Don’t Get Stuck Paying Another Employer’s Overtime Or Other Backpay

January 13, 2020

No business wants to get hit with a bill or judgement for unpaid overtime or other wages and penalties under the Fair Labor Standards Act (“FLSA”). It’s even worse when the order to pay is for back pay another business owed but didn’t pay. New FLSA joint employer regulations released today update the rules about when your business could get stuck paying another business’ backpay. That’s why all U.S. employers should re-evaluate their potential minimum wage, overtime, recordkeeping and other Fair Labor Standards Acts (“FLSA”) liability exposure from work performed by workers employed by subcontractors or contractors, staffing, leasing, manpower and workforce and other separate business entities in light of the new Final Rule: Joint Employer Status under the Fair Labor Standards Act (“Final Rule”) on determining joint employer status under the FLSA released by the Department of Labor Wage and Hour Division (“Labor Department”).  The Labor Department released a copy of the Final Rule to the public today today (January 13, 2020) in anticipation of its scheduled official publication in the Federal Register on January 16, 2019.

Joint Employer Liability Long Standing FLSA Risk

Many businesses and their management are unaware that if their business meets the definition of a “joint employer” for purposes of the FLSA, their businesses could be required to pay unpaid wages and penalties another business owes for failing to pay minimum wage or overtime or other FLSA violations. even though their business never directly employed those workers.  This is because the FLSA also makes business that are “joint employers” as defined for purposes of the FLSA  jointly and severally liable with the direct employer for proper payment of wages and other compliance with the FLSA.  The FLSA requires covered employers to pay their employees at least the federal minimum wage for every hour worked and overtime for every hour worked over 40 in a workweek. To be liable for paying minimum wage or overtime, an individual or entity must be an “employer,” which the FLSA defines in Section 3(d) to include “any person acting directly or indirectly in the interest of an employer in relation to an employee[.]” Under the FLSA, an employee may have—in addition to his or her employer—one or more joint employers. A joint employer is any additional “person” (i.e., an individual or entity) who is jointly and severally liable with the employer for the employee’s wages under the applicable Labor Department regulations.

While both the Labor Department and private litigants have used the joint employer rules and precedent to nail businesses for other employer’s wage and hour liability frequently for the past sixty plus years, Obama Administration changes in the Labor Department’s interpretation and enforcement of the joint employer rule have significantly broadened the scope of relationships found to constitute joint employment to include a broad range of subcontractor and other business relationships not historically recognized as triggering joint employer liability.  Historically, joint employer determinations were reached by applying highly subjective, fact specific analysis heavily reliant upon decades of court decisions which required some evidence that the alleged joint employer possessed or exercised some control over the employees to support the finding of joint employment.   Under these historical tests, mere benefit from work performed by individuals employed by another employer did not establish a presumption, much less proof of joint employment.

During the Obama Administration, however, the Department of Labor both stepped up its efforts to identify and enforce these joint employer provisions and concurrently without formally issuing new regulations adopted interpretive and enforcement guidelines for finding joint employer status that that significantly broadened the employment relationships that the Labor Department treated as joint employers in a manner that presumed the existence of a joint employment relationship whenever the alleged joint employer benefitted from the performance of work even when the facts showed little or any evidence that the alleged joint employer possessed or exercised any control over the employee or the details of his work.  As a consequences, construction and other businesses uses contractors, health care organizations, and a host of other entities were surprised to be nailed with wage and hour liabilities arising from work performed by subcontractors, contractors, and other businesses including overtime liability attributable to work performed for the benefit of other customers of the employer.

Final Joint Employer Rule Changes Rules Effective March 16, 2020

Prompted by the Trump Administration’s broader effort to roll back these and other Obama Era pro-labor rulemaking and enforcement, the new Final Rule seeks to restore and reaffirm the requirement of evidence of the possession of authority or exercise of some traditional employer control by the alleged joint employer.  Scheduled to take effect on March 16, 2020, the new Final Rule will continue to recognize two potential scenarios where an employee may have one or more joint employers based on a highly subjective analysis of the factual realities of an alleged joint employer with another business or businesses under two scenarios:

  • The employee has an employer who suffers, permits, or otherwise employs the employee to work, but another individual or entity simultaneously benefits from that work (“Scenario One”); versus
  • One employer employs an employee for one set of hours in a workweek, and another employer employs the same employee for a separate set of hours in the same workweek (“Scenario Two”).

The Final Rule modifies and clarifies the Labor Department’s historical joint employer rule as it relates to the determination of joint employment status in Scenario One situations but leaves substantially unchanged its existing rules on joint employer determinations in Scenario Two situations.

