QUESTION: Our company has run out of storage space for paper records, including those relating to our employee benefit plans. Can we retain these records solely in electronic form and destroy the paper records for our ERISA plans?
ANSWER: ERISA plan records generally may be maintained electronically so long as you comply with applicable rules, summarized below.
Based on the shrinking storage space in your HR department, you probably already know that your company, as plan sponsor or as ERISA plan administrator, must maintain numerous records to comply with ERISA, the Code, and other laws. For example, ERISA § 107 requires records necessary to substantiate information reported on Form 5500 (or, for plans exempt from filing Form 5500, that would be reported absent the exception), and ERISA § 209 (applicable to pension plans) requires records sufficient to determine pension benefits due to employees; the Code imposes various recordkeeping requirements; and the HIPAA privacy and security rules impose their own record retention rules for health plans. In addition, records relating to plan administration may be needed in the event of litigation, which (depending on applicable deadlines for filing legal claims) may occur years after the fact.
Fortunately, you are permitted to retain most plan-related records electronically in accordance with agency guidance on benefit plan recordkeeping. (Also, as a general matter, electronic recordkeeping is permitted under the Electronic Signatures in Global and National Commerce Act (E-SIGN), which provides federal standards for the use of electronic records in a broad array of transactions.) While requirements vary somewhat from agency to agency and some special rules may apply, those imposed by the DOL for the use of electronic recordkeeping under ERISA §§ 107 and 209 are illustrative, and include the following:
-
Safe and Accessible. The electronic records must be maintained in reasonable order in a safe and accessible place, and in a manner in which they can be easily inspected, examined, and reproduced. Good indexing and retrieval capabilities must be part of the system. Electronic records must be readily convertible into readable paper copies, and electronically displayed documents must also be legible and readable. Any records that cannot be clearly, accurately, or completely transferred to the electronic recordkeeping system should be retained on paper.
-
Reasonable Controls. The electronic recordkeeping system must have reasonable controls to ensure the confidentiality, integrity, accuracy, authenticity, and reliability of the electronic records, and adequate records of the management practices for the electronic system must be established and implemented. The system’s quality assurance program should include elements such as secure primary and off-site storage, regular evaluations of the system, periodic checks of electronic records, and reliable backups in case the primary records are unavailable. Also, remember that transfers of data may be necessary when operating systems or software versions change. And the electronic recordkeeping system must not be subject to any agreement or restriction that would compromise or limit your ability to comply with ERISA’s obligations.
-
Destruction of Paper Records Is Generally Permitted. Paper records may be destroyed at any time after they are transferred to an electronic recordkeeping system that complies with the requirements of the regulations. However, it is not permissible to discard an original record if the electronic record would not constitute a duplicate or substitute record under the terms of the plan or applicable federal or state law. Thus, you should carefully review the plan documents to make sure that any requirements to use “original” documents, and any prohibitions on the use of copies of documents, will not interfere with the contemplated electronic recordkeeping.
Keep in in mind that, If the electronic records contain protected health information (PHI, as defined by HIPAA), then the system must comply with the HIPAA security rule. And it should be capable of producing, tracking, and transmitting records containing PHI as necessary to comply with individuals’ rights under HIPAA.
When considering destroying paper records remember that, depending on the jurisdiction, there may be documents (such as notarized documents, stock certificates, or documents executed under a seal) that are effective only if the original is produced. Also, privacy and confidentiality concerns may require particular destruction methods. For example, ERISA fiduciary obligations and HIPAA privacy considerations may require shredding or some other method that permanently obliterates individual information about plan participants and beneficiaries.
Finally, keep in mind that, in the event of a dispute in court or with a regulatory agency, your ability to successfully rely on electronic records may depend on your ability to prove compliance with these sorts of requirements. Given the complexity of the legal rules and technical considerations, a plan sponsor should always consult experienced legal counsel when developing any electronic records retention system or policy.
For more information, see EBIA’s ERISA Compliance manual at Section XXVI.E (“How Must Records Be Maintained?”); EBIA’s 401(k) Plans manual at Section XXVIII.F (“Using Electronic Plan Administration”); EBIA’s Self-Insured Health Plans manual at Section XXX (“Recordkeeping for Self-Insured Health Plans”); and EBIA’s HIPAA Portability, Privacy & Security manual at Section XXIII (“How the Privacy and Security Rules Affect Group Health Plans and Plan Sponsors”). You may also be interested in our webinar “Learning the Ropes: An Introduction to ERISA Compliance for Group Health Plans” (recorded 7/15/2020).
Contributing Editors: EBIA Staff.
