March 2022

Prepare For Health Plan Impacts From FDA COVID 2nd Booster Approval

March 29, 2022

Employer and other group health plan sponsors, fiduciaries, administrators and insurers should prepare their plans and their administrators to respond appropriately to today’s (3/29/2022) U.S. Food and Drug Administration (“FDA”)’s authorization of a second booster dose of either the Pfizer-BioNTech or the Moderna COVID-19 vaccines for certain populations will affect health plan COVID-19 coverage, workplace vaccination mandates or both.

FDA Emergency Use Approval of Second COVID-19 Booster

On March 29, 2022, the FDA amended its e emergency use authorization (“EAU”) for COVID-19 vaccination to add authorization for second COVID-19 booster shots under the following circumstances:

A second booster dose of the Pfizer-BioNTech COVID-19 Vaccine or Moderna COVID-19 Vaccine may be administered to individuals 50 years of age and older at least 4 months after receipt of a first booster dose of any authorized or approved COVID-19 vaccine.
A second booster dose of the Pfizer-BioNTech COVID-19 Vaccine may be administered to individuals 12 years of age and older with certain kinds of immunocompromise at least 4 months after receipt of a first booster dose of any authorized or approved COVID-19 vaccine. These are people who have undergone solid organ transplantation, or who are living with conditions that are considered to have an equivalent level of immunocompromise.
A second booster dose of the Moderna COVID-19 Vaccine may be administered at least 4 months after the first booster dose of any authorized or approved COVID-19 vaccine to individuals 18 years of age and older with the same certain kinds of immunocompromise.

The second booster doses EAU announced March 29 applies only to the Pfizer-BioNTech and Moderna COVID-19 vaccines and the authorization of a single booster dose for other age groups with these vaccines remains unchanged. For more information on the FDA COVID-19 Vaccine Approvals, see e.g. ,Comirnaty and Pfizer-BioNTech COVID-19 Vaccine; Spikevax and Moderna COVID-19 Vaccine; COVID-19 Vaccines; Emergency Use Authorization for Vaccines Explained.

Second Booster Authorization Health Plan Implications

Group health plans, their sponsors, fiduciaries, administrators and insurers need to evaluate their existing group health plan language to determine if and when their group health plan will cover second COVID-19 booster doses.

While Federal law currently mandates that all group health plans and group and individual health insurance covered by the Patient Protection & Affordable Care Act (“ACA”) cover FDA-approved initial vaccination and first booster vaccinations administered in accordance with recommendations of the Advisory Committee on Immunization Practices (“ACIP”), the ACIP as of now has not amended its COVID-19 vaccination recommendations to include the FDA second boosters approved by the FDA.

Health plans’ current obligation to cover without cost sharing initial COVID-19 vaccinations and first boosters in accordance with FDA authorizations to covered individuals arises under Section 3203 of the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”). Since January 5, 2021, Section 3203 of the CARES Act has mandated that all group health plans and health insurance issuers subject to the Patient Protection and Affordable Care Act (“ACA”) cover without cost sharing any COVID-19 vaccine with an FDA approved EUA Biologics License Application (“BLA”) consistent with the recommendations of the ACIP. While the CARES Act mandates coverage for ACIP-recommended COVID-19 vaccinations, including vaccines and boosters securing FDA approval subsequent to the effective date of the mandate. As enacted, the CARES Act mandate grows to include COVID-19 vaccinations and booster shots securing FDA approval subsequent to its enactment when recommended by the ACIP. Since the CARES Act only mandates coverage of ACIP recommended vaccines and as of March 29, 2022, the second booster is nt ACIP recommended, the Cares Act does not appear to mandate group health plans and health plan insurers cover the second booster shot approved by the FDA as of March 29, 2022. If in the future the ACIP recommends the booster, coverage by ACA covered group health plans and individual and group health insurance would become mandatory.

As of March 29, 2022, coverage of the second COVID-19 booster with or without cost-sharing also does not appear to be required to comply with the preventive care mandates of §2713 of the Public Health Service Act [PHSA]) enacted as part of the ACA.

The ACA preventive care and other mandates generally apply to individual health insurance coverage, fully insured small- and large-group coverage, and self-insured group plans that are not grandfathered or otherwise exempt.