Finally, the Final Rule provides several examples of how the Department’s joint employer guidance should be applied in various factual circumstances

Final Rule Modifications To Existing Rules On Joint Employment in Scenario One Situations

Under the Final Rule in a Scenario One situation under which an employee performs work for the employer that simultaneously benefits another individual or entity, the Final Rule adopts a four-factor balancing test to determine whether the potential joint employer is directly or indirectly controlling the employee, assessing whether the potential joint employer:

  • hires or fires the employee;
  • supervises and controls the employee’s work schedule or conditions of employment to a substantial degree;
  • determines the employee’s rate and method of payment; and
  • maintains the employee’s employment records.

Businesses should keep in mind that proof of the exercise of exercise direct control over these details of employment of an employee is not required for a finding of joint employment. Indirect exercise of control is sufficient.  Examples of indirect exercise of control recognized in the Final Regulations as supporting joint employer liability include control over an employee through mandatory directions to another employer that directly control the employee. However, indirect control does not include the direct employer’s voluntary decision to accommodate the potential joint employer’s request, recommendation, or suggestion. Similarly, acts that incidentally impact the employee do not indicate joint employer status. For example, a restaurant could request lower fees from its cleaning contractor, which, if agreed to, could impact the wages of the cleaning contractor’s employees. However, this request would not constitute an exercise of indirect control over the employee’s rate of payment.

Like under the prior rules and standards, whether a person is a joint employer under the new standards established in the Final Rule will continue to depend upon all the facts in a particular case, and the appropriate weight to give each factor will vary depending on the circumstances. Moreover, all of these factors need not be present for joint employment to exist.  However, the Final Rule states the potential joint employer’s maintenance of the employee’s employment records alone will not lead to a finding of joint employer status.  For purposes of its provisions, the Final Rule defines the “employment records” referred to in the fourth factor to mean only those records, such as payroll records, that reflect, relate to, or otherwise record information pertaining to the hiring or firing, supervision and control of the work schedules or conditions of employment, or determining the rate and method of payment of the employee.

Additionally, the Final Rule also notes that additional factors may also be relevant in determining whether another person is a joint employer in this situation, but only when they show whether the potential joint employer is exercising significant control over the terms and conditions of the employee’s work.

The Final Rule also identifies factors that are not relevant to the determination of FLSA joint employer status. For example, the Final Rule specifies that whether the employee is economically dependent on the potential joint employer, including factors traditionally used to establish whether a particular worker is a bona fide independent contractor (e.g., the worker’s opportunity for profit or loss, their investment in equipment and materials, etc.), are not relevant to determine joint employer liability. Economic dependence was an evidentiary factor promoted as evidence of joint employment in several Obama Administration era enforcement actions.

The Final Rule also identifies certain other factors that do not make joint employer status more or less likely under the Act which had been relied upon by the Labor Department under the Obama Administration era interpretation of the FLSA, including:

  • operating as a franchisor or entering into a brand and supply agreement, or using a similar business model;
  • the potential joint employer’s contractual agreements with the employer requiring the employer to comply with its legal obligations or to meet certain standards to protect the health or safety of its employees or the public;
  • the potential joint employer’s contractual agreements with the employer requiring quality control standards to ensure the consistent quality of the work product, brand, or business reputation; and
  • the potential joint employer’s practice of providing the employer with a sample employee handbook, or other forms, allowing the employer to operate a business on its premises (including “store within a store” arrangements), offering an association health plan or association retirement plan to the employer or participating in such a plan with the employer, jointly participating in an apprenticeship program with the employer, or any other similar business practice.

Additionally, the Final Rule makes clear that a finding of joint employer status in Scenario One situations must be based on an actual exercise of control by the alleged joint employer.  In this respect, the Final Rule provides that although an individual or entity’s power, ability, or reserved contractual right to exercise control relating to one or more of the factors may be relevant in determining whether they are an FLSA joint employer, such power, ability, or reserved contractual rights are not in themselves sufficient to establish FLSA joint employer status without some actual exercise of control.

Final Rule Retains Existing Rules On Joint Employment In Scenario Two Situations

The Final Rule did not make any substantive changes to the standard for determining joint employer liability in Scenario Two situations. If the employers are acting independently of each other and are disassociated with respect to the employment of the employee, the Final Rule continues to provide that each employer may disregard all work performed by the employee for the other employer in determining its liability under the FLSA. However, if the factual realities show that the employers are sufficiently associated with respect to the employment of the employee, the Final Rule continues to state that the two businesses are joint employers and must aggregate the hours worked for each for purposes of determining if they are in compliance.

