Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concerns On An Ongoing Basis

October 27, 2016

Compliance with the Privacy and Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) is a living process that requires employer and other health plans, health insurers, health care providers and healthcare clearinghouses to recurrently reevaluate their HIPAA enterprise risk and to act in a timely manner, on an ongoing basis, to mitigate security threats to electronic protected health information (ePHI) and other protected health information and to address other HIPAA compliance concerns. That’s the clear takeaway applicable to all HIPAA-Covered Entities and business associates from the St. Joseph Health Resolution Agreement and Corrective Action Plan (SJH Settlement) and the Oregon Health & Science University Resolution Agreement and Corrective Action Plan (OHSU Settlement) announced by the Department of Health & Human Services Office of Civil Rights (OCR) in the past 30 days. Health plans, their sponsors, fiduciaries and vendors, health care providers and health care clearinghouses should carefully heed this message and in response take documented steps to ensure that:

  • Their existing policies, practices and procedures properly are updated in response to changing guidance and events;
  • They have in place a current, comprehensive enterprise risk assessment along with a mitigation plan documenting actions taken to address these risks;
  • The organization has and is administering appropriate, documented processes and procedures to reassess its enterprise risk assessment and compliance on a timely basis as warranted by changes or other events that could impact ePHI, regulatory developments or other events that might impact its compliance; and
  • They have an appropriate, documented process for oversight by C-level management.

OHSU Charges & Settlement

The OHSU Settlement Agreement announced by OCR on September 23, 2016 requires OHSU to pay a $2.7 million settlement payment and adopt and implement a comprehensive three-year corrective action plan to address “widespread and diverse” HIPAA compliance problems OCR reports uncovering while investigating multiple HIPAA breach reports from the large public academic health center and research university centered in Portland, Oregon.

OCR began investigating OHSU after the large public academic health center and research university centered in Portland, Oregon, submitted three HIPAA breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive:

  • On March 23, 2013, HHS received notification from OHSU regarding a breach of its unsecured electronic protected health information (“ePHI”) resulting from a stolen laptop computer;
  • On July 28, 2013, HHS received notification from OHSU regarding a breach of its ePHI resulting from storing ePHI at an internet-based service provider without a business associate agreement; and.

These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement.  OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.

OCR’s investigation showed the reported breaches resulted from widespread, long-term, systematic and unresolved HIPAA violations by OHSU that OCR attributed to an inadequate commitment to and oversight of HIPAA compliance by OHSU C-level management which resulted in the failure by OHSU to appropriately monitor the adequacy of its ongoing compliance and to assess and address changes in its enterprise-wide risk and compliance obligations on an ongoing basis. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule.  While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

OCR concluded that the reported breaches were the result of long-standing, systematic deficiencies in OHSU’s processes and procedures for HIPAA compliance, including the following:

  • While OHSU reportedly performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, OCR says its investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule;
  • While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level;
  • OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk;
  • OHSU failed to comply with its duty under HIPAA to enter into a business associate agreement with a vendor before allowing a vendor business associate to store ePHI; and
  • The absence of meaningful C-suite leadership oversight and commitment to HIPAA compliance.

Based on these investigations, OCR concluded that while OHSU initially adopted HIPAA Policies, the reported breaches were the result of a series of widespread and ongoing breaches of HIPAA, including the following:

  • From January 5, 2011, until July 3, 2013, OHSU disclosed the ePHI of 3,044 individuals in violation of Privacy Rules §§160.103 and 164.502(a) when workforce members disclosed the ePHI to a third party internet-based service provider without obtaining a business associate agreement or other satisfactory assurance that the internet-based service provider would safeguard the ePHI;
  • From January 5, 2011 until July 3, 2013 OHSU failed to obtain a business associate agreement from an internet-based service provider that was storing ePHI on its behalf as a business associate as required by 45 C.F.R. § 164.308(b);
  • From January 5, 2011 until July 3, 2013 OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations as required under Privacy Rule § 164.308(a)(1)(i);
  • From July 12, 2010 to present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise as required by Privacy Rules §§ 164.312(a)(2)(iv) and 164.306(d)(3); and
  • From May 29, 2013 until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents in violation of Privacy Rule § 164.308(a)(6)(i).

According to statements made by OCR Director Jocelyn Samuels in OCR’s announcement of the OHSU Settlement, the breaches should not have happened. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient,” said OCR Director Jocelyn Samuels. OCR’s announcement also signals that OCR views inadequate commitment and oversight by OHSU’s senior management to have played a key role in the creation and perpetuation of the OHSU violations. It quotes OCR Director Jocelyn Samuels as stating, “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

OCR’s announcement of the OHSU Settlement emphasizes its determination that a lack of commitment and oversight by C-level management resulted in the failure by OHSU to periodically perform a comprehensive enterprise risk analysis and to reevaluate and update that analysis and its policies, practices, procedures and training as warranted by changing events and guidance.

To resolve the HIPAA charges, the OHSU Settlement requires OHSU to pay OCR $2,700,000 as well as take a long series of corrective actions detailed in the Corrective Action Plan incorporated into the Settlement Agreement. The requirements of the Corrective Action Plan seek to address both the specific weaknesses that led to the breaches of unsecured ePHI reported by OHSU in its breach notifications and the broader deficiencies in OHSU’s overall HIPAA compliance practice by requiring, among other things, that OHSU:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI at all OHSU facilities and on all systems, networks, and devices that create, receive, maintain, or transmit ePHI;
  • Develop and present to OCR for approval a comprehensive written risk management plan that explains OHSU’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on OHSU’s circumstances as well as a comprehensive, enterprise-wide plan to implement effective oversight of OHSU workforce members to ensure their adherence to HIPAA Rules and OHSU’s internal privacy and security policies and procedures with specific timelines for their expected completion and compensating controls identified in the interim to safeguard OHSU’s ePHI;
  • Implement and administer the written risk management plan and other safeguards as approved by OCR;
  • Provide updates to OCR about OHSU’s implementation of required encryption including a Mobile Device Management (MDM) solution that ensures all OHSU-owned and personally-owned mobile devices (tablets, smart phones, and other mobile devices) that access ePHI on OHSU’s secure network are encrypted other than mobile devices for which OHSU has granted exceptions based on documented evidence of the implementation of alternative reasonable compensating controls to protect the ePHI on such devices;
  • Report to OCR on OHSU’s efforts to implement a solution to enforce encryption of ePHI on OHSU-owned and personally-owned devices (laptops, desktops, and medical equipment) connecting to OHSU’s secure wired and wireless networks except for any devices for which OHSU has granted exceptions to the encryption requirement;
  • Report to OCR about its implementation of policies that prohibit the transfer of data containing ePHI from OHSU-owned and personally-owned devices to unencrypted removable storage devices (USB drives and portable hard drives) and implementation of a technical solution that enforces the policies prohibiting transfers of this type when attached to the OHSU secure network, except for any removable storage devices for which OHSU has granted exceptions based on documented evidence of reasonable compensating controls that have been implemented to protect the ePHI on such devices;
  • Send a communication to all members of the OHSU community describing its commitment to enterprise encryption;
  • Prepare to the satisfaction of OCR security awareness training materials needed to implement its security management process including specific privacy and security awareness related to a) use of internet-based information storage services; b) disclosures to third party entities that require a business associate agreement or other reasonable assurance in place to ensure that the business associate will safeguard the protected health information (PHI) and/or ePHI; c) regarding managers, effective oversight of workforce members’ uses and disclosures of PHI, including ePHI, to ensure the workforce members’ compliance with the Privacy and Security Rules and OHSU’s internal policies and procedures; d) security incident reporting; and e) password management;
  • Initially train all workforce members with access to PHI and/or ePHI within 120 days of OCR’s approval of the training and thereafter ensure that new workforce members are trained within 15 days of hire and that all workforce members subsequently continue to receive training on an on-going basis;
  • Review the security awareness training materials annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments;
  • Management oversight and supervision of the implementation and administration of the corrective actions required by the Corrective Action Plan and HIPAA compliance; and
  • Management reporting to OCR on its actions and compliance with the Corrective Action Plan.

SJH Settlement

Similarly, the SJH Settlement OCR announced on October 18, 2016 with St. Joseph Health (SJH) requires SJH to pay a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan to settle OCR charges that SJH violated HIPAA by allowing files containing ePHI of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012.

SJH is a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry that, through its 24,000 employees and 6,000 physicians, provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SJH’s 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJH filed with OCR. On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals (St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital) that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing the following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

  • From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
  • Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
  • Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

To resolve charges resulting from these findings, the SJH Resolution Agreement requires SJH to pay OCR a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which, among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

Among other things, the Corrective Action Plan specifically requires that SJH:

  • Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities and that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contain, store, transmit, or receive electronic protected health information (ePHI);
  • Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
  • Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
  • Distribute the risk management plan as finally approved by OCR to workforce members involved with implementation of the plan within 30 days of OCR approval;
  • Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
  • Prepare training materials for review by OCR and, once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
  • Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
  • Submit an annual report to OCR, signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
  • Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

Take Away For Other Covered Entities & Business Associates

The OHSU and SJH Settlement Agreements send a clear message to all Covered Entities and business associates that they must be prepared to demonstrate not only their initial adoption and implementation of required HIPAA Privacy and Security policies and safeguards, but also their leadership’s commitment to HIPAA compliance by making adequate provision for HIPAA compliance, appropriately monitoring developments that could impact the adequacy of their existing measures, and updating their systems and security, policies, procedures, training and other relevant safeguards in a timely manner.

The Settlements make clear that Covered Entities and their business associates should ensure that their organization possesses a well-documented, current enterprise-wide risk assessment. To maintain the currency and adequacy of that risk assessment, the organization also should have in place and administer strong practices for conducting documented evaluations of its own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA. These evaluations should take into account recent OCR guidance, OCR’s initiation of its Phase II audit program, the insights offered by OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks.

In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation in response to the guidance and insight that OCR provides, including:

Employer and other health plan sponsors, health plan fiduciaries and business associates, and their service providers also generally will want to consider their responsibilities to provide and enforce employer certifications, as well as the fiduciary obligations of health plan fiduciaries under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Among other things, wrongful disclosure of PHI to a sponsoring employer or others could violate HIPAA or other plan terms. Furthermore, Department of Labor officials have indicated that a fiduciary’s general fiduciary responsibilities can apply to the protection and administration of PHI and other health plan information as well as create a duty by a responsible fiduciary to prudently investigate and take steps to address breaches or other potential concerns that place PHI at risk. See, HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks.

Furthermore, because breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws on medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, and contractual, tort and other exposures, Covered Entities and their business associates also generally are best served by taking these other responsibilities and exposures into account in the design and administration of their HIPAA compliance and risk management policies and practices.

Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attend these events. In addition, given the high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR charges, most Covered Entities and their business associates will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

About The Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications on HIPAA and other privacy and data security concerns earned in connection with her more than 28 years of involvement advising and representing business and government clients domestically and internationally about workforce and human resources, employee benefits; health care; insurance and financial; privacy and data security and other performance management, regulatory, internal controls and other compliance, risk management, public policy and other key operational concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair and current Defined Contribution Plans Committee Co-Chair, Groups and Substantive Committee and Membership Committee Members, past Welfare Plans Committee Chair and Co-Chair, and former Fiduciary Responsibility Vice Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current ABA International Section Life Sciences Committee Vice Chair, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, former ABA Joint Committee on Employee Benefits Council Representative and Marketing Committee Chair and a prolific author and highly popular speaker and consultant, Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

As a core component of her work,  Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops on these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.  


Manage Retaliation Risks In Response To Updated EEOC Enforcement Guidance, Rising Retaliation Claims

August 31, 2016

U.S. employers, employment agencies, unions, their benefit plans and fiduciaries, and their management and service providers should move quickly to review and strengthen their employment and other practices to guard against a foreseeable surge in employee retaliation claims and judgements likely to follow the August 30, 2016 issuance by the Equal Employment Opportunity Commission (EEOC) of its new final EEOC Enforcement Guidance on Retaliation and Related Issues and concurrently published Question and Answer Guidance (Guidance).

Updating and superseding 2008 guidance previously set forth in the Retaliation Chapter of the EEOC Enforcement Manual, the Guidance details the EEOC’s current policy for investigating and enforcing the retaliation prohibitions under each of the equal employment opportunity (EEO) laws enforced by EEOC, including Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act (ADEA), Title V of the Americans with Disabilities Act (ADA), Section 501 of the Rehabilitation Act, the Equal Pay Act (EPA) and Title II of the Genetic Information Nondiscrimination Act (GINA) as well as the ADA’s separate “interference” prohibitions, which prohibit coercion, threats, or other acts that interfere with the exercise of ADA rights.  Among other things, the Guidance discusses:

  • What “retaliation” means and the scope of employee activity protected by the prohibitions against retaliation included in all laws enforced by the EEOC as well as the interference prohibitions of the ADA;
  • Legal analysis the EEOC will use to determine if evidence supports a claim of retaliation against an employer or other party;
  • Detailed examples of employer actions that the EEOC says may constitute prohibited retaliation; and
  • Remedies available for retaliation.

Understanding and properly responding to the Guidance is critically important for employers and others subject to the EEO laws in light of the substantial and growing liability exposures retaliation claims present and the likelihood that the issuance of the Guidance will further fuel these risks.

Even before the EEOC published the Guidance, retaliation and interference exposures were a substantial source of concern for most employers.  Employers, employment agencies and unions caught engaging in prohibited retaliation or intimidation in violation of EEO laws can incur compensatory and (except for governmental employers) punitive damage awards, back pay, front pay, reinstatement into a job or other equitable remedies, injunctive or administrative orders requiring changes in employer policies and procedures, managerial training, reporting to the EEOC and other corrective measures, as well as substantial investigation and defense costs.

These substantial liability exposures have become particularly concerning as retaliation and interference claims also have become increasingly common over the past decade. According to the EEOC, for example, EEO law retaliation charges have remained the most frequently alleged basis of charges filed with the EEOC since 2009 and in Fiscal Year 2015 accounted for 44.5 percent of all employment discrimination charges received by EEOC.
Since the EEOC’s issuance of the Retaliation Regs is likely to encourage additional retaliation or interference claims, employers, employment agencies, unions and their management, service providers and agents should act quickly to evaluate the updated guidance provided in the Retaliation Regs and act to mitigate their exposure to retaliation and interference claims under these EEO laws.

Retaliation Risks Under EEO Laws

Federal EEO laws generally prohibit employers, employment agencies, or unions from punishing or taking other adverse actions against job applicants or employees for “asserting their rights” (often referred to as “protected activity”) to be free from harassment or other prohibited employment discrimination as well as certain other conduct. Such claims generally are referred to as “retaliation claims.”
Prohibited retaliation in violation of EEO laws occurs when an employer, employment agency or union takes a materially adverse action because an applicant or employee asserts rights or engages in certain other activities protected by the EEO laws.

To prevail in a retaliation claim, an applicant, employee or other individual generally must show that:

  • The individual engaged in prior protected activity;
  • The employer, employment agency or union took a materially adverse action; and
  • More likely than not, retaliation caused the adverse action by the employer, employment agency or union.

Persons Protected By EEO Retaliation Rules

EEO retaliation prohibitions protect both applicants and current and former employees (full-time, part-time, probationary, seasonal, and temporary) against retaliation under the EEO laws.  The retaliation prohibitions bar an employer from refusing to hire or otherwise taking adverse action against any current or former applicant or employee because of his EEO complaint or other protected activity under applicable EEO laws.  The EEOC interprets the retaliation rules as prohibiting an employer from giving a false negative job reference to punish a former employee for making an EEO complaint or engaging in other protected activity, as well as prohibiting an employer from refusing to hire or otherwise retaliating or discriminating against an applicant or employee based on a complaint made or other protected activity engaged in against a prior employer.  The Guidance also makes clear that the retaliation prohibitions apply regardless of an applicant or employee’s citizenship or work authorization status.

Protected Activity

“Protected activity” generally means either participating in an EEO process or reasonably opposing conduct made unlawful by an EEO law.

The prohibition against an employer retaliating against an individual for “participating” in an EEO process means that an employer cannot punish an applicant or employee for filing an EEO complaint, serving as a witness, or participating in any other way in an EEO matter, even if the underlying discrimination allegation is unsuccessful or untimely. As a part of these prohibitions, the EEOC says that an employer, employment agency or union is not allowed to do anything in response to EEO activity that would discourage someone from resisting or complaining about future discrimination. For example, depending on the facts of the particular case, it could be retaliation because of the employee’s EEO activity for an employer to:

  • Reprimand an employee or give a performance evaluation that is lower than it should be;
  • Transfer the employee to a less desirable position;
  • Engage in verbal or physical abuse;
  • Threaten to make, or actually make reports to authorities (such as reporting immigration status or contacting the police);
  • Increase scrutiny;
  • Spread false rumors, treat a family member negatively (for example, cancel a contract with the person’s spouse); or
  • Take action that makes the person’s work more difficult (for example, punishing an employee for an EEO complaint by purposefully changing his work schedule to conflict with family responsibilities).

The Guidance clearly states that the EEOC views participating in any capacity in a complaint process or other protected equal employment opportunity activity as protected from retaliation under all circumstances.  The EEOC views other acts to oppose discrimination also as protected as long as the employee was acting on a reasonable belief that something in the workplace may violate EEO laws, even if he or she did not use legal terminology to describe the issue. EEOC’s view is that protections against retaliation extend to participation in an employer’s internal EEO complaint process, even if a charge of discrimination has not yet been filed with the EEOC. The EEOC also takes the position that participation in the EEO process is protected whether or not the EEO allegation is based on a reasonable, good faith belief that a violation occurred. While an employer is free to bring these to light in the EEO matter where it may rightly affect the outcome, the Retaliation Regs state it is unlawful retaliation for an employer to take matters into its own hands and impose consequences for participating in an EEO matter.

In addition to prohibiting retaliation for participation in protected activities, EEO law also prohibits retaliation against an individual for “opposing” a perceived unlawful EEO practice.  The EEOC construes the prohibition against retaliation for opposition as prohibiting an employer or other covered entity from punishing an applicant or employee for communicating or taking other action in opposition to a perceived EEO violation if the individual acted reasonably and based on a reasonable good faith belief that the conduct opposed is or could become unlawful if repeated.

According to the EEOC, opposition also can be protected even if it is informal or does not include the words “harassment,” “discrimination,” or other legal terminology. A communication or act may be protected opposition as long as the circumstances show that the individual is conveying resistance to a perceived potential EEO violation such as, for example:

  • Complaining or threatening to complain about alleged discrimination against oneself or others;
  • Taking part in an internal or external investigation of employment discrimination, including harassment;
  • Filing or being a witness in a charge, complaint, or lawsuit alleging discrimination;
  • Communicating with a supervisor or manager about employment discrimination, including harassment;
  • Answering questions during an employer investigation of alleged harassment;
  • Refusing to follow orders that would result in discrimination;
  • Resisting sexual advances, or intervening to protect others;
  • Reporting an instance of harassment to a supervisor;
  • Requesting accommodation of a disability or for a religious practice;
  • Asking managers or co-workers about salary information to uncover potentially discriminatory wages;
  • Providing information in an employer’s internal investigation of an EEO matter;
  • Refusing to obey an order reasonably believed to be discriminatory;
  • Advising an employer on EEO compliance;
  • Resisting sexual advances or intervening to protect others;
  • Passive resistance (allowing others to express opposition);
  • Requesting reasonable accommodation for disability or religion;
  • Complaining to management about EEO-related compensation disparities;
  • Talking to coworkers to gather information or evidence in support of a potential EEO claim; or
  • Other acts of opposition.

In order for the protection against opposition to apply, however, the individual must act with a reasonable good faith belief that the conduct opposed is unlawful or could become unlawful if repeated.  Opposition not based on such a good faith belief is not protected. Employers should note that the EEOC takes the position that opposition by an employee could qualify as reasonable opposition protected against retaliation when an employee or applicant complains about behavior that is not yet legally harassment (i.e., even if the mistreatment has not yet become severe or pervasive) or complains about conduct the employee believes violates the EEO laws if the EEOC has adopted that interpretation, even if some courts disagree with the EEOC on the issue.

Furthermore, an individual opposing a perceived violation of an EEO law is disqualified from protection against retaliation for his opposition unless the individual behaves in a reasonable manner when expressing his opposition. For example, threats of violence, or badgering a subordinate employee to give a witness statement, are not protected opposition.

Subject to these conditions, however, the Guidance states that retaliation for opposing perceived unlawful EEOC practices need not be applied directly to the employee to qualify for protection. If an employer, employment agency or union takes an action against someone else, such as a family member or close friend, in order to retaliate against an employee, the EEOC says both individuals would have a legal claim against the employer.

Moreover, according to the EEOC, the prohibitions against retaliation for participation and opposition apply regardless of whether the person suffers the retaliation for acting as a witness or otherwise participating in the investigation of a prohibited practice regarding an EEO complaint brought by others, or for complaining of conduct that directly affects himself.

Materially Adverse Action

To fall within EEO law prohibitions against retaliation, the retaliatory actions must be “materially adverse,” which the Guidance defines to include any action that under the facts and circumstances might deter a reasonable person from engaging in protected activity.  This definition of “materially adverse” sweeps broadly to include more than employment actions such as denial of promotion, non-hire, denial of job benefits, demotion, suspension, discharge, or other actions that can be challenged directly as employment discrimination. It also encompasses within the scope of retaliation employer action that is work-related, as well as other actions with no tangible effect on employment, or even an action that takes place exclusively outside of work, as long as it may well dissuade a reasonable person from engaging in protected activity.

Whether an action is materially adverse depends on the facts and circumstances of the particular case. The U.S. Supreme Court has held that transferring a worker to a harder, dirtier job within the same pay grade, and suspending her without pay for more than a month (even though the pay was later reimbursed) were both “materially adverse actions” that could be challenged as retaliation. The Supreme Court has also said that actionable retaliation includes: the FBI’s refusing to investigate death threats against an agent; the filing of false criminal charges against a former employee; changing the work schedule of a parent who has caretaking responsibilities for school-age children; and excluding an employee from a weekly training lunch that contributes to professional advancement.

In contrast, a petty slight, minor annoyance, trivial punishment, or any other action that is not likely to dissuade an employee from engaging in protected activity in the circumstances is not “materially adverse.” For example, courts have concluded on the facts of given cases that temporarily transferring an employee from an office to a cubicle was not a materially adverse action and that occasional brief delays by an employer in issuing refund checks to an employee that involved small amounts of money were not materially adverse.

The facts and circumstances of each case determine whether a particular action is retaliatory in that context. For this reason, the same action may be retaliatory in one case but not in another. Depending on the facts, other examples of “materially adverse” actions may include:

  • Work-related threats, warnings, or reprimands;
  • Negative or lowered evaluations;
  • Transfers to less prestigious or desirable work or work locations;
  • Making false reports to government authorities or in the media;
  • Filing a civil action;
  • Threatening reassignment;
  • Scrutinizing work or attendance more closely than that of other employees, without justification;
  • Removing supervisory responsibilities;
  • Engaging in abusive verbal or physical behavior that is reasonably likely to deter protected activity, even if it is not yet “severe or pervasive” as required for a hostile work environment;
  • Requiring re-verification of work status, making threats of deportation, or initiating other action with immigration authorities because of protected activity;
  • Terminating a union grievance process or other action to block access to otherwise available remedial mechanisms; or
  • Taking (or threatening to take) a materially adverse action against a close family member (who would then also have a retaliation claim, even if not an employee).

ADA Interference Claims

In addition to the need to manage potential exposures for prohibited retaliation, employers, employment agencies and unions also should be careful to manage their exposure to potential liability arising from claims for wrongful interference with an individual’s exercise of the disability rights or protections granted under the ADA.

The ADA generally prohibits disability discrimination, limits an employer’s ability to ask for medical information, requires confidentiality of medical information, gives employees who have disabilities the right to reasonable accommodations at work absent undue hardship and, like other EEO laws, prohibits retaliation. In addition to its prohibitions against retaliation, however, the ADA also more broadly prohibits “interference” with statutory rights under the ADA.

Interference is broader than retaliation. The ADA’s interference provision makes it unlawful to coerce, intimidate, threaten, or otherwise interfere with an individual’s exercise of ADA rights, or with an individual who is assisting another to exercise ADA rights.

In addition, the ADA also prohibits employers from interfering with ADA rights by doing anything that makes it more difficult for an applicant or employee to assert any of these rights such as using threats or other actions to discourage someone from asking for, or keeping, a reasonable accommodation; intimidating an applicant or employee into undergoing an unlawful medical examination; or pressuring an applicant or employee not to file a disability discrimination complaint.

Prohibited interference may be actionable under the ADA even if ineffective and even if the person subjected to intimidation goes on to exercise his ADA rights.

While acknowledging that some employer actions may be both retaliation and interference, or may overlap with unlawful denial of accommodation, the Guidance identifies the following actions as examples of interference prohibited under the ADA:

  • Coercing an individual to relinquish or forgo an accommodation to which he or she is otherwise entitled;
  • Intimidating an applicant from requesting accommodation for the application process by indicating that such a request will result in the applicant not being hired;
  • Threatening an employee with loss of employment or other adverse treatment if he does not “voluntarily” submit to a medical examination or inquiry that is otherwise prohibited under the statute;
  • Issuing a policy or requirement that purports to limit an employee’s rights to invoke ADA protections (e.g., a fixed leave policy that states “no exceptions will be made for any reason”);
  • Interfering with a former employee’s right to file an ADA lawsuit against the former employer by stating that a negative job reference will be given to prospective employers if the suit is filed; and
  • Subjecting an employee to unwarranted discipline, demotion, or other adverse treatment because he assisted a coworker in requesting reasonable accommodation.

According to the EEOC, a threat does not have to be carried out in order to violate the interference provision, and an individual does not actually have to be deterred from exercising or enjoying ADA rights in order for the interference to be actionable.

Strategies To Help Deter Or Rebut Retaliation Charges

Even though an individual claiming retaliation technically bears the burden of proving that, more likely than not, he suffered an adverse employment action as a result of retaliation, an employer, employment agency or union charged with illegal retaliation frequently needs to rebut or undermine a claimant’s evidence of retaliation by having and introducing admissible evidence that it had a non-retaliatory reason for taking the challenged action, such as evidence that:

  • The employer was not, in fact, aware of the protected activity;
  • There was a legitimate non-retaliatory motive for the challenged action, that the employer can demonstrate, such as poor performance; inadequate qualifications for position sought; qualifications, application, or interview performance inferior to the selectee; negative job references (provided they set forth legitimate reasons for not hiring or promoting an individual); misconduct (e.g., threats, insubordination, unexcused absences, employee dishonesty, abusive or threatening conduct, or theft); or reduction in force or other downsizing;
  • Similarly-situated applicants or employees who did not engage in protected activity were similarly treated;
  • Where the “but-for” causation standard applies, there is evidence that the challenged adverse action would have occurred anyway, despite the existence of a retaliatory motive; or
  • Other credible evidence showing a legitimate, non-discriminatory and non-retaliatory motive behind the action.

It is important that employers and other potential defendants in retaliation actions recognize and take appropriate steps to create and retain evidence documenting these or other legitimate business reasons justifying the action prior to taking adverse action.  Many employers or other defendants charged with discrimination or retaliation discover too late that a rule of evidence commonly referred to as the “After Acquired Evidence Doctrine” often prevents an employer or other defendant from using documentation or other evidence of motive created after the adverse action occurs.  Consequently, employers and other potential targets of retaliation claims would be wise, before taking the adverse action, to carefully collect, document and retain the evidence and analysis showing their adverse action was taken for a legitimate, nonretaliatory, nondiscriminatory reason rather than for any retaliatory purpose.

Other Defensive Actions & Strategies

Beyond taking care to document and retain evidence of its legitimate motivations for taking an adverse employment action, employers, employment agencies and unions interested in avoiding or enhancing their defenses against retaliation or interference claims also may find it helpful to:

  • Maintain a written, plain-language anti-retaliation and anti-interference policy that provides practical guidance on the employer’s expectations with user-friendly examples of what to do and not to do;
  • Send a message from top management that retaliation and interference are prohibited and will not be tolerated;
  • Ensure that top management understands and complies with policies against prohibited discrimination, retaliation and interference;
  • Consistently and fairly administer all equal employment opportunity and other policies and procedures in accordance with applicable laws in a documented, defensible manner;
  • Post and provide all required posters or other equal employment opportunity notices;
  • Timely and accurately complete and file all required EEO reports;
  • Clearly communicate orally and in writing the policy against prohibited retaliation and interference, as well as procedures for reporting, investigating and addressing concerns about potential violations of these policies in corporate policies as well as to employees complaining or participating in investigations or other protected activities;
  • Conduct documented training for all managers, supervisors and other employees and agents of the employer about policies against prohibited discrimination, retaliation, and interference including, as necessary, specific education about specific behaviors or situations that could raise retaliation or interference concerns, when and how to report or respond to such concerns and other actions to take to prevent or stop potential retaliation and interference;
  • Establish and administer clear policies and procedures for reporting and investigating claims or other indicators of potential prohibited employment discrimination, retaliation, interference including appropriate procedures for monitoring and protecting applicants and workers who have made claims of discrimination or have a record of involvement in activities that might qualify for corrective action;
  • Review performance, compensation and other criteria for potential evidence of overt or hidden bias or other evidence of potential prohibited retaliation or interference and take documented corrective action as needed to prevent improper bias from adversely corrupting the decision-making process;
  • Conduct timely, well-documented investigations of all reports or other evidence of suspected discrimination, retaliation, and interference including any disciplinary, remedial or corrective action taken or foregone and the justification underlying these actions;
  • Obtain and enforce contractual reassurances from recruiting, staffing and other contractors to adhere to, and cooperate with the employer in its investigation and redress of the nondiscrimination, data collection and reporting, anti-retaliation and anti-interference requirements of equal employment opportunity and other laws;
  • Incorporate appropriate inquiries and other procedures for documented evaluation and monitoring of hiring, staffing, performance review, promotion, demotion, discipline, termination and other employment decisions and actions for evidence or other indicators of potential prohibited discrimination, retaliation, interference or other prohibited conduct and take corrective action as necessary based on the evidence developed;
  • Designate appropriately empowered and trained members of the management of the employer to receive and investigate complaints and other potential concerns;
  • Arrange for an unbiased third party review of the adverse action or the performance or other decision criteria, processes and analysis that the employer or other defendant contemplates relying on to decide and implement employment decisions for indicators of potential discriminatory, retaliatory or other illegal or undesirable bias and take corrective action as needed to address those concerns before undertaking employment actions;
  • Evaluate and allocate appropriate funds within the employer’s budget to support the employer’s compliance efforts as well as to provide for the availability of sufficient funds to investigate and defend potential charges or public or private charges of illegal discrimination, retaliation or interference through the purchase of employment practices liability or other insurance coverages or otherwise;
  • If a manager or other party recommends an adverse action in the wake of an employee’s filing of an EEOC charge or participation in other protected activity, conduct or arrange for another party to independently evaluate whether the adverse action is appropriate;
  • Proactively seek assistance from qualified legal counsel with the design and review of policies, practices and operations, investigation and analysis of internal or external complaints or other concerns about potential prohibited discrimination, retaliation or interference, review and execution of termination, discipline or other workforce events to mitigate discrimination, retaliation or interference risks as well as the defense of EEOC or private enforcement actions; and
  • Be ever diligent in your efforts to prevent, detect and redress actions or situations that could be a basis for retaliation or interference claims.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized for her nearly 30 years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, and a former ABA Joint Committee on Employee Benefits Council Representative, Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and others’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and clean up workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations to deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and on a longer-term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources at www.Solutionslawpress.com.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™. All other rights reserved.


Health Plans & Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement

July 28, 2016

Employers, insurers and other health plan sponsors or issuers (health plans), health care providers, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC). The penalty is documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) that OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss of a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.

UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement

Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions.  Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.

Like many resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing.  OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR.  UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.

UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.

In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report.  Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network: users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.

While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.

Based on these findings, OCR charged UMMC with the following HIPAA violations:

  • From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
  • From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. §164.312(a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
  • While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which, among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.

Lessons For Other Covered Entities From UMMC Resolution Agreement

The UMMC charges and Resolution Agreement contain several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed.

Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.

Furthermore, the charges and Resolution Agreement also add a new twist to OCR’s now well-established practice of stiffly sanctioning covered entities and their business associates that fail to appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI.  The UMMC charges and Resolution Agreement make clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption.  Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.

The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to, ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop but also to other data bases and systems containing ePHI accessible through the laptop.  In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:

  • To safeguard the physical security of laptops and other mobile devices;
  • To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
  • To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.

Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguards by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.

In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”  She also warned, “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

Additionally, the Resolution Agreement illustrates the need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.

Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is an AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry clients and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters by Martindale-Hubbell as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and as among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns.  The scribe for the ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMSS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.


Health Plans Disclosing Data To State All Payer Data Banks Face HIPAA Risks

May 31, 2016

Self-insured employer or union sponsored health plans (Plans), their fiduciaries, third party administrative or other service providers, and sponsors should consult legal counsel for advice about whether their Plans might violate the Privacy Rule of the Health Insurance Portability & Accountability Act (HIPAA) by disclosing individually identifiable claims or other Plan records or data to a state “all payer” claims or other data base in response to a state law or regulation mandating those disclosures in light of the Supreme Court’s recent ruling in Gobeille v. Liberty Mutual, 136 S. Ct. 936 (2016).

Gobeille involved a challenge to a Vermont “all payer” law, similar to laws enacted by at least 20 other states, that requires health plan payers, their administrators or both to disclose individually identifiable health claims and other claims data about Plan members to a state-created all payer data base. The Vermont law challenged in Gobeille required health insurers and other payers to disclose treatment information about Plan members as well as certain other health care claim payment and other data to an all payer claims database, which under the law is made “available as a resource for insurers, employers, providers, purchasers of health care, and State agencies to continuously review health care utilization, expenditures, and performance in Vermont.”  See Gobeille at 941.  Vermont’s law requires third party administrators of self-insured Plans and other payers to disclose the information regardless of whether the member resides or received the treatment in Vermont.

In Gobeille, the Supreme Court ruled that the preemption provisions of Section 514 of the Employee Retirement Income Security Act (ERISA) bar Vermont from requiring self-insured ERISA Plans

In addition to excusing self-insured Plans from the trouble and expense of complying with Vermont’s disclosure law, the Supreme Court’s ruling in Gobeille that Vermont cannot enforce the law against self-insured ERISA Plans raises a concern that the Privacy Rules of HIPAA may prohibit Plans from disclosing certain individually identifiable claims information.  The HIPAA compliance concern arises because the claims information and other data that the Vermont and most other similar laws require Plans and other payers to disclose generally is or includes information that qualifies as “protected health information” within the meaning of the HIPAA Privacy Rule. These laws generally are structured either to directly require self-insured Plans to disclose the claims data, to indirectly compel the disclosure by requiring third party administrators of such Plans to disclose the claims information for Plans they administer, or both.

Under the HIPAA Privacy Rule, Plans and other HIPAA-covered entities and service providers acting as business associates of the Plans are prohibited from using or disclosing individually identifiable protected health information unless the use or disclosure is expressly authorized by the Privacy Rule. Since violations of the Privacy Rule trigger substantial civil or even criminal penalties under HIPAA, Plans, their fiduciaries, service providers acting as business associates and other members of their workforce need to verify that the disclosure meets all of the requirements to fall within an exception to the Privacy Rule’s prohibition against disclosure before allowing such a disclosure.

Before Gobeille, many self-insured Plans and their administrators treated the disclosures of individually identifiable claims data of the Plans as permitted as a disclosure “required by law” under Privacy Rule § 164.512(a), which provides in relevant part:

 (a) Standard: Uses and disclosures required by law.

 (1)  A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

 (2)  A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.

The Gobeille ruling that the Vermont law is unenforceable against self-insured Plans appears to eliminate the availability of this exception as a basis for allowing disclosures in response to the Vermont law and also calls into question the ability of Plans to rely upon the “required by law” exception to the Privacy Rule to justify disclosures of protected health information to state all payer data bases in response to similar requirements enacted in the other 20 states that have enacted similar mandates.  Plans that previously disclosed or intend in the future to disclose protected health information to a state all payer data base in Vermont or another state generally will want to carefully document their justification, if any, for making that disclosure under the Privacy Rule.

Unless the disclosure otherwise falls within another exception to the HIPAA Privacy Rule against disclosures without authorization, Plans, their sponsors, fiduciaries, third party administrators and other service providers and other members of the Plan workforce at minimum should be concerned about the HIPAA risks of disclosing protected health information in response to these state mandates after Gobeille. Plans that decide not to disclose information otherwise required by such state law requirements in light of the Gobeille ruling or HIPAA concerns may want to consult with qualified legal counsel about the steps, if any, that the Plan might want to take to document its ERISA preemption or other justifications for not providing the otherwise required disclosures.

Beyond evaluating the advisability of future disclosures in response to the Vermont or another similar all payer statute, Plans whose data previously was disclosed by the Plan or its administrator to an all payer data base under the belief that the disclosure was required by law also may want to seek the advice of qualified legal counsel about whether these prior disclosures triggered breach notification responsibilities under the Breach Notification rules of HIPAA. When electronic protected health information is used or disclosed in violation of HIPAA, the Breach Notification Rules of HIPAA generally require Plans and their business associates to timely notify impacted individuals and the Department of Health & Human Services Office of Civil Rights (OCR) in accordance with the detailed requirements set forth in OCR’s implementing regulations.  Furthermore, where a breach involves 500 or more individuals, the timetable for providing notification to OCR is accelerated and the Plan also is required to provide notification to the media and others.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized for her nearly 30 years of cutting-edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the fields of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, Ms. Stamer has clients that range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, to retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. 
She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of thousands of publications and workshops on these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters appear in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALI-ABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMSS, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer serves on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and as an editorial advisor and contributing author of many other publications. Her leadership involvements with the American Bar Association (ABA) include serving many years as a Joint Committee on Employee Benefits Council representative; ABA RPTE Section current Practice Management Vice Chair and Substantive Groups & Committees Committee Member, RPTE Employee Benefits & Other Compensation Committee Past Group Chair and Diversity Award Recipient, current Defined Contribution Plans Committee Co-Chair, and past Welfare Benefit Plans Committee Chair Co-Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; International Section Life Sciences Committee Policy Vice Chair; and a speaker, contributing author, comment chair and contributor to numerous Labor, Tax, RPTE, Health Law, TIPS, International and other Section publications, programs and task forces.
Other selected service involvements of note include Vice President of the North Texas Healthcare Compliance Professionals Association; past EO Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former Southwest Benefits Association Board of Directors member, Continuing Education Chair and Treasurer; former Texas Association of Business BACPAC Committee Member, Executive Committee member, Regional Chair and Dallas Chapter Chair; former Society of Human Resources Region 4 Chair and Consultants Forum Board Member and Dallas HR Public Policy Committee Chair; former National Board Member and Dallas Chapter President of Web Network of Benefit Professionals; former Dallas Business League President and others. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources at Solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.  ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.


Brace For Health Plan OCR HIPAA Audits

March 22, 2016


Employer and union sponsored health plans, their sponsors, fiduciaries, and business associates should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Services Office of Civil Rights (OCR) following the kickoff of OCR’s 2016 audit program on the heels of its announcement last week of two large HIPAA settlements.

OCR confirmed today it is sending emails notifying health plans, healthcare providers, healthcare clearinghouses (Covered Entities) and their business associates identified as part of the kickoff of its next phase of audits of Covered Entities. In light of the HIPAA verification rules and the notorious spread of identity theft and other fraud by opportunistic cybercriminals following these types of announcements, Covered Entities and business associates should carefully verify the request’s validity and manage the response to avoid violating HIPAA in responding and to position themselves for defensibility against potential penalties.

Even if health plans or other Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.

To catch up on this latest guidance, Solutions Law Press, Inc.™ invites you to register to participate in a special WebEx briefing on “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” beginning at Noon Central Time on Wednesday, March 30, 2016.

2016 Audit Program 

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by Covered Entities  and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. OCR says it will primarily conduct these audits as desk audits, although some on-site audits will be conducted.

According to today’s announcement, the 2016 audit process begins with verification of an entity’s address and contact information. OCR is sending emails to Covered Entities and business associates requesting that contact information be provided to OCR on time. OCR will then send a pre-audit questionnaire to gather data about the size, type, and operations of potential audit targets.  OCR says this data will be used with other information to create potential audit subject pools.  Recipients should contact qualified legal counsel immediately for advice and assistance about proper procedures to verify the email is in fact from OCR and for assistance in responding.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects entities to check their junk or spam email folder for emails from OCR.

The announcement also reflects that OCR is still developing other aspects of the audit program. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

OCR says its audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to aid the industry in compliance self-evaluation and in preventing breaches. OCR plans to use results and procedures used in the phase 2 audits to develop its permanent HIPAA audit program.

OCR Settlements Show Enforcement Risk

The audit program announcement comes less than a week after OCR announced millions of dollars of new penalties under settlements with two Covered Entities:

  • A $1,555,000 settlement with North Memorial Health Care of Minnesota;
  • A $3.9 million settlement with Feinstein Institute for Medical Research.

The two settlements drive home again the substantial liability that health care providers, health plans, health care clearinghouses and their business associates risk for violating HIPAA.

Feinstein Settlement

Feinstein is a biomedical research institute organized as a New York not-for-profit corporation sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York comprised of 21 hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information about potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html.

North Memorial

The Feinstein settlement announcement follows yesterday’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Director Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Settlement Latest Reminder To Manage HIPAA Risks

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, these latest  settlements illustrate the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR about their obligations under HIPAA.

As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI.

In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand and fulfill their HIPAA responsibilities, such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016. The Crosswalk maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and also includes mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs.

At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years and 91 percent of all health organizations having reported breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rule against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule.

To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to produce documentation of their audit and other efforts to comply with the Security Rule. Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breach or audit.

Changing Rules Complicate Compliance

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.   OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs that addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should expect OCR to ask about use of these tools in audits and investigations.  Accordingly, they should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply.

Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites you to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide patients with access to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.
Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubbell and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine, Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, and speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organizations including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops on these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications, speaks and conducts training for a broad range of professional organizations and for clients, and serves on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick│Soefje PLLC or contact Ms. Stamer via email here or via telephone to (469) 767-8872.



Obama Administration Proposes Rules Giving Jobseeker Equal Opportunity Protections

January 26, 2016

In keeping with the Obama Administration’s long agenda of expanding equal employment and discrimination protections and enforcement, the Administration now is proposing new regulations that, if adopted as proposed, would expand the equal employment and nondiscrimination protections applicable for individuals receiving services through federal apprenticeships and other programs or activities provided by partners at American Job Centers and other key workforce programs that aid jobseekers administered by the U.S. Department of Labor’s Civil Rights Center (CRC).

In a Notice of Proposed Rulemaking released by CRC on January 25, 2016, CRC proposed to revise its current regulations, which were originally adopted in 1999, both:

  • To implement the expanded nondiscrimination and equal opportunity obligations made under Section 188 of the Workforce Innovation and Opportunity Act (WIOA) signed into law in July 2014; and
  • To reflect the Obama Administration’s expansive interpretation, enforcement and other practices of protections for transgender, gender identity, pregnancy, limited English proficiency (LEP) and other individuals against discrimination implemented by the Obama Administration in its enforcement of other federal equal employment and other nondiscrimination laws.

WIOA Implementation Identified As Reason For Proposed Regulations

In the case of the CRC’s proposed regulations, the CRC identifies its need to adopt regulations to implement the WIOA as the reason for its restatement of its equal opportunity regulations at this time.

The Obama Administration is using its adoption of implementing regulations for WIOA Section 188 to revise and update the CRC’s equal opportunity rules generally to reflect changes in the interpretation of federal employment and other nondiscrimination rules already adopted during Mr. Obama’s presidency in other federal equal rights and nondiscrimination laws and regulations.

WIOA Section 188 prohibits discrimination against individuals participating in any job training for adults and youth, apprenticeships, and programs or activities provided by partners at American Job Centers or other covered program or activity that receives financial assistance under Title I of WIOA because of the race, color, religion, sex, national origin, age, disability, or political affiliation or belief of the individual participating in the program and, for beneficiaries only, because of their citizenship status. The WIOA discrimination and equal opportunity rules apply to recipients of financial assistance under Title I of WIOA and to program partners at American Job Centers that offer programs or activities through the workforce development system, including partners that conduct related programs or activities through the One-Stop delivery system such as Unemployment Insurance, Temporary Assistance for Needy Families, adult education, Trade Adjustment Assistance, and others.

The CRC’s proposed regulations are the latest of the growing responsibilities and risks that private businesses and state and local government agencies increasingly face from lawsuits, agency audits and sanctions, program disqualification, and other enforcement actions under federal equal employment opportunity and nondiscrimination requirements, particularly in light of the expanded scope and applicability of disability and various other federal nondiscrimination laws implemented during the Obama Administration by statutory, regulatory, executive order or other federal action. The extension of these changes into the CRC regulations reflects the continuing commitment of the Obama Administration to implement and enforce these expansions as fully as possible before Mr. Obama leaves office.

Highlights of Proposed CRC Regulations

If adopted as proposed by the CRC, the proposed rule would update the equal opportunity and nondiscrimination requirements applicable to American Job Centers and other WIOA partners working within the workforce development system to:

  • Align the equal opportunity and nondiscrimination protections for individuals in WIOA programs with current regulations and guidance issued by the Departments of Justice and Education, the Equal Employment Opportunity Commission and other federal agencies regarding the following equal opportunity and discrimination laws:
    • Title VI and Title VII of the Civil Rights Act of 1964;
    • Title IX of the Education Amendments of 1972;
    • The Americans with Disabilities Act of 1990 and the ADA Amendments Act of 2008; and
    • Section 504 of the Rehabilitation Act of 1973.
  • Clarify that sex discrimination under the WIOA, as under the Pregnancy Discrimination Act of 1978, which amended Title VII of the Civil Rights Act of 1964, and Title IX of the Education Amendments of 1972, includes discrimination based on transgender status, gender identity, or sex-stereotyping as well as pregnancy, childbirth, and related medical conditions.
  • Clarify that discrimination based on national origin may include discrimination because someone has limited English proficiency (LEP) and strengthen the ability of the Labor Department and private plaintiffs to enforce this expectation by requiring recipients and partners to:
    • Record the primary language of applicants, participants and beneficiaries in their programs;
    • Take “reasonable steps” to ensure that LEP individuals have meaningful access to aid, benefits, services, and training;
    • Notify participants about these rights, including offering oral interpretation and written translation of both hard-copy and electronic materials in non-English languages.
    • The Proposed Rule also would clarify which documents CRC views as “vital” documents required to be translated and would include an appendix that describes promising practices to help recipients comply with their legal obligations and sets out the components of a plan to facilitate meaningful access for individuals with limited English proficiency.
  • Change the equal opportunity notice or poster that the Labor Department requires recipients and partners to post to inform individuals participating in their programs and activities about their equal employment opportunity protections and rights to reflect these expanded rights and responsibilities by, among other things, clearly stating that “sex,” as a prohibited basis for discrimination, includes pregnancy, childbirth, and related medical conditions, transgender status, gender identity, and sex stereotyping and that discrimination against LEP persons may be a form of national origin discrimination.
  • Promote the ability of the Labor Department and private plaintiffs to enforce compliance by, among other things:
    • Implementing clearer and broader descriptions of recipient and partner responsibilities, more effective Equal Opportunity Officers, and enhanced data collection;
    • Expanding recipient and partner recordkeeping and requiring other actions that will make proof of violations easier;
    • Requiring annual monitoring, instead of the current “periodic” monitoring and other increased enforcement in accord with the Pregnancy Discrimination Act of 1978, which amended Title VII of the Civil Rights Act of 1964, and in accord with Title IX of the Education Amendments of 1972.

CRC Proposal Reflects Broader Agency Regulatory & Enforcement Agenda For All U.S. Businesses & State & Local Agencies

While the CRC’s proposed regulations most directly impact those providing services or programs to jobseekers and other assistance under CRC administered programs, the proposed regulations also are yet another strong sign for private businesses and state and local government agencies alike of the need to step up their compliance and risk management in light of expanded responsibilities and enforcement of federal equal employment opportunity laws under the Obama Administration. As a result, all U.S. businesses as well as state and local government agencies should exercise special care to prepare to defend their actions against potential disability or other Civil Rights discrimination challenges. All organizations, whether public or private, need to make sure that their organizations, their policies, and their people, in form and in action, understand and comply with current disability and other nondiscrimination laws. When reviewing these responsibilities, many state and local governments and private businesses may need to update their understanding of current requirements as well as strengthen oversight and investigation practices, tighten vendor contracts, explore insurance or other options for planning for funding costs of defending investigations, litigation or other enforcement actions, and other heightened compliance and risk management strategies and practices.

About The Author

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick│Soefje PLLC, author, public speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and others’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and clean up workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations to deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and on a longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.
Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. 
She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others to assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of thousands of publications and workshops on these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters appear in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALI-ABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMSS, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves as an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence; as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; and a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see CynthiaStamer.com or StamerChadwickSoefje.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.

 


HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks

July 11, 2015

The widespread use of and reliance on internet applications by health plans, insurers and other health plan industry service providers to access and share protected health information when performing online enrollment, claims administration and payment, reporting, member and provider communications and a host of other key health plan functions makes it particularly important for health plans, their employer or other sponsors, fiduciaries, insurers and other vendors and their management to respond quickly to the warning that the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) made in its July 10, 2015 announcement of its latest HIPAA settlement to ensure applications and systems properly safeguard protected health information (PHI) as required by the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security & Breach Notification Rules (HIPAA Rules) and other laws.

The new Resolution Agreement with the Massachusetts-based hospital system, St. Elizabeth’s Medical Center (SEMC), settles charges OCR made that SEMC breached HIPAA by failing to protect the security of PHI when using internet applications to access and share PHI. The Resolution Agreement also shows how complaints filed with OCR by workforce members can create additional compliance headaches for Covered Entities or their business associates, while the “robust corrective action plan” imposed under the Resolution Agreement shares examples of the ladder reporting, management oversight and documentation Covered Entities and business associates can expect to need to prove their organizations maintain the “culture of compliance” with HIPAA that OCR expects in the event of an OCR audit or investigation.

With recent reports on massive health plan HIPAA and other data breaches fueling widespread participant and regulatory concern over identity theft and other data security, Covered Entities and their business associates should prepare to defend the adequacy of their own HIPAA and other data security practices in the event of an OCR breach investigation or audit. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC Resolution Agreement settles OCR charges that SEMC violated HIPAA stemming from an OCR investigation of a November 16, 2012 complaint by SEMC workforce members and a data breach report SEMC separately made to OCR of a breach of unsecured electronic PHI (ePHI) stored on a former SEMC workforce member’s personal laptop and USB flash drive affecting 595 individuals. In their complaint, SEMC workers complained SEMC violated HIPAA by allowing workforce members to use an internet-based document sharing application to share and store documents containing ePHI of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan” to correct these alleged HIPAA violations. While the required settlement payment is relatively small, the Resolution Agreement’s focus on security requirements for internet application and data use and sharing activities engaged in by virtually every Covered Entity and business associate makes the Resolution Agreement merit the immediate attention of all Covered Entities, their business associates and their management.

SEMC HIPAA Specific Compliance Lessons For Health Plans & Business Associates

In announcing the Resolution Agreement, OCR Director Jocelyn Samuels sent a clear warning to all Covered Entities and their business associates “to pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” stating “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The Resolution Agreement makes clear that OCR expects health plans and other Covered Entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates Covered Entities and business associates must be able to produce documentation and other evidence needed to show the top to bottom dedication to HIPAA compliance necessary to prove a “culture of compliance” with HIPAA permeates their organizations.

In light of OCR’s warning and expectations, Covered Entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan” included in the Resolution Agreement, starting with the specific steps the corrective action plan requires SEMC to take to address its internet application security concerns such as:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up the ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance & Risk Management Lessons

Beyond the specific internet applications and other security of ePHI lessons in the Resolution Agreement, Covered Entities and their business associates also should be mindful of other more subtle, but equally important broader HIPAA compliance and risk management lessons provided in the Resolution Agreement and other recent OCR guidance about their overall HIPAA compliance responsibilities.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The Resolution Agreement sends an undeniable message that OCR expects Covered Entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies. The SEMC corrective action plan should prompt Covered Entities and business associates to weigh the adequacy of their existing workforce training, reporting, investigation and other management processes and documentation. Meanwhile, OCR’s report that a complaint made by SEMC insiders to OCR prompted its investigation also should sensitize Covered Entities and their business associates to the need to ensure that their workforce training and management processes are appropriate to position their organization both to show their processes encourage proper internal reporting and investigation of compliance concerns, as well as manage the inevitable HIPAA and other human resources retaliation and whistleblower exposures that can arise out of such reports.

The Resolution Agreement also provides insights into the internal corporate processes and documentation of compliance efforts that Covered Entities and business associates may need to show their organization has the required “culture of compliance” needed to mitigate consequences of breaches or other compliance glitches. Particularly notable are the Resolution Agreement’s terms on the documentation and up the ladder reporting to management and OCR of SEMC’s self-audit and self-correction activities and management oversight and management of these activities. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details in the Resolution Agreement provide invaluable tips to Boards and other leaders of Covered Entities and business associates about steps they can take to promote their ability to demonstrate their organizations have the necessary culture of HIPAA compliance OCR expects.

Health Plan HIPAA Compliance Risks & Responsibilities of Employers & Their Leaders

While HIPAA places the primary duty for complying with HIPAA on Covered Entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

As employers forced to cope with the deluge of fears and questions of employees and other health plan members impacted by recent massive PHI breach reports shared by Blue Cross association health insurance plan giants Anthem and Premera can attest, HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines the value employees place on, and their satisfaction with, the health benefit plan as an employee benefit. These concerns also usually require employers to expend significant management and financial resources to respond to these concerns and address other employer fallout from the breach.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all too rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators, and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Since employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware the employer’s exception from direct liability for HIPAA Rule compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA Rules to a health plan or other Covered Entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA Rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations in order for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces, and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA Rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce fails to honor these arrangements or improperly accesses or uses health plan PHI or systems in violation of these conditions or other HIPAA Rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Since health plan PHI records also typically include personal tax and social security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Since HIPAA and some of these other laws under certain conditions make it a felony crime to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s Federal Sentencing Guideline and other compliance programs.

Beyond the already discussed concerns, employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements to manage the exposure of the employer or management or other staff to statutory, regulatory, contractual or ethical liabilities arising under ERISA, the Internal Revenue Code, the Fair & Accurate Credit Transaction Act (FACTA), trade secret, insurance, disability, identity theft, cybersecurity or other federal or state laws.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure the health plan’s compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. Consequently, the sponsoring employer and certain members of its human resources or other executive management team who functionally possess or exercise responsibility or authority over the administration of the employer’s health plan or its data or other assets, the selection or oversight of plan fiduciaries, vendors, or other workforce members involved in its administration, or other key health plan operations risk ERISA fiduciary liability for their own failures to act prudently in carrying out HIPAA compliance or other responsibilities or to take action when they know or should know that another fiduciary is breaching or has breached these duties. This fiduciary status and risk can occur even if the entity or individual is not named a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Since fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority to avoid or minimize these potential ERISA fiduciary exposures.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Act To Manage HIPAA & Other Related Risks

Given OCR’s release of the Resolution Agreement on the heels of widespread publicity about massive health plan and other data breaches at Blue Cross health care giants Anthem and Premera and other U.S. businesses, and the potential legal and financial exposures that a HIPAA data breach or other violation could create, health plans and their sponsors, insurers, business associates, and leaders should appreciate the advisability of acting promptly to ensure that their health plans and business associates are taking appropriate steps to comply with the HIPAA Rules and manage other associated risks and liabilities. At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stop gap against the costs of investigation or defense of a HIPAA security or other data breach.

For Legal or Consulting Advice, Legal Representation, Training Or More Information

If you need help responding to these new or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, help updating or defending your workforce or employee benefit policies or practices, or other related assistance, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, Ms. Stamer’s more than 27 years of leading edge work as a practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health and other employee benefit, human resources, and related insurance, health care, privacy and data security and tax matters and policy.

Ms. Stamer’s legal and management consulting work throughout her 27 plus year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and others’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and clean up workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations to deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and on a longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements.

She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. In these and other engagements, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. 
She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. 
She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. She is Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health plans, their sponsors, administrators, insurers and many other business, professional and civic organizations.

Author of thousands of publications and workshops on these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters appear in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves as an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com or http://www.stamerchadwicksoefje.com, or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2015 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.


Stamer Kicks Off Dallas HR 2015 Monthly Lunch Series With 2015 Federal Legislative, Regulatory & Enforcement Update

November 10, 2014

Human resources and other management leaders are watching Washington to see if the change in Congressional control resulting from the November 4, 2014 mid-term election ushers in a more management friendly federal legal environment. Since President Obama took office, the Democrats’ aggressive pursuit of health care, minimum wage and other federal pro-labor legislation, regulations and enforcement has increased management responsibilities, costs and liabilities.

Nationally recognized management attorney, public policy advisor and advocate, author and lecturer Cynthia Marcotte Stamer will help human resources and other management leaders prepare for 2015 when she speaks on “2015 Federal Legislative, Regulatory & Enforcement Update: What HR & Benefit Leaders Should Expect & Do Now” at the 2015 Dallas HR monthly luncheon series kickoff meeting on January 13, 2014.

About The Program

While November 4, 2014 Republican election victories gave Republicans a narrow majority in both the House and Senate when the new Congress takes office January 3, 2015, the new Republican Majority may face significant challenges delivering on their promises to move quickly to enact more business-friendly health care, guest worker, tax and other key reforms Republicans say will boost employment and the economy.

While President Obama and Democrat Congressional leaders say they plan to work with the new majority, President Obama already is threatening to use vetoes, regulations and executive orders to block Republicans from obstructing or rolling back his pro-labor policy and enforcement agenda.   When the new Congress takes office, the narrowness of the Republican Majority in the Senate means Republicans can’t block a Democratic filibuster or override a Presidential veto without recruiting some Democratic support.

As the Democrats and Republicans head into battle again, Board Certified Labor & Employment attorney and public policy advocate Cynthia Marcotte Stamer will help human resources and other management leaders get oriented for the year ahead by sharing her insights and predictions on the legislative, regulatory and enforcement agendas that HR, benefit and other business leaders need to plan for and watch in 2015.  Among other things, Ms. Stamer will:

  • Discuss how management can benefit from monitoring and working to influence potential legislative, regulatory and enforcement developments when planning and administering HR and related workforce policies;
  • Discuss the key workforce and other legislative, regulatory and enforcement priorities and proposals Democrats and Republicans plan to pursue during 2015;
  • Share her insights and predictions about how the narrow Republican majority, Mr. Obama’s lame duck presidency and other factors could impact each Party’s ability to pursue its agenda;
  • Share tips management leaders can use to help monitor developments and to help shape legislation, regulation and enforcement through Dallas HR, SHRM and other organizations as well as individually;
  • Learn tips for anticipating and maintaining flexibility to respond to legislative, regulatory and enforcement developments; and
  • More

To register or get more details about the program, DallasHR, or both, see http://www.dallashr.org.

About Ms. Stamer

Board certified labor and employment attorney, public policy leader, author, speaker Cynthia Marcotte Stamer is nationally and internationally recognized and valued for her more than 25 years of work advising and representing employers, insurers, employee benefit plans, their fiduciaries and advisors, business and community leaders and governments about workforce, employee benefits, social security and pension, health and insurance, immigration and other performance and risk management, public policy and related regulatory and public policy, management and other operational concerns.

Throughout her career, Ms. Stamer has continuously helped businesses and their management both to monitor and respond to federal and state legislative, regulatory and enforcement concerns and to anticipate and shape federal, state and other laws, regulations, and enforcement in the United States and internationally.

Well known for her leadership on workforce, health and pension policy through her extensive work with clients as well as through her high profile involvements as the Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment, a founding Board member of the Alliance for Health Care Excellence, a Fellow in the American College of Employee Benefit Counsel, the American Bar Association (ABA), and the State Bar of Texas leadership and other involvements with the ABA including her annual service leading the annual agency meeting of Joint Committee on Employee Benefits (JCEB) representatives with the HHS Office of Civil Rights and participation in other JCEB agency meetings, past involvements with legislative affairs for the Texas Association of Business and Dallas HR and others, and many speeches, publications, and other educational outreach efforts, Ms. Stamer has worked closely with Congress and federal and state regulators on the Patient Protection & Affordable Care Act and other health care, pension, immigration, tax and other workforce-related legislative and regulatory reforms for more than 30 years. One of the primary drafters of the Bolivian Social Security reform law and a highly involved leader on U.S. workforce, benefits, immigration and health care policy reform, Ms. Stamer’s experience also includes working with U.S. and foreign government, trade association, private business and other organizations to help reform other countries’ and U.S. workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Ms. Stamer also contributes her policy, regulatory and other leadership to many professional and civic organizations including as Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Committee and its current Welfare Benefit Plans Committee Co-Chair, a Substantive Groups & Committee Member; a member of the leadership council of the ABA Joint Committee on Employee Benefits; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; the current Vice Chair of the ABA TIPS Employee Benefit Committee, and the past Coordinator of the Gulf Coast TEGE Council TE Division.

The publisher and editor of Solutions Law Press, Inc. who serves on the Editorial Advisory Boards of Employee Benefit News, HR.com, InsuranceThoughtLeadership.com and many other publications, Ms. Stamer also is a prolific and highly respected author and speaker,  National Public Radio, CBS, NBC, and other national and regional news organization, Atlantic Information Services, The Bureau of National Affairs, HealthLeaders, Telemundo, Modern Healthcare, Business Insurance, Employee Benefit News, the Employee Benefits News, World At Work, Benefits Magazine, InsuranceThoughtLeadership.com, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, CEO Magazine, CFO Magazine, CIO Magazine, the Houston Business Journal, and many other prominent news and publications.  She also serves as a planning faculty member and regularly conducts training and speaks on these and other management, compliance and public policy concerns for these and a diverse range of other organizations. For additional information about Ms. Stamer, see www.cynthiastamer.com.

For Added Information and Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer.

For Help Or More Information

If you need assistance in auditing or assessing, updating or defending your organization’s compliance, risk management or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 24 years of work helping employers and other management; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit and management policies and practices. Her experience includes extensive work helping employers implement, audit, manage and defend union-management relations, wage and hour, discrimination and other labor and employment laws, privacy and data security, internal investigation and discipline and other workforce and internal controls policies, procedures and actions. The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications.
For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile here or e-mailing this information here.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Hospital To Pay $75K For Refusing To Hire Disabled Child Care Worker

March 10, 2014

Osceola Community Hospital Refused To Hire Child Care Worker With Cerebral Palsy Who Had Worked As Volunteer

Osceola Community Hospital in Sibley, Iowa will pay $75,000 and furnish other relief to settle an Americans With Disabilities Act (ADA) disability discrimination lawsuit filed by the U.S. Equal Employment Opportunity Commission (EEOC) for its refusal to hire a child care worker with cerebral palsy. The case shows both the need for health care and other employers to have sufficient evidence to support decisions not to hire disabled workers for safety reasons and the potential risks that hospitals or others face when refusing to hire disabled individuals who have been allowed to work as volunteers in their organizations.

The EEOC charged a day care center operated by the hospital, Bright Beginnings of Osceola County, unlawfully failed to hire a volunteer employee into a paid position for which she was qualified because of her cerebral palsy.  Although the woman who brought the charge of discrimination against the hospital already volunteered in the day care center and held a job driving a school bus, the EEOC’s investigation revealed the county refused to hire her into a paying job in the center out of an unfounded fear that her disability meant that she could not safely care for the children.

Judge Mark Bennett entered a consent decree on February 28, 2014, resolving the lawsuit brought by the EEOC in EEOC v. Osceola Community Hospital d/b/a Bright Beginnings of Osceola County, Civil Action No. 5:12-cv-4087 (N.D. Iowa, Sept. 26, 2012), that orders Osceola Community Hospital to pay $75,000 to the discrimination victim. The decree also requires the hospital to institute a policy prohibiting discrimination on the basis of disability and to distribute the policy to all of its employees. The hospital also must train its employees and report regularly to the EEOC on its compliance with the ADA.

The lawsuit provides another example to health care and other employers of their growing exposure to disability discrimination claims under the ADA. The EEOC action and lawsuit highlight the importance of employers ensuring that decisions to refuse to hire disabled workers for safety reasons are based upon appropriate evidence of actual safety concerns that prevent the worker from safely performing the assigned duties with or without reasonable accommodation.

The fact that the worker in this case had in fact worked as a volunteer likely created additional challenges in defending the decision.  The use of volunteer workers in health industry businesses is a common practice that may justify special care before those organizations deny employment to a former volunteer on the basis of safety concerns associated with the disabilities of the applicant or worker both to document the reasonable basis of the safety concern and that the concern could not be adequately resolved through reasonable accommodation.

Enforcing federal discrimination laws is a high priority of the Obama Administration. The Departments of Labor, Health & Human Services, Education, Justice, Housing & Urban Development, and others all have increased enforcement, audits and public outreach, and have sought or are proposing tighter regulations.

The expanding applicability of nondiscrimination rules coupled with the wave of new policies and regulatory and enforcement actions should alert private businesses and state and local government agencies of the need to exercise special care to prepare to defend their actions against potential disability or other Civil Rights discrimination challenges under employment and a broad range of other laws.

Health care and other organizations, public or private, government contractor or not, should act to ensure both that their organizations, their policies, and people in form and in action understand and comply with current disability discrimination laws and that these compliance activities are well-documented to help defend against potential charges or other challenges. Because of changing regulatory and enforcement trends, organizations and their leaders should avoid assuming the adequacy of current compliance and risk management. Most organizations should reevaluate their assessments concerning whether their organization is a federal government contractor or subcontractor to minimize the risk of overlooking critical obligations.

Many organizations need to update their understanding, policies and practices in light of tightening rules and enforcement. The scope and applicability of federal nondiscrimination and other laws have been expanded or modified in recent years by the differences in perspectives of the Obama Administration from the Bush Administration, as well as statutory, regulatory, judicial precedent and enforcement changes. In addition, all organizations should conduct well-documented periodic training and take other actions to monitor and enforce compliance by staff, contractors and others with whom they do business.

For Help With Compliance & Risk Management and Defense

If you need help in auditing or assessing, updating or defending your organization’s compliance, risk management or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 24 years of work helping private and governmental organizations and their management; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; schools and other governmental agencies and others design, administer and defend innovative compliance, risk management, workforce, compensation, employee benefit, privacy, procurement and other management policies and practices. Her experience includes extensive work helping employers implement, audit, manage and defend union-management relations, wage and hour, discrimination and other labor and employment laws, procurement, conflict of interest, discrimination management, privacy and data security, internal investigation and discipline and other workforce and internal controls policies, procedures and actions.  The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. 
Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2014 Cynthia Marcotte Stamer.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


New OCR HIPAA De-Identification Guidance Among Developments Covered In 12/12 HIPAA Update Web Workshop

November 27, 2012

Get Up To Date On Details of New De-Identification Guidance & Other HIPAA Developments By Participating In 12/12 HIPAA Update Web Workshop

Health care providers, health plans, health care clearinghouses (covered entities) and their business associates and leadership should check and update their policies and practices for the de-identification of protected health information (PHI) in light of the newly-released Guidance Regarding Methods for De-identification of Protected Health Information in Accordance With the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Guidance) released by the Department of Health & Human Services (HHS) Office of Civil Rights yesterday (November 26, 2012).

Solutions Law Press, Inc. will host a one-hour, online HIPAA Update Workshop on the Guidance and other recent regulatory and enforcement developments under HIPAA for covered entities and their business associates on Wednesday, December 12 beginning at Noon Central Time. To register, see here.

PHI collected by health care providers, health plans, their management, sponsors, and vendors often includes a wealth of information valuable for use for functions unrelated to the HIPAA-covered functions and activities that lead covered entities or their business associates to collect or keep this data. While it might be tempting to repurpose this information for business planning and marketing purposes, covered entities and their business partners or associates frequently assume that covered entities and others that they deal with must take proper steps to ensure that no PHI is used, accessed, disclosed or shared unless that action is allowed under the Privacy Rules, the PHI is properly de-identified, or both.

Parties planning to rely upon HIPAA’s exception for de-identified PHI to engage in these activities will want to consult new guidance just released by OCR about the de-identification requirements before moving forward. Existing Privacy Rules and the Guidance recognize two alternative methods that covered entities and their business associates can use to properly de-identify PHI for purposes of the HIPAA Privacy Rule.

OCR published the Guidance to help covered entities to understand what qualifies as de-identification, the general process by which de-identified information is created, and the options available for performing de-identification for purposes of the HIPAA Privacy Rule. The publication of this guidance was mandated as part of amendments to HIPAA enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act included in the American Recovery and Reinvestment Act of 2009 (ARRA). Section 13424(c) of the HITECH Act requires HHS to issue guidance on how best to implement the requirements for the de-identification of health information contained in the Privacy Rule.

De-identification & Its Rationale Under Privacy Rule

The Privacy Rule was designed to protect individually identifiable health information through permitting only certain uses and disclosures of PHI provided by the Rule, or as authorized by the individual subject of the information. However, in recognition of the potential utility of health information even when it is not individually identifiable, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in Privacy Rule §164.514(a)-(b). These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual provided the Covered Entity can show that the PHI has been de-identified in accordance with either the Expert Determination Method or the Safe Harbor Method of the de-identification standard of the Privacy Rule and is not re-identified. Regardless of the method used to de-identify PHI, the Privacy Rule does not restrict the use or disclosure of de-identified health information that is not re-identified, as it is no longer considered PHI.

Privacy Rule De-Identification Implementation Standards Permit Alternative Methods of De-identification

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information.  Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. See Privacy Rule § 164.514.

Sections 164.514(b) and (c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. As summarized in Figure 1, the Privacy Rule provides two methods by which health information can be designated as de-identified:

  • The formal determination by a qualified expert in accordance with the Privacy Rule (Expert Determination Method); or
  • The removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (Safe Harbor Method).

In order for PHI to qualify as de-identified under the “Expert Determination Method,” Privacy Rule § 164.514(b)(1) requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

  • Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
  • Documents the methods and results of the analysis that justify such determination.

Alternatively, Privacy Rule § 164.514(b)(2) provides that PHI will qualify as de-identified under the Safe Harbor Method if:

  • All of an extensive list of identifiers of the individual or of relatives, employers, or household members of the individual, are removed from the data; and
  • The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

As long as the data is not re-identified, the Guidance indicates that a covered entity may prove fulfillment of the de-identification standard of Privacy Rule §164.514(a) by showing satisfaction of all applicable requirements of either method.  Under the Privacy Rule, de-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.  Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances. Consequently, covered entities may wish to select de-identification strategies that minimize such loss.

Both alternatives for de-identification under the Privacy Rule require that covered entities and their business associates decide whether and how to keep the option for re-identification of PHI slated for de-identification and where applicable, appropriately manage the re-identification opportunity and data to avoid violation of the Privacy Rule.

According to the Privacy Rule, if a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI. Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI. In this regard, Privacy Rule §164.514(c) specifies that if the covered entity assigns a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, the means of record identification must not be derived from or related to information about the individual and must not otherwise be capable of being translated so as to identify the individual; the covered entity can’t use elements of the PHI as the re-identification key, must safeguard the key, and can’t use or disclose the key or other re-identification tool for any other purpose.
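The § 164.514(c) condition described above, shown as an added example that is not part of the original article or of the OCR Guidance: a re-identification code hashed from the individual's own data can be rebuilt by anyone holding those data, while a randomly assigned code can only be resolved through a separately held key. All record fields, values and function names are constructed for illustration, and the stripped fields are a sample rather than the full Safe Harbor identifier list.

```python
import hashlib
import secrets

# Constructed sample records; names and values are invented for illustration.
RECORDS = [
    {"name": "Pat Example", "ssn": "000-00-0001", "dob": "1970-01-01", "diagnosis": "J45"},
    {"name": "Sam Sample", "ssn": "000-00-0002", "dob": "1985-06-15", "diagnosis": "E11"},
]

# Fields treated as identifying in this sample only (assumption for the demo,
# not the identifier list of Privacy Rule § 164.514(b)(2)).
IDENTIFYING_FIELDS = ("name", "ssn", "dob")


def derived_code(record):
    """Pattern to avoid: the code is computed from information about the individual."""
    material = f"{record['ssn']}|{record['dob']}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


class ReidentificationKey:
    """Code -> record locator mapping, held apart from the released data set."""

    def __init__(self):
        self._code_to_locator = {}

    def assign(self, locator):
        # Random code: carries no information about the individual.
        code = secrets.token_hex(16)
        while code in self._code_to_locator:
            code = secrets.token_hex(16)
        self._code_to_locator[code] = locator
        return code

    def reidentify(self, code):
        # Only the holder of this key object can map a code back to a record.
        return self._code_to_locator[code]


def release(records, make_code):
    """Drop the identifying fields and attach a code produced by make_code(index, record)."""
    released = []
    for index, record in enumerate(records):
        row = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        row["code"] = make_code(index, record)
        released.append(row)
    return released


def recomputable_from_identifiers(code, record):
    """True when someone who knows the individual's identifiers can rebuild the code."""
    return derived_code(record) == code


if __name__ == "__main__":
    key = ReidentificationKey()
    weak = release(RECORDS, lambda i, r: derived_code(r))
    strong = release(RECORDS, lambda i, r: key.assign(i))
    for label, rows in (("derived", weak), ("random", strong)):
        hits = sum(recomputable_from_identifiers(row["code"], rec)
                   for row, rec in zip(rows, RECORDS))
        print(f"{label}: {hits} of {len(rows)} codes rebuildable from identifiers")
```

The key object stands in for whatever separately safeguarded store holds the mapping; the released rows carry only the retained fields and the code.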

Preparing For, Guiding & Documenting The De-identification Process For Defensibility

The Guidance stresses that the importance of documenting which values in health data correspond to PHI, as well as the systems that manage PHI and its risk of identification or re-identification in the de-identification process, cannot be overstated.

The Guidance helps guide covered entities and their business associates through the steps and analysis of using the Expert Determination versus Safe Harbor Method. A review of this Guidance makes clear that the design and administration of the de-identification process under either method requires careful and well-documented planning, analysis and implementation to fulfill and to keep the documentation that a covered entity or business associate might need to defend its decision to treat and use PHI as de-identified under the Privacy Rule against a potential audit or enforcement inquiry. The Guidance also seeks to further illuminate the requirements for effective de-identification through a series of questions and answers, supplemented by work flow and other charts, examples and other illustrations and tips on the proper use of each alternative Method and managing risks and the process associated with that Method. A Glossary of Terms also is shared. The discussion in the Guidance makes clear that covered entities and their business associates using either Method to de-identify PHI should be prepared to make a number of judgments about which Method to use, whether and how to make arrangements for re-identification, and how to properly manage the process to meet the requirements of the implementation standard and manage re-identification or other risks.

Register For 12/12 HIPAA Update Web Workshop To Catch Up On De-Identification Guidance & Other HIPAA & Texas HIPAA Regulatory & Enforcement Developments

Training and compliance mandates applicable to covered entities and their business associates under the newly strengthened Texas HIPAA law and HIPAA’s Privacy and Breach Notification Rules make it more  important than ever that covered entities and their business associates get the timely training and other assistance needed  to properly comply with requirements for the protection of PHI under the new Guidance and other HIPAA and Texas  HIPAA mandates. 

To aid in this process,  Solutions Law Press, Inc. will host a  2012 HIPAA Update Web Workshop covering the new Guidance on de-identification and other regulatory and enforcement developments under HIPAA and the newly amended Texas HIPAA law on December 12, 2012 from 1:00 P.M.-2:00 P.M. Eastern | Noon – 1:00 P.M. Central | 11:00 A.M-Noon Mountain | 10:00A.M-11:00 A.M. Pacific Time.

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates to conduct training and take other steps to protect the privacy and security of PHI.

Complete HIPAA Training While You Catch Up On The Latest On HIPAA & Texas Medical Records Privacy Rules & Get Helpful Compliance And Risk Management Tips!

Health care providers, health plans and health care clearinghouses face new imperatives to strengthen their HIPAA and other procedures for handling protected health information and other sensitive information to manage expanding risks and responsibilities arising from evolving rules, expanding enforcement and oversight, and rising penalties and other liabilities.

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates to conduct training and take other steps to protect the privacy and security of personal health information (PHI) and certain other information.

The $4.3 million HIPAA Civil Monetary Penalty and growing list of $1 million plus resolution payments announced by the Office of Civil Rights coupled with its commitment to investigate all large breaches reported under the HITECH Act Breach Notification Rule and other stepped up enforcement and newly initiated audit activities send a clear signal that HIPAA-covered entities and their business associates face significant exposures for failing to appropriately manage their HIPAA and other responsibilities when handling protected health information. Meanwhile, Texas House Bill 300 has raised maximum state civil penalties for unlawful disclosures of Protected Health Information under the Texas Medical Records Privacy Act from $5,000 to $1.5 million per year. Meanwhile HITECH Act amendments to HIPAA require covered entities to provide notification of certain breaches while Texas House Bill 300 adds its own specific requirements to provide notice of certain breaches of computerized data containing sensitive personal information.

With Texas House Bill 300 expanding covered entities’ responsibilities and liabilities and OCR issuing new regulations and other guidance to implement amendments to the HIPAA Privacy & Security Standards and implement and enforce the HITECH Act Breach Notification Rule, health care providers, health plans and insurers, their brokers, third-party administrators, and other covered entities, as well as their business associates and employer and union clients must review and tighten their policies, practices, business associate and other contracts, and enforcement to manage HIPAA and other compliance and manage risks arising from the access, collection, use, protection and disclosure of PHI to meet expanding mandates and to guard against growing liability exposures under HIPAA and other federal and state laws.

Solutions Law Press, Inc. invites you to catch up on the latest on these and other key HIPAA requirements and enforcement and learn tips for managing risks and liabilities by participating in the “HIPAA Update Workshop” on Wednesday, December 12, 2012 via WebEx for a registration fee of $125.00. 

Pre-approved for various types of continuing and professional education credit, the December 12, 2012 HIPAA Update Workshop will brief participants on the De-Identification Guidance as well as the latest on other regulatory and enforcement guidance under the HIPAA Privacy, Security and Breach Notification rules and guidance and share compliance and risk management lessons emerging from recent OCR enforcement and audit activities and other selected federal and state litigation and enforcement actions impacting the handling of protected health information.  Among other things, the workshop will cover:

  • The De-Identification Guidance just released by OCR on November 26, 2012;
  • The latest HIPAA Privacy, Security & Breach Notification Guidance, Audits & Enforcement
  • Highlights Of Texas House Bill 300’s Amendments To Texas Medical Records Privacy Law That Took Effect September 1, 2012
  • Post HITECH Act Heightened Liability Risks:  Audits, Civil Penalties, Criminal Penalties & State Lawsuits
  • Expansion of HIPAA Responsibilities & Liabilities To Business Associates & What Covered Entities & Business Associates Should Do In Response
  • HIPAA Data Breach Notification Requirements
  • Practical Challenges & Strategies For Managing These Responsibilities
  • Tips For Coordinating HIPAA & Other Federal & State Medical Privacy, Financial Information, Identity Theft & Data Security Compliance and Risk Management
  • Practical Strategies For Monitoring & Responding To New Requirements & Changing Rules
  • Participant Questions

About The Speaker

The workshop will be conducted by attorney Cynthia Marcotte Stamer. A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, North Texas Health Care Compliance Professionals Association Vice-President and Board Certified in Labor & Employment Law, attorney Cynthia Marcotte Stamer has 25 years’ experience advising and representing private and public health care providers, employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on privacy and data security, health care, health and other employee benefit, employment, insurance and related matters. A well-known and prolific author and popular speaker, Ms. Stamer has worked extensively with health care providers, health plans and other payers, health and insurance IT and data systems, and others on HIPAA and other privacy and data security concerns. She served as the scrivener for the ABA JCEB Agency Meetings with the Office of Civil Rights on HIPAA Privacy for the past two years. She presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com) and Employee Benefit News, and various other publications. A primary drafter of the Bolivian Social Security privatization law with extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with OCR and other HHS agencies, as well as the Departments of Labor, Treasury, Federal Trade Commission, HUD and Justice, Congress and state legislatures, and various state attorneys general, insurance, labor, worker’s compensation, medical licensure and disciplinary and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training on HIPAA and other privacy, health care, employee benefits, human resources, insurance and related topics for the ABA, Aspen Publishers, the Bureau of National Affairs (BNA), SHRM, World At Work, Government Institutes, Inc., the Society of Professional Benefits Administrators and many other organizations. Her insights on privacy and other matters are quoted in Modern Healthcare, HealthLeaders, Benefits, Caring for the Elderly, The Wall Street Journal and many other publications. She also regularly serves on the faculty and planning committees of a multitude of symposium and other educational programs. For more details about Ms. Stamer’s services, experience, presentations, publications, and other credentials or to ask about arranging counseling, training or presentations or other services by Ms. Stamer, see www.CynthiaStamer.com.

Registration

The Registration Fee is $125.00 per person. Registration Fee Discounts are available for groups of three or more. Pre-payment is required via website registration through PayPal. No checks or cash accepted. Persons not registered at least 48 hours in advance will only participate subject to system and space availability.

Continuing Education Credit

The HIPAA Update Workshop is approved to be offered for general certification credit by the State Bar of Texas, Texas Department of Insurance, HRCI and WorldAtWork education credit for the time period offered subject to fulfillment of all applicable accrediting agency requirements and completion of required procedures. Note that the applicable credentialing agency retains the final authority to determine whether an individual qualifies to receive requested continuing education credit. Neither Solutions Law Press, Inc., the speaker nor any of their related parties guarantees the approval of credit for any individual or has any liability for any denial of credit. Special fees or other conditions may apply. CANCELLATION & REFUND POLICY: In order to receive credit, cancellations (either fax or mail) must be received at least 48 hours in advance of the meeting and are subject to a $10.00 refund processing fee. Refunds will be made within 60 days of receipt of written cancellation notice.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assists businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, or to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com. These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.
ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

©2012 Solutions Law Press, Inc. All Rights Reserved.


Tighten Disability Discrimination Defenses As National Disability Employment Awareness Month Promises To Whip Up New Claims & Awareness

October 1, 2012

President Obama’s declaration today (October 1, 2012) of October as National Disability Employment Awareness Month reminds U.S. businesses and their leaders that they need to tighten their disability discrimination risk management and compliance in light of the Obama Administration’s emphasis on aggressively interpreting and enforcing disability discrimination laws, rising private plaintiff lawsuits and other recent regulatory and judicial changes.  With the Administration expected to step up further its already substantial educational outreach to the disabled and their advocates, U.S. employers should brace for this month’s celebration to fuel even more disability discrimination claims and other activity by the disabled and their activists.

Since taking office, President Obama has made enforcing and expanding the rights of the disabled in employment and other areas a leading priority.

In his proclamation today, President Obama reaffirmed his often stated commitment to the aggressive enforcement of disability laws and other efforts to promote opportunities for disabled individuals, stating:

“My Administration remains committed to helping our businesses, schools, and communities support our entire workforce. To meet this challenge,… we are striving to make it easier to get and keep those jobs by improving compliance with Section 508 of the Rehabilitation Act.”

As the administration marks the month, U.S. employers and other business leaders can expect the Obama Administration will be stepping up its already aggressive outreach to disabled Americans to promote awareness of their disability law rights and tools for asserting and enforcing these rights.  See, e.g. October Is National Disability Employment Awareness Month (NDEAM).

Business Faces Growing Employment Disability Exposures

As part of his administration’s commitment, the Obama Administration has moved to aggressively enforce the disability and accommodation provisions of the Americans With Disabilities Act (ADA), Section 508 of the Rehabilitation Act, and other federal disability discrimination laws.  The reach and effectiveness of these efforts have been enhanced by statutory and regulatory changes that require employers to exercise greater efforts to meet their compliance obligations and manage their disability and other discrimination risks.

ADA Exposures Heightened

The ADA, for instance, generally prohibits disability discrimination and requires employers to make reasonable accommodations to employees’ and applicants’ disabilities as long as this does not pose an undue hardship.  Violations of the ADA can expose businesses to substantial liability. Violations of the ADA may be prosecuted by the EEOC or by private lawsuits.  Employees or applicants that can prove they experienced prohibited disability discrimination under the ADA generally can recover actual damages, attorneys’ fees, and up to $300,000 of exemplary damages (depending on the size of the employer).   

In recent years, amendments to the original provisions of the ADA have made it easier for plaintiffs and the EEOC to prove disabled status of an individual.  Businesses should exercise caution to carefully document legitimate business justification for their hiring, promotion and other employment related decisions about these and other individuals who might qualify as disabled.  Provisions of the ADA Amendments Act (ADAAA) expand the definition of “disability” under the ADA.  As signed into law on September 25, 2008, the ADAAA amended the definition of “disability” for purposes of the disability discrimination prohibitions of the ADA to make it easier for an individual seeking protection under the ADA to establish that he or she has a disability within the meaning of the ADA.  The ADAAA retains the ADA’s basic definition of “disability” as an impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment. However, provisions of the ADAAA that took effect January 1, 2009 change the way that these statutory terms should be interpreted in several ways. Most significantly, the Act:

  • Directs EEOC to revise that part of its regulations defining the term “substantially limits;”
  • Expands the definition of “major life activities” by including two non-exhaustive lists: (1) The first list includes many activities that the EEOC has recognized (e.g., walking) as well as activities that EEOC has not specifically recognized (e.g., reading, bending, and communicating); and (2) The second list includes major bodily functions (e.g., “functions of the immune system, normal cell growth, digestive, bowel, bladder, neurological, brain, respiratory, circulatory, endocrine, and reproductive functions”);
  • States that mitigating measures other than “ordinary eyeglasses or contact lenses” shall not be considered in assessing whether an individual has a disability;
  • Clarifies that an impairment that is episodic or in remission is a disability if it would substantially limit a major life activity when active;
  • Changes the definition of “regarded as” so that it no longer requires a showing that the employer perceived the individual to be substantially limited in a major life activity, and instead says that an applicant or employee is “regarded as” disabled if he or she is subject to an action prohibited by the ADA (e.g., failure to hire or termination) based on an impairment that is not transitory and minor; and
  • Provides that individuals covered only under the “regarded as” prong are not entitled to reasonable accommodation.

The ADAAA also emphasizes that the definition of disability should be construed in favor of broad coverage of individuals to the maximum extent permitted by the terms of the ADA and generally shall not require extensive analysis.  In adopting these changes, Congress expressly sought to overrule existing employer-friendly judicial precedent construing the current provisions of the ADA and to require the EEOC to update its existing guidance to conform with the ADAAA amendments.  Under the leadership of the Obama Administration, the EEOC and other federal agencies have embraced this charge and have significantly stepped up enforcement of the ADA and other federal discrimination laws.

Recent enforcement, regulatory and other activities by the EEOC show that the EEOC is enthusiastically moving forward to exercise its regulatory and enforcement powers under these enhanced ADA provisions to tighten requirements for employers and to enforce its rules. See, e.g., Leprino Foods To Pay $550K To Settle OFCCP Charge Pre-Hire Screening Test Illegally Discriminated; As EEOC Steps Up ADA Accommodation Enforcement, New DOD Apple App, Other Resources Released; Wal-Mart Settlement Shows ADA Risks When Considering Employee Return To Work Accommodation Requests & Inquiries; Employer Pays $475,000 To Settle ADA Discrimination Lawsuit Challenging Medical Fitness Testing For EMTs, Firefighters & Other Public Safety Worker’s.

Rising Rehabilitation Act Risks For Government Contractors

Beyond the risks generally applicable under the ADA to all employers of more than 15 employees, federal and state government contractors face more responsibilities and risks.

Subject to limited exceptions, government contractors providing services or supplies on ARRA or other government-funded contracts or projects must comply both with generally applicable employment discrimination requirements and special statutory and contractual nondiscrimination, affirmative action, and recordkeeping requirements applicable to government contractors. For instance, federal law generally requires government contractors to comply with the special equal employment opportunity requirements of Executive Order 11246 (EO 11246); Section 503 of the Rehabilitation Act of 1973 (Section 503); and the Vietnam Veterans’ Readjustment Assistance Act of 1974 (VEVRAA).  Pursuant to these laws, businesses contracting with the federal government, both contractors and subcontractors, generally must follow a number of statutory and contractual requirements to meet the fair and reasonable standard that they not discriminate in employment on the basis of sex, race, color, religion, national origin, disability or status as a protected veteran. OFCCP generally audits and enforces these requirements. See Memo to Funding Recipients: Compliance with Applicable Nondiscrimination and Equal Opportunity Statutes, Regulations, and Executive Orders.

OFCCP has made clear that it will conduct compliance evaluations and host compliance assistance events to ensure that federal contractors comply and are aware of their responsibilities under EO 11246, Section 503 and VEVRAA. 

While many government contractors may be tempted to become complacent about OFCCP exposures based on reports of the OFCCP’s relatively low enforcement in the past, see Report Says OFCCP Enforcement Data Show Infrequent Veteran, Disability Bias Findings | Bloomberg BNA, recent enforcement data documents that OFCCP is getting much more serious and aggressive about auditing and enforcing compliance with its affirmative action and other requirements against government contractors under the Obama Administration.  See OFCCP Enforcement Data is Available on a New DOL Website. See also Affirmative Action Update: OFCCP Enforcement Statistics Show Increase in Violations.  The readiness of OFCCP to enforce its rules is illustrated by the settlement of an OFCCP action filed against federal contractor Nash Finch Co. (Nash Finch) announced last week.  Under the settlement, Nash Finch will pay $188,500 in back wages and interest and offer jobs to certain women applicants whom OFCCP charged Nash Finch rejected for the entry-level position of order selector at the company’s distribution facility in Lumberton, Minnesota.  See Settlement of OFCCP Employment Discrimination Charge Reminder To ARRA, Other Government Contractors Of Heightened Enforcement Risks.

These government contractor disability discrimination risks are particularly acute where the government contractor works on or provides supplies on contracts or projects funded in whole or in part by monies provided under ARRA.  When the contract or project in question receives any funding out of the $787 billion of stimulus funding provided by ARRA, special OFCCP rules applicable to ARRA funded projects necessitate that federal contractors exercise special care to understand and meet their responsibilities and manage associated exposures.  See, e.g., Settlement of OFCCP Employment Discrimination Charge Reminder To ARRA, Other Government Contractors Of Heightened Enforcement Risks.

GINA & Other Medical Information Nondiscrimination & Privacy Risks

Employers also need to use care to ensure that their hiring and other employment practices, as well as their employee benefits, workers’ compensation and wellness practices, are up to date and properly managed to mitigate exposures under laws like the Genetic Information Nondiscrimination Act (GINA), the ADA’s medical information privacy requirements, as well as the privacy and nondiscrimination rules of the Health Insurance Portability & Accountability Act and other relevant federal and state laws.

Signed into law by President Bush on May 21, 2008 and in effect since November 21, 2009, for instance, Title VII of GINA amended the Civil Rights Act to prohibit employment discrimination based on genetic information and to restrict the ability of employers and their health plans to require, collect or retain certain genetic information. Under GINA, employers, employment agencies, labor organizations and joint labor-management committees face significant liability for violating the sweeping nondiscrimination and confidentiality requirements of GINA concerning their use, maintenance and disclosure of genetic information. Employees can sue for damages and other relief like that now available under Title VII of the Civil Rights Act of 1964 and other nondiscrimination laws.  For instance, GINA’s employment related provisions include rules that:

  • Prohibit employers and employment agencies from discriminating based on genetic information in hiring, termination or referral decisions or in other decisions regarding compensation, terms, conditions or privileges of employment;
  • Prohibit employers and employment agencies from limiting, segregating or classifying employees so as to deny employment opportunities to an employee based on genetic information;
  • Bar labor organizations from excluding, expelling or otherwise discriminating against individuals based on genetic information;
  • Prohibit employers, employment agencies and labor organizations from requesting, requiring or purchasing genetic information of an employee or an employee’s family member except as allowed by GINA to satisfy certification requirements of family and medical leave laws, to monitor the biological effects of toxic substances in the workplace or other conditions specifically allowed by GINA;
  • Prohibit employers, labor organizations and joint labor-management committees from discriminating in any decisions related to admission or employment in training or retraining programs, including apprenticeships based on genetic information;
  • Mandate that in the limited cases where genetic information is obtained by a covered entity, it maintain the information on separate forms in separate medical files, treat the information as a confidential medical record, and not disclose the genetic information except in those situations specifically allowed by GINA;
  • Prohibit any person from retaliating against an individual for opposing an act or practice made unlawful by GINA; and
  • Regulate the collection, use, access and disclosure of genetic information by employer sponsored and certain other health plans.

These employment provisions of GINA are in addition to amendments to HIPAA, the Employee Retirement Income Security Act of 1974 (ERISA), the Public Health Service Act, the Internal Revenue Code of 1986, and Title XVIII (Medicare) of the Social Security Act that are effective for group health plans for plan years beginning after May 20, 2009.  Under these HIPAA and GINA rules, health plans generally may not make certain medical inquiries or discriminate against employees or their family members based on family or individual medical history or genetic information.  In addition, health plans and others are required to safeguard personal medical information and may share that information only under very limited circumstances requiring that specific documentation be in place and that the parties can prove that the access and use of that information is appropriately restricted.  Violation of these and other rules can have significant civil and in some cases even criminal liabilities for companies, plans, plan fiduciaries and company officials that take part in violations of these rules.

Businesses Should Act To Manage Risks

The ADAAA amendments, the Rehabilitation Act’s expanded reach, and the Obama Administration’s emphasis on enforcement make it likely that businesses generally will face more disability claims from a broader range of employees and will have fewer legal shields to defend themselves against these claims. These changes will make it easier for certain employees to qualify and claim protection as disabled under the ADA, the Rehabilitation Act, and other disability discrimination laws. 

All U.S. businesses should review and tighten the adequacy of their existing compliance and risk management practices to promote and document compliance.  These efforts should focus on all relevant hiring, recruitment, promotion, compensation, recordkeeping and reporting policies and practices internally, as well as those of any recruiting agencies, subcontractors or other business partners whose actions might impact on compliance.

In light of these and other developments and risks, businesses generally should act cautiously when dealing with applicants or employees with actual, perceived, or claimed physical or mental impairments to minimize exposures under the ADA, the Rehabilitation Act and other laws.  Management should exercise caution to carefully and appropriately assess and identify the potential legal significance of physical or mental impairments or conditions that might be less significant in severity or scope, correctable through the use of eyeglasses, hearing aids, daily medications or other adaptive devices, or that management might be tempted to assume fall outside the ADA’s scope.  

Likewise, businesses should be ready for the EEOC, OFCCP and the courts to treat a broader range of disabilities, including those much more limited in severity and life activity restriction, to qualify as disabling for purposes of the Act. Businesses should assume that a greater number of employees with such conditions are likely to seek to use the ADA as a basis for challenging hiring, promotion and other employment decisions.  For this reason, businesses generally should tighten job performance and other employment recordkeeping to enhance their ability to demonstrate nondiscriminatory business justifications for the employment decisions made by the businesses.

Businesses also should consider tightening their documentation regarding their procedures and processes governing the collection and handling of records and communications that may contain information regarding an applicant’s physical or mental impairment, such as medical absences, worker’s compensation claims, emergency information, or other records containing health status or condition related information.  The ADA generally requires that these records be maintained in separate confidential files and disclosed only to individuals with a need to know under circumstances allowed by the ADA.

As part of this process, businesses also should carefully review their employment records, group health plan, family leave, disability accommodation, and other existing policies and practices to comply with, and manage exposure under, the genetic information nondiscrimination and privacy rules enacted as part of GINA, the health care privacy rules of HIPAA, and the medical record privacy rules of the ADA.  Particular care should be used when planning wellness, health risk assessment, work-related injury, family or other medical leave or related programs, all of which raise particular risks and concerns.

In the face of the rising emphasis of OFCCP, the EEOC and other federal and state agencies on these audit and enforcement activities, government contractors should exercise additional compliance and risk management efforts beyond these generally recommended steps.   Among other things, these steps should include the following:

  • Government contractors and subcontractors should specifically review their existing or proposed contracts and involvements to identify projects or contracts which may involve federal or state contracts or funding that could trigger responsibility.  In this respect, businesses should conduct well-documented inquiries when proposing and accepting contracts to ensure that potential obligations as a government contractor are not overlooked because of inadequate intake procedures. Businesses also should keep in mind that ARRA and other federal program funds often may be filtered through a complex maze of federal grants or program funding to states or other organizations, which may pass along government contractor status and liability when subcontracting for services as part of the implementation of broader programs.  Since the existence of these obligations often is signaled by contractual representations in the contracts with these parties, careful review of contractual or bid specifications and commitments is essential.  However, it also generally is advisable to inquire early in the process about whether the requested products or services are provided pursuant to programs or contracts subject to these requirements.
  • In addition to working to identify contracts and arrangements that are covered by OFCCP or other requirements, government contractors and other businesses also should reconfirm and continuously monitor the specific reporting, affirmative action, and other requirements that apply to any programs that may be subject to OFCCP requirements to ensure that they fully understand and implement appropriate procedures to comply with these conditions as well as pass along  the obligation to make similarly necessary arrangements to any subcontractors or suppliers that the government contractor involves as a subcontractor. 
  • Throughout the course of the contract, the government contractor also should take steps to maintain and file all required reports and monitor and audit operational compliance with these and other requirements.  
  • The organization should develop and administer appropriate procedures for monitoring and investigating potential compliance concerns and maintaining documentation of that activity.  Any known potential deficiencies or complaints should be promptly investigated and redressed with the assistance of qualified counsel to mitigate potential risks.
  • Documentation should be carefully retained and organized on a real time and continuous basis to facilitate efficiency and effectiveness in completing required reports, monitoring compliance indicators and responding to OFCCP, EEOC or private plaintiff charges as well as other compliance inquiries.
  • Any audit inquiries or charges should be promptly referred to qualified legal counsel for timely evaluation and response.
  • When available and affordable, management should consider securing appropriate employment practices liability coverage, indemnification from business partners and other liability protection and assurance to help mitigate investigation and defense costs.
  • Board members or other senior management should include periodic review of compliance in their agenda.

If you have any questions or need help reviewing and updating your organization’s employment and/or employee practices in response to the Rehabilitation Act, ADA, GINA or other applicable laws, or if we may be of help with regard to any other workforce management, employee benefits or compensation matters, please do not hesitate to contact the author of this update, Board Certified Labor and Employment Attorney and Management Consultant Cynthia Marcotte Stamer at 469.767.8872.

About The Author

Management attorney and consultant Cynthia Marcotte Stamer helps businesses, governments and associations solve problems, develop and implement strategies to manage people, processes, and regulatory exposures to meet their business and operational goals and manage legal, operational and other risks. Board certified in labor and employment law by the Texas Board of Legal Specialization, with more than 25 years human resource, employee benefits and management experience, Ms. Stamer helps businesses manage their people-related risks and the performance of their internal and external workforce through appropriate human resources, employee benefit, worker’s compensation, insurance, outsourcing and risk management strategies domestically and internationally. Recognized in the International Who’s Who of Professionals and bearing the Martindale-Hubbell AV-Rating, Ms. Stamer also is a highly regarded author and speaker, who regularly conducts management and other training on a wide range of labor and employment, employee benefit, human resources, internal controls and other related risk management matters.  Her writings frequently are published by the American Bar Association (ABA), Aspen Publishers, Bureau of National Affairs, the American Health Lawyers Association, SHRM, World At Work, Government Institutes, Inc., Atlantic Information Services, Employee Benefit News, and many others. For a listing of some of these publications and programs, see here. Her insights on human resources risk management matters also have been quoted in The Wall Street Journal, various publications of The Bureau of National Affairs and Aspen Publishing, the Dallas Morning News, Spencer Publications, Health Leaders, Business Insurance, the Dallas and Houston Business Journals and a host of other publications.
Chair of the ABA RPTE Employee Benefit and Other Compensation Committee, a council member of the ABA Joint Committee on Employee Benefits, and the Legislative Chair of the Dallas Human Resources Management Association Government Affairs Committee, she also serves in leadership positions in many human resources, corporate compliance, and other professional and civic organizations. For more details about Ms. Stamer’s experience and other credentials, information about workshops and other training, selected publications and other human resources related information, see here or contact Ms. Stamer via telephone at 469.767.8872 or via e-mail here.

Other Helpful Resources & Other Information

If you found these updates of interest, you also may be interested in one or more of the following other recent articles published in this electronic Solutions Law publication available for review here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@solutionslawyer.net.

©2012 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other  rights reserved. 


Tighten Defensibility of Criminal & Other Background Check Practices In Light of Labor Department Non-Discrimination Regulation & Enforcement Emphasis

May 25, 2012

Employers, job banks, recruiters and other parties that conduct and rely upon criminal background checks for purposes of screening applicants or making other employment decisions should check and update their practices in response to the announced plans of the U.S. Department of Labor to expand and enforce limitations on employment discrimination against individuals with criminal records as well as the criminal background check requirements of the Fair Credit Reporting Act and other applicable laws.

While criminal or other background checks often are mandated or otherwise business justified, employers and others conducting or using background check information need to understand and comply with legal requirements about the use and administration of criminal or other background checks.

Potential Employment Discrimination Exposures From Criminal Background Checks

Over the past several months, Labor Department officials have identified protection of individuals with criminal backgrounds against employment discrimination as a policy and enforcement priority.

In keeping with this goal, the Labor Department Employment and Training Administration (ETA), with the Civil Rights Center (CRC), on May 25, 2012 published updated training guidance about exclusions based on criminal records, and how they are relevant to the existing nondiscrimination obligations for the public workforce system and certain other entities that receive federal financial assistance to operate Job Banks, to provide assistance to job seekers in locating and obtaining employment, and to assist employers by screening and referring qualified applicants, in Training and Employment Guidance Letter No. 31-11 (TEGL) along with the following accompanying guidance documents:

Meet FCRA Criminal & Other Background Check Requirements

When conducting such a criminal or other background check using a third-party or the internet, care should be taken to comply with the applicable purpose, notice and consent requirements for conducting third-party conducted background checks under the Fair Credit Reporting Act (FCRA) and otherwise applicable law. 

Since criminal and other background investigations generally qualify as a credit check for purposes of the FCRA, employers, recruiters, job banks and other parties conducting background checks for employment related purposes risk significant liability for conducting these activities without providing the proper notifications and obtaining necessary consents.  Additional requirements often also may apply under applicable state laws, labor-management contracts, government contracting requirements or other similar requirements.  Consequently, before doing any credit or other background check, employers or others should ensure that they have the policies, disclosures, data security and written consents required to comply with the FCRA and other laws.

With these procedures in place, employers or others planning to use criminal or other background checks then should work to manage discrimination and other potential risks associated with potential challenges to their use of the information.

Among other things, businesses should carefully document the business justification for their use of the background check and restrict the data they request and receive to information relevant to that purpose.  The collection and receipt of this information should be structured and managed in such a way as to mitigate employment discrimination, privacy and other legal risks and to promote defensibility.  For instance, proper procedures should be used to lower the risk of a pattern of discrimination prohibited under race, national origin, disability or other similar employment discrimination laws.  Likewise, collection or receipt of information such as bankruptcy history or other liability sensitive information should be avoided unless a legally defensible need and appropriate procedures governing use can be demonstrated in operation.  Care also should be taken to apply the criteria uniformly. Given ADA, GINA, FACTA and other privacy concerns, employers also should specifically check their data collection and protection procedures for adequacy.

To help with these and other concerns, consider defining and documenting in advance the relevant criteria for the position and why it is relevant.  Where possible, try to avoid getting information beyond that defined as relevant which could raise sensitivities.  Since the FCRA requires notice if adverse hiring decisions are made, employers also should carefully evaluate and document the basis of their decisions when deciding not to hire or promote individuals based on this information and appropriately safeguard this information against improper use or disclosure. 

For Help Or Additional Information

If you need help reviewing and updating, administering or defending your background check or other employee benefits, human resources, health care or insurance matters, please contact the author of this update, Cynthia Marcotte Stamer.

Board Certified in Labor and Employment Law, a Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on human resources, recruitment, employee benefits, compensation, credentialing, promotion and discipline and related workforce and risk management matters. 

Widely known for her extensive and creative knowledge and experience with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend employment and other services arrangements and associated employee benefit, compensation, reductions in force and other severance and other human resources, employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s r management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, is the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and is active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


HR Key Player In Managing Countrywide & Other US Discrimination Exposures

December 23, 2011

This week’s announcement by the U.S. Justice Department of the  largest residential fair lending settlement in history on December 21, 2011 highlights the widening scope of exposures that U.S. businesses face under a broad range of federal Civil Rights and other discrimination laws.   The settlement shows that discrimination risks are rising and that employment discrimination is only part of the problem. In addition to managing employment discrimination exposures in their employment practices, many businesses and business leaders also need to take steps to adequately recognize and provide policies, management controls and training to maintain compliance with federal disability and other discrimination laws prohibiting discrimination against disabled or other customers or others with whom they do business. 

Human resources and other management leaders should move quickly to help their organizations manage these risks and responsibilities.

Countrywide Settlement

This week’s Justice Department settlement with Countrywide Financial Corporation and its subsidiaries (Countrywide) provides for payment of $335 million in compensation to the more than 200,000 qualified African-American and Hispanic borrowers that Federal officials allege were victims of the widespread pattern or practice of illegal discrimination against qualified African-American and Hispanic borrowers by Countrywide while Countrywide served as one of the nation’s largest single-family mortgage lenders and originated more than 4 million residential mortgage loans.  Bank of America now owns Countrywide.

Federal officials charged Countrywide engaged in discriminatory mortgage lending practices against more than 200,000 qualified African-American and Hispanic borrowers from 2004 through 2008.  The Justice Department claimed it uncovered a pattern or practice of discrimination involving victims in more than 180 geographic markets across 41 states and the District of Columbia. These discriminatory acts allegedly included widespread violations of the Fair Housing Act and the Equal Credit Opportunity Act, and resulted in African-American and Hispanic borrowers being charged higher rates for mortgage loans – solely because of their race or national origin.

According to Attorney General Eric Holder, today’s settlement will compensate the more than 200,000 African-American and Hispanic borrowers who were victims of discriminatory conduct, including more than 10,000 African-American or Hispanic borrowers who – despite the fact that they qualified for prime loans – were steered into subprime loans. Subprime borrowers pay higher penalties and higher interest rates, have a greater likelihood of default and foreclosure than with prime loans, and other damages.

When announcing the settlement, Attorney General Holder reaffirmed the Obama Administration’s commitment to finding and prosecuting businesses that engage in illegal discriminatory practices.  To read Attorney General Eric Holder’s remarks, click here.

Discrimination Obama Administration Priority

Enforcing disability discrimination laws is a high priority of the Obama Administration. Business leaders increasingly recognize the need to tighten procedures to manage disability discrimination risks.

Human resources and other business leaders often recognize human resource related discrimination risks as requiring management.  The heightened emphasis of the Obama Administration on disability regulation and enforcement clearly is raising business responsibilities and exposures under these employment laws.  In order to manage these exposures effectively, however, it is important that businesses and their human resources leaders do not take for granted the adequacy of their current compliance and risk management efforts in light of the Obama Administration’s aggressive regulatory and enforcement agenda in this area.  See e.g.,  Affordable Care Act To Require Health Plans Cover Contraception & Other Women’s Health Procedures In 2012; EEOC Finalizes Updates To Disability Regulations In Response to ADA Amendments Act; Update Employment Practices To Manage Genetic Info Discrimination Risks Under New EEOC Final GINA Regulations; EEOC Attacks Medical Leave Denials As Prohibited Disability Discrimination; Labor Secretary Comments Highlight Federal Protections & Resources To Support Veteran’s Employment Rights

Employment discrimination risks are not the only discrimination exposures that U.S. organizations need to be concerned about, however. The Countrywide settlement joins a lengthy list of settlements and other actions by the Obama Administration against businesses and government entities for alleged violations of U.S. civil rights and other nondiscrimination laws. See, e.g., Businesses Face Rising Disability Discrimination Enforcement Risks; New Obama Administration Affirmative Action Guidance Highlights Organization’s Need To Tighten Nondiscrimination Practices; OFCCP Proposed Increased Disability Hiring Targets, Other Tougher Government Contractor Rules another Sign Of Rising Employment Discrimination Risks; Incentives To Get Employee Into Wellness Education Requires Legal Risk Management; New School Racial Accommodation Guidance Gives Important Insights For Schools & Other Organizations On Obama Administration Affirmative Action Enforcement; Justice Department Landlord Suit Shows Businesses Face Rising Disability Discrimination Enforcement Risks; Big Penalty for Lender Shows Risks of Violating Military Service or Vets Rights; OCR Requires Rhode Island DHS To Provide Translation, Other Services For Limited English, Other Language Impaired Accommodations.

These regulatory, audit, enforcement and other actions show that private businesses and state and local government agencies alike should exercise special care to prepare to defend their employment and other business practices  against potential disability or other Civil Rights discrimination challenges on a broad range of fronts. 

HR Key Player

Human resources professionals are key players in efforts to effectively manage their organization’s overall discrimination risks and responsibilities by managing compliance throughout the organization.

All organizations, whether public or private, need to make sure that their organizations, their policies, and their people, in form and in action, understand and comply with current disability and other nondiscrimination laws. When reviewing these responsibilities, many state and local governments and private businesses may need to update their understanding of current requirements.

Because Federal nondiscrimination and other laws have been expanded or modified in recent years by statutory, regulatory or enforcement changes, risk management efforts should begin with an assessment of the adequacy of existing policies and practices in light of the latest rules and enforcement actions. Based on this assessment, business and governmental organizations should update policies and procedures as required, tighten documentation, and conduct ongoing, well-documented audits and training to mitigate exposures.

Human resources and other management leaders should position their organizations to guard against rising enforcement of these laws by updating policies, oversight and training to ensure that their workers and business partners recognize and know how to conduct themselves properly to fulfill responsibilities to persons with disabilities or others with whom the business deals who may be protected under Federal or state disability discrimination laws. In addition to adopting and training workers on policies requiring compliance with these laws, businesses should include contractual provisions requiring compliance with these laws in leases and other relevant business contracts. Most businesses also may want to provide and post information about processes that customers or others who may have a concern about the needs of persons with these special needs can use, to position the business to address concerns that otherwise might go unnoticed until they rise to the level of an agency or other legal complaint.

If you need assistance in conducting a risk assessment of or responding to a challenge to your organization’s existing policies or practices for dealing with the issues addressed in these publications or other compliance, labor and employment, employee benefit, compensation, internal controls or other management practices, contact attorney Cynthia Marcotte Stamer.

For Help With Compliance, Risk Management & Defense

If you need help in auditing or assessing, updating or defending your organization’s compliance, risk management or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872. If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available at www.cynthiastamer.com.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 24 years of work helping employers and other management; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit and management policies and practices. Her experience includes extensive work helping employers carry out, audit, manage and defend union-management relations, wage and hour, discrimination and other labor and employment laws, privacy and data security, internal investigation and discipline and other workforce and internal controls policies, procedures and actions. The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on management, re-engineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

©2011 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


New Obama Administration Affirmative Action Guidance Highlights Organization’s Need To Tighten Nondiscrimination Practices

December 3, 2011

HR Key Player In Managing Rising Race & Other Discrimination Suits Under Obama Administration Justice Department

The Obama Administration’s December 2 announcement of its revocation and replacement of Bush Administration policies on affirmative action in education highlights the heightened aggressiveness under the Obama Administration on the implementation, interpretation and enforcement of race, sex, disability, national origin and other federal discrimination and Civil Rights laws.

The new guidance, discussed in more detail at http://wp.me/p1hsKH-1k, makes clear the Administration’s view that schools can and should be doing more to promote integration and other affirmative action efforts in the schools and other organizations. It also gives a number of examples of the types of steps that the Administration believes schools should be pursuing. While specifically directed at schools, it provides insights about the affirmative action expectations of the Administration that merit notice by all public and private organizations and businesses.

The Justice Department under the Obama Administration is making discrimination in schools and other state and local agencies as well as by private businesses a priority. For instance, in addition to tightening and enforcing race discrimination laws, the Justice Department on November 23, 2011 sued the University of Nebraska at Kearney (UNK), the Board of Regents of the University of Nebraska and employees of UNK for violating the Fair Housing Act by discriminating against students with disabilities.

These and other activities are part of a growing number of regulatory and enforcement actions under the Obama Administration that illustrate the growing risk created for private and public organizations by failing to manage compliance with discrimination or other civil rights laws in the conduct of their business operations, as well as employment practices.

While most governmental agencies and businesses recognize the need to manage compliance with discrimination laws in their employment practices, many fail to adequately recognize and provide policies, management controls and training to maintain compliance with federal discrimination laws prohibiting discrimination in dealing with customers, vendors or others with whom they do business.

Human resources and other management leaders should position their organizations to guard against rising enforcement of these laws by updating policies, oversight and training to ensure that their workers and business partners recognize and know how to conduct themselves properly to fulfill responsibilities to persons with whom the business deals who may be protected under Federal or state race or other discrimination laws. In addition to adopting and training workers on policies requiring compliance with these laws, businesses should include contractual provisions requiring compliance with these laws in leases and other relevant business contracts. Most businesses also may want to provide and post information about processes that customers or others who may have a concern about potential prohibited discrimination can use, to position the business to address concerns that otherwise might go unnoticed until they rise to the level of an agency or other legal complaint.

If you need assistance in conducting a risk assessment of or responding to a challenge to your organization’s existing policies or practices for dealing with the issues addressed in these publications or other compliance, labor and employment, employee benefit, compensation, internal controls or other management practices, contact attorney Cynthia Marcotte Stamer.

©2011 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


HR Key Player In Managing Rising Risk of Disability, Other Discrimination Suits Under Obama Administration Justice Department

November 26, 2011

Latest Action Shows Obama Justice Department Aggressively Enforcing Discrimination Laws

The Justice Department on November 23, 2011 sued the University of Nebraska at Kearney (UNK), the Board of Regents of the University of Nebraska and employees of UNK for violating the Fair Housing Act by discriminating against students with disabilities.  The latest in a growing string of disability and other discrimination suits brought by the Justice Department since the Obama Administration took office, it highlights the growing risk created for private and public organizations by failing to manage compliance with disability or other civil rights laws in the conduct of their business operations, as well as employment practices.

The lawsuit, filed in the U.S. District Court for Nebraska, charges that UNK and its employees engaged in a pattern or practice of violating the Fair Housing Act or denied rights protected by the act by denying reasonable accommodation requests by students with psychological or emotional disabilities seeking to live with emotional assistance animals in university housing.

The Justice Department suit also charges that UNK requires students with psychological disabilities to disclose sensitive medical and other information that is unnecessary to evaluate their accommodation requests. 

The latest in a growing series of disability discrimination lawsuits brought by the Justice Department against public and private landlords and a growing list of other businesses, the UNK lawsuit arises from a complaint filed with the Department of Housing and Urban Development (HUD) by a student enrolled at UNK who sought to live with an emotional assistance dog that had been prescribed.  The lawsuit seeks a court order prohibiting future discrimination by the defendants, monetary damages for those harmed by the defendants’ actions, and a civil penalty.

The federal Fair Housing Act prohibits discrimination in housing on the basis of race, color, religion, sex, familial status, national origin and disability. With regard to disability discrimination, the Fair Housing Act requires housing providers to give reasonable accommodations for people with disabilities so that all have equal housing opportunities and limits the medical information that landlords can require from persons seeking disability accommodation in order to receive an accommodation.

The Obama Administration Justice Department has made enforcement of disability and other federal discrimination laws a key priority.  Businesses should tighten policies, practices and training to minimize exposures to Justice Department or private plaintiff complaints for violations under these laws.

While most businesses recognize the need to manage compliance with the ADA and other discrimination laws in their employment practices, many businesses and business leaders fail to adequately recognize and provide policies, management controls and training to maintain compliance with federal disability and other discrimination laws prohibiting discrimination against disabled or other customers or others with whom they do business. Human resources and other management leaders should position their organizations to guard against rising enforcement of these laws by updating policies, oversight and training to ensure that their workers and business partners recognize and know how to conduct themselves properly to fulfill responsibilities to persons with disabilities or others with whom the business deals who may be protected under Federal or state disability discrimination laws. In addition to adopting and training workers on policies requiring compliance with these laws, businesses should include contractual provisions requiring compliance with these laws in leases and other relevant business contracts. Most businesses also may want to provide and post information about processes that customers or others who may have a concern about the needs of persons with these special needs can use, to position the business to address concerns that otherwise might go unnoticed until they rise to the level of an agency or other legal complaint.

If you need assistance in conducting a risk assessment of or responding to a challenge to your organization’s existing policies or practices for dealing with the issues addressed in these publications or other compliance, labor and employment, employee benefit, compensation, internal controls or other management practices, contact attorney Cynthia Marcotte Stamer.

©2011 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Big Penalty for Lender Shows Risks of Violating Military Service or Vets Rights

November 14, 2011

 Businesses Urged To Review and Strengthen Their Policies, Practices & Training

Today’s (November 14, 2011) Justice Department announcement that a Bank of America subsidiary will pay 160 military service members at least $116,785 apiece for violating their federal credit rights is the latest reminder to businesses and their leaders of the significant liability that they run for failing to honor the legal rights of U.S. military service persons and their families.  The payments are required as part of the terms of a May 26, 2011 settlement agreement reached to resolve charges that BAC Home Loans Servicing LP unlawfully foreclosed on servicemembers’ homes in violation of the Servicemembers Civil Relief Act (SCRA).  The settlement represents the largest action taken under the SCRA by the Justice Department to date.

The announcement follows the Justice Department’s September 22, 2011 announcement that ServiceMaster 24-Hour and its owner would pay $15,000 for refusing to reemploy a member of the U.S. Army Reserve following his return from active duty in violation of USERRA. Together, the settlements illustrate the growing risks businesses run if they fail to honor these and other rights of members and veterans of the U.S. military.

With government and private awareness and enforcement of these rights on the rise, U.S. businesses should review and tighten their business and employment practices for dealing with individuals in the military and their families in light of growing risks of enforcement of the Uniformed Services Employment and Reemployment Rights Act of 1994 (USERRA) and other federal and state protections.

You can learn more details about these settlements and other enforcement of these rules here.

For Help With These Or Other Matters

If you need assistance in conducting a risk assessment of or responding to a challenge to your organization’s existing policies or practices for dealing with servicemembers or with other compliance, labor and employment, employee benefit or compensation practices, please contact the author of this update, attorney Cynthia Marcotte Stamer.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experience in worker classification and other employment, employee benefits and workforce matters, Ms. Stamer has extensive experience advising and representing businesses about managing responsibilities and risks under USERRA, SCRA and other federal rules regarding the rights of military service members and veterans in employment, credit and other transactions as part of her broader human resources and internal controls practice.

Ms. Stamer has more than 24 years’ experience advising and representing employer, employee benefit and other clients before the Department of Labor, Justice Department, Internal Revenue Service, Department of Veterans Affairs, Immigrations & Customs, and other agencies, private plaintiffs and others on worker classification and related human resources, employee benefit, internal controls and risk management matters.

Ms. Stamer works extensively with employers, employee benefit plan sponsors, insurers, administrators, and fiduciaries, payroll and staffing companies, technology and other service providers and others to develop and operate legally defensible programs, practices and policies that promote the client’s human resources, employee benefits or other management goals.  She works extensively with, speaks and publishes, and conducts management training on compliance and risk management of requirements concerning the handling of servicemember employment and other rights.

A featured presenter of numerous presentations on employment and other responsibilities of U.S. businesses to servicemembers, Ms. Stamer also is a widely published author and highly regarded speaker on these and other employee benefit and human resources matters who is active in many other employee benefits, human resources and other management focused organizations.  She frequently speaks and conducts training for the American Bar Association, DallasHR, Solutions Law Press and a wide range of other corporations and associations on the management of compliance and risks associated with employment and consumer rights of military service members, veterans and their families.  See, e.g., Update on Employment Rights of Employees in The Military & Their Family.

You can learn more about Ms. Stamer and her experience, find out about upcoming training or other events, review some of her past training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer at www.CynthiaStamer.com.

For Help With These Or Other Matters

If you would like help reviewing or defending your organization’s practices or programs, need legal representation defending those programs and activities, or wish to discuss arranging for Ms. Stamer to conduct training or speak for your organization, please contact Ms. Stamer here.

 For important information concerning this communication click here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.