directors | | Page 2

Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis

October 27, 2016

Compliance with the Privacy and Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) is a living process that requires employer and other health plans, health insurers, health care providers and healthcare clearinghouses to recurrently reevaluate their HIPAA enterprise risk and timely act to mitigate security threats to electronic (ePHI) and other protected health information and other HIPAA compliance concerns on an ongoing basis. That’s the clear take away applicable to all HIPAA-Covered Entities and business associates from the St. Joseph Health Resolution Agreement and Corrective Action Plan (SJH Settlement) and the Oregon Health & Science University Resolution Agreement and Corrective Action Plan (OHSU Settlement) announced by the Department of Health & Human Services Office of Civil Rights (OCR) in the past 30 days. Health plans, their sponsors, fiduciaries and vendors, health care providers and health care clearinghouses should carefully heed this message and in response take documented steps to ensure

Their existing policies, practices and procedures properly are updated in response to changing guidance and events;
They in place the current, comprehensive enterprise risk assessment along with a mitigation plan documenting actions taken to address these risks;
Ensure that the organization has and is administering appropriate, documented processes and procedures to ensure that the organization reassesses its enterprise risk assessment and compliance on a timely basis as warranted by changes or other events that could impact ePHI, regulatory developments or other events that might impact its compliance; and
Have an appropriate, documented process for oversight by C-level management.

OHSU Charges & Settlement

The OHSU Settlement Agreement announced by OCR on September 23, 2016 requires OHSU to pay a $2.7 million settlement payment and adopt and implement a comprehensive three-year corrective action plan to address “widespread and diverse” HIPAA compliance problems OCR reports uncovering while investigating multiple HIPAA breach reports the large public academic health center and research university centered in Portland, Oregon.

OCR began investigating OHSU after the large public academic health center and research university centered in Portland, Oregon, submitted three HIPAA breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive:

On March 23, 2013, HHS received notification from OHSU regarding a breach of its unsecured electronic protected health information (“ePHI”) resulting from a stolen laptop computer;
On July 28, 2013, HHS received notification from OHSU regarding a breach of its ePHI resulting from storing ePHI at an internet-based service provider without a business associate agreement; and.

These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.

OCR’s investigation showed the reported breaches resulted from widespread, long-term, systematic and unresolved HIPAA violations by OHSU that OCR attributed to an inadequate commitment to and oversight of HIPAA compliance by OHSU C-level management which resulted in the failure by OHSU to appropriately monitor the adequacy of its ongoing compliance and to assess and address changes in its enterprise-wide risk and compliance obligations on an ongoing basis. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

OCR concluded that the reported breaches were the result of long-standing, systematic deficiences in OHSU’s processes and procedures for HIPAA compliance, including the following:

While OHSU reportedly performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, OCR says its investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule;
While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level;
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk;
OHSU failed to comply with its duty under HIPAA to enter into a business associate agreement with a vendor before allowing a vendor business associate to store ePHI; and
The absence of meaningful C-suite leadership oversight and commitment to HIPAA compliance.

Based on these investigations, OCR concluded that while OHSU initially adopted HIPAA Policies, the reported breaches were the result of a series of widespread and ongoing breaches of HIPAA resulted including the following:

From January 5, 2011, until July 3, 2013, OHSU disclosed the ePHI of 3,044 individuals in violation of Privacy Rules §§160.103 and 164.502(a) when workforce members disclosed the ePHI to a third party internet-based service provider without obtaining a business associate agreement or other satisfactory assurance that the internet-based service provider would safeguard the ePHI;
From January 5, 2011 until July 3, 2013 OHSU failed to obtain a business associate agreement from an internet-based service provider that was storing ePHI on its behalf as a business associate as required by 45 C.F.R. § 164.308(b);
From January 5, 2011 until July 3, 2013 OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations as required under Privacy Rule § 164.308(a)(1)(i);
From July 12, 2010 to present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise as required by Privacy Rules §§ 164.312(a)(2)(iv) and 164.306(d)(3)); and
From May 29, 2013 until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents in violation of Privacy Rule § 164.308(a)(6)(i).

According to statements made by OCR Director Jocelyn Samuels in OCR’s announcement of the OHSU Settlement, the breaches should not have happened. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient,” said OCR Director Jocelyn Samuels. OCR’s announcement also signals that OCR views inadequate commitment and oversight by OHSU’s senior management to have played a key role in the creation and perpetuation of the OHSU violations. It quotes OCR Director Jocelyn Samuels as stating, “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

OCR’s announcement of the OHSU Settlement emphasizes its determination that a lack of commitment and oversight by C-level management resulted in the failure by OHSU to periodically perform a comprehensive enterprise risk analysis and to reevaluate and update that analysis and its policies, practices, procedures and training as warranted by changing events and guidance.

To resolve the HIPAA charges, the OHSU Settlement requires OHSU to pay OCR $2,700,000 as well as take a long series of corrective actions detailed in the Corrective Action Plan incorporated into the Settlement Agreement. The requirements of the Corrective Action Plan both seek to address the specific weaknesses that lead to the breaches of unsecured ePHI reported by OHSU in its breach notifications as well as the broader deficiencies in OHSU’s overall HIPAA compliance practice by requiring among other things that OHSU:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI at all OHSU facilities and on all systems, networks, and devices that create, receive, maintain, or transmit ePHI;.
Develop and present to OCR for approval a comprehensive written risk management plan that explains OHSU’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on OHSU’s circumstances as well as a comprehensive, enterprise-wide plan to implement effective oversight of OHSU workforce members to ensure their adherence to HIPAA Rules and OHSU’s internal privacy and security policies and procedures with specific timelines for their expected completion and compensating controls identified in the interim to safeguard OHSU’s ePHI;
Implement and administer the written risk management plan and other safeguards as approved by OCR;
Provide updates to OCR about OHSU’s implementation of required encryption including a Mobile Device Management (MDM) solution that ensures all OHSU- owned and personally-owned mobile devices (tablets, smart phones, and other mobile devices) that access ePHI on OHSU’s secure network are encrypted other than mobile devices for which OHSU has granted exceptions based on documented evidence of the implementation of alternative reasonable compensating controls to protect the ePHI on such devices;
Report to OCR on OHSU’s efforts to a solution to enforce encryption of ePHI on OHSU-owned and personally- owned devices (laptops, desktops, and medical equipment) connecting to OHSU’s secure wired and wireless networks except for any devices for which OHSU has granted exceptions to the encryption requirement;
Report to OCR about its implementation of policies that prohibit the transfer of data containing ePHI from OHSU-owned and personally-owned devices to unencrypted removable storage devices (USB drives and portable hard drives) and implementation of a technical solution that enforces the policies prohibiting transfers of this type when attached to the OHSU secure network, except for any removable storage devices for which OHSU has granted exceptions based on documented evidence of reasonable compensating controls that have been implemented to protect the ePHI on such devices;
Send a communication to all members of the OHSU community describing its commitment to enterprise encryption;
Prepare to the satisfaction of OCR security awareness training materials needed to implement its security management processing including specific privacy and security awareness related to a) use of internet-based information storage services; b) disclosures to third party entities that require a business associate agreement or other reasonable assurance in place to ensure that the business associate will safeguard the protected health information (PHI) and/or ePHI; c) regarding managers, effective oversight of workforce members’ uses and disclosures of PHI, including ePHI, to ensure the workforce members’ compliance with the Privacy and Security Rules and OHSU’s internal policies and procedures; d) security incident reporting; and e) password management;
Initially train all workforce members with access to PHI and/or ePHI with 120 days of OCR’s approval of the training and thereafter ensure that new workforce members are trained with 15 days of hire and that all workforce members subsequently continue to receive training on an on-going basis;
Review the security awareness training materials annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments;
Management oversight and supervision of the implementation and administration of the corrective actions required by the Corrective Action Plan and HIPAA compliance; and

