Privacy | | Page 2

Employers ACA Health Reforms Prohibit Using HRAs To Pay Individual Medical Policy Premiums & Impact Other HRA Arrangements

January 27, 2013

Since the enactment of the Patient Protection & Affordable Care Act (ACA), many employers searching for health plan solutions may have been asked to consider replacing or modifying their existing insured or self-insured group health plan with a “health reimbursement arrangement” (HRA) or other arrangement which would reimburse employees for premiums paid for individual health insurance policies. New guidance released on Thursday, January 24, 2013 indicates that such arrangements are prohibited as part of the ACA health care reforms.

“FAQS About Affordable Care Implementation (Part XI)” (FAQ) available here issued by the Departments of Labor, Health and Human Services (HHS), and the Treasury (collectively, the Agencies) on January 24, 2013 sends a clear message to employers that trying to escape ACA or other federal group health plan mandates by replacing their traditional insured or group health plans or policies with health reimbursement arrangements (HRAs) or other arrangements under which the employer agrees to provide a fixed defined contribution to be used to buy or reimburses employees for buying individual health insurance generally won’t pass legal muster. The FAQ also indicates that employers sponsoring HRAs that only reimburse medical expenses, not individual health insurance premiums also need to review their arrangements to verify that those programs also comply with ACA and other applicable rules.

Concerning the use of HRAs to pay for individual health insurance policy premiums, the FAQ states that PHS Act Section 2711 generally prohibits an employer-sponsored HRA cannot be integrated with individual market coverage or with an employer plan that provides coverage through individual policies. Under ACA, employers that improperly offer arrangements that violate PHS Section 2711 or other group health plans risk exposing themselves to liability for significant unanticipated health benefit claims, as well as other penalties and costs. Therefore, employers that have or are contemplating arrangements that provide or reimburse premiums for individual health insurance coverage are urged to contact qualified legal counsel with documented experience with ACA and other group health plan requirements for advice before establishing or continuing such arrangements.

The FAQ’s guidance about the use of individual insurance policies to arrange coverage for employees is one of several issues addressed in the FAQ and part of a wave of new guidance that has and is emerging as the Obama Administration moves to full implementation of the ACA reforms. Employers, plan fiduciaries, insurers, and others involved in the design or administration of health benefit programs need to monitor carefully this emerging guidance as they move quickly to tailor their programs in response to these evolving rules. For help monitoring or responding to these evolving rules, contact the author of this update, Cynthia Marcotte Stamer.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.

For help with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

Comments Off on Employers ACA Health Reforms Prohibit Using HRAs To Pay Individual Medical Policy Premiums & Impact Other HRA Arrangements | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Employer Deadline To Give ACA Notice of Exchange Coverage Options Delayed

January 25, 2013

The Department of Labor has extended the deadline for employers to notify employees about the existence of and their rights under the health exchanges required by new Section 18B of the Fair Labor Standards Act (FLSA), as added by Section 1512 of the Patient Protection & Affordable Care Act (ACA). The extension announced in Frequently Answered Question (FAQ) here provides a welcome temporary reprieve to employers who otherwise would have been required to notify employees by March 1, 2013.

As part of the impending implementation of ACA’s health care reform, FLSA § 18B generally requires each applicable employer provide each employee a written notice (Exchange Notice) in accordance with regulations promulgated by the Secretary of Labor:

Informing the employee of the existence of Exchanges including a description of the services provided by the Exchanges, and the way the employee may contact Exchanges to request assistance;
If the employer plan’s share of the total allowed costs of benefits provided under the plan is less than 60 percent of such costs, that the employee may be eligible for a premium tax credit under section 36B of the Internal Revenue Code (the Code) if the employee purchases a qualified health plan through an Exchange; and
If the employee purchases a qualified health plan through an Exchange, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes. The Department of Labor expects that the timing for distribution of notices will be the late summer or fall of 2013, which will coordinate with the open enrollment period for Exchanges.

Before the Department’s announcement in the FAQ, the deadline for employers to begin giving employees Exchange Notices was the later of March 1, 2013 or at the time of hiring. The FAQ extends this deadline until a date to be set by the Department in future guidance, which the Department expects will require employers to distribute the notices in the late summer or fall of 2013 to coordinate with the open enrollment period for Exchanges.

According to the announcement of the delay, the Department delayed the impending March 1, 2013 deadline to give the (Exchange Notice) to better coordinate with related Health and Human Service and Internal Revenue Service efforts and to allow more time to comply and to distribute the Exchange Notices to employees at a meaningful time.

In addition to providing added time to provide the Exchange Notice, the Department also has announced that it is considering providing model, generic language that employers could use to provide the Exchange Notice. to satisfy the notice requirement. As a compliance alternative, the Department also is considering allowing employers to meet the Exchange Notice requirement by providing employees with information using the employer coverage template as discussed in the preamble to the Proposed Rule on Medicaid, Children’s Health Insurance Programs, and Exchanges: Essential Health Benefits in Alternative Benefit Plans, Eligibility Notices, Fair Hearing and Appeal Processes for Medicaid and Exchange Eligibility Appeals and Other Provisions Related to Eligibility and Enrollment for Exchanges, Medicaid and CHIP, and Medicaid Premiums and Cost Sharing (78 FR 4594, at 4641), which will be available for download at the Exchange web site as part of the streamlined application that will be used by the Exchange, Medicaid, and CHIP.

The Exchange Notice is just one of a multitude of notices and other mandates that ACA requires that employers or their health plans, insurers, or both to meet. Although the Exchange Notice gives employers a little more time to provide the Exchange Notices, employer and other health plan sponsors, fiduciaries, administrators and insurers are urged to continue to diligently move forward to update their plans, communications, processes and other arrangements to comply with existing and impending ACA mandates while keeping a watchful eye on for additional guidance that may require additional tailoring of these arrangements.

Stay tuned for updates about future guidance on complying with the notice requirement under FLSA section 18B and other developments.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

About Solutions Law Press, Inc.™

Comments Off on Employer Deadline To Give ACA Notice of Exchange Coverage Options Delayed | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Hear Stamer Speak On “Coping With Health Care Reform Now” At 2/14 Dallas ICEBS Meeting

January 23, 2013

Cynthia Marcotte Stamer will share key information and practical strategies for “Coping with Health Care Reform Now” at the Dallas Chaper ICEBS Valentines Day luncheon meeting on February 14, 2012. The meeting is scheduled from 11:30 a.m. to 1:30 p.m on February 14, 2012 at Haggar Clothing Company at 11511 Luna Road, Dallas, Texas . Interested persons may register or get other details at http://www.dfwiscebs.org.

With the initial debate about the Constitutionality of the Patient Protection & Affordable Care Act (ACA) decided and making a Congressional reprieve highly improbable, employer and other health plan sponsors, insurers, fiduciaries and administrators are scrambling to update plan documents, communications, processes and procedures to meet current ACA and other health plan rules, while bracing to cope with the sweeping health care reforms slated to take effect in 2014. These already daunting tasks are made more challenging by the continuing uncertainty of the constantly evolving regulations, evolving marketplace, increases in health plan costs and ever-shrinking corporate budgets.

To help health plan sponsors, fiduciaries, administrators and insurers deal with the tough business of implementation, attorney Cynthia Marcotte Stamer will discuss practical strategies, legal updates and other information needed for to cope with health care reform now and to prepare to meet future health plan regulations and challenges including:

The Latest On Key ACA & Other Health Care Reform Regulations Such As ACA’s Requirements On Fees Employers Sponsoring Self-Insured Health Plans & Insurers Must Pay To Fund The Patient-Centered Outcomes Research Institute, Contraceptive and Other Preventive Services, Nondiscrimination, Essential Health Benefits, Internal Claims and Appeals and External Review, Medical Loss Ratios, Large Employer Automatic Enrollment, Summary of Benefits & Coverage, Culturally & Linguistically Appropriateness, Value-Based Insurance Design, Wellness Programs, Exchanges, the Employer Pay-Or-Plan Mandates, Wellness Reporting, Wellness Programs, W-2 Reporting of Employer Provided Health Coverage, Employer Plan Minimum Value & The Premium Tax Credit And Other ACA & Other Federal Health Plan Mandates;
Key Changes To HIPAA Privacy Regulations & What Health Plans & Employers Should Expect To Be Required To Do To Comply With These Changes By the September, 2013 Deadline;
What’s Happened, Happening & Likely To Happen With Exchanges;
A 12-Step Practical Process For Helping Employers Managing ACA & Other Health Plan Compliance Responsibilities & Risks; and
Tips On What To Watch For And Options For Maintaining Flexibility To Respond To Evolving Rules; and
Answer Common Questions That Health Plan Sponsors and Administrators Are Struggling With Submitted By Audience Members

Registrants are encouraged to help shape the program to reflect their questions and concerns by e-mailing their proposed questions prior to the program to cstamer@solutionslawyer.net. The program’s educational* discussion will be tailored taking into account this input with significant time set aside to share practical information and possible approaches for addressing questions and concerns of shared concern identified from this audience input.

