Employer Faces $2M FLSA Lawsuit For Alleged Worker Misclassification

December 26, 2013

Health Care Reform Adds Fuel To Enforcement Fire

Employers must ensure they can defend their treatment of workers as as independent contractors or otherwise exempt from wage and hour and overtime requirements and take other steps to manage wage and hour risks that can arise under the Fair Labor Standards Act (FLSA) and other laws to when caught misclassifying workers.  That’s the clear message the U.S. Department of Labor (Labor Department) is sending to employers by filing lawsuits against employers like the one it recently announced against Wang’s Partner Inc., doing business as Hibachi Grill and Supreme Buffet in Jonesboro, and its owner, Shu Wang, to recover $1,997,726 in back wages and liquidated damages for 84 employees.

The FLSA requires that covered employees be paid at least the federal minimum wage of $7.25 for all hours worked, plus time and one-half their regular rates, including commissions, bonuses and incentive pay, for hours worked beyond 40 per week. The requirements generally apply to any workers that the employer who receives its services cannot prove is not its common law employee or an exempt employee within the meaning of the FLSA.  In general, “hours worked” includes all time an employee must be on duty, or on the employer’s premises or at any other prescribed place of work, from the beginning of the first principal work activity to the end of the last principal activity of the workday. Additionally, the law requires that accurate records of employees’ wages, hours and other conditions of employment be maintained. These requirements generally apply for all workers who the facts and circumstances reflect are common law employees and otherwise do not qualify as exempt employees under the FLSA.  Violations of these requirements can result significant backpay and other damage awards to private plaintiffs, backpay and penalties assessments or settlements from Labor Department suits, and, if the violation is found willful, criminal liability.

Wang’s Partner Inc. Suit

The lawsuit against Want’s Partner Inc. shows employers the importance of avoiding improperly classifying workers as independent contractors for purposes of the FLSA. Employers that inappropriately classify workers as independent contractors often fail to maintain appropriate time and other records, pay minimum wage and overtime and violate other FLSA requirements.  In general, a business receiving services of a worker generally bears the burden of providing that the worker is not its common law employee under the applicable facts and circumstances test applicable under the FLSA.

As in many other enforcement areas, the Labor Department Wage and Hour Division in recent years has stepped up its scrutiny of employer relationships with workers treated as independent contractors.  The Labor Department and many other agencies increasingly view the misclassification of workers as something other than employees, such as independent contractors, as a serious problem for affected employees, employers and to the entire economy.  According to the Labor Department, misclassified employees are often denied access to critical benefits and protections, such as family and medical leave, overtime, minimum wage and unemployment insurance and other rights.  The Labor Department also says employee misclassification also generates substantial losses to state and federal treasuries, and to the Social Security and Medicare funds, as well as to state unemployment insurance and workers compensation funds. To address these and other concerns, the Labor Department has joined other agencies like the Internal Revenue Service increasingly is challenging employers’ treatment of workers as exempt from FLSA and other legal obligations as independent contractors or otherwise.

The lawsuit in the Northern District of Georgia against Wang’s Partner, Inc. illustrates this trend.  One of the growing number of lawsuits and other enforcement actions resulting from this trend, the suit shows the significant exposures that an employer risks by misclassifying workers as independent contractors or otherwise exempt from the FLSA. The Labor Department says an investigation revealed that Wang’s Partner Inc. misclassified workers as independent contractors and engaged in numerous violations of the FLSA.  The Labor Department seeks $1,997,726 in back wages and liquidated damages for 84 employees.

The Labor Department says investigators from the division’s Atlanta district office found that the employer misclassified servers as independent contractors, failed to pay servers and kitchen staff at least the federal minimum wage of $7.25 per hour and failed to pay overtime compensation at time and one-half employees’ regular rates for hours worked beyond 40 in a work week. Additionally, the employer did not maintain accurate records of hours worked and wages paid.

In announcing the Wang’s Partner Inc. lawsuit, the Labor Department warned employers against similar misclassification of workers.  “The U.S. Department of Labor is committed to ensuring that all workers receive the wages to which they are legally entitled,” said Secretary of Labor Thomas E. Perez. “We will not stand by while employers use business models that hurt workers, their families and law-abiding employers. This lawsuit illustrates that the department will use every enforcement tool necessary to resolve cases where employees are unlawfully treated as independent contractors, and vulnerable workers are not paid the minimum wage.”

 FLSA Violations Generally Costly;  Enforcement Rising

The Labor Department’s prosecutions against employers arising from misclassification of workers document the Labor Department is acting in accordance with this warning.  In recent years, misclassification of workers increasingly has become an element in its FLSA and other enforcement actions.  According to the Labor Department, misclassified employees are often denied access to critical benefits and protections, such as family and medical leave, overtime, minimum wage and unemployment insurance and other rights.  The Labor Department also says employee misclassification also generates substantial losses to state and federal treasuries, and to the Social Security and Medicare funds, as well as to state unemployment insurance and workers compensation funds. To address these and other concerns, the Labor Department has joined other agencies like the Internal Revenue Service increasingly is challenging employers’ treatment of workers as exempt from FLSA and other legal obligations as independent contractors or otherwise.Whether due to mischaracterization of workers as independent contractors or as common law employees that qualify as exempt under the FLSA rules, the Labor Department increasingly is acting on its promise to go after employers that violate the FLSA based on worker misclassifications.

In 2012, for instance, First Republic Bank paid $1,009,643.93 in overtime back wages for 392 First Republic Bank employees in California, Connecticut, Massachusetts, New York and Oregon after the Labor Department found the San Francisco-based bank wrongly classified the employees as exempt from the FLSA’s overtime and recordkeeping requirements, resulting in violations of the Fair Labor Standards Act’s overtime and record-keeping provisions.  The Labor Department announced the settlement resulting in the payment on November 27, 2012.

The settlement came after an investigation by the Labor Department’s Wage and Hour Division found that the San Francisco-based bank wrongly classified the employees as exempt from overtime, resulting in violations of the FLSA’s overtime and record-keeping provisions.

In announcing the settlement with First Republic Bank, the Labor Department warned employers to confirm the appropriateness of their classification of workers.  “It is essential that employers take the time to carefully assess the FLSA classification of their workforce,” said Secretary of Labor Hilda L. Solis in the Labor Department’s announcement of the settlement. “As this investigation demonstrates, improper classification results in improper wages and causes workers real economic harm.”