Where applicable, Section 2713’s preventive care mandate generally requires ACA covered plans to cover without cost sharing specified preventive health services recommended with an A or B rating by the United States Preventive Services Task Force (USPSTF) and any immunization with a recommendation by ACIP adopted by the Centers for Disease Control and Prevention (CDC), for routine use for a given individual. As of now neither agency has adopted a recommendation of the second COVID-19 vaccine booster. Since Section 2713 specifies that its coverage mandates cannot trigger an obligation for covered group health plans to cover a new or revised recommendation any sooner than one year after a new or revised recommendation ispublished, any future adoption by the USPSTF, but not the ACIP, of a recommendation of the second booster shot will not trigger a federal coverage mandate. the ACA preventive care mandate. In contrast, ACA covered health plans would become immediately obligated to cover the second COVID booster if and when the ACIP in the future adds it to its recommendations, as the CARES Act mandate effectively renders moot the one year waiting period applicable for the ACA mandate.

As ACA group health plans and health insurance will become immediately required by the CARES Act to cover the second booster if and when the ACIP amends its COVID recommendations to recommend the second booster, group health plans, their sponsors, fiduciaries, administrators and insurers should monitor the ACIP recommendations for possible changes.

Along with this diligent oversight, most plan sponsors, fiduciaries and administrators should review their existing health plan language to determine if their existing plan language provides the currently mandated coverage as well as if the current language expressly provides or is sufficiently ambiguous to open the door for construction of the plan as authorizing coverage beyond existing applicable mandates. The COVID-19 related operational disruptions and exigencies present when the existing COVID-19 coverage mandates took effect creates a substantial likelihood that many plans contain less than optimal language regarding the COVID-19 vaccine and other mandates. Employer and other health plan sponsors, insurers, fiduciaries and administrators should assess whether tightening up their health plan language for the vaccination and other mandates is advisable to minimize compliance exposure risks, plan administration errors or unnecessary overpayments. Regardless of whether any change in plan language is necessary or advisable, group health plan fiduciaries, sponsors, administrators and insurers should prepare plan administration team members to respond to likely questions from plan members about COVID-19 vaccine and other COVID-related coverage. Health plan and human resources staff should be trained both to provide the appropriate substantive responses and to follow appropriate processes and procedures to contain the spread of fiduciary liability and to minimize the retaliation and other risks.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefits Counsel repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law and among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other workforce, employee benefits, health care and insurance legal representation, public policy leadership and advocacy, coaching, scholarship and training.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, current Chair-Elect of the ABA Tort & Insurance Section (TIPS) Medicine and Law Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s has worked extensively health and other employee benefit plan, managed care and other health and wellness, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, workforce and vendor performance management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Ms. Stamer also shares her leadership through her extensive involvement in many professional, community and civic organizations including several current leadership roles in various ABA Committees, as a former Joint Committee on Employee Benefits Council Representative, former Society for Human Resources Management Region IV Board Chair and National Consultant’s Board Member; former Editorial Advisory Board Member and author for HR.com, Insurance ThoughtLeaders, BNA CD-Rolm, and Employee Benefits News; former Alliance for Healthcare Excellence Board President, Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, former Board Member and Compliance Chair of the National Kidney Foundation of North Texas. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. These include hundreds of highly regarded articles and workshops on health and other benefits, workforce, health care and insurance concerns.

For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on Prepare For Health Plan Impacts From FDA COVID 2nd Booster Approval | Corporate Compliance | Tagged: COVID-19, Employer, Fiduciary, Health Insurance, Health Plans, vaccine | Permalink
Posted by Cynthia Marcotte Stamer

DOD Contractors May Face Added Health Plan Obligations On DOD Contracts Funded With Consolidated Appropriations Act, 2022 Funds

March 17, 2022

Businesses hoping to cash in on Department of Defense (“DOD”) appropriations in the Consolidated Appropriations Act, 2022 (“CAA”) signed into law on March 15, 2022 by contracting with DOD to perform functions currently performed by DOD civilian employees better budget to pay employer health plan contributions for workers that will perform the contracted services at the same rate as DOD would pay for services performed by its civilian employees.

Section 8047 of the CAA generally prohibits the DOD from using DOD appropriations from the CAA to pay for outsourced services to perform activities or functions performed by DOD civilian employees as of March 15, 2022 unless:

The conversion is based on the result of a public-private competition that includes a most efficient and cost-effective organization plan developed by such activity or function;
The Competitive Sourcing Official determines that, overall performance periods stated in the solicitation of offers for performance of the activity or function, the cost of performance of the activity or function by a contractor would be less costly to the Department of Defense by an amount that equals or exceeds the lesser of 10 percent of the most efficient organization’s personnel-related costs for performance of that activity or function by Federal employees or $10,000,000; and
The contractor does not receive an advantage for a proposal by not making an employer-sponsored health insurance plan available to the workers to be employed in the performance of that activity or function under the contract or offering such workers an employer-sponsored health benefits plan that requires the employer to contribute less towards the premium or subscription share than the amount that is paid by the Department of Defense for health benefits for civilian employees under chapter 89 of title 5, United States Code.