About Ms. Stamer

A Fellow in the American College of Employee Benefits Counsel, the American Bar Association & the State Bar of Texas, recognized in International Who’s Who, and Board Certified in Labor & Employment Law, Cynthia Marcotte Stamer is nationally and internationally recognized for her extensive and highly practical, solutions-oriented health plan work, advocacy, publications, programs and leadership.

For more than 25 years, Ms. Stamer has advised and represented private and public employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governments and others on health and other employee benefit, employment, insurance and health care compliance, risk management, public policy, administration and defense. Throughout her career, Ms. Stamer has worked extensively with employer and other health plan sponsors, insurers, plan administrators and other service providers, outsourcers and others to develop innovative health benefit programs and solutions and to document, administer and defend those arrangements in the mist of rising costs, evolving regulations and changing markets.

A primary drafter of the Bolivian Social Security privatization law with extensive regulatory and public policy experience, Ms. Stamer has been involved domestically and internationally as an advocate and advisor on health care, pension and Social Security, workforce and insurance reform and regulation. She presently serves as the scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights. She also represents clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators.

Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits Group, Ms. Stamer presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee; Vice Chair of the ABA TIPS Employee Benefit Committee; as a Council Representative of the ABA Joint Committee on Employee Benefits; an Editorial Advisory Board Member for the Institute of Human Resources (IHR/HR.com), Employee Benefit News and Insurance Thought Leadership; Editor and Publisher of various Solutions Law Press, Inc. publications, and previously served on the Editorial Advisor Board of the the BNA Employee Benefits CD-Rolm.

A popular and prolific author and speaker, Ms. Stamer’s Solutions Law Press, Inc. HR & Benefits Update publication was recognized as one of the Top 50 Human Resources Blogs To Watch in 2012. Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training on employee benefits, human resources and related topics for the ABA, Aspen Publishers, the Bureau of National Affairs (BNA), SHRM, World At Work, Government Institutes, Inc., the Society of Professional Benefits Administrators and many other organizations. She also regularly serves on the faculty and planning committees of a multitude of symposium and other educational programs. For more details about Ms. Stamer’s services, experience, presentations, publications, and other credentials or to inquire about arranging counseling, training or presentations or other services by Ms. Stamer, see www.CynthiaStamer.com.

* Registrants are reminded that this discussion is provided for general information and educational purposes. Accordingly, registrants are reminded that the discussion does not constitute legal advice, a substitute for legal advice or establish an attorney-client or other professional relationship.

About Solutions Law Press, Inc.™

Comments Off on Hear Stamer Speak On “Coping With Health Care Reform Now” At 2/14 Dallas ICEBS Meeting | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

OCR Publishes Long-Anticipated Omnibus Restatement of HIPAA Privacy, Security, Breach Notification & Enforcement Rules

January 17, 2013

Health plans, their employer or other sponsors, insurers, fiduciaries, administrative service providers and other business associates have a lot of work to do.

Health plans, health care clearinghouses and their business associates will need to review and update their policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the omnibus restatement of the Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”) of its of its regulations (the “2013 Regulations”) implementing the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rulemaking announced January 17, 2013 may be viewed here.

The 2013 Regulations Overview

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) restrict and safeguard individually identifiable health care information (“PHI”) of individuals and afford other protections to individuals that are the subject of that information. The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that OCR found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

Among other things, the 2013 Regulations:

Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the manner required by the 2013 Regulations;
Update OCR’s rules about the individual rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.

Liability & Enforcement Risks Heighten Need To Act To Review & Update Policies & Practices

The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks. OCR even prior to the regulations has aggressively investigated and enforced the HIPAA requirements.

The commitment of OCR to enforcement most recently was demonstrated by its recent settlement with Hospice of North Idaho (HONI). On January 2, 2013, OCR announced HONI will pay OCR $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The HONI settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals.

While the HONI settlement marks the first settlement on a small breach, this is not the first time OCR has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a Laptop, storage device or other computer device. Rather, OCR continues to rollout a growing list of enforcement actions demonstrating the potential risks of HIPAA violations are significant and growing. OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.

Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable. In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

About Solutions Law Press, Inc.™

Comments Off on OCR Publishes Long-Anticipated Omnibus Restatement of HIPAA Privacy, Security, Breach Notification & Enforcement Rules | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

IRS Offers New Simplified Option For Businesses Claiming Home Office Deductions For Home-Based Business Owners & Workers

January 16, 2013

IRS Says Eligible Home-Based Businesses May Deduct up to $1,500; Saves Taxpayers 1.6 Million Hours A Year

The Internal Revenue Service (IRS) has announced a simplified option that many owners of home-based businesses and some home-based workers may use to figure their deductions for the business use of their homes.

In tax year 2010, the most recent year for which figures are available, nearly 3.4 million taxpayers claimed deductions for business use of a home (commonly referred to as the home office deduction).

The new optional deduction, capped at $1,500 per year based on $5 a square foot for up to 300 square feet, will reduce the paperwork and recordkeeping burden on small businesses by an estimated 1.6 million hours annually.

“This is a common-sense rule to provide taxpayers an easier way to calculate and claim the home office deduction,” said Acting IRS Commissioner Steven T. Miller. “The IRS continues to look for similar ways to combat complexity and encourages people to look at this option as they consider tax planning in 2013.”

The new option provides eligible taxpayers an easier path to claiming the home office deduction. Currently, the IRS generally requires a home-based business to fill out a 43-line form (Form 8829) often with complex calculations of allocated expenses, depreciation and carryovers of unused deductions. Taxpayers claiming the optional deduction will complete a significantly simplified form.

Though homeowners using the new option cannot depreciate the portion of their home used in a trade or business, they can claim allowable mortgage interest, real estate taxes and casualty losses on the home as itemized deductions on Schedule A. These deductions need not be allocated between personal and business use, as is required under the regular method.

Business expenses unrelated to the home, such as advertising, supplies and wages paid to employees are still fully deductible.

Current restrictions on the home office deduction, such as the requirement that a home office must be used regularly and exclusively for business and the limit tied to the income derived from the particular business, still apply under the new option.

The new simplified option is available starting with the 2013 return most taxpayers file early in 2014. Further details on the new option can be found in Revenue Procedure 2013-13, posted on IRS.gov. Revenue Procedure 2013-13 is effective for taxable years beginning on or after January 1, 2013, and the IRS welcomes public comment on this new option to improve it for tax year 2014 and later years. There are three ways to submit comments.

E-mail to: Notice.Comments@irscounsel.treas.gov. Include “Rev. Proc. 2013-13” in the subject line.
Mail to: Internal Revenue Service, CC:PA:LPD:PR (Rev. Proc. 2013-13), Room 5203, P.O. Box 7604, Ben Franklin Station, Washington, DC 20044.
Hand deliver to: CC:PA:LPD:PR (Rev. Proc. 2013-13), Courier’s Desk, Internal Revenue Service, 1111 Constitution Avenue NW, Washington, DC, between 8 a.m. and 4 p.m., Monday through Friday.

The deadline for comment is April 15, 2013.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with these or other health benefit or other human resources, employee benefit, insurance, compensation or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of leading edge experience helping employers; health and other employee benefit plans and their sponsors, administrators, fiduciaries; TPAs, insurers, governments, employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit and management policies and practices. Her experience includes extensive work representing advising these and other clients, governmental bodies, insurance and financial services organizations, third party administrators and others to develop, design, defend and administer creative health, disability, severance and other employee benefit and compensation arrangements, products and services. She also helps these and other clients monitor, address and respond to federal, state, and international health care and insurance and other regulatory, legislative, audit and enforcement developments. Ms. Stamer has worked, extensively on these and other workforce and performance related matters. In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally. A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly. Ms. Stamer regularly works with agencies, publishes and speaks extensively on human resources and employee benefits, medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her HIPAA and other experience here.