For purposes of the Scenario Two analysis, the Final Rule provides that employers generally will be sufficiently associated if there is an arrangement between them to share the employee’s services, the employer is acting directly or indirectly in the interest of the other employer in relation to the employee, or they share control of the employee, directly or indirectly, by reason of the fact that one employer controls, is controlled by, or is under common control with the other employer.  Employers using manpower, staffing, employee leasing or other shared or part time workforces should keep in mind that a finding that their business is a joint employer with the supplier of the workers can result in liability for their business associated both for hours of work performed for the benefit of their business as well as any work the employee worked for another client of the supplier business.  As these shared workforces often perform work for several competitors, ironically this often means that a joint employer often ends up payment overtime liability attributable to unpaid overtime or other wages performed for a competitor business or businesses that also are clients of the same partial workforce supplier.

Businesses Should Act To Assess & Mitigate Joint Employer & Other FLSA Liability

The Labor Departments that its adoption of the revisions to the joint employer rule made by the Final Rule will add greater certainty regarding what business practices may result in joint employer status: and promote greater uniformity among court decisions by providing a clearer interpretation of FLSA joint employer status.  While the clarifications may help businesses to better predict certain relationships and arrangements that carry a higher risk of joint employer liability exposure, businesses must keep in mind that joint employer determinations under the Final Rule will continue to turn on highly subjective analysis of facts and circumstances that existing precedent suggests often finds the requisite evidence to find a joint employer relationship in many circumstances surprising to many business owners even taking into account the modifications made by the Final Rule,  For this reason, virtually all businesses generally will want to critically evaluate their existing and prospective relationships for potential joint employer liability under the FLSA in light of the Final Regulations.

Businesses should look to the guidance in the new Final Rule initially to evaluate whether their existing or prospective relationships meet, or could be restructured to meet all of the requisites to avoid or reduce the risk of findings of joint employer status.  When possible, businesses should seek to structure their contractual relationships and business dealings with other businesses to fit as closely as possible with those arrangements that the new Final Regulations identify as not constituting joint employer relationships in form and operation.  When engaging in these efforts, businesses need to look beyond their contractual agreements to examine the factual realities of their relationships with other businesses realistically based upon a clear understanding of the historical precedent to avoid mischaracterizing their relationships and their associated risks.  For added protection, businesses also should consider seeking contractual representations of compliance, coupled with requirements that other businesses whose employment practices could create joint employment risk provide records and other documentation needed to verify compliance and defend against potential joint employer liability claims.

Concurrently, businesses looking at FLSA joint employer liability risk management also should keep in mind that the new Final Rule only addresses joint employer determinations under the FLSA.  This Final Rule does not address “joint employer” status or other characterizations of relationships under other federal employment laws, such as the National Labor Relations Act (NLRA), the Employee Retirement Income Security Act of 1974 (ERISA), the Migrant and Seasonal Agricultural Worker Protection Act, Title VII of the Civil Rights Act, state labor, tax, unemployment, workers’ compensation or other laws, which often apply different standards for finding joint employment or other imputed liability of businesses other than the direct or nominal employer.  While different rules apply for those laws, government agencies and private litigants also increasingly successfully assert joint employer or other theories to impute liability to businesses that are not the nominal employer of workers protected by these laws.  To effectively plan for a control their broader joint employer risk, most businesses benefit from looking at their exposure holistically taking into account the potential characterization and liabilities under all of these rules concurrently.

Before beginning these assessments, businesses and their leaders are encouraged to engage an attorney experienced in FLSA and other joint employer and other worker classification laws in light of the legally sensitive evidence and discussions inherently involved in this process.  Conducting this analysis within the scope of attorney-client privilege helps protector limit the discoverability of sensitive discussions and work product in the event of a Labor Department investigation or litigation.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Law and Labor and Employment Law and Health Care; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, construction, manufacturing, staffing and workforce and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international employer and other management, employee benefit and other clients to assess, manage and defend joint employer and other worker classifications and practices under the FLSA and other federal and state laws including both advising and and assisting employers to minimize joint employer and other FLSA liability and defending a multitude of employers against joint employer and other FLSA and other worker classification liability. She also has been heavily involved in advocating for the Trump Administration’s restoration of more historical principles for determining and enforcing joint employer liability over the past several years.

