October 2016

Stop Bullying Month Opportunity to Strengthen Workplace Anti-Harassment Efforts

October 28, 2016

Cyber and other bullying usually is discussed as a child protection concern. However bullying of adults in the workplace also can be a big employment issue.

Applying the term “harassment” to adult bullying in the workplace allows most businesses to rapidly recognize need to prevent bullying and harassment in the workplace.

The connection between bullying and harassment is rapidly apparent from the definition of bullying. The government website stopbullying.gov defines “bullying” as unwanted, aggressive behavior among school aged children that involves a real or perceived power imbalance. The behavior is repeated, or has the potential to be repeated, over time. Bullying includes actions such as making threats, spreading rumors, attacking someone physically or verbally, and excluding someone from a group on purpose.”

In employment or other adult environments, the word “harassment” typically is used instead of bullying to refer to aggressive unwarranted behavior against an adult. Regardless of which term is used, bullying and harassment in workplaces and other communities is disruptive for the victims, co-workers, the employment or other community and those who interact with them.

Of course by now, all businesses and their leaders are legally accountable to know that the law generally requires businesses to prevent and protect their employees against harassment by management or other employees, customers, vendors and others with whom they do business on account of sex, sexual preference, race, age, disability, National origin, religion, whistleblower status, worker’s compensation or certain other benefit claims and the exercise of a host of other protected types of conduct.

Beyond the substantial legal exposures that businesses risk from harassment in the workplace, harassment or other pulling in the work place also inevitably creates other substantial operation costs for businesses by undermining job performance of bullying victims and others, undermining morale, increasing employee turnover, creating distractions, increasing management demands, eroding trust and team work, and more.

To reduce their exposure to these legal and operational risks, most US businesses have policies, conduct training and investigations, and engage in a host of other anti-harassment activities. Even with these efforts, however, effective prevention, detection and management of bullying and other harassment behaviors in most workplaces remains a challenge. For this reason businesses and their management should constantly be on the watch for tips and tools ate them in this endeavor.

The United States government’s annual Stop Bullying Month observances each October provide an excellent opportunity for US businesses and employers to strengthen their anti-harassment risks and compliance by joining in the celebration in October and using the resources available in their anti-harassment efforts throughout the year.

Businesses also may want to take advantage of resources like stopbullying.gov that provide tips and training for identifying and addressing bullying of children and others requiring special protection.

Stopbullying.gov, for instance includes a multitude of resources for Parents, Educators, Communities, and others that can be reworked and applied and workplace and other business contexts. Beyond these generally applicable tips, The website also includes videos and other materials addressing special topics like Cyberbullying and what to do about it, Sexual Preference Harassment and many others.

Human resources and other business leaders should check out these resources and leverage them to expand their tools and strengthen their anti-harassment efforts and risk management.

About The Author

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see www.CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

Comments Off on Stop Bullying Month Opportunity to Strengthen Workplace Anti-Harassment Efforts | Accommodation, ADA, Affirmative Action, board of directors, Child Safety, Civil Rights, compliance, Corporate Compliance, Cybercrime, Data Security, directors, Disability, Disability Discrimination, Disease Management, Drug & Alcohol, E-Verify, Education, EEOC, employee, Employer, Employers, Employment, Employment Agreement, Employment Discrimination, fiduciary duty, FLSA, GINA, Government Contractors | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis

October 27, 2016

Compliance with the Privacy and Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) is a living process that requires employer and other health plans, health insurers, health care providers and healthcare clearinghouses to recurrently reevaluate their HIPAA enterprise risk and timely act to mitigate security threats to electronic (ePHI) and other protected health information and other HIPAA compliance concerns on an ongoing basis. That’s the clear take away applicable to all HIPAA-Covered Entities and business associates from the St. Joseph Health Resolution Agreement and Corrective Action Plan (SJH Settlement) and the Oregon Health & Science University Resolution Agreement and Corrective Action Plan (OHSU Settlement) announced by the Department of Health & Human Services Office of Civil Rights (OCR) in the past 30 days. Health plans, their sponsors, fiduciaries and vendors, health care providers and health care clearinghouses should carefully heed this message and in response take documented steps to ensure

Their existing policies, practices and procedures properly are updated in response to changing guidance and events;
They in place the current, comprehensive enterprise risk assessment along with a mitigation plan documenting actions taken to address these risks;
Ensure that the organization has and is administering appropriate, documented processes and procedures to ensure that the organization reassesses its enterprise risk assessment and compliance on a timely basis as warranted by changes or other events that could impact ePHI, regulatory developments or other events that might impact its compliance; and
Have an appropriate, documented process for oversight by C-level management.

OHSU Charges & Settlement

The OHSU Settlement Agreement announced by OCR on September 23, 2016 requires OHSU to pay a $2.7 million settlement payment and adopt and implement a comprehensive three-year corrective action plan to address “widespread and diverse” HIPAA compliance problems OCR reports uncovering while investigating multiple HIPAA breach reports the large public academic health center and research university centered in Portland, Oregon.