If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assists businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on IRS Offers New Simplified Option For Businesses Claiming Home Office Deductions For Home-Based Business Owners & Workers | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

IRS Announces Cost of Living & American Taxpayer Relief Act Income Tax Adjustments

January 16, 2013

Revenue Procedure 2013-15 provides the 2013 cost-of-living adjustments for inflation for certain items. The guidance includes adjustments to the tax tables, including items whose values were specified in the American Taxpayer Relief Act of 2012 (ATRA), such as:

The beginning of the 39.6% income tax brackets;
The beginning income levels for the limitation on certain itemized deductions; and
The beginning income levels for the phaseout of the personal exemptions[

In addition Revenue Procedure 2013-5 modifies Revenue Procedure 2011-52 to reflect an amendment to section 132(f)(2) made by ATRA concerning qualified transportation fringe benefits. Specifically, for 2012, the monthly limitation regarding the aggregate fringe benefit exclusion amount for transit passes and transportation in a commuter highway vehicle is $240.

Revenue Procedure 2013-15 will be published in Internal Revenue Bulletin 2013-5 on January 28, 2013.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

About Solutions Law Press, Inc.™

About Solutions Law Press, Inc.™

Comments Off on IRS Announces Cost of Living & American Taxpayer Relief Act Income Tax Adjustments | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Tax-Related ID Theft Growing Problem For IRS, Taxpayers

January 14, 2013

Employers and others collecting, retaining or reporting employee or other tax identification numbers or other sensitive information for tax withholding or reporting purposes should take appropriate steps to protect that information against possible identity theft or other misuse.

The wealth of sensitive personal identification information and financial records makes tax records a highly attractive source of data for identity thieves. According to the Internal Revenue Service (IRS), tax-related identity theft incidents have risen significantly in recent years. Identity theft case receipts increased by more than 650 percent from FY 2008 to FY 2012. At the end of FY 2012, the IRS had almost 650,000 identity-theft cases in its inventory servicewide. The IRS reports the problem has grown worse as organized criminal actors have found ways to steal the Social Security numbers (SSNs) of taxpayers, file tax returns using those taxpayers’ names and SSNs, and obtain fraudulent tax refunds. Then, when the real taxpayer files a return claiming the refund, that return is rejected. The impact on victims is significant. More than 75 percent of taxpayers filing returns are due refunds, which average some $3,000 and are not paid until the IRS fully resolves a case.

When the IRS Commissioner testified in 2008 about identity theft before a Senate Finance Committee hearing. he stated: “My overall goal as the IRS Commissioner is that when a taxpayer [who is an identity theft victim] contacts us with an issue or concern, we have in place a seamless process that gets the issue resolved promptly.” Later that year, the IRS established an “Identity Protection Specialized Unit” (or “IPSU”), which was designed to provide centralized assistance to victims of identity theft. The National Taxpayer Advocate supported the commitment to centralized and prompt victim assistance.

Since that time, the IRS has created numerous task forces and other teams in recent years in an attempt to improve its identity theft processes, yet victims still face the same “labyrinth of procedures and drawn-out timeframes for resolution” that they faced five years ago. The IRS is instructing its employees to advise identity theft victims that it will take 180 days – half a year – to resolve their cases. Complicated cases inevitably will take longer. Thus, the IRS’s procedural changes are not providing faster relief.

The report also says the IRS has decided to reverse course and decentralize victim assistance. It recently created specialized units within each of 21 individual functions to work on identity theft cases, apparently under the belief that most identity theft cases involve a single issue that the relevant specialized unit can work most efficiently. The report expresses concern about this backtracking from a centralized approach.

The Taxpayer Advocate Service (TAS) itself handled nearly 55,000 identity theft cases in FY 2012, most of which involved multiple issues that required actions by multiple units. The report expresses concern that creation of 21 specialized units will erode the centralized role of the IPSU, require taxpayers to speak with multiple functions, increase the time it takes to resolve cases, and heighten the risk that some issues may not be addressed.

“Taxpayers need ‘one-stop shopping’ – a single point of contact they can work with to resolve all issues in their cases – and the IRS needs a ‘traffic cop’ to make sure that all units complete their actions and that parts of cases do not fall through the cracks,” Olson said. “And six months is an unacceptable period of time to expect taxpayer-victims to wait. The IRS must do more to provide the prompt and seamless assistance to identity theft victims that Commissioner Shulman promised.”

While the IRS continues to work on protecting taxpayer data against theft and investigating and resolving tax-related identity theft cases, businesses that collect, retain and report employee, contractor or other personal financial information for tax related or other purposes are urged to take steps to protect the data that they collect and retain against identity theft. Since identity theft may begin when a worker misrepresents his or her identity at the commencement of employment, many employers find it beneficial to take reasonable steps to verify the identity and veracity of the documentation that a worker presents when commencing employment. Once data is collected, businesses and others that have access to personal financial information or other data collected for tax purposes need to recognize their responsibility to safeguard that information against improper use and disclosure under the Internal Revenue Code as well as other applicable laws. If confronted with a “no-match” letter from the Social Security Administration or a complaint or other indication that a worker may have misrepresented his or her identity, or another indication of a breach of this data, businesses should contact experienced legal counsel to aid in the proper investigation of these concerns and the resolution of concerns resulting from this investigation. Where appropriate, the business may need to report its concerns to the IRS or advise a worker or other party reporting a likely identity theft of taxpayer information to the TAS or other appropriate officials.

Businesses needing assistance with investigation or mitigation of a potential theft of tax or other sensitive data, see www.cynthiastamer.com or contact attorney Cynthia Marcotte Stamer.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

About Solutions Law Press, Inc.™

About Solutions Law Press, Inc.™

Comments Off on Tax-Related ID Theft Growing Problem For IRS, Taxpayers | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Tax Saver’s Credit Helps Low & Moderate Income Workers Save For Retirement; Possible Tool To Help Boost Their Participation In Employer Plans

January 11, 2013

As part of its continuing effort to boost retirement savings among Americans, the Internal Revenue Service is reminding low- and moderate-income workers to take steps now to save for retirement and earn a special tax credit in 2012 and the years ahead. Employers sponsoring retirement plans where low participation by low- and moderate income workers adversely impacts the ability of the plan to meet applicable nondiscrimination tests may want to consider incorporating information about the availability of the saver’s credit into their plan related communications as an added tool for helping these workers recognize the potential benefits of contributing.

The saver’s credit helps qualifying low to moderate income workers offset part of the first $2,000 workers voluntarily contribute to IRAs and to 401(k) plans and similar workplace retirement programs. Also known as the retirement savings contributions credit, the saver’s credit is available in addition to any other tax savings that apply.

The saver’s credit can be claimed by:

Married couples filing jointly with incomes up to $57,500 in 2012 or $59,000 in 2013;
Heads of Household with incomes up to $43,125 in 2012 or $44,250 in 2013; and
Married individuals filing separately and singles with incomes up to $28,750 in 2012 or $29,500 in 2013.

Eligible workers still have until April 15, 2013 to make qualifying retirement contributions and get the saver’s credit on their 2012 tax return by setting up a new individual retirement arrangement or adding money to an existing IRA. However, elective deferrals (contributions) must be made by the end of the year to a 401(k) plan or similar workplace program, such as a 403(b) plan for employees of public schools and certain tax-exempt organizations, a governmental 457 plan for state or local government employees, and the Thrift Savings Plan for federal employees. Employees who are unable to set aside money for this year may want to schedule their 2013 contributions soon so their employer can begin withholding them in January.

Like other tax credits, the saver’s credit can increase a taxpayer’s refund or reduce the tax owed. Though the maximum saver’s credit is $1,000, $2,000 for married couples, the IRS cautioned that it is often much less and, due in part to the impact of other deductions and credits, may, in fact, be zero for some taxpayers.

A taxpayer’s credit amount is based on his or her filing status, adjusted gross income, tax liability and amount contributed to qualifying retirement programs. Form 8880 is used to claim the saver’s credit, and its instructions have details on figuring the credit correctly.

