Discrimination Rules Create Risks For Employer Reliance On Injunction Of FMLA Rule On Same-Sex Partners’ Marital Status

April 9, 2015

Employers covered by the Family & Medical Leave Act (FMLA) have a temporary reprieve from the obligation to comply with a change to the FMLA regulations’ definition of “spouse” that had been slated to take effect on March 27, 2015 and that requires FMLA-covered employers to recognize certain same-sex relationships as marriages for purposes of the FMLA. The reprieve results from a preliminary injunction order granted by the District Court for the Northern District of Texas in Texas v. U.S., No. 7:15-cv-00056-O, 2015 BL 84253 (N.D. Tex. Mar. 26, 2015). However, as a practical matter, the delay in the implementation of the regulation may present traps for unwary employers in light of federal employment discrimination law rules that prohibit employers from discriminating against employees based on sexual orientation or gender identity.

The preliminary injunction issued by Judge Reed O’Connor of the U.S. District Court for the Northern District of Texas on March 26 enjoins the Labor Department from enforcing a final regulation that would require employers covered by the FMLA to allow workers in legal same-sex marriages to take job-protected leave under the FMLA to care for a seriously ill spouse even if the state where the employee lives or works doesn’t recognize same-sex marriages.

The preliminary injunction resulted from a lawsuit brought by the attorneys general of Texas, Arkansas, Louisiana and Nebraska questioning the validity of the change to DOL Regulation § 825.102 and § 825.122 that expands the definition of the term “spouse” for purposes of the FMLA to include same-sex relationships recognized as marriage under the state law of the location of the marriage celebration.

The Final Regulation redefining the term “spouse” for purposes of the FMLA is one of a host of changes to federal employment, tax, immigration and other regulations and enforcement policies announced by the Obama Administration in response to the Supreme Court’s decision in United States v. Windsor, 133 S. Ct. 2675, 118 FEP Cases 1417 (2013).

In Windsor, the Supreme Court ruled unconstitutional and struck down Section 3 of the Defense of Marriage Act (DOMA), which sought to preclude same-sex couples from being treated as married for purposes of federal law including the FMLA by restricting the definition of marriage for federal law only to relationships between persons of the opposite sex.

If and when implemented, the FMLA Final Regulation will revise the DOL’s FMLA regulations to provide that “Spouse” means

a husband or wife. For purposes of this definition, husband or wife refers to the other person with whom an individual entered into marriage as defined or recognized under state law for purposes of marriage in the State in which the marriage was entered into or, in the case of a marriage entered into outside of any State, if the marriage is valid in the place where entered into and could have been entered into in at least one State. This definition includes an individual in a same-sex or common law marriage that either:

  1. Was entered into in a State that recognizes such marriages; or
  2. If entered into outside of any State, is valid in the place where entered into and could have been entered into in at least one State.

According to the DOL, the adoption of a place of celebration standard for determining marital status in the Final Rule ensures that all legally married employees have consistent FMLA leave rights regardless of where they live. The Department believes that this place of celebration rule will give fullest effect to the purpose of the FMLA to let employees take unpaid, job-protected leave to care for a spouse for an FMLA-qualifying reason. Thus, whether a same-sex or other couple qualifies as married for purposes of the FMLA turns upon whether the couple is in a relationship legally recognized as a marriage in the state in which the ceremony was performed. However, the Final Regulation does not require employers to treat same-sex civil unions, or opposite-sex civil unions, as marriages; as such, employees in civil unions are not guaranteed the right to take FMLA spousal leave, nor do they have the other protections of the Act, including from retaliation. As noted above, an employer may offer an employment benefit program or plan that provides greater family or medical leave rights to employees than the rights established by the FMLA, including voluntarily offering other types of leave for couples in civil unions. In addition, eligible employees in civil unions can take FMLA leave for their own serious health condition, for the birth of a child or the placement of a child for adoption or foster care and for bonding, to care for their child or parent with a serious health condition, and for qualifying military family leave reasons.

In Texas v. U.S., the states jointly argued that the Final Rule unlawfully interferes with state laws that prohibit same-sex marriage and bar recognition of out-of-state same-sex marriages. Explaining his finding that the states had demonstrated a substantial likelihood of prevailing on the merits on their claim that the Final Regulation violates the Full Faith & Credit Clause of the U.S. Constitution, Judge O’Connor wrote, “Congress has not delegated to the Department the power to force states defining marriages traditionally to afford benefits in accordance with the marriage laws of states defining marriage to include same-sex marriages.” Accordingly, Judge O’Connor ordered the Labor Department to stay implementation of the Final Regulation pending a decision on the merits of the states’ claims.