Management reporting to OCR on its actions and compliance with the Corrective Action Plan.

SJH Settlement

Similarly, the SJH Settlement OCR announced on October 18, 2016 with St. Joseph Health (SJH) requires SJH to pay a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan to settle OCR charges that SJH violated HIPAA by allowing files containing ePHI of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012.

A nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, who through its 24,000 employees and 6,000 physicians provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SHS’ 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJS filed with OCR. On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals-St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

To resolve charges resulting from these findings, the SJH Resolution Agreement requires SJH to pay OCR a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

Among other things, the Corrective Action Plan specifically requires that SJH:

Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHJ);
Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
Distribute the risk management plan as finally approved by OCR to to workforce members involved with implementation of the plan within 30 days of OCR approval;
Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
Prepare for review of OCR training materials and once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
Submit annual report to OCR signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

Take Away For Other Covered Entities & Business Associates

The OHSU and SJH Settlement Agreements send a clear message to all Covered Entities and business associates that they must be prepared to demonstrate not only that their initial adoption and implementation of required HIPAA Privacy and Security policies and safeguards, but also that their organization’s leadership needs to be prepared to demonstrate their commitment to HIPAA compliance by making adequate provision for HIPAA compliance, and appropriately monitoring developments that could impact the adequacy of their existing measures and timely update their systems and security, policies, procedures, training and other relevant safeguards.

The Settlements make clear that Covered Entities and their business associates should ensure that their organization possesses a well-documented current enterprise-wide risk assessment, as well as has in place and is administering as necessary to maintain the currency and adequacy of its risk assessment strong practices for conducting documented evaluations of their own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA, taking into account recent OCR guidance, its initiation of its Phase II audit program, the insights offered by OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate’s operations that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks.

In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation to in response to the guidance and insight that OCR provides, including:

A series of recent OCR Resolution Agreements emphasizing the need for Covered Entities and their Business Associates to verify that have in place, and review and update as necessary business associate agreements e.g. HIPAA Settlement Illustrates The Importance Of Reviewing And Updating, As Necessary, Business Associate Agreements (September 23, 2016); Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement (June 29, 2016);
Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option Up to $6.50 is Not a Cap on All Fees for Copies of PHI (May 23, 2016)
Guidance On HIPAA & Cloud Computing released October 6, 2016, which provides guidance for Covered Entities and business associates about contracting and other procedures that HIPAA-regulated Covered Entities and their business associates should implement when contracting for and using Cloud Computing Services;
Joint Guidance published October 21, 2016 by the Federal Trade Commission and OCR reminding Covered Entities and their business associates of the need to ensure that in addition to fulfilling the technical content requirements of HIPAA, their HIPAA authorizations, privacy practices notices and other HIPAA notices and communications are written and presented in plan language, include required specific terms and descriptions and in a manner that does not mislead individuals about their rights or about what is happening with their PHI. Furthermore, where Covered Entities and their business associates contemplate that businesses associates may request that individuals sign HIPAA authorizations, Covered Entities and their business associates should the Covered Entity and business associate have in place a current, signed HIPAA-compliant business associate agreement that that expressly authorizes the business associate to request the HIPAA authorization in light of statements in the Joint Guidance indicating that OCR views the Privacy Rules as prohibiting a business associate from asking a consumer to sign a HIPAA authorization unless its business associate contract expressly permits the business associate to do so; and
Other OCR enforcement actions, tools and guidance. See, e.g. All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement; Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance; $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework; HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

Employer and other health plan sponsors, health plan fiduciaries and business associates, and their service providers also generally will want to consider their responsibilities to provide and enforce employer certifications, as well as the fiduciary obligations health plan fiduciaries under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Among other things, wrongful disclosure of PHI to a sponsoring employer or others could violate HIPAA or other plan terms. Furthermore, Department of Labor officials have indicated stated that a fiduciary’s general fiduciary responsibilities can apply to the protection and administration of PHI and other health plan information as well as create a duty by a responsible fiduciary to prudently investigate and take steps to address breaches or other potential concerns that place PHI at risk. See, HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks.

Furthermore, as breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, contractual, tort and other exposures, Covered Entities and their business associates also generally are best served to take into account these other responsibilities and exposures in conjunction with the design and administration of their HIPAA compliance and risk management policies and practices.

Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, training, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attends these events. In addition, given the typically high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR changes, most Covered Entities and their business associations will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the often substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices also are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,”“Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications on HIPAA and other privacy and data security concerns earned in connection with her more than 28 years’ of involvement advising and representing business and government clients domestically and internationally about workforce and human resources, employee benefits; health care; insurance and financial; privacy and data security and other performance management, regulatory, internal controls and other compliance, risk management, public policy and operational other key concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair and current Defined Contribution Plans Committee Co-Chair, Groups and Substantive Committee and Membership Committee Members, past Welfare Plans Committee Chair and Co-Chair, and former Fiduciary Responsibility Vice Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current ABA International Section Life Sciences Committee Vice Chair, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, former ABA Joint Committee on Employee Benefits Council Representative and Marketing Committee Chair and a prolific author and highly popular speaker and consultant, Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

Comments Off on Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis | ARRA, board of directors, Brokers, Cafeteria Plans, CHIP, Civil Monetary Penalties, Civil Rights, Claims, compliance, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, directors, EBSA, Electronic Medical Record, employee, Employee Benefits, Employer, Employers, Employment, EMR, fiduciary duty, Fiduciary Responsibility, GINA, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Technology, third party administrators, Uncategorized, Union, Workforce | Tagged: Breach Notification, broker, Covered Entity, Data Breach, Data Security, EPHI, ERISA, health care providers, Health Plans, HIPAA, Medical Privach, Medical Privacy, Personal Health Information, Privacy, Technology | Permalink
Posted by Cynthia Marcotte Stamer

DOL Employer & Employee Benefit Fines Going Up

July 1, 2016

Employers, employee benefit plan fiduciaries and others caught violating Federal employment, employee benefit, and a wide range of other laws and regulations ranging from the Fair Labor Standards Act (FLSA) to the Employee Retirement Income Security Act (ERISA), and many other Federal Labor and employment laws should brace for increased civil penalties and other changes in the calculation of these penalties under interium rules just released by the DOL. Employers and other parties must comply with these rules but if concerned with these Interium Rules, will have 45 days to comment before DOL will publish any final rule.

In 2015, Congress passed the Federal Civil Penalties Inflation Adjustment Act Improvements Act, which requires the Department of Labor (DOL) and other agencies adjust their penalties for inflation each year.
In response to this mandate, the DOL has published two interim final rules to adjust its penalties for inflation effective August 1:

Federal Civil Penalties Inflation Adjustment Act Catch-Up Adjustments, which is DOL-only rule covering the vast majority of penalties assessed by a number of the DOL’s agencies including the DOL’s Employee Benefits Security Administration, Mine Safety and Health Administration, Occupational Safety and Health Administration, Office of Workers’ Compensation Programs, and Wage and Hour Division; and
Federal Civil Penalties Inflation Adjustment Act Catch-Up Adjustments: H-2B Temporary Non-agricultural Worker Program, which will be issued jointly with the Department of Homeland Security to adjust penalties associated with the H-2B temporary guest worker program

Both rules define rules that DOL plans to use to apply the 2015 Inflation Adjustment Act’s formula on how to determine the proper adjustment for each penalty effective August 1, 2016 to civil penalties that DOL can assess against employers for violations.

The new method will adjust penalties for inflation, though the amount of the increase is capped at 150 percent of the existing penalty amount. The baseline is the last increase other than for inflation. The new civil penalty amounts are applicable only to civil penalties assessed after August 1, 2016, whose associated violations occurred after Nov. 2, 2015.

The rules published under the 2015 law will increase some penalties that DOL perceives have lost ground to inflation including:

OSHA’s maximum penalties, which have not been raised since 1990, will increase by 78 percent. The top penalty for serious violations will rise from $7,000 to $12,471. The maximum penalty for willful or repeated violations will increase from $70,000 to $124,709.
OWCP’s penalty for failure to report termination of payments made under the Longshore and Harbor Workers’ Compensation Act, has only increased $10 since 1927, and will rise from $110 to $275.
WHD’s penalty for willful violations of the minimum wage and overtime provisions of the Fair Labor Standards Act will increase from $1,100 to $1,894.

A list of each agency’s individual penalty adjustments is available here.

In addition to increasing its civil penalties, the DOL has indicated that in response to these changes, it will update the FLSA Minimum Wage Poster and other required labor posters before the August 1, 2016 effective date.

Since these impending increases raise the civil penalty exposures for employers in the most heavily enforced by the DOL, employers now have an even greater need to tighten their compliance and risk management practices under these laws.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecture and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a former ABA Joint Committee on Employee Benefits Council Representative and , Ms. Stamer helps management manage.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer serves on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and as an editorial advisor and contributing author of many other publications. Her leadership involvements with the American Bar Association (ABA) include year’s serving many years as a Joint Committee on Employee Benefits Council representative; ABA RPTE Section current Practice Management Vice Chair and Substantive Groups & Committees Committee Member, RPTE Employee Benefits & Other Compensation Committee Past Group Chair and Diversity Award Recipient, current Defined Contribution Plans Committee Co-Chair, and past Welfare Benefit Plans Committee Chair Co-Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; International Section Life Sciences Committee Policy Vice Chair; and a speaker, contributing author, comment chair and contributor to numerous Labor, Tax, RPTE, Health Law, TIPS, International and other Section publications, programs and task forces. Other selected service involvements of note include Vice President of the North Texas Healthcare Compliance Professionals Association; past EO Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former Southwest Benefits Association Board of Directors member, Continuing Education Chair and Treasurer; former Texas Association of Business BACPAC Committee Member, Executive Committee member, Regional Chair and Dallas Chapter Chair; former Society of Human Resources Region 4 Chair and Consultants Forum Board Member and Dallas HR Public Policy Committee Chair; former National Board Member and Dallas Chapter President of Web Network of Benefit Professionals; former Dallas Business League President and others. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at Solutionslawpress.com including:

OFCCP Ups Government Contractor Vet Hiring Targets
Average American Family 2016 Healthcare
Brace For OCR HIPAA Audits
Health Plans Disclosing Data To State All Payer Data Banks Face HIPAA Risks
Confirm Copy Charges Comply With New HIPAA Guidance
Frontier Says “Conversion Issues” for
Obama Offers Grants To States To Boost Paid Leave Availability With State Grants
Business Associate Rule Violations Behind $750K HIPAA Settlement
Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors
Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates
Expect New Fed Regs To Increase Childcare Costs
OSHA Raises Silica Safety Requirements
DOL “Persuader Rule” Changes Broaden Employer & Consultant Anti-Union Contract Disclosure Duties
Check Health Plan Privacy For New Guidance Compliance
Marketplace Data Deficiencies Signal Employer ACA Headaches
SCOTUS: States Can’t Require Reporting of ERISA Health Plan Data
IRS OK’s Skipping Certain 2015 Form 5500 Questions
DOL Proposes Changes To Summary of Benefit & Coverage Rules
More proof government should stay out of healthcare
Health Care Quality: Different Meaning For Care Vs. Coverage
IRS Changes Plan Qualification Procedures, Returns, Other Procedures
Remember Microsoft: The Need for Effective Risk Management as to Contract Employees
Obama Administration Proposes Rules Giving Jobseeker Equal Opportunity Protections
Health Benefit Still Top Employer Benefit Cost
S. Businesses & Their Leaders Face Rising FLSA Collective Action Liability Risks
Improve HR Value To Company By Making HR A Performance Rather Than People Department
Sponsoring Employers Face Excise Taxes, Other Liabilities Unless Health Plans Comply With ACA Out-Of-Pocket & Other Federal Rules
Legal Review Of Health Plan Documents, Processes Needed To Mitigate Employer’s Excise Tax & Other Health Plan Risks
EEOC ADA Suit Against Magnolia Health Highlights US Employer’s Growing Disability Discrimination Risks
Proposed OSHA Regs Will Clarify Employer’s Continuing Duty To Ensure OSHA 300 Log Completeness
10 Practical Pointers To Use Law To Better Strengthen The Legal Defensibility Of Your Business & Its Leaders

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.