The health coverage requirement Section 8047 adds an addition nuance to the long and complex list of recruiting, employment, compensation, fringe benefit, procurement, cybersecurity, governance, contracting, conflict of interest, recordkeeping and a multitude of other requirements applicable to DOD contractors under the U.S. Department of Labor Office of Federal Contract Compliance Programs (OFCCP) regulations, the DOD Federal Acquisition Regulation (FAR), Defense Federal Acquisition Regulation Supplement (DFARS) and other federal laws and regulations.

Beyond the health coverage requirements of CAA Section 8047, DOD and other federal government contractors and subcontractors also should review and update their compliance plans for compliance with other applicable contracting and compliance obligations, many of which have been impacted by a series of policy and enforcement changes implemented by changes in Federal statutes, regulations and Executive Order impacting affirmative action, cybersecurity, benefits, compensation, worker classification and a host of other practices. Noncompliance with these requirements can trigger substantial judgments, civil monetary penalties, program disqualification and exclusion and in some instances criminal or civil prosecution under the False Claims Act and other federal statutes. DOD and other governmental contractors and subcontractors are encouraged to review their compliance plans, practices and documentation to confirm their readiness to defend a potential audit or enforcement action.

More Information.

For additional information about the requirements or concerns discussed in this article, republication or other related matters, please contact the author, employment lawyer Cynthia Marcotte Stamer via e-mail, via telephone at (214) 452 -8297 or on LinkedIn.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, Form I-9 and other compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, internal controls, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well-known for her extensive work with health and life sciences, insurance, financial services, technology, energy, manufacturing, retail, hospitality, government contractors, governmental and other highly regulated employers, her more than 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on DOD Contractors May Face Added Health Plan Obligations On DOD Contracts Funded With Consolidated Appropriations Act, 2022 Funds | Corporate Compliance, corporate governance, DFAR, Emploeyrs, Employee Benefits, Employer, Employers, Government Accountability, Government Contractors, government employer, government plan, OFCCP, OFCCP | Permalink
Posted by Cynthia Marcotte Stamer

Proposed SEC Cyber Rules Expand Cyber Obligations & Risks For Public Companies and Other SEC Regulated Entities & Their Leaders

March 9, 2022

Public companies and other market participating or influencing companies and their leaders should begin preparing to comply with enhanced cybersecurity risk management, disclosure, strategy, governance and incident reporting and response requirements of a Proposed Rule the Security and Exchange Commission (“SEC”) published in today’s (March 9, 2022) Federal Register.

Published on the heels of the SEC’s announcement of plans to hold public companies and their leaders accountable for lax cybersecurity risk management and disclosure, the SEC’s promotion of the Proposed Rule is one of a growing series of SEC and other federal agency initiatives ratcheting up responsibilities and legal liability risks of organizations and their executives in the face of growing cybersecurity threats. Aside from the added SEC requirements directly applicable to market participating or influencing companies, the protections intended to protect investors against undisclosed or improperly managed cyber-related risks to their investments also are likely to impact the cybersecurity practices of organizations that provide investments or investment related services with respect to employee benefit plans and the disclosures they provide.

In the face of these rising risks, public companies and their leaders should move promptly to conduct documented assessments of the adequacy of their existing cybersecurity safeguards, risk assessments and breach detection and response practices within the protective scope of attorney-client privilege as soon as possible considering the requirements of the Proposed Rule and other rapidly evolving rules, precedent and cyberthreats. Meanwhile, individuals and organizations wishing to comment on the Proposed Rule should submit their comments as soon as possible and no later than May 8, 2022, which is the last day of the 60-day comment period established in the Proposed Regulation.

Cybersecurity Risks & Responsibilities Of Companies & Their Leaders Rising

With cybersecurity threats and compliance concerns growing, the SEC is prioritizing cybersecurity investigation and enforcement against public companies and other market participants for lack cybersecurity governance, safeguards or disclosures. See e.g., SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations. Along announcing its commitment to hold market involved and impacting regulated entities accountable for failing to maintain and enforce appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, training and awareness, investor disclosures and other practices.

