ONC HIPAA Security Risk Assessment Tool Intended To Help Covered Entities Assess Compliance

March 31, 2014

Health care providers, health plans, health care clearinghouses and their business associates Health Insurance Portability and Accountability Act (HIPAA)  should check out the new  Security Risk Assessment (SRA) Tool (Tool)  application from the Office of the National Coordinator for Health IT (ONC).  ONC says the Tool will help users take a self-directed tour of and assess compliance with the HIPAA Security Rule more understandable and security risk assessments easier. The Tool includes:

  • Context sections to help understand potential threats, vulnerabilities, and impacts
  • Examples of safeguards that could be instituted
  • Ability to export the report as an Excel or pdf document to share or analyze the information in a convenient format.

Download the Windows version of the tool at http://www.HealthIT.gov/security-risk-assessment or the iOS iPad version from the Apple App Store (search under “HHS SRA Tool”).

Public comments on the SRA Tool will be accepted at http://www.HealthIT.gov/security-risk-assessment until June 2. ONC says it will use comments to improve the SRA Tool in future update cycles.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


List of Countries Excluded From Foreign Earned Income Exclusion Minimum Time Requirements Published

March 24, 2014

Revenue Procedure 2014-25 has the list of countries for tax year 2013 for which the minimum time requirements are waived  for purposes of the foreign earned income exclusion.  It will be formally published in Internal Revenue Bulletin 2014-15 on April 7, 2014.

 For Representation, Training & Other Resources

If you need assistance monitoring or responding to these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


Some Sponsors Should Act by 3/31 To Withdraw Individually-Designed Cash Balance Plan Approval Request

March 19, 2014

Employer or other sponsors of individually-designed cash balance plans who have pending Cycle C determination letter applications pending before the Internal Revenue Service (IRA) seeking approval of the qualification of their individually-designed plan who now prefer instead to adopt a pre-approved cash balance plan should act quickly to withdraw their pending application.  The IRS has announced that these parties can get a refund of the application fee paid for the individually-designed plan application by signing the Form 8905, Certification of Intent to Adopt a Pre-approved Plan , by March 31, 2014 and withdrawing their pending applications for individually designed cash balance plans by May 31, 2014 in accordance with the instructions set forth later in this article.

Background

Announcement 2014-4 extended the submission period for pre-approved defined benefit pension plans from January 31, 2014, to February 2, 2015, to allow time for the IRS to expand the pre-approved program to let plans with cash balance features. The announcement also allowed Cycle C plan sponsors who want to adopt a pre-approved cash balance plan to complete and sign a Form 8905, Certification of Intent to Adopt a Pre-approved Plan by March 31, 2014, instead of submitting determination letter applications for individually designed plans by the Cycle C deadline of January 31, 2014.

Withdrawals for Cycle C Applicants For Individually-Designed Cash Balance Plan Approval

Cycle C applicants who already submitted their applications for individually-designed cash balance plans during the second Cycle C remedial amendment cycle that ended January 31, 2014, and who instead wish to adopt a pre-approved cash balance plan, may sign the Form 8905, withdraw the application, and request a refund of the user fee by complying with the instructions below.

The IRS says that a request for return of A Cycle C determination letter application and a refund of the user fee must be made in writing and  postmarked (or faxed) by May 31, 2014 to:  Internal Revenue Service 550 Main Street Cincinnati, OH 45202 Attn:  Joyce Heinbuch.  Correspondence sent via Fax should be sent to the attention of Ms. Heinbuch at (513) 263-4699 (not a toll-free call).

The written request must include:

  • the name of the plan sponsor
  • plan number
  • EIN
  • the document locator number, if known (shown on your IRS acknowledgement letter)
  • the following statement in bold letters: “Per Announcement 2014-4, we are withdrawing this application in order to submit under the pre-approved program.”

For additional information and resources, see   Deadline Extended For Pre-Approved Defined Benefit Plans and FAQs on Withdrawing Cycle C Applications or contact your preferred employee benefit attorney.

 For Representation, Training & Other Resources

If you need assistance monitoring or responding to these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


HHS Extends Health Plan Certification of Compliance Comment Period

March 18, 2014

The Department of Health and Human Services (HHS) has extended the comment period for the proposed rule, “Administrative Simplification: Health Plan Certification of Compliance” to April 3, 2014 in hopes of receiving additional input from third party administrators (TPAs) and self-insured plans.