Author of hundreds of highly regarded books, articles and other publications, Ms. Stamer also is widely recognized for her scholarship, coaching, legislative and regulatory advocacy, leadership and mentorship on wage and hour, worker classification and a diverse range of other labor and employment, employee benefits, health and safety, education, performance management, privacy and data security, leadership and governance, and other management concerns within the American Bar Association (ABA), the International Information Security Association, the Southwest Benefits Association, and a variety of other international, national and local professional, business and civic organizations including highly regarded works on worker reclassification and joint employment liability under the FLSA and other laws published by the Bureau of National Affairs and others.  Examples of these involvements include her service as the ABA Intellectual Property Law Section Law Practice Management Committee; the ABA International Section Life Sciences and Health Committee Vice Chair-Policy; a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former JCEB Council Representative and Marketing Chair; Past Chair of the ABA RPTE Employee Benefits and Other Compensation Group and Vice Chair of its Law Practice Management Committee; Past Chair of the ABA Managed Care & Insurance Interest Group; former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Southwest Benefits Association Board member; past Texas Association of Business State Board Member, BACPAC Committee Meeting, Regional and Dallas Chapter Chair; past Dallas Bar Association Employee Benefits Committee Executive Committee; former SHRM Region IV Chair and National Consultants Forum Board Member; for WEB Network of Benefit Professionals National Board Member and Dallas Chapter Chair; former Dallas World Affairs Council Board Member; founding Board Member, past President and Patient Empowerment and Health Care Heroes founder for the Alliance for Health Care Excellence; former Gulf States TEGE Council Exempt Organizations Coordinator and Board member; past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2020 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


DOL Aggressively Targeting Restaurants For Wage & Hour & Child Labor Law Violations

November 3, 2016

Restaurant employers beware! Restaurants are the target of a highly successful, U.S. Department of Labor Wage and Hour Division (WHD) restaurant enforcement and compliance initiative that WHD already has used to nail a multitude of restaurants across the country for “widespread violations” of Fair Labor Standards Act (FLSA) minimum wage, overtime, child labor and other wage and hour laws (WH Law).

Having reportedly found WH Law violations in “nearly every one” of the WH Law investigations conducted against restaurant employers during 2016 and recovered millions of dollars of back pay and penalties from restaurants caught through investigations conducted under its WHD Restaurant Enforcement Initiative, WHD Administrator Dr. David Weil recently confirmed WHD plans to expand the restaurant employers targeted for investigation and other efforts to punish and correct WH Law violations under the Restaurant Enforcement Initiative through 2017 in an October 5, 2016 WHD News Release: Significant Violations In The Austin Restaurant Industry Raise Concerns For Us Labor Department Officials (News Release).

The News Release quotes Administrator Weil as stating:

The current level of noncompliance found in these investigations is not acceptable …WHD will continue to use every tool we have available to combat this issue. This includes vigorous enforcement as well as outreach to employer associations and worker advocates to ensure that Austin restaurant workers receive a fair day’s pay for a fair day’s work.

Given the substantial back pay, interest, civil or in the case of willful violations, criminal penalties, costs of defense and prosecution and other sanctions that restaurant employers, their owners and management can face if their restaurant is caught violating FLSA or other WH Laws, restaurants and their leaders should arrange for a comprehensive review within the scope of attorney-client privilege of the adequacy and defensibility of their existing policies, practices and documentation for classifying, assigning duties, tracking regular and overtime hours, paying workers and other WH Law compliance responsibilities and opportunities to mitigate risks and liabilities from WH Law claims and investigations.

Many Restaurants Already Nailed Through Restaurant Enforcement Initiative

Even before the planned 2017 expansion of its Restaurant Enforcement Initiative, WHD’s enforcement record shows WHD’s efforts to find and punish restaurants that violate WH Laws are highly successful. Restaurant employers overwhelmingly are the employers targeted by WHD in the vast majority of the WH Law settlements and prosecutions announced in WHD News Releases published over the past two years, including aggregate back pay and penalty awards of more than $11.4 million recovered through the following 31 actions announced by WHD between January 1, 2016 and October 31, 2016:

Enforcement Actions Highlight Common Restaurant WH Law Compliance Concerns

Restaurant employers, like employers in most other industries, are subject to a host of minimum wage, overtime and other requirements including the FLSA requirement that covered, nonexempt employees earn at least the federal minimum wage of $7.25 per hour for all regular hours worked, plus time and one-half their regular rates, including commissions, bonuses and incentive pay, for hours worked beyond 40 per week. Employers also are required to maintain accurate time and payroll records and must comply with child labor, anti-retaliation and other WH Law requirements.

The News Release identified some of the common violations WHD uncovered in these investigations included employers:

  • Requiring employees to work exclusively for tips, with no regard to minimum-wage standards;
  • Making illegal deductions from workers’ wages for walkouts, breakages, credit card transaction fees and cash register shortages, which reduce wages below the required minimum wage;
  • Paying straight-time wages for overtime hours worked.
  • Calculating overtime incorrectly for servers based on their $2.13 per hour base rates before tips, instead of the federal minimum wage of $7.25 per hour.
  • Failing to pay proper overtime for salaried non-exempt cooks or other workers;
  • Creating illegal tip pools involving kitchen staff;
  • Failing to maintain accurate and thorough records of employees’ wages and work hours.
  • Committing significant child labor violations, such as allowing minors to operate and clean hazardous equipment, including dough mixers and meat slicers.

