Employee Benefits |

Tell Congress Pass AHCA Today

May 4, 2017

The US House of Representatives is scheduled to vote again tonight on the revised Majority-leadership lead first step healthcare reform legislation seeking to provide Americans and American business with some initial relief from the soaring premium and health care costs, care access barriers and regulatory and other burdens that have resulted under the ObamaCare law and regulations. Every American should call, e-mail or fax the leaders and their Congressperson as soon as possible today and tell them to pass this legislation and get busy passing the next set of reforms with no further delay, the get and stay II formed and involved until it gets it done starting with the House hearing and vote slated tonight starting at 8:30 Eastern. Get details here.

Health care and its reform is a complex challenge. Americans and American businesses, health payers, and States and their healthcare needs are highly diverse. The ambitious but far from successful Obamacare law shows the dangers of well-meaning but unrealistic To try to fix these challenges with a sweeping, one shot fix.

While passage of this legislative package won’t magically fix these challenges, it will provide quick relief for some of the ObamaCare expense and restrictions and expand the choices that Americans, American business, payers, providers and States while Congress works with American to identify and pursue legislative, regulatory, marketplace and other improvements.

Let’s get things going in the right direction!

Comments Off on Tell Congress Pass AHCA Today | 4980D, 4980H, 6039D, ACA, Affordable Care Act, board of directors, Cafeteria Plans, Claims Administration, Consumer Protection, Contraception, Corporate Compliance, directors, EBSA, employee, Employee Benefits, Employer, Employers, Employment, Employment Tax, ERISA, Excepted Benefits, exchange, Excise Tax, Excise Taxes, Fair Labor Standards Act, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HR, Human Resources, Insurance, insurers, Internal Revenue Code, IRC, King V. Burwell, Leadership, Management, Managment, MEWA, Non-Exempt, Obamacare, Overtime, Patient Empowerment, Patient Protection & Affordable Care Act, Patient Protection and Affordabel Care Act, Patient Protection and Affordable Care Act, Pay, Payroll Tax, Physician, Plan Admistrator, Premium Subsidies, preventive care, Provider, Public Policy, Reporting & Disclosure, SBC, Tax, Wellness, Wellness Programs, Worker Classification, Workforce | Tagged: Affordable Care Act, American Health Care Act, Health Plans, health reform, HSA | Permalink
Posted by Cynthia Marcotte Stamer

Latest $2.5M HIPAA Settlement Warning To Health Plans, Providers: Get HIPAA Compliant

April 26, 2017

A new Department of Health and Human Services Office of Civil Rights (OCR) CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement) settling OCR charges of violations of the Privacy and Security Rules of the Health Insurance Portability & Accountability Act against remote cardiac monitoring provider CardioNet provides important lessons for all health plans, health insurers, telemedicine and other healthcare providers, healthcare clearinghouses (Covered Entities) and their business associates about steps to take to reduce their risk of getting hit with big OCR penalty like the $2.5 million settlement payment CardioNet must pay under the Resolution Agreement.

OCR announced the first OCR HIPAA settlement involving a wireless health services provider Monday, April 24. Under the Resolution Agreement, CardioNet agrees to pay OCR $2.5 million and to implement a corrective action plan to settle potential OCR charges it violated the HIPAA Privacy and Security Rules based on the impermissible disclosure of unsecured electronic protected health information (ePHI).

CardioNet Charges & Settlement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On January 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of ePHI 2,219 individuals, respectively.

Likewise, the HIPAA breaches uncovered by OCR in the course of investigating these CardioNet breaches occur in the operations of many other covered entities. According to the OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.

To resolve these OCR charges, CardioNet agrees in the Resolution Agreement to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

Prepare a current, comprehensive and thorough Risk Analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that Risk Analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
Assess whether its existing security measures are sufficient to protect its ePHI and revise its Risk Management Plan, Policies and Procedures, and training materials and implement additional security measures, as needed.
Develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis as required by the Risk Management Plan.
Review and, to the extent necessary, revise, its current Security Rule Policies and Procedures (“Policies and Procedures”) based on the findings of the Risk Analysis and the implementation of the Risk Management Plan to comply with the HIPAA Security Rule.
Provide certification to OCR that all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used (“Certification”).
Review, revise its HIPAA Security training to include a focus on security, encryption, and handling of mobile devices and out-of-office transmissions and other policies and practices require to address the issues identified in the Risk Assessment and otherwise comply with the Risk Management Plan and HIPAA train its workforce on these policies and practices.
Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications For Covered Entities & Business Associates

The latest in a rapidly-growing list of high dollar HIPAA enforcement actions by OCR, the CardioNet Resolution Agreement contains numerous lessons for other Covered entities and their business associates about the importance of appropriate HIPAA privacy and security compliance, including but not limited to the following:

Like many previous resolution agreements announced by OCR, the Resolution Agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process, OCR expects all laptop computers and other mobile devices containing or with access to ePHI be properly encrypted and secured.
It also reminds covered entities and their business associates to be prepared for, and expect an audit from OCR when OCR receives a report that their organization experienced a large breach of unsecured ePHI.
The Resolution Agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects OCR expects covered entities to actually final policies, procedures and training in place for maintaining compliance with HIPAA.
The discussion and requirements in the Corrective Action Plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of their ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
The requirement in the Resolution Agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
Finally, the $2.5 million settlement payment required by the Resolution Agreement and its implementation against CardioNet makes clear that OCR remains serious about HIPAA enforcement.

Clearly, covered entities, business associates and their management should take steps to promptly review the adequacy of their organizations’ HIPAA compliance policies, practices and documentation in light of the deficiencies listed in the CardioNet and other HIPAA OCR settlements and civil monetary penalty assessments. See e.g., Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements; $400K HIPAA Penalty Teaches Risk Assessment Importance; $3.2 Children’s HIPAA CMP Teaches Key Lessons.

Of course, covered entities and business associates need to keep in mind that acts, omissions and events that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporates Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.

Beyond, and regardless of if, a covered entity or business ultimately succeeds in defending its actions against a charge of violating any of these or other standards, however, covered entities, business associates and their leaders should keep in mind that the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation, admission also typically are the most inevitable:

The intangible, but critical loss of trust and reputation covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation, or charge.

In light of these risks, covered entities business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and strengthen as necessary their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced in a well-documented manner. The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breech or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other data security, privacy and breach laws. Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other “nonpar,” insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Comments Off on Latest $2.5M HIPAA Settlement Warning To Health Plans, Providers: Get HIPAA Compliant | ARRA, Attorney-Client Privilege, board of directors, Brokers, Civil Monetary Penalties, Civil Rights, compliance, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, directors, Electronic Medical Record, Employee Benefits, Employer, fiduciary duty, Fiduciary Responsibility, FINRA, GINA, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Physician, Plan Admistrator, Privacy, Professional Liability, Protected Health Information, Provider, Risk Management, Technology, Telecommuting, Uncategorized | Tagged: Breach, Breach Notification, Business Associate, Covered Entity, Health Insurance, Health Plan, HIPAA, HIPAA Privacy, HIPAA Security, Medical Privacy, OCR, Office of Civil Rights, REmote Care, Technology, Telemedicine | Permalink
Posted by Cynthia Marcotte Stamer

Employers Review Health Plans Now To Avoid Excise Taxes & Other Current Law Plan Risks & Ready For Health Reform

April 25, 2017

While Congress and the Trump Administration continue to ponder and debate what if anything to do with the health care reforms of the Patient Protection and Affordable Care Act (ACA), employer and other health plan sponsors, health plan insurers, plan fiduciaries and others responsible for health plan design, administration or funding must take steps to verify their past and continuing compliance with the ACA and other federal mandates while laying the groundwork to respond quickly to any eventual reforms.

Regardless of what, if anything, the existing Congress or the Trump Administration does to repeal or reform the ACA or other federal health plan rules, all health plan sponsors, insurers, fiduciaries and administrators should act to mitigate their substantial and ever-growing health plan exposures by arranging for an independent compliance audit of their health plan terms, materials and operations for potential uncorrected past or current violations of the 40 federal mandates covered by the Form 8928 reporting and associated Internal Revenue Code excise tax liability exposure, as well as other applicable plan liabilities under the Employee Retirement Income Security Act (ERISA), the Social Security Act, the Internal Revenue Code and other federal laws within open statute of limitation periods.

The cost, complexity and riskiness of health plan sponsorship and administration has grown exponentially over the past two decades. Thanks to the ACA and the continuous stream of other federal laws and regulations implemented over the past 20 years, sponsoring employers, as well as their health plans and those responsible as fiduciaries for administering, funding and insuring these programs now face huge costs, responsibilities and liabilities. While the ACA substantially expanded the federal health plan mandates and liabilities, the ACA is not the lone cause and its amendment or repeal alone won’t fully resolve these risks prospectively or retrospectively insulate sponsoring employers, their plans or their fiduciaries and insurers from the liabilities and costs of compliance issues occurring before Congress repeals or amends the ACA.

Of particular note for employer and other sponsors of group health plans are the self-reporting and excise tax self-assessment and payment requirements for employers coupled with the companion responsibilities and liabilities fiduciaries, plan administrators and others face under these federal mandates make it important that employers and others sponsoring group health plans and their management or other leaders overseeing or participating in plan design or vendor selection, plan administration or other plan related activities get advice and help from qualified legal counsel experienced in health plan matters:

To conduct an independent compliance review and risk assessment of their health plans,
To recommend and assist in the performance of recommended steps to correct or mitigate risks from any potential past or existing violations or other exposures that have arisen or are likely to arise from existing contractual, plan design or other health plan actions;
To explore the potential advisability of taking additional steps to prevent or mitigate health plan associated compliance or other risks going forward whether or not health reform happens; and
To begin preparing to take advantage of any impending health care reforms by evaluating the requirements and procedures that existing plan terms, contracts, vendors and arrangements are likely to require to implement changes necessary to respond to any reforms as quickly and efficiently as possible.

Spring Clean Your Health Plan House

Since any reforms eventually enacted are unlikely to retroactively eliminate liability of employers, their health plans or fiduciaries for violations of federal health plan mandates, health plan terms, or associated contracts occurring before the effective date of reform, employer and other health plan sponsors, fiduciaries, insurers and administrators should begin by identifying, cleaning up any existing, unresolved, and preventing any new health plan compliance problems.

While overall compliance with applicable federal mandates and health terms generally should be the goal, employers or others sponsoring group health plans need to be particularly concerned with their responsibilities and potential liability under the Internal Revenue Code to self-identify, report and pay stiff excise tax penalties of $100 per day per violation of any of 40 federal health plan mandates imposed by the ACA and various other federal laws when the sponsor files its annual tax return.

This employer or other plan sponsor excise tax liability generally arises in addition to the liabilities that plans, their fiduciaries and their insures face for failing to administer and pay benefits under the plans in accordance with the listed 40 federal mandates, whether actually written into or imputed by operation of law into the plan, the costs of which sponsoring employers often will bear responsibility for funding in whole or in part pursuant to their contractual liabilities under the health plan contracts, as plan fiduciaries or both. See, Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell　Decision;　 More Work For Employers, Benefit Plans Following SCOTUS Same-Sex Marriage　Ruling; 2016 & 2017 Health Plan Budgets, Workplans Should Anticipate Expected Changes To　SBCs.

Sponsors and plan fiduciaries also need to be concerned about other risks beyond sponsoring employers’ excise tax liability exposures for sponsoring a non-compliant group health plan. Among other things, group health plans and their fiduciaries can face audits, litigation and enforcement actions by the Centers for Medicare & Medicaid Services and other health plans for improperly coordinating plan claims with other coverage as well as lawsuits from covered persons, their health care providers or other beneficiaries, the Department of Labor and CMS, or others seeking to enforce rights to benefits, penalties in the case of CMS or the Department of Labor, and attorneys’ fees and other costs of enforcement. Beyond benefit litigation, the employer or representatives of the sponsoring employer, if any, named or acting as fiduciaries, insurer or third-party service providers named or acting as fiduciaries, also could face fiduciary lawsuits seeking damages, equitable relief, and attorneys’ fees and costs of court, for failing to prudently administer the plan in accordance with its terms and the law brought by covered persons or their beneficiaries or the DOL as well as fiduciary breach penalties if the fiduciary breach action is brought by the DOL. If the plan fails to comply with claims and appeals procedures or other ERISA notification requirements, parties named or functioning as the plan administrator for this purpose also could face penalties of up to $125 per violation per day in the case of enforcement actions brought by participants and beneficiaries or $1025 per violation per day in the case of actions brought by the DOL, plus attorneys’ fees and other costs of enforcement. Unless the employer previously took steps to draft its health plan documents and negotiate its vendor contracts to provide otherwise, most vendor provided plans typically assign these liabilities to the sponsoring employer or a member of its management by naming that employer or the management person the “plan administrator” and/or “named fiduciary” responsible for those activities and liabilities, requiring the plan sponsor to indemnify the vendor for costs and liabilities arising from the performance of actions under the plan even when those actions don’t comply with ERISA fiduciary or other legal standards applicable to the performance of those duties under the plan, or both, and other contractual or plan provisions that shift liabilities and costs to the plan sponsor.

To mitigate their exposure to these liabilities and costs, employer or other health plan sponsors should consider arranging for an independent legal compliance and risk assessment of their health plan, its terms, materials and operations to help mitigate the sponsoring employer’s exposure to self-identify, self-report on IRS Form 2848 and pay the $100 per day per violation excise tax liability now generally required under the Internal Revenue Code for any such violation.

Beyond mitigating a plan sponsor’s Form 8928 reporting and associated excise tax exposures, an independent compliance audit also can mitigate other risks and exposures for the sponsoring employer, the plan and its fiduciaries, the cost of which the sponsoring employer often bears financial responsibility for funding pursuant to the contractual indemnification and funding obligations entered into in connection with the establishment and maintenance of the plan, the fiduciary role, if any, of the employer with respect to the plan, or both. Accordingly, a timely and appropriate review is likely to help mitigate other risks and liabilities such as:

Fiduciary liability that can arising from failing to administer the plan in accordance with these and other federal health plan mandates under ERISA;
Unanticipated benefit costs and liabilities, which for self-insured plans are likely to be particularly burdensome if compliance issues are not identified and corrected before applicable deadlines to pay and submit claims to the stop-loss or other insurer expire (usually at or shortly after the close of a plan year or if earlier, contract termination);
Benefit costs and penalties for wrongful coordination of benefits with Medicare, Medicaid, DOD and certain other plans or coverage in violation of Secondary Payer and other mandates; and
Costs of defending and settling audits, litigation and other government or participant enforcement actions.

Since prompt self-audit and correction can help mitigate all of these liabilities, business leaders of employers sponsoring health plans should act promptly to engage experienced legal counsel experienced with health plan laws and operations to advise the plan sponsor about how to audit their group health plan’s plan documents, materials and operations for compliance with these and other federal health plan rules within the scope of attorney-client privilege while managing tax, financial, benefit and fiduciary liability exposures to deal with potential compliance concerns that the review might discover as well as mitigate risks that could result if the audit is improperly structured or conducted.

Prepare To Respond To Potential Health Reform & Other Health Plan Improvement

Beyond identifying and addressing existing compliance concerns and other risks associated with prior or existing plan design or administration, most employer and other sponsors also will want to review the health plan document and materials and associated insurance, third-party administration and other health plan vendor contracts pursuant to which the health plan is established, maintained and administered to identify requirements and opportunities to respond quickly to make changes when and if health care reform happens as well as for other opportunities to mitigate existing risks and costs.

As most commentators expect some type of regulatory or statutory health plan relief to result from the current health care reform debates in Congress, employer and other health plan sponsors desiring to accelerate their ability to take advantage of any forthcoming relief should familiarize themselves with the procedures required under existing plan terms, contracts and rules to modify their programs in response to these changes. Almost certainly, plan sponsors should anticipate needing to adopt some amendments to plan documents, summary plan descriptions and other materials to take advantage of any legislative or statutory relief. Plan sponsors also need to keep in mind that their vendor contracts with administrators, group, stop-loss or captive insurers, and other vendors likely also will require the plan sponsor to notify and negotiate with its vendors to secure their agreement before adopting these changes to avoid violating those vendor agreements and prudently to arrange for appropriate implementation and administration of the modified plan design and terms. Identification of the contractual and plan requirements and commencement of discussions with the relevant vendors can help expedite the planning and implementation of any desired plan modifications the plan sponsor elects to make in response to any statutory or regulatory reforms.

While preparing for anticipated health care reforms, most plan sponsors also will want to review their plans and vendor contracts for other potential opportunities to mitigate risks or expenses. With respect to existing and future liability mitigation, each plan sponsor generally should carefully assess the allocation of fiduciary responsibility and liability between the sponsoring employer, members of its management or other workforce team, and vendors to identify potential areas where the contract may assign named or other plan administrator or other fiduciary status and liability to the plan sponsor or a member of its workforce for duties outsourced to a vendor. Sponsoring employers or their management may want to initiate negotiations with the vendor to reallocate the fiduciary role and responsibility to the party responsible for performance of the specific duties, enhancement of performance guarantees, indemnifications and insurance coverage for proper performance of the outsourced duties by the vendor in accordance with the plan terms, including any mandates imposed by the ACA and other federal laws in form and operation, and other safeguards or, if the vendor is unwilling to consider these changes, begin searching for a replacement vendor willing to provide better accountability for its actions with respect to the services it is hired to perform.

Except in rare circumstances where the sponsoring employer has carefully contracted to transfer fiduciary liability to its insurer or administrator and otherwise does not exercise or have a fiduciary obligation to exercise discretion or control over these responsibilities, employers sponsoring group health plans that violate federal mandates like the out-of-pocket limit often ultimately bear some or all of these liabilities even if the violation actually was committed by a plan vendor hired to administer the program either because the plan documents name the employer as the “named fiduciary” or “plan administrator” under ERISA, the employer or a member of its management named in the plan generally bears fiduciary responsibility functionally for selection or oversight of the culpable party, the employer signed a contract, resolution or plan document obligating the employer to indemnify the service provider for the liability, or a combination of these reasons.

Since prompt self-audit and correction can help mitigate all of these liabilities as well as help to preserve access to stop-loss or other reinsurance coverage, if any, applicable to help pay for some or all of any additional benefit liabilities resulting from these benefit mandates, business leaders of companies offering group health plan coverage should act quickly to engage experienced legal counsel for their companies for advice about how to audit their group health plan’s compliance with these and other federal health plan rules within the scope of attorney-client privilege while managing tax, financial, benefit and fiduciary liability exposures to deal with potential compliance concerns that the review might discover as well as mitigate risks that could result if the audit is improperly structured or conducted.

While businesses inevitably will need to involve or coordinate with their accounting, broker, and other vendors involved with the plans, businesses generally will want to get legal advice in a manner that preserves their potential to claim attorney-client privilege to protect against discovery in the event of future enforcement or litigation actions sensitive discussions and analysis　about compliance audits, plan design choices, and other risk management and liability planning as well as to get help identifying potential plan design, contracting, procedural or other changes that may be needed to fix compliance deficiencies and mitigate other risks, particularly in light of complexity of the exposures and risks.

About The Author

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health and othre employee benefit, financial services, health care and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

Throughout her career, she has helped a diverse array of clients manage, administer and defend employee and other workforce, vendors and suppliers, their recruitment, selection, performance management, contracting, investigation, discipline and termination; health and other employee benefits; compensation; safety; governance; compliance and internal controls; strategic planning, process and quality improvement; change management; trade secret and other privacy, data security and data breach;; crisis preparedness and response; internal, government and third-party reporting relations, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked extensively throughout her career with employers, health and other employee benefit plans, insurers, managed care organizations, health care clearinghouses, health care providers, their business associates, employers, banks and other financial institutions, management services organizations, professional and trade associations, accreditation agencies, auditors, technology and other vendors and service providers, and others on benefit and insurance program legal and operational compliance, risk management, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending plan sponsors, fiduciaries, service providers, managed care organizations, insurers, self-insured health plans and other payers. Her experience includes both leading edge work designing and administering programs, as well as defending clients in connection with audits and enforcement actions by OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC, OSHA, Department of Insurance, Department of Justice and state attorneys’ general and other federal and state agencies; accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

A lead policy advisor to the Government of Bolivia on its pension privitization project and involved in U.S. federal and state as well as cross border workforce, pension, health care, Social Security, immigration, and tax regulatory and statutory reform throughout her adult life, Ms. Stamer also is widely sought out for her thoughtleadership and assistance with domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Comments Off on Employers Review Health Plans Now To Avoid Excise Taxes & Other Current Law Plan Risks & Ready For Health Reform | 4980D, 4980H, 6039D, ACA, board of directors, Brokers, Cafeteria Plans, church plan, Civil Monetary Penalties, Civil Rights, Claims Administration, compliance, Corporate Compliance, corporate governance, directors, employee, Employee Benefits, Employer, Employment, ERISA, Fair Labor Standards Act, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, health reform, HR, Human Resources, Insurance, insurers, Internal Controls, IRC, Management, Mental Health, Mental Health Parity, Obamacare, Patient Empowerment, Patient Protection & Affordable Care Act, Premium Subsidies, preventive care, Reporting & Disclosure, SBC, Uncategorized, Wellness Programs | Tagged: Americas Health Care Act, Employee Benefits, Employer, Health Benefits, Health Care Reform, Health Plans, Obamacare, Trump Care | Permalink
Posted by Cynthia Marcotte Stamer

Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements

April 24, 2017

Health plans, their fiduciaries and sponsors, health insurers, health care providers, health care clearinghouses (“covered entities”) and their business associates must get and keep your business associate (BA) agreements (BAAs) in place, up-to-date, and readily available for inspection in accordance with the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164 (Privacy Rule). That’s the clear message to covered entities and their business associates in the April 17, 2017 HIPAA Resolution Agreement just announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) with the Center for Children’s Digestive Health (CCDH).

While the Resolution Agreement relates to breaches of the BAA requirements of a small pediatric practice, all health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA record keeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions. See e.g., HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). Consequently, all covered entities and business associates generally should treat the CCDH Resolution Agreement as a message to review and correct as necessary their organizations’ compliance and recordkeeping to minimize their exposure to potential sanctions from violations of the HIPAA business associate rules.

The HIPAA Business Associate Agreement Requirements

OCR’s announcement of the CCDH Resolution Agreement is the latest in a growing series of HIPAA enforcement actions showing the growing risk covered entities and their business associates face for failing to take appropriate steps to comply with the BAA and other Privacy Rule requirements of HIPAA.

As compliance audits and surveys of covered entities and business associates suggest a high level of noncompliance with the business associate agreement requirements among covered entities and business associates, While the ever-growing list of Resolution Agreements and Civil Monetary Penalties announced by OCR cover a variety of categories of HIPAA violations, the CCDH Resolution Agreement highlights the importance of covered entities and their business associates ensuring that before the BA creates, accesses, receives, discloses, retains or destroys any PHI for the covered entity, a BAA meeting the Privacy Rule requirements is signed and retained for at least the six-year period the Privacy Rule requires in a manner easily producible when and if OCR or another agency asks for a copy as part of an investigation or other compliance audit. See Privacy Rule §§ 164.502(e), 164.504(e), 164.532(d) and (e).

The Privacy Rule requires that covered entities and business associates enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Meanwhile, the Privacy Rule recordkeeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years.

Violations of the Privacy Rule can carry stiff civil or even criminal penalties Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Under Section 1177, the criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

In contrast, as amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

While criminal enforcement of HIPAA remains relatively rare, a review of the OCR enforcement record in recent years makes clear that civil enforcement of HIPAA and the sanctions imposed is growing. See e.g., $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit. For more examples, also see here.

CCDH Sanctions For Violation Of HIPAA Business Associate Agreement Rules

The CCDH Resolution Agreement arises from violations of this requirement that OCR says it discovered as a result of a compliance review conducted in response to an OCR investigation of a CCDH business associate, FileFax, Inc. According to OCR, OCR found from the compliance review of CCDH triggered by OCR’s investigation of FileFax that while CCDH began disclosing PHI to Filefax in 2003 and that Filefax stored records containing protected health information (PHI) for CCDH, neither CCDH nor Filefax could produce a signed Business Associate Agreement (BAA) covering their relationship for any period before October 12, 2015.

Based on the resulting investigation, OCR concluded:

CCDH failed to obtain a BAA providing written assurances from Filefax that it would appropriately safeguard the PHI in Filefax’s possession or control satisfactory assurances as required by Privacy Rule §164.502(e); and
Because CCDH failed to secure the required BAA, it violated the Privacy Rule by impermissibly disclosing the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining the requisite BAA from Filefax (Covered Conduct).

In the Resolution Agreement, CCDH agrees to pay HHS $31,000.00 (Resolution Amount) and enter into and comply with a Corrective Action Plan (CAP) in return for OCR’s release of CCDH from liability for “any actions it may have against CCDH under the HIPAA Rules” for the Covered Conduct. The Resolution Agreement only settles the civil monetary penalty and other OCR enforcement liabilities of CCDH with respect to the Covered Conduct. Its provisions expressly state the Resolution Agreement does not affect any exposures of CCDH to CCDH to OCR civil monetary penalties or other enforcement for any HIPAA violations other than the Covered Conduct.

Perhaps even more noteworthy given the HITECH Act’s provisions coordinating the civil and criminal sanctions of HIPAA, while the Resolution Agreement provides no clear indication that the Justice Department might be considering criminally prosecuting CCDH or any other party in relation to the Covered Conduct, the Resolution Agreement also expressly states that its provisions do not affect CCDH’s potential exposure, if any, to criminal prosecution by the Justice Department for a criminal violation of the Privacy Rules under Section 1177 of the Social Security Act.

Implications For Covered Entities & Business Associates

Covered entities and their business associates should heed the CCDH Resolution Agreement as a strong message from OCR to ensure their organizations are complying with HIPAA’s BAA and other requirements. The Resolution Agreement makes clear that the starting point of this compliance effort must be obtaining and maintaining the requisite BAAs for each BA relationship.

To position their organizations to withstand potential investigation by OCR, covered entities and BAs should start by conducting a well-documented audit within the scope of attorney-client privilege both to verify that an appropriate, signed BAA is in place for each BA relationship as well as adequacy of processes for identifying business associate relationships, ensuring that signed BAAs are in effect before BAs access any PHI, and for investigating, reporting and resolving any breaches of the HIPAA Privacy or Security Rules that may arise in the course of operations.

Conducting this audit as soon as possible is particularly important in light of reported findings of widespread compliance concerns. See HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). As the audit process could identify potential violations or other legally sensitive concerns, covered entities and business associates generally will want to arrange for this audit and evaluation to be conducted under the supervision of legal counsel experienced with HIPAA within or pursuant to processes structured with the assistance of legal counsel within the scope of attorney-client privilege.

Beyond confirming all necessary BAAs are in place, covered entities and business associates also generally will want to evaluate the adequacy of BAs’ processes and procedures for maintaining compliance with the Privacy and Security Rules as well as processes and procedures for responding to audits, investigations and complaints, reporting and addressing breaches of electronic and other PHI and other possible compliance concerns under HIPAA and other related laws. In many instances, parties may n wish to revise and strengthen existing BAAs to more specifically define these policies and procedures more specifically as well as indemnification, cyber or other liability coverage requirements and other contractual provisions for allocating potential costs and liabilities arising from breaches, audits, investigations and other expenses associated with the administration of these provisions.

About The Author

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar, insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Comments Off on Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements | ARRA, Attorney-Client Privilege, Cafeteria Plans, church plan, Civil Monetary Penalties, Civil Rights, Claims, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, employee, Employee Benefits, Employer, Employers, Employment, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Patient Empowerment, Physician, Plan Admistrator, Privacy, Professional Liability, Protected Health Information, Provider, Risk Management, Uncategorized | Tagged: Business Associate, Health Care, Health Insurer, Health Plans, HIPAA, HIPAA OCR, HIPAA Privacy, HITECH, Insurer, Technology, tpa | Permalink
Posted by Cynthia Marcotte Stamer

$400K HIPAA Penalty Teaches Risk Assessment Importance

April 12, 2017

Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), must pay $400,000 and implement a corrective action plan to resolve U.S. Department of Health and Human Services, Office for Civil Rights (OCR) charges it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement a security management process to safeguard electronic protected health information (ePHI). The latest in a growing series of high-dollar HIPAA settlements and penalty assessments, it reminds health plans and other HIPAA-covered entities of the importance of conducting risk assessments and other actions to prevent and prepare to respond to hacking and other data breach and security events.

The Resolution Agreement and Corrective Action Plan, like most others before it, resulted from an investigation opened in response to a breach report. On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident. However, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012 – well after the hacking incident reported in the breach report.Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.

When MCPN finally conducted a risk analysis, OCR found that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

OCR made a point in announcing the Resolution Agreement of noting it considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. It is likely that OCR would have imposed a much greater settlement amount had the covered entity not been a FQHC serving the poor.

About The Author

Throughout her career, she has helped health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training ;board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Comments Off on $400K HIPAA Penalty Teaches Risk Assessment Importance | board of directors, Civil Monetary Penalties, compliance, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, Employee Benefits, Employer, Employers, health benefit, Health Benefits, health Care, health insurance, health plan, Health Plans, HIPAA, HIPAA, HR, Human Resources, Identity Theft, Uncategorized | Tagged: Data Security, HIPAA, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Periodically Reevaluate Employee Business Expense Reimbursement Practices

April 5, 2017

Employers looking for cost-effective opportunities to sweeten the perceived value their compensation and fringe benefit packages periodically should re-examine their policies for reimbursement of employees for ordinary and necessary business expenses an employee incurs in connection with the performance of his duties, such as:

Required work clothes or uniforms not appropriate for everyday use.
Supplies and tools for use on the job.
Business use of a car.
Business meals and entertainment.
Business travel away from home.
Business use of a home.
Work-related education.