In tax-year 2010, the most recent year for which complete figures are available, saver’s credits totaling just over $1 billion were claimed on more than 6.1 million individual income tax returns. Saver’s credits claimed on these returns averaged $204 for joint filers, $165 for heads of household and $122 for single filers.

The saver’s credit supplements other tax benefits available to people who set money aside for retirement. For example, most workers may deduct their contributions to a traditional IRA. Though Roth IRA contributions are not deductible, qualifying withdrawals, usually after retirement, are tax-free. Normally, contributions to 401(k) and similar workplace plans are not taxed until withdrawn.

Other special rules that apply to the saver’s credit include the following:

Eligible taxpayers must be at least 18 years of age.
Anyone claimed as a dependent on someone else’s return cannot take the credit.
A student cannot take the credit. A person enrolled as a full-time student during any part of 5 calendar months during the year is considered a student.

Certain retirement plan distributions reduce the contribution amount used to figure the credit. For 2012, this rule applies to distributions received after 2009 and before the due date, including extensions, of the 2012 return. Form 8880 and its instructions have details on making this computation.

Begun in 2002 as a temporary provision, the saver’s credit was made a permanent part of the tax code in legislation enacted in 2006. To help preserve the value of the credit, income limits are now adjusted annually to keep pace with inflation. More information about the credit is on IRS.gov.

For Help or More Information

About Solutions Law Press, Inc.™

About Solutions Law Press, Inc.™

1 Comment | Corporate Compliance, Employers, GINA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Retirement Plans, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Self-Insured Health Plan Sponsors, Health Insurers Brace To Pay New ACA-Imposed Fees

January 10, 2013

Employers and other self-insured group health plan sponsors and health insurers, adjust your budgets and prepare to open up your wallets to pay additional fees mandated by the Patient Protection and Affordable Care Act (“PPACA”).

Self-insured employers and health insurers generally must begin paying a new fee imposed as part of PPACA. PPACA generally requires that health insurance policy issuers and plan sponsors of self-insured health plans pay the new fee for policy and plan years ending on or after October 1, 2012, and before October 1, 2019 or policy and plan years ending on or after October 1, 2012, and before October 1, 2019. July 31, 2013 is the deadline for reporting and payment of the first fee payment required by these provisions.

The Internal Revenue Service (IRS) and Department of Treasury published final regulations (“Regulations”) implementing these new rules on December 6, 2012. These Regulations include many provisions that are likely to come as a surprise to many employer and other health plan sponsors. Health insurers, employers and other sponsors of self-insured health plans and others responsible for their funding and administration need to review these regulations and make other arrangements to budget for and timely report and pay this required fee.

New Fees Help Fund New Patient-Centered Outcomes Research Institute

PPACA amended the Internal Revenue Code (“Code”) to require the new fee to help fund the establishment and operation of the new Patient-Centered Outcomes Research Institute (the ‘‘Institute’’) to be created by PPACA. Congress intends that the Institute will be a private, nonprofit corporation charged with conducting research to help assist patients, clinicians, purchasers, and policy-makers in making informed health decisions by advancing the quality and relevance of evidence-based medicine through the synthesis and dissemination of comparative clinical effectiveness research findings.

PPACA added new Sections 4375, 4376, and 4377 to the Code to provide a funding source for the Trust Fund. These new Code Sections impose require issuers of specified health insurance policies and plan sponsors of applicable self-insured health plans to pay the new fee by July 31, 2012 for each plan year beginning after September 30, 2012 and before October 1, 2019 to fund the Patient-Centered Outcomes Research Trust Fund (the “Trust Fund”), which in turn will help pay the costs of the Institute.

Code Section 4377(c) provides that the fees imposed by sections 4375 and 4376 are treated as taxes for purposes of subtitle F of the Code (sections 6001 through 7874 that set forth the rules of federal tax procedure and administration).

Fee Amount Calculation & Payment

As amended by PPACA, the Code requires that employers sponsoring self-insured group health plans and most health insurers file a return and pay a fee equal to $1 multiplied by the average number of lives covered under the plan or policy by July 31, 2012. The amount of this fee will increase to $2 multiplied by the average number of lives for post-September 30, 2013 plan years. For post-September 30, 2014 plan years, the Code provides for further adjustments in the fee based on increases in the projected per capita amount of National Health Expenditures.

To meet this requirement, health insurers and plan sponsors must file a Form 720, Quarterly Federal Excise Tax Return along with the required payment once a year on or before July 31 of the calendar year following the last day of the policy year or plan year for which the fee is required to report and pay the fee.

Overview of ACA Rules Requiring Payment of Fee

The Code now separately assesses a fee on issuers of health insurance policies and on plan sponsors of self-insured health plans for each policy year ending on or after October 1, 2012 and before October 1, 2019. Code Section 4375 requires payment of a fee by “issuers” of “specified health insurance policies.” Code Section 4376 requires “sponsors” of self-insured health plans to pay a fee.

Each of these Code Sections basically uses the same formula to calculate the required fee owing by a health insurance issuer or a self-insured plan sponsor. The amount of the required fee due on July 31, 2013 for plan years beginning on or before October 1, 2013 will be one dollar multiplied by the average number of lives covered by the policy or plan. The fee due on July 31, 2014 for plan years beginning between October 2, 2013 and October 1, 2014 is set to increase to two dollars multiplied by the average number of lives covered under the policy. For policy or plan years ending on or after October 1, 2014, PPACA provides for additional increases in the required fee based on increases in the projected per capita amount of National Health Expenditures. See Treas. Reg. §§ 46.4375–1; Rejecting arguments that Congress only intended to require that either the insurer or the plan sponsor pay a fee annually, the Regulations construe these requirements as obligating both a self-insured health plans sponsor and an insurer to pay a separate fee annually, even if the fee is assessed upon the same lives.

The Preamble to the Regulations states that a self-insured plan sponsor must pay the fee with respect to arrangements where the plan design layers a self-insured portion of the plan with an insured portion, even though the insurer also must pay the fee with respect to the insured portion.

The fee calculation differs slightly for purposes of determining the fee a self-insured plan sponsor owes versus the fee owed by an insurer. Regardless, however, the Regulations state that for purposes of calculating these numbers, retirees and beneficiaries continuing coverage under the group medical coverage continuation rules generally count. The Preamble to the Regulations states that the IRS views retiree-only plans and COBRA coverage subject to the tax imposed under Code § 4375 and plan sponsors may be required to pay the tax under Code § 4376. Concerning retiree-only coverage, the Preamble states:

Although group health plans that have fewer than two participants who are current employees (such as retiree-only plans) are excluded from the requirements of Code chapter 100 (setting forth requirements applicable to group health plans such as portability, nondiscrimination, and market reform requirements), this exclusion does not apply to Code §§ 4375 and 4376 because these sections are in chapter 34; and
For self-insured arrangements, Code § 4376(c)(2)(A) states explicitly that an applicable self-insured health plan includes a plan established or maintained by one or more employers for the benefit of their employees or former employees.

Section 4376 Fee For Self-Insured Plan Sponsors

Applicability of Code Section 4376 Fee To Self-Insured Health Plans. The fee under Code Section 4376 applies to the plan sponsor of an applicable self-insured health plan.

Section 4376(c) defines an applicable self-insured health plan as any plan for providing accident or health coverage if any portion of the coverage is provided other than through an insurance policy, and the plan is established or maintained by either:

One or more employers for the benefit of their employees or former employees;
One or more employee organizations for the benefit of their members or former members;
Jointly by one or more employers and one or more employee organizations for the benefit of employees or former employees;
By a voluntary employees’ beneficiary association described in Code Section 501(c)(9); or
By any organization described in section 501(c)(6), or (6) if not previously described, by a multiple employer welfare arrangement (as defined in section 3(40) of the Employee Retirement Income Security Act (“ERISA”), a rural electric cooperative under ERISA Section 3(40)(B)(iv), or a rural telephone cooperative association under ERISA Section 3(40)(B)(v). See Code § 4376; Regulation §46.4376–1(a), (b)(1).

Code Section 4376(b)(1) requires that the plan sponsor of a self-insured health plan pay the required fee for self-insured health plans imposed by Section 4376(a). For this purpose, Code Section 4376(b)(2) defines a plan sponsor as:

The employer in the case of a plan established or maintained by a single employer;
The employee organization in the case of a plan established or maintained by an employee organization;
The association, committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan in the case of: (1) a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations; (2) a multiple employer welfare arrangement; or (3) a voluntary employees’ beneficiary association described in Code Section 501(c)(9); or
The cooperative or association that establishes the plan in the case of a plan established or maintained by a rural electric cooperative or rural telephone cooperative association within the meaning of ERISA.