The Wang’s Partner Inc and First Republic Bank enforcement actions are not unique.  The Labor Department and private plaintiffs alike regularly target employers that use aggressive worker classification or other pay practices to avoid paying minimum wage or overtime to workers.  Under the Obama Administration, DOL officials have made it a priority to enforce overtime, record keeping, worker classification and other wage and hour law requirements.  See e.g.,  Boston Furs Sued For $1M For Violations Of Fair Labor Standards Act; Record $2.3 Million+ Backpay Order; Minimum Wage, Overtime Risks Highlighted By Labor Department Strike Force Targeting Residential Care & Group Homes; Review & Strengthen Defensibility of Existing Worker Classification Practices In Light of Rising Congressional & Regulatory Scrutiny; 250 New Investigators, Renewed DOL Enforcement Emphasis Signal Rising Wage & Hour Risks For EmployersQuest Diagnostics, Inc. To Pay $688,000 In Overtime Backpay

In an effort to further promote compliance and enforcement of these rules,  the Labor Department is using  smart phone applications, social media and a host of other new tools to educate and recruit workers in its effort to find and prosecute violators. See, e.g. New Employee Smart Phone App New Tool In Labor Department’s Aggressive Wage & Hour Law Enforcement Campaign Against Restaurant & Other Employers.    As a result of these effort, employers violating the FLSA now face heightened risk of enforcement from both the  Labor Department and private litigation.

Health Care Reform Adds Risks, Fuels More Enforcement

The rollout of new health benefit mandates as part of the sweeping reforms enacted under the Patient Protection and Affordable Care Act (ACA) is further expanding the liability of misclassification and the risk of enforcement against employers.

Among other things, the employer mandates of ACA, now delayed until 2015, generally will require employers of 50 or more full-time employees either to provide health coverage meeting the requirements of ACA or pay the “employer penalty” established under Internal Revenue Code Section 4980H.  While the rule now is delayed until 2015, the employment data for 2014 will be used to determine what employees that an employer must take into account for purposes of this rule.  ACA generally relies on the common law employment tests used under the FLSA to make this determination.  It also requires employers provide other rights to workers who are considered common law employees under these rules.

Employers Should Strengthen Practices For Defensibility

 To minimize exposure under the FLSA, employers should review and document the defensibility of their existing practices for classifying and compensating workers under existing Federal and state wage and hour laws and take other actions to minimize their potential liability under applicable wages and hour laws.  Steps advisable as part of this process include, but are not necessarily limited to:

  • Audit of each position current classified as exempt to assess its continued sustainability and to develop documentation justifying that characterization;
  • Audit characterization of workers obtained from staffing, employee leasing, independent contractor and other arrangements and implement contractual and other oversight arrangements to minimize risks that these relationships could create if workers are recharacterized as employed by the employer receiving these services;
  • Review the characterization of on-call and other time demands placed on employees to confirm that all compensable time is properly identified, tracked, documented, compensated and reported;
  • Review of existing practices for tracking compensable hours and paying non-exempt employees for compliance with applicable regulations and to identify opportunities to minimize costs and liabilities arising out of the regulatory mandates;
  • If the audit raises questions about the appropriateness of the classification of an employee as exempt, self-initiation of proper corrective action after consultation with qualified legal counsel;
  • Review of existing documentation and record keeping practices for hourly employees;
  • Exploration of available options and alternatives for calculating required wage payments to non-exempt employees; and
  • Re-engineering of work rules and other practices to minimize costs and liabilities as appropriate in light of the regulations and enforcement exposures.

Because of the potentially significant liability exposure, employers generally will want to consult with qualified legal counsel before starting their risk assessment and assess risks and claims within the scope of attorney-client privilege to help protect the ability to claim attorney-client privilege or other evidentiary protections to help shelter conversations or certain other sensitive risk activities from discovery under the rules of evidence.

For Help With Investigations, Policy Updates Or Other Needs

If you need help in conducting a risk assessment of or responding to an IRS, DOL, Justice Department, or other federal or state agencies or other private plaintiff or other legal challenges to your organization’s existing workforce classification or other labor and employment, compliance,  employee benefit or compensation practices, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469) 767-8872 .

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 23 years of work helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices. The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.   She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


New Final FLSA Rule Gives Home Workers Minimum Wage, Overtime, Other FLSA Protections

September 18, 2013

Health care and other parties employing or otherwise engaging the services of home care workers should review and update their policies and  practices for scheduling, tracking hours worked and paying these workers to ensure that they comply by January 1, 2015 with a new final rule announced by the U.S. Department of Labor’s Wage and Hour Division today (September 18, 2013). Today’s announcement of the regulatory changes means employers of home care workers can expect to see costs rise and also will join most other U.S. businesses that must worry about getting caught in minimum wage and overtime enforcement traps.

New Home Care Worker Rules Effective January 2015

Under the new final rule, the Labor Department extends the Fair Labor Standards Act’s minimum wage and overtime protections to most of the nation’s direct care workers who provide essential home care assistance to elderly people and people with illnesses, injuries, or disabilities beginning January 1, 2015.

The new final rule generally will require that the approximately two million home care workers such as home health aides, personal care aides, and certified nursing assistants will qualify for minimum wage and overtime.  Employers engaging these services also generally will need to keep records and comply with other FLSA requirements with respect to these workers as well.

In anticipation of the rollout of these new protections, the Labor Department is kicking off a public outreach campaign to educate home care workers and their employers about the rule change. The Department will be hosting five public webinars during the month of October and has created a new, dedicated web portal here with fact sheets, FAQs, interactive web tools, and other materials.

The Labor Department’s focus on home workers is an extension of its expanded regulation and enforcement efforts targeting a broad range of health care industry employers. Home care and other health industry employers should act to manage their rising exposures to minimum wage, overtime and other federal and state wage and hour law risks.

The impending change in the treatment of home care workers is part of a larger commitment by the Obama Administration to both expansion and enforcement of the FLSA’s minimum wage and overtime provisions, and a specific program targeting employers in health care and related services industries.

The Obama Administration since taking office has conducted an aggressive campaign seeking to significantly increase the minimum wage under the FLSA and expand other protections.  Along with this proactive regulatory agenda, the Obama Administration also specifically is aggressively targeting health care and other caregiver businesses in its enforcement and audit activities. See, e.g. Home health care company in Dallas agrees to pay 80 nurses more than $92,000 in back wages following US Labor Department investigation; US Department of Labor secures nearly $62,000 in back overtime wages for 21 health care employees in Pine Bluff, Ark.; US Department of Labor initiative targeted toward increasing FLSA compliance in New York’s health care industry; US Department of Labor initiative targeted toward residential health care industry in Connecticut and Rhode Island to increase FLSA compliance; Partners HealthCare Systems agrees to pay 700 employees more than $2.7 million in overtime back wages to resolve U.S. Labor Department lawsuit; US Labor Dnda epartment sues Kentucky home health care provider to obtain more than $512,000 in back wages and damages for 22 employees; and Buffalo, Minn.-based home health care provider agrees to pay more than $150,000 in back wages following US Labor Department investigation.