Beginning in 2019, the SEC strengthened its warnings to public companies and other market involved and influencing organizations and has begun more aggressively investigating and pursuing enforcement against companies that fail to fulfill their SEC cybersecurity obligations. As public companies and investor losses from data breaches, malware and other cybersecurity have continued, taken enforcement action against various public companies that experienced significant drops in stock value due to malware, data breach or other cybersecurity incidents. See here. For instance, in August, 2021, London-based educational publishing giant Pearson plc, agreed to pay $1 million to settle SEC charges that it had inadequate cybersecurity disclosure controls and procedures and made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion already had occurred. Also in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and falsely that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The SEC order further found that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach and that Pearson waited to inform investors about the breach until after contacted by the media. After the SEC issued an order that found Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder, without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.

Until recently, these cybersecurity enforcement actions focused primarily on entities. Last summer, however, the SEC announced that along with continuing its enforcement against public companies and other market involved and impacting companies for cybersecurity deficiencies, it now intends to purse enforcement against officers, directors or other leaders of companies that allow these deficiencies. Coincident with this announcement, the SEC made good on its promise to prosecute individual leaders by suing leaders of three companies accused of violating SEC cybersecurity controls, governance, and disclosure rules.. See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

Newly Proposed SEC Cybersecurity Rule Clarifies Expectations, Facilitates Noncompliance Enforcement Against Public Companies & Leaders

The SEC publication of the Proposed Rule both reenforces its prior cybercompliance warnings and adds more teeth to the SEC’s efforts to monitor, investigate and enforce its rules against market involved and impacting regulated entities and their leaders that fail to fulfill their cybersecurity obligations.

The “clarifications” in the Proposed Rule define minimum expectations for public company management and disclosures to investors about their cyber risk management, strategy, and governance and requiring public companies to notify investors of material cybersecurity incidents very quickly.

Among other things, the Proposed Rule will require that public companies:

Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within 4 business days after the registrant determines that it has experienced a material cybersecurity incident;
Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.

The Proposed Rule also will require enhanced and standardized disclosure about public company cybersecurity risk management, strategy, and governance by:

Adding Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to:
Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies; and
Amending Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise including disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise; and
Requiring public companies present the cybersecurity disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).

Given the SEC’s announced cybersecurity priorities, most commentators expect the SEC to move promptly to implement the Proposed Rule after the comment period ends on May 8. If these expectations prove true, market participating and influencing entities and their leaders already at risk under preexisting enforcement priorities will have to move quickly to clean up their compliance and fulfill their new responsibilities.

Managing existing risks and meeting these new requirements will be complicated by the need or advisability for many of the impacted public companies and their leaders to consider and appropriately address longstanding and newly expanding SEC and other cybersecurity exposures and disclosures. Aside from meeting the particulars of the new requirements going forward, companies also should be prepared to address preexisting cybersecurity exposures under existing SEC and other laws, regulations and contracts.

In conducting these activities, organizations and their leaders should keep in mind that their SEC cybersecurity obligations and exposures include both SEC specific new and unresolved historical obligations as well as cybersecurity risks arising from other operational, contractual and regulatory sources.

Federal electronic crimes, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act (“FACTA”), the Internal Revenue Code, and a plethora of other federal and state laws long have required or made highly advisable that organizations and their leaders include appropriate cybersecurity governance, security, breach detection and response, disclosure and mitigation obligations in their Federal Sentencing Guideline or other organizational compliance programs.

To adequately fulfill the SEC expectations, corporations and their leaders generally also will need to assess compliance, controls and exposures considering other cybersecurity duties and risks from key components of public company and other organizations’ operations, heightened exposures to private litigation, audits, investigations and enforcement and other cybersecurity responsibilities and risks subsumed within their public company and employee benefit plan operations. See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards ;Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax Cybersecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Management; HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats; Check Up Updated FinCEN Advisory on Ransomware For Opportunities To Strengthen Defenses; Raise Cybersecurity & Cyberbreach Compliance & Risk Management To Defend Against Rising Cyber Regulatory & Enforcement Risks; DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards.

As the conduct of the compliance and risk assessments necessary to evaluate and determine actions required or recommended in response to the emerging SEC and other cybersecurity obligations and risks could uncover and involve discussions of obligations and options for responding to known or suspected past or existing noncompliance risks, organizations and leaders should conduct their audit and analysis to the extent possible with the guidance of and within the scope of attorney-client privilege.