Use Care To Verify Tipped Employees Paid Properly

Based on the reported violations, restaurants employing tipped employees generally will want to carefully review their policies, practices and records regarding their payment of tipped employees. Among other things, these common violations reflect a widespread misunderstanding or misapplication of special rules for calculating the minimum hourly wage that a restaurant must pay an employee that qualifies as a tipped employee.  While special FLSA rules for tipped employees may permit a restaurant to claim tips (not in excess of $5.12 per hour) actually received and retained by a “tipped employee,” not all workers that receive tips are necessarily covered by this special rule. For purposes of this rule, the definition of “tipped employee” only applies to an employee who customarily and regularly receives more than $30 per month in tips.

Also, contrary to popular perception, the FLSA as construed by the WHD does not set the minimum wage for tipped employees at $2.13 per hour. On the contrary, the FLSA requirement that non-exempt workers be paid at least the minimum wage of $7.25 per hour for each regular hour worked also applies to tipped employees. When applicable, the special rule for tipped employees merely only allows an employer to claim the amount of the tips that the restaurant can prove the tipped employee actually received and retained (not in excess of $5.13 per hour) as a credit against the minimum wage of $7.25 per hour the FLSA otherwise would require the employer to pay the tipped employee. Only tips actually received by the employee may be counted in determining whether the employee is a tipped employee and in applying the tip credit.  If a tipped employee earns less than $5.13 per hour in tips, the restaurant must be able to demonstrate that the combined total of the tips retained by the employee and the hourly wage otherwise paid to the tipped employee by the restaurant equaled at least the minimum wage of $7.25 per hour.

Furthermore, restaurant or other employers claiming a tip credit must keep in mind that the FLSA generally provides that tips are the property of the employee. The FLSA generally prohibits an employer from using an employee’s tips for any reason other than as a credit against its minimum wage obligation to the employee (“tip credit”) or in furtherance of a valid tip pool.

Also, whether for purposes of applying the tip credit rules or other applicable requirements of the FLSA and other wage and hour laws, restaurant employers must create and retain appropriate records and other documentation regarding worker age, classification, hours worked, tips and other compensation paid and other evidence necessary to defend their actions with respect to tipped or other employees under the FLSA and other WH Law rules. Beyond accurately and reliably capturing all of the documentation required to show proper payment in accordance with the FLSA, restaurants also should use care to appropriately document leave, discipline and other related activities as necessary to show compliance with anti-retaliation, equal pay, family and medical leave, and other mandates, as applicable.  Since state law also may impose additional minimum leave, break time or other requirements, restaurants also generally will want to review their policies, practices and records to verify their ability to defend their actions under those rules as well.

Child Labor Rules Require Special Care When Employing Minors

While hiring workers under the age of 18 (minors) can help a restaurant fulfill its staffing needs while providing young workers valuable first time or other work experience, restaurants that hire minors must understand and properly comply with any restrictions on the duties, work hours or other requirements for employment of the minor imposed by federal or state child labor laws.

As a starting point, the legal requirements for employing minors generally greater, not less, than those applicable to the employment of an adult in the same position.  Employers employing workers who are less than 18 years of age (minors) should not assume that the employer can pay the minor less than minimum wage or skip complying with other legal requirements that normally apply to the employment of an adult in that position by employing the minor in an “internship” or other special capacity. The same federal and state minimum wage, overtime, safety and health and nondiscrimination rules that generally apply to the employment of an adult generally will apply to its employment of a worker who is a minor.

Beyond complying with the rules for employment of adults, restaurants employing minors also must ensure that they fully comply with all applicable requirements for the employment of minors imposed under the FLSA child labor rules and applicable state law enacted to ensure that when young people work, the work is safe and does not jeopardize their health, well-being or educational opportunities.   Depending on the age of the minor, the FLSA or state child labor rules may necessitate that a restaurant tailor the duties and hours of work of an employee who is a minor to avoid the substantial liability that can result when an employer violates one of these child labor rules.

The FLSA child labor rules, for instance, impose various special requirements for the employment of youth 14 to 17 years old. See here.  As a starting point, the FLSA child labor rules prohibit the any worker less than 18 years of age from operating or cleaning dough mixers, meat slicers or other hazardous equipment. Depending on the age of the minor worker, the FLSA child labor rules or state child labor laws also may impose other restrictions on the duties that the restaurant can assign or allow the minor to perform.  Restaurants hiring any worker that is a minor must evaluate the duties identified as hazardous “occupations” that the FLSA child labor rules prohibit a minor of that age to perform here as an “occupation” and take the necessary steps to ensure the minor is not assigned and does not perform any of those prohibited activities in the course of his employment.