HHS is now accepting public comments on the proposed rule through April 3, 2014.

The Certification of Compliance for Health Plans proposed rule is different from previous Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification regulations because it affects more and different types of entities.

For example, many third party administrators, self-funded health plans, and group health plans that have not been impacted by previous HIPAA Administrative Simplification requirements will be affected by this rule, even if they do not directly conduct HIPAA covered transactions.

The proposed rule would require controlling health plans to submit documentation on or before December 31, 2015. It would also establish penalty fees for a controlling health plan that fails to comply with the Certification of Compliance requirements.

HHS says the goal of the extension of the comment period is to provide self-insured health plans and their TPAs time to understand and offer feedback on the business impacts of the Certification of Compliance proposed rule. HHS encourages these entities to submit feedback so that their comments and suggestions can be considered during the policy-making process.

The proposed rules will require self-insured health plans and their TPAs to incur financial and operational expense to implement the necessary technology, data collection and other arrangements to come into compliance with the proposed rules.  To help minimize these burdens to the extent possible, these and other concerned parties should review the rules and share their concerns and input as soon as possible.  Accordingly, self-insured health plans, their sponsors, TPAs and advisors should review the proposed rules and provide relevant input as soon as possible and no later than the extended April 3, 2014 due date.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments

March 16, 2014

Health Department HIPAA Violations Cost County $250,000, Requires Sweeping HIPAA Reforms

Hear Update On Resolution Agreement & Other New HIPAA Developments At 3/18 North Texas Healthcare Professionals Association Meeting

Skagit County, Washington will pay a $215,000 monetary settlement and work closely with the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to correct deficiencies in its HIPAA compliance program to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules by the Skagit County Public Health Department (Health Department) under a Resolution Agreement announced by OCR on March 7, 2014.  The Resolution Agreement makes clear the need for health care providers, health plans, health care clearinghouses and their business associates to update and maintain their policies and practices in compliance with the constantly evolving OCR guidance and resolution agreements, as well as to timely investigate and report breaches.   Interested persons are invited to hear a briefing on a series of new developments including this latest Resolution Agreement at the March 18, 2014 North Texas Healthcare Professionals Association Meeting.

OCR investigated the Health Department after receiving a breach report that unknown parties accessed money receipts with electronic protected health information (ePHI) of seven individuals after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

OCR reports its investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information about the testing and treatment of infectious diseases.

OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

Specifically, the Resolution Agreement between OCR and the Health Department states that OCR found the following conduct occurred (“Covered Conduct”).

  • From approximately September 14, 2011 until September 28, 2011, Skagit County disclosed the ePHI of 1,581 individuals in violation of the Privacy Rule by providing access to ePHI on its public web server;
  • From  November 28, 2011 until present, Skagit County failed to provide notification as required by the Breach Notification Rule to all of the individuals for whom it knew or should have known that the privacy or security of the individual’s ePHI had been compromised as a result of the breach incident;
  • From April 20, 2005 until present, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations;
  • From April 20, 2005 until June 1, 2012, Skagit County failed to implement and  maintain in written or electronic form policies and procedures reasonably designed to ensure compliance with the Security Rule; and
  • From April 20, 2005 until present, Skagit County failed to provide security awareness  and training to all workforce members, including its Information Security staff members, as necessary and appropriate for the workforce members to carry out their functions within Skagit County.

To resolve OCR’s allegations of these breaches, Skagit County agrees under the Resolution Agreement to pay HHS $215,000.00 and to ensure that the Health Department implements a series of corrective actions.  Among other things, the Resolution Agreement requires that the Health Department:

  • Provide substitute Breach Notification to individuals not previously notified of the breach of their ePHI in accordance with the Resolution Agreement
  • Revise to the satisfaction of OCR and adopt revised accounting for disclosure, hybrid entity designations, policies on safeguarding PHI, including its sample business associate agreements;
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered health care components of Skagit County as identified in its hybrid entity documentation approved by HHS and implement security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.
  • Create and revise, as necessary, written policies and procedures for its covered health care components to comply with the Federal standards that govern the privacy, security, and breach notification of individually identifiable health information;
  • Comply with strict workforce training requirements;
  • Notify and OCR of the occurrence of some reported breaches, its investigation and corrective actions;
  • Provide a summary of the reported events and the status of any corrective and preventative action relating to all such Reportable Events; and
  • Provide OCR with an attestation signed by an officer of Skagit County attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