Businesses generally consider a wide range of factors when deciding what expenses to reimburse to employees. In arriving at these decisions, however, many businesses overlook the opportunity to stretch the overall compensation dollars by reimbursing employees for business expenses in lieu of paying cash compensation to the employee but requiring the employee to use after tax dollars to pay business expenses not reimbursed by the employer.

While many employers believe “cash is king” when paying employees, paying employees more cash in lieu of reimbursing employees for business often increases the employment tax liability of the employer while also unwittingly diminishing the value of the cash compensation paid to the employee because of federal tax rules governing individual deductions a business expenses.

While the Internal Revenue Code and associated Internal Revenue Service regulations impose special rules for certain categories of employment, federal tax law generally allows businesses both:

To deduct from the gross income of the business for purposes of determining its adjusted gross income those amounts the business pays as wages as well as amounts paid to reimburse an employee for ordinary and necessary business expenses expended by the employee in the performance of his duties and to exclude such amounts for calculating the employment tax liabilities of both the employer and the employee; and
In many, but not all instances, to exclude all or some of the reimbursement amount from the taxable wages of the employee for income tax and/or employment tax purposes.

The income and employment tax treatment of business expenses paid by an employee generally is much less favorable when an employee seeks to deduct or exclude xpenditures made for ordinary and necessary business expenses from taxable income.

While federal income tax rules generally allow businesses to deduct ordinary and business expenses directly from gross income to arrive at their taxable adjusted gross income, federal tax rules are more restrictive concerning the deduction of business expenses by employees for income tax purposes and provides no easy mechanism to claim credit for such amounts for employment tax purposes.

In general, the Internal Revenue Code generally only allows employees who otherwise have sufficient deductible expenses to itemize deductions to claim any business expenses as a deduction when calculating their federal income taxes. Depending on the income of the workforce and particularly in the case of lower income workers, the itemization requirement effectively bars a large percentage of employees from any possibility of deducting business expenses incurred in the performance of their work.

Beyond the requirement to itemize, the Internal Revenue Code also imposes a second hurdle that further restricts the deductibility of business expenses when claimed by an employee versus a business. Specifically, the Internal Revenue Code generally only allows an employee to deduct business expenses paid by the employee to the extent those expenses exceed 2% of the employee’ adjusted gross income. This means that even those employees who qualify to file itemize deductions cannot deduct the initial 2% of the ordinary and necessary business expenses the employee pays and connection of the performance of his job even though the Internal Revenue Code would allow the employer to deduct the full amount of amounts paid to reimburse the employee for those same expenses.

Since most employees understand that the purchasing power of any cash compensation they receive from the employer is reduced by the amount of any expenses that they pay but are not reimbursed for, considering reimbursing employees for expenses in lieu of paying the employee cash, then requiring the employee to pay those expenses out of taxable income.

Of course, when considering whether to pay or reimburse employee expenses, employers also should evaluate and verify that their planned treatment of an expenditure and its reimbursement otherwise complies with any union or other contracts, as well as any applicable federal and state occupational safety, wage and hour and other laws.

Regardless of whether the employer or the employee plans to claim a business expense for tax purposes, an employer should encourage its employees to keep, and if reimbursing the employee, submit good records for proof of income and expenses. Employers reimbursing business expenses may wish to educate employees about both the tax and financial value of these reimbursement benefits as a part of the overall compensation package provided to employees. Even where an employer does not reimburse its employees all or part of an otherwise deductible business expense, however, it also may want to share Internal Revenue Service resources like “IRS Publication 529, Miscellaneous Deductions,” and “Publication 463, Travel, Entertainment, Gift and Car Expenses” with employees to help educate employees about these tax rules and their opportunities and responsibilities.

About The Author

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on Periodically Reevaluate Employee Business Expense Reimbursement Practices | employee, Employee Benefits, Employment, Employment Discrimination, Employment Tax, HR, Human Resources, Income Tax, IRC, Tax, Unemployment Benefits, Unemployment Insurance | Tagged: benefits, Compensation, Employee, Employer, Employment Tax, expense reimbursement, Fringe Benefits, Income Tax | Permalink
Posted by Cynthia Marcotte Stamer

Employers, Benefit Plans & Exempt Org: Prepare For Shortened Deadlines & Other Changes To IRS Employee Plan & Exempt Organization Exam Documentation Request Procedures

March 1, 2017

Heads up tax-exempt and governmental entities, employer and other qualified employee benefit plan sponsor, fiduciaries, administrators, and recordkeepers and their management, accountants, attorneys, and other service providers and advisors. Changes to the procedures that Internal Revenue Service (IRS) Tax Exempt and Government Entities TE/GE examiners use to make and enforce Information Document Request (IDR) in connection with an audit or other examination make it more important than ever that taxpayers use special care to collect, organize and maintain all of the data and documentation that examiners are likely to request in IDR and take other steps to prepare in advance to respond to an IDR.

New procedures announced in the February 27, 2017 Memorandum For All TE/GE Examiners On New Process For All Information Document Requests and scheduled to take effect April 1 seek to expedite the examination process and reduce backlogs. To accomplish this, the new procedures impose specific, tightened timelines for responding to IDRs and IRS follow and enforcement of data and document productions demanded by an IDR. As part of these changes, the new procedures shorten the time that the examiners will issue early subpoena warnings and subpoenas to compel taxpayers to produce requested data.

Taxpayers unable to respond in a timely fashion risk of both triggering these perilous enforcement procedures and an enhanced risk that IRS examiners will view the delay as an indication that the taxpayer may not be using the internal controls and processes expected by the IRS rules. Accordingly, taxpayers should seek advise from experienced legal counsel about the policies, practices, data and information they might be expected to need to respond to a IDR or other government investigation, recommendations for conducting their operations to promote their ability to efficiently assemble and produce the necessary data, records and other information to respond to a IDR or other investigation, audit or enforcement action, and other appropriate steps to position their organizations timely to recognize and produce the often substantial data generally demanded by an IRD and minimize risks of liability likely to arise from an IRS examination or other governmental or private investigation or action.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 28 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other employee benefit, insurance, technology and other highly regulated organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps these and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s includes nearly 30 years’ of work with a diverse range of health industry clients on an extensive range of matters.

Ms. Stamer has worked closely with health industry, managed care and insurance, employee benefit, financial services, technology, restructuring, retail, hospitality, manufacturing, consulting, sales, energy, import-export, staffing and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of staffing, human resources and workforce performance management, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others, and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Best known for her thoughleadership and experience on health benefit and other health and insurance industy matters, Ms. Stamer has worked throughout her career health care, health benefit and insurance and health information technology, data and related process and systems development, policy and operations design, management, product development, innovation, administration, public policy, regulatory compliance, enforcement, contracting, privacy and data security and related matter. Ms. Stamer continuously advises health and insurance industry clients about licensing, regulatory compliance and internal controls, workforce, agent and broker and medical staff performance, claims and reimbursement, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer also is widely recognized for her extensive work and leadership on HIPAA, FACTA, PCI, IRC and other tax, Social Security, GLB, rade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns including policy design, drafting, administration and training; business associate and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others. Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks, insurers and other financial institutions, and others on trade secret confidentiality, privacy, data security and other risk management and compliance including the design, establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR, FTC and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.

Her clients include public and private health care providers, health insurers, health plans, employers, payroll, staffing, recruitment, insurance and financial services, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others. Ms. Stamer also has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use published by BNA, the ABA and other premier legal industy publishers.

Ms. Stamer also has extensive experience with a diverse array of other human resources and other staffing, services, outsourcing and other workforce, qualified and nonqualified employee benefit, compensation, and related matters, their design, documentation, administration, modification, enforcement and defense and other related operational, compliance and risk management. Her experience includes advising andassisting employer and other plan sponsors, fiduciaries, administrators, vendors and others with and program design, documentation and ongoing administration administration for compliance and defensibility under IRS and other federal and state tax, OFCCP, CAS, SCA, Davis Bacon, SEC and other corporate, ERISA and other federal and state labor and employment, SEC and other corporate, Department of Insurance and other laws and regulations; advising and assisting buyers, sellers, investors, debtors, creditors, trustees, plan fiduciaries and service providers and others in relation to business transactions, restructurings, bankruptcies and other substantial corporate and business events and transactions including significant work involving amendment, termination, windup and restructuring of employee benefit plans and workforce concerns in highly publicized fiduciary, securities or other misconduct investigation and enforcement, bankruptcy, restructuring or other distress situations.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy and governmental and regulatory affairs experience, Ms. Stamer also is widely recognized for regulatory and policy work, advocacy and outreach on healthcare, education, aging, disability, savings and retirement, workforce, ethics, and other policies. Throughout her adult life and career, Ms. Stamer has provided thought leadership; policy and program design, statutory and regulatory development design and analysis; drafted legislation, proposed regulations and other guidance, position statements and briefs, comments and other critical policy documents; advised, assisted and represented health care providers, health plans and insurers, employers, professional. and trade associations, community and government leaders and others on health care, health, pension and retirement, workers’ compensation, Social Security and other benefit, insurance and financial services, tax, workforce, aging and disability, immigration, privacy and data security and a host of other international and domestic federal, state and local public policy and regulatory reforms through her involvement and participation in numerous client engagements, founder and Executive Director of the Coalition for Responsible Health Policy and its PROJECT COPE: the Coalition on Patient Empowerment, adviser to the National Physicians Congress for Healthcare Policy, leadership involvement with the US-Mexico Chamber of Commerce, the Texas Association of Business, the ABA JCEB, Health Law, RPTE, Tax, Labor, TIPS, International Life Sciences, and other Sections and Committees, SHRM Governmental Affairs Committee and a host of other involvements and activities.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. In addition to her many years of service as a scrivener for the ABA JCEB’s meeting with OCR, for instance, she also serves as Chair the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.Ms. Stamer also shares her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Comments Off on Employers, Benefit Plans & Exempt Org: Prepare For Shortened Deadlines & Other Changes To IRS Employee Plan & Exempt Organization Exam Documentation Request Procedures | 401(k), Attorney-Client Privilege, board of directors, church plan, compensation, compliance, Corporate Compliance, corporate governance, Defined Benefit Plans, defined contribution plan, Defined Contribution Plans, directors, Discrimination, Employee Benefits, Employer, Employers, Employment Tax, ERISA, Executive Compensation, Fiduciary Responsibility, Form 5500, HR, Human Resources, Internal Revenue Code, IRC, Pay, pension plan, Plan Admistrator, Retirements, Tax, Tax Qualification, third party administrators, Workforce | Tagged: 401(k), 457 plan, Employee Benefits, Exempt Organizations, IRS, retirement plan, tax exempt, tax qualification, TEGE | Permalink
Posted by Cynthia Marcotte Stamer

ACA-ERISA Lawsuit Risks Likely To Continue Until Congress Acts Despite Trump Executive Order For Agencies To Issue Relief

January 23, 2017

Employer and other health plan sponsors, fiduciaries and insurers generally should be prepared to prove that they are maintaining and administering their health plans to comply with many Patient Protection and Affordable Care Act (ACA) mandates pending Congressional repeal or reform of the ACA, despite President Trump’s January 20, 2017 Executive Order on “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal” (Executive Order) because the Federal agencies responsible for the implementation and interpretation of the ACA generally don’t have authority to bar health plan participants and beneficiaries from bringing benefit denial or breach of fiduciary duty lawsuits against health plans or fiduciaries for violating ACA mandates incorporated into the Employee Retirement Income Security Act (ERISA).

In addition to affirming President Trump’s commitment to seek the prompt repeal of the ACA, the Executive Order seeks to mitigate the burden of the ACA pending Congressional repeal by ordering the Departments Health and Human Services (HHS), Labor (DOL), Treasury (Treasury) and other agencies with ACA authority (Agencies) to exercise all available authority and discretion to the “maximum extent permitted by law:”

To waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the ACA that would impose a “cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”
To provide greater flexibility to States and cooperate with them in implementing healthcare programs and to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State;
For departments and agencies with responsibilities relating to healthcare or health insurance to encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.

While applicable Agencies are expected to act as quickly as possible to comply with President Trump’s orders, various statutory and procedural requirements almost certainly will limit both the relief granted and the speed with which the Agencies can grant the relief. One obvious place where statutory limitations on Agencies authority almost certainly will impact the availability of relief arises from the ACA’s incorporation of many of its patient protection act group mandates into ERISA. While the Agencies may possess the authority to lessen the burden of compliance with the regulatory mandates of the ACA by revising regulations, issuing enforcement relief or other certain other actions, these powers do not extend to blocking the authority of participants and beneficiaries to bring suit to enforce the provision of the ACA that the ACA added to ERISA through private benefit denial or breach of fiduciary duty lawsuits brought under ERISA.

In the case of insured health plans, sponsors, insurers and administrators also will need to consider whether their ability to take advantage of the federal relieve available is blocked or restricted by state insurance statutes, regulations or other administrative requirements. The likelihood of state statutory or regulatory restrictions on insured arrangements is particularly likely because of the heavy regulation of these products by states including the widespread incorporation of ACA mandates into state insurance laws and regulations in response to the Market Reform provisions of the ACA.

Even if these federal requirements are met to qualify for, adopt and implement any federally issued regulatory relief, employer and other plan sponsors, insurers, fiduciaries and administrators also should plan for and be prepared to run the necessary traps to properly amend their plan document, summary plan description and other plan notifications, administrative services agreements, stop loss or other insurance contracts and other vendor agreements to implement their desired changes. Beyond knowing what has to be done to adopt and communicate the desired changes, employer and other sponsors and fiduciaries, their consultants, brokers and advisors need to consider the requirements and consequences that the planned changes might have under applicable plan documents and vendor agreements to avoid unanticipated costs or liabilities as well as what actions are needed to ensure that ERISA’s prudence and other fiduciary requirements are met.

Responsible parties should begin preparing to take advantage of the anticipated legislative and regulatory relief both by both carefully monitoring statutory and regulatory health plan developments and positioning themselves to act quickly when relief comes by evaluating their existing heath plan documents, contracts, communications and systems to verify existing compliance and determine requirements for implementing any planned changes, opening up discussion vendors about these possibilities and taking other steps to position themselves to act knowledgeably and efficiently to take advantage of new opportunities if and when they emerge and are warranted.

About The Author

Ms. Stamer works with health industry and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on ACA-ERISA Lawsuit Risks Likely To Continue Until Congress Acts Despite Trump Executive Order For Agencies To Issue Relief | 105(h), 4980D, 4980H, 6039D, ACA, Affordable Care Act, Appeals, board of directors, Brokers, Cafeteria Plans, Claims, Claims Administration, COBRA, COBRA Subsidy, compliance, Consumer Protection, Contraception, Corporate Compliance, corporate governance, directors, EBSA, employee, Employee Benefits, Employer, ERISA, Excepted Benefits, exchange, Excise Tax, Excise Taxes, fiduciary duty, Fiduciary Responsibility, FLSA, FMLA, Health Care Reform, health reform, Human Resources, Insurance, insurers, Internal Controls, Internal Revenue Code, IRC, King V. Burwell, Management, Mental Health, Mental Health Parity, MEWA, Obamacare, Patient Empowerment, Patient Protection & Affordable Care Act, Physician, Plan Admistrator, Prescription Drugs, preventive care, Provider, SBC, Uncategorized | Tagged: ACA, Executive Order, Health Care, Health Care Reform, Health Care Reimbursement, Health Insurance, Health Plans, health policy, Minimizing the Economic Burden of the Patient Protection and Affordable Act Act Pending Repeal, Obamacare, Patient Protection and Affordable Care Act | Permalink
Posted by Cynthia Marcotte Stamer

Employers, Plans, Don’t Jump The Gun On ACA Relief

January 23, 2017

Trump Executive Order Promises But Gives No ACA Health Plan Relief Until Agencies Act

Employer and other health plan sponsors, insurers, plan members and their family, health care providers and others struggling to cope with the costs and burdens of complying with the Patient Protection and Affordable Care Act (ACA) health care reforms are celebrating the promise of impending relief from ACA mandates held out by newly inagurated President Donald Trump January 20, 2017 Executive Order on “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal” (Executive Order).

To waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the ACA that would impose a “cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”
To provide greater flexibility to States and cooperate with them in implementing healthcare programs and to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State;
For departments and agencies with responsibilities relating to healthcare or health insurance to encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.

While employer and other health plan sponsors and others struggling to cope with the costs and mandates of ACA unquestionably welcome the promise of relief offered by the Executive Order, it is critical that those looking forward to enjoying this promised relief not jump the gun or overestimate the scope of the relief. Because the Executive Order is not self-executing, the Executive Order provides no legally enforceable relief from applicable ACA compliance obligations unless and until the applicable Agency or Congress adopts that relief consistent with law. While applicable Agencies are expected to act as quickly as possible to comply with President Trump’s orders, various statutory and procedural requirements almost certainly will limit both the relief granted and the speed with which the Agencies can grant the relief.

First, because the Executive Order is not self-executing, it doesn’t actually provide any relief for anyone; rather it just creates the expectation that the Agencies will grant some relief in the future. Those anticipating relief should expect that even regulatory relief will take time since the Agencies by law as well as the terms of the Executive Order will be required to comply with the often time consuming and cumbersome requirements of the Administrative Procedure Act and other applicable statutes in considering and issuing regulatory revisions and relief, including any applicable requirements for submission and approval by the Office of Management and Budget. The often added need for interagency collaboration and negotiation created by the ACA’s grant of multijurisdictional authority over many of its provisions historically has made negotiating these requirements more complicated and time consuming.

Second, relief will not be available for certain exposures because statutory limits on the jurisdiction and authority of the Agencies under the ACA will limit the scope of the relief that an Agency can grant. The Agencies generally do not have the authority to waive certain provisions of the ACA which are not within the discretion of the Agencies, such as the right of participants and beneficiaries in employer or union-sponsored health plan to sue to enforce ACA health plan mandates through a benefits or breach of fiduciary action brought under the Employee Retirement Income Security Act. Likewise, Agencies also will be restricted in their ability to waive penalties or requirements where the statutory mandate is drafted in a manner that denies the Agency discretionary authority to offer that relief.

Third, health plans, their sponsors, insurers, fiduciaries and administrators should anticipate that they may need to take certain action in response to any issued relief before they can take advantage of the relief allowed such as adopting health plan amendments, issuing notices to participants or beneficiaries, making elections or a combination of these actions.

Until these and other required actions are completed by the Agencies and the applicable plan sponsors, fiduciaries and other parties, employers and other plan sponsors, their management, their health plans, health plan fiduciaries, administrators and insurers remain legally obligated to continue to comply with the ACA as presently implemented under the existing regulations and judicial and administrative rulings. While preparing for future changes, health plans, their sponsors, fiduciaries, administrators and insurers also should act to manage their prior and existing liabilities arising out of acts or omissions occurring before Congress or the regulators revise and ease the rules.

While health plans, their sponsors, fiduciaries, administrators and insurers remain legally responsible to comply with existing rules until changed by the regulators or Congress, they still have much to do to get ready for the changes that are coming while acting to manage their health plan costs and liabilities in the meantime. Whether or not the Trump Administration in the future provides relief from Form 8928 self-reporting and excise tax self- assessment penalties for violation of 40 federal group health plans, group health plans and their fiduciaries almost certainly will remain exposed to ERISA lawsuits for violation of ACA or other federal group health plan mandates. In addition, until revoked or revised, employers and health plans remain subject to and risk liability for failing to provide ACA-required tax forms, notices, benefits, coverage, rights or other compliance.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on Employers, Plans, Don’t Jump The Gun On ACA Relief | 105(h), 4980D, 4980H, 6039D, ACA, Affordable Care Act, Appeals, board of directors, Brokers, Cafeteria Plans, Claims Administration, compensation, compliance, Consumer Protection, Contraception, Corporate Compliance, corporate governance, defined contribution plan, Discrimination, Drug & Alcohol, EBSA, Employee Benefits, Employer, Employment, ERISA, Excepted Benefits, exchange, Excise Tax, Excise Taxes, fiduciary duty, FLSA, FMLA, health reform, HR, Human Resources, Insurance, insurers, Internal Controls, Internal Revenue Code, IRC, Mental Health, Mental Health Parity, MEWA, Obamacare, Patient Empowerment, Patient Protection & Affordable Care Act, Prescription Drugs, SBC, Uncategorized | Tagged: ACA, Health Care Reform, Health Insurance, Health Plans, Insurance, Insurer, Obama Care, Patient Protection and Affordable Care Act, Plan Sponsors, Trump | Permalink
Posted by Cynthia Marcotte Stamer

PBGC Table Shows Present Value PBGC Maximum Guarantee

December 4, 2016

On December 02, 2016, PBGC posted a table showing the applicable present values for 2017 plan years. For more information see Technical Update 07-04. (12/02/2016).

Comments Off on PBGC Table Shows Present Value PBGC Maximum Guarantee | Bankruptcy, Corporate Compliance, corporate governance, defined benefit plan, Employee Benefits, Employment, Retirements | Permalink
Posted by Cynthia Marcotte Stamer

IRS Changing Employee Plans & Exempt Organization Audit Procedures

November 21, 2016

Employee benefit plans and tax-exempt organizations facing Internal Revenue Service (IRS) audits or investigations after April, 2016, their leaders and advisors should prepare for some changes in the practices IRS agents will use to issue and enforce document requests (IDRs) after March 31.

The IRS Tax Exempt and Government Entities Division (TEGE) just issued updated internal guidance (Guidance) governing the procedures its agents will use to gather information for employee benefit plan and exempt organization examinations including information requests made in connection with:

Employee Benefit Form 5500 Examination Procedures
Exempt Organizations Pre-Audit Procedures
On-Site Examinations
Tax Exempt Bonds Examinations
Indian Tribal Government Examinations and
Federal, State and Local Governments (FSLG) Examinations

The new Guidance follows other recent announcements of changes of IRS employee plan or exempt organization procedures such as recently announced changes in IRS employee plan correction procedures. See, e.g., IRS Qualified Plan Correction Procedures Changing 1/1/17.

The new procedures defined in the Guidance apply more broadly and take effect April 1, 2017. The Guidance also requires that TEGE update the following IRMs to specifically reflect the new procedures within the next two years:

IRM 4.71.1, Overview of Form 5500 Examination Procedures;
IRM 4.75.10, Exempt Organizations Pre-Audit Procedures;
IRM 4.75.11, On-Site Examination Guidelines;
IRM 4.81.5, Tax Exempt Bonds Examination Program Procedures – Conducting the Examination;
IRM 4.86.5, Conducting Indian Tribal Government Examinations; and
IRM 4.90.9, Federal, State and Local Governments (FSLG) – Procedures, Workpapers and Report Writing.

Among other things, the new Guidance will require “active involvement” by managers of IRS examiners’ early in the process. The Guidance also calls for:

Taxpayers to be involved in the IDR process.
Examiners to discuss the issue being examined and the information needed with the taxpayer prior to issuing an IDR.
Examiners to ensure that the IDR clearly states the issue and the relevant information they are requesting.
If the taxpayer does not timely provide the information requested in the IDR by the agreed upon date, including extensions, examiners to issue a delinquency notice.
If the taxpayer fails to respond to the delinquency notice or provides an incomplete response, for the examiner to issue a pre-summons notice to advise the taxpayer that the IRS will issue a summons unless the missing items are fully provided.
For a summons to be issued if the taxpayer fails to provide a complete response to the pre-summons letter by its response due date.

According to TEGE the new procedures set forth in the Guidance are designed to “ensure” that IRS Counsel is prepared to enforce IDRs through the issuance of a summons when necessary while also reinforcing the IRS’ commitment to the respect of taxpayer rights under the Taxpayer Bill of Rights. TEGE says the updated procedures established in the Guidance will promote these goals by:

Providing for open and meaningful communication between the IRS and taxpayers;
Reducing taxpayer burdens
Providing for consistent treatment of taxpayers;
Allowing the IRS to secure more complete and timely responses to IDRs;
Providing consistent timelines for IRS agents to review IDR responses; and
Promoting timely issue resolution.

While it remains to be seen exactly how well the new procedures will promote these goals in operation, leaders, sponsors, administrators and tax advisors to employee benefit plans and exempt organizations tagged for audits after the Guidelines take effect will want to ensure that they review and fully understand the new procedures as soon as possible after receiving notice of the audit.

A clear understanding of the procedures can help the entities and their representatives to take advantage of all available options for mitigating exposures and liability from the audit as well as to avoid unfortunate missteps that could result in forfeiture of otherwise available tax-related rights and options or otherwise increase the tax and other associated risks and liabilities of the entities or others associated with them arising from the audit.

Along with responding to these tax-related risks, leaders and advisors of employee benefit plan and exempt organizations also need to keep in mind the often substantial non-tax related risks that may arise concurrently or evolve from a TEGE or other tax-related audit or investigation. The often substantial tax and non-tax exposures typically makes it desirable if not necessary to involve experienced legal counsel in the process as soon as possible.

To help respond to the audit and manage its tax and non-tax related risks and, leaders responsible for these entities generally not only will want to seek legal advice within the scope of attorney-client privilege from legal counsel immediately after receiving an IDR or other notice of an audit or investigation, as well as consider periodically consulting experienced legal counsel for assistance in conducting pre-audit assessment of compliance and other compliance and risk management planning.

Early involvement of legal counsel generally is necessary both to understand and manage both the tax and non-tax exposures associated with the audit, as well as to preserve and utilize the potential benefits of attorney-client privilege and other evidentiary privileges that could help to mitigate both the tax and non-tax related risks. While federal tax rules afford some evidentiary privileges to certain accounting professionals when providing tax representation or advice, the protective scope of such privileges generally are more limited than attorney-client privilege and work product evidentiary privileges and typically do not apply to non-tax matters. As a result, most entities and their leaders will want to consider involvement of legal counsel to maximize privilege protections and non-tax related exposures even if the parties plan for a qualified tax professional or other consultant to play a significant role in assisting them to prepare for and respond to the audit.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on IRS Changing Employee Plans & Exempt Organization Audit Procedures | 105(h), 401(k), 4980D, 4980H, 6039D, ACA, Affordable Care Act, Attorney-Client Privilege, board of directors, Brokers, Cafeteria Plans, church plan, COBRA, compensation, compliance, Corporate Compliance, corporate governance, defined benefit plan, Defined Benefit Plans, defined contribution plan, Defined Contribution Plans, directors, Discrimination, EBSA, employee, Employee Benefits, Employer, Employers, Employment, Employment Tax, ERISA, ESOP, Excise Tax, Excise Taxes, Executive Compensation, Exempt, Form 5500, health reform, HR, Human Resources, Identity Theft, Income Tax, Internal Controls, Internal Investigations, Internal Revenue Code, IRC, Pay, Payroll Tax, pension plan, Plan Admistrator, Tax, Tax Credit, Tax Qualification, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis

October 27, 2016

Compliance with the Privacy and Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) is a living process that requires employer and other health plans, health insurers, health care providers and healthcare clearinghouses to recurrently reevaluate their HIPAA enterprise risk and timely act to mitigate security threats to electronic (ePHI) and other protected health information and other HIPAA compliance concerns on an ongoing basis. That’s the clear take away applicable to all HIPAA-Covered Entities and business associates from the St. Joseph Health Resolution Agreement and Corrective Action Plan (SJH Settlement) and the Oregon Health & Science University Resolution Agreement and Corrective Action Plan (OHSU Settlement) announced by the Department of Health & Human Services Office of Civil Rights (OCR) in the past 30 days. Health plans, their sponsors, fiduciaries and vendors, health care providers and health care clearinghouses should carefully heed this message and in response take documented steps to ensure

Their existing policies, practices and procedures properly are updated in response to changing guidance and events;
They in place the current, comprehensive enterprise risk assessment along with a mitigation plan documenting actions taken to address these risks;
Ensure that the organization has and is administering appropriate, documented processes and procedures to ensure that the organization reassesses its enterprise risk assessment and compliance on a timely basis as warranted by changes or other events that could impact ePHI, regulatory developments or other events that might impact its compliance; and
Have an appropriate, documented process for oversight by C-level management.

OHSU Charges & Settlement

The OHSU Settlement Agreement announced by OCR on September 23, 2016 requires OHSU to pay a $2.7 million settlement payment and adopt and implement a comprehensive three-year corrective action plan to address “widespread and diverse” HIPAA compliance problems OCR reports uncovering while investigating multiple HIPAA breach reports the large public academic health center and research university centered in Portland, Oregon.

OCR began investigating OHSU after the large public academic health center and research university centered in Portland, Oregon, submitted three HIPAA breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive:

On March 23, 2013, HHS received notification from OHSU regarding a breach of its unsecured electronic protected health information (“ePHI”) resulting from a stolen laptop computer;
On July 28, 2013, HHS received notification from OHSU regarding a breach of its ePHI resulting from storing ePHI at an internet-based service provider without a business associate agreement; and.

These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.

OCR’s investigation showed the reported breaches resulted from widespread, long-term, systematic and unresolved HIPAA violations by OHSU that OCR attributed to an inadequate commitment to and oversight of HIPAA compliance by OHSU C-level management which resulted in the failure by OHSU to appropriately monitor the adequacy of its ongoing compliance and to assess and address changes in its enterprise-wide risk and compliance obligations on an ongoing basis. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

OCR concluded that the reported breaches were the result of long-standing, systematic deficiences in OHSU’s processes and procedures for HIPAA compliance, including the following:

While OHSU reportedly performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, OCR says its investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule;
While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level;
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk;
OHSU failed to comply with its duty under HIPAA to enter into a business associate agreement with a vendor before allowing a vendor business associate to store ePHI; and
The absence of meaningful C-suite leadership oversight and commitment to HIPAA compliance.