In addition to ensuring that minors don’t perform prohibited duties, restaurants employing minors also comply with all applicable restrictions on the hours that the minor is permitted to work based on the age of the minor worker.  For instance, the FLSA and state child labor rules typically prohibit scheduling a minor less than 16 years of age to work during school hours and restrict the hours outside school hours the minor can work based on his age.  Additional restrictions on the types of jobs and hours 14- and 15-year-olds may work also may apply.

Compliance with the FLSA child labor rules is critically important for any restaurant or other employer that employs a minor, particularly since the penalties for violation of these requirements were substantially increased in 2010, as Streets Seafood Restaurant learned earlier this year.

According to a WHD News Release, Street’s Seafood Restaurant paid $14,288 in minimum wage and overtime back wages and an equal amount in liquidated damages totaling $28,577 to eight employees, and also was assessed a civil money penalty of $14,125 for FLSA child labor violations committed in the course of its employment of four minors ages 15 to 17. Specifically, investigators found Street’s Seafood Restaurant:

WHD’s announcement of the settlement resolving these child labor laws quotes Kenneth Stripling, director of the division’s Birmingham District Office as stating:

Employing young people provides valuable experience, but that experience must never come at the expense of their safety …Additionally, employers have an obligation to pay employees what they have legally earned. All workers deserve a fair day’s pay for a fair day’s work. Unfortunately, Street’s Seafood violated not only child labor laws, but has also shorted workers’ pay. The resolution of this case sends a strong message that we will not tolerate either of those behaviors.

Restaurants Must Act To Minimize Risks

Beyond WHD’s direct enforcement actions, WHD also is seeking to encourage private enforcement of WH Law violations by conducting an aggressive outreach to employees, their union and private plaintiff representatives, states and others. Successful plaintiffs in private actions typically recover actual back pay, double damage penalties plus attorneys’ fees and costs. The availability of these often lucrative private damages makes FLSA and other WH Law claims highly popular to disgruntled or terminated workers and their lawyers.  When contemplating options to settle claims WH Law claims made by a worker, employers need to keep in mind that WHD takes the position that settlements with workers do not bar the WHD from taking action unless the WHD joins in the settlement and in fact, past settlements may provide evidence of knowingness or willfulness by the employer in the event of a WHD prosecution.  The substantial private recoveries coupled with these and other WHD enforcement and other compliance actions mean bad news for restaurant employers that fail to manage their FLSA and other WH Law compliance.  Restaurant employers should act within the scope of attorney-client privilege to review and verify their compliance and consult with legal counsel about other options to minimize their risk and streamline and strengthen their ability to respond to and defend against audits, investigations and litigation.

Beyond verifying the appropriateness of their timekeeping and compensation activities and documentation, restaurants and staffing or management organizations working with them also should use care to mitigate exposures that often arise from missteps or overly aggressive conduct by others providing or receiving management services or staffing services. All parties to these arrangements and their management should keep in mind that both parties participating in such arrangements bear significant risk if responsibilities are not properly performed.   Both service and staffing providers and restaurants using their services should insist on carefully crafted commitments from the other party to properly classify, track hours, calculate and pay workers, keep records, and otherwise comply with WH Laws and other legal requirements.  Parties to these arrangements both generally also will want to insist that these contractual reassurances are backed up with meaningful audit and indemnification rights and carefully monitor the actions of service providers rendering these services.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,”“Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.


Brace For Health Plan OCR HIPAA Audits

March 22, 2016

healthinsurance 10

Employer and union sponsored health plans, their sponsors, fiduciaries, and business associates should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) follow OCR’s 2016 audit program on the heels of its announcement last week of two large HIPAA settlements last week.

OCR confirmed today it is sending emails notifying health plans, healthcare providers, healthcare clearing houses (Covered Entities) and their business associates identified as part of the kickoff of its next phase of audits of Covered Entities.  In light of the  HIPAA verification rules  and the notorious spread of opportunistic identity theft and other fraud by opportunistic Cybercriminals following these types of announcements, Covered Entities and business associates should carefully verify the requests validity and manage the response to avoid violating HIPAA in responding and position for defensibility against potential penalties.

Even if health plans or other Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.

To catch up on this latest guidance, Solutions Law Press, Inc. ™ invites you to register to participate in a special WebEx briefing on “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” on Wednesday, March 30, 2016 beginning at Noon Central Time on Wednesday, March 30, 2016.

2016 Audit Program 

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by Covered Entities  and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. OCR says it will primarily conduct these audits as desk audits, although some on-site audits will be conducted.