Comments Off on DOL Employer & Employee Benefit Fines Going Up | Accommodation, ADA, compliance, Contraception, Cybercrime, directors, E-Verify, EEOC, Employment, Employment Agreement, Employment Discrimination, ERISA, fiduciary duty, FMLA, GINA, h-2A Visa, health reform, HIPAA, Hiring, Insurance, Internal Controls, Labor Management Relations, LEP, mine safety, Obamacare, OFCCP, Rehabilitation Act, SBC, Uncategorized, Union, Union certification, Union elections, visas, Wellness, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors

April 12, 2016

Employer and other employee benefit plan sponsors, benefit plan committees and fiduciaries, and the broker-dealers, financial advisors, insurance agents and other plan service providers that provide investment-related platforms, advice, recommendations or other services for employee benefit plans need to reevaluate the fiduciary status of their service providers and begin restructuring as necessary their associated relationships, service provider commission or other compensation, service agreements and arrangements or other services in response to a new Regulatory Guidance Package (Rule) that explicitly classifies parties providing “covered investment advice” as fiduciaries subject to the conflict of interest and other fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA).

Supplementing existing precedent and EBSA’s already existing broad, functional definition of “fiduciary,” the Rule clarifies when individuals and entities that provide “covered investment advice” to plans, plan sponsors, fiduciaries, plan participants, beneficiaries and Individual Retirement Accounts (IRAs) and IRA owners are:

Fiduciaries of the Plan or IRA for purposes of Title I of ERISA;
Required to acknowledge their status and the status of their individual advisers as “fiduciaries” of the plan for purposes of ERISA;
Accountable as fiduciaries for making prudent investment recommendations without regard to their own interests, or the interests of those other than the plan or plan participant or beneficiary that is the customer;
Restricted to charging only “reasonable compensation” for their advice or service;
Prohibited from making misrepresentations to their customers regarding recommended investments; and
Prohibited from providing advice or making payments that involve any conflicts of interest prohibited by ERISA unless the arrangements fully complies with a prohibited transaction exemption issued by EBSA under ERISA Section 408 that otherwise complies with ERISA Section 404.

Concurrent with its adoption of final regulations implementing these new rules concerning investment advisors and their fiduciary responsibilities, the Rule also adopts certain new Prohibited Transaction Exemptions that define requirements that providers of covered investment advice and the plan fiduciaries that engage them generally will be required after April 7, 2017 to ensure are met for investment advisors to receive commission-based compensation for their services, to sell or purchase certain recommended debt securities and other investments out of their own inventories to or from plans and IRAs, or to receive compensation for recommending fixed rate annuity contracts to plans and IRAs.

Investment Advice Covered By The Rule

The final rule applies to “covered investment advice.” For purposes of the rule, “covered investment advice” generally includes:

A recommendation to a plan, plan fiduciary, plan participant and beneficiary and IRA owner for a fee or other compensation, direct or indirect, as to the advisability of buying, holding, selling or exchanging securities or other investment property, including recommendations as to the investment of securities or other property after the securities or other property are rolled over or distributed from a plan or IRA;
A recommendation as to the management of securities or other investment property, including, among other things, recommendations on investment policies or strategies, portfolio composition, selection of other persons to provide investment advice or investment management services, selection of investment account arrangements (e.g., brokerage versus advisory); or recommendations with respect to rollovers, transfers, or distributions from a plan or IRA, including whether, in what amount, in what form, and to what destination such a rollover, transfer, or distribution should be made.

Under the Rule, the fundamental threshold element in establishing the existence of fiduciary investment advice is whether a “recommendation” occurred. The Department has taken an approach to defining “recommendation” that is consistent with and based upon the approach taken by the Financial Industry Regulatory Authority (FINRA), the independent regulatory authority of the broker-dealer industry, subject to the oversight of the Securities and Exchange Commission (SEC).

The Rule specifies that a “recommendation” is a communication that, based on its content, context, and presentation, would reasonably be viewed as a suggestion that the advice recipient engage in or refrain from taking a particular course of action. Under the Rule, the more individually tailored the communication is to a specific advice recipient or recipients, the more likely the communication will be viewed as a recommendation.

The types of relationships that must exist for such recommendations to give rise to fiduciary investment advice responsibilities include recommendations made either directly or indirectly (e.g. through or together with any affiliate) by a person who:

Represents or acknowledges that they are acting as a fiduciary within the meaning of ERISA or the Internal Revenue Code (Code);
Renders advice pursuant to a written or verbal agreement, arrangement or understanding that the advice is based on the particular investment needs of the advice recipient; or
Directs the advice to a specific recipient or recipients regarding the advisability of a particular investment or management decision with respect to securities or other investment property of the plan or IRA.

Also, the Rule only applies where a recommendation is provided directly or indirectly in exchange for a “fee or other compensation.” “Fee or other compensation, direct or indirect” means any explicit fee or compensation for the advice received by the person (or by an affiliate) from any source, and any other fee or compensation received from any source in connection with or as a result of the recommended purchase or sale of a security or the provision of investment advice services including, though not limited to, such things as commissions, loads, finder’s fees, and revenue sharing payments. A fee or compensation is paid “in connection with or as a result of” such transaction or service if the fee or compensation would not have been paid but for the transaction or service or if eligibility for or the amount of the fee or compensation is based in whole or in part on the transaction or service.

Investment Advice Not Covered By Rule

While the Rule reaches broadly, not all communications with financial advisers are covered fiduciary investment advice under the Rule. As a threshold issue, if the communications do not meet the definition of “recommendations” as described above, the communications will be considered non-fiduciary. In response to requests from commenters, and for clarification, the final rule includes some specific examples of communications that would not rise to the level of a recommendation and therefore would not constitute a fiduciary investment advice communication under the Rule.

