Smaller companies without a substantial, experienced human-resources team may risk overlooking some fundamental requirements for complying with health-care-related laws and regulations. The firms might get away with such an oversight for a while, but could be subject to significant fines if they’re randomly selected for an audit.

Even something as simple as maintaining required plan documents — a technical document that details plan compliance with Employee Retirement Income Security Act (ERISA) rules for such things as claims procedures and eligibility provisions, as well as a summary plan document for participants — can fall through the cracks.

“These documents have been required since the 1970s, yet many of my clients think they are in compliance because they have insurance contracts. In 99% of the cases, that is not enough to meet ERISA’s standards for plan documents,” said Benjamin Lupin, director of compliance at health-care program broker Corporate Synergies Group, at this week’s CFO Leadership Summit in Orlando.

Evidence that insurance contracts aren’t sufficient showed up in an audit letter from the Department of Labor that some of Lupin’s clients received recently. The letter specified that the DoL would be looking at plan documents and contracts with insurance carriers.

Not supplying such documents within 30 days of a written request from an employee can result in a fine of up to $110 a day. “This is an unnecessary liability,” said Lupin. “Putting these documents in place is not that costly.”

Smaller companies also may fail to retain plan-related documents — including amendments to original plans and open-enrollment materials — for enough time after a plan year ends, Lupin noted. ERISA requires that employers keep them for at least six years. But some states, like Texas, have longer statutes of limitation on claims against health-benefits plans. Corporate Synergies recommends that clients hang on to documents for 8 to 10 years.

Failure to file Form 5500 each year can be even costlier. The form, required for plans with more than 100 participants, contains basic information such as the number of people covered under the plan, the amount of assets in the plan, and identification of plan providers. The fine for noncompliance is a maximum $1,100 a day.

For attendees at the session in Orlando, Lupin pulled data showing that in Florida alone, between 2000 and 2012, 10 employers paid between $50,000 and $100,000 for Form 5500 noncompliance, and 46 employers paid between $10,000 and $50,000. “And those were just the unlucky ones that were audited,” he pointed out. “It doesn’t mean everyone else was compliant.”

Meanwhile, the DoL is becoming more vigilant about enforcing compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The department recently started a pilot program in which it’s auditing 150 randomly selected employers. Auditors come to a company’s offices for 3 to 10 days and go over its HIPAA documentation with whomever is responsible for monitoring compliance with standards under the law. Penalties are up to $2,500 per incident of noncompliance per standard.

In a high-profile case in 2009, CVS Caremark was fined $2.25 million for violating standards of privacy for participants in health-care plans after the company’s human-resources leader left a laptop computer loaded with customers’ HIPAA-protected information in a taxicab. CVS was also required to submit to an audit of its health-care program every other year for 20 years.

Lupin also addressed some aspects of the two-year-old health-care reform law that are relevant to 2012. For one, starting next year employers with at least 250 employees must report on each person’s Form W-2 all prior-year costs for health insurance paid by both employer and employee.

“That might not seem like a big deal if you have a fully insured plan, because the cost is essentially just the premium dollars you’re spending,” he said. “But here’s the problem: things happen. Say an employee joined a company in February. He gets married in March and adds his wife to the plan. She has a baby in November and now they go to a family plan. That’s got to be tracked, and the numbers have to be accurate.” Reporting the information incorrectly will subject the employer to the same $200 fine per Form W-2 that already applies for errors on the form.

Although the information is to be reported on a tax form, the plan costs will not be taxable — for now, at least. Many observers have suggested that the government will use that information to identify companies subject to the “Cadillac tax” for lucrative plans that is scheduled to take effect in 2018.

Second, a new plan document is required for plan years with open enrollment taking place after September 23 of this year. Called Summary of Benefits and Coverages (SBC), it’s a mini-summary plan document. Failure to provide the SBC may result in an excise tax equal to $100 per plan participant per day of noncompliance. Should the DoL deem the noncompliance to be “willful,” an additional $1,000 fine per violation may be assessed.

“All these things may not be high priorities for CFOs,” said Lupin. “But they should not be an afterthought. For years the DoL focused mostly on retirement plans. But now, because of health-care reform and other issues, health-benefit plans have become much more of an issue.”