OCR began investigating OHSU after the large public academic health center and research university centered in Portland, Oregon, submitted three HIPAA breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive:

On March 23, 2013, HHS received notification from OHSU regarding a breach of its unsecured electronic protected health information (“ePHI”) resulting from a stolen laptop computer;
On July 28, 2013, HHS received notification from OHSU regarding a breach of its ePHI resulting from storing ePHI at an internet-based service provider without a business associate agreement; and.

These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.

OCR’s investigation showed the reported breaches resulted from widespread, long-term, systematic and unresolved HIPAA violations by OHSU that OCR attributed to an inadequate commitment to and oversight of HIPAA compliance by OHSU C-level management which resulted in the failure by OHSU to appropriately monitor the adequacy of its ongoing compliance and to assess and address changes in its enterprise-wide risk and compliance obligations on an ongoing basis. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

OCR concluded that the reported breaches were the result of long-standing, systematic deficiences in OHSU’s processes and procedures for HIPAA compliance, including the following:

While OHSU reportedly performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, OCR says its investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule;
While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level;
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk;
OHSU failed to comply with its duty under HIPAA to enter into a business associate agreement with a vendor before allowing a vendor business associate to store ePHI; and
The absence of meaningful C-suite leadership oversight and commitment to HIPAA compliance.

Based on these investigations, OCR concluded that while OHSU initially adopted HIPAA Policies, the reported breaches were the result of a series of widespread and ongoing breaches of HIPAA resulted including the following:

From January 5, 2011, until July 3, 2013, OHSU disclosed the ePHI of 3,044 individuals in violation of Privacy Rules §§160.103 and 164.502(a) when workforce members disclosed the ePHI to a third party internet-based service provider without obtaining a business associate agreement or other satisfactory assurance that the internet-based service provider would safeguard the ePHI;
From January 5, 2011 until July 3, 2013 OHSU failed to obtain a business associate agreement from an internet-based service provider that was storing ePHI on its behalf as a business associate as required by 45 C.F.R. § 164.308(b);
From January 5, 2011 until July 3, 2013 OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations as required under Privacy Rule § 164.308(a)(1)(i);
From July 12, 2010 to present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise as required by Privacy Rules §§ 164.312(a)(2)(iv) and 164.306(d)(3)); and
From May 29, 2013 until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents in violation of Privacy Rule § 164.308(a)(6)(i).

According to statements made by OCR Director Jocelyn Samuels in OCR’s announcement of the OHSU Settlement, the breaches should not have happened. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient,” said OCR Director Jocelyn Samuels. OCR’s announcement also signals that OCR views inadequate commitment and oversight by OHSU’s senior management to have played a key role in the creation and perpetuation of the OHSU violations. It quotes OCR Director Jocelyn Samuels as stating, “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

OCR’s announcement of the OHSU Settlement emphasizes its determination that a lack of commitment and oversight by C-level management resulted in the failure by OHSU to periodically perform a comprehensive enterprise risk analysis and to reevaluate and update that analysis and its policies, practices, procedures and training as warranted by changing events and guidance.

To resolve the HIPAA charges, the OHSU Settlement requires OHSU to pay OCR $2,700,000 as well as take a long series of corrective actions detailed in the Corrective Action Plan incorporated into the Settlement Agreement. The requirements of the Corrective Action Plan both seek to address the specific weaknesses that lead to the breaches of unsecured ePHI reported by OHSU in its breach notifications as well as the broader deficiencies in OHSU’s overall HIPAA compliance practice by requiring among other things that OHSU:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI at all OHSU facilities and on all systems, networks, and devices that create, receive, maintain, or transmit ePHI;.
Develop and present to OCR for approval a comprehensive written risk management plan that explains OHSU’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on OHSU’s circumstances as well as a comprehensive, enterprise-wide plan to implement effective oversight of OHSU workforce members to ensure their adherence to HIPAA Rules and OHSU’s internal privacy and security policies and procedures with specific timelines for their expected completion and compensating controls identified in the interim to safeguard OHSU’s ePHI;
Implement and administer the written risk management plan and other safeguards as approved by OCR;
Provide updates to OCR about OHSU’s implementation of required encryption including a Mobile Device Management (MDM) solution that ensures all OHSU- owned and personally-owned mobile devices (tablets, smart phones, and other mobile devices) that access ePHI on OHSU’s secure network are encrypted other than mobile devices for which OHSU has granted exceptions based on documented evidence of the implementation of alternative reasonable compensating controls to protect the ePHI on such devices;
Report to OCR on OHSU’s efforts to a solution to enforce encryption of ePHI on OHSU-owned and personally- owned devices (laptops, desktops, and medical equipment) connecting to OHSU’s secure wired and wireless networks except for any devices for which OHSU has granted exceptions to the encryption requirement;
Report to OCR about its implementation of policies that prohibit the transfer of data containing ePHI from OHSU-owned and personally-owned devices to unencrypted removable storage devices (USB drives and portable hard drives) and implementation of a technical solution that enforces the policies prohibiting transfers of this type when attached to the OHSU secure network, except for any removable storage devices for which OHSU has granted exceptions based on documented evidence of reasonable compensating controls that have been implemented to protect the ePHI on such devices;
Send a communication to all members of the OHSU community describing its commitment to enterprise encryption;
Prepare to the satisfaction of OCR security awareness training materials needed to implement its security management processing including specific privacy and security awareness related to a) use of internet-based information storage services; b) disclosures to third party entities that require a business associate agreement or other reasonable assurance in place to ensure that the business associate will safeguard the protected health information (PHI) and/or ePHI; c) regarding managers, effective oversight of workforce members’ uses and disclosures of PHI, including ePHI, to ensure the workforce members’ compliance with the Privacy and Security Rules and OHSU’s internal policies and procedures; d) security incident reporting; and e) password management;
Initially train all workforce members with access to PHI and/or ePHI with 120 days of OCR’s approval of the training and thereafter ensure that new workforce members are trained with 15 days of hire and that all workforce members subsequently continue to receive training on an on-going basis;
Review the security awareness training materials annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments;
Management oversight and supervision of the implementation and administration of the corrective actions required by the Corrective Action Plan and HIPAA compliance; and