According to today’s announcement, the 2016 audit process begins with verification of an entity’s address and contact information. OCR is sending emails to Covered Entities and business associates requesting that contact information be provided to OCR on time. OCR will then send a pre-audit questionnaire to gather data about the size, type, and operations of potential audit targets.  OCR says this data will be used with other information to create potential audit subject pools.  Recipients should contact qualified legal counsel immediately for advice and assistance about proper procedures to verify the email is in fact from OCR and for assistance in responding.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects entities to check their junk or spam email folder for emails from OCR.

The announcement also reflects that OCR is still developing other aspects of the audit program. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

OCR says its audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to aid the industry in compliance self-evaluation and in preventing breaches. OCR plans to use results and procedures used in the phase 2 audits to develop its permanent HIPAA audit program.

OCR Settlements Show Enforcement Risk

The audit program announcement comes less than a week after OCR announced millions of dollars of new penalties under settlements with two Covered Entities:

  • A $1,555,000 settlement with North Memorial Health Care of Minnesota;
  • A $3.9 million settlement with Feinstein Institute for Medical Research.

The two settlements drive home again the substantial liability that health care providers, health plans, health care clearinghouses and their business associates risk for violating HIPAA.

Feinstein Settlement

Feinstein is a biomedical research institute organized as a New York not-for-profit corporation sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York comprised of 21 hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information about potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html.

North Memorial

The Feinstein settlement announcement follows yesterday’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Director Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.
Settlement Latest Reminder To Manage HIPAA Risks.

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, these latest  settlements illustrate the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR about their obligations under HIPAA.

As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI.

In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs.

At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule.

To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breech or audit.

Changing Rules Complicate Compliance

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.   OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should expect OCR to ask about use of these tools in audits and investigations.  Accordingly, they should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply.

Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.
Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com  such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.  ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.


Strengthen Your Cyber Security By Sharing National Cyber Security Awareness Month Resources This Week

October 25, 2015

Halloween’s annual celebration of spooks and goblins peak is a perfect time to promote awareness and help American businesses and citizens build their skills to guard against the real and growing menace of identity thieves and other cybercriminals by getting involved with the 12th annual National Cyber Security Awareness Month (NCSAM) in October, begin preparing to participate in the next annual “Data Privacy Day” on January 28, 2016 and joining in other activities highlighted through NCSAM and Data Privacy Day to help deter Cybercrime and identity theft threats. Even if your organization or family choose not to participate in any official or public way, checking out and using the many free resources provides an invaluable, free opportunity to raise your defenses against this rising risk.

With virtually every American business and citizen now connected to and using the Internet to conduct key personal and business transactions and the constant drive by government and business to digitize regular business transactions, no one agency, business or individual alone can truly know where and who has their sensitive data, much less reliably can defend this data against the identity and other theft and other cybercriminals lurking in the digital world’s virtual streets waiting to strike, then disappear in “Jack The Ripper” style into the darkness of the Internet.  That’s why every American and American business should take time to participate and urge others to Get Involved in the 12th Annual NCSAM activities this month and use the supportive resources offered through that involvement throughout the year.

Celebrated annually in October, NCSAM was created to provide resources to help Americans stay safer and more secure online through public-private collaboration between the U.S. Department of Homeland Security and industry led by the National Cyber Security Alliance (NCSA). NCSAM and its associated activities outreach to consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation.  NCSAM 2015 particularly focuses on the consumer and his/her needs regarding cybersecurity and safety continuing the overall message of STOP. THINK. CONNECT. Campaign founded in 2010 and its capstone concepts: “Keep a Clean Machine,” “Protect Your Personal Information,” “Connect with Care,” “Be Web Wise” and “Be a Good Online Citizen.” NCSAM seeks to remind Americans to incorporate “STOP. THINK. CONNECT.” into their online routines and offers resources to help individuals understand and put these principles into practice into their online routine at the home, the office and elsewhere.

Designed to be accessible and understandable by consumers, many business and government organizations may want to support and promote their Cyber Security employee and customer training and awareness efforts by participating annually in NCSAM in October, signing up your organization to Data Privacy Day Champion and/or participating in Data Privacy Day on January 28, 2016, or otherwise using and sharing tips, tools and other resources in the Privacy Library such as:

General Privacy & Cyber Security Awareness

Keep a Clean Machine/Cookies & Behavioral Tracking

  • Malware & Botnets
  • A video about cookies and why they matter created by the Wall Street Journal.
  • Information about the Network Advertising Initiative (NAI) offering opt-out of online behavior advertising and provides factual information about online behavioral advertising, privacy, cookies.