Violation of wage and hour laws exposes health care and other employers to significant back pay awards, substantial civil penalties and, if the violation is found to be willful, even potential criminal liability.   Because states all have their own wage and hour laws, employers may face liability under either or both laws.   Coupled with these and other enforcement efforts against health and other caregiver businesses, today’s announcement reflects enforcement risks will continue to rise for employers of home care workers.

In light of the proposed regulatory changes and demonstrated willingness of the Labor Department and private plaintiffs to bring actions against employers violating these rules, health care and others employing home care workers should take well-documented steps to manage their risks.  These employers should both confirm the adequacy of their practices under existing rules, as well as evaluate and begin preparing to respond to the proposed modifications to these rules.  In both cases, employers of home care or other health care workers are encouraged to critically evaluate their classification or workers, both with respect to their status as employees versus contractor or leased employees, as well as their characterization as exempt versus non-exempt for wage and hour law purposes.  In addition, given the nature of the scheduled frequently worked by home care givers, their employers also generally should pay particular attention to the adequacy of practices for recordkeeping.

Of course, the home care and health care industry are not the only industries that need to worry about FLSA enforcement.   The Obama Administration is very aggressive in its enforcement of wage and hour and overtime laws generally.  For instance, First Republic Bank recently paid $1,009,643.93 in overtime back wages for 392 First Republic Bank employees in California, Connecticut, Massachusetts, New York and Oregon after the Labor Department found the San Francisco-based bank wrongly classified the employees as exempt from the FLSA’s overtime and recordkeeping requirements, resulting in violations of the Fair Labor Standards Act’s overtime and record-keeping provisions.  The Labor Department announced the settlement resulting in the payment on November 27, 2012.  The  settlement resulted from an investigation by the Labor Department that found the San Francisco-based bank wrongly classified the employees as exempt from overtime, resulting in violations of the FLSA’s overtime and record-keeping provisions.

The FLSA requires that covered, nonexempt employees be paid at least the federal minimum wage of $7.25 for all hours worked, plus time and one-half their regular rates, including commissions, bonuses and incentive pay, for hours worked beyond 40 per week. Employers also are required to maintain accurate time and payroll records.

While the FLSA provides an exemption from both minimum wage and overtime pay requirements for individuals employed in bona fide executive, administrative, professional and outside sales positions, as well as certain computer employees, job titles do not determine the applicability of this or other FLSA exemptions. In order for an exemption to apply, an employee’s specific job duties and salary must meet all the requirements of the department’s regulations. To qualify for exemption, employees generally must meet certain tests regarding their job duties and be paid on a salary basis at not less than $455 per week.

Investigators found that First Republic Bank failed to consider the FLSA’s criteria that allow certain administrative and professional employees to be exempt from receiving overtime pay. In fact, the employees were entitled to overtime compensation at one and one-half times their regular rates for hours worked over 40 in a week. Additionally, the bank failed to include bonus payments in nonexempt employees’ regular rates of pay when computing overtime compensation, in violation of the act. Record-keeping violations resulted from the employer’s failure to record the number of hours worked by the misclassified employees.

“It is essential that employers take the time to carefully assess the FLSA classification of their workforce,” said Secretary of Labor Hilda L. Solis in the Labor Department’s announcement of the settlement. “As this investigation demonstrates, improper classification results in improper wages and causes workers real economic harm.”

 FLSA Violations Generally Costly;  Enforcement Rising

The enforcement record of the Labor Department confirms that employers that improperly treat workers as exempt from the FLSA’s overtime, minimum wage and recordkeeping requriements run a big risk.  The Labor Deprtment and private plaintiffs alike regularly target employers that use aggressive worker classification or other pay practices to avoid paying minimum wage or overtime to workers.  Under the Obama Administration, DOL officials have made it a priority to enforce overtime, record keeping, worker classification and other wage and hour law requirements.  See e.g.,  Boston Furs Sued For $1M For Violations Of Fair Labor Standards Act; Record $2.3 Million+ Backpay Order; Minimum Wage, Overtime Risks Highlighted By Labor Department Strike Force Targeting Residential Care & Group Homes; Review & Strengthen Defensibility of Existing Worker Classification Practices In Light of Rising Congressional & Regulatory Scrutiny; 250 New Investigators, Renewed DOL Enforcement Emphasis Signal Rising Wage & Hour Risks For EmployersQuest Diagnostics, Inc. To Pay $688,000 In Overtime Backpay In an effort to further promote compliance and enforcement of these rules,  the Labor Department is using  smart phone applications, social media and a host of other new tools to educate and recruit workers in its effort to find and prosecute violators. See, e.g. New Employee Smart Phone App New Tool In Labor Department’s Aggressive Wage & Hour Law Enforcement Campaign Against Restaurant & Other Employers.    As a result of these effort, employers violating the FLSA now face heightened risk of enforcement from both the  Labor Department and private litigation.

Employers Should Strengthen Practices For Defensibility

 To minimize exposure under the FLSA, employers should review and document the defensibility of their existing practices for classifying and compensating workers under existing Federal and state wage and hour laws and take other actions to minimize their potential liability under applicable wages and hour laws.  Steps advisable as part of this process include, but are not necessarily limited to:

  • Audit of each position current classified as exempt to assess its continued sustainability and to develop documentation justifying that characterization;
  • Audit characterization of workers obtained from staffing, employee leasing, independent contractor and other arrangements and implement contractual and other oversight arrangements to minimize risks that these relationships could create if workers are recharacterized as employed by the employer receiving these services;
  • Review the characterization of on-call and other time demands placed on employees to confirm that all compensable time is properly identified, tracked, documented, compensated and reported;
  • Review of existing practices for tracking compensable hours and paying non-exempt employees for compliance with applicable regulations and to identify opportunities to minimize costs and liabilities arising out of the regulatory mandates;
  • If the audit raises questions about the appropriateness of the classification of an employee as exempt, self-initiation of proper corrective action after consultation with qualified legal counsel;
  • Review of existing documentation and record keeping practices for hourly employees;
  • Exploration of available options and alternatives for calculating required wage payments to non-exempt employees; and
  • Re-engineering of work rules and other practices to minimize costs and liabilities as appropriate in light of the regulations and enforcement exposures.

Because of the potentially significant liability exposure, employers generally will want to consult with qualified legal counsel before starting their risk assessment and assess risks and claims within the scope of attorney-client privilege to help protect the ability to claim attorney-client privilege or other evidentiary protections to help shelter conversations or certain other sensitive risk activities from discovery under the rules of evidence.