Regulation § 46.4376-2(b)(2) defines plan sponsor to mean the following:

The employer for a self-insured health plan established or maintained by a single employer;
The employee organization for a self-insured health plan established or maintained by an employee organization;
The joint board of trustees for a multiemployer plan within the meaning of Code §414(f));
The committee, in the case of a multiple employer welfare arrangement within the meaning of Section 3(40) of the Employee Retirement Income Security Act (“ERISA”);
The cooperative or association that establishes or maintains an applicable self-insured health plan established or maintained by a rural electric cooperative under ERISA § 3(40)(B)(iv) or rural cooperative association under ERISA 3(40)(B)(v);
The trustee, in the case of an applicable self-insured health plan established or maintained by a voluntary employees’ beneficiary association under Code § 501(c)(9) not merely serving as a funding vehicle for a plan that is established or maintained by an employer or other person;
In the case of an applicable self-insured health plan the plan sponsor of which is not previously described, the person identified by the terms of the document under which the plan is operated as the plan sponsor, or the person designated by the terms of the document under which the plan is operated as the plan sponsor for Code § 4376 purposes, provided that designation is made in writing, and that person has consented to the designation in writing, by no later than the date by which the return paying the fee under section 4376 for that plan year is required to be filed, after which date that designation for that plan year may not be changed or revoked, and provided further that a person may be designated as the plan sponsor only if the person is one of the persons establishing or maintaining the plan (for example, one of the employers that establishes or maintains the plan with one or more other employers or employee organizations); or
Where an applicable self-insured health plan sponsor is not previously and for which no identification or designation of a plan sponsor has been made under the prior paragraph the plan sponsor means, each employer that establishes or maintains the plan with respect to employees of that employer, each employee organization that establishes or maintains the plan with respect to members of that employee organization, and each board of trustees, cooperative, or association that establishes or maintains the plan.

While the fee will impact most health insurance policies and self-insured plans, the Code does exempt a few arrangements. See Code § 4376. Regulation § 46.4376-1(b)(2) construes these exemptions to include the following categories of programs:

A plan that provides benefits substantially all of which are excepted benefits for purposes of the HIPAA Portability Rules under Code § 9832(c). Pursuant to this provision, for instance, the Regulations state that a health flexible spending arrangement (health FSA) under Code § 106(c)(2)) that satisfies the requirements to be treated as an excepted benefit under Code § 9832(c) and Regulation § 54.9831–1(c)(3)(v) is not an applicable self-insured health plan. However, a health FSA that is not treated as an excepted benefit under Code § 9832(c) and Regulation § 54.9831–1(c)(3)(v) is an applicable self-insured health plan.
An employee assistance program, disease management program, or wellness program if the program does not provide significant benefits in the nature of medical care or treatment.
A plan that, as demonstrated by the facts and circumstances surrounding the adoption and operation of the plan, was designed specifically to cover primarily employees who are working and residing outside the United States (as defined in § 46.4377–1(a)(3)). See Regulation § 46.4376–1(b)(ii).

Where the same plan sponsor maintains multiple self-insured arrangements Regulation § 46.4376(b)(iii) specifies that the employer may treat two or more arrangements established or maintained by the same plan sponsor that provide accident and health coverage other than through an insurance policy and that have the same plan year as a single applicable self-insured health plan for purposes of reporting and calculating the Code § 4376 fee.

Calculation Of Self-Insured Plan Fee Under Code § 4376

Regulation § 46.4376-1 requires that a self-insured plan sponsor determine the number of covered lives for purposes of calculating the fee using on of the following methods:

The actual count method where the plan sponsor adds the totals of lives covered for each day of the plan year and divides that total by the number of days in the plan year;
The snapshot method, the plan sponsor adds the totals of lives covered on a date during the first, second, or third month of each quarter of the plan year (or more dates in each quarter if an equal number of dates is used in each quarter), and divides that total by the number of dates on which a count was made in accordance with rules set forth in the Regulations. For instance, Each date used for the second, third and fourth quarter must be within three days of the date in that quarter that corresponds to the date used for the first quarter, and all dates used must fall within the same plan year. If a plan sponsor uses multiple dates for the first quarter, the plan sponsor must use dates in the second, third, and fourth quarters that correspond to each of the dates used for the first quarter or are within three days of such corresponding dates, and all dates used must fall within the same plan year. The 30th and 31st day of a month are treated as the last day of the month for purposes of determining the corresponding date for any month that has fewer than 31 days. The number of lives covered on a designated date using this method may be determined using either the snapshot factor method or the snapshot count method set forth in the Regulations. In the snapshot factor method, the number of lives covered on a date is equal to the sum of: (1) the number of participants with self-only coverage on that date; plus (2) the number of participants with coverage other than self-only coverage on the date multiplied by 2.35. In the snapshot count method, the number of lives covered on a date equals the actual number of lives covered on the designated date. The plan sponsor must use the same method of calculating the average number of lives covered under the plan consistently for the duration of the plan year. However, a plan sponsor may use a different method from one plan year to the next.
The Form 5500 method, where the plan sponsor determines the average number of lives covered under a plan for a plan year as the result of the sum of the total participants covered at the beginning and the end of the plan year, as reported on the Form 5500 or Form 5500–SF for the applicable self-insured health plan, divided by 2. This method is only available if the Form 5500 is filed by the due date for payment of the fee. This means where a plan administrator extends filing beyond July 31, the plan sponsor cannot use this method.

The Regulations establish a special rule for lives covered solely by the fully-insured options under an applicable self-insured health plan. Under this special rule, when an applicable self-insured health plan provides accident and health coverage through fully insured options and self-insured options, the plan sponsor is permitted to disregard the lives that are covered solely under the fully-insured options in determining the lives covered taken into account for the actual count method, the snapshot method, and the Form 5500 method.

As for insured plans, the Regulations also provide special rules for determining the fee the first year the fee is in effect. Under this rule, for a plan year beginning before July 11, 2012, and ending on or after October 1, 2012, a plan sponsor may determine the average number of lives covered under the plan for the plan year using any reasonable method.

Section 4375 Fee For Insurers

The fee under Code Section 4375 generally applies to issuers of a “specified health insurance policy.” Code Section 4375(c) generally defines a specified health insurance policy as any accident or health insurance policy (including a policy under a group health plan) issued with respect to individuals residing in the United States. Code Section 4377(a)(1) defines accident and health coverage as any coverage that, if provided by an insurance policy, would cause the policy to be a specified health insurance policy under Code Section 4375. See Treas. Reg. § 46.4375–1.

Policies Subject To Fee. Regulation § 46.4377–1(a) defines a “specified health insurance policy” as “any accident and health insurance policy (including a policy under a group health plan) issued with respect to individuals residing in the United States” other than those recognized as exempt by the Regulation. The Regulation makes clear that this includes any policy that provides accident and health coverage to an active employee, former employee, or qualifying beneficiary, as continuation coverage required under the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) or similar continuation coverage under other Federal law or state law.

However Regulation § 46.4377-1(a)(ii) exempts the following arrangements from the definition of a specified health insurance policy.

Any insurance policy if substantially all of its coverage is of excepted benefits described in Code Section 9832(c);
Any group policy issued to an employer where the facts and circumstances show that the group policy was designed and issued specifically to cover primarily employees who are working and residing outside of the United States for purposes of Regulation § 46.4377–1(a)(3);
Any stop loss or indemnity reinsurance policy; or
Any insurance policy to the extent it provides an employee assistance program, disease management program, or wellness program if the program does not provide significant benefits in the nature of medical care or treatment.

Fee Calculation. The amount of the fee an insurer must pay for a policy for a policy year under Code § 4375 is equal to the product of the average number of lives covered under the policy for the policy year, multiplied by the applicable dollar amount for that policy year.

The applicable dollar amount multiplier is $1 for the fee due on October 1, 2013; $2 for the fee due on October 1, 2014, and the adjusted amount for fees due after October 1, 2014.