Even as Judge O’Connor issued his preliminary injunction, the Obama Administration was moving ahead to implement new mandates extending sweeping new protections prohibiting government contractors and subcontractors from discriminating against workers based on sexual orientation or gender identity under an Executive Order issued by President Obama that took effect April 8, 2015. See Obama Executive Order’s Prohibition Of Government Contractor Sexual Orientation & Gender Identity Discrimination Creates Challenges For All US Employers. Since the preliminary injunction issued by Judge O’Connor does not apply to that Executive Order, employers contemplating holding off granting FMLA rights to employees involved in same-sex relationships should consult with legal counsel about the potential that such delay, despite Judge O’Connor’s order, might form the basis of employment discrimination claims, government contracting regulation violations or both.

For Advice, Representation, Training & Other Resources

If you need help responding to these new or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, help updating or defending your workforce or employee benefit policies or practices, or other related assistance, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law, Ms. Stamer is a practicing attorney Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, author, public speaker, management policy advocate and thought leader with more than 25 years’ experience advising government contractors and other employers, their management, benefit plans and plan fiduciaries, vendors and service providers and others about OFCCP, EEOC, and other employment discrimination, government contracting compliance, and other workforce and operational performance, compliance, risk management, compensation, and benefits matters. As a part of this involvement, Ms. Stamer throughout her career specifically has advised and represented a broad range of employers across the U.S., their employee benefit plans and plan fiduciaries, insurers, health care providers and others about the implications of DOMA and other rules relating to rights and expectations of LGBT community members and others in federally protected classes under Federal and state employment, tax, discrimination, employee benefits, health care and other laws.

In addition to her extensive client work, Ms. Stamer also is a widely published author, management policy advocate and thought leader on these and other workforce and related matters who shares her experience and leadership in a wide range of contexts. A current or former author and advisory board member of HR.com, Insurance Thought Leadership, SHRM, BNA and several other prominent publications, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, former President of the Richardson Development Center Board of Directors, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, an American College of Employee Benefit Counsel, American Bar Association (ABA) and State Bar of Texas Fellow, Martindale-Hubbell Premier AV Rated (the highest), Ms. Stamer publishes and speaks extensively on these and other staffing and human resources, compensation and benefits, technology, health care, privacy, public policy, and other operations and risk management concerns. As a part of these activities, Ms. Stamer is scheduled to speak about Same-Sex Marriages and Domestic Partnerships: Lessons Learned, Unanswered Questions and Best Practices on May 1, 2015 for the ABA RPTE Section 2015 Spring Symposium in Washington D.C. See also Stamer Talks About “Handling Health Plan Spouse, Dependent & Other “Family” Matters in Post-DOMA World” at SPBA 2014 Spring Meeting. Her publications and insights appear in the ABA and other professional publications, HR.com, SHRM, Insurance Thought Leadership, Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here.

©2015 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.


Obama Executive Order’s Prohibition Of Government Contractor Sexual Orientation & Gender Identity Discrimination Creates Challenges For All US Employers

April 8, 2015

Effective today (April 8, 2015), all U.S. businesses working as government contractors or subcontractors are prohibited from discriminating in employment against lesbian, gay, bisexual and transgender (LGBT) applicants and employees on the basis of sexual orientation or gender identity. While the new LGBT nondiscrimination rules for government contractors and subcontractors imposed by the Executive Order are the latest in a series of changes imposing new obligations for U.S. government contractors and other U.S. employers in their dealings with LGBT workers, all employers of 15 or more employees, not just government contractors, increasingly face employment discrimination risks and other expanding obligations to LGBT workers as a result of evolving judicial precedent and the pro-LGBT rights regulatory agenda of the Obama Administration. As publicity and the Obama Administration’s outreach about the implementation of the new nondiscrimination rules for government contractors and other announcements about these other new federal LGBT employment protections are likely to fuel new claims and demands by workers asserting these new rights, government contractors and all other employers should act quickly to ensure that their policies and benefit programs, as well as compliance and risk management procedures, are properly updated to meet these changing federal rules regarding the employment rights of LGBT workers.

The new federal government contracting prohibition against sexual orientation and gender identity discrimination by federal government contractors is imposed by President Obama’s Executive Order on LGBT Workplace Discrimination, which takes effect today and applies to all federal government contractors and subcontractors regardless of the type of government contract, number of employees or project revenue. The Executive Order’s requirement that government contractors and subcontractors not discriminate based on sexual orientation or gender identity covers every type of new and modified federal contract and every establishment of those contractors and subcontractors – not just the ones directly involved in performing the contract. As a result of the Executive Order, all federal government contractors and subcontractors are prohibited from discriminating against lesbian, gay, bisexual or transgender people in hiring, firing, pay, promotion and other employment practices based on their sexual orientation or gender identity.

The Executive Order’s prohibition against federal contractors and subcontractors discriminating on the basis of sexual orientation and gender identity expressly elevates sexual orientation and gender identity to the same protected status as race, color, religion, national origin, disability and veteran status for purposes of the employment discrimination rules applicable to federal government contractors. While at this point, the Obama Administration rules do not also require federal government contractors and subcontractors to undertake any specific new record keeping, data analysis, goal setting or other similar affirmative action, government contractors and subcontractors of all types and sizes will want to take care to update their nondiscrimination policies and practices to reflect their policy against discrimination based on sexual orientation or gender identity, as well as ensure that their hiring, promotion, compensation and other employment practices and associated documentation are administered and documented to defend against potential discrimination charges based on gender identity or sexual orientation.