For Help With Investigations, Policy Updates Or Other Needs

If you need help in conducting a risk assessment of or responding to an IRS, DOL, Justice Department, or other federal or state agencies or other private plaintiff or other legal challenges to your organization’s existing workforce classification or other labor and employment, compliance,  employee benefit or compensation practices, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469) 767-8872 .

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 23 years of work helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices. The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.   She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


Cascom Inc. Owner Must Pay Nearly $1.5 M After Company Misclassified Employees As Independent Contractors

August 30, 2013

The owner of a now-defunct Ohio business, Cascom Inc., will pay a heavy price for now defunct Cascom, Inc.’s misclassification of workers as independent contractors and resulting wage and hour and overtime violations.  U.S. businesses, their owners and their leaders should heed the strong warning to employers about the risks of misclassification of workers provided by the judgment and statements included in the Department of Labor (DOL) announcement of the court’s decision and take appropriate steps to audit and correct as necessary worker classification and other practices that Another in the growing tidal wave of judicial and administrative orders and settlements nailing businesses, their owners and management for misclassifications of workers resulting in violations of Federal employment, tax or other laws, the U.S. District Court for the Southern District of Ohio has ordered Cascom Inc. back wages and liquidated damages totaling $1,474,266 to approximately 250 cable installers that the court ruled that the Cascom Inc. misclassified as independent contractors in violation of the Fair Labor Standards Act (FLSA).

The misclassification of employees as something other than employees, such as independent contractors, presents a serious problem for affected employees, employers and the economy. Misclassified employees are often denied access to critical benefits and protections — such as family and medical leave, overtime, minimum wage and unemployment insurance — to which they are entitled. Employee misclassification also generates substantial losses to the Treasury and the Social Security and Medicare funds, as well as to state unemployment insurance and workers’ compensation funds.  To nix these and other concerns, the DOL, Internal Revenue Services, Department of Health & Human Services, Customs & Immigration and other federal agencies increasingly are going after businesses that misclassify workers as non-employees.

Cascom Inc. In A Nutshell

The Cascom Inc. decision is one of a fast-growing list of situations where DOL or other agencies or private plaintiffs obtained judgments or settlements under the FLSA for employers that failed to comply with these FLSA obligations because the business treated workers that under the facts and circumstances were common law employees as independent contractors or otherwise exempt from the FLSA.  See Solis v. Cascom Inc.

The FLSA generally requires that a business pay covered, nonexempt employees at least the federal minimum wage of $7.25 per hour for all hours worked, plus time and one-half their regular rates, including commissions, bonuses and incentive pay, for hours worked beyond 40 per week. Employers also are required to maintain accurate time and payroll records.

For purposes of determining if a worker is an employee protected by the FLSA, the FLSA distinguishes an employment relationship from an independent contractor or other non-employed contractual relationship.  The protections of the FLSA apply only to employees.  An employee — as distinguished from a person who in a business of his or her own — is one who, as a matter of economic reality, follows the usual path of an employee and is dependent on the business that he or she serves. For more information, visit here.

The judgment jointly against Cascom Inc. and its owner, Julia J. Gress, arose following a damages hearing held in connection with a lawsuit originally filed by the U.S. Department of Labor (DOL) in 2009 based on a DOL Wage and Hour Division investigation which found that Cascom Inc. failed to pay overtime and engaged in other FLSA violations as a result of its wrongful classification of workers as independent contractors rather than employees.  The court previously ruled in September 2011 that Cascom Inc. and its owner, Julia J. Gress, violated the FLSA by failing to compensate employees for hours worked in excess of 40 per work week because they were misclassified as independent contractors.

The installers were found to be employees covered by the FLSA, rather than independent contractors. The court found Cascom Inc. liable for $737,133 in back wages and an equal amount in liquidated damages, collectible from both from the company and its owner. Since the litigation began, the company has ceased operations.  Consequently, DOL plans to collect damages from owner Gress.

Employer Misclassification Audits & Enforcement Significant Risk For US Businesses

The prosecution by DOL of Cascom Inc. under the FLSA reflects the increased readiness of the DOL and other agencies to scrutinize and challenge the characterization by a business of workers as independent contractors exempt from the FLSA or other federal requirements on the obligations of an employer to an employee.  DOL and other federal agencies increasingly scrutinize the treatment by employers of a worker as an independent contractor and prosecute employers when DOL determines that FLSA or other legal obligations that the employer violated because the employer misclassified the workers.

Wage and hour laws are only one of a myriad of areas where the Department of Labor, Internal Revenue Service and other federal and state regulators increasingly are scrutinizing worker classifications to uncover violations of applicable law resulting from the mischaracterization of workers as exempt or as non-employee service providers.

The enforcement record of the Labor Department confirms that employers that improperly treat workers as exempt from the FLSA’s overtime, minimum wage and recordkeeping requirements run a big risk.  The Labor Department and private plaintiffs alike regularly target employers that use aggressive worker classification or other pay practices to avoid paying minimum wage or overtime to workers.  Under the Obama Administration, DOL officials have made it a priority to enforce overtime, record keeping, worker classification and other wage and hour law requirements.  See e.g.,  Boston Furs Sued For $1M For Violations Of Fair Labor Standards Act; Record $2.3 Million+ Backpay Order; Minimum Wage, Overtime Risks Highlighted By Labor Department Strike Force Targeting Residential Care & Group Homes; Review & Strengthen Defensibility of Existing Worker Classification Practices In Light of Rising Congressional & Regulatory Scrutiny; 250 New Investigators, Renewed DOL Enforcement Emphasis Signal Rising Wage & Hour Risks For EmployersQuest Diagnostics, Inc. To Pay $688,000 In Overtime BackpayBanks’ $1Million Overtime Settlement Shows Risks of Misapplying FLSA’s Administrative Exemption;  Employer Charged With Misclassifying & Underpaying Workers To Pay $754,578 FLSA Backpay Settlement; $1 Million + FLSA Overtime Settlement Shows Employers Should Tighten On-Call, Other Wage & Hour Practices.

Meanwhile, the Internal Revenue Service (IRS) continues to conduct worker classification audits while encouraging employers to self correct existing payroll tax misclassifications by participating in a new Voluntary Worker Classification Settlement Program (“Settlement Program”) announced in September. However the limited scope of the relief provided makes use of the program challenging for most employers. See New IRS Voluntary IRS Settlement Program Offers New Option For Resolving Payroll Tax Risks Of Misclassification But Employers Also Must Manage Other Legal Risks; Medical Resident Stipend Ruling Shows Health Care, Other Employers Should Review Payroll Practices; Employment Tax Takes Center Stage as IRS Begins National Research Project , Executive Compensation Audits.  