As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures. In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources, government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis. Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations. As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts. Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification, insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

Organizations and their leaders also should ensure that their compliance programs are backed up with appropriate governance and oversight to monitor and maintain compliance, address emerging issues and identify and respond to new requirements and incidents with appropriate process and documentation to defend compliance and mitigate other cyber-related risks for their organizations, their investors and their leaders.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public companies of all types and sizes, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies. She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Proposed SEC Cyber Rules Expand Cyber Obligations & Risks For Public Companies and Other SEC Regulated Entities & Their Leaders | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

South Sudan F-1 Visa Status Extended

March 4, 2022

The U.S Department of Homeland Security U.S. Citizenship and Immigration Services is extending its designation of South Sudan for Temporary Protected Status and associated Employment Authorization:
for South Sudanese F–1 Nonimmigrant Students experiencing severe economic hardship as a direct result of the current South Sudan humanitarian crisis.

More Information

About the Author

Well-known for her extensive work with health and life sciences, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

About Solutions Law Press, Inc.™

Comments Off on South Sudan F-1 Visa Status Extended | COVID, COVID-19, employee, Employer, Employers, h-2A Visa, I-9, Immigration, Internal Controls, Internal Investigations, Pandemic, Remote Work, Telecommuting, visas | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Sues To Stop UnitedHealth Acquisition Of Change Health To Protect Employer Plan Innovation & Commercial Health Insurance Market Competition

March 3, 2022

The U.S. Department of Justice along with the Minnesota and New York Attorneys General (collectively “Justice Department”) have filed a civil antitrust lawsuit to stop UnitedHealth Group Incorporated (“United”) from acquiring Change Healthcare Inc. (“Change”) on February 24, 2022 in an announced $13 billion transaction that the Justice Department claims will harm self-insured employer health plan innovation and competition in the commercial health insurance market. The suit is the latest in a series of Justice Department suits that seek to prevent continued consolidation of the health industry giants following decades of industry consolidation.

United, headquartered in Minnetonka, Minnesota, is an integrated health care enterprise that includes, among other subsidiaries, UnitedHealthcare, the largest health insurer in the United States; Optum Health, a large network of health care providers located throughout the country; OptumRx, a large pharmacy benefit manager; and OptumInsight, a health care technology business. United’s revenues were $288 billion in 2021.

Change Healthcare Inc. headquartered in Nashville, Tennessee, is a leading independent health care technology company providing health care analytics, software, services and data to health care providers, health insurers and other software and services firms in the health care industry. Today, Change markets itself as a partner to a wide variety of other health care ecosystem organizations including United’s major health insurance competitors as providing vital software and services need for innovation and problem solving. These services include electronic data interchange (EDI) clearinghouse services, which transmit claims and payment information between insurers and providers, and first-pass claims editing solutions, which review claims under the health insurer’s policies and relevant treatment protocols. Change’s revenues were $3.4 billion in 2021.

In the civil antitrust complaint filed in the U.S. District Court for the District of Columbia on February 24, 2022, the Justice Department charges United’s acquisition of this neutral player would allow United to tilt the playing field in its favor, harming current competition and allowing United to control and distort the course of innovation in this industry for the foreseeable future.

Among other things, the Justice Department alleges allowing United to eliminate a significant independent and innovative competitor firm by acquiring Change will undermine competition in the commercial health insurance market, stifle innovation in the employer health insurance markets and suppress competition in the market for a vital technology used by health insurers to process health insurance claims and reduce health care costs by giving United control of a critical data highway through which about half of all Americans’ health insurance claims pass each year.

As alleged in the complaint, the proposed transaction would give United, a massive company that owns the largest health insurer in the United States, access to a vast amount of its rival health insurers’ competitively sensitive information. Post-acquisition, United would be able to use its rivals’ information to gain an unfair advantage and harm competition in health insurance markets. The Justice Department also claims the proposed transaction would eliminate United’s only major rival for first-pass claims editing technology — a critical product used to efficiently process health insurance claims and save health insurers billions of dollars each year — and give United a monopoly share in the market.

A Justice Department press release about the lawsuit quotes Principal Deputy Assistant Attorney General Doha Mekki of the Justice Department’s Antitrust Division as saying, “Unless the deal is blocked, United stands to see and potentially use its health insurance rivals’ competitively sensitive information for its own business purposes and control these competitors’ access to innovations in vital health care technology. The department’s lawsuit makes clear that we will not hesitate to challenge transactions that harm competition by placing so much control of data and innovation in the hands of a single firm.”

The suit is the latest in a series of civil antitrust lawsuits challenging proposed mergers or acquisitions of between health insurance industry giants as anticompetitive in recent years. Stay tuned for more details.