While the Executive Order expressly applies only to government contractors and subcontractors, in fact all employers of 15 or more employees increasingly need to be concerned about employment discrimination exposures brought by employees who are, or are perceived to be LGBT individuals, as well as keeping their employment and employee benefit practices compliant with a host of recent federal rule changes on the treatment of LGBT individuals.

On the employment discrimination front, most employers, not just government contractors, need to use care to meet their duty to protect LGBT and others from “gender stereotyping” and same-sex sexual harassment or other sex discrimination in their workplaces recognized by the courts as encompassed in Title VII’s sex discrimination protections.

Under the gender stereotyping theory recognized by the Supreme Court in Price Waterhouse v. Hopkins (1989), for instance, an employer violates Title VII if “X discriminates against Y because X believes that Y does not dress, walk, talk, etc. as members of Y’s gender typically do.” In EEOC v. Boh Bros. Const. Co., LLC, 731 F.3d 444 (5th Cir. 2013), for instance, the Fifth Circuit upheld the Title VII gender stereotyping based sex discrimination claims of an iron worker who claimed his supervisor in the all-male work environment accused him of being gay and subjected him to highly offensive, often sexually explicit verbal and physical harassment for months because the supervisor perceived his behavior was effeminate and did not conform to the supervisor’s idea of how a man should act.

Likewise, the EEOC and courts also have continued to recognize sexual harassment claims based on harassing conduct inflicted by a party of the same sex as the victim plaintiff. For instance, last year the EEOC announced that Wells Fargo Bank, N.A. agreed to pay $290,000 to four female bank tellers and take other corrective action to settle an EEOC sexual harassment lawsuit where the EEOC charged that a female manager and another female bank teller at a Wells Fargo branch in Reno, Nevada sexually harassed the women by making graphic sexual comments, gestures and images; inappropriate touching; and making suggestions to wear sexually provocative clothing to attract customers and to advance in the workplace, which Wells Fargo allegedly failed to act quickly to stop despite complaints about the conduct from the victims.

In addition, government contractors and other U.S. employers also generally need to review and update their employment, employee benefit plans, leave policies and other practices to ensure that they are up to date and defensible in light of the ongoing series of new rules affording new protections for LGBT workers issued by the Obama Administration in the aftermath of the Supreme Court’s ruling the Defense of Marriage Act unconstitutional in Windsor. In the aftermath of Windsor, the Departments of Labor, Veterans Affairs, Treasury, Justice, Homeland Security and other federal agencies modified immigration, family and military leave, employee benefits, and a host of other rules to require both public and private employers and their employee benefit plans to afford marriage-equivalent treatment to workers involved in certain same-sex relationships as well as to extend other LGBT employment and other protections. As a result of these and other expansions in the legal protections of LGBT individuals by the Obama Administration like the Executive Order and these other regulatory and enforcement changes, as well as evolving precedent in the wake of the Windsor decision, all U.S. employers should prepare to meet new legal requirements, as well as rising expectations by members of the LGBT community about their workplace, employee benefits and other rights.

In anticipation of these rising requirements and expectations, all employers including government contractors should engage legal counsel for assistance in reviewing and updating their policies and practices to comply with the evolving federal and state rules on workplace and other rights of LGBT individuals and strategies for appropriately managing the legal risks and other concerns associated with these emerging entitlements and expectations. For government contractors and other employers concerned about discrimination exposures, this discussion generally should include consideration about whether, in addition to updating written policies and procedures, the employer should consider workforce training, communications or other actions to promote workforce compliance with the new policies, minimize the risk that the failure to retrain the workforce might make it easier for potential plaintiffs to use events or policies occurring before the new rules became effective to help bolster post-effective date discrimination claims, and other risk management and compliance procedures.



New Excepted Benefits Final Rule May Allow Some Employers Limited Opportunity To Offer Individually Insured Wraparound Coverage

March 20, 2015

Employers Urged Not To Overestimate When Plan Qualifies As Excepted Or Overlook Other Applicable Federal Mandates

Changes to the definition of “excepted benefits” in Final Excepted Benefit Rules (Rules) published March 18, 2015 by the Departments of Labor, Health and Human Services, and Treasury (Tri-Agencies) might allow some employer and union group health plan sponsors, in limited circumstances, to offer wraparound coverage to certain employees purchasing individual health insurance in the private market, including in the Health Insurance Marketplace without violating the Patient Protection & Affordable Care Act (ACA) if the arrangements are carefully crafted to meet the specific requirements of one of two pilot programs set forth in the Rules.