Determination Of The Average Number Of Lives Covered. To determine the average number of lives covered under a specified health insurance policy during a policy year, the Regulation requires an issuer to use one of the following methods:

The actual count method, where the issuer determines the average number of lives covered under a policy for a policy year under the actual count method by adding the total number of lives covered for each day of the policy year and dividing that total by the number of days in the policy year;
The snapshot method, where the issuer determines the average number of lives covered under a policy for a policy year by adding the totals of lives covered on a date during the first, second, or third month of each quarter (or more dates in each quarter if an equal number of dates is used for each quarter), and dividing that total by the number of dates on which a count is made. Each date used for the second, third and fourth quarters must be within three days of the date in that quarter that corresponds to the date used for the first quarter, and all dates used must be within the same policy year. If an issuer uses multiple dates for the first quarter, the issuer must use dates in the second, third, and fourth quarters that correspond to each of the dates used for the first quarter or are within three days of such corresponding dates, and all dates used must be within the same policy year. The 30th and 31st day of a month are treated as the last day of the month for purposes of determining the corresponding date for any month that has fewer than 31 days (for example, if either March 30 or March 31 is used as a counting date for a calendar year policy, June 30 is the corresponding date for the second quarter);
The member months method, where the issuer determines the average number of lives covered under all policies in effect for a calendar year based on the member months (an amount that equals the sum of the totals of lives covered on prespecified days in each month of the reporting period) reported on the National Association of Insurance Commissioners (“NAIC”) Supplemental Health Care Exhibit filed for that calendar year. Under this method, the average number of lives covered under the policies in effect for the calendar year equals the member months divided by 12; or
The state form method, where an insurer not required to file NAIC annual financial statements may determine the number of lives covered under all policies in effect for the calendar year using a form filed with the issuer’s state of domicile and a method similar to the member months method if the form reports the number of lives covered in the same manner as member months are reported on the NAIC Supplemental Health Care Exhibit. See Regulation § 46.4375–1(c)(2)(i).

Issuers must use the same method of calculating the average number of lives covered under a policy consistently for the duration of the year and must use the same method of computing lives for all policies for which a liability is reported on a Form 720, “Quarterly Federal Excise Tax Return,” for a particular year. Regulation § 46.4375–1(c)(2)(ii). However, the Regulation allows an issuer that determines the average number of lives covered by using the actual count method or the snapshot method to change its method of computing the average lives covered to the snapshot method or actual count method, respectively, provided that the issuer uses the same method for computing the average lives covered for all policies for which a liability is reported on the Form 720 for that year. Regulation § 46.4375–1(c)(2).

The Regulations also impose various other special rules. For instance, the Regulations state that if the issuer elects to determine the average number of lives covered for all policies in effect during a calendar year using the member months method or the state form method, the applicable dollar amount with respect to such issuer’s policies for such calendar year is the applicable dollar amount for policy years ending on December 31 of such calendar year, except that the applicable dollar amount with respect to such an issuer’s policies for calendar year 2019 is the applicable dollar amount for policy years ending on September 30, 2019. The Regulations provide various examples of these calculations to illustrate the rules.

The Regulations also provide special rules for the first year and the last year the fee is in effect for an insurer. See Regulation § § 46.4375–1(c).

Plans, Insurers Should Evaluate Options, Plan To Pay Required Fees

The impending obligation provides yet another reason that employers and other self-insured plan sponsors, administrators, insurers, and vendors should re-evaluate their existing health plan designs and costs. Most health insurers and self-insured health plan sponsors will want not only to budget for the impending additional costs associated with these fees, but also evaluate options for mitigating their impact, as well as the costs and administrative burden of tracking and making the required filings. For instance, insurers and plan sponsors of programs subject to these new fees generally will want to evaluate which of the options for collecting the data and calculating the fees will most benefit them. Also, where plan designs used by particular employer or other plan sponsors include both insured and self-insured features, the insurer, plan sponsor and their advisors may want to consider the advisability of restructuring or redesigning plans to mitigate fees or administrative or other expenses. In all cases, parties should audit their programs to ensure that each program and its element is identified and properly taken into account to avoid inadvertent oversights resulting in penalties or other avoidable costs.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

About Solutions Law Press, Inc.™

About Solutions Law Press, Inc.™

Comments Off on Self-Insured Health Plan Sponsors, Health Insurers Brace To Pay New ACA-Imposed Fees | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

1st OCR Small HIPAA Breach Settlement Shows Plans, Other Covered Entities At Risk From Small Breach Reports Too

January 3, 2013

$50K Settlement Shows Small Breach Reports Carry Enforcement Risk

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums! That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

In announcing the settlement against HONI, OCR sent a clear message that OCR stands ready to penalize these health care providers, health plans, healthcare clearinghouses and their businesses associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

OCR Director Leon Rodriguez reiterated OCR’s expectation that covered entities will properly encrypt ePHI on mobile or other devices in OCR’s announcement of the HONI settlement. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In light of this latest clear warning, health plans and their fiduciaries, sponsors and administrators, health care providers, health care clearinghouses and their business associates should review plans, practices and data security as affecting ePHI and other protected health information on mobile and other devices.

HONI Settlement For Small Breach Notification

On January 2, 2013, OCR announced HONI will pay OCR $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The HONI settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

OCR opened an investigation after HONI reported to HHS that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. HONI team members regularly use Laptops containing ePHI their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

HIPAA Security & Breach Notification For ePHI

The HONI settlement is notable because it marks the first time OCR has sanctioned a covered entity as a result of an OCR investigation stemming from the covered entity’s report of a breach of unsecured protected health information involving fewer than 500 individuals under new breach notification rules added to HIPAA in 2009.

Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis. Since the Breach Notification Rule took effect, OCR’s announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, OCR has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

While the HONI settlement marks the first settlement on a small breach, this is not the first time OCR has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a Laptop, storage device or other computer device. In fact, OCR’s first resolution agreement – reached before Congress added the HIPAA Breach Notification Rules to HIPAA – stemmed from such a breach. Providence To Pay $100000 & Implement Other Safeguards. Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect including breaches of ePHI involving compromised health plan information. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the HONI settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if additional steps are necessary or advisable.

New OCR HIPAA Mobile Device Educational Tool

While OCR enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of OCR.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here. For more information on HIPAA compliance and risk management tips, see here.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

About Solutions Law Press, Inc.™

About Solutions Law Press, Inc.™

1 Comment | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: Backpay, Employer, Employment, employment law, Fair Labor Standards Act, FSLA, IT, Labor Department, Minimum Wage, Technology, Wage & Hour, wage and hour, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

New OCR HIPAA De-Identification Guidance Among Developments Covered In 12/12 HIPAA Update Web Workshop

November 27, 2012

Get Up To Date On Details of New De-Identification Guidance & Other HIPAA Developments By Participating In 12/12 HIPAA Update Web Workshop

Health care providers, health plans, health care clearinghouses (covered entities) and their business associates and leadership should check and update their policies and practices for the de-identification of protected health information (PHI) in light of newly-released Guidance Regarding Methods for De-identification of Protected Health Information in Accordance With the Health Insurance Portability and Accountablity Act (HIPAA) Privacy Rule (Guidance) released by the Department of Health & Human Services (HHS) Office of Civil Rights yesterday (November 26, 2012).

Solutions Law Press, Inc. will host a one-hour, online HIPAA Update Workshop on the Guidance and other recent regulatory and enforcement developments under HIPAA for covered entities and their business associates on Wednesday, December 12 beginning at Noon Central Time. To register, see here.

PHI collected by health care providers, health plans, their management, sponsors, and vendors often includes a wealth of information valuable for use for functions unrelated to the HIPAA-covered functions and activities that leads covered entities or their business associates to collect or keep this data. While it might be tempting to repurpose this information for business planning and marketing purposes, covered entities and their business partners or associates frequently assume that covered entities and others that they deal with must take proper steps to that no PHI is used, accessed, disclosed or shared unless that action is allowed under the Privacy Rules, properly de-identified, or both.

When planning to rely upon the de-identification of PHI to engage in these activities, parties planning to rely upon HIPAA’s exception for de-identified PHI will want to consult new guidance just released by OCR about the de-identification requirements before moving forward. Existing Privacy Rules and the Guidance recognize two alternative methods that covered entities and their business can use to properly de-identify PHI for purposes of the HIPAA Privacy Rule.