While these and other agencies continue to keep the heat up on employers that misclassify workers, Congress also continues to consider legislation that would further clarify and tighten worker classification rules.  See e.g., Review & Strengthen Defensibility of Existing Worker Classification Practices In Light of Rising Congressional & Regulatory Scrutiny; New IRS Worker Classification Settlement Program and Its Risks

The uptake in worker misclassification related prosecutions is no accident.  In her November 3, 2011 testimony to the House Subcommittee on Workforce Protections Committee on Education and the Workforce, U.S. Labor Department Wage & Hour Division (WHD) Deputy Administrator (WHD) Nancy Leppink confirmed that the Labor Department is joining a growing list of federal and state agencies that are making ending employee misclassification an audit and enforcement priority.  Ms Leppink testified that “employee misclassification is a serious and, according to all available evidence, growing problem” that the Obama Administration is “committed to working to end.”  See Testimony of Nancy J. Leppink, Deputy Wage and Hour Administrator, Wage and Hour Division, U.S. Department of Labor before the Subcommittee on Workforce Protections, Committee on Education and the Workforce, U.S. House of Representatives (November 3, 2011).

Her testimony also makes clear that interagency coöperation and sharing of information among agencies is an increasingly valuable tool to this effort. Ms. Leppink told the Subcommittee that the Labor Department is a part of a multi-agency Misclassification Initiative that seeks to strengthen and coördinate Federal and State efforts to enforce violations of the law that result from employee misclassification.

According to Ms. Leppink, the WHD’s exchange of information about investigations with other law enforcement agencies is as “particularly important with respect to our efforts to combat the violations of our laws that occur because of employees who are misclassified as independent contractors or other non-employees.” On September 19, 2011 the Labor Department and Internal Revenue Service (IRS) signed a Memorandum of Understanding (MOU) to share information about investigations with each other.  The MOU helps the IRS investigate if employers the Labor Department has found in violation of federal labor laws have paid the proper employment taxes. Similarly, the WHD also entered into memoranda of understandings with several state labor agencies that allow the Labor Department to share information about its investigations and coordinate misclassification enforcement when appropriate.

“These agreements mean that all levels of government are working together to solve this critical problem,” she said.

Statements by the DOL in its announcement of its victory in Cascom Inc. confirm that the DOL’s enforcement resolve remains strong.   The DOL sent a clear warning to employers that DOL and other agencies are targeting employers that violate minimum wage and overtime, tax, and other laws by misclassifying workers that are employees as independent contractors in its press release about the Cascom, Inc. ruling, which states:

“The misclassification of employees as something other than employees, such as independent contractors, presents a serious problem for affected employees, employers and the economy. Misclassified employees are often denied access to critical benefits and protections — such as family and medical leave, overtime, minimum wage and unemployment insurance — to which they are entitled. Employee misclassification also generates substantial losses to the Treasury and the Social Security and Medicare funds, as well as to state unemployment insurance and workers’ compensation funds.”.

Employers Urged To Audit & Strengthen Worker Classification Practices

As Federal and state regulators take aim at misclassification abuses, U.S. employers need to review each arrangement where their business receives services that the business treats as not employed by their business, as well as any employees of their business that the business treats as exempt employees keeping in mind that they generally will bear the burden of proving the appropriateness of that characterization for most purposes of law.

To guard against these and other growing risks of worker classification, employers receiving services from workers who are not considered employees for purposes of income or payroll should review within the scope of attorney-client privilege the defensibility of their existing worker classification, employee benefit, fringe benefit, employment, wage and hour, and other workforce policies and consult with qualified legal counsel about the advisability to adjust these practices to mitigate exposures to potential IRS, Labor Department or other penalties associated with worker misclassification.

Review and management of these issues is particularly timely in light of the opening by the Internal Revenue Service (IRS) of a new settlement program for resolving payroll tax issues resulting from misclassification.  Given broader labor and other risks, however, before taking advantage of a new Internal Revenue Service program offering employers the opportunity to resolve potential payroll tax liabilities arising from the misclassification of workers, employers should consider and develop a risk management their overall worker misclassification liability exposures.  See “New IRS Worker Classification Settlement Program and its Risks,” in the January, 2011 issue of the Dallas Bar Journal To read her article, see page 8 of the January, 2012 Dallas Bar Journal here.

For Help or More Information

If you need help with worker classification or other human resources or internal controls matters, please contact the author of this article, Cynthia Marcotte Stamer.  Board Certified in Labor & employment Law by the Texas Board of Legal Specialization,management attorney, author and consultant  Ms. Stamer is nationally and internationally recognized for more than 24 years of work helping private and governmental organizations and their management; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; schools and other governmental agencies and others design, administer and defend innovative compliance, risk management, workforce, compensation, employee benefit, privacy, procurement and other management policies and practices. Her experience includes extensive work helping employers carry out, audit, manage and defend worker classification,union-management relations, wage and hour, discrimination and other labor and employment laws, procurement, conflict of interest, discrimination management, privacy and data security, internal investigation and discipline and other workforce and internal controls policies, procedures and actions.
Widely published on worker classification and other workforce risk management and compliance concerns, the immediate past-Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee and current Co-Chair of its Welfare Plan Committee, Vice Chair of the ABA TIPS Section Employee Benefits Committee,  a Council Representative of the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on management, worker classification, re-engineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press. All other rights reserved.

 

Use New Government Health Care Reform Resources With Care

July 22, 2013

While large employers are getting an additional year to collect data and make other preparations to comply with the “pay-or-play” rules in the shared responsibility provisions of new Internal Revenue Code Section 4980H under the extension announced by the Administration in early July, all employers still have much to do stay on top of the developing rules and make the arrangements necessary to prepare to comply with the current and 2014 federal health plan mandates of the Patient Protection & Affordable Care Act (ACA) and other federal laws.

As the Departments of Health & Human Services, Labor and Treasury continue to refine and roll out guidance implementing these rules, the agencies recently released various updated resources discussing these evolving rules.   Among others, Publication 5093, Healthcare Law Online Resources, lists ACA resources from the IRS, the Departments of Health & Human Services and Labor, and the Small Business Administration.  Meanwhile, IRS.gov and HealthCare.gov also have new ACA webpages.