In addition to bringing its policies and practices up to date with OCR regulations in effect at the time of the breach that resulted in the Resolution Agreement, the Health Department also will have to update its policies and practices to meet changes to OCR’s HIPAA rules that have taken effect since the breach under the revised rules published by OCR in its Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013 as well as a series of recently issued OCR rules such as the following:

Covered Entities & Business Associates Should Review & Tighten Practices in Response To Resolution Agreement & Other New Guidance

Other covered entities and their business associates should carefully evaluate and tighten their existing practices in response to the Resolution Agreement and other recent guidance.  In the past, OCR officials have stated it expects that other health care providers, health plans, health care clearinghouses and their business associates will review resolution agreements like this one along with other emerging OCR guidance and update their practices as necessary to address concerns within their own organization that might be similar to those reflected in the applicable resolution agreement.  The Resolution Agreement documents this expectation by specifically incorporating this requirement as part of its terms.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

Hear Stamer’s Update On Resolution Agreement & Other New HIPAA Developments At 3/18 North Texas Healthcare Professionals Association Meeting

Scribe for the American Bar Association Annual Agency Meeting with OCR for the fourth year, attorney Cynthia Marcotte Stamer will overview these and other HIPAA developments when she presents “Tutoring On OCR’s Latest HIPAA Homework” at the North Texas Healthcare Professionals Association Study Group Luncheon on Tuesday,  March 18, 2014 from 11:30 p.m. to 1:00 p.m. at the offices of the Dallas Ft Worth Hospital Council, 250 Decker Drive, Irving, TX 75062-2706.  A complimentary luncheon will be served to guests to who register in advance.  There is no charge to particulate but space is limited.  RSVP here by Noon on March 17, 2014.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


NLRB Helps Union Force Another Health Care Employer To Recognize & Bargain With Union

March 13, 2014

Hospitals, skilled nursing and other health care organizations need to be concerned about union organizing of their employees in light of the growing success of unions with the aid of the pro-union support and agenda of the National Labor Relations Board (NLRB) under the Obama Administration’s leadership. The Administration’s goal of telling health care providers what to do extends well beyond Medicare and Medicaid into their workforce and terms and conditions of employment.

On February 21, 2014, for instance, the Obama Administration helped the Service Employees International Union (the Union) force Holy Cross Youth and Family Services, Inc., d/b/a Kairos Healthcare (the Employer), a provider of drug and alcohol rehabilitation services, to recognize and bargain with the over terms and conditions of employees with the Union by securing a court order forcing the employer to recognize and bargain with the Union.

Ruling in a lawsuit filed by the NLRB against the Employer on February 21, a federal court judge for the Eastern District of Michigan ordered upheld the allegations made in August 23, 2013 by the National Labor Relations Board (NLRB) Detroit, Michigan Regional Office that the Employer violated the National Labor Relations Act when it withdrew recognition from Local 517M, made unilateral changes to employees’ terms and conditions of employment without affording the Union an opportunity to bargain over those changes, and failed to provide relevant information to the Union to help in its bargaining with the Employer on behalf of the employees.

The Regional Office sought, and the Board authorized, seeking interim injunctive relief to return the parties to the bargaining table pending final resolution of the matter, to require the Employer to provide the Union with the information it requested and, upon request, to rescind the unilateral changes made to employees’ terms and conditions of employment.

On February 21, 2014, the District upheld the Regional Office’s action. It ruled that an interim injunction was appropriate to prevent loss of Union support, to keep the employees’ right to bargain with their Employer through their chosen bargaining representative, and to provide the Union with the information it needs to evaluate and make bargaining proposals while the administrative case is pending before the Board.

The case is one of a growing number of actions where the NLRB has used is powers to help Unions force health care and other employers to yield to union demands. See e.g., Specialty Healthcare and Rehabilitation of Mobile, Board Case No. 15-CA-68248 (reported at 357 NLRB No. 174) (6th Cir. decided August 15, 2013 under the name Kindred Nursing Centers East, LLC f/k/a Specialty Healthcare and Rehabilitation of Mobile v. NLRB).