When evaluating the applicability and effect of these exemptions, however, it is important to keep in mind that by adding the new Rule, EBSA seeks to make clear that individuals or organizations that engage in activities described in the Rule as covered investment advice are fiduciaries subject to these requirements. Since the Rule does not revoke existing EBSA fiduciary guidance or judicial precedent, service providers and other parties with discretionary authority or responsibility over employee benefit plans not covered by the Rule still could qualify as fiduciaries if their authority, responsibility or actions functionally causes them to fall within the definition of a fiduciary under these other pre-existing definitions of fiduciary status. Subject to this cautionary proviso, the following are some of the activities that the Rule identifies as activities that might fall outside the Rule’s covered investment activities in the manner required by the Rule:

“Education” as defined and provided in accordance with the Rule;
“General communications that a reasonable person would not view as an investment recommendation;”
Simply making available a platform of investment alternatives without regard to the individualized needs of the plan, its participants, or beneficiaries if a plan fiduciary independent of the platform service provider actually decides what investment options are offered and the platform service provider also represents in writing to the plan fiduciary that they are not undertaking to provide impartial investment advice or to give advice in a fiduciary capacity; and
Transactions with independent plan fiduciaries where the adviser knows or reasonably believes that the independent fiduciary is a licensed and regulated provider of financial services (banks, insurance companies, registered investment advisers, broker-dealers) or those that have responsibility for the management of $50 million in assets, and other conditions set forth in the Rule are met;
Communications and activities made by advisers to ERISA-covered employee benefit plans in swap or security-based swap transactions when the swap transaction meets certain conditions set forth in the Rule, which EBSA designed in coordination with the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) to avoid conflicts between the Rule and the swap and security-based swap rules promulgated by those agencies under the Dodd–Frank Wall Street Reform and Consumer Protection Act; and
Activities and communications of employees working in the payroll, accounting, human resources, and financial departments of the plan sponsor or its affiliated business who routinely develop reports and recommendations for the company and other named fiduciaries of the sponsors’ plans if the employees receive no fee or other compensation in connection with any such recommendations beyond their normal compensation for work performed for their employer.

New Prohibited Transaction Exemptions Published With Rule

Concurrent with its publication of the Rule, EBSA also is adopting the following new “Prohibited Transaction Exemptions to the otherwise applicable statutory list of prohibited conflict of interest transactions in ERISA Section 406 and the companion rules of the Internal Revenue Code (Code) applicable to qualified retirement plans.

Noncompliance with the Rule, including where necessary to avoid violating ERISA Section 406’s prohibited transaction prohibitions, by parties providing covered investment advice or the engagement or retention of such a service provider by an employer or other party exercising or with responsibility or authority to make that engagement carriers big legal risk. Advisers and financial institutions that don’t meet the BICE standards and other requirements of the Rule expose themselves to liability from breach of fiduciary duty claims under ERISA brought by ERISA plans, participants, and beneficiaries or in the case of IRAs or other non-ERISA plans, state law breach of contract or other state law claims brought by IRAs and other non-ERISA plans or accountholders. Likewise an employer, member of its management or other party responsible for or having authority to choose the service provider risks breaching its own fiduciary duties under ERISA by engaging a party that renders covered investment advice without complying with the Rule. In addition, to the extent that the engagement or activities of the service provider involves commission compensation payments, swaps or other activities that would constitute a prohibited conflict of interest under ERISA Section 406 not structured and conducted with an applicable prohibited transaction exemption, both the service provider and the fiduciary could bear personal liability for involving the plan or its assets in a prohibited transaction in violation of ERISA Section 406. For this reason, to help positions themselves to mitigate or defend against liability for such potential claims, advisors generally should take steps to ensure that the advisor can prove the advisor acted in their clients’ best interest by documenting their use of a reasonable process and adherence to professional standards in deciding to make the recommendation and determining it was in the customer’s best interest, and by documenting their compliance with the financial institution’s policies and procedures required by the Best Interest Contract Exemption.

“Best Interest Contract Exemption” (BICE)

ERISA and the Internal Revenue Code rules for qualified retirement plans generally prohibit individuals or entities providing fiduciary investment advice to plan sponsors, plan participants, and IRA owners to receive payments creating any of the listed statutory conflicts of interest listed in ERISA or the Code without a prohibited transaction exemption (PTE), employee benefit plan sponsors, benefit plan committees and other fiduciaries, and the broker-dealers, financial advisors, insurance agents and other plan service providers providing covered investment services to employee benefit plans also need to ensure that their compensation is structured to ensure that the compensation and other arrangements do not violate these prohibited transaction and conflict of interest prohibitions of the Code and ERISA, ERISA’s reasonable compensation rules, or the other requirements of ERISA.

Concerning ERISA Section 406’s party-in-interest and other conflict of interest requirements, EBSA issued in conjunction with its publication of the Rule a new “Best Interest Contract Exemption” (BICE), which provides a prohibited transaction exception that permits the payment of commission-based compensation to fiduciary investment advisors as long as the conditions specified in the BICE are met. Among other things, the BICE requires as a condition of the applicability of this exception that:

The financial institution to acknowledge in writing fiduciary status for itself and its advisers;
The financial institution and advisers to adhere to ERISA’s basic standards of impartial conduct, including giving prudent advice that is in the customer’s best interest, avoiding making misleading statements, and receiving no more than reasonable compensation;
The financial institution to have policies and procedures designed to mitigate harmful impacts of conflicts of interest; and
The financial institution to disclose specified information about their conflicts of interest and the cost of their advice.

The specified disclosures required to meet the conditions of the BICE include:

Descriptions of material conflicts of interest;
Descriptions of fees or charges paid by the retirement investor
A statement of the types of compensation the firm expects to receive from third parties in connection with recommended investments;
Notification that investors have the right to obtain specific disclosure of costs, fees, and other compensation upon request; and
A requirement that a website must be maintained and updated regularly that includes information about the financial institution’s business model and associated material conflicts of interest, a written description of the financial institution’s policies and procedures that mitigate conflicts of interest, and disclosure of compensation and incentive arrangements with advisers, among other information. However, the BICE currently does not require that the website include individualized information about a particular adviser’s compensation.

