July 08, 2020

How to stay health-care compliant as a small business

Offering restaurant health care benefits can help you attract and retain loyal staff. Yet these benefits come with many regulations that are important for small businesses to know.

As you begin the process of rehiring employees, learn about common mistakes — and how to avoid compliance penalties.

1) Ask only limited health questions, even with COVID-19

If you have 15 or more employees, you are covered under the Americans with Disabilities Act (ADA). You cannot ask employees about disabilities or medical exams unless it’s related to their ability to perform essential job functions.

However, while the ADA and Rehabilitation Act rules continue to apply in the current pandemic, they do not prevent you from following the COVID-19 guidelines made by the Centers for Disease Control & Prevention (CDC) or state/local public health authorities.

  • You may send employees home if they have COVID-19 or similar symptoms.
  • You may ask employees who report feeling ill at work, or who call in sick, questions about their symptoms to determine if they may have COVID-19.
  • You may take their temperature.
  • Only in a pandemic, you may ask about disabilities or require medical exams of employees who do not have symptoms, to identify those at a higher risk of complications.
  • If an employee returns from travel, you may ask questions about his or her exposure during the trip.

All symptoms would be subject to ADA confidentiality requirements.

2) Protect employees’ information under HIPAA

If you offer an employer-sponsored health plan or benefits such as an Employee Assistance Program, you may be a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Use this tool to find out if HIPAA applies to you.

Under HIPAA, you must safeguard protected health information (PHI), such as your employee’s name, date of birth, and medical information. PHI includes data collected from employee wellness programs, flexible spending accounts, workers’ comp claims, and the like.

If you're not a covered employer, it's a good idea to respect privacy in the same way, to establish trust with your employees.

3) Make a cybersecurity plan

Small businesses often overlook the technical safeguards that the HIPAA Security Rule requires. Put in place a strong cybersecurity plan to protect employee data. Encrypt data whenever it goes beyond your firewall. Have a disaster recovery plan in place in case of a breach.

Remember to physically secure electronic PHI from unauthorized access, in your data center, server, cloud, workstations, and on mobile devices. Lock everything.

Strengthen your administrative security too, with risk management policies and assessments, contingency plans, and restrictions on who can access data. Train employees in HIPAA compliance each year. Report any data breaches to employees.

For more, see this HIPAA Security Checklist from

4) Track hours and classify employees correctly

If you don’t pay for all hours worked or misclassify employees, you could violate the Fair Labor Standards Act (FLSA).

Track employee hours, and always pay overtime when employees work more than 40 hours a week. Do not give time off in return for overtime. Pay for training time and for breaks. You do not have to pay for mealtimes. Keep timecards for two years.

Classify employees properly; do not designate them as independent contractors to skirt overtime and benefits responsibilities.

Learn and comply with the federal tip laws. Your state's minimum wage for tipped employees may be higher.

5) Count employee hours carefully to make health insurance decisions

Under the Affordable Care Act, if you employ 50 or more full-time-equivalent employees (FTEs), you must offer minimum essential health care coverage to at least 95% of them and their dependents. Otherwise, you will have to pay a penalty to the IRS called the employer shared responsibility payment.

If even one of your full-time employees gets a federal tax subsidy to buy a health plan through a Health Insurance Marketplace on, the IRS can fine you $2,000 per for each of your eligible employees (although the IRS excludes the first 30 full-time employees from the count).

Under the ACA’s adjusted community rating (ACR) laws, you cannot use employees’ health status or claims experience to set premiums for your group or the individual employee. You can only adjust premiums in the individual and small group market for age, family size, geographic location, and tobacco use. The ACR can result in higher premiums.

Count your employee hours carefully. If you are not required to provide insurance under the ACA, you can consider self-funded or level-funded plans. With these plans, you must report the Minimum Essential Coverage (MEC) you offer employees each year using 1094-B and 1095-B forms. If your employees do not enroll in MEC, they may have to pay the individual mandate tax.

6) Send the right notifications to employees about welfare benefit plans

Did you know that your group health plans — plans with major medical benefits plus health flexible spending accounts, health reimbursement arrangements, dental and vision plans, and wellness programs — have disclosure and reporting requirements as welfare benefits under the Employee Retirement Income Securities Act (ERISA)?

If you have two or more employees and offer a group health plan, you must automatically send an easy-to-understand summary plan description (SPD) to all plan members, including those receiving COBRA. SPDs should go to new participants within 90 days of coverage and within 120 days for new plans.

You may also need to file Form 5500 each year.

7) Notify employees they can continue health insurance under COBRA

If you have 20 or more employees, when covered employees lose coverage under your health plan through a qualified event, they are eligible to continue health insurance under the Consolidated Omnibus Budget Reconciliation Act (COBRA).

Qualifying events include a reduction in hours and termination. COBRA can apply to health insurance, certain wellness programs, flexible spending accounts, health retirement accounts, and other plans.

To avoid a common small business mistake, you must notify the employee and covered adult dependents of their right to COBRA. Send a notice that describes how to choose COBRA, application dates, costs, etc., within 44 days of the qualifying event.

8) Manage eligibility for pre-tax cafeteria plans

A Section 125 cafeteria plan lets your employees choose to receive benefits such as health savings accounts and dependent care assistance pre-tax.

To stay compliant, if you offer a simple cafeteria plan, manage employee eligibility very carefully. You must ensure that enough employees can get into the plan who are not highly compensated employees or key employees. The plan cannot provide more than 25% of the total plan benefits to key employees.

You also must have a written document before taking out pre-tax deductions, so that the IRS knows you are withholding the correct amount of taxes.