Based on these investigations, OCR concluded that while OHSU initially adopted HIPAA Policies, the reported breaches were the result of a series of widespread and ongoing breaches of HIPAA resulted including the following:

From January 5, 2011, until July 3, 2013, OHSU disclosed the ePHI of 3,044 individuals in violation of Privacy Rules §§160.103 and 164.502(a) when workforce members disclosed the ePHI to a third party internet-based service provider without obtaining a business associate agreement or other satisfactory assurance that the internet-based service provider would safeguard the ePHI;
From January 5, 2011 until July 3, 2013 OHSU failed to obtain a business associate agreement from an internet-based service provider that was storing ePHI on its behalf as a business associate as required by 45 C.F.R. § 164.308(b);
From January 5, 2011 until July 3, 2013 OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations as required under Privacy Rule § 164.308(a)(1)(i);
From July 12, 2010 to present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise as required by Privacy Rules §§ 164.312(a)(2)(iv) and 164.306(d)(3)); and
From May 29, 2013 until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents in violation of Privacy Rule § 164.308(a)(6)(i).

According to statements made by OCR Director Jocelyn Samuels in OCR’s announcement of the OHSU Settlement, the breaches should not have happened. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient,” said OCR Director Jocelyn Samuels. OCR’s announcement also signals that OCR views inadequate commitment and oversight by OHSU’s senior management to have played a key role in the creation and perpetuation of the OHSU violations. It quotes OCR Director Jocelyn Samuels as stating, “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

OCR’s announcement of the OHSU Settlement emphasizes its determination that a lack of commitment and oversight by C-level management resulted in the failure by OHSU to periodically perform a comprehensive enterprise risk analysis and to reevaluate and update that analysis and its policies, practices, procedures and training as warranted by changing events and guidance.

To resolve the HIPAA charges, the OHSU Settlement requires OHSU to pay OCR $2,700,000 as well as take a long series of corrective actions detailed in the Corrective Action Plan incorporated into the Settlement Agreement. The requirements of the Corrective Action Plan both seek to address the specific weaknesses that lead to the breaches of unsecured ePHI reported by OHSU in its breach notifications as well as the broader deficiencies in OHSU’s overall HIPAA compliance practice by requiring among other things that OHSU:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI at all OHSU facilities and on all systems, networks, and devices that create, receive, maintain, or transmit ePHI;.
Develop and present to OCR for approval a comprehensive written risk management plan that explains OHSU’s strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on OHSU’s circumstances as well as a comprehensive, enterprise-wide plan to implement effective oversight of OHSU workforce members to ensure their adherence to HIPAA Rules and OHSU’s internal privacy and security policies and procedures with specific timelines for their expected completion and compensating controls identified in the interim to safeguard OHSU’s ePHI;
Implement and administer the written risk management plan and other safeguards as approved by OCR;
Provide updates to OCR about OHSU’s implementation of required encryption including a Mobile Device Management (MDM) solution that ensures all OHSU- owned and personally-owned mobile devices (tablets, smart phones, and other mobile devices) that access ePHI on OHSU’s secure network are encrypted other than mobile devices for which OHSU has granted exceptions based on documented evidence of the implementation of alternative reasonable compensating controls to protect the ePHI on such devices;
Report to OCR on OHSU’s efforts to a solution to enforce encryption of ePHI on OHSU-owned and personally- owned devices (laptops, desktops, and medical equipment) connecting to OHSU’s secure wired and wireless networks except for any devices for which OHSU has granted exceptions to the encryption requirement;
Report to OCR about its implementation of policies that prohibit the transfer of data containing ePHI from OHSU-owned and personally-owned devices to unencrypted removable storage devices (USB drives and portable hard drives) and implementation of a technical solution that enforces the policies prohibiting transfers of this type when attached to the OHSU secure network, except for any removable storage devices for which OHSU has granted exceptions based on documented evidence of reasonable compensating controls that have been implemented to protect the ePHI on such devices;
Send a communication to all members of the OHSU community describing its commitment to enterprise encryption;
Prepare to the satisfaction of OCR security awareness training materials needed to implement its security management processing including specific privacy and security awareness related to a) use of internet-based information storage services; b) disclosures to third party entities that require a business associate agreement or other reasonable assurance in place to ensure that the business associate will safeguard the protected health information (PHI) and/or ePHI; c) regarding managers, effective oversight of workforce members’ uses and disclosures of PHI, including ePHI, to ensure the workforce members’ compliance with the Privacy and Security Rules and OHSU’s internal policies and procedures; d) security incident reporting; and e) password management;
Initially train all workforce members with access to PHI and/or ePHI with 120 days of OCR’s approval of the training and thereafter ensure that new workforce members are trained with 15 days of hire and that all workforce members subsequently continue to receive training on an on-going basis;
Review the security awareness training materials annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments;
Management oversight and supervision of the implementation and administration of the corrective actions required by the Corrective Action Plan and HIPAA compliance; and

Management reporting to OCR on its actions and compliance with the Corrective Action Plan.

SJH Settlement

Similarly, the SJH Settlement OCR announced on October 18, 2016 with St. Joseph Health (SJH) requires SJH to pay a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan to settle OCR charges that SJH violated HIPAA by allowing files containing ePHI of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012.

A nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, who through its 24,000 employees and 6,000 physicians provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SHS’ 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJS filed with OCR. On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals-St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

To resolve charges resulting from these findings, the SJH Resolution Agreement requires SJH to pay OCR a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

Among other things, the Corrective Action Plan specifically requires that SJH:

Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHJ);
Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
Distribute the risk management plan as finally approved by OCR to to workforce members involved with implementation of the plan within 30 days of OCR approval;
Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
Prepare for review of OCR training materials and once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
Submit annual report to OCR signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

Take Away For Other Covered Entities & Business Associates

The OHSU and SJH Settlement Agreements send a clear message to all Covered Entities and business associates that they must be prepared to demonstrate not only that their initial adoption and implementation of required HIPAA Privacy and Security policies and safeguards, but also that their organization’s leadership needs to be prepared to demonstrate their commitment to HIPAA compliance by making adequate provision for HIPAA compliance, and appropriately monitoring developments that could impact the adequacy of their existing measures and timely update their systems and security, policies, procedures, training and other relevant safeguards.

The Settlements make clear that Covered Entities and their business associates should ensure that their organization possesses a well-documented current enterprise-wide risk assessment, as well as has in place and is administering as necessary to maintain the currency and adequacy of its risk assessment strong practices for conducting documented evaluations of their own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA, taking into account recent OCR guidance, its initiation of its Phase II audit program, the insights offered by OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate’s operations that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks.

In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation to in response to the guidance and insight that OCR provides, including:

A series of recent OCR Resolution Agreements emphasizing the need for Covered Entities and their Business Associates to verify that have in place, and review and update as necessary business associate agreements e.g. HIPAA Settlement Illustrates The Importance Of Reviewing And Updating, As Necessary, Business Associate Agreements (September 23, 2016); Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement (June 29, 2016);
Clarification of Permissible Fees for HIPAA Right of Access – Flat Rate Option Up to $6.50 is Not a Cap on All Fees for Copies of PHI (May 23, 2016)
Guidance On HIPAA & Cloud Computing released October 6, 2016, which provides guidance for Covered Entities and business associates about contracting and other procedures that HIPAA-regulated Covered Entities and their business associates should implement when contracting for and using Cloud Computing Services;
Joint Guidance published October 21, 2016 by the Federal Trade Commission and OCR reminding Covered Entities and their business associates of the need to ensure that in addition to fulfilling the technical content requirements of HIPAA, their HIPAA authorizations, privacy practices notices and other HIPAA notices and communications are written and presented in plan language, include required specific terms and descriptions and in a manner that does not mislead individuals about their rights or about what is happening with their PHI. Furthermore, where Covered Entities and their business associates contemplate that businesses associates may request that individuals sign HIPAA authorizations, Covered Entities and their business associates should the Covered Entity and business associate have in place a current, signed HIPAA-compliant business associate agreement that that expressly authorizes the business associate to request the HIPAA authorization in light of statements in the Joint Guidance indicating that OCR views the Privacy Rules as prohibiting a business associate from asking a consumer to sign a HIPAA authorization unless its business associate contract expressly permits the business associate to do so; and
Other OCR enforcement actions, tools and guidance. See, e.g. All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement; Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance; $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework; HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

Employer and other health plan sponsors, health plan fiduciaries and business associates, and their service providers also generally will want to consider their responsibilities to provide and enforce employer certifications, as well as the fiduciary obligations health plan fiduciaries under the fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA). Among other things, wrongful disclosure of PHI to a sponsoring employer or others could violate HIPAA or other plan terms. Furthermore, Department of Labor officials have indicated stated that a fiduciary’s general fiduciary responsibilities can apply to the protection and administration of PHI and other health plan information as well as create a duty by a responsible fiduciary to prudently investigate and take steps to address breaches or other potential concerns that place PHI at risk. See, HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks.

Furthermore, as breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, contractual, tort and other exposures, Covered Entities and their business associates also generally are best served to take into account these other responsibilities and exposures in conjunction with the design and administration of their HIPAA compliance and risk management policies and practices.

Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, training, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attends these events. In addition, given the typically high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR changes, most Covered Entities and their business associations will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the often substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices also are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,”“Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications on HIPAA and other privacy and data security concerns earned in connection with her more than 28 years’ of involvement advising and representing business and government clients domestically and internationally about workforce and human resources, employee benefits; health care; insurance and financial; privacy and data security and other performance management, regulatory, internal controls and other compliance, risk management, public policy and operational other key concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair and current Defined Contribution Plans Committee Co-Chair, Groups and Substantive Committee and Membership Committee Members, past Welfare Plans Committee Chair and Co-Chair, and former Fiduciary Responsibility Vice Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current ABA International Section Life Sciences Committee Vice Chair, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, former ABA Joint Committee on Employee Benefits Council Representative and Marketing Committee Chair and a prolific author and highly popular speaker and consultant, Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on Health Plans, Other Covered Entities Have Continuing Duty To Reevaluate HIPAA Enterprise Risk To PHI & Address Security Risks & Other Compliance Concern On Ongoing Basis | ARRA, board of directors, Brokers, Cafeteria Plans, CHIP, Civil Monetary Penalties, Civil Rights, Claims, compliance, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, directors, EBSA, Electronic Medical Record, employee, Employee Benefits, Employer, Employers, Employment, EMR, fiduciary duty, Fiduciary Responsibility, GINA, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Technology, third party administrators, Uncategorized, Union, Workforce | Tagged: Breach Notification, broker, Covered Entity, Data Breach, Data Security, EPHI, ERISA, health care providers, Health Plans, HIPAA, Medical Privach, Medical Privacy, Personal Health Information, Privacy, Technology | Permalink
Posted by Cynthia Marcotte Stamer

New ACA Student Health Insurance Guidance Allows College Payment Of Working Students’ Student Health Insurance Premiums Post 2016

October 21, 2016

Colleges and other institutions of higher education within the meaning of the Higher Education Act of 1965 (schools) may continue until further notice to pay or subsidize student health insurance coverage premiums for students performing work-study or other services for the school as part of their financial aid package without fear of prosecution for violation of the group market reform requirements of the Patient Protection & Affordable Care Act (ACA), according to ACA guidance jointly published by the Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury (collectively, the Tri-Agencies) today.

Many schools have arrangements in place with insurers under which students can purchase individual policies providing health insurance coverage (“student health insurance coverage”), which are individual policies required to comply with the individual market reforms of the ACA other than as provided in the student health insurance guidance issued by HHS. See 45 CFR 147.145.

Of course, the agreement between the college and the student health insurance coverage issuer makes the coverage available for purchase by most if not all students attending the school by paying the specified premium. In some cases, however, the school might include in a student’s financial aid package a reduction to the cost of coverage of the otherwise applicable premium for student health insurance through a credit, offset, reimbursement, stipend, or similar arrangement (a premium reduction arrangement). If the student also performs services under a workstudy or other relationship, however, Tri-Agency guidance interpreting the Group Market Reforms could present a problem unless qualifies for an exemption from the Tri-Agencies’ interpretation of the Group Market Reforms as prohibited employers from paying or reimbursing individual health insurance policy premiums of employees..

The Tri-Agencies’ first announced their interpretation of the Group Market Reforms as prohibiting employer reimbursement of individual health insurance premiums in 2013. Technical Release 2013-03 announced that employers sponsoring arrangements under which the employer directly pays or reimburses premiums for employees’ individual health insurance coverage directly, or through a cafeteria plan pre-tax premium program, health flexible spending account arrangement (health FSA), health reimbursement arrangement (HRA), or other employer arrangement would incur excise taxes liability under section 4980D of the Internal Revenue Code and other penalties and liabilities for violating the ACA Group Market Reform rules. This Tri-Agency Guidance states that because by their very definition, these arrangements promise to reimburse or pay medical expenses on the employee’s behalf only up to a certain dollar amount each year, employer-sponsored arrangements that pay or reimburse employees for individual health insurance premiums generally violate the prohibition on annual dollar limits under Public Health Services (PHS) Act section 2711 and the requirement to provide certain preventive services without cost sharing under PHS Act section 2713 unless properly integrated with a group health plan that otherwise complies with ACA requirements. Furthermore, because the Tri-Agencies also construe the ACA market reforms as preventing the integration of EPPs and individual health insurance coverage, the Tri-Agencies’ guidance also states that an arrangement through which an employer reimburses or directly pays the premium for individual coverage violates the ACA market reform rules. Accordingly, unless otherwise exempted from coverage, this Tri-Agency guidance would prohibit schools from reimbursing students providing services to the school for student health insurance premiums.

Under Tri-Agency guidance published in February, 2016, the Tri-Agencies previously announced they would not that a premium reduction arrangement provided by a school to a student fails to satisfy PHS Act section 2711 or 2713 if the arrangement is offered in connection with other student health coverage (insured or self-insured) for a plan year or policy year beginning before January 1, 2017, but until October 21, 2016, did not address the post-2016 treatment of these arrangements . See Technical Release 2016-01; Notice 2016-17, Insurance Standards Bulletin, Application of the Market Reforms and Other Provisions of the Affordable Care Act to Student Health Coverage.

Under guidance jointly published October 21, 2016, however, the Tri-Agencies extended their policy of non-enforcement with respect to school student health insurance premium reimbursement arrangements beyond its previously announced December 31, 2016 expiration date. FAQs About Affordable Care Act Implementation Part 33 (“FAQ 33”) jointly published by the Tri-Agencies states that “pending further guidance, the Tri-Agencies consider it appropriate to further extend the enforcement relief provided in the February 5, 2016 guidance and will not assert that a premium reduction arrangement offered by an institution of higher education fails to satisfy PHS Act section 2711 or 2713 if the arrangement is offered in connection with student health coverage (insured or self-insured).

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecture and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Labor & Employment,”“Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

For additional information about this topic or Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile h ere. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™. All other rights reserved.

IMPORTANT NOTICES

These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein

Comments Off on New ACA Student Health Insurance Guidance Allows College Payment Of Working Students’ Student Health Insurance Premiums Post 2016 | 105(h), 4980D, 6039D, ACA, Affordable Care Act, Cafeteria Plans, compliance, Employee Benefits, Employer, Employers, Employment, ERISA, health benefit, health insurance, Health Plans, health reform, HR, Human Resources, Insurance, insurers, Internal Controls, Patient Protection and Affordabel Care Act, Uncategorized | Tagged: ACA, College, employer payment plan, Financial Aid, higher education, HRA, HSA, premium reimbursement, Schools | Permalink
Posted by Cynthia Marcotte Stamer

IRS Qualified Plan Correction Procedures Changing 1/1/17

October 13, 2016

Employers and other plan sponsors of tax-qualified 401(k) and other defined contribution or defined benefit plans (retirement plans) and others working to avoid plan disqualification by correcting plan documentation, administration or other problems that otherwise could disqualify their program for tax qualified treatment under the Internal Revenue Code (Code) under the Internal Revenue Service (IRS) Employee Plans Compliance Resolution System (EPCRS) or the Audit Closing Agreement Program (Audit CAP) modified rules beginning January 1, 2017, under changes announced by the IRS in Revenue Procedure 2016-51 on September 29, 2016.

The EPCRS and Audit CAP programs are two IRS correction programs commonly used to preserve the tax qualified status of a retirement plan affected by plan documentation, administration or other deficiencies that otherwise would result in the plan ceasing to qualify as a tax retirement plan under the Code. The EPCRS program generally is available to correct and resolve certain qualification concerns not eligible for self-correction that retirement plan sponsors or plans self-identify and disclose to the IRS in accordance with the EPCRS correction procedures, In contrast, the Audit CAP program provides an avenue that may provide a pathway for a plan sponsor of a retirement plan with significant problems in its compliance with the Code’s qualification requirements that are discovered by the IRS on audit or during the determination letter application process to preserve the tax benefits associated with maintaining a retirement plan in compliance with the Code’s tax qualification requirements by entering into a Closing Agreement pursuant to which the problems are corrected and paying a reasonable sanction to the IRS based directly on the amount of tax benefits preserved and the nature, extent and severity of the failure, taking into account the extent to which correction occurred before audit.

Key changes to the EPCRS correction procedures scheduled to take effect on January 1, 2017 under Revenue Procedure 2016-51 include the following:

The IRS no longer will permit determination letter applications when applying the correction programs under EPCRS;
The requirement for a plan sponsor to submit a determination letter application to the IRS when correcting qualification failures that include a plan amendment no longer will apply; and
Fees associated with the Voluntary Correction Program (VCP) after December 31, 2017 will be user fees and no longer set forth in the EPCRS revenue procedure. For VCP submissions made in 2016, refer to Proc. 2016-8 and Rev. Proc. 2013-12 to determine the applicable user fee and after 2016, refer to the annual Employee Plans user fees revenue procedure to determine VCP user fees for that year. Availability of Self-Correction Program (SCP) for significant failures has been modified to provide that, for qualified individually designed plans, a determination letter need not be current to satisfy the Favorable Letter requirement

In addition to its announcements of changes to the EPCRS correction program Revenue Procedures 2016-51 also announces various modifications to the Audit CAP program, including:

A revised approach to determining Audit CAP sanctions under which

Sanctions, generally, will not be less than the fees associated with voluntary compliance under the EPCRS program;
The required reasonable sanction will no longer be a negotiated percentage of the maximum payment amount (MPA). Instead, auditors will review facts and circumstances and the MPA amount is simply one factor to consider. In addition, there are revised, additional factors that IRS considers;
New factors used in determining sanctions for late amender failures will apply;
For late amender failures discovered by the IRS, while reviewing a determination letter application, a new approach to determining the applicable sanction will apply;
The IRS will not provide partial refunds for certain Anonymous Submissions

Beyond specific modifications to the EPCRS and Audit CAP procedures, Revenue Procedures 2016-51 also:

Updates citations and cross-references for several items previously contained in Rev. Proc. 2013-12; and
Invites public comments on recovery of overpayments and on expanding EPCRS correction rules to provide additional guidance on the recovery or recoupment of overpayments.

Revenue Procedures 2016-51 is effective January 1, 2017. Plan sponsors may not elect to apply provisions before January 1, 2017. Rev. Proc. 2013-12, as modified by Rev. Proc. 2015-27 and Rev. Proc. 2015-28, are in effect for 2016. When Revenue Procedure 2016-51 takes effect on January 1, 2017:

Proc. 2013-12 no longer applies as of January 1, 2017; and
Provisions of Rev. Proc. 2015-27 and Rev. Proc. 2015-28 concerning EPCRS and other older revenue procedures will no longer apply.

About The Author

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

For additional information about this topic or Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on IRS Qualified Plan Correction Procedures Changing 1/1/17 | 401(k), compensation, compliance, defined benefit plan, Defined Benefit Plans, defined contribution plan, Defined Contribution Plans, Employee Benefits, Employer, Employers, Employment, ERISA, IRC, Retirement Plans, Uncategorized | Tagged: 401(k), Audits, Compensation, defined benefit plan, defined contribution plan, employee benefit plan, Employee Benefits, E{CRS, Plan Audits, plan qualification, Qualified Plan, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Manage Retaliation Risks In Response To Updated EEOC Enforcement Guidance, Rising Retaliation Claims

August 31, 2016

U.S. employers, employment agencies, unions, their benefit plans and fiduciaries, and their management and service providers should move quickly to review and strengthen their employment and other practices to guard against a foreseeable surge in employee retaliation claims and judgements likely to follow the August 30, 2016 issuance by the Equal Employment Opportunity Commission (EEOC) of its new final EEOC Enforcement Guidance on Retaliation and Related Issues and concurrently published Question and Answer Guidance(Guidance).

Updating and superceding 2008 guidance previously set forth in the Retaliation Chapter of the EEOC Enforcement Manual, the Guidance details the EEOC’s current policy for investigating and enforcing the retaliation prohibitions under each of the equal employment opportunity (EEO) laws enforced by EEOC, including Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act (ADEA), Title V of the Americans with Disabilities Act (ADA), Section 501 of the Rehabilitation Act, the Equal Pay Act (EPA) and Title II of the Genetic Information Nondiscrimination Act (GINA) as well as the ADA’s separate “interference” prohibitions, which prohibit coercion, threats, or other acts that interfere with the exercise of ADA rights. Among other things, the Guidance discusses :

What “retaliation means” and the scope of employee activity protected by the prohibitions against retaliation included in all laws enforced by the EEOC as well as the interference prohibitions of the ADA;
Legal analysis the EEOC will use to determine if evidence supports a claim of retaliation against an employer or other party;
Detailed examples of employer actions that the EEOC says may constitute prohibited retaliation; and
Remedies available for retaliation.

Understanding and properly responding to the Guidance is critically important for employers and other subject to the EEO laws because in light of the substantial and growing liability exposures retaliation claims present and the likely that the issuance of the Guidance will further fuel these risks.

Even before the EEOC published the Guidance, retaliation and interference exposures were a substantial source of concern for most employers. Employers, employment agencies and unions caught engaging in prohibited retaliation or intimidation in violation of EEO laws can incur compensatory and (except for governmental employers) punitive damage awards, back pay, front pay, reinstatement into a job or other equitable remedies, injunctive or administrative orders requiring changes in employer policies and procedures, managerial training, reporting to the EEOC and other corrective measures, as well as substantial investigation and defense costs.

These substantial liability exposures have become particularly concerning as retaliation and interference claims also have become increasingly common over the past decade. According to the EEOC, for example, EEO law retaliation charges have remained the most frequently alleged basis of charges filed with the EEOC since 2009 and in Fiscal Year 2015 accounted for 44.5 percent of all employment discrimination charges received by EEOC.
Since the EEOC’s issuance of the Retaliation Regs are likely to encourage additional retaliation or interference claims, employers, employment agencies, unions and their management, service providers and agents should quickly to evaluate the updated guidance provided in the Retaliation Reg and act to mitigate their exposure to retaliation retaliation and interference claims under these EEO laws.

Retaliation Risks Under EEO Laws

Federal EEO laws generally prohibit employers, employment agencies, or unions from punishing or taking other adverse actions against job applicants or employees for “asserting their rights” (often referred to as “protected activity”) to be free from harassment or other prohibited employment discrimination as well as certain other conduct. Such claims generally are referred to as “retaliation claims.”
Prohibited retaliation in violation of EEO laws occurs when an employer, employment agency or union takes a materially adverse action because an applicant or employee asserts rights or engages in certain other activities protected by the EEO laws.

To prevail in a retaliation claim, an applicant, employee or other individual generally must show that:

The individual engaged in prior protected activity;
The employer, employment agency or union took a materially adverse action; and
More likely than not, retaliation caused the adverse action by the employer, employment agency or union.

Persons Protected By EEO Retaliation Rules

EEO retaliation prohibitions protect both applicants and current and former employees (full-time, part-time, probationary, seasonal, and temporary) against retaliation under the EEO laws. The retaliation prohibitions bar an employer from refusing to hire or otherwise taking adverse action against any current or former applicant or employee because of his EEO complaint or other protected activity under applicable EEO laws. The EEOC interprets the retaliation rules as prohibiting an employer from giving a false negative job reference to punish a former employee for making an EEO complaint or engaging in other protected activity as well as as prohibiting an employer from refusing to hire or otherwise retaliating or discriminating against an applicant or employee based on a complaint made or other protected activity engaged against any a prior employer. The Guidance also makes clear that the retaliation prohibitions apply regardless of an applicant or employee’s citizenship or work authorization status.

Protected Activity

“Protected activity” generally means either participating in an EEO process or reasonably opposing conduct made unlawful by an EEO law.

The prohibition against an employer retaliating against an individual for “participating” in an EEO process means that an employer cannot punish an applicant or employee for filing an EEO complaint, serving as a witness, or participating in any other way in an EEO matter, even if the underlying discrimination allegation is unsuccessful or untimely. As a part of these prohibitions, the EEOC says that an employer, employment agency or union is not allowed to do anything in response to EEO activity that would discourage someone from resisting or complaining about future discrimination. For example, depending on the facts of the particular case, it could be retaliation because of the employee’s EEO activity for an employer to:

Reprimand an employee or give a performance evaluation that is lower than it should be;
Transfer the employee to a less desirable position;
Engage in verbal or physical abuse;
Threaten to make, or actually make reports to authorities (such as reporting immigration status or contacting the police);
Increase scrutiny;
Spread false rumors, treat a family member negatively (for example, cancel a contract with the person’s spouse); or
Take action that makes the person’s work more difficult (for example, punishing an employee for an EEO complaint by purposefully changing his work schedule to conflict with family responsibilities).

The Guidance clearly states that the EEOC views participating in any capacity in a complaint process or other protected equal employment opportunity as protected activity which is protected from retaliation under all circumstances. The EEOC views other acts to oppose discrimination also as protected as long as the employee was acting on a reasonable belief that something in the workplace may violate EEO laws, even if he or she did not use legal terminology to describe the issue. EEOC’s view is that protections against retaliation extend to participation in an employer’s internal EEO complaint process, even if a charge of discrimination has not yet been filed with the EEOC. The EEOC also takes the position that participation in the EEO process is protected whether or not the EEO allegation is based on a reasonable, good faith belief that a violation occurred. While an employer is free to bring these to light in the EEO matter where it may rightly affect the outcome, the Retaliation Regs state it is unlawful retaliation for an employer to take matters into its own hands and impose consequences for participating in an EEO matter.

In addition to prohibition for participation in protected activities, EEO law also prohibits retaliation against an individual for “opposing” a perceived unlawful EEO practice. The EEOC construes prohibition against retaliation for opposition as prohibiting an employer or other covered entity from punishing an applicant or employee for communicating or taking other action in opposition of a perceived EEO violation if the individual acted reasonably and based on a reasonable good faith belief that the conduct opposed is or could become unlawful if repeated.

According to the EEOC, opposition also can be protected even if it is informal or does not include the words “harassment,” “discrimination,” or other legal terminology. A communication or act may be protected opposition as long as the circumstances show that the individual is conveying resistance to a perceived potential EEO violation such as, for example:

Complaining or threatening to complain about alleged discrimination against oneself or others;
Taking part in an internal or external investigation of employment discrimination, including harassment;
Filing or being a witness in a charge, complaint, or lawsuit alleging discrimination;
Communicating with a supervisor or manager about employment discrimination, including harassment;
Answering questions during an employer investigation of alleged harassment;
Refusing to follow orders that would result in discrimination;
Resisting sexual advances, or intervening to protect others;
Reporting an instance of harassment to a supervisor;
Requesting accommodation of a disability or for a religious practice;
Asking managers or co-workers about salary information to uncover potentially discriminatory wages;
Providing information in an employer’s internal investigation of an EEO matter;
Refusing to obey an order reasonably believed to be discriminatory;
Advising an employer on EEO compliance;
Resisting sexual advances or intervening to protect others;
Passive resistance (allowing others to express opposition);
Requesting reasonable accommodation for disability or religion;
Complaining to management about EEO-related compensation disparities;
Talking to coworkers to gather information or evidence in support of a potential EEO claim; or
Other acts of opposition.

In order for the protection against opposition to apply, however, the individual must act with a reasonable good faith belief that the conduct opposed is unlawful or could become unlawful if repeated. Opposition not based on such a good faith belief is not protected. Employers should note that the EEOC takes the position that opposition by an employee could qualify as reasonable opposition protected against retaliation when an employee or applicant complains about behavior that is not yet legally harassment (i.e., even if the mistreatment has not yet become severe or pervasive) or to complain about conduct the employee believes violates the EEO laws if the EEOC has adopted that interpretation, even if some courts disagree with the EEOC on the issue.

Furthermore, an individual opposing a perceived violation of an EEO law is disqualified for protection against retaliation for his opposition unless the individual behaves in a reasonable manner when expressing his opposition. For example, threats of violence, or badgering a subordinate employee to give a witness statement, are not protected opposition.

Subject to these conditions, however, the Guidance states that retaliation for opposing perceived unlawful EEOC practices need not be applied directly to the employee to qualify for protection. If an employer, employment agency or union takes an action against someone else, such as a family member or close friend, in order to retaliate against an employee, the EEOC says both individuals would have a legal claim against the employer.

Moreover, according to the EEOC, the prohibitions against retaliation for participation and opposition apply regardless of whether the person is suffers the retaliation for acting as a witness or otherwise participating in the investigation of a prohibited practice regarding an EEO complaint brought by others, or for complaining of conduct that directly affects himself.

Materially Adverse Action

To fall within EEO law prohibitions against retaliation, the retaliatory actions must be “materially adverse,” which the Guidance defines to include any action that under the facts and circumstances might deter a reasonable person from engaging in protected activity. This definition of “materially adverse” sweeps broadly to include more than employment actions such as denial of promotion, non-hire, denial of job benefits, demotion, suspension, discharge, or other actions that can be challenged directly as employment discrimination. It also encompasses within the scope of retaliation employer action that is work-related, as well as other actions with no tangible effect on employment, or even an action that takes place exclusively outside of work, as long as it may well dissuade a reasonable person from engaging in protected activity.

Whether an action is materially adverse depends on the facts and circumstances of the particular case. The U.S. Supreme Court has held that transferring a worker to a harder, dirtier job within the same pay grade, and suspending her without pay for more than a month (even though the pay was later reimbursed) were both “materially adverse actions” that could be challenged as retaliation. The Supreme Court has also said that actionable retaliation includes: the FBI’s refusing to investigate death threats against an agent; the filing of false criminal charges against a former employee; changing the work schedule of a parent who has caretaking responsibilities for school-age children; and excluding an employee from a weekly training lunch that contributes to professional advancement.