Noncompliance with the Rule by parties providing covered investment advice or the engagement or retention of such a service provider by an employer or other party exercising or with responsibility or authority to make that engagement carriers big legal risk. Advisers and financial institutions that don’t meet the BICE standards and other requirements of the Rule expose themselves to liability from breach of fiduciary duty claims under ERISA brought by ERISA plans, participants, and beneficiaries or in the case of IRAs or other non-ERISA plans, state law breach of contract or other state law claims brought by IRAs and other non-ERISA plans or accountholders. Likewise an employer, member of its management or other party responsible for or having authority to choose the service provider risks breaching its own fiduciary duties under ERISA by engaging a party that renders covered investment advice without complying with the Rule. In addition, to the extent that the engagement or activities of the service provider involves commission compensation payments, swaps or other activities that would constitute a prohibited conflict of interest under ERISA Section 406 not structured and conducted with an applicable prohibited transaction exemption, both the service provider and the fiduciary could bear personal liability for involving the plan or its assets in a prohibited transaction in violation of ERISA Section 406. For this reason, to help positions themselves to mitigate or defend against liability for such potential claims, advisors generally should take steps to ensure that the advisor can prove the advisor acted in their clients’ best interest by documenting their use of a reasonable process and adherence to professional standards in deciding to make the recommendation and determining it was in the customer’s best interest, and by documenting their compliance with the financial institution’s policies and procedures required by the Best Interest Contract Exemption.

Principle Transactions Exemption

The “Principal Transactions Exemption” published in connection with the Rule provides an exemption from the prohibitions of ERISA Section 406 to allow investment advice fiduciaries to sell or purchase certain recommended debt securities and other investments out of their own inventories to or from plans and IRAs where the requirements of the Exemption are met. As with the Best Interest Contract Exemption, the Principle Transaction Exemption requires, among other things, that investment advice fiduciaries adhere to certain impartial conduct standards, including obligations to act in the customer’s best interest, avoid misleading statements, and seek to obtain the best execution reasonably available under the circumstances for the transaction.

Existing PTE For Fixed Rate Annuity Contracts

In connection with its adoption of the Rule, EBSA also is amending existing exemption, PTE 84-24, which provides relief for insurance agents and brokers, and insurance companies, to receive compensation for recommending fixed rate annuity contracts to plans and IRAs. As amended in connection with the Rule, the requirements of PTE 84-24 are modified to provide increased safeguards for retirement investors while still providing “more streamlined conditions” than those required to meet the Best Interest Contract Exemption. Consistent with its enthusiasm for encouraging the offering and adoption of life time income products to retirees over the past several years, EBSA says these more streamlined conditions of PTE 84-24 are appropriate to “facilitate access by plans and IRAs to these relatively simple lifetime income products.” More complex products, such as variable annuities and indexed annuities, will be able to be recommended by advisers and financial institutions under the terms of the Best Interest Contract Exemption.

Other PTE Exemptions Modified To Raise Requirements

The Department is amending other existing exemptions, as well, to ensure that plan and IRA investors receiving investment advice are consistently protected by impartial conduct standards, regardless of the particular exemption upon which the adviser and the fiduciary engaging that advisor intend to rely upon to avoid violating of ERISA 406.

While the compliance deadline for the new Rule is not until April 8, 2017, the relief from ERISA Section 406 offered by the new Exemptions announced in connection with the Rule’s publication generally became available when EBSA published them in connection with the Rule on April 8, 2016. As this relief could provide helpful protection against fiduciary challenges or exposures that some service providers might already face under already existing fiduciary precedent or guidance, many service providers involved in dealings with plan or IRA investments may wish to take steps to position themselves to claim protection under one of these new PTE Exemptions even before the Rule takes effect. When evaluating this option, some service providers should be aware of the availability of transitional relief that may make it easier for some service providers to claim relief under the new BICE or Principal Transactions Exemption between April 8, 2017 and January 1, 2018 (Transition Period). In addition, parties that contemplate wishing to take advantage of the relief offered by the new BICE or Principal Transactions Exemption may benefit from taking advantage of reduced requirements for meeting these conditions during the phase in Transition Period. During this Transition Period, EBSA still will require firms and advisers to adhere to the Exemptions’ impartial conduct standards, provide a notice to retirement investors that, among other things, acknowledges their fiduciary status and describes their material conflicts of interest, and to designate a person responsible for addressing material conflicts of interest and monitoring advisers’ adherence to the impartial conduct standards; however compliance with certain other requirements is waived until January 1, 2018. Of course, full compliance with all requirements of the applicable Exemptions will be required as of January 1, 2018.

Rule Requires Action By Plan Sponsors, Fiduciaries & Service Providers

The new Rule creates lots of new work both for advisors and other service providers in, as well as plan sponsors, plan administrative committees or other fiduciaries responsible for selection, retention and oversight of those providing these services. All such parties have much to do to fulfill their ERISA responsibilities by the April 8, 2017 deadline for compliance with the new Rule and to deal with other likely fallout from the new Rule.

Fallout for Covered Investment Advisors & Other Service Providers

Clearly, advisors, financial institutions and other service providers providing covered investment advice and others with involvement with investments or investment platforms have much work to do to prepare for the new rule. However, compliance with the Rule is not merely a service provider problem. Employer or other plan sponsors, plan fiduciaries or other responsible for the credentialing, selection, retention, and oversight of service providers dealing with investments also need to ensure that the party or parties responsible for these vendor dealings fulfills its own fiduciary responsibilities in dealing with vendors and service providers that may be impacted by these requirements.

Advisers and financial institutions that don’t meet the requirements of the new Rule expose themselves to liability from breach of fiduciary duty claims under ERISA brought by ERISA plans, participants, and beneficiaries or in the case of IRAs or other non-ERISA plans, state law breach of contract or other state law claims brought by IRAs and other non-ERISA plans or accountholders. Obviously, advisors, financial institutions and other service providers providing advice or having dealings or involvement with IRA or employee benefit plan investments, their selection or administration will want to review and update their relationships and their associated compensation, contracts, disclosures and other arrangements and processes in light of the new Rule. Clearly, those that could be considered to offer or provide covered investment advice need to start revising contracts, compensation, policies, practices and other arrangements in anticipation of the Rule. At the same time, the Rule also is likely to create work for certain service providers with involvement or dealings with investments that the service provider considers to fall outside of the Rule:

To respond to changes in client requests for proposals, contracts or other due diligence in response to the Rule;
To respond to changes in response to the Rule by covered investment advisors to reconfigure services, relationships and contracts in response to the Rule;
To clarify and institutionalize and document communications by the uncovered service provider to clients and others of limits on the service provider’s services and capacity that are necessary or helpful to avoid or limit exposure of the service provider to coverage by or claims of liability arising out of the Rule; and/or
Otherwise.