Employers contemplating or maintaining arrangements that they or their service providers consider excepted benefits should use care to ensure that their arrangements are vetted in light of the latest guidance by experienced, qualified employee benefits counsel knowledgeable in these and other applicable group health plan rules and products, because it is important to meet all of the requirements for qualifying the arrangement as an excepted benefit arrangement under the Rules and other applicable requirements of law to minimize the likelihood that the arrangement produces undesirable unanticipated consequences.

Beyond the new Rules, the Tri-Agencies have published a host of other guidance regarding the arrangements that qualify as excepted benefit arrangements and those that the Tri-Agencies view as not meeting this definition, as well as the implications of these distinctions. This includes guidance that reflects the Tri-Agencies’ concerns that many arrangements promoted by certain brokers or other advisors as qualifying as excepted benefits, alone or in conjunction with other arrangements sponsored or offered by the employer, do not qualify as excepted benefit arrangements, as well as guidance about potential consequences of these arrangements that the promoter or an employer considering these arrangements should fully understand before moving forward. For this reason, employers that already provide, or are interested in providing, health coverage under an employer sponsored arrangement to employees or their dependents enrolled in individual health coverage through the Health Insurance Marketplace or other privately provided individual insurance arrangement are urged to carefully review the proposed arrangement in light of the Rules, as well as to understand the treatment and implication of their proposed arrangement under other applicable Federal group health plan mandates and rules.

As interpreted by the Tri-Agencies, except for excepted benefit arrangements as defined in the Rules, employers generally cannot pay for individual health coverage or offer or provide wrap around or other group health coverage to employees that enroll in individual coverage. The Rules amend the definition of excepted benefits to allow, under very narrow specified conditions, an employer to offer specified limited coverage that wraps around individual health insurance when the employer provided coverage is specifically designed to provide “meaningful benefits” such as coverage for expanded in-network medical clinics or providers, reimbursement for the full cost of primary care, or coverage of the cost of prescription drugs not on the formulary of the primary plan and otherwise fulfills the requirements of the Rules.

The final rules permit group health plan sponsors, only in the limited circumstances identified in the Rules, to offer wraparound coverage to employees who are purchasing individual health insurance in the private market, including in the Health Insurance Marketplace.

The Rules establish two pilot programs where the Rules treat wraparound coverage as an excepted benefit that employers can offer to individuals enrolled in health coverage through the Health Insurance Marketplace:

  • One allows wraparound benefits only for multi-state plans in the Health Insurance Marketplace; and
  • One that allows wraparound benefits for part-time workers who enroll in an individual health insurance policy or in Basic Health Plan coverage for low-income individuals established under the Affordable Care Act. These workers could, under existing excepted benefit rules, qualify for a flexible spending arrangement alternative to this wraparound coverage.

When the requirements of the Rules are met, the Rules allow employers a narrow opportunity to offer certain employees enrolled in individual coverage wrap around health coverage from the employer to enhance that individual coverage.

Because the arrangement must qualify as an excepted benefit arrangement under the Rules, employers also need to fully understand the implications of the excepted health benefit status of the anticipated arrangement under related rules like the Portability Rules of the Health Insurance Portability & Accountability Act (HIPAA), the ACA rules and other relevant laws and arrangements.

Because of the necessity to ensure that any arrangement an employer contemplates offering as an excepted benefit meet all of the required conditions to qualify for that status under the Rules and otherwise meet all other requirements of applicable law, it is important to carefully review any such proposed arrangement with qualified legal counsel.

Most employers contemplating moving forward to implement such arrangements also should consider seeking written opinions of qualified counsel that meets the Internal Revenue Service’s requirements to be a “tax reliance opinion” as well as the written opinion of the broker, insurer or other vendor promoting or endorsing the arrangement.

Employers also should keep in mind that while excepted benefit status may excuse the arrangement from the obligation to comply with certain mandates of ACA, the Portability Rules of the Health Insurance Portability & Accountability Act or certain other rules, these arrangements generally remain subject to the requirements of the Employee Retirement Income Security Act, various Code rules, and a host of other federal rules. As a result, employers should consult with qualified legal counsel about the implications and compliance of these and other health coverage arrangements to ensure that they properly understand all responsibilities and consequences of these arrangements and manage potential responsibilities and liabilities.

Employers and their health plan fiduciaries, administrators, and vendors are reminded that the excepted benefit distinction has implications on other compliance obligations and health plan treatment of the arrangement in question. For instance, excepted benefit coverage typically does not qualify as minimum excepted coverage that an employer can count as providing minimum essential coverage for purposes of the Code Section 4980H employer shared responsibility payment rules or as enrollment by the individual in minimum individual coverage for purposes of the employee avoiding liability for the individual shared responsibility payment.