While these updated resources are intended by the agencies to help acquaint businesses with ACA’s requirements, businesses and the insurers and administrators that offer health benefit services need to keep in mind that these resources have risk and limitations.  As the agencies are continuing to refine the rules, these resources often do not reflect the most current or emerging guidance or status of rules.  Additionally, government provided explanations, model forms and resources often incorporate provisions or interpretations that are biased against the interests of the businesses,  or contain other provisions that may not fully inform the business to all of its options.  Furthermore, because of limitations in jurisdiction and other constraints, guidance issued by an agency or agency that reflects that certain approaches may satisfy the requirements of the rules specifically addressed by the guidance often do not disclose or adequately communicate potential concerns with certain types of actions under other applicable requirements.

For instance,  model exchange notices published by the Department of Labor this Spring to assist employers to provide the notifications about federal exchange coverage options that ACA requires employers distribute by October 1 contain many provisions beyond the content actually required to meet the notice requirements.  The Labor Department in announcing the model notices indicated that its model language includes discretionary provisions which the Department thought some employers might want to include to minimize questions from employees about employer provided benefits that employees interested in pursuing subsidized coverage could be expected to need to apply for subsidies.  While as of now, exchanges and subsidies still are scheduled to come on line January 1, 2014, the Obama Administration extended the employer “pay-or-play” mandate of Code Section 4980 and its associated employer reporting requirements, as well as has established that it does not plan to verify eligibility for subsidies requested by individuals enrolling in exchanges in 2014.  Given this, most employers will want to consider carefully the specific content that they wish to include in the exchange notice as they prepare the notice in anticipation of its distribution in October.Accordingly, all businesses dealing with these issues are encouraged to arrange for comprehensive advice from qualified legal counsel familiar with these requirements and other related human resources, health care, insurance and employee benefit issues.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights  on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices.   Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.  In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally.  A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

For help  with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

“Pay Or Play” Reprieve Still Leaves Employers Facing Challenging 2014 Health Care Reform Deadlines

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


OCR Warns Others Learn From WellPoint’s $1.7 M HIPAA Settlement

July 12, 2013

WellPoint $1.7 M HIPAA Settlement Expensive Lesson On HIPAA Risks Of Leaving PHI Too Accessible In Web-Based Applications

As health plans and health care organizations increasingly jump on the Web-based application bandwagon, managed care company WellPoint Inc. (WellPoint) is learning a $1.7 million lesson about the importance of ensuring Web-based applications and portals that allow access to members or other consumers protected health information (PHI) have the administrative, technical and other security safeguards required by the Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security rules.

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced late yesterday (July 11, 2013) that WellPoint has agreed to pay $1.7 million to settle OCR charges that WellPoint violated the HIPAA Security Rule and left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet by failing to implement appropriate administrative and technical safeguards in its Web-based applications. See WellPoint HIPAA Settlement Press Release.

Web-based application use is increasingly popular among health plans and their wellness programs, as well as health care providers.  Employers and health plans use them both in plan administration and offer them to members to use as member tools.  Health care providers use them for health care operations, as well as patient engagement and communication tools.  The WellPoint settlement illustrates that managed care and other health insurers, health plans and their employer or other sponsors, health care providers, health care clearinghouses (Covered Entities) and their business associates can’t let their enthusiasm for the ease of use of these products to compromise the security of PHI.

Rather, health plans and other Covered Entities, employer and other  health plan sponsors, their business associates, and the Web and other technology developers, providers and consultants marketing products, services or other solutions should learn from WellPoint’s hard lesson by ensuring that current and future Web-based applications, portals and other information system components that are or could be used to provide access to PHI incorporate the Security Rule safeguards both when originally implemented and with each subsequent upgrade.

HIPAA Privacy, Security & Breach Notification Rules Require PHI Safeguards & Other Protections

The Breach Notification Rule added to HIPAA under the Health Information Technology for Economic and Clinical Health, or HITECH Act requires HIPAA-covered entities to notify OCR, affected individuals and the media promptly of a breach of “unsecured protected health information” (UPHI) impacting more than 500 individuals.  For smaller breaches, the Breach Notification Rule still requires prompt notice to affected individuals, but allows Covered Entities to disclose the breach to OCR as part of an annual breach report and to forego notification to the media. UPHI generally includes any PHI, whether or not ePHI that is not either secured or destroyed in the way described by the Breach Notification Rules.

In addition to the Breach Notification Rule, most Covered Entities and their business associates also are subject to state laws or regulations that impose similar or additional breach notification and other standards and responsibilities on the protection of personal health or other data including required notification and other responses following a breach of the security of UPHI or other PHI.

WellPoint’s $1.7 HIPAA Security Mistake

WellPoint’s $1.7 million settlement lesson resulted from an OCR investigation started in response to a breach report WellPoint submitted to comply with the Breach Notification Rules.

According to OCR, the Breach Report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.

OCR says its investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.  According to OCR, WellPoint did not:

  • Adequately implement policies and procedures for authorizing access to the on-line application database;
  • Perform an appropriate  technical evaluation in response to a software upgrade to its information systems; or
  • Have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

As a result, OCR concluded that from October 23, 2009 until March 7, 2010, WellPoint impermissibly disclosed the ePHI of 612,402 individuals by allowing access to their ePHI maintained in the application database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

Under the resulting WellPoint HIPAA Resolution Agreement, WellPoint must pay OCR a $1.7 million settlement payment as well as take a series of corrective actions to correct the deficiencies in its policies and practices that resulted in the reported breach to minimize future risks of breaches resulting from these deficient.

OCR Warns Learn From WellPoint’s Experience

All Covered Entities and their business associates and leaders should heed the lesson sent to them by OCR in announcing the WellPoint settlement and take appropriate steps other to ensure that appropriate policies and safeguards are adopted and applied in selecting and implementing future application or system upgrades, as well as review existing systems to ensure that the security of existing systems and applications have incorporated and apply the requisite safeguards.

OCR made clear that the WellPoint settlement is intended to send a message to Covered Entities and their business associates to ensure that these steps are appropriately taken.  The settlement announcement states:

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet. Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.

The settlement announcement also reminds business associates that OCR will begin holding them directly accountable along with their Covered Entity clients for complying with many HIPAA requirements beginning in September, stating:

Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.

Take Documented Steps To Show You Hear OCR’s Messages

Covered entities and their business associates and leaders, and vendors and consultants offering services or products to them should take care to conduct careful and well-documented reviews and implement corrective actions necessary to show their applications and systems, policies and practices reflect their strong commitment and action to appropriately protect PHI in accordance with the expectations shown by the WellPoint HIPAA Resolution Agreement and other OCR settlements, OCR’s updated HIPAA regulations, and other OCR and industry information.

In addition to the guidance set forth in OCR’s Resolution Agreements with WellPoint and other Covered Entities, revisions to OCR’s Privacy and Security Rules in OCR’s 2013 restatement of its regulations here cause all Covered Entities and their business associates conduct a well-documented reassessment of the adequacy of their existing policies, systems and practices and steps taken to redress any uncovered gaps.