Fallout For Plan Sponsors & Plan Fiduciaries Selecting & Overseeing Service Providers

Employer or other plan sponsors, plan fiduciaries or other responsible for the credentialing, selection, retention, and oversight of service providers dealing with investments also need to anticipate and be prepared to deal the effects of adoption of the Rule on their responsibilities and risks as they relate to the selection, retention, contracting, compensation and other dealings with service providers impacted by the Rule.

The Rule’s explicit designation as fiduciaries of certain service providers that previously may have been characterized as providing services as non-fiduciaries, much less its tightening of requirements for the investment advisors that are covered fiduciaries, creates a host of new responsibilities and considerations for employers sponsoring plans and its members of management that select, retain, contract with and oversee these service providers.

Under ERISA, parties designated in writing or function exercising discretionary authority or responsibility for the selection, retention, compensation and oversight of fiduciary or other service providers generally are considered fiduciaries for purposes of carrying out these responsibilities and bear personal liability for prudently selecting, retaining and monitoring the service provider in accordance with ERISA.

To fulfill this fiduciary obligation, those involved in selecting and retaining investment advisors covered by the rules should expect to bear responsibility for ensuring that the covered investment advisor is engaged in compliance with the Rule and the otherwise applicable requirements of ERISA, including that the engagement and compensation of the selected investment advisor will not involve the plan or its assets in a prohibited conflict of interest listed in ERISA Section 406. Furthermore, failing to ensure that the engagement of an investment advisor does not violate these conflict of interest rules also exposes a sponsoring employer of a qualified plan to excise tax liability under the Code’s companion party-in-interest rules applicable to such plans.

Accordingly, whether the employer itself retains and directly exercises the discretionary authority to select and retain a service provider or appoints a committee or member of its staff to perform these responsibilities as a designated fiduciary, an accurate understanding of which service providers, taking into account the rule, now will be considered fiduciaries and the requirements of the Rule flowing from this status is essential to understand and make appropriate provisions to ensure that proper steps are taken to ensure that the Rule and ERISA’s other requirements for prudent credentialing, bonding, contracting, compensation, and other dealings with the service provider and to budget for the proper conduct of the activities needed to fulfill these obligations.

In light of these and other exposures and obligations, employer and other plan sponsors, plan fiduciaries and plan service providers alike all should start preparing to respond to the new Rule.

To help positions themselves to mitigate or defend against liability for such potential claims, each party generally will want to take prudent and well-documented steps to evaluate the fiduciary status of each applicable service provider, as well as its own fiduciary status, capacity, responsibility and other exposures in light of the new Rule. Since ERISA fiduciary status attaches functionally based on the functional facts and circumstances, sponsoring employers, as well as service providers generally will want to consider taking appropriate steps to document this analysis and other compliance and risk management efforts to avoid violations of the Rule, as well as to position themselves to defend against other claims and liabilities.

In all cases, each impacted party should make an effort to apply and retain evidence documenting its efforts including, in the case of all service providers, whether or not covered investment advisors under the Rule, their efforts to act in their clients’ best interest by documenting their use of a reasonable process and adherence to professional standards in deciding to make the recommendation and determining it was in the customer’s best interest, and by documenting their compliance with the financial institution’s policies and procedures and applicable requirements of the law.

About The Author

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair, past Welfare Benefit Committee Chair, and Current Defined Contribution Plan Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a past ABA Joint Committee on Employee Benefits Council Representative Cynthia Marcotte Stamer is a practicing attorney, regulatory and public policy advocate, author, lecturer and industry and public policy thought leader recognized as a “Top” attorney in employee benefits, labor and employment and health care law for her more than 28 years’ of leading edge experience nationally and internationally providing practical and effective advice and representation to management.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management understand and use the law and process to manage people, performance, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative and pragmatic problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements.

She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. In these and other engagements, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. In the course of this work, Ms. Stamer has accumulated an impressive resume of more than 28 years’ of experience advising and representing clients on Title I and other ERISA fiduciary responsibility concerns including assisting and advising plan sponsors, plan fiduciary and plan service providers to design and administer fiduciary and other compliance and risk management policies and practices, conducting investigations of potential fiduciary or other breaches, and serving as special counsel, advising and representing these and other clients in connection with EBSA, IRS, SEC and other governmental audits, investigations and enforcement actions; in private disputes and litigation regarding plan investments or other fiduciary concerns between plan participant and beneficiaries, plans, plan fiduciaries, plan sponsors and plan service providers; or both.

Ms. Stamer also is deeply involved in helping to influence health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. Deeply involved in both U.S. statutory and regulatory pension and health care reform throughout her career, Ms. Stamer both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health plans, their sponsors, administrators, insurers and many other business, professional and civic organizations.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com, or http://www.stamerchadwicksoefje.com the member of contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc. ™ resources at www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.

Comments Off on Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors | 401(k), Banking, board of directors, Brokers, compensation, compliance, Consumer Protection, Corporate Compliance, corporate governance, defined benefit plan, defined contribution plan, directors, EBSA, Employee Benefits, Employer, Employers, Employment, ERISA, Excise Tax, Excise Taxes, fiduciary duty, Fiduciary Responsibility, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Internal Revenue Code, IRC, Tax, Tax Qualification, Uncategorized | Tagged: benefit plan, conflict of interest, conflict of interest rule, employee benefit plan, Employee Benefits, Employer, ERISA, Fiduciary, Fiduciary Responsibility, investment advice, investment advisor, plan, prohibited transaction | Permalink
Posted by Cynthia Marcotte Stamer

Prompt Business Action Needed To Mitigate Post-King Employer Health Benefit Costs & Liabilities

June 30, 2015

With the Obama Administration construing the United States Supreme Court’s King v. Burwell decision as a green light for its full implementation and enforcement of the Patient Protection & Affordable Care Act (ACA), U.S. businesses should brace for both increases in health benefit costs and liabilities over the next year as well as take prompt action to identify and mitigate potential excise tax and other exposures from any unaddressed compliance deficiencies in their 2014 or 2015 health plans as soon as possible and no later than the due date for filing their 2014 business tax return.

As health benefit costs continue their upward trend, many businesses and their leaders plan to look for new options to manage costs and liabilities following the King decision. In most cases, businesses assume they can delay these actions until the beginning of their upcoming health plan year, not realizing their company’s potential liability exposures from existing and past defects. Businesses and their leaders who have held off updating their health plan compliance and expect to delay completion of these activities until the beginning of their upcoming health plan year are likely to be in for a rude awakening, however, particularly since a much underappreciated Sarbanes-Oxley style provision of the Internal Revenue Code will require employer or other group health plan sponsors to self-report, self-assess and pay stiff excise tax penalties when filing their company’s 2014 business tax return unless their group health plan complied with a long list of ACA and other federal health plan rules in 2014.