These decisions should remind health care and other employers of the highly union-friendly bent of the NLRB under the current administration, as well as the hazards of mishandling efforts to defend against union organizing and other protected activities under the NLRA. Beyond the obligation to recognize and bargain with properly certified collective bargaining unions, the NLRB and other federal labor laws also grant employees a host of other protections. Among these are recently affirmed rights-even for a worker not represented by a union – to insist another employee be present when participating in disciplinary and certain other meetings with management, rules limit the ability of employers to prohibit or restrict employees requiring employees to keep confidential and not discuss among each other salary, wages or other terms of compensation or employment terms and conditions, and others. The Obama Administration has made known its desire to expand these rights further and has carried out an aggressive legislative, regulatory and enforcement campaign in pursuit of this goal since taking office. For this reason, health care or other organizations should seek the advice and assistance of qualified legal counsel experienced with labor management relations matters to review policies for compliance, to prepare and administer anti-organizing activities, and to evaluate and respond to union organizing or bargaining activities.

For Advice, Training & Other Resources

If you need assistance monitoring these and other workforce, benefits and compensation regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, an ABA Joint Committee On Employee Benefits Council representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a Fellow in the American College of Employee Benefit Counsel, ABA, and State Bar of Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health plans and insurers about ACA, and a wide range of other plan design, administration, data security and privacy and other compliance risk management policies.  Ms. Stamer also regularly represents clients and works with Congress and state legislatures, EBSA, IRS, EEOC, OCR and other HHS agencies, state insurance and other regulators, and others.   She also publishes and speaks extensively on health and other employee benefit plan and insurance, staffing and human resources, compensation and benefits, technology, public policy, privacy, regulatory and public policy and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile http://www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here

NOTE:  This article is provided for educational purposes.  It is does not establish any attorney-client relationship nor provide or serve as a substitute for legal advice to any individual or organization.  Readers must engage properly qualified legal counsel to secure legal advice about the rules discussed in light of specific circumstances.

The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations.  The Regulations now require that either we (1) include the following disclaimer in most written Federal tax correspondence or (2) undertake significant due diligence that we have not performed (but can perform on request).

ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, or (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Hospitals, skilled nursing and other health care organizations need to be concerned about union organizing of  their employees in light of the growing success of unions with the aid of the pro-union support and agenda of the National Labor Relations Board (NLRB)  under the Obama Administration’s leadership.  The Administration’s goal of telling health care providers what to do extends well beyond Medicare and Medicaid into their workforce and terms and conditions of employment.

 On February 21, 2014, for instance, the Obama Administration helped the Service Employees International Union (the Union) force Holy Cross Youth and Family Services, Inc., d/b/a Kairos Healthcare (the Employer), a provider of drug and alcohol rehabilitation services, to recognize and bargain with the  over terms and conditions of employees with the Union by securing a court order forcing the employer to recognize and bargain with the Union.

 Ruling in a lawsuit filed by the NLRB against the…

View original post 1,385 more words


Hospital To Pay $75K For Refusing To Hire Disabled Child Care Worker

March 10, 2014

Osceola Community Hospital Refused To Hire Child Care Worker With Cerebral Palsy Who Had Worked As Volunteer

Osceola Community Hospital in Sibley, Iowa will pay $75,000 and furnish other relief to settle an Americans With Disabilities Act (ADA) disability discrimination lawsuit filed by the U.S. Equal Employment Opportunity Commission (EEOC) for its refusal to hire a child care worker with cerebral palsy.  The case shows both the need for health care and other employers to have sufficient evidence to support decisions not to hire disabled workers for safety reasons as well as the potential risks that hospitals or other face when refusing to hire disabled individuals who have been allowed to work as volunteers in their organizations.

The EEOC charged a day care center operated by the hospital, Bright Beginnings of Osceola County, unlawfully failed to hire a volunteer employee into a paid position for which she was qualified because of her cerebral palsy.  Although the woman who brought the charge of discrimination against the hospital already volunteered in the day care center and held a job driving a school bus, the EEOC’s investigation revealed the county refused to hire her into a paying job in the center out of an unfounded fear that her disability meant that she could not safely care for the children.

Judge Mark Bennett entered a consent decree on February, 28, 2014, resolving the brought by the EEOC in EEOC v. Osceola Community Hospital d/b/a Bright Beginnings of Osceola County, Civil Action No. 5:12-cv-4087 (N.D. Iowa, Sept. 26, 2012 that orders Osceola Community Hospital to pay $75,000 to the discrimination victim.  The decree also requires the hospital to institute a policy prohibiting discrimination on the basis of disability and to distribute the policy to all of its employees.  The hospital also must train its employees and report regularly to the EEOC on its compliance with the ADA.