Among other things, the 2013 Regulations:

  • Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
  • Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
  • Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
  • Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the manner required by the 2013 Regulations;
  • Update OCR’s rules about the individual rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act  that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
  • Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.

Covered Entities were required to begin complying with most of these rule changes earlier this year.  However, delayed compliance dates in the 2013 Regulations allowed Covered Entities and Business Associates to delay updates to pre-existing business associate agreements and the date that OCR would begin enforcing many of the HIPAA Rules directly against business associates to September 23, 2013.

Even without the necessity Settlements like that involving WellPoint, these 2013 Regulations make it imperative that Covered Entities to take the necessary steps to conduct an appropriate and well-documented review  and update as needed their systems, policies and practices,  business associate agreements, training and documentation.

With self-disclosures of breaches mandated by the Breach Notification Rules and OCR audits and enforcement rising, careful documentation of these activities and its analysis is necessary so that Covered Entities can be in a position to show OCR that the risk assessments required by the Security Rules was conducted as well as the efforts and commitment of the Covered Entity or business associate in the event of a breach investigation or audit. Yesterday’s WellPoint HIPAA announcement is just the latest in an ever-growing list of examples of the expensive consequences that can result if a Covered Entity or business associate cannot produce this documentation in response to an OCR audit or investigation. See, e.g.  OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other SafeguardsIn contrast, the OCR website also provides a multitude of examples showing how the ability to produce documentation and other evidence showing diligent efforts to comply has helped other covered entities that fall under OCR investigation to avoid or mitigate serious sanctions.

Coupled with statements by OCR about its intolerance, the WellPoint and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions against WellPoint and others, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.  Covered Entities and business associates should document this review in a manner that both reflects the scope and diligence of their activities including relevant considerations and decision-making about identified potential susceptibilities and reasoning about the adequacy of safeguards and other solutions.

Because this review is likely to uncover existing or past deficiencies or breaches, most covered entities and business associates will want to discuss with qualified legal counsel the planned assessment within the scope of attorney-client privilege to understand when and how to conduct the assessment to preserve options to claim attorney-client privilege to protect sensitive work product or discussions that may result in the course of the investigation within the attorney-client communication, work product or other evidentiary privileges, evaluation of the adequacy and appropriateness of the audit and resulting investigations and its documentation, and other assistance in strengthening the defensibility of compliance and risk management activities.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights  on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices.   Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.  In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally.  A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

For help  with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

“Pay Or Play” Reprieve Still Leaves Employers Facing Challenging 2014 Health Care Reform Deadlines

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce

June 14, 2013

Health plans, health care providers, health care clearinghouses (covered entities) and their business associates should confirm their existing policies, practices and training for communicating with the media and others comply with the Privacy Rule requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in light of a Resolution Agreement with Shasta Regional Medical Center (SRMC) announced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights today (June 14, 2013).

Under the Resolution Agreement, SRMC agrees to pay $275,000 and implement a comprehensive corrective action plan (CAP) to settle an investigation that resulted when SRMC used and disclosed protected health information (PHI) of a patient to members of the media and its workforce while trying to do damage control against fraud or other allegations of misconduct involving individual patient information or circumstances.  The Resolution Agreement shows how efforts to respond to press or media reports, patient or other complaints, physician or employee disputes, high profile accidents, or other events that may involve communications not typically run by privacy officers can create big exposures.  While the Resolution Agreement targets a health care provider, the lessons are equally applicable to health plans and health care clearinghouses, who increasingly face their own pressure to communicate with the media and others about enforcement actions, workforce claims and other matters.

Talking Out Of Turn To Media & Others Violated HIPAA

OCR investigated SRMC after a January 4, 2012 Los Angeles Times article reported two SRMC senior leaders had met with media to discuss medical services provided to a patient.  OCR’s investigation indicated that SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review also revealed senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.  Further, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

Among other things, the specific misconduct uncovered by HHS’s investigation indicated that from December 13 – 20, 2011, SRMC failed to safeguard the patient’s PHI from any impermissible intentional or unintentional disclosure on multiple occasions in connection with its response to media coverage arising from a Medicare fraud story including:

  • On December 13, 2011, for instance, OCR reports SRMC’s parent company sent a letter to California Watch, responding to a story about Medicare fraud. The letter described  the patient’s medical treatment and provided specifics about her lab results even though SRMC did not have a written authorization from  the patient to disclose this information to this news outlet.
  • On December 16, 2011, two of SRMC’s senior leaders also met with The Record Searchlight’s editor to discuss the patient’s medical record in detail even though SRMC did not have a written authorization from  the patient to disclose this information to this newspaper.
  • On December 20, 2011, SRMC sent a letter to The Los Angeles Times, which contained detailed information about the treatment  the patient received when, again, SRMC did not have a written authorization from  the patient to disclose this information to this newspaper.

In addition, OCR found SRMC impermissibly used the affected party’s PHI  when on December 20, 2011, SRMC sent an email to its entire workforce and medical staff, approximately 785-900 individuals, describing, in detail,  the patient’s medical condition, diagnosis and treatment. SRMC did not have a written authorization from  the patient to share this information with SRMC’s entire workforce and medical staff.

SRMC Must Correct & Pay $$275K Penalty

Under the Resolution Agreement, SRMC pays a $275,000 monetary settlement and agrees to comply with a CAP for the next year.

The CAP requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.  The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

The Resolution Agreement specifically requires that Shasta Regional Medical Center, among other things:

  • To update policies to include specific policies about sharing PHI with the media, members of the workforce not involved in an individual patient’s care and others to comply with HIPAA;.
  • To provide updated policies to OCR for approval;
  • To provide training documented with certification of all workforce members before allowing them to get access to PHI;

SRMC is one of several Prime Healthcare Services facilities under common ownership and control.  The Resolution Agreement also requires corrective action at these commonly owned facilities including California-based Alvarado Hospital Medical Center in San Diego, Centinela Hospital Medical Center in Inglewood, Chino Valley Medical Center in Chino, Desert Valley Hospital in Victorville, Garden Grove Hospital Medical Center in Garden Grove,  La Palma Intercommunity Hospital in La Palma, Paradise Valley Hospital in National City, San Dimas Community Hospital in San Dimas, Shasta Regional Medical Center in Redding, and West Anaheim Medical Center in Anaheim; Saint Mary’s Regional Medical Center in Reno, Nevada; Pennsylvania based Lower Bucks Hospital in Bristol and Roxborough Memorial Hospital in Philadelphia;and Texas-based Dallas Medical Center in Dallas, Harlingen Medical Center in Harlingen, Pampa Regional Medical Center in Pampa.  Among other things, the Resolution Agreement requires that for each of these related facilities:

  • The CEO and Privacy Officer of each facility must give OCR a signed affidavit stating that they understand that the Privacy Rule protects an individual’s PHI is protected by Privacy Rule even if such information is already in the public domain or even though it has been disclosed by the individual; and that disclosures of PHI in response to media inquiries are only permissible pursuant to a signed HIPAA authorization; and
  • Ensure all members of their respective workforce are informed of this policy.