In contrast, a petty slight, minor annoyance, trivial punishment, or any other action that is not likely to dissuade an employee from engaging in protected activity in the circumstances is not “materially adverse.” For example, courts have concluded on the facts of given cases that temporarily transferring an employee from an office to a cubicle was not a materially adverse action and that occasional brief delays by an employer in issuing refund checks to an employee that involved small amounts of money were not materially adverse.

The facts and circumstances of each case determine whether a particular action is retaliatory in that context. For this reason, the same action may be retaliatory in one case but not in another. Depending on the facts, other examples of “materially adverse” actions may include:

Work-related threats, warnings, or reprimands;
Negative or lowered evaluations;
Transfers to less prestigious or desirable work or work locations;
Making false reports to government authorities or in the media;
Filing a civil action;
Threatening reassignment;
Scrutinizing work or attendance more closely than that of other employees, without justification;
Removing supervisory responsibilities;
Engaging in abusive verbal or physical behavior that is reasonably likely to deter protected activity, even if it is not yet “severe or pervasive” as required for a hostile work environment;
Requiring re-verification of work status, making threats of deportation, or initiating other action with immigration authorities because of protected activity;
Terminating a union grievance process or other action to block access to otherwise available remedial mechanisms; or
Taking (or threatening to take) a materially adverse action against a close family member (who would then also have a retaliation claim, even if not an employee).

ADA Interference Claims

In addition to the need to manage potential exposures for prohibited retaliation, employers, employment agencies and unions also should be careful to manage their exposure to potential liability arising from claims for wrongful interference and individual’s exercise of the disability rights or protections granted under the ADA.

The ADA generally prohibits disability discrimination, limits an employer’s ability to ask for medical information, requires confidentiality of medical information, and gives employees who have disabilities the right to reasonable accommodations at work absent undue hardship and like other EEO laws, prohibits retaliation. In addition to its prohibitions against retaliation, however, the ADA also more broadly prohibits “interference” with statutory rights under the ADA.

Interference is broader than retaliation. The ADA’s interference provision makes it unlawful to coerce, intimidate, threaten, or otherwise interfere with an individual’s exercise of ADA rights, or with an individual who is assisting another to exercise ADA rights.

In addition, the ADA also prohibits employers from interfering with ADA rights by doing anything that makes it more difficult for an applicant or employee to assert any of these rights such as using threats or other actions to discourage someone from asking for, or keeping, a reasonable accommodation; intimidating an applicant or employee into undergoing an unlawful medical examination; or pressuring an applicant or employee not to file a disability discrimination complaint.

Prohibited interference may be actionable under the ADA even if ineffective and even if the person subjected to intimidation goes on to exercise his ADA rights.

While acknowledging that some employer actions may be both retaliation and interference, or may overlap with unlawful denial of accommodation, the Guidance identifies the following actions as examples of interference prohibited under the ADA:
Coercing an individual to relinquish or forgo an accommodation to which he or she is otherwise entitled;
Intimidating an applicant from requesting accommodation for the application process by indicating that such a request will result in the applicant not being hired;
Threatening an employee with loss of employment or other adverse treatment if he does not “voluntarily” submit to a medical examination or inquiry that is otherwise prohibited under the statute;
Issuing a policy or requirement that purports to limit an employee’s rights to invoke ADA protections (e.g., a fixed leave policy that states “no exceptions will be made for any reason”);
Interfering with a former employee’s right to file an ADA lawsuit against the former employer by stating that a negative job reference will be given to prospective employers if the suit is filed; and
Subjecting an employee to unwarranted discipline, demotion, or other adverse treatment because he assisted a coworker in requesting reasonable accommodation.

According to the EEOC, a threat does not have to be carried out in order to violate the interference provision, and an individual does not actually have to be deterred from exercising or enjoying ADA rights in order for the interference to be actionable.

Strategies To Help Deter Or Rebut Retaliation Charges

Even though individuals claiming retaliation technically bear the burden of proving more likely than not that he suffered an adverse employment action more probably than not as a result of retaliation, an employer, employment agency or union charged with illegal retaliation frequently need to rebut or undermine a claimant’s evidence of retaliation by having and introducing admissible evidence that it a non-retaliatory reason for taking the challenged action such as evidence that:

The employer was not, in fact, aware of the protected activity;
There was a legitimate non-retaliatory motive for the challenged action, that the employer can demonstrate, such as poor performance; inadequate qualifications for position sought; qualifications, application, or interview performance inferior to the selectee; negative job references (provided they set forth legitimate reasons for not hiring or promoting an individual); misconduct (e.g., threats, insubordination, unexcused absences, employee dishonesty, abusive or threatening conduct, or theft); or reduction in force or other downsizing;
Similarly-situated applicants or employees who did not engage in protected activity were similarly treated;
Where the “but-for” causation standard applies, there is evidence that the challenged adverse action would have occurred anyway, despite the existence of a retaliatory motive; or
Other credible evidence showing a legitimate, non-discriminatory and non-retalitory motive behind the action.

It is important that employer other other potential defendants in retaliation actions recognize and take appropriate steps to create and retain evidence documenting these or other legitimate business reasons justifying the action prior to taking adverse action. Many employer or other defendants charged with discrimination or retaliation discover too late that a rule of evidence commonly referred to as the “After Acquired Evidence Doctrine” often prevents an employer or other defendant from using documentation or other evidence of motive created after the adverse action occurs. Consequently, employer and other potential targets of retaliation claims before taking the adverse action would be wise to carefully collect, document and retain the evidence and analysis showing their adverse action was taken for a legitimate, nonretalitory, nondiscriminatory reason rather than for any retaliatory purpose.

Other Defensive Actions & Strategies

Beyond taking care to document and retain evidence of its legitimate motivations for taking an adverse employment action, employers, employment agencies and unions interested in avoiding or enhancing their defenses against retaliation or interference claims also may find it helpful to:

Maintain a written, plain-language anti-retaliation and anti-interference policy that provides practical guidance on the employer’s expectations with user-friendly examples of what to do and not to do;
Send a message from top management that retaliation and interference are prohibited and will not be tolerated;
Ensure that top management understands and complies with policies against prohibited discrimination, retaliation and interference;
Consistently and fairly administer all equal employment opportunity and other policies and procedures in accordance with applicable laws in a documented, defensible manner;
Post and provide all required posters or other equal employment opportunity notices;
Timely and accurately complete and file all required EEO reports;
Clearly communicate orally and in writing the policy against prohibited retaliation and interference, as well as procedures for reporting, investigating and addressing concerns about potential violations of these policies in corporate policies as well as to employees complaining or participating in investigations or other protected activities;
Conduct documented training for all managers, supervisors and other employees and agents of the employer about policies against prohibited discrimination, retaliation, and interference including, as necessary, specific education about specific behaviors or situations that could raise retaliation or interference concerns, when and how to report or respond to such concerns and other actions to take to prevent or stop potential retaliation and interference;
Establish and administer clear policies and procedures for reporting and investigating claims or other indicators of potential prohibited employment discrimination, retaliation, interference including appropriate procedures for monitoring and protecting applicants and workers who have made claims of discrimination or have a record of involvement in activities that might qualify for corrective action;
Review performance, compensation and other criteria for potential evidence of overt or hidden bias or other evidence of potential prohibited retaliation or interference and take documented corrective action as needed to prevent improper bias from adversely corrupting decision-making process;
Conduct timely, well-documented investigations of all reports or other evidence of suspected discrimination, retaliation, and interference including any disciplinary, remedial or corrective action taken or foregone and the justification underlying these actions;
Obtain and enforce contractual reassurances from recruiting, staffing and other contractors to adhere to, and cooperate with the employer in its investigation and redress of the nondiscrimination, data collection and reporting, anti-retaliation and anti-interference requirements of equal employment opportunity and other laws;
Incorporate appropriate inquiries and other procedures for documented evaluating and monitoring that hiring, staffing, performance review, promotion, demotion, discipline, termination and other employment decisions and actions for evidence or other indicators of potential prohibited discrimination, retaliation, interference or other prohibited conduct and take corrective action as necessary based on the evidence developed; and
Designate appropriately empowered and trained members of the management of the employer to receive and investigate complaints and other potential concerns;
Arrange for an unbiased third party review of the adverse action or the performance or other decision criteria, processes and analysis that the employer or other defendant contemplates relying on to decide and implement employment decisions for indicators of potential discriminatory, retaliatory or other illegal or undesirable biasand take corrective action as needed to address those concerns before undertaking employment actions;
Evaluate and allocate appropriate funds within the employer’s budget to support the employer’s compliance efforts as well as to provide for the availability of sufficient funds to investigate and defend potential charges or public or private charges of illegal discrimination, retaliation or interference through the purchase of employment practices liablity or other insurance coverages or otherwise;
If a manager or other party recommends an adverse action in the wake of an employee’s filing of an EEOC charge or participation in other protected activity, conducting or arranging for an another party to ndependently evaluate whether the adverse action is appropriate;
Proactively seek assistance from qualified legal counsel with the design and review of policies, practices and operations, investigation and analysis of internal or external complaints or other concerns about potential prohibited discrimination, retaliation or interference, review and execution of termination, discipline or other workforce events to mitigate discrimination, retaliation or interference risks as well as the defense of EEOC or private enforcement actions; and
Be ever diligent in your efforts to prevent, detect and redress actions or situations that could be a basis for retaliation or interference claims.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecture and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Labor & Employment,”“Tax: Erisa & Employee Benefits” “Health Care” and “Business and Commercial Law” by D Magazine.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a former ABA Joint Committee on Employee Benefits Council Representative and , Ms. Stamer helps management manage.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™. All other rights reserved.

Comments Off on Manage Retaliation Risks In Response To Updated EEOC Enforcement Guidance, Rising Retaliation Claims | Accommodation, ADA, Affirmative Action, Civil Rights, compensation, Corporate Compliance, corporate governance, Disability, Disability, Disability Discrimination, Disability Plans, Discrimination, E-Verify, EEOC, employee, Employee Benefits, Employer, Employers, Employment, Employment Discrimination, Government Contractors, Hiring, HR, Human Resources, Internal Controls, Internal Investigations, Leave, LEP, LGBT, Management, Managment, Risk Management, Sexual Harassment, Uncategorized, Workforce | Tagged: Civl Rights, Discrimination, EEOC, Employee, Employer, Employment Agency, employment discrimination, Equal Employment Opportunity, Interference, Retaliation, Union | Permalink
Posted by Cynthia Marcotte Stamer

Criminal Conviction Of Plan Trustee, Outside Legal Counsel Shows Risks of Retaliating Against Whistleblowers For Reporting ERISA Violations

August 1, 2016

The U.S. Department of Labor’s just announced successful whistleblower prosecution in Perez v. Scott Brain, et al of an employee benefit plan trustee, and an individual lawyer and her law firm that served as the employee benefit plan’s outside legal counsel of violating the fiduciary responsibility and whistleblower rules of the Employee Retirement Income Security Act of 1974 (ERISA) illustrates why employee benefit plan sponsors, trustees or other fiduciaries, their management, legal counsel, auditors and other service providers must both prudently investigate whistleblower allegations or other evidence of potential wrongdoing involving their employee benefit plans and resist the temptation to retaliate against employees or others for reporting or cooperating in the investigation of alleged improprieties involving an employee benefit plan.

The Brain decision highlights the care that employee benefit plan sponsors, fiduciaries, advisors and service providers and their management must use when responding to allegations or other evidence of wrongdoing relating to an employee benefit plan or its administration, investigating and addressing alleged misconduct or other performance or disciplinary concerns involving parties whose report or involvement in investigations of ERISA or other misconduct could form the basis of a potential ERISA 510 or other retaliation complaint.

The decision also makes clear that outside legal counsel advising an employee benefit plan or its fiduciaries in relation to the investigation or response to charges of ERISA misconduct involving an employee benefit plan must use care to avoid actions that could render them liable for participation in acts of illegal retaliation, violating their duty of loyalty to the plan by allowing themselves to become involved in a conflict of interest when investigating or defending potential wrongdoing involving an employee benefit plan, or engaging in other discretionary actions that could constitute a breach of fiduciary duty in violation of ERISA.

In Perez v. Scott Brain, et al., the U.S. District Court for the Central District of California ruled that Cement Masons Southern California Trust Fund’s trustee and Cement Masons Local 600 business manager, Scott Brain (Brain) and outside trust fund legal counsel, Melissa Cook, violated sections 510 and 404 of ERISA by causing the firing a trust fund employee Cheryle Robbins (Robbins) and an employee of the plan’s third party administrator, Cory Rice (Rice), in retaliation for their involvement in filing an internal complaint about and cooperating with the Labor Department’s Employee Benefit Security Administration’s federal criminal investigation of reports of Brain’s wrongful interference as a trustee with collections and contributions from unionized employers.

In 2011, Robbins, director of the trust funds’ audit and collections department, responded to a federal criminal investigation into Brain’s activities with contractors. The same year, she and Rice, who worked for the third-party administrator to the trust fund, American Benefit Plan Administrators, now, Zenith American Solutions (Zenith), participated in an effort to complain about Brain’s interference with efforts to collect delinquent contributions from contractors. Within weeks of this conduct, Robbins was suspended from her employment with the trust fund. Less than six months later, both Robbins and Rice were fired.

The court’s 71-page decision chronicles the coordinated retaliatory campaign orchestrated by Brain and Cook that led to Robbins’ suspension and firing by the employee benefit plan as well as the termination of Cook by his employer, Zenith..

With respect to Robbins’ suspension, the court found that the evidence showed Brain and Cook “were very upset with Robbins due to her contact with the [Department of Labor],” and that Brain and Cook “used their positions and influence to cause the other trustees to vote in favor of” suspending Robbins. To do so, the court explained, Brain and Cook “took the lead at the . . . [b]oard meeting with respect to the discussion of Robbins’ contact with the [Department of Labor]” and “created an environment that was hostile to her,” which “caused the trustees to vote to place her on leave.” The court noted that the two “‘set in motion’ the decision by the Joint Board to put Robbins on leave [.]”

As for Rice’s firing, the court explained how Brain and Cook retaliated against Rice by pressuring his employer, Zenith, into firing Rice and manipulating the Zenith relationship to deter Zenith from rehiring Rice in retaliation for his involvement in efforts to make an internal complaint about Brain.

Based upon evidence introduced during a five-day trial, the District Court ruled that Brain, Cook and Cook’s law firm violated ERISA section 510 by suspending and then discharging Robbins, and causing Zenith to refuse to hire Robbins and to discharge Rice in retaliation for their participation in reporting Brian’s misconduct to the General President of the Operative Plasterers’ and Cement Masons’ International Association and because Robbins participated in a federal criminal investigation of Brain. Specifically, the District Court ruled:

Brain, Cook and Cook’s law firm wrongfully retaliated against Robbins in violation of ERISA 510 for her communications with the DOL by placing her on administrative leave; causing the work performed by the department that Robbins previously managed to be outsourced to Zenith and by causing Zenith not to hire Robbins to participate in its work;
Brain, Cook and Cook’s law firm wrongfully retaliated against Rice in violation of ERISA 510 by causing Zenith to terminate Cook;
Brain breached his fiduciary duty under ERISA 404 by retaliating against Robbins and causing her to be placed on administrative leave and that Cook knowingly participated in that breach.

The court held that Brain and Cook’s retaliatory conduct violated section 510 of ERISA, which prohibits retaliation against whistleblowers for complaining of ERISA violations or cooperating with a governmental investigation of such violations. The court also held that the couple’s retaliation against Robbins breached Brain’s fiduciary duties under ERISA section 404 to the trust funds and that Cook participated knowingly in that breach.

In reaching its decision, the court rejected attorney Cook’s argument that she was somehow immunized from her unlawful conduct because she was an attorney to the trust funds. Among other things, the court noted the “apparent conflict of interest” Cook had in representing the trust funds while being in an undisclosed “romantic relationship” with Brain, which existed as defendants carried out their retaliatory scheme. Reminding lawyers of their ethical duties in California, the court cited California Rule of Professional Conduct 3-310(B), which the court explained “requires that an attorney disclose to a client any personal relationship or interest that he or she knows, or with the exercise of reasonable diligence should know, could substantially affect her his or her professional judgment in advising the client.”

As punishing for these criminal violations of ERISA, the District Court ordered the permanent removal of Brain as a trustee. It also ordered the permanent barring of Brain, Cook and her law firm from serving the Cement Masons Southern California Trust Funds. In addition, the court ordered Cook and her law firm to repay all attorneys’ fees she billed the trust funds for the actions she took in retaliating against whistleblowers Robbins and Rice. These criminal sanctions were in addition to the $630,000 civil damage award that the Labor Department previously secured in lost wages and damages for Robbins, Rice and another worker victimized by Brain and Cook in August 2015.

In addition to its successful prosecution of Brain, Cook and Cook’s law firm on these charges, the DOL also had sought, but failed to convince the District Court based on the evidence presented at trial to find Brain, Cook, Cook’s law firm and Brain’s fellow trust fund trustee Local 600 business agent and Joint Board of Trustees member Jaime Briceno guilty of wrongful retaliation against another alleged whistleblower or Briceno of breaching his fiduciary duties under ERISA by failing to prudently investigate Robbins’ allegations against Brain; or by voting to use assets of the Trust Funds to pay the cost of the settlement of the civil action brought by Robbins. The District Court also refused to consider a newly raised charge that Brain breached his fiduciary duty by failing to collect all monies owed to the Trust Funds on the grounds that the Labor Department had failed to timely raise the charge. While the court refused to convict Briceno, Brain, Cook or Cook’s law firm on the additional charges, the Labor Department’s prosecution of these claims illustrates that along with abstaining from retaliating against ERISA whistleblowers, employee benefit plan fiduciaries also should position themselves to defend against potential breach of fiduciary duty claims based on alleged inadequacies in their investigation or response to reports or other evidence of misconduct involving the plan by prudently investigating and acting to redress allegations or other evidence of potential wrongdoing in the administration of employee benefit plans or their assets.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” in ERISA, Labor and Employment and Healthcare Law by D Magazine for her nearly 30 years of experience and knowledge representing and advising employers, employee benefit plans, their sponsors, fiduciaries, service providers and vendors and others on these and other planning, business transaction and contracting, administration, compliance, risk management, audits, investigations, government and private litigation and other enforcement and other related matters.

past Chair and current committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a former ABA Joint Committee on Employee Benefits Council Representative ,

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping management manage. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, she de[;pus jer her extensive legal and operational knowledge and experience to help organizations and their management use the law and process to manage people, process, compliance, operations and risk.

As a key part of this work, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

A former lead consultant to the Government of Bolivia on its Social Security reform law Ms. Stamer also is well-known for her leadership on U.S. health and pension, wage and hour, tax, workforce, tax, education, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer for many years acted as the scribe responsible for leading the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights annual agency meeting and regularly participates in the OCR and other JCEB annual agency meetings, and participates in the development and submission of comments and other input to the agencies on regulatory, enforcement and other concerns. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer serves on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and as an editorial advisor and contributing author of many other publications. Her leadership involvements with the American Bar Association (ABA) include year’s serving many years as a Joint Committee on Employee Benefits Council representative; ABA RPTE Section current Practice Management Vice Chair and Substantive Groups & Committees Committee Member, RPTE Employee Benefits & Other Compensation Committee Past Group Chair and Diversity Award Recipient, current Defined Contribution Plans Committee Co-Chair, and past Welfare Benefit Plans Committee Chair Co-Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; International Section Life Sciences Committee Policy Vice Chair; and a speaker, contributing author, comment chair and contributor to numerous Labor, Tax, RPTE, Health Law, TIPS, International and other Section publications, programs and task forces. Other selected service involvements of note include Vice President of the North Texas Healthcare Compliance Professionals Association; past EO Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former Southwest Benefits Association Board of Directors member, Continuing Education Chair and Treasurer; former Texas Association of Business BACPAC Committee Member, Executive Committee member, Regional Chair and Dallas Chapter Chair; former Society of Human Resources Region 4 Chair and Consultants Forum Board Member and Dallas HR Public Policy Committee Chair; former National Board Member and Dallas Chapter President of Web Network of Benefit Professionals; former Dallas Business League President and others. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on Criminal Conviction Of Plan Trustee, Outside Legal Counsel Shows Risks of Retaliating Against Whistleblowers For Reporting ERISA Violations | 401(k), Appeals, Attorney-Client Privilege, Banking, Bankruptcy, board of directors, Brokers, Claims Administration, compensation, compliance, Corporate Compliance, corporate governance, Cybercrime, defined benefit plan, defined contribution plan, Disability Plans, EBSA, employee, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health insurance, health plan, Health Plans, HR, Human Resources, Insurance, insurers, Internal Controls, Internal Investigations, Labor Management Relations, Malpractice, Reporting & Disclosure, Uncategorized | Tagged: defined contribution plan, EBSA, employee benefit plans, Employer, ERISA, ERISA 404, ERISA 510, Fiduciary responsiility, Health Plan, Health Plans, Multiemployer collectively bargained employee benefit plans, Retailiation, Retirement Plans, Union, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement

July 28, 2016

Employers, insurers and other health plan sponsors or issuers (health plans), health care providers, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC) documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.

UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement

Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.

Like many prior resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing. OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR. UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.

UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.

In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report. Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.

While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR’s additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.

Based on these findings, OCR charged UMMC with the following HIPAA violations:

From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. § 164.312 (a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI,, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.

Lessons For Other Covered Entities From UMMC Resolution Agreement

The UMMC charges and Resolution Agreement contains several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed..

Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.

Furthermore, the charges and Resolution Agreement also adds a new twist to OCR’s now well established to stiffly sanction covered entities and their business associates that fail appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI. The UMMC charges and Resolution Agreement makes clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption. Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.

The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop as well as other data bases and systems containing ePHI accessible through the laptop. In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:

To safeguard the physical security of laptops and other mobile devices;
To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.

Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguard by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.

In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels. Stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” She also warned “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

Additionally, the Resolution Agreement also illustrates need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.

Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns. The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Comments Off on Health Plans & Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement | Civil Rights, Claims Administration, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, employee, Employee Benefits, Employer, Employers, Employment, Employment Discrimination, ERISA, FACTA, GINA, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Mental Health Parity, Uncategorized | Tagged: Business Associate, Corporate Compliance, Data Breach, employee benefitsd, Employer, Health Insurance, Health Insurer, HIPAA, Insurance, Medical Privacy, OCR, Office of Civil Rights, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans Disclosing Data To State All Payer Data Banks Face HIPAA Risks

May 31, 2016

Self-insured employer or union sponsored health plans (Plans), their fiduciaries, third party administrative or other service providers, and sponsors should consult legal counsel for advice about whether their Plans might violate the Privacy Rule of the Health Insurance Portability & Accountability Act (HIPAA) by disclosing individually identifiable claims or other Plan records or data to a state “all payer” claims or other data base in response to a state law or regulation mandating those disclosures in light of the Supreme Court’s recent ruling in Gobeille v. Liberty Mutual, 136 S. Ct. 936 (2016).

Gobeille involved a challenge to a Vermont “all payer” law similar to laws enacted by at least 20 other states, that requires health plan payers, their administrators or both to disclose individually identifiable health claims and other claims data about Plan members to a state created all payer data base. The Vermont law challenged in Gobeille required health insurers and other payers to disclose treatment information about Plan members as well as other certain health care claim payment and other data to an all payer claims database, which under the law is made “available as a resource for insurers, employers, providers, purchasers of health care, and State agencies to continuously review health care utilization, expenditures, and performance in Vermont. See Gobeille at 941. Vermont’s law requires third party administrators of self-insured Plans and other payers to disclose the information regardless of whether the member resides or received the treatment in Vermont.

In Gobeille, the Supreme Court ruled that the preemption provisions of Section 514 of the Employee Retirement Income Security Act (ERISA) bar Vermont from requiring self-insured ERISA Plans

In addition to excusing self-insured Plans from the trouble and expense of complying with Vermont’s disclosure law, the Supreme Court’s ruling in Gobeille that Vermont cannot enforce the law against self-insured ERISA Plans raises a concern that the Privacy Rules of HIPAA may prohibit Plans from disclosing certain individually identifiable claims information. The HIPAA compliance concern arises because the claims information and other data that the Vermont and most other similar laws require Plans and other payers to disclose generally is or include information that qualifies as “protected health information” within the meaning of the HIPAA Privacy Rule. These laws generally are structured either to directly require self-insured Plans to disclose the claims data directly, indirectly compel the disclosure by requiring third party administrators of such Plans to disclose the claims information for Plans they administer, or both.

Under the HIPAA Privacy Rule, Plans and other HIPAA-covered entities and service providers acting as business associates of the Plans are prohibited from using or disclosing individually identifiable protected health information unless the use or disclosure is expressly authorized by the Privacy Rule. Since violations of the Privacy Rule trigger substantial civil or even criminal penalties under HIPAA, Plans, their fiduciaries, service providers acting as business associates and other members of their workforce need to verify that the disclosure meets all of the requirements to fall within an exception to the Privacy Rule’s prohibition against disclosure before allowing such a disclosure

Before Gobeille, many self-insured Plans and their administrators treated the disclosures of individually identifiable claims data of the Plans as permitted as a disclosure “required by law” Privacy § 164.512(a), which provides in relevant part:

a) Standard: Uses and disclosures required by law.

(1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.

The Gobeille ruling that that the Vermont law is unenforceable against self-insured Plans appears to eliminate the availability of this exception as a basis for allowing disclosures in response to the Vermont law as well as calls into question the ability of Plans to rely upon the “required by law” exception to the Privacy Rule to justify disclosures of protected health information to state all payer data bases in response to similar requirements enacted in the other 20 states that have enacted similar mandates. Plans that previously disclose or intend in the future to disclose protected health information to a state all payer data base in Vermont or another state generally will want to carefully document their justification, if any for making that disclosure under the Privacy Rule.

Unless the disclosure otherwise falls within another exception to the HIPAA Privacy Rule against disclosures without authorization, Plans, their sponsors, fiduciaries, third party administrators and other service providers and other members of the Plan workforce at minimum should be concerned that the HIPAA risks of disclosing protected health information in response to these state mandates after Gobeille. Plans that decide not to disclose information otherwise required by such state law requirements in light of the Gobeille ruling or HIPAA concerns may want to consult with qualified legal counsel about the steps, if any, that the Plan might want to take to document its ERISA preemption or other justifications for not providing the otherwise required disclosures.

Beyond evaluating the advisability of future disclosures in response to the Vermont or another similar all payer statute, Plans whose data previously was disclosed by the Plan or its administrator to an all payer data base under the belief that the disclosure was required by law also may want to seek the advice of qualified legal counsel about whether these prior disclosures triggered breach notification responsibilities under the Breach Notification rules of HIPAA with respect to any disclosures previously made. When electronic protected health information is used or disclosed in violation of HIPAA, the Breach Notification Rules of HIPAA generally require Plans and their business associates timely notify impacted individuals and the Department of Health & Human Services Office of Civil Rights (OCR) in accordance with the detailed requirements set forth in OCR’s implementing regulations. Furthermore, where a breach involves 500 or more individuals, the timetable for providing notification to OCR is accelerated and the Plan also is required to provide notification to the media and others.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.

Comments Off on Health Plans Disclosing Data To State All Payer Data Banks Face HIPAA Risks | Brokers, Civil Rights, Claims, Claims Administration, Corporate Compliance, Cybercrime, Data Breach, Data Security, EBSA, employee, Employee Benefits, Employer, Employers, Employment, ERISA, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, health plan, Health Plans, health reform, HIPAA, HIPAA, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Patient Empowerment, Preemption, Privacy, Reporting & Disclosure, Uncategorized | Permalink
Posted by Cynthia Marcotte Stamer

Confirm Health Plan Contraceptive & Colonoscopy Coverage Meets Latest FAQ ACA Preventive Care Guidance

April 27, 2016

Employer and other group health plan sponsors, fiduciaries and administrators and individual and group health insurers should confirm their plan documents and practices comply with new additional guidance on when the Patient Protection and Affordable Care Act (ACA) preventive care mandates set forth in Public Health Services (PHS) Act section 2713, the Employee Retirement Income Security Act (ERISA) and the Internal Revenue Code (the Code) require non-grandfathered group health plans to cover colonoscopies and Food and Drug Administration (FDA)-approved contraceptives as preventive services without co-pays or deductibles in light of yet more guidance on the preventive care rule jointly published April 20, 2016 by the Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury (collectively, the “Agencies”) in FAQs about Affordable Care Act Implementation (Part 31) (FAQ 31).

Employer and other plan sponsors, group health plan fiduciaries and insurers alike should make compliance with the ACA preventive care mandates a priority because violations of the preventive coverage rule not only exposes group health plans and insurers to potential liability for wrongful denial of benefits, breach of fiduciary duty for ERISA covered arrangements and other similar insurance claims for insurers under state law, noncompliance with these mandates generally triggers liability for an employer to self-assess, self-report on Internal Revenue Service Form 8928 an excise penalty of $100 per participant per day for each day of uncorrected violation. With most employers sponsoring plans facing a deadline to file Form 8928’s for any uncorrected disclosures soon, now is the time to review and correct any violations of the preventive care guidelines over the past year and preventing future deadlines.

ACA Preventive Care Mandate Overview

The preventive care mandates of ACA generally require that health insurance or plan coverage offered in the individual or group market cover the following items or services without imposing any cost-sharing requirements:

Evidence-based items or services that have in effect a rating of “A” or “B” in the current recommendations of the United States Preventive Services Task Force (USPSTF) with respect to the individual involved, except for the recommendations of the USPSTF regarding breast cancer screening, mammography, and prevention issued in or around November 2009, which are not considered in effect for this purpose;
Immunizations for routine use in children, adolescents, and adults that have in effect a recommendation from the Advisory Committee on Immunization Practices (ACIP) of the Centers for Disease Control and Prevention (CDC) with respect to the individual involved;
With respect to infants, children, and adolescents, evidence-informed preventive care and screenings provided for in comprehensive guidelines supported by the Health Resources and Services Administration (HRSA); and
For women, evidence-informed preventive care and screening provided for in comprehensive guidelines supported by HRSA, to the extent not included in certain recommendations of the USPSTF subject to special rules with respect to coverage of contraceptive services for group health plans and group health insurance coverage provided in connection with group health plans established or maintained by religious employers.