The lawsuit provides another example to health care and other employers of their growing exposure to disability discrimination claims under the ADA.  The EEOC action and lawsuit highlights the importance of employers ensuring that decisions to refuse to hire disabled workers for safety reasons are based upon appropriate evidence of actual safety concerns that prevent the worker from safely performing the assigned duties with or without reasonable accommodation.

The fact that the worker in this case had in fact worked as a volunteer likely created additional challenges in defending the decision.  The use of volunteer workers in health industry businesses is a common practice that may justify special care before those organizations deny employment to a former volunteer on the basis of safety concerns associated with the disabilities of the applicant or worker both to document the reasonable basis of the safety concern and that the concern could not be adequately resolved through reasonable accommodation.

Eenforcing federal discrimination laws is a high priority of the Obama Administration. The Departments of Labor, Health & Human Services, Education, Justice, Housing & Urban Development, and others all have both increased enforcement, audits and public outreach, as well as have sought or are proposing tighter regulations.

The expanding applicability of nondiscrimination rules coupled with the wave of new policies and regulatory and enforcement actions should alert private businesses and state and local government agencies of the need to exercise special care to prepare to defend their actions against potential disability or other Civil Rights discrimination challenges under employment and a broad range of other laws.

Health care and organizations, public or private, government contractor or not, should act to ensure both that their organizations, their policies, and people in form and in action understand and comply with current disability discrimination laws and that these compliance activities are well-documented to help defend against potential charges or other challenges.  Because of changing regulatory and enforcement trends, organizations and their leaders should avoid assuming the adequacy of current compliance and risk management. Most organization should reevaluate their assessments concerning whether their organization is a federal government contractor or subcontractor to minimize the risk of overlooking critical obligations.

Many organizations need to update their understanding, policies and practices in light of tightening rules and enforcement. The scope and applicability of federal nondiscrimination and other laws have been expanded or modified in recent years by the differences in perspectives of the Obama Administration from the Bush Administration, as well as statutory, regulatory, judicial precedent and enforcement changes.  In addition, all organization should conduct well-documented periodic training and take other actions to monitor and enforce compliance by staff, contractors and others with whom they do business.

For Help With Compliance & Risk Management and Defense

If you need help in auditing or assessing, updating or defending your organization’s compliance, risk manage or other  internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 24 years of work helping private and governmental organizations and their management; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; schools and other governmental agencies and others design, administer and defend innovative compliance, risk management, workforce, compensation, employee benefit, privacy, procurement and other management policies and practices. Her experience includes extensive work helping employers implement, audit, manage and defend union-management relations, wage and hour, discrimination and other labor and employment laws, procurement, conflict of interest, discrimination management, privacy and data security, internal investigation and discipline and other workforce and internal controls policies, procedures and actions.  The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


Use Care Before Using “Skinny Plan” Option As Code Section 4980H Tool

March 9, 2014

Employers considering skinny plans and the brokers, third party administrators (TPAs), insurers and consultants recommending the use of these arrangements alone or as part of a broader health plan design should seek qualified legal advice for help with structuring and implementing these arrangements to avoid potential traps and missteps that could trigger unanticipated benefits, costs and/or tax consequences.  While offering some potential for certain employers, employers must carefully evaluate the potential suitability, benefits, risks and resultant responsibilities of including skinny plan options in their group health benefit offerings and ensure that any such arrangements are properly designed and administered to comply with applicable requirements.

Why Code Section 4980H Has Fueled Growing Skinny Plan Option Hype

Over the past year, many brokers and consultants have advocated that employers adopt a “preventive only” or “skinny plan” to low paid or other groups of employees as a means of avoiding liability for the potential $165 per month “employer shared liability payment” now scheduled to take effect for employers of more than 100 employees on January 1, 2015 and later for employers of more than 50 employees under Internal Revenue Code (Code) Section 4980H(a) (the “A Penalty”).

The Code Section 4980H rules are only one of a plethora of federal mandates and rules applicable to group health plans and their employers under federal law as a result of the health care reforms of the Patient Protection & Affordable Care Act (ACA) as well as a host of previously enacted federal laws.