Management reporting to OCR on its actions and compliance with the Corrective Action Plan.

SJH Settlement

Similarly, the SJH Settlement OCR announced on October 18, 2016 with St. Joseph Health (SJH) requires SJH to pay a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan to settle OCR charges that SJH violated HIPAA by allowing files containing ePHI of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012.

A nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, who through its 24,000 employees and 6,000 physicians provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SHS’ 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJS filed with OCR. On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals-St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

To resolve charges resulting from these findings, the SJH Resolution Agreement requires SJH to pay OCR a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

Among other things, the Corrective Action Plan specifically requires that SJH:

Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHJ);
Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
Distribute the risk management plan as finally approved by OCR to to workforce members involved with implementation of the plan within 30 days of OCR approval;
Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
Prepare for review of OCR training materials and once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
Submit annual report to OCR signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

Take Away For Other Covered Entities & Business Associates

The OHSU and SJH Settlement Agreements send a clear message to all Covered Entities and business associates that they must be prepared to demonstrate not only that their initial adoption and implementation of required HIPAA Privacy and Security policies and safeguards, but also that their organization’s leadership needs to be prepared to demonstrate their commitment to HIPAA compliance by making adequate provision for HIPAA compliance, and appropriately monitoring developments that could impact the adequacy of their existing measures and timely update their systems and security, policies, procedures, training and other relevant safeguards.

The Settlements make clear that Covered Entities and their business associates should ensure that their organization possesses a well-documented current enterprise-wide risk assessment, as well as has in place and is administering as necessary to maintain the currency and adequacy of its risk assessment strong practices for conducting documented evaluations of their own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA, taking into account recent OCR guidance, its initiation of its Phase II audit program, the insights offered by OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate’s operations that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks.

In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation to in response to the guidance and insight that OCR provides, including:

A series of recent OCR Resolution Agreements emphasizing the need for Covered Entities and their Business Associates to verify that have in place, and review and update as necessary business associate agreements e.g. HIPAA Settlement Illustrates The Importance Of Reviewing And Updating, As Necessary, Business Associate Agreements (September 23, 2016); Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement (June 29, 2016);
Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option Up to $6.50 is Not a Cap on All Fees for Copies of PHI (May 23, 2016)
Guidance On HIPAA & Cloud Computing released October 6, 2016, which provides guidance for Covered Entities and business associates about contracting and other procedures that HIPAA-regulated Covered Entities and their business associates should implement when contracting for and using Cloud Computing Services;
Joint Guidance published October 21, 2016 by the Federal Trade Commission and OCR reminding Covered Entities and their business associates of the need to ensure that in addition to fulfilling the technical content requirements of HIPAA, their HIPAA authorizations, privacy practices notices and other HIPAA notices and communications are written and presented in plan language, include required specific terms and descriptions and in a manner that does not mislead individuals about their rights or about what is happening with their PHI. Furthermore, where Covered Entities and their business associates contemplate that businesses associates may request that individuals sign HIPAA authorizations, Covered Entities and their business associates should the Covered Entity and business associate have in place a current, signed HIPAA-compliant business associate agreement that that expressly authorizes the business associate to request the HIPAA authorization in light of statements in the Joint Guidance indicating that OCR views the Privacy Rules as prohibiting a business associate from asking a consumer to sign a HIPAA authorization unless its business associate contract expressly permits the business associate to do so; and
Other OCR enforcement actions, tools and guidance. See, e.g. All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement; Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance; $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework; HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

Employer and other health plan sponsors, health plan fiduciaries and business associates, and their service providers also generally will want to consider their responsibilities to provide and enforce employer certifications, as well as the fiduciary obligations health plan fiduciaries under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Among other things, wrongful disclosure of PHI to a sponsoring employer or others could violate HIPAA or other plan terms. Furthermore, Department of Labor officials have indicated stated that a fiduciary’s general fiduciary responsibilities can apply to the protection and administration of PHI and other health plan information as well as create a duty by a responsible fiduciary to prudently investigate and take steps to address breaches or other potential concerns that place PHI at risk. See, HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks.