OCR published the Guidance to help covered entities to understand what qualifies as de-identification, the general process by which de-identified information is created, and the options available for performing de-identification for purposes of the HIPAA Privacy Rule. The publication of this guidance was mandated as part of amendments to HIPAA enacted by Health Information Technology for Economic and Clinical Health (HITECH) Act included in the American Recovery and Reinvestment Act of 2009 (ARRA). Section 13424(c) of the HITECH Act requires the HHS to issue guidance on how best to implement the requirements for the de-identification of health information contained in the Privacy Rule.

De-identification & Its Rationale Under Privacy Rule

The Privacy Rule was designed to protect individually identifiable health information through permitting only certain uses and disclosures of PHI provided by the Rule, or as authorized by the individual subject of the information. However, in recognition of the potential utility of health information even when it is not individually identifiable, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in Privacy Rule §164.514(a)-(b). These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual provided the Covered Entity can show that the PHI has been de-identified in accordance with either the Expert Determination Method or the Safe Harbor Method of the de-identification standard of the Privacy Rule and is not re-identified. Regardless of the method used to de-identify PHI, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered PHI and is not re-identified.

Privacy Rule De-Identification Implementation Standards Permit Alternative Methods of De-identification

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. See Privacy Rule § 164.514.

Sections 164.514(b) and (c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. As summarized in Figure 1, the Privacy Rule provides two methods by which health information can be designated as de-identified:

The formal determination by a qualified expert in accordance with the Privacy Rule (Expert Determination Method); or
The removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (Safe Harbor Method).

In order for PHI to qualify as de-identified under the “Expert Determination Method, Privacy Rule § 164.514(b)(1) requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
Documents the methods and results of the analysis that justify such determination.

Alternatively, Privacy Rule § 164.514(b)(2) provides that PHI will qualify as de-identified under the Safe Harbor Method if:

All of an extensive list of identifiers of the individual or of relatives, employers, or household members of the individual, are removed from the data; and
The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

As long as the data is not re-identified, the Guidance indicates that a covered entity may prove fulfillment of the de-identification standard of Privacy Rule §164.514(a) by showing satisfaction of all applicable requirements of either method. Under the Privacy Rule, de-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI. Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances. Consequently, covered entities may wish to select de-identification strategies that minimize such loss.

Both alternatives for de-identification under the Privacy Rule require that covered entities and their business associates decide whether and how to keep the option for re-identification of PHI slated for de-identification and where applicable, appropriately manage the re-identification opportunity and data to avoid violation of the Privacy Rule.

According to the Privacy Rule, if a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI. Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI. In this regard, Privacy Rule §164.514(c) specifies that if the covered entity assigns a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, themeans of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; it can’t use elements of the protected PHI as the re-identification key,must safeguard the key, and can’t use or disclose the key or other re-identification tool for any other purpose.

Preparing For, Guiding & Documenting The De-identification Process For Defensibility

The Guidance stresses that importance of documentation for which values in health data correspond to PHI, as well as the systems that manage PHI and its risk of identification or re-identification in the de-identification process cannot be overstated.

The Guidance provides guidance to help guide covered entities and their business associates through the steps and analysis of using the Expert Determination versus Safe Harbor Method. A review of this Guidance makes clear that the design and administration of the de-identification process under either method requires careful and well-documented planning, analysis and implementation to fulfill and to keep the documentation that a covered entity or business associate might need to defend its decision to treat and use PHI as de-identified under the Privacy Rule against a potential audit or enforcement inquiry. The Guidance also seeks to further illuminate the requirements for effective de-identification through a series of questions and answers, supplemented by work flow and other charts, examples and other illustrations and tips on the proper use of each alternative Method and managing risks and the process associated with that Method. A Glossary of Terms also is shared. The discussion in the Guidance makes clear that covered entities and their businesses associates using either Method to de-identify PHI should be prepared to make a number of judgments about which Method to use, whether and how to make arrangements for re-identification, and how to properly manage the process to meet the requirements of the implementation standard and manage re-identification or other risks.

Register For 12/12 HIPAA Update Web Workshop To Catch Up On De-Identification Guidance & Other HIPAA & Texas HIPAA Regulatory & Enforcement Developments

Training and compliance mandates applicable to covered entities and their business associates under the newly strengthened Texas HIPAA law and HIPAA’s Privacy and Breach Notification Rules make it more important than ever that covered entities and their business associates get the timely training and other assistance needed to properly comply with requirements for the protection of PHI under the new Guidance and other HIPAA and Texas HIPAA mandates.

To aid in this process, Solutions Law Press, Inc. will host a 2012 HIPAA Update Web Workshop covering the new Guidance on de-identification and other regulatory and enforcement developments under HIPAA and the newly amended Texas HIPAA law on December 12, 2012 from 1:00 P.M.-2:00 P.M. Eastern | Noon – 1:00 P.M. Central | 11:00 A.M-Noon Mountain | 10:00A.M-11:00 A.M. Pacific Time.

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates conduct training and take other steps to protect the privacy and security of PHI.

Complete HIPAA Training While You Catch Up On The Latest On HIPAA & Texas Medical Records Privacy Rules & Get Helpful Compliance And Risk Management Tips!

Health care providers, health plans, health care clearinghouses face new imperatives to strengthen their HIPAA and other procedures for handling protected health information and other sensitive information to manage expanding risks and responsibilities arising from evolving rules, expanding enforcement and oversight, and rising penalties and other liabilities.

The $4.3 million HIPAA Civil Monetary Penalty and growing list of $1 million plus resolution payments announced by the Office of Civil Rights coupled with its commitment to investigate all large breaches reported under the HITECH Act Breach Notification Rule and other stepped up enforcement and newly initiated audit activities send a clear signal that HIPAA-covered entities and their business associates face significant exposures for failing to appropriately manage their HIPAA and other responsibilities when handling protected health information. Meanwhile, Texas House Bill 300 has raised maximum state civil penalties for unlawful disclosures of Protected Health Information under the Texas Medical Records Privacy Act to from $5,000 to $1.5 million per year. Meanwhile HITECH Act amendments to HIPAA require covered entities provide notification of certain breaches while Texas House Bill 300 adds its own specific requirements to provide notice of certain breaches of computerized data containing sensitive personal information.

With Texas House Bill 300 expanding covered entities responsibilities and liabilities and OCR issuing new regulations and other guidance to implement amendments to the HIPAA Privacy & Security Standards and implement and enforce the HITECH Act Breach Notification Rule, health care providers, health plans and insurers, their brokers, third-party administrators, and other covered entities, as well as their business associates and employer and union clients must review and tighten their policies, practices, business associate and other contracts, and enforcement to manage HIPAA and other compliance and manage risks arising from the access, collection, use, protection and disclosure of PHI to meet expanding mandates and to guard against growing liability exposures under HIPAA and other federal and state laws.

Solutions Law Press, Inc. invites you to catch up on the latest on these and other key HIPAA requirements and enforcement and learn tips for managing risks and liabilities by participating in the “HIPAA Update Workshop” on Wednesday, December 12, 2012 via WebEx for a registration fee of $125.00.

Pre-approved for various types of continuing and professional education credit, the December 12, 2012 HIPAA Update Workshop will brief participants on the De-Identification Guidance as well as the latest on other regulatory and enforcement guidance under the HIPAA Privacy, Security and Breach Notification rules and guidance and share compliance and risk management lessons emerging from recent OCR enforcement and audit activities and other selected federal and state litigation and enforcement actions impacting the handling of protected health information. Among other things, the workshop will cover:

The De-Identification Guidance just released by OCR on November 26, 2012;
The latest HIPAA Privacy, Security & Breach Notification Guidance, Audits & Enforcement
Highlights Texas House Bill’s Amendments To Texas Medical Records Privacy Law That Took Effect September 1, 2012
Post HITECH Act Heightened Liability Risks: Audits, Civil Penalties, Criminal Penalties & State Lawsuits
Expansion of HIPAA Responsibilities & Liabilities To Business Associates & What Covered Entities & Business Associates Should Do In Response
HIPAA Data Breach Notification Requirements
Practical Challenges & Strategies For Managing These Responsibilities
Tips For Coordinating HIPAA & Other Federal & State Medical Privacy, Financial Information, Identity Theft & Date Security Compliance and Risk Management
Practical Strategies For Monitoring & Responding To New Requirements & Changing Rules
Participant Questions