Enthusiasm for the skinny plan option has been fueled by IRS guidance originally in IRS Notice 2013-54 and its subsequent publication in February 2014 of its final regulations implementing Code Section 4980H that reflect that most plans that pay or provide for reimbursement of medical care costs might qualify as the “minimum essential coverage” necessary to avoid triggering the penalty under Code Section 4980H(a) as long as the arrangement is not an “excepted benefit plan” for purposes of ACA.

While a properly implemented “skinny plan” option may work for many employers with self-insured health plans, getting past the Code Section 4890H(a) employer shared responsibility payment doesn’t necessarily mean that the employer won’t face liability under Code Section 4980H.  Furthermore, getting past Code Section 4980H isn’t all that employers, insurers, brokers and consultants need to consider when designing group health plans.  In fact, an improperly designed skinny plan that avoids triggering liability under Code Section 4980H could trigger much greater liability than the penalty that the employer hoped to avoid by using the skinny plan.

While a full understanding of all the potential implications that may affect a decision to offer a skinny plan is beyond the scope of this short article, it often is helpful to begin by understanding first the mechanics of Code Section 4980H and its employer-shared responsibility payments.

Code Section 4980H Employer Shared Responsibility Penalty Basics

The A Penalty is one of two potential employer shared responsibility payments that Code Section 4980H may impose against a “large employer” that fails to provide the necessary coverage mandated to avoid triggering liability under Code Section 4980H.  Under Code Section 4980H, there are two potential penalties that could be triggered:  the penalty under Code Section 4980H(a) commonly called the “A Penalty” or the penalty under Code Section 4989H(b) commonly called the “B Penalty.”  Understanding the skinny plan hype starts with understanding the basics and applicability of these two potential penalties.

First, the Code Section 4980H penalty doesn’t apply as long as the employer either doesn’t have 50 or more full-time employees or non of its full-time employees enroll in subsidized health coverage through a health insurance exchange.  Also, neither penalty under Code Section 4980H applies to any employer until at the earliest, January 1, 2015, when under the delayed effective date announced by the Obama Administration, employers with 100 or more full-time employees will become subject to Code Section 4980H.  Employers of 50 to 99 full-time employees enjoy an even further delayed effective date and employers of fewer than 50 full-time employees are exempt.

The A Penalty under Code Section 4980H(a) results when a large employer fails to offer employee and dependent coverage providing “minimum essential coverage” to is full-time employees.  The month A-Penalty amount generally will equal the result of the total number of all full-time employees of the employer minus 30, multiplied by $165 per month.

Just because an employer avoids the A Penalty by offering a plan providing minimum essential coverage to all employees does not necessarily mean it avoids liability under Code Section 4980H.  An employer offering the minimum essential coverage under a group health plan to all employees needed to get past the A Penalty generally still risks liability under Code Section 4980H to pay the “B Penalty” of $250 per month for any employee who actually enrolls in health care coverage through a Health Insurance Exchange whose family adjusted gross income is less than 400% of the Federal Poverty Level (approximately $98,000), unless the skinny plan or another group health plan offered to the employee by the employee both:

  • Provides both minimum essential coverage and the required “minimum value” within the meaning of Code Section 4980H; and
  • Doesn’t require the full-time employee to contribute more than 9.5% of his family adjusted gross income to qualify for the coverage offered under the group health plan.

Thus, while offering a skinny plan to all full-time employees may allow an employer to avoid liability for the A Penalty, an employer offering a skinny plan risks liability for the B Penalty of $250 per month for each employee whose family adjusted gross income is less than 400% of the Federal Poverty Level who actually choses to enroll in the richer health care coverage offered through the Health Insurance Exchanges rather than the skinny plan offered by the employer.

Since ACA provides subsidies for many employees with family adjusted gross incomes of less than 400% of the Federal Poverty Level, offering only a skinny plan alone creates a risk for employers that employ a significant number of these lower paid employees that employees will choose to enroll in health insurance coverage offered through the Health Insurance Exchange with subsidies rather than the skinny plan.  To the extent that this occurs, the offering of the skinny plan actually may increase the liability under Code Section 4980H of that employer for that employee from $165 per month to $250 per month.  Some skinny plan proponents may pooh-pooh this risk, arguing that the cost for an employer that incurs the B Penalty will not be higher because See Code § 4980H(b)(2) caps the amount of the B Penalty at the amount of the A Penalty.  While it technically is true that this means that the amount of the B Penalty will not exceed the amount of the A Penalty that the employer would have incurred had it not provided any coverage, the fact remains that the cost to the employer could still be greater because in addition to the B Penalty, the employer also will have incurred the cost of coverage and compliance to provide the skinny plan in addition to the B Penalty incurred.  Accordingly, employers considering this approach need to carefully evaluate their workforce to assess the potential exposure to B Penalties before assuming that avoiding the A Penalty is the best option for their organization and options to mitigate their downside exposures.