The Resolution Agreement highlights the difficulty that health care providers and other covered entities often face in properly recognizing and handling PHI in the case of fraud or other disputes.  While health care providers have an understandable wish to defend themselves in the media and elsewhere in response to charges of misconduct, today’s settlement shows that improperly sharing PHI of each patient in the process will make matters much worse. It’s important to keep in mind that just omitting to mention the name or other common identifying information may not overcome this concern because information about a patient can be considered individually identifiable and to enjoy protection under HIPAA where the facts and circumstances would allow another person to know or determine who the individual is, even if the specific name, address or more common identifying information is not shared.

Furthermore, the settlement also makes clear that merely because the patient or some other party has shared the same information with the media or others does not excuse the health care provider or other covered entity or business associate from the obligation to keep confidential the PHI unless it gets proper consent or otherwise can show that an exception to HIPAA applies.

Finally, the Resolution Agreement also makes clear that OCR expects covered entities to connect their HIPAA compliance with other policies and operations and will hold covered entities and associates accountable for properly integrating, training workforce and enforcing compliance with these policies.  While this  means that covered entities and business associates may find themselves in the uncomfortable situation of facing unsavory reports and rumors without the ability to respond, the significant civil and even criminal penalties that can arise from violation of HIPAA make it critical that covered entities exercise discipline in responding to avoid sharing PHI improperly.

The 2013 Regulations Overview

Adding a review and update of HIPAA and other policies for communicating with the media and internally on matters that may involve use or discussions of PHI in unusual contexts outside the purview of typically HIPAA policies is a good idea while health plans and other covered entities and business associates are updating their existing policies and practices for compliance with updated Omnibus HIPAA Rules (2013 Regulations) implementing HITECH Act amendments to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Rulemaking announced January 17, 2013 may be viewed here.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) restrict and safeguard individually identifiable  health care information (“PHI”) of individuals and afford other protections to individuals that are the subject of that information.  The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that OCR found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations.  While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to  its HIPAA Rules. The 2013 Regulations published today fulfill  that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

Among other things, the 2013 Regulations:

  • Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
  • Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
  • Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
  • Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the way required by the 2013 Regulations;
  • Update OCR’s rules about the rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act  that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
  • Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.

Liability & Enforcement Risks Heighten Need To Act To Review & Update Policies & Practices

The new Resolution Agreement and the growing list of others like it, as well as restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks.  OCR even prior to the regulations has aggressively investigated and enforced the HIPAA requirements.

OCR increasingly is imposing  sanctions against a covered entity for data breaches to show the potential risks of HIPAA violations are significant and growing.  OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The SRMC Resolution Agreement again shows the growing risk of enforcement that health care providers, health plans, health care clearinghouses and their business associates face as OCR continues its audits and enforcement, new Omnibus HIPAA Regulations implementing the HITECH Act amendments to HIPAA and state and federal liability grows..  See e.g., $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

As part of this process, covered entities should ensure they look outside the four corners of their Privacy Policies to ensure that appropriate training and clarification is provided to address media, practice transition, workforce communication and other policies and practices that may be covered by pre-existing or other policies of other departments or operational elements not typically under the direct oversight and management of the Privacy Officer such as media relations.  Media relations, physician and patients affairs, outside legal counsel, media relations, marketing and other internal and external departments and consultants dealing with the media, the public or other inquiries or disputes should carefully include and coordinate with the privacy officer both to ensure appropriate policies and procedures are followed and proper documentation created and retained to show authorization, account, or meet other requirements.

For more information about HIPAA compliance and risk management tips, see here.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights  on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices.   Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.  In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally.  A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

For help  with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


Consider OCR Technical Corrections When Updating Privacy Practices & Agreements For Omnibus Restatement of HIPAA Privacy, Security, Breach Notification & Enforcement Rules

June 6, 2013

The Department of Health & Human Services Office of Civil Rights (OCR) on June 6, 2013 released an advance copy of to Technical Corrections  (Technical Corrections) to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notifications Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Rule) previously published on January 25, 2013.  Health plans, health care clearinghouses, health care providers and their business associates will want to be sure to take into account the Technical Corrections as they rush to update business associate agreements, policies, practices, training and other HIPAA compliance to comply with the Omnibus Rule changes by the September 2013 deadline.

Technical Corrections To Omnibus Rule Released

OCR published the Omnibus Rule to implement changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (“the HIPAA Rules”) enacted by the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) and section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008, as well as to address public comment received on the interim final Breach Notification Rule and to other changes to the HIPAA Rules.  The Technical Corrections are scheduled for publication in the Federal Register on June 7, 2013.

The Technical Corrections correct various typographical errors and other oversights in the Omnibus Regulations as originally published.   While many of these corrections have limited material impact, certain corrections do have substantive implications.  For instance, by correcting errors in references to other provisions of the Omnibus Regulations, the Technical Corrections clarify that the authority of OCR to grant an extension of time pursuant to § 160.508(c)(5) for violations before February 18, 2009 also applies to violations occurring on or after February 18, 2009, as there is for violations occurring prior to February 18, 2009.

Health plans, health care clearinghouses and their business associates will need to review and take into account the Technical Corrections as they work to review and update their  policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the Omnibus Rule.

Get Moving To Update HIPAA Compliance For New Omnibus Rule Requirements As Amended By Technical Corrections

Covered entities and their business associates have a lot to accomplish between now and September to update their business associates and comply with other changes made by the Omnibus Rule by its September 2013 deadline. Among other things, the Omnibus Regulations:

  • Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
  • Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
  • Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
  •  Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the way required by the Omnibus Regulations;
  • Update OCR’s rules about the individual rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act  that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
  • Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.

Liability & Enforcement Risks Heighten Need To Act To Review & Update Policies & Practices

The restated rules in the Omnibus Rule make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks.  OCR even prior to the regulations has aggressively investigated and enforced the HIPAA requirements.  See, e.g.,  OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.

Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

All Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights  on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices.   Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.  In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally.  A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

For help  with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


Follow

Get every new post delivered to your Inbox.

Join 528 other followers