Beyond ensuring that the proposed wrap around arrangement meets the requirements to qualify as an excepted benefit under the Rules, employers and those working with them on the design or use of these arrangements need to verify that the arrangements and other arrangements of the employer by their terms and in operation comply with other health plan rules and guidance. With regard to dealings with employees who are enrolled in individual policies, employers must keep in mind the Tri-Agencies’ rules prohibiting employer payment or subsidization of the costs of those policies. The Tri-Agencies have made clear that they construe ACA as prohibiting employer payment or reimbursement of the cost of individual health insurance policies (other than excepted benefit only arrangements) covering employees or dependents whether purchased from a Health Insurance Marketplace or otherwise. This prohibition extends to any employer payment or reimbursement arrangement, whether pre-tax or after-tax or on a group or individual basis. See Notice 2015-17 (affirming employer payment plans or other arrangements that reimburse or pay employees for costs of individual health coverage purchased through Health Insurance Marketplaces or private insurance markets are prohibited as previously announced in Notice 2013-54). See also ACA Prohibits Employer Paying Individual Health Premiums For Employees, IRS Says Again.

About the Author

If your business needs legal advice about your health or other employee benefit or human resources practices, assistance assessing or resolving potential past or existing compliance exposures, or monitoring and responding to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.cynthiastamer.com or by registering to receive these and other updates here.  Recent examples of these updates include:

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, an ABA Joint Committee On Employee Benefits Council representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a Fellow in the American College of Employee Benefit Counsel, ABA, and State Bar of Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health plans and insurers about ACA, and a wide range of other plan design, administration, data security and privacy and other compliance risk management policies. Ms. Stamer also regularly represents clients and works with Congress and state legislatures, EBSA, IRS, EEOC, OCR and other HHS agencies, state insurance and other regulators, and others. She also publishes and speaks extensively on health and other employee benefit plan and insurance, staffing and human resources, compensation and benefits, technology, public policy, privacy, regulatory and public policy and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here.

NOTE:  This article is provided for educational purposes.  It does not establish any attorney-client relationship nor provide or serve as a substitute for legal advice to any individual or organization.  Readers must engage properly qualified legal counsel to secure legal advice about the rules discussed in light of specific circumstances. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, or (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.


©2015 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Health Plans, Sponsoring Employers & Others Urged To Act Immediately In Response To Premera, Anthem Blue Cross Breaches

March 17, 2015

Today’s report by Premera Blue Cross of a massive data breach affecting as many as 11 million customers’ personal health and financial information on the heels of the large-scale data breach announcement by fellow Blue Cross Association, Anthem, is another reminder that employers and other health plan sponsors, fiduciaries, insurers specifically, and U.S. businesses generally should immediately assess and tighten up their privacy, data security and data breach compliance and risk management to fulfill applicable legal mandates and to strengthen defenses against resulting liabilities and member backlash likely to arise from these or future breaches.

Notice of the Premera and Anthem breaches is likely to trigger obligations for health plans and their sponsoring employers or unions, administrators, insurers, and other vendors and service providers to take immediate steps to conduct documented investigations, take corrective action and provide the breach notifications that the Privacy, Security and Breach Notification rules of the Health Insurance Portability & Accountability Act require health plans and their business associates to provide in response to notice of a breach. Depending on the scope and nature of data affected and their involvement with the affected plans, employer or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under applicable contracts and policies, the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code, and a host of other laws.  Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security, or other federal or state laws.  See, e.g., Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates.

The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches.  The occurrence of these breaches arguably raises questions about the adequacy of the safeguards, practices and policies of other health plans and insurers, their sponsors and fiduciaries, insurers, administrators and other vendors.  Health plans, their sponsors, fiduciaries, administrators, insurers and other vendors generally will want to make prudent documented inquiries about the adequacy of their health plan’s data security and privacy safeguards in anticipation of potential future breaches, audits or other scrutiny.

Beyond the specific health plan related concerns, most businesses also will want to consider the adequacy and defensibility of the data collection, use, disclosure, security and other practices affecting sensitive data within or on behalf of their organization.  The report of these and other health plan breaches, as well as recent reports of identity theft and other fraud impacting federal tax returns and other large data breach reports involving retailers and other prominent businesses, are spurring recognition of the large risks and the need for greater scrutiny and accountability in business collection, use, and protection of sensitive personal and other data.

Of course, as in the case of health plans, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities.  These new technologies and practices are fueling a host of new mandates, opportunities and risks for virtually every U.S. business.  Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.

With everyone from the Internal Revenue Service and other federal and state government agencies to private business partners pushing to leverage the efficiencies and other opportunities of electronic transactions and data, businesses in the US and around the world increasingly are encouraged if not required to conduct more and more transactions containing sensitive business and individual tax information, personal financial information, personal health information, trade secrets and other confidential business and personal information electronically.  Meanwhile, big data and other business and marketing gurus also encourage businesses to leverage their own opportunities to use data collected for these business mandates and expanding technology to collect, use and repurpose customer, prospect or other business information collected in the course of business to benefit their business’ marketing, transactional and other opportunities.