See 1.26 CFR 54.9815-2713, 29 CFR 2590.715-2713, 45 CFR 147.130.

If a recommendation or guideline does not specify the frequency, method, treatment, or setting for the provision of a recommended preventive service, then the plan or issuer may use reasonable medical management techniques to determine any such coverage limitations. See 26 CFR 54.9815-2713(a)(4), 29 CFR 2590.715-2713(a)(4), 45 CFR 147.130(a)(4).

FAQ 31 On Coverage of Colonoscopies Pursuant to USPSTF Recommendations

Concerning colonoscopies, FAQ 31 states that because the Agencies view preparation for a preventive screening colonoscopy an integral part of the procedure, bowel preparation medications, when medically appropriate and prescribed by a health care provider, are an integral part of the preventive screening colonoscopy that group health plans and health insurers must cover without cost sharing, subject to reasonable medical management).

Coverage of Food and Drug Administration (FDA)-approved Contraceptives

FAQ 31 also supplements an already extensive list of Agency guidance concerning when group health plans and health insurers must cover contraceptives as preventive care without cost sharing under ACA stemming from the HRSA Guidelines’ inclusion of a recommendation of all FDA-approved contraceptive methods, sterilization procedures, and patient education and counseling for all women with reproductive capacity, as prescribed by a health care provider.

FAQs about Affordable Care Act Implementation (Part XII), Q14 (FAQ 12) previously released in 2013 states the HRSA Guidelines ensure women’s access to the full range of FDA-approved contraceptive methods including, but not limited to, barrier methods, hormonal methods, and implanted devices, as well as patient education and counseling, as prescribed by a health care provider. FAQ 12 also states group health plans and insurers may use reasonable medical management techniques to control costs and promote efficient delivery of care, such as covering a generic drug without cost sharing and imposing cost sharing for equivalent branded drugs provided that the plan or insurer accommodates any individual for whom a particular drug (generic or brand name) would be medically inappropriate, as determined by the individual’s health care provider, by having a mechanism for waiving the otherwise applicable cost sharing for the brand or non-preferred brand version.

In FAQs about Affordable Care Act Implementation (Part XXVI), Q2 and Q3 (FAQ26) subsequently published on May 15, 2016, the Agencies clarified that group health plans and health insurers:

Must cover without cost sharing at least one form of contraception in each of the methods (currently 18) identified for women by the FDA;
To the extent plans and issuers use reasonable medical management techniques within a specified method of contraception, must have an easily accessible, transparent, and sufficiently expedient exceptions process that provides for making a determination on the claim according to a timeframe and in a manner that takes into account the nature of the claim (e.g., pre-service or post-service) and ensures the medical exigencies involved for a claim involving urgent care is not unduly burdensome on the individual or provider (or other individual acting as a patient’s authorized representative, including a provider) to ensure coverage without cost sharing of any service or FDA-approved item within the specified method of contraception;
Must defer to the determination of the attending provider and cover a service or item without cost sharing a particular service or FDA-approved item that the individual’s attending provider recommends based on a determination of medical necessity with respect to that individual, where medical necessity could include considerations such as severity of side effects, differences in permanence and reversibility of contraceptives, and ability to adhere to the appropriate use of the item or service, as determined by the attending provider; and
In the case of health insurers required to provide essential health benefits (EHB) under the ACA, must have an exceptions process that meets the standards in 45 CFR 156.122(c).

FAQ 31 supplements this previous Agency guidance by confirming that group health plans and health insurers may develop a standard exception form with instructions that an attending provider may use to prescribe a particular service or FDA-approved item based on a determination of medical necessity with respect to the individual involved and suggests the Medicare Part D Coverage Determination Request Form as an appropriate model for the development of such forms.

Act To Verify Compliance, Leverage Opportunities

FAQ 31 and the other guidance presents a two-edged sword for health insurers and group health plans and their sponsors. On one hand, failing to design and administer their health benefit programs to comply with these and other rules and interpretations about the preventive care and other federal health plan mandates imposed by the ACA or other laws can trigger significant liability for insurers as well as group health plans and theirsponsoring employers. On the other hand, group health plans and insurers that carefully design and administer their arrangements to comply with the guidance also can take advantage of opportunities to manage utilization and costs using the narrow windows of opportunity offered within the guidance.

In either case, careful, well-documented efforts to verify compliance in response to the evolving guidance is important to prevent unanticipated violations and position group health plans, their sponsoring employers and fiduciaries and insurers to mitigate potential exposures in the event of a violation of existing or subsequently published guidance.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., Ms. Stamer’s more than 28 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer helps management manage. Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well-known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

A Fellow in the American College of Employee Benefit Counsel, Ms. Stamer uses her deep and highly specialized knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions. In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by email here or by telephone at (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on Confirm Health Plan Contraceptive & Colonoscopy Coverage Meets Latest FAQ ACA Preventive Care Guidance | 4980D, 6039D, ACA, board of directors, Claims Administration, compensation, compensation transparency, compliance, Contraception, EBSA, employee, Employee Benefits, Employer, Employers, Employment, ERISA, Excise Taxes, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HR, Human Resources, Insurance, Internal Controls, Internal Revenue Code, IRC, Medicare Part D, Obamacare, Patient Protection & Affordable Care Act, preventive care, Uncategorized, Wellness Programs | Tagged: ACA, Contraceptive Coverage, Employer, Form 8928, group health plan, health coverage, Health Plan, Health Plans, Patient Proection and Affordable Care Act, preventive care | Permalink
Posted by Cynthia Marcotte Stamer

Business Associate Rule Violations Behind $750K HIPAA Settlement

April 21, 2016

Health Plans, Sponsors & Business Associates Should Verify Plan’s HIPAA Compliance

Employers and other health plan sponsors and the health plan fiduciaries and business associates providing services involving dealings on behalf of the plan with protected health information just received another reminder to confirm and be prepared to prove all required business associate agreements are in place and that the health plans otherwise properly are administering all policies, practices, safeguards and procedures for handling, using and disclosing electronic and other protected health information from the April 20, 2016 Department of Health & Human Services Office of Civil Rights (OCR) announcement of its latest resolution agreement settling Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule charges OCR made against a HIPAA-covered entity for violating HIPAA’s business associate agreement rules.

OCR Charges Brought For Business Associate Agreement Violations

HIPAA’s Privacy Rules generally apply to “covered entities,” which under HIPAA are health plans and insurers, health care providers, health care clearinghouses (Covered Entities) and “business associates,” which are individuals or entities that perform services that aid the Covered Entity to perform its duties as a Covered Entity.

The Resolution Agreement and Corrective Action Plan (Resolution Agreement) with Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) announced by OCR on April 20th requires Raleigh Orthopaedic to pay $750,000 to settle charges OCR it violated the Privacy Rule by handing over protected health information of approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic after receiving a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic violated the Privacy Rules by releasing the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-rays and PHI.

OCR says this sharing of the x-ray files and other protected health information by Raleigh Orthopaedic violated the Privacy Rules.

Specifically, the Privacy Rules prohibit Covered Entities and their business associates from using, accessing and disclosing protected health information except as specifically permitted in the Privacy Rules. As part of these rules, the “Business Associate” requirements of the Privacy Rule prohibit Covered Entities from disclosing or allowing business associates to use, and business associates from receiving or using protected health information unless the parties first enter into a written business associate agreement that complies with the requirements of the Privacy Rules.

The Resolution Agreement settles OCR charges that Raleigh Orthopaedic violated this Business Associate Agreement requirement by sharing the x-rays and other protected health information with the service provider without first entering a business associate agreement. Under the Settlement Agreement, Raleigh Orthopaedic must pay a $750,000 payment, as well as revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the Covered Entity hires the business associate.

Although the Resolution Agreement only addresses charges OCR brought against the Covered Entity, Raleigh Orthopaedic, business associates need to keep in mind that both Covered Entities and business associates now are responsible for ensuring compliance with the business associate agreement requirements of the Privacy Rules since the Stimulus Bill amended HIPAA to make most provisions of the Privacy Rule directly applicable to business associates as well as Covered Entities.

Take Aways For Covered Entities & Their Business Associates

OCR’s announcement of the Resolution Agreement includes a strong message for other Covered Entities and business associates of the importance of taking seriously their responsibility under the Privacy Rule to ensure that the business associate agreement requirements of the Privacy Rule are met before business associates are allowed to receive, access or use protected health information. The announcement quotes Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as stating. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In light of the Business Associate Rule and Director Samuels’ comments, Covered Entities and business associates alike should review the adequacy of their documentation, policies and practices regarding dealings with service providers who are or could collect, receive or use electronic or other protected health information to propose or perform services in the capacity as a business associate. Certainly both Covered Entities and business associates to ensure that they possess and are able to produce if needed signed business associate agreements for each current business associate agreement as well as that appropriate policies, practices and procedures are in place to ensure that all required business associate agreements are implemented before any disclosure or use of protected health information to the business associate in the future. As part of these activities, both Covered Entities and business associates also should ensure their policies and practices appropriately provide for the retention of signed copies of all business associate agreements and other records, and the implementation of all other processes and procedures required to position the entity to be able to demonstrate it not only had policies requiring compliance, but appropriately implemented and administered those policies in accordance with the Privacy Rule.

When conducting this review, Covered Entities and business associates also generally should consider the advisability of also reviewing their business associate agreements and the adequacy of these arrangements in light of any other contractual confidentiality and or contractual rights and commitments, regulatory requirements and other operational and risk management concerns that impact or interrelate with the relationship between the business associate and the Covered Entity. It is important to ensure that appropriate steps are taken to evaluate and properly integrate the confidentiality and other commitments that the Privacy Rules mandate a business associate agreement include with audit, performance assessment, and other data access or disclosure, trade secrets, confidentiality, performance standards and guarantees, indemnity and other contractual obligations of other agreements that could impact or be impacted by the business associate agreements. Steps also should be taken to incorporate appropriate processes and procedures for ensuring that the Covered Entity and members of its workforce understand and consistently administer and document their use of appropriate processes to ensure that the business associate agreement and other requirements of the Privacy Rules are fulfilled. In the case of employer sponsored plans subject to the Employee Retirement Income Security Act of 1974, for instance, the selection and proper oversight of business associates and the management of plan data both are subject to the fiduciary responsibility rules of ERISA. Meanwhile, insurers, business associates and other plan vendors also generally should anticipate that beyond HIPAA, they also may be subject to data security, privacy and other mandates and exposures under state HIPAA-like rules for protected health information, as well as other obligations under insurance, data security, identity theft, breach, privacy and other state laws.

The process of evaluating the adequacy of current arrangement and considering the advisability of changes to tighten existing practices in many cases will result in the discovery and discussion of potentially sensitive information about the adequacy of current or past compliance with the Privacy Rules or other matters. For example, it is possible that in the course of review, parties may be unable to locate a signed business associate agreement governing a relationship that the Privacy Rules require be subject to a business associate agreement or in the course of review, information indicating breaches of protected health information or other Privacy Rule violations may have occurred. For this reason, most Covered Entities and their business associates will want to consider arranging for this review and analysis to be conducted within the scope of attorney-client privilege by or under the direction of qualified legal counsel with HIPAA experience that has entered into a business associate agreement with the Covered Entity or business associate.

About The Author

Throughout her career, Ms. Stamer has advised these and other clients about health care, health plan, financial information, trade secret, privacy and other related compliance, data breach response and remediation and related compliance, risk management and related concerns. In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others.

Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

About Solutions Law Press, Inc.™

Comments Off on Business Associate Rule Violations Behind $750K HIPAA Settlement | Attorney-Client Privilege, board of directors, Corporate Compliance, Cybercrime, Data Breach, Data Security, Employee Benefits, Employer, Employers, Employment, ERISA, FACTA, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HIPAA, HR, Human Resources, Insurance, insurers, Internal Controls, Uncategorized | Tagged: Business Associate, Corporate Compliance, Employee Benefits, Employer, ERISA, Health Insurance, Health Plans, HIPAA, Human Resources, Insurance, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors

April 12, 2016

Employer and other employee benefit plan sponsors, benefit plan committees and fiduciaries, and the broker-dealers, financial advisors, insurance agents and other plan service providers that provide investment-related platforms, advice, recommendations or other services for employee benefit plans need to reevaluate the fiduciary status of their service providers and begin restructuring as necessary their associated relationships, service provider commission or other compensation, service agreements and arrangements or other services in response to a new Regulatory Guidance Package (Rule) that explicitly classifies parties providing “covered investment advice” as fiduciaries subject to the conflict of interest and other fiduciary responsibility rules of the Employee Retirement Income Security Act (ERISA).

Supplementing existing precedent and EBSA’s already existing broad, functional definition of “fiduciary,” the Rule clarifies when individuals and entities that provide “covered investment advice” to plans, plan sponsors, fiduciaries, plan participants, beneficiaries and Individual Retirement Accounts (IRAs) and IRA owners are:

Fiduciaries of the Plan or IRA for purposes of Title I of ERISA;
Required to acknowledge their status and the status of their individual advisers as “fiduciaries” of the plan for purposes of ERISA;
Accountable as fiduciaries for making prudent investment recommendations without regard to their own interests, or the interests of those other than the plan or plan participant or beneficiary that is the customer;
Restricted to charging only “reasonable compensation” for their advice or service;
Prohibited from making misrepresentations to their customers regarding recommended investments; and
Prohibited from providing advice or making payments that involve any conflicts of interest prohibited by ERISA unless the arrangements fully complies with a prohibited transaction exemption issued by EBSA under ERISA Section 408 that otherwise complies with ERISA Section 404.

Concurrent with its adoption of final regulations implementing these new rules concerning investment advisors and their fiduciary responsibilities, the Rule also adopts certain new Prohibited Transaction Exemptions that define requirements that providers of covered investment advice and the plan fiduciaries that engage them generally will be required after April 7, 2017 to ensure are met for investment advisors to receive commission-based compensation for their services, to sell or purchase certain recommended debt securities and other investments out of their own inventories to or from plans and IRAs, or to receive compensation for recommending fixed rate annuity contracts to plans and IRAs.

Investment Advice Covered By The Rule

The final rule applies to “covered investment advice.” For purposes of the rule, “covered investment advice” generally includes:

A recommendation to a plan, plan fiduciary, plan participant and beneficiary and IRA owner for a fee or other compensation, direct or indirect, as to the advisability of buying, holding, selling or exchanging securities or other investment property, including recommendations as to the investment of securities or other property after the securities or other property are rolled over or distributed from a plan or IRA;
A recommendation as to the management of securities or other investment property, including, among other things, recommendations on investment policies or strategies, portfolio composition, selection of other persons to provide investment advice or investment management services, selection of investment account arrangements (e.g., brokerage versus advisory); or recommendations with respect to rollovers, transfers, or distributions from a plan or IRA, including whether, in what amount, in what form, and to what destination such a rollover, transfer, or distribution should be made.

Under the Rule, the fundamental threshold element in establishing the existence of fiduciary investment advice is whether a “recommendation” occurred. The Department has taken an approach to defining “recommendation” that is consistent with and based upon the approach taken by the Financial Industry Regulatory Authority (FINRA), the independent regulatory authority of the broker-dealer industry, subject to the oversight of the Securities and Exchange Commission (SEC).

The Rule specifies that a “recommendation” is a communication that, based on its content, context, and presentation, would reasonably be viewed as a suggestion that the advice recipient engage in or refrain from taking a particular course of action. Under the Rule, the more individually tailored the communication is to a specific advice recipient or recipients, the more likely the communication will be viewed as a recommendation.

The types of relationships that must exist for such recommendations to give rise to fiduciary investment advice responsibilities include recommendations made either directly or indirectly (e.g. through or together with any affiliate) by a person who:

Represents or acknowledges that they are acting as a fiduciary within the meaning of ERISA or the Internal Revenue Code (Code);
Renders advice pursuant to a written or verbal agreement, arrangement or understanding that the advice is based on the particular investment needs of the advice recipient; or
Directs the advice to a specific recipient or recipients regarding the advisability of a particular investment or management decision with respect to securities or other investment property of the plan or IRA.

Also, the Rule only applies where a recommendation is provided directly or indirectly in exchange for a “fee or other compensation.” “Fee or other compensation, direct or indirect” means any explicit fee or compensation for the advice received by the person (or by an affiliate) from any source, and any other fee or compensation received from any source in connection with or as a result of the recommended purchase or sale of a security or the provision of investment advice services including, though not limited to, such things as commissions, loads, finder’s fees, and revenue sharing payments. A fee or compensation is paid “in connection with or as a result of” such transaction or service if the fee or compensation would not have been paid but for the transaction or service or if eligibility for or the amount of the fee or compensation is based in whole or in part on the transaction or service.

Investment Advice Not Covered By Rule

While the Rule reaches broadly, not all communications with financial advisers are covered fiduciary investment advice under the Rule. As a threshold issue, if the communications do not meet the definition of “recommendations” as described above, the communications will be considered non-fiduciary. In response to requests from commenters, and for clarification, the final rule includes some specific examples of communications that would not rise to the level of a recommendation and therefore would not constitute a fiduciary investment advice communication under the Rule.

When evaluating the applicability and effect of these exemptions, however, it is important to keep in mind that by adding the new Rule, EBSA seeks to make clear that individuals or organizations that engage in activities described in the Rule as covered investment advice are fiduciaries subject to these requirements. Since the Rule does not revoke existing EBSA fiduciary guidance or judicial precedent, service providers and other parties with discretionary authority or responsibility over employee benefit plans not covered by the Rule still could qualify as fiduciaries if their authority, responsibility or actions functionally causes them to fall within the definition of a fiduciary under these other pre-existing definitions of fiduciary status. Subject to this cautionary proviso, the following are some of the activities that the Rule identifies as activities that might fall outside the Rule’s covered investment activities in the manner required by the Rule:

“Education” as defined and provided in accordance with the Rule;
“General communications that a reasonable person would not view as an investment recommendation;”
Simply making available a platform of investment alternatives without regard to the individualized needs of the plan, its participants, or beneficiaries if a plan fiduciary independent of the platform service provider actually decides what investment options are offered and the platform service provider also represents in writing to the plan fiduciary that they are not undertaking to provide impartial investment advice or to give advice in a fiduciary capacity; and
Transactions with independent plan fiduciaries where the adviser knows or reasonably believes that the independent fiduciary is a licensed and regulated provider of financial services (banks, insurance companies, registered investment advisers, broker-dealers) or those that have responsibility for the management of $50 million in assets, and other conditions set forth in the Rule are met;
Communications and activities made by advisers to ERISA-covered employee benefit plans in swap or security-based swap transactions when the swap transaction meets certain conditions set forth in the Rule, which EBSA designed in coordination with the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) to avoid conflicts between the Rule and the swap and security-based swap rules promulgated by those agencies under the Dodd–Frank Wall Street Reform and Consumer Protection Act; and
Activities and communications of employees working in the payroll, accounting, human resources, and financial departments of the plan sponsor or its affiliated business who routinely develop reports and recommendations for the company and other named fiduciaries of the sponsors’ plans if the employees receive no fee or other compensation in connection with any such recommendations beyond their normal compensation for work performed for their employer.

New Prohibited Transaction Exemptions Published With Rule

Concurrent with its publication of the Rule, EBSA also is adopting the following new “Prohibited Transaction Exemptions to the otherwise applicable statutory list of prohibited conflict of interest transactions in ERISA Section 406 and the companion rules of the Internal Revenue Code (Code) applicable to qualified retirement plans.

Noncompliance with the Rule, including where necessary to avoid violating ERISA Section 406’s prohibited transaction prohibitions, by parties providing covered investment advice or the engagement or retention of such a service provider by an employer or other party exercising or with responsibility or authority to make that engagement carriers big legal risk. Advisers and financial institutions that don’t meet the BICE standards and other requirements of the Rule expose themselves to liability from breach of fiduciary duty claims under ERISA brought by ERISA plans, participants, and beneficiaries or in the case of IRAs or other non-ERISA plans, state law breach of contract or other state law claims brought by IRAs and other non-ERISA plans or accountholders. Likewise an employer, member of its management or other party responsible for or having authority to choose the service provider risks breaching its own fiduciary duties under ERISA by engaging a party that renders covered investment advice without complying with the Rule. In addition, to the extent that the engagement or activities of the service provider involves commission compensation payments, swaps or other activities that would constitute a prohibited conflict of interest under ERISA Section 406 not structured and conducted with an applicable prohibited transaction exemption, both the service provider and the fiduciary could bear personal liability for involving the plan or its assets in a prohibited transaction in violation of ERISA Section 406. For this reason, to help positions themselves to mitigate or defend against liability for such potential claims, advisors generally should take steps to ensure that the advisor can prove the advisor acted in their clients’ best interest by documenting their use of a reasonable process and adherence to professional standards in deciding to make the recommendation and determining it was in the customer’s best interest, and by documenting their compliance with the financial institution’s policies and procedures required by the Best Interest Contract Exemption.

“Best Interest Contract Exemption” (BICE)

ERISA and the Internal Revenue Code rules for qualified retirement plans generally prohibit individuals or entities providing fiduciary investment advice to plan sponsors, plan participants, and IRA owners to receive payments creating any of the listed statutory conflicts of interest listed in ERISA or the Code without a prohibited transaction exemption (PTE), employee benefit plan sponsors, benefit plan committees and other fiduciaries, and the broker-dealers, financial advisors, insurance agents and other plan service providers providing covered investment services to employee benefit plans also need to ensure that their compensation is structured to ensure that the compensation and other arrangements do not violate these prohibited transaction and conflict of interest prohibitions of the Code and ERISA, ERISA’s reasonable compensation rules, or the other requirements of ERISA.

Concerning ERISA Section 406’s party-in-interest and other conflict of interest requirements, EBSA issued in conjunction with its publication of the Rule a new “Best Interest Contract Exemption” (BICE), which provides a prohibited transaction exception that permits the payment of commission-based compensation to fiduciary investment advisors as long as the conditions specified in the BICE are met. Among other things, the BICE requires as a condition of the applicability of this exception that:

The financial institution to acknowledge in writing fiduciary status for itself and its advisers;
The financial institution and advisers to adhere to ERISA’s basic standards of impartial conduct, including giving prudent advice that is in the customer’s best interest, avoiding making misleading statements, and receiving no more than reasonable compensation;
The financial institution to have policies and procedures designed to mitigate harmful impacts of conflicts of interest; and
The financial institution to disclose specified information about their conflicts of interest and the cost of their advice.

The specified disclosures required to meet the conditions of the BICE include:

Descriptions of material conflicts of interest;
Descriptions of fees or charges paid by the retirement investor
A statement of the types of compensation the firm expects to receive from third parties in connection with recommended investments;
Notification that investors have the right to obtain specific disclosure of costs, fees, and other compensation upon request; and
A requirement that a website must be maintained and updated regularly that includes information about the financial institution’s business model and associated material conflicts of interest, a written description of the financial institution’s policies and procedures that mitigate conflicts of interest, and disclosure of compensation and incentive arrangements with advisers, among other information. However, the BICE currently does not require that the website include individualized information about a particular adviser’s compensation.

Noncompliance with the Rule by parties providing covered investment advice or the engagement or retention of such a service provider by an employer or other party exercising or with responsibility or authority to make that engagement carriers big legal risk. Advisers and financial institutions that don’t meet the BICE standards and other requirements of the Rule expose themselves to liability from breach of fiduciary duty claims under ERISA brought by ERISA plans, participants, and beneficiaries or in the case of IRAs or other non-ERISA plans, state law breach of contract or other state law claims brought by IRAs and other non-ERISA plans or accountholders. Likewise an employer, member of its management or other party responsible for or having authority to choose the service provider risks breaching its own fiduciary duties under ERISA by engaging a party that renders covered investment advice without complying with the Rule. In addition, to the extent that the engagement or activities of the service provider involves commission compensation payments, swaps or other activities that would constitute a prohibited conflict of interest under ERISA Section 406 not structured and conducted with an applicable prohibited transaction exemption, both the service provider and the fiduciary could bear personal liability for involving the plan or its assets in a prohibited transaction in violation of ERISA Section 406. For this reason, to help positions themselves to mitigate or defend against liability for such potential claims, advisors generally should take steps to ensure that the advisor can prove the advisor acted in their clients’ best interest by documenting their use of a reasonable process and adherence to professional standards in deciding to make the recommendation and determining it was in the customer’s best interest, and by documenting their compliance with the financial institution’s policies and procedures required by the Best Interest Contract Exemption.

Principle Transactions Exemption

The “Principal Transactions Exemption” published in connection with the Rule provides an exemption from the prohibitions of ERISA Section 406 to allow investment advice fiduciaries to sell or purchase certain recommended debt securities and other investments out of their own inventories to or from plans and IRAs where the requirements of the Exemption are met. As with the Best Interest Contract Exemption, the Principle Transaction Exemption requires, among other things, that investment advice fiduciaries adhere to certain impartial conduct standards, including obligations to act in the customer’s best interest, avoid misleading statements, and seek to obtain the best execution reasonably available under the circumstances for the transaction.

Existing PTE For Fixed Rate Annuity Contracts

In connection with its adoption of the Rule, EBSA also is amending existing exemption, PTE 84-24, which provides relief for insurance agents and brokers, and insurance companies, to receive compensation for recommending fixed rate annuity contracts to plans and IRAs. As amended in connection with the Rule, the requirements of PTE 84-24 are modified to provide increased safeguards for retirement investors while still providing “more streamlined conditions” than those required to meet the Best Interest Contract Exemption. Consistent with its enthusiasm for encouraging the offering and adoption of life time income products to retirees over the past several years, EBSA says these more streamlined conditions of PTE 84-24 are appropriate to “facilitate access by plans and IRAs to these relatively simple lifetime income products.” More complex products, such as variable annuities and indexed annuities, will be able to be recommended by advisers and financial institutions under the terms of the Best Interest Contract Exemption.

Other PTE Exemptions Modified To Raise Requirements

The Department is amending other existing exemptions, as well, to ensure that plan and IRA investors receiving investment advice are consistently protected by impartial conduct standards, regardless of the particular exemption upon which the adviser and the fiduciary engaging that advisor intend to rely upon to avoid violating of ERISA 406.

While the compliance deadline for the new Rule is not until April 8, 2017, the relief from ERISA Section 406 offered by the new Exemptions announced in connection with the Rule’s publication generally became available when EBSA published them in connection with the Rule on April 8, 2016. As this relief could provide helpful protection against fiduciary challenges or exposures that some service providers might already face under already existing fiduciary precedent or guidance, many service providers involved in dealings with plan or IRA investments may wish to take steps to position themselves to claim protection under one of these new PTE Exemptions even before the Rule takes effect. When evaluating this option, some service providers should be aware of the availability of transitional relief that may make it easier for some service providers to claim relief under the new BICE or Principal Transactions Exemption between April 8, 2017 and January 1, 2018 (Transition Period). In addition, parties that contemplate wishing to take advantage of the relief offered by the new BICE or Principal Transactions Exemption may benefit from taking advantage of reduced requirements for meeting these conditions during the phase in Transition Period. During this Transition Period, EBSA still will require firms and advisers to adhere to the Exemptions’ impartial conduct standards, provide a notice to retirement investors that, among other things, acknowledges their fiduciary status and describes their material conflicts of interest, and to designate a person responsible for addressing material conflicts of interest and monitoring advisers’ adherence to the impartial conduct standards; however compliance with certain other requirements is waived until January 1, 2018. Of course, full compliance with all requirements of the applicable Exemptions will be required as of January 1, 2018.

Rule Requires Action By Plan Sponsors, Fiduciaries & Service Providers

The new Rule creates lots of new work both for advisors and other service providers in, as well as plan sponsors, plan administrative committees or other fiduciaries responsible for selection, retention and oversight of those providing these services. All such parties have much to do to fulfill their ERISA responsibilities by the April 8, 2017 deadline for compliance with the new Rule and to deal with other likely fallout from the new Rule.

Fallout for Covered Investment Advisors & Other Service Providers

Clearly, advisors, financial institutions and other service providers providing covered investment advice and others with involvement with investments or investment platforms have much work to do to prepare for the new rule. However, compliance with the Rule is not merely a service provider problem. Employer or other plan sponsors, plan fiduciaries or other responsible for the credentialing, selection, retention, and oversight of service providers dealing with investments also need to ensure that the party or parties responsible for these vendor dealings fulfills its own fiduciary responsibilities in dealing with vendors and service providers that may be impacted by these requirements.

Advisers and financial institutions that don’t meet the requirements of the new Rule expose themselves to liability from breach of fiduciary duty claims under ERISA brought by ERISA plans, participants, and beneficiaries or in the case of IRAs or other non-ERISA plans, state law breach of contract or other state law claims brought by IRAs and other non-ERISA plans or accountholders. Obviously, advisors, financial institutions and other service providers providing advice or having dealings or involvement with IRA or employee benefit plan investments, their selection or administration will want to review and update their relationships and their associated compensation, contracts, disclosures and other arrangements and processes in light of the new Rule. Clearly, those that could be considered to offer or provide covered investment advice need to start revising contracts, compensation, policies, practices and other arrangements in anticipation of the Rule. At the same time, the Rule also is likely to create work for certain service providers with involvement or dealings with investments that the service provider considers to fall outside of the Rule:

To respond to changes in client requests for proposals, contracts or other due diligence in response to the Rule;
To respond to changes in response to the Rule by covered investment advisors to reconfigure services, relationships and contracts in response to the Rule;
To clarify and institutionalize and document communications by the uncovered service provider to clients and others of limits on the service provider’s services and capacity that are necessary or helpful to avoid or limit exposure of the service provider to coverage by or claims of liability arising out of the Rule; and/or
Otherwise.