Furthermore, as breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, contractual, tort and other exposures, Covered Entities and their business associates also generally are best served to take into account these other responsibilities and exposures in conjunction with the design and administration of their HIPAA compliance and risk management policies and practices.

Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, training, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attends these events. In addition, given the typically high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR changes, most Covered Entities and their business associations will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the often substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices also are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,”“Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications on HIPAA and other privacy and data security concerns earned in connection with her more than 28 years’ of involvement advising and representing business and government clients domestically and internationally about workforce and human resources, employee benefits; health care; insurance and financial; privacy and data security and other performance management, regulatory, internal controls and other compliance, risk management, public policy and operational other key concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair and current Defined Contribution Plans Committee Co-Chair, Groups and Substantive Committee and Membership Committee Members, past Welfare Plans Committee Chair and Co-Chair, and former Fiduciary Responsibility Vice Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current ABA International Section Life Sciences Committee Vice Chair, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, former ABA Joint Committee on Employee Benefits Council Representative and Marketing Committee Chair and a prolific author and highly popular speaker and consultant, Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis | ARRA, board of directors, Brokers, Cafeteria Plans, CHIP, Civil Monetary Penalties, Civil Rights, Claims, compliance, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, directors, EBSA, Electronic Medical Record, employee, Employee Benefits, Employer, Employers, Employment, EMR, fiduciary duty, Fiduciary Responsibility, GINA, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Technology, third party administrators, Uncategorized, Union, Workforce | Tagged: Breach Notification, broker, Covered Entity, Data Breach, Data Security, EPHI, ERISA, health care providers, Health Plans, HIPAA, Medical Privach, Medical Privacy, Personal Health Information, Privacy, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Colleges post 2016 can pay student health premiums without triggering ACA penalty

October 22, 2016

Colleges post 2016 can pay student health insurance coverage premiums for working students without triggering ACA penaltiesper new guidance. http://ow.ly/AeCZ305qjov

Comments Off on Colleges post 2016 can pay student health premiums without triggering ACA penalty | Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

New ACA Student Health Insurance Guidance Allows College Payment Of Working Students’ Student Health Insurance Premiums Post 2016

October 21, 2016

Colleges and other institutions of higher education within the meaning of the Higher Education Act of 1965 (schools) may continue until further notice to pay or subsidize student health insurance coverage premiums for students performing work-study or other services for the school as part of their financial aid package without fear of prosecution for violation of the group market reform requirements of the Patient Protection & Affordable Care Act (ACA), according to ACA guidance jointly published by the Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury (collectively, the Tri-Agencies) today.

Many schools have arrangements in place with insurers under which students can purchase individual policies providing health insurance coverage (“student health insurance coverage”), which are individual policies required to comply with the individual market reforms of the ACA other than as provided in the student health insurance guidance issued by HHS. See 45 CFR 147.145.

Of course, the agreement between the college and the student health insurance coverage issuer makes the coverage available for purchase by most if not all students attending the school by paying the specified premium. In some cases, however, the school might include in a student’s financial aid package a reduction to the cost of coverage of the otherwise applicable premium for student health insurance through a credit, offset, reimbursement, stipend, or similar arrangement (a premium reduction arrangement). If the student also performs services under a workstudy or other relationship, however, Tri-Agency guidance interpreting the Group Market Reforms could present a problem unless qualifies for an exemption from the Tri-Agencies’ interpretation of the Group Market Reforms as prohibited employers from paying or reimbursing individual health insurance policy premiums of employees..

The Tri-Agencies’ first announced their interpretation of the Group Market Reforms as prohibiting employer reimbursement of individual health insurance premiums in 2013. Technical Release 2013-03 announced that employers sponsoring arrangements under which the employer directly pays or reimburses premiums for employees’ individual health insurance coverage directly, or through a cafeteria plan pre-tax premium program, health flexible spending account arrangement (health FSA), health reimbursement arrangement (HRA), or other employer arrangement would incur excise taxes liability under section 4980D of the Internal Revenue Code and other penalties and liabilities for violating the ACA Group Market Reform rules. This Tri-Agency Guidance states that because by their very definition, these arrangements promise to reimburse or pay medical expenses on the employee’s behalf only up to a certain dollar amount each year, employer-sponsored arrangements that pay or reimburse employees for individual health insurance premiums generally violate the prohibition on annual dollar limits under Public Health Services (PHS) Act section 2711 and the requirement to provide certain preventive services without cost sharing under PHS Act section 2713 unless properly integrated with a group health plan that otherwise complies with ACA requirements. Furthermore, because the Tri-Agencies also construe the ACA market reforms as preventing the integration of EPPs and individual health insurance coverage, the Tri-Agencies’ guidance also states that an arrangement through which an employer reimburses or directly pays the premium for individual coverage violates the ACA market reform rules. Accordingly, unless otherwise exempted from coverage, this Tri-Agency guidance would prohibit schools from reimbursing students providing services to the school for student health insurance premiums.