As these practices take hold and expand, data breaches and other cyber crime events, along with the legal requirements and risks of collection and use of data, also are growing.  Privacy, identity theft and other cyber crime and other concerns have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations including but not limited to the Fair & Accurate Credit Transaction Act (FACTA), the Gramm-Leach-Bliley Act, the HIPAA Privacy & Security Rules, state identity theft, data security and data breach and other electronic privacy and security laws and an ever-growing plethora of others.

As the cyber crime epidemic continues to grow, with notorious breaches and schemes involving the Internal Revenue Service, Veterans Administration, retail giants like Target, Home Depot, and others, and insurance giants like Anthem and Premera and others, government and private enforcement is rising and the judgments, penalties and other costs are soaring even as federal and state regulators are looking at the need for expanded rules and penalties.  See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities & Statistics. In addition, widening data privacy and security concerns from these massive data breach reports also are prompting Congress and State regulators to consider the need for added reforms. See McCaul to Hold Hearing on President’s Cybersecurity.  Indeed, even before news of the Premera breach broke, the Federal Trade Commission today announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.

While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses already affected illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.

The now notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between November 27 and December 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before, despite having announced plans to invest $100 million upgrading their payment terminals to support Chip-and-PIN enabled cards and millions of dollars more in rectification efforts. See The Target Breach, By the Numbers. Subsequently, Target’s losses have continued to mount even as it now faces lawsuits and other enforcement actions as a result of the breach. See Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue. Meanwhile, the enforcement and other fallout continues to evolve.

While businesses generally need to tighten their defenses and compliance, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens.  The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards to prevent and respond to breaches of protected health information.  In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible and usually no later than 30 days after the health plan knows or has reason to know of the breach.  Significant civil and even criminal penalties can apply if a health plan, health insurer or its business associate fails to fulfill these obligations.

Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have other less-realized responsibilities.  As health plan data often includes payroll and other tax data, employers, the health plans and other parties involved also may have specific responsibilities under the Internal Revenue Code or other laws.   To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises discretion and control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action to meet fiduciary obligations of ERISA.  Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws.  Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, health care providers and others involved with the health plan.

In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to the breaches reported.  Along with these specific health plan related responses, businesses also should assess the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever vigilant for new requirements, as well as weaknesses in their own practices.  Health plans specifically and businesses generally need to build their defenses in anticipation of these events both to withstand government and private litigation and enforcement, and to survive the harsh judgment of public opinion.

For Help With Risk Management, Compliance & Other Management Concerns

If you need assistance in responding to a health plan breach concern or with auditing or assessing, updating or defending your organization’s compliance, risk management or other  internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469) 767-8872.

Scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights, a faculty and steering committee member for the Southern California ISSA-HIMSS Health Care Privacy Program, Board Certified in Labor & Employment Law, and a Fellow in the American College of Employee Benefits Counsel recognized as a “Top 100” lawyer in labor and employment, employee benefits and health care law, Ms. Stamer is nationally recognized for her work, publications, public speaking and education and other leadership on privacy and data security and other risk management and compliance.

A management attorney who works with businesses and government to manage and redress people, process and risk, Ms. Stamer has worked extensively on data and other privacy risk management and compliance.  Throughout her more than 25 year career, she has conducted investigations and advised and assisted health care, insurance, retail and a broad range of other public and private organizations with privacy and data security audit and risk management, contracting, investigation, defense and remediation.

Past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, current Co-Chair of the RPTE Welfare Benefit Committee and Vice Chair of the ABA TIPS Employee Benefits Committee, Ms. Stamer works, publishes and speaks extensively on cyber crime and other privacy, management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the ABA, Insurance Thought Leadership, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications.

As part of her extensive involvement in privacy and data security concerns, Ms. Stamer will be among the panelists discussing “Fiduciary Obligations In the Context of a Data Breach” during a conference call to be hosted on April 2, 2015 by the Fiduciary Responsibility Committee of the American Bar Association (ABA) Real Property Probate and Estate Section Employee Benefits & Other Compensation Group.  During the program, Ms. Stamer and other panelists will discuss the quagmire of fiduciary legal and operational challenges that data breach announcements by health plan vendors and insurers present for employer and union-sponsored health plan fiduciaries and health plans.  She also will serve as the scribe for the upcoming ABA Joint Committee On Employee Benefits Annual Agency Meeting with the Federal agency that enforces HIPAA, the Office of Civil Rights, and is 2014 Conference Chair and steering committee and faculty member of the Southern California ISSA/HIMSS Healthcare Privacy & Security Summit scheduled for June 4, 2015 in Los Angeles.

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.  For information about participation in the April 2 Conference Call or joining the Committee, see here.


©2015 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Out-Of-Date, Unpatched Software Triggers HIPAA Security Sanction

December 11, 2014

Health plans, health care providers, health care clearinghouses (covered entities) and their business associates need to watch for and protect protected health information (PHI) against security exposures from unpatched or unsupported software and other weaknesses in their data security protections as part of their compliance obligations under the Security Rules of the Health Insurance Portability & Accountability Act (HIPAA).