Fallout For Plan Sponsors & Plan Fiduciaries Selecting & Overseeing Service Providers

Employer or other plan sponsors, plan fiduciaries or other responsible for the credentialing, selection, retention, and oversight of service providers dealing with investments also need to anticipate and be prepared to deal the effects of adoption of the Rule on their responsibilities and risks as they relate to the selection, retention, contracting, compensation and other dealings with service providers impacted by the Rule.

The Rule’s explicit designation as fiduciaries of certain service providers that previously may have been characterized as providing services as non-fiduciaries, much less its tightening of requirements for the investment advisors that are covered fiduciaries, creates a host of new responsibilities and considerations for employers sponsoring plans and its members of management that select, retain, contract with and oversee these service providers.

Under ERISA, parties designated in writing or function exercising discretionary authority or responsibility for the selection, retention, compensation and oversight of fiduciary or other service providers generally are considered fiduciaries for purposes of carrying out these responsibilities and bear personal liability for prudently selecting, retaining and monitoring the service provider in accordance with ERISA.

To fulfill this fiduciary obligation, those involved in selecting and retaining investment advisors covered by the rules should expect to bear responsibility for ensuring that the covered investment advisor is engaged in compliance with the Rule and the otherwise applicable requirements of ERISA, including that the engagement and compensation of the selected investment advisor will not involve the plan or its assets in a prohibited conflict of interest listed in ERISA Section 406. Furthermore, failing to ensure that the engagement of an investment advisor does not violate these conflict of interest rules also exposes a sponsoring employer of a qualified plan to excise tax liability under the Code’s companion party-in-interest rules applicable to such plans.

Accordingly, whether the employer itself retains and directly exercises the discretionary authority to select and retain a service provider or appoints a committee or member of its staff to perform these responsibilities as a designated fiduciary, an accurate understanding of which service providers, taking into account the rule, now will be considered fiduciaries and the requirements of the Rule flowing from this status is essential to understand and make appropriate provisions to ensure that proper steps are taken to ensure that the Rule and ERISA’s other requirements for prudent credentialing, bonding, contracting, compensation, and other dealings with the service provider and to budget for the proper conduct of the activities needed to fulfill these obligations.

In light of these and other exposures and obligations, employer and other plan sponsors, plan fiduciaries and plan service providers alike all should start preparing to respond to the new Rule.

To help positions themselves to mitigate or defend against liability for such potential claims, each party generally will want to take prudent and well-documented steps to evaluate the fiduciary status of each applicable service provider, as well as its own fiduciary status, capacity, responsibility and other exposures in light of the new Rule. Since ERISA fiduciary status attaches functionally based on the functional facts and circumstances, sponsoring employers, as well as service providers generally will want to consider taking appropriate steps to document this analysis and other compliance and risk management efforts to avoid violations of the Rule, as well as to position themselves to defend against other claims and liabilities.

In all cases, each impacted party should make an effort to apply and retain evidence documenting its efforts including, in the case of all service providers, whether or not covered investment advisors under the Rule, their efforts to act in their clients’ best interest by documenting their use of a reasonable process and adherence to professional standards in deciding to make the recommendation and determining it was in the customer’s best interest, and by documenting their compliance with the financial institution’s policies and procedures and applicable requirements of the law.

About The Author

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair, past Welfare Benefit Committee Chair, and Current Defined Contribution Plan Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a past ABA Joint Committee on Employee Benefits Council Representative Cynthia Marcotte Stamer is a practicing attorney, regulatory and public policy advocate, author, lecturer and industry and public policy thought leader recognized as a “Top” attorney in employee benefits, labor and employment and health care law for her more than 28 years’ of leading edge experience nationally and internationally providing practical and effective advice and representation to management.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management understand and use the law and process to manage people, performance, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative and pragmatic problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements.

She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. In these and other engagements, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. In the course of this work, Ms. Stamer has accumulated an impressive resume of more than 28 years’ of experience advising and representing clients on Title I and other ERISA fiduciary responsibility concerns including assisting and advising plan sponsors, plan fiduciary and plan service providers to design and administer fiduciary and other compliance and risk management policies and practices, conducting investigations of potential fiduciary or other breaches, and serving as special counsel, advising and representing these and other clients in connection with EBSA, IRS, SEC and other governmental audits, investigations and enforcement actions; in private disputes and litigation regarding plan investments or other fiduciary concerns between plan participant and beneficiaries, plans, plan fiduciaries, plan sponsors and plan service providers; or both.

Ms. Stamer also is deeply involved in helping to influence health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. Deeply involved in both U.S. statutory and regulatory pension and health care reform throughout her career, Ms. Stamer both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health plans, their sponsors, administrators, insurers and many other business, professional and civic organizations.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com, or http://www.stamerchadwicksoefje.com the member of contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.

Comments Off on Final Investment Advice Fiduciary Rules Mean Work For Employers, Fiduciaries & Advisors | 401(k), Banking, board of directors, Brokers, compensation, compliance, Consumer Protection, Corporate Compliance, corporate governance, defined benefit plan, defined contribution plan, directors, EBSA, Employee Benefits, Employer, Employers, Employment, ERISA, Excise Tax, Excise Taxes, fiduciary duty, Fiduciary Responsibility, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Internal Revenue Code, IRC, Tax, Tax Qualification, Uncategorized | Tagged: benefit plan, conflict of interest, conflict of interest rule, employee benefit plan, Employee Benefits, Employer, ERISA, Fiduciary, Fiduciary Responsibility, investment advice, investment advisor, plan, prohibited transaction | Permalink
Posted by Cynthia Marcotte Stamer

Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates

April 11, 2016

Group health plans and group and individual health insurers (Health Plans) must add updating their 2017 Summary of Benefits and Coverage (SBC) forms to their 2017 to do list in response to the publication by the Departments of Health and Human Services (HHS), Labor (DOL) and Treasury (collectively “Agencies) of enhanced content requirements for the 2017 Summary of Benefits and Coverage (SBC) template and Uniform Glossary that the Patient Protection & Affordable Care Act (ACA) requires Health Plans to provide to Health Plan members. Health Plans must begin using SBCs updated to comply with the 2017 SBC template released by the Agencies on April 6, 2016 beginning on the first day of the first open enrollment period that begins on or after April 1, 2017.

The ACA requires Health Plans to provide covered persons a brief (4 page) summary of what the plan covers and the plan’s cost sharing along with a comprehensive uniform glossary of commonly used health coverage and medical terms with the detailed content and format dictated by the Agencies SBC regulations. Intended to help covered persons understand and compare coverage options by providing standardized information in a standardized format about each plan, the SBC and Glossary must include all required content in the type and format dictated by the SBC regulations. In addition to ensuring that their SBC and Glossary meet these requirements, Health Plans also may need to prepare and offer translations of the SBC and Glossary to comply with the ACA’s “culturally and linguistically appropriate” requirements.

The current and 2017 SBC Template along with instructions for its preparation and completion, model translation documents for certain forms, and other information about the SBC requirements are available here.

Currently, the dictated SBC format includes coverage examples that demonstrate the cost sharing amounts an individual might be responsible for in three common medical situations. In addition to the current coverage examples that address diabetes care and childbirth, the updated template for 2017 also will require a new coverage example that addresses coverage for a foot fracture so that a consumer understands what a plan covers in an emergency scenario.

Beyond dictating the emergency example, the 2017 templates also expand the information about cost sharing that SBCs much contain to include enhanced language to explain deductibles and a requirement that plans address individual and overall out-of-pocket limits in the SBC.

While the Agencies regulations dictate the required content, health insurers and employers or others serving as health plan administrators or sponsors need to use care to ensure that SBCs are prepared appropriately and provided when and how required. Failure to timely deliver the SBC not only can trigger penalties under ERISA against the plan administrator and/or against the insurer under the ACA market reform rules, noncompliance with the SBC requirements also is among the listed ACA compliance defects that can expose the sponsoring employer to excise tax penalties under the Internal Revenue Code.

In order to fulfill this and other important ACA and other federal health plan notice and reporting mandates, employer and other plan sponsors, administrators and fiduciaries generally must finalize their health plan design well in advance of the date the new health plan design is intended to take effect. The Agencies SBC regulations generally require that the SBC be provided before the first day of the enrollment period and that updated SBCs be provided whenever any material change in benefits or coverage is enacted after the delivery of the original SPB. The requirement to prepare and deliver the SBC is in addition to the current federal mandate that plan administrators provide written notice of material changes to a health plan at least 60 days before the effective date of the material change and a host of other health plan notice requirements imposed by federal law. Employers, insurers, third party administrators and health plan fiduciaries need to understand and make appropriate arrangements to ensure that these SBC and other notice and reporting requirements are timely and appropriately completed.

About The Author

About Solutions Law Press, Inc.™

Comments Off on Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates | ACA, Affordable Care Act, Employee Benefits, Employer, Employers, Employment, ERISA, Excise Taxes, Fiduciary Responsibility, health benefit, Health Benefits, Health Care Reform, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HR, Human Resources, Insurance, insurers, Internal Controls, Internal Revenue Code, IRC, Patient Empowerment, Patient Protection & Affordable Care Act, Patient Protection and Affordable Care Act, Public Policy, Reporting & Disclosure, SBC, Uncategorized | Tagged: Affordable Care Act, disclosure, Employee Benefits, Employer, Employment, ERISA, Health Insurance, Health Insurer, Health Plans, Patient Protection & Affordable Care Act, SBC, Summary of Benefts and Coverage, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Brace For Health Plan OCR HIPAA Audits

March 22, 2016

Employer and union sponsored health plans, their sponsors, fiduciaries, and business associates should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) follow OCR’s 2016 audit program on the heels of its announcement last week of two large HIPAA settlements last week.

OCR confirmed today it is sending emails notifying health plans, healthcare providers, healthcare clearing houses (Covered Entities) and their business associates identified as part of the kickoff of its next phase of audits of Covered Entities. In light of the HIPAA verification rules and the notorious spread of opportunistic identity theft and other fraud by opportunistic Cybercriminals following these types of announcements, Covered Entities and business associates should carefully verify the requests validity and manage the response to avoid violating HIPAA in responding and position for defensibility against potential penalties.

Even if health plans or other Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.

To catch up on this latest guidance, Solutions Law Press, Inc. ™ invites you to register to participate in a special WebEx briefing on “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” on Wednesday, March 30, 2016 beginning at Noon Central Time on Wednesday, March 30, 2016.

2016 Audit Program

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by Covered Entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. OCR says it will primarily conduct these audits as desk audits, although some on-site audits will be conducted.

According to today’s announcement, the 2016 audit process begins with verification of an entity’s address and contact information. OCR is sending emails to Covered Entities and business associates requesting that contact information be provided to OCR on time. OCR will then send a pre-audit questionnaire to gather data about the size, type, and operations of potential audit targets. OCR says this data will be used with other information to create potential audit subject pools. Recipients should contact qualified legal counsel immediately for advice and assistance about proper procedures to verify the email is in fact from OCR and for assistance in responding.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects entities to check their junk or spam email folder for emails from OCR.

The announcement also reflects that OCR is still developing other aspects of the audit program. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

OCR says its audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to aid the industry in compliance self-evaluation and in preventing breaches. OCR plans to use results and procedures used in the phase 2 audits to develop its permanent HIPAA audit program.

OCR Settlements Show Enforcement Risk

The audit program announcement comes less than a week after OCR announced millions of dollars of new penalties under settlements with two Covered Entities:

A $1,555,000 settlement with North Memorial Health Care of Minnesota;
A $3.9 million settlement with Feinstein Institute for Medical Research.

The two settlements drive home again the substantial liability that health care providers, health plans, health care clearinghouses and their business associates risk for violating HIPAA.

Feinstein Settlement

Feinstein is a biomedical research institute organized as a New York not-for-profit corporation sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York comprised of 21 hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information about potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html.

North Memorial

The Feinstein settlement announcement follows yesterday’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Director Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.
Settlement Latest Reminder To Manage HIPAA Risks.

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, these latest settlements illustrate the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR about their obligations under HIPAA.

As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI.

In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs.

At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule.

To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breech or audit.

Changing Rules Complicate Compliance

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities. OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should expect OCR to ask about use of these tools in audits and investigations. Accordingly, they should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply.

Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.
Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

Comments Off on Brace For Health Plan OCR HIPAA Audits | Brokers, Civil Rights, compensation, compliance, Corporate Compliance, Cybercrime, Data Breach, Data Security, employee, Employee Benefits, FACTA, fiduciary duty, Fiduciary Responsibility, Financial Security, GINA, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HIPAA, Hospitality, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Management, Medicare Part D, Mental Health, Mental Health Parity, MEWA, Obamacare, Patient Empowerment, Prescription Drugs, Privacy, Professional Liability, Risk Management, third party administrators, Uncategorized, Wellness, Wellness Programs, Workforce | Tagged: Data Breach, Data Security, Employee Benefits, ERISA, Fiduciary Liability, financial privacy, Health Insurance, Health Plan, Health Plans, HIPAA, Medical Privacy, OCR, Office of Civil Rights, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Learn Latest HIPAA Health Plan Rules In 3/30 SLP Webex

March 9, 2016

Solutions Law Press, Inc. ™ Invites You To A Special WebEx Briefing

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Wednesday, March 30, 2016

1:00 P.M.-2:00 P.M. Eastern | 12:00 P.M.-1:00 P.M. Central 11:00 A.M-12:00 P.M. Mountain | 10:00 A.M-11:00 A.M. Pacific

Health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) face new imperatives to review and tighten their practices to ensure their practices comply with recently released guidance from the U.S. Department of Health & Human Services Office of Civil Rights (OCR)) emphasizing and clarifying the responsibilities of health care providers, health plans and the healthcare clearinghouses under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide access to individuals that are the subject of protected health information or “PHI” to access or copies of their PHI in accordance with HIPAA’s rules and other recent HIPAA guidance and enforcement. With OCR’s recent release of added guidance and OCR enforcement statistics continuing to show HIPAA access rule violations among the most common HIPAA violations and OCR stepping up HIPAA enforcement, health care providers, health plans, healthcare clearinghouses can expect heightened scrutiny and enforcement of these requirements. Additionally, Covered Entities also should evaluate the adequacy of their other practices in light of other recent OCR guidance and enforcement actions.

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on HIPAA’s requirements to provide access to patients to PHI by registering here to participate in the Solutions Law Press, Inc.™ “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” WebEx briefing from Cynthia Marcotte Stamer on Friday, March 18, 2016. During the Briefing, Ms. Stamer will provide participants with:

√ An update on OCR enforcement actiions and guidance over past 12 months

√ A detailed discussion of OCR’s new guidance about when Covered Entities must provide PHI access or copies to patients

√ Discuss rules and best practices for verifying the identity and credentials of an individual requesting PHI as a patient or personal representative of a patient

√ Share tips for contracting and dealing with business associates to facilitate administration of patient PHI access and security compliance activities

√ Share other practical considerations & best practices for compliance and risk management

√ Respond to participant questions on a time permitting basis

√ More

ABOUT THE SPEAKER

Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine;, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her more than 28 years extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy and other key operational concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance including extensive involvement with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others. Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators as well supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served as the scrivener for the ABA JCEB’s meeting with OCR on HIPAA for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

REGISTRATION & PROGRAM DETAILS

Registration Fee per course is $75.00 per person. Registration Fee Discounts available for groups of three or more participants from the same organization. Limited opportunities for participation. Registration accommodated on a first come basis. Completed registration and payment required via website registration 48 hours in advance of the program. No checks or cash accepted. Persons not registered with completed payment at least 48 hours in advance will only participate subject to availability and completed registration and payment. Payment only accepted via website PayPal. Register Here!

The Webex will be conducted over the internet. Participants will receive access code and instructions for sign on to participate in the Webex and/or dial in to participate in the program via telephone after processing of completed registration. Participants must have access to a computer with internet access and to telephone access to dial in via telephone to participate in the program. Solutions Law Press, Inc. is not responsible for any interruption or interference in participation resulting from limitations in the internet connectivity, computer, telephone or other equipment used by the participant to access and participate in the program.

ABOUT SOLUTIONS LAW PRESS, INC.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders better anticipate legal and operational issues impacting their organization’s performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com. These programs, publications and other resources are provided only for general informational and educational purposes, the applicability of which to any particular circumstances may be impacted by legal changes, the specific facts and circumstances or other factors. Consequently, neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are not intended to or shall not be construed as establishing an attorney-client relationship, to constitute legal advice or a substitute for legal advice, or otherwise provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties that any participant or any other party can rely upon the information or any statements presented herein. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request. ©2016 Solutions Law Press, Inc.

Comments Off on Learn Latest HIPAA Health Plan Rules In 3/30 SLP Webex | Employee Benefits, Employer, Employers, health benefit, Health Benefits, health Care, Health Care Reform, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HIPAA, Privacy, Protected Health Information, Uncategorized | Tagged: Business Associate, Health Insurance, Health Plan, HIPAA, Medical Privacy, PHI, Protected Health Information, third party administrator, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Marketplace Data Deficiencies Signal Employer ACA Headaches

March 9, 2016

By: Cynthia Marcotte Stamer

Employers, health plans and individual taxpayers should be concerned about reports of deficiencies in the eligibility and enrollment tracking procedures of some health insurance exchanges or “marketplaces” created under the Patient Protection and Affordable Care Act (ACA) that are likely to identify individuals enrolling in health insurance coverage offered through the Healthcare.gov and certain state health insurance exchanges or “marketplaces” as eligible for subsidies who in fact are ineligible for subsidies.

As the Internal Revenue Service (IRS) and Department of Health & Human Services (HHS) rely upon Marketplaces’ eligibility and enrollment records to enroll Americans in health insurance coverage through the ACA created marketplaces, to help determine in individual Americans and employers are complying with the ACA shared responsibility rules, and to determine which individuals enrolling in coverage through marketplaces qualify for ACA subsidies, deficiencies in these practices and resulting errors in eligibility and enrollment records are likely to mean headaches for employer, health plans and individual Americans.

Marketplace Eligibility & Enrollment Data Critical To Administer ACA Reforms

Accurate eligibility and enrollment determination by marketplaces is critical to the administration of the ACA’s complicated web of reforms, including the determination the determination of whether the employee of a large employer who enrolls in coverage qualifies for a subsidy so as to trigger an obligation for the employer to pay an employer shared responsibility payment under IRC Section 4980H if the employee is not enrolled in group health coverage offered by the employer meeting ACA’s requirements.

As part of ACA’s massive restructuring of the health care payment system enacted by President Obama and the then Democrat-led Congress, most Americans now must pay an “individual shared responsibility payment” unless enrolled in “minimum essential coverage” one of the ACA-approved health coverage options. Along with this individual mandate, the ACA:

Dictates that all group and individual health insurance policies other than a narrow list of “excluded” plans include the rich and generally expensive package of ACA-mandated “essential health benefits,” pay a host of ACA-imposed taxes and assessments, and comply with a host of tight ACA market reforms;
Penalizes employers with 50 or more full-time employees (large employers) that fail to offer all full-time employees group health coverage for the employee and each of his dependent children (hereafter “dependent coverage”) through an employer-sponsored arrangement that provides minimum essential benefits at a cost not greater than 9.5 percent of the federal poverty level by providing that any large employer with at least 1 employee enrolled in subsidized health coverage offered through an ACA-established health insurance marketplace, to pay a monthly “employer shared responsibility payment” under Internal Revenue Code Section 4980H of:
- For any large employer not offering any group health plan employee and dependent coverage providing minimum essential coverage to each full-time employee, $150 per full-time employee per month; or
- For any other large employer, $250 per month for each full-time employee earning less than 400 percent of the federal poverty level enrolled in subsidized health insurance coverage through an ACA-established health insurance marketplace unless the employer shows the employer offered the employee the opportunity to enroll in employee and dependent coverage under a group health plan that provided the ACA-required minimum essential coverage at a cost not exceeding 9.5 percent of the employee’s adjusted gross income; and
Seeks to incentivize small employers (generally with fewer than 25 full-time and full-time equivalent employees) tax credits for offering minimum essential coverage under an employer-sponsored plan that meets the ACA requirements; and
Created a system of one federal and various state health care exchanges or “marketplaces” through which individual Americans and small employers can purchase an expensive package of “essential health benefits” from private health insurers offering “qualified health plans” (QHPs) through the their state “marketplace,” if any, or for Americans living in a state with that elected not to establish a state marketplace, the federal Healthcare.gov marketplace;
Uses federal tax dollars to subsidize a portion of the premiums paid by certain Americans earning less than 400% of the federal poverty level that enroll in coverage under a QHP through the marketplace applicable in their states unless the individual had the option to enroll in an employer-sponsored group health plan meeting the ACA’s “minimum essential coverage,” “minimum value” and “affordability” standards; and
Requires all employers, health plans and insurers and each Marketplace accurately and reliably to collect, maintain and report certain key data needed to coordinate and administer ACA’s individual coverage mandates, employer mandates and subsidy rules.

For proper administration and coordination with other plans and employers and the administration by the Internal Revenue Service of ACA tax subsidies payable to qualifying individuals obtaining coverage in a QHP through an exchange, HHS regulations require each marketplace to implement and administer reliably an application and enrollment process for enrollment in QHPs through the exchange.

To enroll in a QHP, an applicant must complete an application and meet eligibility requirements defined by the ACA. An applicant can enroll in a QHP through the Federal or a State marketplace, depending on the applicant’s State of residence. Applicants can enroll through a Web site, by phone, by mail, in person, or directly with a broker or an agent of a health insurance company. For online and phone applications, the marketplace verifies the applicant’s identity through an identity-proofing process. For paper applications, the marketplace requires the applicant’s signature before the marketplace processes the application. When completing any type of application, the applicant attests that answers to all questions are true and that the applicant is subject to the penalty of perjury.

After reviewing the applicant’s information, HHS expects the marketplace to determine whether the applicant is eligible for a QHP and, when applicable, eligible for insurance affordability programs. To verify the information submitted by the applicant, the marketplace is expected to use multiple electronic data sources, including those available through the Federal Data Services Hub (Data Hub). Data sources available through the Data Hub are the U.S. Department of Health and Human Services, Social Security Administration (SSA), U.S. Department of Homeland Security, and Internal Revenue Service, among others. The marketplace can verify an applicant’s eligibility for ESI through Federal employment by obtaining information from the U.S. Office of Personnel Management through the Data Hub.

Generally, when a marketplace cannot verify information that the applicant submitted or the information is inconsistent with information available through the Data Hub or other sources, HHS regulations require the marketplace to attempt to resolve the inconsistency in accordance with HHS regulations before treating the individual as ineligible. Because of the presumption of eligibility built into the system, individual’s who care not verified as ineligible are treated as eligible. As a result, inadequate verification practices by marketplaces are likely to result in the inappropriate characterization of individuals as eligible for enrollment with subsidies.

Audits Show Marketplace Eligibility & Enrollment Practices Deficient

Unfortunately, recent OIG reports raising concerns about the adequacy of the eligibility and enrollment verification procedures of various marketplaces are raising concerns about the reliability and adequacy of the eligibility and enrollment verification procedures and resulting data of various marketplaces. For instance, in its recently released report, Not All of the District of Columbia Marketplace’s Internal Controls Were Effective in Ensuring That Individuals Were Enrolled in Qualified Health Plans According to Federal Requirements, HHS OIG Report A-03-14-03301 (the ”D.C. Report”), OIG reports that OIG’s audit of 45 sample applicants from the enrollment period for insurance coverage in the District of Colombia’s exchange for calendar year 2014 revealed that District of Colombia’s health insurance marketplace had ineffective internal processes and controls for:

Verifying an applicant’s eligibility for minimum essential coverage (both employer-sponsored insurance and non-employer-sponsored insurance;
Maintaining application and eligibility verification data;
Maintain identity-proofing documentation for applicants who apply for QHPs;
Verifying annual household income in accordance with Federal requirements;
Maintaining documentation demonstrating that it verified whether an applicant was eligible for minimum essential coverage under an employment based health plan; and
Ensuring that its enrollment system maintains application, eligibility, and documentation, including all electronic eligibility verifications from the Data Hub.

Deficiencies Create Likely Headaches For Employers, Plans & Individual Taxpayers

Given the importance of accurate subsidy eligibility and other marketplace enrollment information, marketplace audit results recently reported by the OIG finding certain federal and state health insurance marketplaces are not using effective internal controls to verify and administer eligibility and enrollment processes raises concerns not only concerns for taxpayers generally, but also could signal added headaches for employers and health plans.

Large employers and individual Americans receiving subsidies are likely to experience the greatest impact because of the reliance upon the IRS on marketplace data to determine employer and individual shared responsibility payment liability. However, all employers and health plans also could experience some fallout.

Large employers should be prepared to receive and defend against IRS assertions that the employer is liable for paying employer shared responsibility payment under IRC Section 4980H when an employee of the employer is one of those individuals that a marketplace improperly classifies as eligible to receive subsidies because of deficient marketplace eligibility or enrollment data collection and verification practices. In addition, all employers should be prepared to receive and respond to inquiries from marketplaces, the IRS or HHS seeking to investigate, verify and reconcile data relevant to the administration of the ACA market, subsidy, shared responsibility and other reforms of the ACA.

Meanwhile, employers, health plans and individual Americans alike should brace to receive inquiries from the IRS, HHS, marketplaces, health plans and others seeking to verify and reconcile marketplace data with data reported by health plans, employers and individual Americans. While timely and appropriate response to legitimate requests from the IRS, HHS, a marketplace or other appropriate party is important, all parties should be careful to verify the legitimacy of the request and the identity and credentials of the party making the request in light of the IRS and other agencies’ reports of the identity theft and other scams by opportunist criminals using the pretext of acting for the IRS or other legitimate purposes illegally to trick businesses or individuals into sharing sensitive tax, financial or other information. While all parties need to use care in responding to these requests, employers, health plans and their service providers also need to ensure that these procedures are appropriately conducted and documented to minimize their exposure to liability for violations of the confidentiality, privacy or data security requirements that may apply to the employer, health plan or other party under the IRC, the Health Insurance Portability & Accountability Act (HIPAA) or various other federal or state laws.

To help prepare for these potential inquiries, employers, health plans and other parties should ensure that their recordkeeping, enrollment and reporting practices under ACA are clean and ready to respond to these and other government or employee inquiries.

Employers and others concerned about the impact of these deficiencies on the liabilities of large employers, taxpayers or both may wish express concern to their elected representatives in Congress.

About The Author

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick│Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 28 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on Marketplace Data Deficiencies Signal Employer ACA Headaches | 105(h), 4980D, 4980H, 6039D, ACA, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, EBSA, employee, Employee Benefits, Employer, Employers, Employment, Employment Tax, ERISA, exchange, Excise Tax, Excise Taxes, fiduciary duty, health benefit, Health Benefits, health Care, Health Care Reform, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, HIPAA, Hiring, HR, Identity Theft, Income Tax, Insurance, insurers, Internal Controls, Internal Revenue Code, IRC, Obamacare, Patient Protection & Affordable Care Act, Patient Protection and Affordable Care Act, Pay, Premium Subsidies, Privacy, Protected Health Information, Reporting & Disclosure, Risk Management, third party administrators, Worker Classification, Workforce | Tagged: 4980H, ACA, group health plan, Health Care Reform, health insurance marketplace, Health Plans, Insurer, marketplace, Obama Care, shared responsibility payment | Permalink
Posted by Cynthia Marcotte Stamer

SCOTUS: States Can’t Require Reporting of ERISA Health Plan Data

March 2, 2016

Employer and union sponsored group health plans covered by the Employee Retirement Income Security Act of 1974 (ERISA) and their insurers are not required to comply with a Vermont state law that requires health insurers and certain other parties to report payments relating to health care claims and other information relating to health care services to a state agency for compilation in an all-inclusive health care database, according to the United States Supreme Court’s March 1, 2016 ruling in Gobeille v. Liberty Mutual Insurance Company.

In a 6-2 opinion authored by Justice Kennedy, the Supreme Court held in Gobeille that ERISA Section 514 preempts Vermont’s requirement that health insurers and other health benefit payers report health care claims and other information relating to health care services to a state agency for inclusion in an all-inclusive health care data base.

The lawsuit stemmed from a lawsuit challenging Vermont’s attempt to enforce the law against Liberty Mutual Insurance Company’s self-insured health plan (Plan). Liberty Mutual provides benefits under the Plan to its thousands of employees which are located in all 50 States of which only approximately 140 of which are located in Vermont. When Vermont sought to require the Plan’s third-party administrator, Blue Cross Blue Shield of Massachusetts, Inc. (Blue Cross) to transmit its files on the Plan’s eligibility, medical claims, and pharmacy claims for the Plan’s Vermont members to the state data base, Liberty Mutual was concerned that the disclosure of such confidential information might violate its fiduciary duties, It instructed Blue Cross not to comply and sued seeking a declaratory judgement that ERISA pre-empts application of Vermont’s statute and regulation to the Plan and an injunction prohibiting Vermont from trying to acquire data about the Plan or its members. After the District Court granted summary judgment to Vermont, the Second Circuit reversed, concluding that Vermont’s reporting scheme is pre-empted by ERISA as applied to the Plan.

When Vermont appealed the Second Circuit’s decision to the Supreme Court, the Supreme Court sided with Liberty Mutual. It upheld the Second Circuit’s ruling, holding that the preemption provisions of ERISA bar Vermont from enforcing the reporting requirement against ERISA-covered health plans or their administrators.

