint alleged that Honeywell had improperly used forfeitures to reduce employer contributions rather than pay administrative costs, notwithstanding language in the plan that permitted forfeitures to be applied to reduce employer contributions. 

In rejecting the case as pled, the court relied on the "context and circumstances of the fiduciary's actions" — i.e., the plain language of the plan, citing Hutchins v. HP Inc., No. 23-cv-05875-BLF, 2024 WL 3049456, at *6 (N.D. Cal. June 17, 2024) — for the principle that a theory that "a fiduciary is always required to choose to pay administrative costs" is flawed because "it is not limited to any particular circumstances that may be present in this case." Id.

As we track the rise of plan forfeiture cases being filed across the country, including a similar suit filed against Amazon on December 30, 2024, in the Western District of Washington, it is interesting to note that the case against Honeywell was transferred from the Northern District of California to the District of New Jersey, demonstrating that a change in venue, at least in part, resulted in a different outcome here than in other recently filed cases pending in California, including Rodriguez v. Intuit Inc., No. 5:23-cv-05053 (N.D. Cal.), and Perez-Cruet v. Qualcomm, No. 3:23-cv-01890 (S.D. Cal.). In these cases, the same types of claims were allowed to proceed to discovery in accordance with Fifth Third Bancorp v. Dudenhoeffer, 573 U.S. 409, 421 (2014) (holding that fiduciary duties under ERISA "trump[] the instructions of a plan document"). 

HHS Proposes Changes to Cybersecurity Standards for Electronic Protected Health Information

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Security Standards for the Protection of Electronic Protected Health Information (Proposed Security Rule). According to HHS, the changes would increase cybersecurity for electronic protected health information (ePHI) by addressing "changes in the environment in which health care is provided," "significant increases in breaches and cyberattacks," "common deficiencies" in the cybersecurity practices of regulated entities, other cybersecurity best practices, and court decisions regarding the Security Rule.

The Security Rule, first published in 2003, implements the protections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) as related to ePHI held by health providers, plans, clearinghouses, and their business associates (regulated entities). HHS and the Department of Labor (DOL) have intermittently issued guidance related to cybersecurity for health plans – most recently earlier this year – but the Security Rule itself has not been modified since 2013. As the preamble to the Proposed Security Rule notes, "[a]lmost every stage of modern health care relies on stable and secure computer and network technologies," even more so than it did in 2013. With the Proposed Security Rule, HHS seeks to update the standards for regulated entities to match the current environment, in which large-scale cybersecurity breaches have become commonplace.

The Proposed Security Rule would substantively alter the text of the existing rule, though HHS claims that a regulated entity's underlying obligations would not substantively change, as the Rule "would explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text." The Proposed Security Rule contains a number of updates, summarized in the Fact Sheet HHS issued concurrently. Some notable requirements in the Proposed Security Rule include:

  • Requiring the development and revision of a technology asset inventory and a network map illustrating the movement of ePHI through the regulated entity's information systems at least once every 12 months
  • Additional express requirements for conducting risk assessments, including an assessment of the risk level for each identified threat and vulnerability to the confidentiality of ePHI and requirements to test security measures at least every 12 months
  • Additional requirements for responding to security incidents, including by establishing written procedures for restoring certain processes and data within 72 hours
  • Requiring encryption of ePHI and use of multi-factor authentication in almost all situations, with limited exceptions
  • Requiring group health plans to include requirements for plan sponsors in plan documents, stating the plan sponsors and their agents handling ePHI will comply with the administrative, physical, and technical safeguards of the Security Rule and will notify their group health plans within 24 hours after activation of their contingency plans

Comments on the Proposed Security Rule are due 60 days after it is published in the Federal Register, which is scheduled to occur on January 6, 2025. It is uncertain whether this proposal will be retained by the upcoming Trump administration.

Tri-Agencies Withdraw Proposed Rule on Contraception Coverage

On December 23, 2024, DOL, HHS, and the U.S. Department of the Treasury (collectively, the Departments), withdrew the NPRM entitled "Coverage of Certain Preventive Services Under the Affordable Care Act" (ACA) issued February 2, 2023 (the Proposed Rule). The Proposed Rule sought to increase access to no-cost contraceptive services for women enrolled in plans or coverage offered or sponsored by entities subject to religious or moral exemption from the ACA's contraceptive coverage requirement. The Departments explained that they "determined it appropriate to withdraw the proposed rules at this time to focus their time and resources on matters other than finalizing these rules." 

The Proposed Rule would have modified the exemptions and accommodations related to section 2713 of the Public Health Service Act (PHS Act), incorporated into ERISA through ERISA section 715, 29 U.S.C. §1185(d), which mandates coverage of certain contraceptive items and services without cost-sharing. The Proposed Rule, if enacted, would have eliminated the "moral exemption" created by 2018 regulations without disturbing the parallel religious exemption. Further, it would have established an "individual contraceptive arrangement" to allow enrollees of coverage subject to the religious exemption to access no-cost contraception without any action required of the objecting entity, thus avoiding the requirement that an objecting entity opt in to an accommodation in order for their enrollees to access no-cost contraceptive coverage.

In their notice of withdrawal, the Departments note that they received almost 45,000 comments on the Proposed Rule "from a range of interested parties, including employers, health insurance issuers, State Exchanges, State regulators, unions, and individuals." The withdrawal notice states that the Departments wish to engage with the proposals in the comments before moving forward with new rulemaking implementing section 2713. It remains to be seen how the Departments may approach rulemaking in this highly litigated area after the upcoming change of administration.



The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.