To reduce this risk, many consultants and brokers may suggest that the employer adopt a group health plan that offers all full-time employees the option to choose either to enroll in a skinny plan, to enroll in a group health plan coverage option that provides minimum essential coverage offering minimum value at a higher cost than the cost of the skinny plan coverage, or to forego coverage under the group health plan.  Since current IRS guidance states that offering group health plan coverage under a group health plan providing both minimum value and minimum essential coverage with an employee premium of less than 9.5 percent of family adjusted gross income will avoid liability under for the B Penalty for an employee even if an employee who otherwise would qualify for a subsidy choses to enroll in health insurance coverage through the Health Insurance Exchange, this design, properly implemented, may allow the employer to avoid liability under Code Section 4980H.  However, this is not all that an employer needs to worry about.  In fact, unless the group health plans including the skinny plan meets other rules and the discrimination rules applicable to the group health plan and the cafeteria plan through which the enrollment choices are offered meet applicable nondiscrimination requirements, the employer may create unanticipated exposures equal to or greater to the Code Section 4980H liability that the employer seeks to avoid.

Other Traps To Step To Beyond Code Section 4980H May Carry Bigger Risks

Code Section 4980H is only one of several issues that employers contemplating offering skinny plan designs alone or along with an alternative minimum essential coverage, minimum value group health plan coverage option must consider a plethora of other applicable laws and regulations, some of the most significant of which are highlighted in the following paragraphs.

First, when deciding the skinny plan or other group health plan design, employers and their insurers, brokers, administrators and consultants need to ensure that the benefit plan coverage, benefits and other terms meet all applicable mandates of applicable federal, and in the case of insured, multiple employer welfare arrangements (MEWAs) and certain staffing and leasing company arrangements, ACA’s insured plan mandates and other applicable state insurance rules.  Federal law imposes a wide range of mandates on group health plans beyond the requirements of Code Section 4980H.  These include additional coverage, benefit, and nondiscrimination rules added to the Employee Retirement Income Security Act (ERISA), the Code, the Public Health Services Act and other provisions of the Social Security Act, by laws like the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA), the Health Insurance Portability & Accountability Act (HIPAA), Code health and cafeteria plan nondiscrimination rules, federal laws mandating coverage for breast cancer, newborns and mothers, mental health and substance abuse, ACA’s coverage, benefit, non-discrimination, procedural and other reforms and various other requirements.  Where a group health plan is or is treated as insured, ACA, as well as state insurance regulations impose additional mandates.  Any group health plan must be designed to meet these rules.  Because ACA and state insurance requirements for insured, MEWA and other arrangements subject to regulation as insured group health programs generally mandate that the arrangement meet ACA’s essential health benefit requirements as well as other ACA and state insurance mandates, current federal and state regulations generally make it unlikely that a skinny plan option that qualifies as minimum essential coverage plans can be offered through an insured, a MEWA or other arrangement subject to regulation as an insured program.  Even where the arrangement is self-insured, ACA and other the inclusion of prescription drug or wellness benefits covering a wide range of conditions and treatments along with an otherwise skinny plan design many trigger mental health parity or other mandates often overlooked by brokers and consultants promoting these arrangements. While guidance is still evolving, there also exists a risk that the scope of mandates also can be greater than expected if the skinny plan is offered with an insured “limited benefit” or other insurance benefit arrangement in a manner that is considered integrated with the skinny plan. Furthermore, regardless if the arrangement is insured or self-insured, failure to comply with these mandates can trigger significant liability including in the case of many of these rules, the obligation to self-identify, self-report, self-assess, and pay penalties under Code Section 6039D of a minimum penalty of the greater of $2500 or $100 per day, as well as any other liability as otherwise applies under ERISA and the Code to participants, the IRS and DOL, or both.