Righting for the Supreme Court Majority, Justice Kennedy explained that ERISA expressly pre-empts “any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” 29 U.S.C §1144(a). Commenting that this preemption reaches to any state law that has an impermissible “connection with” ERISA plans, Justice Kennedy took judicial notice that ERISA seeks to make the benefits promised by an employer more secure by mandating certain uniform reporting and other oversight systems and other standard procedures, Justice Kennedy said ERISA’s extensive reporting, disclosure, and recordkeeping requirements are central to, and an essential part of, this uniform plan administration system. He also wrote that ERISA’s uniform rule design also makes clear that it is the Secretary of Labor, not the separate States, that is authorized to decide whether to exempt plans from ERISA reporting requirements or to require ERISA plans to report data such as that sought by Vermont. Because Vermont’s law and regulation also govern plan reporting, disclosure, and recordkeeping, Justice Kennedy explained that pre-emption is necessary in order to prevent multiple jurisdictions from imposing differing or even parallel, regulations, creating wasteful administrative costs and threatening to subject plans to wide-ranging liability.

Justice Kennedy also found unpersuasive Vermont’s counterargument that respondent has not shown that the State scheme has caused it to suffer economic costs, stating that Liberty Mutual need not wait to bring its pre-emption claim until confronted with numerous inconsistent obligations and encumbered with any ensuing costs. In addition, Justice Kennedy wrote that the fact that ERISA and the state reporting scheme have different objectives does not transform Vermont’s direct regulation of a fundamental ERISA function into an innocuous and peripheral set of additional rules and that Vermont’s regime also cannot be saved by invoking the State’s traditional power to regulate in the area of public health. Furthermore, Justice Kennedy added that ERISA’s pre-existing reporting, disclosure, and recordkeeping provisions maintain their pre-emptive force regardless of whether the new Patient Protection and Affordable Care Act’s reporting obligations also pre-empt state law.

About The Author

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick│Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her 27 plus year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

U.S. Businesses & Their Leaders Face Rising FLSA Collective Action Liability Risks

Health Care Providers’ ERISA Health Plan Benefit Opportunities & Employee Benefits Compliance Obligations Topic of 9/15 Study Group

Improve HR Value To Company By Making HR A Performance Rather Than People Department

Sponsoring Employers Face Excise Taxes, Other Liabilities Unless Health Plans Comply With ACA Out-Of-Pocket & Other Federal Rules

Legal Review Of Health Plan Documents, Processes Needed To Mitigate Employer’s Excise Tax & Other Health Plan Risks

EEOC ADA Suit Against Magnolia Health Highlights US Employer’s Growing Disability Discrimination Risks

Proposed OSHA Regs Will Clarify Employer’s Continuing Duty To Ensure OSHA 300 Log Completeness

10 Practical Pointers To Use Law To Better Strengthen The Legal Defensibility Of Your Business & Its Leaders

Tri-Agencies Update On Planned ACA Transparency Reporting Rules For Non-QHP Issuers & Non-Grandfathered Group Health Plans

Employers, Plan Administrators Confirm All Form 5500s Timely Filed; Valuable Relief Options Available For Non-Filers

Health Insurer/Vendor’s Claims & Appeals Deficiencies Could Trigger Significant Employer Excise Tax Liability

HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks

Obama Administration Proposal Would Extend FLSA Minimum Wage & Overtime Requirements To 5 Million+ Workers

Prompt Business Action Needed To Mitigate Post-King Employer Health Benefit Costs & Liabilities

Comments Off on SCOTUS: States Can’t Require Reporting of ERISA Health Plan Data | ACA, Claims Administration, employee, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Form 5500, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, HIPAA, Preemption, Uncategorized | Tagged: 10th Amendment, eligibility, Employee Benefits, Employee Retirement Income Security act, enrollment, ERISA, Health Data, Health Data Privacy, Health Data Reporting, Health Insurance, Health Plan, HIPAA, Plan Administration, Privacy, reporting, Supreme Court, third party administrator, Vermont | Permalink
Posted by Cynthia Marcotte Stamer

IRS OK’s Skipping Certain 2015 Form 5500 Questions

February 29, 2016

2015-5500

The Internal Revenue Service (IRS) has announced that it will not require plan administrators to answer certain new questions added to the Form 5500/5500-SF and Schedules H, I and R for the 2015 plan year. The questions on the 2015 Form 5500 that the IRS says plan administrators can skip answering are:

The Preparer Information on the bottom of page 1 of the Form 5500
Lines 4o-p, 6a-d on the Schedule H
Lines 4o-p, 6a-d on the Schedule I
New Part VII (Lines 20a-c, 21a-b, 22a-d, and 23) on Schedule R
Preparer Information (page 1 bottom), Lines 10j, 14a-d, and New Part IX
(Lines 15a-c, 16a-b, 17a-d, 18, 19, and 20) on Form 5500-SF

See IRS Compliance Questions on the 2015 Form 5500-Series Returns (February 25, 2016).

About the Author

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer P.C,, a member of Stamer│Chadwick│Soefje PLLC author, pubic speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her nearly 30- year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see CynthiaStamer.com or StamerChadwickSoefje.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

DOL Proposes Changes To Summary of Benefit & Coverage Rules

More proof government should stay out of healthcare

Health Care Quality: Different Meaning For Care Vs. Coverage

IRS Changes Plan Qualification Procedures, Returns, Other Procedures

Remember Microsoft: The Need for Effective Risk Management as to Contract Employees

Obama Administration Proposes Rules Giving Jobseeker Equal Opportunity Protections

Health Benefit Still Top Employer Benefit Cost

Practioners Register For New PBGC E-Filing Portal

Health Coverage Options When Employment Ends

Varying LGBT Obligations Of Private Employers Underscore Importance Of Familiarity With State and Municipal Laws

Strengthen Your Cyber Security By Sharing National Cyber Security Awareness Month Resources This Week

Ranching Employers: Labor Department Tightening H-2A VISA Rules For Employing Range Workers

NLRB 29 Unfair Labor Practice Charges Against Community Health Systems, Inc. Shows Industry Labor Risks

DOL Schools Halliburton With $18M+ Overtime Settlement; Other Employers & Executives Should Take Note

U.S. Businesses & Their Leaders Face Rising FLSA Collective Action Liability Risks

Improve HR Value To Company By Making HR A Performance Rather Than People Department

Sponsoring Employers Face Excise Taxes, Other Liabilities Unless Health Plans Comply With ACA Out-Of-Pocket & Other Federal Rules

Legal Review Of Health Plan Documents, Processes Needed To Mitigate Employer’s Excise Tax & Other Health Plan Risks

EEOC ADA Suit Against Magnolia Health Highlights US Employer’s Growing Disability Discrimination Risks

Proposed OSHA Regs Will Clarify Employer’s Continuing Duty To Ensure OSHA 300 Log Completeness

10 Practical Pointers To Use Law To Better Strengthen The Legal Defensibility Of Your Business & Its Leaders

Tri-Agencies Update On Planned ACA Transparency Reporting Rules For Non-QHP Issuers & Non-Grandfathered Group Health Plans

Employers, Plan Administrators Confirm All Form 5500s Timely Filed; Valuable Relief Options Available For Non-Filers

Health Insurer/Vendor’s Claims & Appeals Deficiencies Could Trigger Significant Employer Excise Tax Liability

HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks

Obama Administration Proposal Would Extend FLSA Minimum Wage & Overtime Requirements To 5 Million+ Workers

Prompt Business Action Needed To Mitigate Post-King Employer Health Benefit Costs & Liabilities

Comments Off on IRS OK’s Skipping Certain 2015 Form 5500 Questions | 401(k), EBSA, Employee Benefits, Employers, ERISA, Health Benefits, health Care, health insurance, health plan, Health Plans, Reporting & Disclosure, Uncategorized | Tagged: Employee Benefits, Employer, Form 5500, Form 5500 ERISA Employee Benefits, Health Plans | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks

July 11, 2015

Health plans, insurers and other health plan industry service providers widespread use and reliance on internet applications to access and share protected health information when performing online enrollment, claims administration and payment, reporting, member and provider communications and a host of other key health plan functions makes it particularly important for health plans, their employer or other sponsors, fiduciaries, insurers and other vendors and their management to respond quickly to a warning from Department of Health & Human Services (HHS) Office of Civil Rights (OCR) warning to ensure applications and systems properly safeguard protected health information (PHI) as required by the Health Insurance Portability & Accountability (HIPAA) Privacy, Security & Breach Notification Rules (HIPAA Rules) and other laws made in its July 10, 2015 announcement of its latest HIPAA settlement.

The new Resolution Agreement with the Massachusetts based hospital system, St. Elizabeth’s Medical Center (SEMC) settles charges OCR made that SEMC reached HIPAA by failing to protect the security of PHI when using internet applications to access and share PHI. The Resolution Agreement also shows how complaints filed with OCR by workforce members can create additional compliance headaches for Covered Entities or their business associates while the “robust corrective action plan” imposed under the Resolution Agreement shares examples of ladder reporting and management oversight and documentation Covered Entities and business associates can expect to need to prove their organizations maintains the “culture of compliance” with HIPAA OCR expects in the event of an OCR audit or investigation.

With recent reports on massive health plan HIPAA and other data breaches fueling widespread participant and regulatory concern over identity theft and other data security, Covered Entities and their business associates should prepare to defend the adequacy of their own HIPAA and other data security practices in the event of an OCR breach investigation or audit. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC Resolution Agreement settles OCR charges that SEMC violated HIPAA stemming from an OCR investigation of a November 16, 2012 complaint by SEMC workforce members and a separate data breach report SEMC separately made to OCR of a breach of unsecured electronic PHI (ePHI) stored on a former SEMC workforce member’s personal laptop and USB flash drive affecting 595 individuals. In their complaint, SEMC workers complained SEMC violated HIPAA by allowing workforce members to use an internet-based document sharing application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

SEMC improperly disclosed the PHI of at least 1,093 individuals;
SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
SEMC failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

To resolve OCR’s charges, SMCS agreed to pay $218,400 to OCR and implement a “robust corrective action plan” to correct these alleged HIPAA violations. While the required settlement payment is relatively small, the Resolution Agreement’s focus security requirements for internet application and data use and sharing activities engaged in by virtually every Covered Entity and business associate make the Resolution Agreement merit the immediate attention of all Covered Entities, their business associates and their management.

SEMC HIPAA Specific Compliance Lessons For Health Plans & Business Associates

In announcing the Resolution Agreement, OCR Director Jocelyn Samuels sent a clear warning to all Covered Entities and their business associates “to pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” stating “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The Resolution Agreement makes clear that OCR expects health plans and other Covered Entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates Covered Entities and business associates must be able to produce documentation and other evidence needed to show the top to bottom dedication to HIPAA compliance necessary to prove a “culture of compliance” with HIPAA permeates their organizations.

In light of OCR’s warning and expectations, Covered Entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan” included in the Resolution Agreement, starting with the specific steps the corrective action plan requires SEMC to address its internet application security concerns such as:

Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
Conducting other tests and audits of security and compliance with policies, processes and procedures; and
Documenting results, findings, and corrective actions including appropriate up the ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance & Risk Management Lessons

Beyond the specific internet applications and other security of ePHI lessons in the Resolution Agreement, Covered Entities and their business associates also should be mindful of other more subtle, but equally important broader HIPAA compliance and risk management lessons provided in the Resolution Agreement and other recent OCR guidance about their overall HIPAA compliance responsibilities.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The Resolution Agreement sends an undeniable message that OCR expects Covered Entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies. The SEMC corrective action plan should prompt Covered Entities and business associates to weigh the adequacy of their existing workforce training, reporting, investigation and other management processes and documentation. Meanwhile, OCR’s report that an OCR complaint made by SEMC insiders to OCR prompted its investigation also should sensitize Covered Entities and their business associates of the need to ensure that their workforce training and management processes are appropriate to position their organization both to show their processes encourage proper internal reporting and investigation of compliance concerns, as well as manage the inevitable HIPAA and other human resources retaliation and whistleblower exposures that can arise out of such reports.

The Resolution Agreement also provides insights to the internal corporate processes and documentation of compliance efforts that Covered Entities and business associates may need to show their organization has the required “culture of compliance” needed to mitigate consequences of breaches or other compliance glitches. Particularly notable are Resolution Agreement’s terms on the documentation and up the ladder reporting to management and OCR of SEMC’s self-audit and self-correction activities and management oversight and management of these activities. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details in the Resolution Agreement provide invaluable tips to Boards and other leaders of Covered Entities and business associates about steps they can take to promote their ability to demonstrate their organizations have the necessary culture of HIPAA compliance OCR expects.

Health Plan HIPAA Compliance Risks & Responsibilities of Employers & Their Leaders

While HIPAA places the primary duty for complying with HIPAA on Covered Entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

As employers forced to cope with the deluge of fears and questions of employees and other health plan members impacted by recent massive PHI breach reports shared by Blue Cross association health insurance plan giants, Anthem and Premera can attest, HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction of the health benefit plan as an employee benefit. These concerns also usually require employers to expend significant management and financial resources to respond to these concerns and address other employer fallout from the breach.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all too rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators, and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Since employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware the employer’s exception from direct liability for HIPAA Rule compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA Rules to a health plan or other Covered Entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA Rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations in order for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces, and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA Rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce honors these arrangements and does not improperly access or use health plan PHI, systems in violation of these conditions or other HIPAA Rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – from wrongfully accessing health plan PHI, electronic records or systems. Since health plan PHI records also typically include personal tax, social security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concern about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Since HIPAA and some of these other laws under certain conditions make it a felony crime to violate these rules, employer and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s Federal Sentencing Guideline and other compliance programs.

Beyond the already discussed concerns, employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements to many the exposure of the employer or management or other staff to statutory, regulatory, contractual or ethical liabilities arising under ERISA, Internal Revenue Code, the Fair & Accurate Credit Transaction Act (FACTA), trade secret, insurance, disability, identity theft, cybersecurity or other federal or state laws.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure that the health plan compliance with HIPAA and other federal privacy and data security requirements.. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. Consequently, the sponsoring employer and certain members of its human resources or other executive management team who functionally possess or exercise responsibility or authority over the administration of the employer’s health plan or its data or other assets, the selection or oversight of plan fiduciaries, vendors, or other workforce members its administration, or other key health plan operations risk ERISA fiduciary liability for their own failures to act prudently in carrying out HIPAA compliance or other responsibilities or to take action when they know or should know that another fiduciary is or has breached these duties. This fiduciary status and risk can occur even if the entity or individual does not is not named a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Since fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority to avoid or minimize these potential ERISA fiduciary exposures.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Act To Manage HIPAA & Other Related Risks

OCR’s release of the Resolution Agreement on the heels of widespread publicity about massive health plan and other data breaches at Blue Cross health care giants, Anthem and Premera and other U.S. businesses and the potential legal and financial exposures that a HIPAA data breach or other violation could create, health plans and their sponsors, insurers, business associates, and leaders should appreciate the advisability of acting promptly to ensure that their health plans and business associates are taking appropriate steps to comply with the HIPAA Rules and manage other associated risks and liabilities. At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stop gap against the costs of investigation or defense of a HIPAA security or other data breach.

For Legal or Consulting Advice, Legal Representation, Training Or More Information

If you need help responding to these new or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, help updating or defending your workforce or employee benefit policies or practices, or other related assistance, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, Ms. Stamer’s more than 27 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health and other employee benefit, human resources, and related insurance, health care, privacy and data security and tax matters and policy.

Ms. Stamer’s legal and management consulting work throughout her 27 plus year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health plans, their sponsors, administrators, insurers and many other business, professional and civic organizations.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com, or http://www.stamerchadwicksoefje.com the member of contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Obama Administration Proposal Would Extend FLSA Minimum Wage & Overtime Requirements To 5 Million+ Workers
Prompt Business Action Needed To Mitigate Post-King Employer Health Benefit Costs & Liabilities
More Work For Employers, Benefit Plans Following SCOTUS Same-Sex Marriage Ruling
Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell Decision
Obama Administration Devoting $1.25 Million To Find Ways To Encourage States To Force Employers To Give Paid Leave
IRS FAQ Addresses Determination Letter Program As Applied To Multiple Employer Plans
OSHA Rules Requires New Construction Industry Close Space Safeguards
2016 & 2017 Health Plan Budgets, Workplans Should Anticipate Expected Changes To SBCs
$1.4M FLSA Back Pay Award Demonstrates Worker Misclassification Risks
Discrimination Rules Create Risks For Employer Reliance On Injunction Of FMLA Rule On Same-Sex Partners’ Marital Status
Obama Executive Order’s Prohibition Of Government Contractor Sexual Orientation & Gender Identity Discrimination Creates Challenges For All US Employers
Congress Passes Joint Resolution Overturning NLRB “Quickie Election Rule”
IRS Changes Plan Correction Procedures

Comments Off on HIPAA Settlement Warns Health Plans, Sponsoring Employers & Business Associates To Manage HIPAA Risks | 105(h), ADA, ARRA, Cafeteria Plans, Civil Rights, Claims Administration, Corporate Compliance, Defined Contribution Plans, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, GINA, Government Contractors, Health Plans, HIPAA, Human Resources, Mental Health, MEWA, Retaliation, Risk Management | Tagged: Breach Notification, Data Breach, Employer, ERISA, Federal Sentencing Guidelines, Fiduciary Duties, Health Plans, HIPAA, Privacy, Risk Managemnet | Permalink
Posted by Cynthia Marcotte Stamer

Prompt Business Action Needed To Mitigate Post-King Employer Health Benefit Costs & Liabilities

June 30, 2015

With the Obama Administration construing the United States Supreme Court’s King v. Burwell decision as a green light for its full implementation and enforcement of the Patient Protection & Affordable Care Act (ACA), U.S. businesses should brace for both increases in health benefit costs and liabilities over the next year as well as take prompt action to identify and mitigate potential excise tax and other exposures from any unaddressed compliance deficiencies in their 2014 or 2015 health plans as soon as possible and no later than the due date for filing their 2014 business tax return.

As health benefit costs continue their upward trend, many businesses and their leaders plan to look for new options to manage costs and liabilities following the King decision. In most cases, businesses assume they can delay these actions until the beginning of their upcoming health plan year, not realizing their company’s potential liability exposures from existing and past defects. Businesses and their leaders who have held off updating their health plan compliance and expect to delay completion of these activities until the beginning of their upcoming health plan year are likely to be in for a rude awakening, however, particularly since a much underappreciated Sarbanes-Oxley style provision of the Internal Revenue Code will require employer or other group health plan sponsors to self-report, self-assess and pay stiff excise tax penalties when filing their company’s 2014 business tax return unless their group health plan complied with a long list of ACA and other federal health plan rules in 2014.

Employer Health Benefit & Other Compensation Up, Costs Exposures Projected To Continue To Rise

While many businesses delayed making tough choices about their health plan design and compliance over the past several years in hopes of some judicial or Congressional relief from the mandates and costs of ACA, businesses generally have continued to struggle with ever-rising compensation and benefit costs, with health benefit costs the biggest challenge. Recent U.S. Bureau of Labor Statistics (BLS) data confirms what business leaders already know. Compensation and benefit costs rose over the past year, with health benefit costs remaining a big factor in these increased costs. According to BLS, employer compensation costs rose slightly and health benefit costs remained the largest individual benefit cost for employers during the 12-month period ending March 31, 2015, according to the U.S. Bureau of Labor Statistics (BLS). See BLS Employment Cost Index News Release (April 30, 2015).

The BLS Employer Costs For Employee Compensation Report, March 2015 released June 10, 2015 Report) shows private employers spent an average of $31.65 per hour worked for compensation in March 2015 with health benefits accounting averaging 7.7 percent of this average employer total compensation cost per employee. This compares to BLS showing that in March 2014, In March 2014, total employer compensation costs for private industry workers averaged $29.99 per hour worked, with wages and salaries averaging $20.96 per hour (69.9 percent) and benefits averaging $9.03 per hour (30.1 percent). See BLS Employer Costs For Employee Compensation, March 2014 (June 12, 2014)(2014 Report).

BLS data on health benefit and other compensation and benefit costs and trends provides many interesting insights for business as well as government leaders and the role health benefit cost increases play in these increased expenditures. For instance, BLS statistics show for private employers on average during the 12-month period ending March 31, 2015:

Compensation costs for private industry workers increased 2.8 percent over the year, higher than the March 2014 increase of 1.7 percent;
Wages and salaries increased 2.8 percent, also higher than the March 2014 increase of 1.7 percent;
Benefits costs rose 2.6 percent, which was higher than March 2014, when the increase was 1.8 percent; and
Health benefits on average increased 2.5 percent over during the 12-month period that ended on March 31, 2015, rising from the March 2014 increase in compensation costs of 1.8 percent.

Businesses Must Prepare For Impending ACA Enforcement While Dealing With Upsurge In Health Benefit Costs

While the continued rise in the average hourly cost of health benefits for employers is significant in its own right, the reported health benefit cost and employer health cost data in the Report does not include additional reporting and other compliance and risk management costs, which in light of the explosion in employer group health plan mandates since the passage of the Patient Protection and Affordable Care Act (ACA). Research indicates that the employer plan design changes slowed the upward trend in employer health benefit expenditures that otherwise would have occurred in 2015. This upward trend is projected to continue if not accelerate in 2016, however.

The 2015 Report shows these upward increases in employer costs for health benefits and other compensation continued in the first quarter of 2015. Concerning health benefits, for instance, the 2015 Report shows health benefit costs paid by employers averaged $2.43 per hour worked (7.7 percent of total compensation)in private industry in March 2015, compared to the average health benefit costs BLS reported. In comparison, the 2014 Report indicated in March, 2014, the average cost for health insurance benefits in private industry was $2.36 per hour worked in March 2014 (7.9 percent of total compensation).

Overall health benefit costs and associated compliance expenses of employers that elect to continue to offer health benefits for employees are projected to rise throughout 2015 and 2016 as ACA driven mandates and market changes drive up employer’s direct health benefit costs. See, e.g. Employers’ Health Costs Projected to Rise 6.5% for 2016.

The trend data and judicial and political developments indicate that business leaders can look for these trends not only to continue, but accelerate. With an impending responsibility to self-report violations of ACA and various of federal health plan mandates imminent, business leaders should brace to deal with any deficiencies in compliance in their 2014 and 2015 health plans much sooner than they might have expected following the Supreme Court’s King v. Burwell decision last week. President Obama made clear last week he views the King ruling as giving the Internal Revenue Service, Department of Labor and Department of Health & Human Services the all clear for full implementation and enforcement of ACA and other federal health plan rules. While these overall enforcement exposures will play out over the next several years, many employers are poised to experience the first bite of these new enforcement exposures over the next few months, when the Internal Revenue Code will require that employers that offered health coverage for employees in 2014 self-assess, report and pay stiff new excise tax penalties of $100 per day per violation when filing their 2014 tax return unless their program complied with all of a long list of ACA or other federal law mandates in addition to otherwise applicable exposures under the Employee Retirement Income Security Act (ERISA) and other laws. See, Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell Decision. Since prompt self-audit and correction can help mitigate these liabilities, business leaders should act quickly to engage experienced legal counsel for their companies for help in evaluating, within the scope of attorney client privilege, the adequacy of their 2014 and 2015 health plan compliance, options for addressing potential exposures from any compliance deficiencies, and for advice and assistance to decide whether to offer health benefits going forward and if so, aid in designing and implementing their future health benefit program to enhance its defensibility. While businesses inevitably will need to involve or coordinate with their accounting, broker, and other vendors involved with the plans, businesses generally will want to get legal advice in a manner that preserves their potential to claim attorney-client privilege to protect against discovery in the event of future enforcement or litigation actions sensitive discussions and analysis about compliance audits, plan design choices, and other risk management and liability planning as well as to get help evaluating potential future plan design changes or proposed solutions to known or suspected liability exposures, particularly in light of complexity of the exposures and risks.

For Legal or Consulting Advice, Legal Representation, Training Or More Information

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms.Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com, or www.stamerchadwicksoefje.com the member of contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

1 Comment | 105(h), ACA, board of directors, compensation, compliance, corporate governance, directors, Employee Benefits, Excise Tax, Health Care Reform, health insurance, Health Plans, insurers, Internal Controls, Internal Revenue Code, officers, Tax, third party administrators | Tagged: ACA, business, compensaton, compliance, corporate budgets, corporate liability, Employee Benefits, Employer, ERISA, Group Health plans, Health Insurance, Health Plans, Insurance, king, King v. Burwell, Management, Obamacare, officers and directors, Patient Protection & Affordable Care Act, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell Decision

June 25, 2015

With the Supreme Court’s much anticipated June 25, 2015 King v. Burwell decision dashing the hope that the Supreme Court would provide relief for businesses and their group health plans from the Patient Protection and Affordable Care Act (ACA) mandates by striking down ACA, U.S. businesses that offered health coverage in 2014 and those continuing to sponsor health coverage currently swiftly to act to review and verify the adequacy of their 2014 and current group health plan’s compliance with ACA and other federal group health plan mandates as well as begin their finalizing their group health plan design decisions for the upcoming year.

King Decision Nixes Hope For Meaningful Judicial Relief For Businesses, Plans For Existing ACA Violations

Prompt action to assess and verify compliance is particularly critical in light of much overlooked the “Sox For Health Plans” style rules of Internal Revenue Code (Code) Section 6039D, which generally require group health plans that violated various federal group health plan mandates to self-identify and self-report these violations, as well as self-assess and pay the excise taxes of up to $100 per day per violation triggered by uncorrected violations. While applicable prior to 2014 for uncorrected violations of a relatively short list of pre-ACA federal group health mandates, ACA broadened the applicability of Code Section 6039D to include ACA’s group health plan mandates beginning in 2014. see SOX FOR HEALTH PLANS? IRS Excise Tax Requirements For Failing to Report Plan Violations Who Must File the IRS Form 8928, Requirement for Self-Reporting? This means that in addition to any other liability that the company, its group health plan and its fiduciaries might bear for violating these rules under the Employee Retirement Income Security Act, the Code, the Social Security Act or otherwise, the sponsoring business also will incur liability for the Code Section 6039D excise tax for uncorrected violations, as well as late or non-filing penalties and interest that can result from late or non-filing.

Many employers have significant exposure to these Code Section 6039D excise tax liabilities since many plan sponsors or their vendors have delayed reviewing or updating their group health plans for compliance with some or all of ACA’s mandates. In many cases, businesses delayed in hopes that the Supreme Court would strike down the law, Congress would amend or repeal it, or both. In other cases, limited or continuing changes to the regulatory guidance about some of ACA’s mandates prompted businesses to hold off investing in compliance to minimize compliance costs. Regardless of the past reasons for such delays, however, businesses sponsoring group health plans after 2013 need to recognize and act to address their uncorrected post-2013 ACA violations exposures.

While many businesses as well as individual Americans have held off taking long overdue steps to comply with ACA’s mandates pending the Supreme Court’s King v. Burwell decision, the three agencies charged with enforcement of its provision – the IRS, Department of Labor and Department of Health and Human Service has been gearing up to enforce those provisions of ACA already in effect and to finalize implementation of others in the expectation of today’s ruling in favor of the Obama Administration. As a practical matter, businesses sponsoring group health plans and other ACA opponents need to recognize that the Supreme Court’s King decision realistically gives these agencies the go ahead to move forward with these plans for aggressive implementation and enforcement.

While technically only addressing a challenge to the Obama Administration’s interpretation of the individual tax credit (“Individual Subsidy”) ACA created under Code Section 36B, the Supreme Court’s decision realistically eliminates any realistic hope for that the Supreme Court will provide businesses or their group health plans with any meaningful past or current ACA violations by striking down the law itself. Of all of the currently pending challenges to ACA working their way to through the courts, the King case presented the best chance of a Supreme Court ruling that would wholesale invalidate ACA’s insurance reforms, if not the law itself, because of the importance of the Individual Subsidy to the intended workings of those reforms. By upholding the Obama Administration’s interpretation of Code Section 36B as allowing otherwise qualifying individuals living in states without a state run ACA health insurance exchange to claim the Individual Subsidy for buying health care coverage through the federal Healthcare.gov health insurance exchange, the Supreme Court effectively killed the best possibility that the Supreme Court would invalidate the insurance reforms or ACA itself. While various challenges to the law or certain of the Obama Administration’s interpretations of its provisions, none of these existing challenges present any significant possibility that the Supreme Court will strike down ACA.

While the Republicans in Congress have promised to take Congressional action to repeal or reform ACA since retaking control of the Senate in last Fall’s elections, meaningful legislative reform also looks unlikely. Its narrow majority in the Senate means that Republicans alone do not have sufficient votes to override President Obama’s promised veto of these efforts. Consequently, prospects for meaningful legislative relief or repeal of ACA’s mandates remain extremely dim even with Republicans holding the majority in both the House and Senate.

Deadline To Self-Report, Pay Excise Tax Penalties For 2014 Health Plan Violations Rapidly Approaching

In light of these developments, businesses must prepare both to meet their current and future ACA and other federal health plan compliance obligations and defend potential deficiencies in their previous compliance over the past several years. The importance of these actions take on particular urgency given the impending deadlines under the largely overlooked “Sox for Health Plans” rules of Code Section 6039D for businesses that sponsored group health plans after 2013.

Under Code Section 6039D, businesses sponsoring group health plans in 2014 must self-assess the adequacy of their group health plan’s compliance with a long list of ACA and other federal mandates in 2014 and to the extent that there exist uncorrected violations, to self-report these violations and self-assess on IRS Form 8928 and pay the required excise tax penalty of $100 for each day in the noncompliance period with respect to each individual to whom such failure relates. For ACA violations, the reporting and payment deadline generally is the original due date for the business’ tax return. Absent further regulatory or legislative relief, businesses providing group health plan coverage in 2014 or thereafter also should expect to face similar obligations and exposures. As a result, businesses that sponsored group health plans in 2014 or thereafter should take affirmative steps to act quickly to verify the adequacy of their group health plan’s compliance with all ACA and other group health plan mandates covered by the Code Section 6039D reporting requirements. Prompt action to identify and sel-correct covered violations may mitigate the penalties a company faces under Code Section 6039D as well as other potential liabilities associated with those violations under the Employee Retirement Income Security Act (ERISA), the Social Security Act, or other federal laws. On the other hand, failing to act promptly to identify and deal with these requirements and the potential reporting and excise tax penalty self-assessment and payment requirements imposed by Code Section 6039D can significantly increase the liability the business faces for these violations substantially both by triggering additional interest and late payment and filing penalties, as well as forfeiting the potential opportunities that Code Section 6039D otherwise might offer to qualify to reduce or avoid penalties through good faith efforts to comply or self-correct.