The need to monitor and address data security threats associated with unpatched or unsupported software is demonstrated by the December 9, 2014 announcement by the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR) that Anchorage Community Mental Health Services (ACMHS) will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program resulting from unpatched and unsupported software.

OCR opened an investigation against the five-facility, nonprofit provider of behavioral health care services to children, adults, and families in Anchorage, Alaska after receiving notification from ACMHS of a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources.

According to the OCR announcement of the ACMHS Resolution Agreement with OCR, OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but failed to follow these procedures. Moreover, OCR found that the reported security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

In an effort to promote awareness of the need to assess and monitor the security of ePHI by covered entities and business associates, OCR continues to encourage covered entities and business associates to conduct regular documented evaluations of the adequacy of their ePHI safeguards and systems. To aid in this process, OCR and the Office of the National Coordinator for Health Information Technology have created a Security Rule Risk Assessment Tool available here to assist organizations that handle PHI in conducting a regular review of the administrative, physical and technical safeguards they have in place to protect the security of the information. Since OCR points to the Tool as a resource, covered entities and business associates should anticipate that their failure to identify and address any deficiencies in the areas identified by the Tool could be treated as a potentially serious compliance issue. As a result, covered entities and business associates likely will want to take steps to ensure that their records include documented review of the adequacy of the security safeguards identified in the Tool. At the same time, covered entities and their business associates should not assume that the Tool adequately covers all potential HIPAA Security Rule exposures. OCR has made clear in this and other Resolution Agreements that HIPAA’s Security Rule requires ongoing monitoring and assessment of the adequacy of security in response to changes in software or systems, emerging threats and other developments.

For Advice, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.


You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:


NOTE:  This article is provided for educational purposes.  It does not establish any attorney-client relationship nor provide or serve as a substitute for legal advice to any individual or organization.  Readers must engage properly qualified legal counsel to secure legal advice about the rules discussed in light of specific circumstances.

The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations.  The Regulations now require that either we (1) include the following disclaimer in most written Federal tax correspondence or (2) undertake significant due diligence that we have not performed (but can perform on request).

ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, or (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


Check Out Updated Kaiser Calculator For 2015 Zip Code-Specific Premium and Tax Credit Estimates for Health Marketplace Coverage

November 13, 2014

The Kaiser Family Foundation has announced that its updated Health Insurance Marketplace Calculator now includes zip code-specific data on 2015 health plans that are being sold through the Patient Protection & Affordable Care Act’s (ACA’s) insurance marketplaces during the open enrollment period that begins this Saturday, November 15.

Kaiser says the new tool allows consumers around the nation  to generate estimates of their health insurance premiums and government subsidies for 2015 plans that they purchase on their own through an ACA marketplace. The estimates are based on zip code, household income, family size and ages of family members. The calculator also helps consumers determine whether they could be eligible for Medicaid.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry, insurance, technology and other clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to OCR Privacy and Civil Rights, DOL, IRS, SEC, insurance department and other investigation and enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.  
In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

For the past four years, Ms. Stamer has served as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.


Ebola Scare & New OCR Privacy Guidance Reminder To Prepare For Pandemic & Other Emergencies

November 11, 2014

The recent US Ebola scare provided an important reminder to health care providers, health insurers and health plans, health care clearinghouses, employers and others of the importance of understanding and preparing to deal with health care privacy and other challenges arising from epidemics and other emergencies. In response to the recent Ebola and other contagious disease outbreaks and just as U.S. health care and other business leaders are working to prepare for the biggest contagious disease time of the year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reminding health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates that the privacy rules of the Health Insurance Portability & Accountability Act (HIPAA) requiring Covered Entities and their business associates to limit the use, access and disclosure of patients’ protected health information (PHI) continue to apply during emergency situations, and is helping them understand when HIPAA allows them to share PHI in emergency situations, in a new notice titled “HIPAA Privacy in Emergency Situations” (Guidance) published November 10, 2014. A business associate of a covered entity (including a business associate that is a subcontractor) also must continue to comply with HIPAA and may only make disclosures permitted by the Privacy Rule on behalf of a Covered Entity or another business associate to the extent authorized by its business associate agreement and consistent with HIPAA’s requirements. With annual flu season approaching and the Ebola and other pandemic issues still circling, it’s time for all organizations to prepare to respond to these and other emergencies including the special privacy and other concerns they often raise.

Sharing Patient Information

The Guidance begins by reminding Covered Entities and their business associates that HIPAA’s Privacy Rule continues to apply in emergency situations. The Privacy Rule requires Covered Entities to protect patients’ protected health information and prohibits their use, access or disclosure of it except as allowed by HIPAA, unless the patient authorizes the Covered Entity to disclose the PHI in accordance with HIPAA’s requirements for authorization set forth in 45 CFR 164.508.