Health Privacy

Identity Theft Prevention & Clean Up

Mobile App Privacy & Security

Student & Educational Privacy & Security

  • I want to each online safety for Grades K-2,  Grades 3-5  Middle and High School Higher Education and CSave Volunteer Lesson Plans & Materials
  • The Protecting Privacy in Connected Learning toolkit is an in-depth, step-by-step guide to navigating the Family Education Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA) and related privacy issues.
  • Securing Your Home Network
  • The Family Educational Rights and Privacy Act, or FERPA, is the main federal law that deals with education privacy, but there are a host of other laws, best practices, and guidelines that are essential to understanding education privacy. FERPA|SHERPA aims to provide service providers, parents, school officials, and policymakers with easy access to those materials to help guide responsible uses of student’s data.
  • General guidance for parents provided by the department of education Family Educational Rights and Privacy Act (FERPA)
  • Student Privacy 101: FERPA for parents and students – Ever have questions about your rights regarding education records? This short video highlights the key points of the family education rights and privacy act (FERPA).

Other Resources 

About the Author

Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than years’ experience helping business and government organizations and their leaders manage. Ms. Stamer’s legal and management consulting work throughout her 28 plus year career has focused on helping organizations and their management understand and use the law and process to manage people, process, compliance, operations and risk including significant work in the prevention, investigation and remediation of data breach and other Cybercrime events.

Scribe responsible for leading the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) annual agency meeting with the Department of Health & Human Services Office of Civil Rights,Scribe responsible for leading the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) annual agency meeting with the Department of Health & Human Services Cynthia Marcotte Stamer’s practice has focused on advising and representing government and private technology, security, health care providers, health plans, health, schools and other educational organizations, insurance, banking and financial services, retail, employer and other organizations about privacy and data security compliance and risk management, breach and other investigations and enforcement, workforce and performance management and other risk management, compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

With data and technology use, protection and management imbedded in virtually every aspect of her client’s operations, data and other confidential information and systems use, protection, breach or other abuse investigation and response, enforcement and liability mitigation and defense and other Cybercrime and Cyber Security challenges are a continuous component of Ms. Stamer’s management work.  Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce, data breach and Cybercrime, and other legal and operational crises large and small that arise in the course of operations.  Ms. Stamer regularly helps clients design, administer and defend HIPAA, FACTA, data breach, identity theft and other risk management, compliance and other privacy, data security, confidential information and other data security, technology and management policies and practices affecting their operations.   She also helps clients prevent, investigate and mitigate HIPAA, FACTA, PHI and other data breach hacking, identity theft, data breach, data loss or destruction, theft of trade secrets or other sensitive data, spoofing, industrial espionage, insider and other parties misuse of data or technology and other cybercrime and technology use concerns.  Best-known for her extensive work helping health care, insurance and other highly regulated entities manage both general employment and management concerns and their highly complicated, industry specific corporate compliance, internal controls and risk management requirements, Ms. Stamer’s clients and experience also includes a broad range of other businesses.  Her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.  Common engagements include internal and external privacy and data security compliance, risk management, investigation and remediation, workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other legal and operational compliance, risk management, disaster preparedness and response, and liability defense and mitigation concerns arising out of organization’s operations.

Cindy also is widely recognized for her regulatory and public policy advocacy, publications, and public speaking on privacy and other compliance, risk management concerns. Among others, she is the author of “Privacy & Securities Standards-A Brief Nutshell,” “Privacy Invasions of Medical Care-An Emerging Perspective,” the E-Health Business and Transactional Law Chapter on Other Liability-Tort and Regulatory;” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA;” “Personal Identity Management Legal Demands and Technology Solutions;” “Tailoring A Records Management Plan And Process To Meet Your Legal And Operational Needs;” “Brokers & Insurers Identity Theft and Privacy Perils;” “HR’s Role In Personal Identity Theft & Cyber Crime Prevention;” “Protecting & Using Patient Data In Disease Management Opportunities, Liabilities And Prescriptions;” “Why Your Business Needs A Cybercrime Prevention and Compliance Program;” “Leveraging Your Enterprise Digital Identity Management Investments and Breaking though the Identity Management Buzz;” “When Your Employee’s Private Life Becomes Your Business;” and hundreds of other works. Her insights on privacy, data security, and other matters have appeared in The Wall Street Journal, Business Insurance, the Dallas Morning News, Spencer Publications, and a host of other publications. She speaks and has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer works with businesses and government organizations and their management, employee benefit plans, schools, financial institutions, retail, hospitality, and other organizations deal with all aspects of these and other operations performance and compliance management.  She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.  She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here, or the Stamer Chadwick Soefje PLLC website here.  To contact Ms. Stamer, e-mail her at here or telephone (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™  provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2015 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.. All other rights reserved.