While current guidance allows businesses the opportunity to extend the deadline for filing of their Form 8928, the payment deadline for the excise taxes cannot be extended. Code Section 6039D provides opportunities for businesses to reduce their excise tax exposure by self-correction or showing good faith efforts to comply with the ACA and other group health plan mandates covered by Code Section 6039D. Businesses need to recognize, however, that delay in identification and correction of any compliance concerns less likely to qualify for this relief. Accordingly prompt action to audit compliance and address any compliance concerns is advisable to mitigate these risks as well as other exposures.

Other Enforcement & Liability Risks

Beyond the impending Form 8928 excise tax responsibilities, employer and other health plan sponsors, fiduciaries, insurers and administrators also need to update their health plan compliance and risk management in anticipation of other challenges. Many health plan sponsors, fiduciaries, administrators, insurers and other vendors and advisors have allowed ongoing challenges and debates about ACA in the Courts, Congress and the media to lull them into delaying investing the money and other resources required to review and update of their programs for compliance with ACA and a host of other federal rules and court decisions impacting their programs and its associated risks. With their impending Form 8928 disclosures providing invaluable admissions of potential exposures and the Obama Administration and plaintiff’s bar likely to take King as a green light to enforce ACA and other group health plan mandates, plan sponsors, fiduciaries, insurers and administrators can expect greater scrutiny and challenges of their health plan design and administration by private plaintiffs, the Department of Labor, Department of Health & Human Services, IRS, and in the case of insured arrangements, state insurance regulators. Officers, directors and management leaders of employer or other sponsors of plans facing expenses from delayed or flawed compliance efforts, as well as their health plan insurers, administrative service providers, brokers, consultants, stop los insurers, auditors and other vendors and advisors also should brace for demands and other painful pushback from employers or health plan fiduciaries looking to shift liability to advisors or vendors for costs and damages resulting from claims or other enforcement liabilities resulting from delayed enforcement in alleged reliance upon the advisor or vendor. Strategic actions taken now could help mitigate potential exposures and other fallout of these and other health plan compliance delays.

Liabilities Make Advisable Engaging Legal Counsel For Privilege & Other Risk Management Assistance.

Businesses preparing to conduct audits also are urged to consider seeking the advice from qualified legal counsel experienced in these and other group health plan matters before initiating their audit as well as regarding the evaluation of any concerns that might be uncovered. While businesses inevitably will need to involve or coordinate with their accounting, broker, and other vendors involved with the plans, businesses generally will want to preserve the ability to claim attorney-client privilege to protect all or parts of their audit investigation and analysis and certain other matters against discovery as well as assistance with proper evaluation of options in light of findings and assistance from counsel to document the investigation and carefully craft any corrective actions for defensibility.

For Legal or Consulting Advice, Legal Representation, Training Or More Information

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms.Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy. Ms. Stamer uses her deep and highly specialized knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer helps management manage.Ms. Stamer’s legal and management consulting work throughout her 27 plus year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see www.cynthiastamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Comments Off on Businesses Must Confirm & Clean Up Health Plan ACA & Other Compliance Following Supreme Court’s King v. Burwell Decision | Affordable Care Act, Brokers, Employee Benefits, Employer, ERISA, Fiduciary Responsibility, Health Care Reform, Health Plans, Insurance, King V. Burwell, Patient Protection and Affordable Care Act, Supreme Court | Tagged: ACA, Affordable Care Act, King v. Burwell, subsidies | Permalink
Posted by Cynthia Marcotte Stamer

5/11 Deadline To Comment On Proposed Rule On Charter School Plan As Government Plan

May 6, 2015

Monday, May 11, 2015 is the deadline to submit comments about proposed regulations which would address the conditions under which a State or local retirement system that covers employees of a public charter school will qualify as a “government plan” under Internal Revenue Code (Code) Section 414(d). The Department of Treasury and Internal Revenue invited the comments on its proposed regulation in Notice 2015-7. Interested organizations concerned about the treatment of such arrangements should review the proposed regulations and comment as soon as possible and by May 11.

For Advice, Representation, Training & Other Resources

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law, Ms. Stamer is a practicing attorney Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, author, pubic speaker,management policy advocate and thought leader with more than 25 years’ experience advising government contractors and other employers, their management, benefit plans and plan fiduciaries, vendors and service providers and others about OFCCP, EEOC, and other employment discrimination, government contracting compliance, and other workforce and operational performance, compliance, risk management, compensation, and benefits matters. As a part of this involvement, Ms. Stamer throughout her career specifically has advised and represented a broad range of employers across the U.S., their employee benefit plans and plan fiduciaries, insurers, health care providers and others about the implications of DOMA and other rules relating to rights and expectations of LBGT community members and others in federally protected classes under Federal and state employment, tax, discrimination, employee benefits, health care and other laws.

In addition to her extensive client work Ms. Stamer also is a widely published author, management policy advocate and thought leader, and management policy advocate on these and other workforce and related matters who shares her experience and leadership in a wide range of contexts. A current or former author and advisory board member of HR.com, Insurance Thought Leadership, SHRM, BNA and several other the prominent publications, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, former President of the Richardson Development Center Board of Directors, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, An American College of Employee Benefit Counsel, American Bar Association (ABA) and State Bar of Texas Fellow, Martindale Hubble Premier AV Rated (the highest), Ms. Stamer publishes and speaks extensively on these and other staffing and human resources, compensation and benefits, technology, health care, privacy, public policy, and other operations and risk management concerns. Her publications and insights appear in the ABA and other professional publications, HR.com, SHRM, Insurance Thought Leadership, Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update here including:

About Solutions Law Press

Solutions Law Press, Inc. provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information â€“ including your preferred e-mail â€“ by creating or updating your profile at here or e-mailing this information here.

Comments Off on 5/11 Deadline To Comment On Proposed Rule On Charter School Plan As Government Plan | church plan, Employee Benefits, government plan, health plan, retirement plan, Tax | Tagged: defined benefit plan, defined contributon plan, DOL, employee benefit, employee benefit plan, government plan, IRS, plan qualification, retirement plan | Permalink
Posted by Cynthia Marcotte Stamer

IRS Updates Procedures For 403(b) Opinions & Approvals

February 26, 2015

The Internal Revenue Service (IRS) is revising the application procedures for pre-approved 403(b) opinions and advisory letters. Revenue Procedure 2015-22 modifies Revenue Procedure 2013-22, 2013-18 I.R.B. 985, as modified by Revenue Procedure 2014-28, 2014-16 I.R.B. 944, and Revenue Procedure 2015-8, 2015-1 I.R.B. 235 to:

Update the addresses to which applications for opinion and advisory letters for § 403(b) pre-approved plans should be submitted; and

To insert a user fee that was omitted from Rev. Proc. 2015-8. Revenue Procedure 2015-22 will be officially published in Internal Revenue Bulletin 2015-11 dated March 16, 2015.

For Advice, Training & Other Resources

If you need assistance with plan design or qualification, monitoring and responding to these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, an ABA Joint Committee On Employee Benefits Council representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a Fellow in the American College of Employee Benefit Counsel, ABA, and State Bar of Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health plans and insurers about ACA, and a wide range of other plan design, administration, data security and privacy and other compliance risk management policies. Ms. Stamer also regularly represents clients and works with Congress and state legislatures, EBSA, IRS, EEOC, OCR and other HHS agencies, state insurance and other regulators, and others. She also publishes and speaks extensively on health and other employee benefit plan and insurance, staffing and human resources, compensation and benefits, technology, public policy, privacy, regulatory and public policy and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

NOTE: This article is provided for educational purposes. It is does not establish any attorney-client relationship nor provide or serve as a substitute for legal advice to any individual or organization. Readers must engage properly qualified legal counsel to secure legal advice about the rules discussed in light of specific circumstances.

The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. The Regulations now require that either we (1) include the following disclaimer in most written Federal tax correspondence or (2) undertake significant due diligence that we have not performed (but can perform on request).

ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, or (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on IRS Updates Procedures For 403(b) Opinions & Approvals | Employee Benefits, Employers, ERISA, Form 5500, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: 125 Plan, Annual Return, cafeteria plan, Data Breach, Dependent Care Assistance Plan, Disability Plan, EBSA, employee benefit plan, FLexible Spending Account Plan, Form 5500, Group Legal Services Plan, Group Term Life, Health FSA, Health Plan, Health Plans, information return, IRS, M-1, PBGC, penalties, pension plan, plan administrator, retirement plan | Permalink
Posted by Cynthia Marcotte Stamer

Tell Congress to protect wellness programs against EEOC attacks

January 28, 2015

The EEOC has declared war on many employer sponsored wellness programs. The Senate Health, Education, Labor, and Pensions Committee will hold a hearing about how to improve employer wellness programs on Thursday, January 29. Employers and others should urge the Committee and other Congressional leaders to overrule the EEOC’s attacks on wellness programs as illegal disability discrimination under the Americans with Disabilities Act.

1 Comment | ADA, Affordable Care Act, Disability, Discrimination, EEOC, EEOC, Employee Benefits, Employers, ERISA, GINA, Health Care Reform, Health Plans, Human Resources, Insurance, Internal Controls, MEWA, Patient Empowerment, Patient Protection and Affordable Care Act, Privacy, Rehabilitation Act, Wellness, Wellness Programs | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Recognized As A “Top” Labor & Employment Lawyer

January 7, 2015

Cynthia Marcotte Stamer is recognized among the “Top Rated” Labor & Employment Lawyers in Texas in the 2014 LexisNexis® Martindale-Hubbell® list of Top Rated Lawyers. An AV® Preeminent™ (the highest Peer Review Rating available) rated lawyer, Ms. Stamer earned the “Top Rated” Distinction based on confidential Martindale-Hubbell Peer Review Ratings opinions about her skills and experience submitted by other AV® Preeminent™ lawyers and members with professional knowledge of her work.

A noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, Ms. Stamer is nationally and internationally known for her innovative leadership and work helping businesses, governments, and communities manage workforce and other performance and other labor and employment, employee benefits and workforce related representations.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, and a Fellow in the American Bar Association, Texas Bar Association, and the American College of Employee Benefit Counsel, Ms. Stamer’s legal and management consulting work focuses on helping employers, insurers, employee benefit plans and their administrators, fiduciaries and advisors, community leaders and governments manage people, process and risk. Throughout her more than 25 year career, Ms. Stamer has helped management deal with all aspects of human resources and workforce management, including employment and outsourcing contracting and performance management, reengineering and other change management, internal controls, compliance and risk management, compensation and employee benefits, communications, worker classification, tax, government relations, enforcement and litigation defense, and other related matters. Drawing upon her extensive knowledge base of knowledge and wealth of practical skills, Ms. Stamer helps businesses and their leaders manage their employees and other workers and service providers, their performance, compliance, compensation, benefits, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and operations crises large and small that arise in the course of operations.

In addition to her more traditional legal, internal controls and other management consulting work, Ms. Stamer also extensively works with a broad range of business and government clients on health care, pension, social security, workforce, insurance and many other related policy matters critical to their business success and liability management. She both only helps her clients anticipate, monitor and cope with emerging laws, regulations and enforcement and respond to and resolve government investigations and enforcement actions, she also helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American College of Employee Benefit Counsel, the American Bar Association (ABA) and the State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA,HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. She also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves as Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Committee and its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its representative to the ABA Joint Committee on Employee Benefits; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division and as a faculty member, editorial advisory board member, speaker and author for numerous human resources, employee benefits, insurance, technology and data security and other professional associations, programs, and publications. She previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early retirement intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association.

2 Comments | Employee Benefits, Employers, ERISA, Form 5500, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: defined benefit, IRC 412, Pension, Pension Funding, Qualified Plans, Retirement Plans, Tax | Permalink
Posted by Cynthia Marcotte Stamer

IRS Gives Guidance On When Defined Benefit Funding Method Changes Due Actuary Change Automatically Approved

January 6, 2015

The Internal Revenue Service (IRS) today (January 6, 2015) published guidance on when a change in a single-employer defined benefit plan’s funding method due to a change in the plan’s enrolled actuary will qualify for automatic approval. For additional details, see Announcement 2015-03, which is scheduled for official publication in Internal Revenue Bulletin 2015-3 on January 20, 2015.

For Advice, Training & Other Resources

If you need assistance resolving past Form 5500 or other filing exposures, or monitoring and responding to these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

Comments Off on IRS Gives Guidance On When Defined Benefit Funding Method Changes Due Actuary Change Automatically Approved | Employee Benefits, Employers, ERISA, Form 5500, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: defined benefit, IRC 412, Pension, Pension Funding, Qualified Plans, Retirement Plans, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Newly-Medicare Eligible Not Driving Medicare Advantage Enrollment Increases

January 5, 2015

Findings of a just-released Kaiser Family Foundation study, At Least Half of New Medicare Advantage Enrollees Had Switched from Traditional Medicare During 2006-11, disputes the popular misperception that Baby Boomers’ overwhelmingly choice of private plans accounts for the steady rise in Medicare Advantage enrollment. Instead, Study reports that seniors switching from traditional Medicare account for the majority of new enrollees in Medicare Advantage each year.

According to the study published January 5, 2015 in the journal Health Affairs, fewer than one-quarter of people newly-eligible for Medicare enrolled in Medicare Advantage from the outset, and these newly-Medicare eligible comprised less than half of all new Medicare Advantage enrollees each year between 2006 and 2011. However the study also reports that the share of seniors who switch between traditional Medicare and Medicare Advantage is relatively small, reinforcing the notion that most Medicare beneficiaries make a coverage choice and stick with it.

Other findings reported in the study include:

The share of people newly eligible for Medicare that elected Medicare Advantage plan coverage instead of traditional Medicare at initial enrollment rose slightly from 15 percent in 2006 to 22 percent in 2011;

In each year between 2006 and 2011, the majority of new Medicare Advantage enrollees were people who had switched from traditional Medicare; seniors in their first few years on Medicare (in their late sixties) switched from traditional Medicare to Medicare Advantage at higher than average rates;

In each year between 2006 and 2011, fewer than 5 percent of traditional Medicare beneficiaries switched to Medicare Advantage, and a similar percentage of Medicare Advantage enrollees switched to traditional Medicare, suggesting that initial coverage decisions made by Medicare beneficiaries have long-lasting effects;

People dually eligible for Medicare and Medicaid (“dual eligibles”) and Medicare beneficiaries under age 65 and disabled disenrolled from Medicare Advantage at higher than average rates.

Understanding Medicare Advantage enrollment preferences and trends is of growing importance to Congress as well as private insurers and plan sponsors as the Obama Administration – long hostile to Medicare Advantage plans – is expected to continue to try to curb the growth of Medicare Advantage enrollment, cut Medicare Advantage expenditures and tighten regulations and enforcement against these private sector alternatives to traditional Medicare implemented as part of Republican-lead health care reforms during the Bush Administration.

For Advice, Training & Other Resources

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

Comments Off on Newly-Medicare Eligible Not Driving Medicare Advantage Enrollment Increases | Employee Benefits, Employers, ERISA, Form 5500, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: 125 Plan, Annual Return, cafeteria plan, Data Breach, Dependent Care Assistance Plan, Disability Plan, EBSA, employee benefit plan, FLexible Spending Account Plan, Form 5500, Group Legal Services Plan, Group Term Life, Health FSA, Health Plan, Health Plans, information return, IRS, M-1, PBGC, penalties, pension plan, plan administrator, retirement plan | Permalink
Posted by Cynthia Marcotte Stamer

Advance Copies Of 2014 Form 5500s Reminder To Avoid Penalties By Confirming Compliance

December 16, 2014

Employers and other sponsors, plan administrators, third party administrators, and other service providers of employee benefit plans will want to check out the relevant advance informational copies of the 2014 Form 5500 and 5500-SF and final copy of the 2014 Form M-1 annual returns released by the U.S. Departments of Employee Benefits Security Administration, the Internal Revenue Service, and the Pension Benefit Guaranty Corporation December 15, 2015.

Subject to certain exceptions, federal law generally requires that the plan administrator of a pension as well as health and welfare benefit plan electronically file the appropriate annual return/report about the employee benefit plan’s financial conditions, investments and operations along with any required attachments satisfy annual reporting requirements under Title I and Title IV of the Employee Benefit Security Act (ERISA) and under the Internal Revenue Code (Code). Late or non-filing a required Form 5500 can be an expensive mistake. ERISA subjects the plan administrator of an employee benefit plan that fails to file required Form 5500s on time to penalties of up to $1,100 per day. Meanwhile, violations of the Code’s Form 5500 requirements by late filing or non-filing of a Form 5500 also carries its own penalties. In addition to DOL penalties, the IRS may impose a penalty of:

$1 for each participant for whom the plan fails to file a Form 8955-SSA statement for each day the failure continues, up to $5,000 for any plan year
$1 for each day for not filing a notification of change of status, up to $1,000
$1,000 for each failure to file an actuarial report by the required deadline and
$25 each day the Form 5500-series return is not filed, up to a maximum of $15,000.Copies of the current Form 5500 Forms and associated schedules are available here.
A quick review of the advance copies of the 2014 Form 5500s that plan administrators will be required to file for 2014 plan years reveals various changes compared to the 2013 Form 5500s. “The Changes to Note” discussion in the Instructions to the 2014 instructions to the Forms highlights these changes, which include:
In light of these penalties, plan administrators need to ensure that all required Form 5500s and other annual returns are appropriately completed and filed on a timely basis. To the extent that any previously required Form 5500s were not filed or were filed late, the plan administrator also will want to correct this deficiency promptly using the Voluntary Compliance Resolution Programs currently offered by the Internal Revenue Service and Department of Labor. See Labor Department Delinquent Filer Voluntary Compliance Program; IRS Notice 2014-35.

The MEWA Form M-1 compliance information that was filed as an attachment for 2013 now appears as three new questions on the Form 5500.
The Form 5500 and Form 5500-SF instructions for “Signature and Date” have been updated to caution filers to check the Filing Status. If the filing status is “Processing Stopped” or “Unprocessable,” the submission may not have had a valid electronic signature, and depending on the error, may be considered not to have been filed.
Filers are now required to provide the total number of active participants at the beginning of the plan year and at the end of the plan year on both forms.
Form 5500-SF filers now must provide the number of participants that terminated employment during the plan year with accrued benefits that were not fully vested.
Multiple-Employer Plan Information. In accordance with the Cooperative and Small Employer Charity Pension Flexibility Act, the Form 5500 and Form 5500-SF now require multiple-employer pension plans and multiple-employer welfare plans to include an attachment that generally identifies each participating employer, and includes a good faith estimate of each employer’s percentage of the total contributions during the year.
The instructions for line 1c(13) have been enhanced to set out what is an investment company registered under the Investment Company Act of 1940.
New Line 4f requires plans in critical status to indicate the plan year in which a plan is projected to emerge from critical status or, if the rehabilitation plan is based on forestalling possible insolvency, the plan year in which insolvency is expected.
Schedule SB, line 3 has been modified so that the funding target is reported separately for each type of participant (active, retired, or terminated vested). Schedule SB, Line 11b has been split into two parts: the calculation based on the prior year’s effective interest rate, and the calculation based on the prior year’s actual return. Modifications to Form 5500 and Form 5500-SF, and their schedules and instructions for plan year 2014 are described under “Changes to Note” in the 2014 instructions. Examples of these changes include:
DOL Form M-1 Compliance Information. The MEWA Form M-1 compliance information that was filed as an attachment for 2013 now appears as three new questions on the Form 5500.
Signature and Date. The Form 5500 and Form 5500-SF instructions for “Signature and Date” have been updated to caution filers to check the Filing Status. If the filing status is “Processing Stopped” or “Unprocessable,” the submission may not have had a valid electronic signature, and depending on the error, may be considered not to have been filed.
Active Participant Information. Filers are now required to provide the total number of active participants at the beginning of the plan year and at the end of the plan year on both forms.
Terminated Participant Vesting Information. Form 5500-SF filers now must provide the number of participants that terminated employment during the plan year with accrued benefits that were not fully vested.
Multiple-Employer Plan Information. In accordance with the Cooperative and Small Employer Charity Pension Flexibility Act, the Form 5500 and Form 5500-SF now require multiple-employer pension plans and multiple-employer welfare plans to include an attachment that generally identifies each participating employer, and includes a good faith estimate of each employer’s percentage of the total contributions during the year.
Schedule H. The instructions for line 1c(13) have been enhanced to set out what is an investment company registered under the Investment Company Act of 1940.
Schedule MB. New Line 4f requires plans in critical status to indicate the plan year in which a plan is projected to emerge from critical status or, if the rehabilitation plan is based on forestalling possible insolvency, the plan year in which insolvency is expected.
In Schedule SB, line 3 has been modified so that the funding target is reported separately for each type of participant (active, retired, or terminated vested); line 11b has been split into two parts: the calculation based on the prior year’s effective interest rate, and the calculation based on the prior year’s actual return; line 15 instructions have been expanded to address situations in which the AFTAP was not certified for the plan year; and line 27 and related instructions have been modified to reflect funding changes under the CSEC Act for defined benefit pension plans impacted by the act.
Line 15 instructions have been expanded to address situations in which the AFTAP was not certified for the plan year. Line 27 and related instructions have been modified to reflect funding changes under the CSEC Act for defined benefit pension plans impacted by the act.

The Form 5500 annual filing requirements are only one of a growing series of informational returns and reports that employee benefit plan sponsors or administrators are likely to be required to file concerning their employee benefit plans annually or in response to other specified events depending on the nature of the plan and the circumstances. In the case of health plans, for instance, the health care reforms of the Patient Protection & Affordable Care Act have resulted in a proliferation of new reporting requirements. Underfunding, plan termination or a series of other events also can trigger special reporting requirements for defined benefit pension plans. Other special rules also may apply for profit-sharing defined contribution pension plans, as well as other types of employee benefit plans. As proper understanding and timely fulfillment of these requirements is key to avoiding potentially significant liabilities, plan administrators, plan fiduciaries, employers or other plan sponsors and their service providers should consult with qualified experienced legal counsel to confirm they understand these requirements, conduct documented due diligence to confirm timely fulfillment of past filing requirements, take prompt action to correct any past deficiencies, and plan ahead and prepare for the upcoming 2014 filing deadlines by scheduling preparations and arranging to collect the necessary data to timely meet these deadlines now.

For Advice, Training & Other Resources

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

Comments Off on Advance Copies Of 2014 Form 5500s Reminder To Avoid Penalties By Confirming Compliance | Employee Benefits, Employers, ERISA, Form 5500, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: 125 Plan, Annual Return, cafeteria plan, Data Breach, Dependent Care Assistance Plan, Disability Plan, EBSA, employee benefit plan, FLexible Spending Account Plan, Form 5500, Group Legal Services Plan, Group Term Life, Health FSA, Health Plan, Health Plans, information return, IRS, M-1, PBGC, penalties, pension plan, plan administrator, retirement plan | Permalink
Posted by Cynthia Marcotte Stamer

Out-Of-Date, Unpatched Software Triggers HIPAA Security Sanction

December 11, 2014

Health plans, health care providers ealth care clearinghouses (covered entities) and their business associates need to watch for and protect protected health information (PHI) against security exposures from unpatched or unsupported software and other weaknesses in their data security protections as part of their compliance obligations under the Security Rules of the Health Insurance Portability & Accountability Act (HIPAA).

The need to monitor and address data security threats associated with unpatched or unsupported software is demonstrated by the December 9, 2014 announcement by the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR) that Anchorage Community Mental Health Services (ACMHS) will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program resulting from unpatched and unsupported software.

OCR opened an investigation against the five-facility, nonprofit provider of behavioral health care services to children, adults, and families in Anchorage, Alaska after receiving notification from ACMHS of a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources.

According to the OCR announcement of the ACMHS Resolution Agreement with OCR, OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but failed to follow these procedures. Moreover, OCR found that the reported security incident directly resulted of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

In an effort to promote awareness of the need to assess and monitor the security of ePHI by covered entities and business associates, OCR continues to encourage covered entities and business associates to conduct regular documented evaluations of the adequacy of their ePHI safeguards and systems. To aid in this process, OCR and the Office of the National Coordinator for Health Information Technology have created a Security Rule Risk Assessment Tool available here to assist organizations that handle PHI in conducting a regular review of the administrative, physical and technical safeguards they have in place to protect the security of the information. Since OCR points to the Tool as a resource, covered entities and business associates should anticipate that their failure to identify and address any deficiencies in the areas identified by the tools as a potentially serious compliance issue. As a result, covered entities and business associates likely will want to take steps to ensure that their records include documented review of the adequacy of the security safeguards identified in the Tool. At the same time, covered entities and their business associates should not assume that the Tool adequately covers all potential HIPAA Security Rule exposures. OCR has made clear in this and other Resolution Agreements that HIPAA’s Security Rule requires ongoing monitoring and assessment of the adequacy of security in response to changes in software or system, emerging threats and other developments.

For Advice, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

Comments Off on Out-Of-Date, Unpatched Software Triggers HIPAA Security Sanction | Employee Benefits, Employers, ERISA, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: Data Breach, Health Plans, HIPAA, Mileage, OCR employer, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

2015 Tax Standard Mileage Rates Announced

December 10, 2014

Employers should review and update mileage reimbursement policies and rates in light of the 2015 standard mileage rates that the Internal Revenue Service (IRS) just announced will apply for federal tax deduction purposes in 2015. Meanwhile, employees and other individuals also will want to review these updated rates for purposes of estimating their expected mileage-related income and deductions for 2015.

Notice 2014-79 scheduled for official publication in Internal Revenue Bulletin 2014-53 on December 29, 2014 sets the optional standard mileage rates for substantiating the amount of deductible expenses for using an automobile for business, moving, medical, or charitable purposes. For 2015, the standard mileage rates are 57.5 cents for business use of an automobile, 14 cents for use of an automobile as a charitable contribution, and 23 cents for use of an automobile as a medical or moving expense. s

Notice 2014-79 also provides the amount a taxpayer must use in calculating reductions to basis for depreciation taken under the business standard mileage rate and the maximum standard automobile cost that a taxpayer may use in computing the allowance under a fixed and variable rate plan.

When projecting expected income or deductions based on the 2015 number, individuals planning to claim deductions for mileage and employers responsible for reporting income on taxable mileage reimbursements to employees and other service providers should keep in mind that the standard deductible mileage rates for medical travel mileage differ from those for other business purposes. The rules for using the optional standard mileage rates to calculate the amount of a deductible business, moving, medical, or charitable expense are in Rev. Proc. 2010-51.

For Advice, Training & Other Resources

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

Comments Off on 2015 Tax Standard Mileage Rates Announced | Employee Benefits, Employers, ERISA, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: Employer, Health Plans, Mileage | Permalink
Posted by Cynthia Marcotte Stamer

12/5 Deadline For Insurers, Certain Self-Insured Health Plans To Submit 2014 Transitional Reinsurance Program Contribution Data

December 3, 2014

Friday, December 5, 2014 is the last day for health insurers and certain self-insured group health plans that are “contributing entities” to submit their required 2014 enrollment counts for the transitional reinsurance program contributions under 45 CFR 153.405(b).

Section 1341 of the Patient Protection & Affordable Care Act (ACA) established the transitional reinsurance program to help stabilize premiums in the individual market by partially offsetting issuers’ risk associated with high-cost enrollees.

The transitional reinsurance program will collect contributions from health insurance issuers and certain self-insured group health plans offering major medical coverage for the 2014, 2015 and 2016 benefit years. Under Final Rules published March 5, 2014, the insurer pays the fee for insured plans but where a group health plan is self-insured, the plan itself pays the fee.

In preparation for the collection of the transition reinsurance program fees, the Department of Health & Human Services (HHS) required that contributing entities, or third party administrators or administrative services-only contractors on their behalf, to complete the reinsurance contributions submission process through the Pay.gov website starting October 24, 2014. Subsequently, HHS extended the 2014 data submission deadline to submit the 2014 enrollment counts for transitional reinsurance program contributions but to date has not modified the deadline for making the required transition reinsurance program fees.

The reinsurance fee equals the yearly rate times the number of plan participants. The yearly rate is $63 for 2014, $44 for 2015, and to be announced for 2016.

Final Rules published March 5, 2014 provide that self-insured plans that are self-administered plans are exempt from the fees in 2015 and 2016. Since the guidance about these determinations is impacted by the allocation of fiduciary responsibilities under the plan and its associated vendor contracts, plan sponsors need to verify both whether their existing obligations qualifies as exempt and that any planned changes in their vendor contracts and other associated allocation of duties for its administration will not impact this determination. Employers and others sponsoring self-insured plans should consult with qualified counsel about whether they fall into this exception under the applicable rules, as well as to confirm that their program meets these and other applicable requirements.

Self-insured group health plan sponsors, fiduciaries and administrators should confirm with qualified legal counsel whether their program is a contributing entity required covered by the program and if so, both include the expected cost of the required payments in their budgets and obtain written confirmation from their third party administrator that the data reporting is completed and all other required steps to calculate, pay required contributions and fulfill reporting and other requirements of the program are completed for their records.

For Advice, Training & Other Resources

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

Comments Off on 12/5 Deadline For Insurers, Certain Self-Insured Health Plans To Submit 2014 Transitional Reinsurance Program Contribution Data | Employee Benefits, Employers, ERISA, Health Plans, Human Resources, Insurance, MEWA, Reporting & Disclosure, Uncategorized | Tagged: 105(h), ACA, Affordable Care Act, Code Section 4980H, Health Care Reform, Health Plans, Insurer, issuer, Patient Protection and Affordable Care Act, Pay or Play, Reinsurance Fee, Risk ADjustment, Skinny Plans, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Trump Executive Order Promises But Gives No ACA Health Plan Relief Until Agencies Act

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Solutions Law Press HR & Benefits Update