Under Tri-Agency guidance published in February, 2016, the Tri-Agencies previously announced they would not that a premium reduction arrangement provided by a school to a student fails to satisfy PHS Act section 2711 or 2713 if the arrangement is offered in connection with other student health coverage (insured or self-insured) for a plan year or policy year beginning before January 1, 2017, but until October 21, 2016, did not address the post-2016 treatment of these arrangements . See Technical Release 2016-01; Notice 2016-17, Insurance Standards Bulletin, Application of the Market Reforms and Other Provisions of the Affordable Care Act to Student Health Coverage.

Under guidance jointly published October 21, 2016, however, the Tri-Agencies extended their policy of non-enforcement with respect to school student health insurance premium reimbursement arrangements beyond its previously announced December 31, 2016 expiration date. FAQs About Affordable Care Act Implementation Part 33 (“FAQ 33”) jointly published by the Tri-Agencies states that “pending further guidance, the Tri-Agencies consider it appropriate to further extend the enforcement relief provided in the February 5, 2016 guidance and will not assert that a premium reduction arrangement offered by an institution of higher education fails to satisfy PHS Act section 2711 or 2713 if the arrangement is offered in connection with student health coverage (insured or self-insured).

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecture and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Labor & Employment,”“Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine.

For additional information about this topic or Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.Solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile h ere. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™. All other rights reserved.

IMPORTANT NOTICES

These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein

Comments Off on New ACA Student Health Insurance Guidance Allows College Payment Of Working Students’ Student Health Insurance Premiums Post 2016 | 105(h), 4980D, 6039D, ACA, Affordable Care Act, Cafeteria Plans, compliance, Employee Benefits, Employer, Employers, Employment, ERISA, health benefit, health insurance, Health Plans, health reform, HR, Human Resources, Insurance, insurers, Internal Controls, Patient Protection and Affordabel Care Act, Uncategorized | Tagged: ACA, College, employer payment plan, Financial Aid, higher education, HRA, HSA, premium reimbursement, Schools | Permalink
Posted by Cynthia Marcotte Stamer

FTC, state law deceptive trade practices

October 21, 2016

FTC, state law deceptive trade practices & other rules increasingly trump common law “puffing” when tech, HIPAA/EMR/Auto or other certifications/, solutions http://ow.ly/xwuR305pdnc

Comments Off on FTC, state law deceptive trade practices | Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

ERISA Violations Cost More Now

October 19, 2016

ERISA Civil Penalties For Employers, Fiduciaries & Plan Administrators Rose August 1

Employer and other employee benefit plan sponsors, fiduciaries and administrators required by the Department of Labor Employee Benefit Security Administration (EBSA) to pay a civil monetary penalty for a post-November 2, 2015 violation of the employee benefit related obligations of the Employee Retirement Income Security Act (ERISA) should expect to pay more if EBSA assesses the penalty after August 1, 2016.

In 2015, Congress passed the Federal Civil Penalties Inflation Adjustment Act Improvements Act, which requires the Department of Labor (DOL) and other agencies adjust their penalties for inflation each year. In response to this mandate, the DOL has published two interim final rules to adjust its penalties for inflation effective August 1:

Federal Civil Penalties Inflation Adjustment Act Catch-Up Adjustments, which is DOL-only rule covering the vast majority of penalties assessed by a number of the DOL’s agencies including the DOL’s Employee Benefits Security Administration, Mine Safety and Health Administration, Occupational Safety and Health Administration, Office of Workers’ Compensation Programs, and Wage and Hour Division; and
Federal Civil Penalties Inflation Adjustment Act Catch-Up Adjustments: H-2B Temporary Non-agricultural Worker Program, which will be issued jointly with the Department of Homeland Security to adjust penalties associated with the H-2B temporary guest worker program

Both rules define rules that DOL plans to use to apply the 2015 Inflation Adjustment Act’s formula on how to determine the proper adjustment for each penalty effective August 1, 2016 to civil penalties that DOL can access against employers for violations.

The new method will adjust penalties for inflation, though the amount of the increase is capped at 150 percent of the existing penalty amount. The baseline is the last increase other than for inflation. The following chart shows the new civil penalty amounts assessable by EBSA after August 1, 2016 for post November 2, 2015 ERISA violations.