The Guidance then goes on to discuss the following circumstances in which the HIPAA Privacy Rule might allow Covered Entities to share PHI without getting patient authorization, subject to the reminder that in many cases, HIPAA will require that the Covered Entity limit the disclosure to the minimum necessary for the allowable purpose and require other conditions to be fulfilled:

  • Treatment.

Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.

  • Public Health Activities.

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

  • To Or At The Direction Of A Public Health Authority.

The HIPAA Privacy Rule allows Covered Entities to share protected health information with Public Health Authorities authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability like the Centers for Disease Control and Prevention (CDC) or a state or local health department. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.

The HIPAA Privacy Rule also allows Covered Entities to share information at the direction of a public health authority:

    • To a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i); and
    • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).

  • Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification.

The HIPAA Privacy Rule allows a Covered Entity to share protected health information:

    • With a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
    • About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death including where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).

The Guidance reminds Covered Entities, however, that the Privacy Rule requires the Covered Entity to get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible. If the individual is incapacitated or not available, the Guidance states Covered Entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

The Guidance also confirms that Covered Entities may share protected health information with disaster relief organizations authorized by law or by their charters to assist in disaster relief efforts like the American Red Cross for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

  • Imminent Danger

The Guidance also states that Covered Entities that are health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j).

  • Disclosures to the Media & Others Not Involved in the Care of the Patient/Notification

The Guidance also reminds Covered Entities of the importance of closely adhering to HIPAA’s rules when responding to information requests from the media or others not involved in the care of a patient. The Guidance states that when the media or another party not involved in the patient’s care asks the Covered Entity for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a). In general, except in the limited circumstances authorized in the HIPAA Privacy Rule, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

  • Minimum Necessary Restriction Requirement

The Guidance cautions Covered Entities and their business associates that for most disclosures, a Covered Entity generally must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. However, this minimum necessary requirement does not apply to disclosures to health care providers for treatment purposes.

Covered Entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary when making disclosures in response to a request from those parties. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.

  • Required Internal Restrictions On Use, Access & Disclosure

Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).

Safeguarding Patient Information

Beyond limiting the use, access and disclosure of PHI, the Guidance also reminds Covered Entities and their business associates that even in emergency situations, HIPAA continues to require them to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures as well as to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.

Limited Waiver

Although HHS has yet to take steps to trigger a limited waiver, the Guidance also reminds Covered Entities and their business associates that HHS has the power to do so, and of the effect of a limited waiver and the circumstances under which HHS could elect to apply a limited waiver to waive sanctions against a hospital for certain specific types of HIPAA violations while the waiver is in effect.

As the Guidance notes, the HIPAA Privacy Rule is not suspended during a public health or other emergency. Rather, the limited waiver rules only operate to permit the Secretary of HHS to waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. The limited waiver only applies when the President declares an emergency or disaster and HHS declares a public health emergency. When and if these requirements are met, HHS may waive sanctions and penalties against a Covered Entity that is a hospital for failing to comply with the following HIPAA Privacy Rule provisions:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

If the Secretary issues such a waiver, Covered Entities and their business associates should keep in mind that the waiver only applies to the listed violations and only applies:

  • For so long as the waiver remains in effect;
  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Not Necessarily Just About HIPAA

HIPAA is not necessarily the only law that Covered Entities, business associates or others need to consider when deciding what to disclose during an emergency or otherwise. The HIPAA Privacy Rule applies to disclosures made by Covered Entities, business associates, and employees, volunteers, and other members of a Covered Entity’s or Business Associate’s workforce. The Privacy Rule does not apply to disclosures made by entities or other persons who are not Covered Entities.

Beyond HIPAA, Covered Entities, their business associates or members of their workforce, employers, and other organizations also need to consider whether other federal or state laws, ethical rules, contracts or policies may restrict use or disclosure, or require them to safeguard or take other steps to protect PHI or other information. For instance, other federal laws, state law, professional ethical rules, contracts, facility policies or procedures, or other restrictions often apply to health care providers, insurers, brokers, employers or others. Employers, health care organizations, insurers and others also need to be concerned about potential discrimination, common law and statutory privacy, retaliation, defamation and other exposures.

Prepare For Compliance Now

The recent experiences of various health care organizations intimately involved in caring for the Ebola patients highlight the importance of anticipating, preparing and conducting training, and having your workforce practice to prepare to deal with the special challenges of dealing with HIPAA and other legal responsibilities in advance of emergency events. When preparing for these events, Covered Entities and business associates need to take into account the need to comply operationally as well as to document and retain records of compliance. They should anticipate and prepare to respond to both typical inquiries and those from the media, public and others. They also should consider how various types of emergencies could create new privacy or security risks. For instance, in certain emergency situations, recordkeeping or other systems could be disrupted, impacting the ability to retain and subsequently produce required documentation. Furthermore, Covered Entities also should prepare to manage the patient and public relations aspects of these events including adverse impressions that often arise when the media or others are disappointed at being denied information because of compliance obligations, from breaches or perceived breaches, or other similar events.