Second, even if the arrangement is self-insured, employers, their administrators, brokers, consultants and advisors need to monitor whether the arrangement is discriminatory under the group health plan nondiscrimination rules or cafeteria plan discrimination rules of the Code.  Particularly where it is possible that highly compensated or key employees will enroll in coverage or a richer coverage option, while lower paid workers will forego enrollment or chose the skinny plan over enrolling in a richer minimum value, minimum essential coverage option, an employer must test to determine if the arrangement discriminates in favor of key or highly compensated employees for purposes of Code Section 125.  If so, at minimum, the employer will want to ensure that its cafeteria plan is drafted to require and that discriminatory contributions are recharacterized and reported to highly compensated and key employees as after-tax, taxable contributions.  It also is equally important that the discriminatory status of the arrangement under Code Section 105(h) be considered for a self-insured program and to the extent that the arrangement is discriminatory that income be reported to highly compensated employees as well.  It should be noted that the harsh nondiscrimination rules and draconian liabilities that can result from offering a discriminatory insured group health plan would add nondiscrimination concerns to the challenges of designing an insured skinny plan that could comply with applicable mandates discussed earlier.

Use Care When Considering Or Using Skinny Plan Design

Accordingly, while some employers may benefit from including a properly designed and implemented skinny plan option in their group health plan design, employers need to act carefully to ensure that the design is appropriate and properly integrated and administered. Those considering these plans should use care (a) to ensure that the plan is self-insured and not an insured plan or MEWA subject to ACA’s insurance reforms and/or state mandates; (b) meet all required federal and state mandates; (c) are tested for potential discrimination issues under Code sections 125 and 105(h); (d) are not paired with insurance contracts considered to be excepted insurance policies in a way that is considered integrated to trigger unexpected mandates and costs; and (e) when an employer group has a large group of subsidy-eligible employees, that the offering of a skinny plan doesn’t result in an increase in the employer’s Code Section 4980H liability by triggering the larger Code Section 4980H(b) penalty of $250 per month instead of the smaller Code Section 4980H(a) penalty of $165 per month.

For Advice, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, an ABA Joint Committee On Employee Benefits Council representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a Fellow in the American College of Employee Benefit Counsel, ABA, and State Bar of Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health plans and insurers about ACA, and a wide range of other plan design, administration, data security and privacy and other compliance risk management policies.  Ms. Stamer also regularly represents clients and works with Congress and state legislatures, EBSA, IRS, EEOC, OCR and other HHS agencies, state insurance and other regulators, and others.   She also publishes and speaks extensively on health and other employee benefit plan and insurance, staffing and human resources, compensation and benefits, technology, public policy, privacy, regulatory and public policy and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here

NOTE:  This article is provided for educational purposes.  It is does not establish any attorney-client relationship nor provide or serve as a substitute for legal advice to any individual or organization.  Readers must engage properly qualified legal counsel to secure legal advice about the rules discussed in light of specific circumstances.

The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations.  The Regulations now require that either we (1) include the following disclaimer in most written Federal tax correspondence or (2) undertake significant due diligence that we have not performed (but can perform on request).

ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, or (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


HHS Extends Proposed EDI Rule Time to 4/3 To Get More Input From Self-Insured Plans, TPAs

March 6, 2014

Third party administrators  (TPAs), self-insured health plans and concerned payers and plan sponsors now have a little more time to comment on the Department of Health & Human Services (HHS) proposed rule, “Administrative Simplification: Health Plan Certification of Compliance.”

HHS announced its extension to April 3, 2014 of the comment period today in specific hopes that it will receive additional comments from TPAs  and self-insured plans

The Certification of Compliance for Health Plans proposed rule is different from previous Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification regulations because it affects more and different types of entities.

For example, many third party administrators, self-funded health plans, and group health plans that have not been impacted by previous HIPAA Administrative Simplification requirements will be affected by this rule, even if they do not directly conduct HIPAA covered transactions.

As proposed, the proposed rule would require controlling health plans to submit documentation on or before December 31, 2015. It would also establish penalty fees for a controlling health plan that fails to comply with the Certification of Compliance requirements.

HHS says that the goal of the extension of the comment period is to provide these entities with time to understand and offer feedback on the business impacts of the Certification of Compliance proposed rule. HHS encourages these entities to submit feedback so that their comments and suggestions can be considered during the policy-making process.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers

March 5, 2014

Think your health plan, health care organization, health care clearinghouse or their business associates has health care privacy covered?  Think again.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handing protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Meanwhile, the Omnibus Final Rule generally has required business associates have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.