ERISA Civil Monetary Penalties Effective 8/16/2016 The Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 requires federal agencies to increase the amounts of civil monetary penalties annually for inflation. The new penalties under the Employee Retirement Income Security Act of 1974 (ERISA) shown below took effect August 16, 2016 and apply to a penalty assessed after August 1, 2016 that relates to a violation that occurred after November 2, 2015.
Offending Party	Action in Question	ERISA Section	Penalty As of August 15, 2016	Penalty Effective August 16, 2016
Employer	Failure to maintain records or furnish information sufficient to determine benefits	209(b)	$11 per employee	$28 per employee
Plan administrator	Failure/refusal to file annual report (Form 5500) with DOL	502(c)(2)	$1,100 per day	$2,063 per day
Administrator of multiemployer plan	Failure to certify endangered or critical (funding) status	502(c)(2)	$1,100 per day	$2,063 per day
Single-employer defined benefit plan	Failure to provide notice of funding-based limit on certain forms of distribution	101(j) and 502(c)(4)	$1,000 per day	$1,632 per day
Administrator of multiemployer plan	Failure to provide financial and actuarial reports on written request	101(k) and 502(c)(4)	$1,000 per day	$1,632 per day
Sponsor/Administrator of multiemployer plan	Failure to provide timely estimate of withdrawal liability upon request	101(l) and 502(c)(4)	$1,000 per day	$1,632 per day
Administrator of 401(k) plan with automatic contribution arrangement	Failure to provide notice to participants of their rights and obligations under the arrangement before the start of the plan year	514(e)(3) and 502(c)(4)	$1,000 per day	$1,632 per day
Multiple employer welfare arrangement (MEWA)	Failure/refusal to meet applicable reporting and disclosure requirements	502(c)(5)	$1,100 per day	$1,502 per day
Plan administrator	Failure to provide benefit plan information (including SPD) to DOL	502(c)(6)	$110 per day; capped at $1,100 per request	$147 per day; capped at $1,472 per request
Administrator of defined contribution plan with participant-directed investments	Failure/refusal to provide participants and beneficiaries with “blackout” notice or notice of right to divest employer securities	502(c)(7)	$100 per day per required recipient	$131 per day per required recipient
Underfunded multiemployer pension plan	Failure to timely adopt a funding improvement or rehabilitation plan or to meet benchmarks by the end of the improvement period	502(c)(8)	$1,100 per day	$1,296 per day
Employer	Failure to disclose group health plan benefits to states re Medicaid/CHIP eligible individuals	502(c)(9)	$100 per employee per day	$110 per employee per day
Employer	Failure to provide employees with written notice of opportunities for state-provided premium assistance for health coverage	502(c)(9)	$100 per employee per day	$110 per employee per day
Group health plan or plan’s health insurance issuer	Failure to follow genetic information protocols	502(c)(10)	$100 per participant per day	$110 per participant per day
Group health plan or plan’s health insurance issuer	Failure to follow genetic information protocols, where de minimis failure is not corrected before plan receives notice of violation from DOL	502(c)(10)	Minimum penalty is $2,500	Minimum penalty is $2,745
Group health plan or plan’s health insurance issuer	Failure to follow genetic information protocols, where violation is more than de minimis	502(c)(10)	Minimum penalty is $15,000	Minimum penalty is $16,473
Group health plan or plan’s health insurance issuer	Failure to follow genetic information protocols due to reasonable cause, not willful neglect	502(c)(10)	Maximum penalty is $500,000	Maximum penalty is $549,095
Plan fiduciary	Making improper distribution	502(m)	$10,000 per improper distribution	$15,909 per improper distribution
Group health plan	Willful failure to provide summary of benefits coverage to participant or beneficiary	715 and new Labor Reg. §2575.2(m)	$1,000 per failure	$1,087 per failure
Sponsor of Cooperative and Small Employer Charity (CSEC) plan	Failure to establish or update a funding restoration plan	502(c)(12)	$100 per day	$100 per day (no change)

The civil penalty increase provides yet another reason for employer and other plan sponsors,. fiduciaries and administrators to strive to prevent ERISA violations.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecture and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a former ABA Joint Committee on Employee Benefits Council Representative and , Ms. Stamer helps management manage.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.
Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer serves on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and as an editorial advisor and contributing author of many other publications. Her leadership involvements with the American Bar Association (ABA) include year’s serving many years as a Joint Committee on Employee Benefits Council representative; ABA RPTE Section current Practice Management Vice Chair and Substantive Groups & Committees Committee Member, RPTE Employee Benefits & Other Compensation Committee Past Group Chair and Diversity Award Recipient, current Defined Contribution Plans Committee Co-Chair, and past Welfare Benefit Plans Committee Chair Co-Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; International Section Life Sciences Committee Policy Vice Chair; and a speaker, contributing author, comment chair and contributor to numerous Labor, Tax, RPTE, Health Law, TIPS, International and other Section publications, programs and task forces. Other selected service involvements of note include Vice President of the North Texas Healthcare Compliance Professionals Association; past EO Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former Southwest Benefits Association Board of Directors member, Continuing Education Chair and Treasurer; former Texas Association of Business BACPAC Committee Member, Executive Committee member, Regional Chair and Dallas Chapter Chair; former Society of Human Resources Region 4 Chair and Consultants Forum Board Member and Dallas HR Public Policy Committee Chair; former National Board Member and Dallas Chapter President of Web Network of Benefit Professionals; former Dallas Business League President and others. For additional information about Ms. Stamer, seeCynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at Solutionslawpress.com including:

OFCCP Ups Government Contractor Vet Hiring Targets
Average American Family 2016 Healthcare
Brace For OCR HIPAA Audits
Health Plans Disclosing Data To State All Payer Data Banks Face HIPAA Risks
Confirm Copy Charges Comply With New HIPAA Guidance
Frontier Says “Conversion Issues” for
Obama Offers Grants To States To Boost Paid Leave Availability With State Grants
Business Associate Rule Violations Behind $750K HIPAA Settlement
Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors
Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates
Expect New Fed Regs To Increase Childcare Costs
OSHA Raises Silica Safety Requirements
DOL “Persuader Rule” Changes Broaden Employer & Consultant Anti-Union Contract Disclosure Duties
Check Health Plan Privacy For New Guidance Compliance
Marketplace Data Deficiencies Signal Employer ACA Headaches
SCOTUS: States Can’t Require Reporting of ERISA Health Plan Data
IRS OK’s Skipping Certain 2015 Form 5500 Questions
DOL Proposes Changes To Summary of Benefit & Coverage Rules
More proof government should stay out of healthcare
Health Care Quality: Different Meaning For Care Vs. Coverage
IRS Changes Plan Qualification Procedures, Returns, Other Procedures
Remember Microsoft: The Need for Effective Risk Management as to Contract Employees
Obama Administration Proposes Rules Giving Jobseeker Equal Opportunity Protections
Health Benefit Still Top Employer Benefit Cost
S. Businesses & Their Leaders Face Rising FLSA Collective Action Liability Risks
Improve HR Value To Company By Making HR A Performance Rather Than People Department
Sponsoring Employers Face Excise Taxes, Other Liabilities Unless Health Plans Comply With ACA Out-Of-Pocket & Other Federal Rules
Legal Review Of Health Plan Documents, Processes Needed To Mitigate Employer’s Excise Tax & Other Health Plan Risks
EEOC ADA Suit Against Magnolia Health Highlights US Employer’s Growing Disability Discrimination Risks
Proposed OSHA Regs Will Clarify Employer’s Continuing Duty To Ensure OSHA 300 Log Completeness
10 Practical Pointers To Use Law To Better Strengthen The Legal Defensibility Of Your Business & Its Leaders

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.

Comments Off on ERISA Violations Cost More Now | Civil Monetary Penalties, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, health plan, Health Plans, pension plan, Plan Admistrator, retirement plan, Retirement Plans, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

CMS Clarifies Home Health Form CMS-10280 Effective Date

October 19, 2016

On June 2016, the Home Health Change of Care Notice (HHCCN), Form CMS-10280 was revised and approved by the Office of Management and Budget. The revised HHCCN form that Home health agencies use to notify Original Medicare beneficiaries receiving home health care benefits of plan of care changes can be located here. CMS has confirmed the effective date for use of the revised HHCCN form is 90 days from this announcement.

Comments Off on CMS Clarifies Home Health Form CMS-10280 Effective Date | Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

New Rule Gives ONC Power To Pull Noncompliant EHR Products

October 16, 2016

The Office of the National Coordinator for Health IT (ONC) will have more oversight over certifying electronic health records and other technologies that store, share and analyze health information for consumers and the authority to ask developers to pull noncompliant products from the market under a new Final Rule scheduled for official publication in the Federal Register on October 19, 2016.
The Final Rule will give ONC power to decertify health IT products and issue a cease-and-desist notice to prevent the future sale or marketing of products that don’t comply with regulations or found to pose a risk to public health or safety. Developers of decertified products also would have to notify affected customers and providers who purchased the products.

Comments Off on New Rule Gives ONC Power To Pull Noncompliant EHR Products | ACA, Data Breach, Data Security, Electronic Medical Record, EMR, health Care, health reform, Physician, Provider | Permalink
Posted by Cynthia Marcotte Stamer

IRS Qualified Plan Correction Procedures Changing 1/1/17

October 13, 2016

Employers and other plan sponsors of tax-qualified 401(k) and other defined contribution or defined benefit plans (retirement plans) and others working to avoid plan disqualification by correcting plan documentation, administration or other problems that otherwise could disqualify their program for tax qualified treatment under the Internal Revenue Code (Code) under the Internal Revenue Service (IRS) Employee Plans Compliance Resolution System (EPCRS) or the Audit Closing Agreement Program (Audit CAP) modified rules beginning January 1, 2017, under changes announced by the IRS in Revenue Procedure 2016-51 on September 29, 2016.

The EPCRS and Audit CAP programs are two IRS correction programs commonly used to preserve the tax qualified status of a retirement plan affected by plan documentation, administration or other deficiencies that otherwise would result in the plan ceasing to qualify as a tax retirement plan under the Code. The EPCRS program generally is available to correct and resolve certain qualification concerns not eligible for self-correction that retirement plan sponsors or plans self-identify and disclose to the IRS in accordance with the EPCRS correction procedures, In contrast, the Audit CAP program provides an avenue that may provide a pathway for a plan sponsor of a retirement plan with significant problems in its compliance with the Code’s qualification requirements that are discovered by the IRS on audit or during the determination letter application process to preserve the tax benefits associated with maintaining a retirement plan in compliance with the Code’s tax qualification requirements by entering into a Closing Agreement pursuant to which the problems are corrected and paying a reasonable sanction to the IRS based directly on the amount of tax benefits preserved and the nature, extent and severity of the failure, taking into account the extent to which correction occurred before audit.