Employer Health Benefit & Other Compensation Up, Costs Exposures Projected To Continue To Rise

While many businesses delayed making tough choices about their health plan design and compliance over the past several years in hopes of some judicial or Congressional relief from the mandates and costs of ACA, businesses generally have continued to struggle with ever-rising compensation and benefit costs, with health benefit costs the biggest challenge. Recent U.S. Bureau of Labor Statistics (BLS) data confirms what business leaders already know. Compensation and benefit costs rose over the past year, with health benefit costs remaining a big factor in these increased costs. According to BLS, employer compensation costs rose slightly and health benefit costs remained the largest individual benefit cost for employers during the 12-month period ending March 31, 2015, according to the U.S. Bureau of Labor Statistics (BLS). See BLS Employment Cost Index News Release (April 30, 2015).

The BLS Employer Costs For Employee Compensation Report, March 2015 released June 10, 2015 Report) shows private employers spent an average of $31.65 per hour worked for compensation in March 2015 with health benefits accounting averaging 7.7 percent of this average employer total compensation cost per employee. This compares to BLS showing that in March 2014, In March 2014, total employer compensation costs for private industry workers averaged $29.99 per hour worked, with wages and salaries averaging $20.96 per hour (69.9 percent) and benefits averaging $9.03 per hour (30.1 percent). See BLS Employer Costs For Employee Compensation, March 2014 (June 12, 2014)(2014 Report).

BLS data on health benefit and other compensation and benefit costs and trends provides many interesting insights for business as well as government leaders and the role health benefit cost increases play in these increased expenditures. For instance, BLS statistics show for private employers on average during the 12-month period ending March 31, 2015:

Compensation costs for private industry workers increased 2.8 percent over the year, higher than the March 2014 increase of 1.7 percent;
Wages and salaries increased 2.8 percent, also higher than the March 2014 increase of 1.7 percent;
Benefits costs rose 2.6 percent, which was higher than March 2014, when the increase was 1.8 percent; and
Health benefits on average increased 2.5 percent over during the 12-month period that ended on March 31, 2015, rising from the March 2014 increase in compensation costs of 1.8 percent.

Businesses Must Prepare For Impending ACA Enforcement While Dealing With Upsurge In Health Benefit Costs

While the continued rise in the average hourly cost of health benefits for employers is significant in its own right, the reported health benefit cost and employer health cost data in the Report does not include additional reporting and other compliance and risk management costs, which in light of the explosion in employer group health plan mandates since the passage of the Patient Protection and Affordable Care Act (ACA). Research indicates that the employer plan design changes slowed the upward trend in employer health benefit expenditures that otherwise would have occurred in 2015. This upward trend is projected to continue if not accelerate in 2016, however.

The 2015 Report shows these upward increases in employer costs for health benefits and other compensation continued in the first quarter of 2015. Concerning health benefits, for instance, the 2015 Report shows health benefit costs paid by employers averaged $2.43 per hour worked (7.7 percent of total compensation)in private industry in March 2015, compared to the average health benefit costs BLS reported. In comparison, the 2014 Report indicated in March, 2014, the average cost for health insurance benefits in private industry was $2.36 per hour worked in March 2014 (7.9 percent of total compensation).

Overall health benefit costs and associated compliance expenses of employers that elect to continue to offer health benefits for employees are projected to rise throughout 2015 and 2016 as ACA driven mandates and market changes drive up employer’s direct health benefit costs. See, e.g. Employers’ Health Costs Projected to Rise 6.5% for 2016.

The trend data and judicial and political developments indicate that business leaders can look for these trends not only to continue, but accelerate. With an impending responsibility to self-report violations of ACA and various of federal health plan mandates imminent, business leaders should brace to deal with any deficiencies in compliance in their 2014 and 2015 health plans much sooner than they might have expected following the Supreme Court’s King v. Burwell decision last week. President Obama made clear last week he views the King ruling as giving the Internal Revenue Service, Department of Labor and Department of Health & Human Services the all clear for full implementation and enforcement of ACA and other federal health plan rules. While these overall enforcement exposures will play out over the next several years, many employers are poised to experience the first bite of these new enforcement exposures over the next few months, when the Internal Revenue Code will require that employers that offered health coverage for employees in 2014 self-assess, report and pay stiff new excise tax penalties of $100 per day per violation when filing their 2014 tax return unless their program complied with all of a long list of ACA or other federal law mandates in addition to otherwise applicable exposures under the Employee Retirement Income Security Act (ERISA) and other laws. See, Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell Decision. Since prompt self-audit and correction can help mitigate these liabilities, business leaders should act quickly to engage experienced legal counsel for their companies for help in evaluating, within the scope of attorney client privilege, the adequacy of their 2014 and 2015 health plan compliance, options for addressing potential exposures from any compliance deficiencies, and for advice and assistance to decide whether to offer health benefits going forward and if so, aid in designing and implementing their future health benefit program to enhance its defensibility. While businesses inevitably will need to involve or coordinate with their accounting, broker, and other vendors involved with the plans, businesses generally will want to get legal advice in a manner that preserves their potential to claim attorney-client privilege to protect against discovery in the event of future enforcement or litigation actions sensitive discussions and analysis about compliance audits, plan design choices, and other risk management and liability planning as well as to get help evaluating potential future plan design changes or proposed solutions to known or suspected liability exposures, particularly in light of complexity of the exposures and risks.

For Legal or Consulting Advice, Legal Representation, Training Or More Information

If you need help responding to these new or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, help updating or defending your workforce or employee benefit policies or practices, or other related assistance, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms.Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her 27 plus year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com, or www.stamerchadwicksoefje.com the member of contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

1 Comment | 105(h), ACA, board of directors, compensation, compliance, corporate governance, directors, Employee Benefits, Excise Tax, Health Care Reform, health insurance, Health Plans, insurers, Internal Controls, Internal Revenue Code, officers, Tax, third party administrators | Tagged: ACA, business, compensaton, compliance, corporate budgets, corporate liability, Employee Benefits, Employer, ERISA, Group Health plans, Health Insurance, Health Plans, Insurance, king, King v. Burwell, Management, Obamacare, officers and directors, Patient Protection & Affordable Care Act, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis

DOL Employer & Employee Benefit Fines Going Up

Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Solutions Law Press HR & Benefits Update