Key changes to the EPCRS correction procedures scheduled to take effect on January 1, 2017 under Revenue Procedure 2016-51 include the following:

The IRS no longer will permit determination letter applications when applying the correction programs under EPCRS;
The requirement for a plan sponsor to submit a determination letter application to the IRS when correcting qualification failures that include a plan amendment no longer will apply; and
Fees associated with the Voluntary Correction Program (VCP) after December 31, 2017 will be user fees and no longer set forth in the EPCRS revenue procedure. For VCP submissions made in 2016, refer to Proc. 2016-8 and Rev. Proc. 2013-12 to determine the applicable user fee and after 2016, refer to the annual Employee Plans user fees revenue procedure to determine VCP user fees for that year. Availability of Self-Correction Program (SCP) for significant failures has been modified to provide that, for qualified individually designed plans, a determination letter need not be current to satisfy the Favorable Letter requirement

In addition to its announcements of changes to the EPCRS correction program Revenue Procedures 2016-51 also announces various modifications to the Audit CAP program, including:

A revised approach to determining Audit CAP sanctions under which

Sanctions, generally, will not be less than the fees associated with voluntary compliance under the EPCRS program;
The required reasonable sanction will no longer be a negotiated percentage of the maximum payment amount (MPA). Instead, auditors will review facts and circumstances and the MPA amount is simply one factor to consider. In addition, there are revised, additional factors that IRS considers;
New factors used in determining sanctions for late amender failures will apply;
For late amender failures discovered by the IRS, while reviewing a determination letter application, a new approach to determining the applicable sanction will apply;
The IRS will not provide partial refunds for certain Anonymous Submissions

Beyond specific modifications to the EPCRS and Audit CAP procedures, Revenue Procedures 2016-51 also:

Updates citations and cross-references for several items previously contained in Rev. Proc. 2013-12; and
Invites public comments on recovery of overpayments and on expanding EPCRS correction rules to provide additional guidance on the recovery or recoupment of overpayments.

Revenue Procedures 2016-51 is effective January 1, 2017. Plan sponsors may not elect to apply provisions before January 1, 2017. Rev. Proc. 2013-12, as modified by Rev. Proc. 2015-27 and Rev. Proc. 2015-28, are in effect for 2016. When Revenue Procedure 2016-51 takes effect on January 1, 2017:

Proc. 2013-12 no longer applies as of January 1, 2017; and
Provisions of Rev. Proc. 2015-27 and Rev. Proc. 2015-28 concerning EPCRS and other older revenue procedures will no longer apply.

About The Author

For additional information about this topic or Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.Solutionslawpress.com.

Comments Off on IRS Qualified Plan Correction Procedures Changing 1/1/17 | 401(k), compensation, compliance, defined benefit plan, Defined Benefit Plans, defined contribution plan, Defined Contribution Plans, Employee Benefits, Employer, Employers, Employment, ERISA, IRC, Retirement Plans, Uncategorized | Tagged: 401(k), Audits, Compensation, defined benefit plan, defined contribution plan, employee benefit plan, Employee Benefits, E{CRS, Plan Audits, plan qualification, Qualified Plan, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Govt & payer mis-“management” increase

October 13, 2016

Govt & payer mis-“management” increased costs & reduced care. TIme to reform the “health reform” to provide patient care, not bigger insurers and government. http://ow.ly/XAYp3059aph http://ow.ly/i/nWJpP

Comments Off on Govt & payer mis-“management” increase | Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

DOL Invites FLSA Section 14(c) Certificateholders Test Prototype Application

October 12, 2016

The Department of Labor Wage and Hour Division is seeking input from Fair Labor Standards Act (FLSA) section 14(c) certificate holders to help to develop an online application to replace our current paper-based system. DOL hopes moving to a digital format will streamline the process, and make the transmission of information more convenient, efficient and secure for everyone.

DOL is looking for 8 current section 14(c) certificate holders to participate in some testing of its prototype as it moves forward. It hopes input early in the process will help DOL identify where to improve the product to ensure the final version meets your needs.

Participants volunteering will be asked to visit a prototype website, complete several short tasks, and answer questions about their experience and perceptions of the website.including how easy the application is to use.

DOL says if you volunteer to participate, and you are selected, DOL will contact you to schedule one or more one hour sessions at times convenient for you. You must have a computer and an Internet connection to participate. Each session will be conducted online using video conferencing accessible through your office or home computer. No travel is required.

If you are a current section 14(c) certificate holders to volunteer and interested, email WHDNOComm@dol.gov with the name of your organization, along with the name, email address, and phone number of the point of contact volunteering. DOL will contact the volunteers selected to participate.

Comments Off on DOL Invites FLSA Section 14(c) Certificateholders Test Prototype Application | compensation, Employer, Employers, Fair Labor Standards Act, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Stop Bullying Month Opportunity to Strengthen Workplace Anti-Harassment Efforts

Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis

Colleges post 2016 can pay student health premiums without triggering ACA penalty

New ACA Student Health Insurance Guidance Allows College Payment Of Working Students’ Student Health Insurance Premiums Post 2016

FTC, state law deceptive trade practices

ERISA Violations Cost More Now

CMS Clarifies Home Health Form CMS-10280 Effective Date

New Rule Gives ONC Power To Pull Noncompliant EHR Products

IRS Qualified Plan Correction Procedures Changing 1/1/17

Govt & payer mis-“management” increase

DOL Invites FLSA Section 14(c) Certificateholders Test Prototype Application

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Blogroll

Solutions Law

Solutions Law Press HR & Benefits Update