About The Speaker

The workshop will be conducted by attorney Cynthia Marcotte Stamer. A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, North Texas Health Care Compliance Professionals Association Vice-President and Board Certified in Labor & Employment Law, attorney Cynthia Marcotte Stamer has 25 years experience advising and representing private and public health care providers, employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on privacy and data security, health care, health and other employee benefit. employment, insurance and related matters. A well-known and prolific author and popular speaker, Ms. Stamer has worked extensively with heath care providers, health plans and other payers, health and insurance IT and data systems, and others on HIPAA and other privacy and data security concerns. She served as the scrivener for the ABA JCEB Agency Meetings with the Office of Civil Rights on HIPAA Privacy for the past two years. She presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com) and Employee Benefit News, and various other publications. A primary drafter of the Bolivian Social Security privatization law with extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with OCR and other HHS agencies, as well as the Departments of Labor, Treasury, Federal Trade Commission, HUD and Justice, Congress and state legislatures, and various state attorneys general, insurance, labor, worker’s compensation, medical licensure and disciplinary and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training on HIPAA and other privacy, health care, employee benefits, human resources, insurance and related topics for the ABA, Aspen Publishers, the Bureau of National Affairs (BNA), SHRM, World At Work, Government Institutes, Inc., the Society of Professional Benefits Administrators and many other organizations. Her insights on privacy and other matters are quoted in Modern Healthcare, HealthLeaders, Benefits, Caring for the Elderly, The Wall Street Journal and many other publications. She also regularly serves on the faculty and planning committees of a multitude of symposium and other educational programs. For more details about Ms. Stamer’s services, experience, presentations, publications, and other credentials or to ask about arranging counseling, training or presentations or other services by Ms. Stamer, see www.CynthiaStamer.com.

Registration

The Registration Fee is $125.00 per person. Registration Fee Discounts available for groups of three or more. Pre-payment required via website registration required via website PayPal. No checks or cash accepted. Persons not registered at least 48 hours in advance will only participate subject to system and space availability.

Continuing Education Credit

The HIPAA Update Workshop is approved to be offered for general certification credit by the State Bar of Texas, Texas Department of Insurance, HRCI and WorldAtWork education credit for the time period offered subject to fulfillment all applicable accrediting agency requirements, completion of required procedures. Note that the applicable credentialing agency retain the final authority to determine whether an individual qualifies to receive requested continuing education credit. Neither Solutions Law Press, Inc., the speaker or any of their related parties guarantees the approval of credit for any individual or has any liability for any denial of credit. Special fees or other conditions may apply. CANCELLATION & REFUND POLICY: In order to receive credit, cancellation (either fax or mail) must be received at least 48 hours in advance of the meeting and are subject to a $10.00 refund processing fee. Refunds will be made within 60 days of receipt of written cancellation notice.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

Comments Off on New OCR HIPAA De-Identification Guidance Among Developments Covered In 12/12 HIPAA Update Web Workshop | ADA, Civil Rights, Consumer Protection, Corporate Compliance, Data Security, Disease Management, Drug & Alcohol, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Medicare Part D, Prescription Drugs, Privacy, Wellness Programs | Tagged: compliance, Health Care, Heatlh Plans, HIPAA, PHI, Texas Medical Records Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Employers & Plan Fiduciaries Reminded To Confirm Credentials & Bonding For Internal Staff, Plan Fidiciaries & Vendors Dealing With Benefits

August 13, 2012

Businesses sponsoring employee benefit plans and officers, directors, employees and others acting as fiduciaries with respect to these employee benefit plans should take steps to confirm that all of the appropriate fiduciary bonds required by the Employee Retirement Income Security Act of 1974, as amended (ERISA) are in place, that all employee benefit plans sponsored are appropriately covered, and that all individuals serving in key positions requiring bonding are covered and appropriately qualified to serve in that capacity under ERISA and the terms of the bond. Adequate attention to these concerns not only is a required component of ERISA’s fiduciary compliance, it also may provide invaluable protection if a dishonesty or other fiduciary breach results in a loss or other exposure.

ERISA generally requires that every employee benefit plan fiduciary, as well as every other person who handles funds or other property of a plan (a “plan official”), be bonded if they have some discretionary control over a plan or the assets of a related trust. While some narrow exceptions are available to this bonding requirement, these exceptions are very narrow and apply only if certain narrow criteria are met. Plan sponsors and other plan fiduciaries should take steps to ensure that all of the bonding requirements applicable to their employee benefit plans are met at least annually. Monitoring these compliance obligations is important not only for the 401(k) and other retirement plans typically associated with these requirements, but also for self-insured medical and other ERISA-covered employee benefit plans. This process of credentialing persons involved with the plan and auditing bonding generally should begin with adopting a written policy requiring bonding and verification of credentials and that that appropriate bonds are in place for all internal personnel and outside service providers.

Steps should be taken to ensure that the required fiduciary bonds are secured in sufficient amounts and scope to meet ERISA’s requirements. In addition to confirming the existence and amount of the fiduciary bonds, plan sponsors and fiduciaries should confirm that each employee plan for which bonding is required is listed in the bond and that the bond covers all individuals or organizations that ERISA requires to be bonded. For this purpose, the review should verify the sufficiency and adequacy of bonding in effect for both internal personnel as well as outside service providers. In the case of internal personnel, the adequacy of the bonds should be reviewed annually to ensure that bond amounts are appropriate. Unless a service provider provides a legal opinion that adequately demonstrates that an ERISA bonding exemption applies, plan sponsors and fiduciaries also should require that third party service providers provide proof of appropriate bonding as well as to contract to be bonded in accordance with ERISA and other applicable laws, to provide proof of their bonded status or documentation of their exemption, and to provide notice of events that could impact on their bonded status. When verifying the bonding requirements, it also is a good idea to conduct a criminal background check and other prudent investigation to reconfirm the credentials and suitability of individuals and organizations serving in fiduciary positions or otherwise acting in a capacity covered by ERISA’s bonding requirements. ERISA generally prohibits individuals convicted of certain crimes from serving, and prohibits plan sponsors, fiduciaries or others from knowingly hiring, retaining, employing or otherwise allowing these convicted individuals during or for the 13-year period after the later of the conviction or the end of imprisonment, to serve as:

An administrator, fiduciary, officer, trustee, custodian, counsel, agent, employee, or

representative in any capacity of any employee benefit plan,

A consultant or adviser to an employee benefit plan, including but not limited to any entity whose activities are in whole or substantial part devoted to providing goods or services to any employee benefit plan, or
In any capacity that involves decision-making authority or custody or control of the moneys, funds, assets, or property of any employee benefit plan.

Because ERISA’s bonding and prudent selection of fiduciaries and service provider requirements, breach of its provisions carries all the usual exposures of a fiduciary breach.

Bonding exposures can arise in audit or as part of a broader fiduciary investigation.The likelihood of discovery in an audit or investigation by the Labor Department in the course of an audit is high, as review of bonding is a standard part of audits and investigations. The Employee Benefit Security Administration (EBSA) Enforcement Manual specifies in connection with the conduct of a fiduciary investigation or audit:

… the Investigator/Auditor will ordinarily determine whether a plan is in compliance with the bonding, reporting, and disclosure provisions of ERISA by completing an ERISA Bonding Checklist … These checklists will be filled out in fiduciary cases and retained in the RO workpaper case file unless violations are uncovered, developed, and reported in the ROI.

In the best case scenario, where the bonding noncompliance comes to light in the course of an EBSA audit where no plan loss resulted, the responsible fiduciary generally runs at least a risk that EBSA will assess the 20 percent fiduciary penalty under ERISA Section 502(l). If the bonding lapse comes to light in connection with a fiduciary breach that resulted in damages to the plan by a fiduciary or other party, the bonding insufficiency may be itself a breach of fiduciary duty resulting in injury to the plan and where this breach left the plan unprotected against an act of dishonesty or fiduciary breach by an individual who should have been bonded, may spread liability for the wrongful acts of the wrongdoer to a plan sponsor, member of management or other party serving in a fiduciary role who otherwise would not be liable but for definiciences in the bonding or other credentialing responsibilities.

Under ERISA Section 409, a fiduciary generally is personally liable for injuries to the plan arising from his own breach (such as failure to properly bond) or resulting from breaches of another co-fiduciary who he knew or should have known through prudent exercise of his responsibilities.

Of course, in the most serious cases, such as embezzlement or other criminal acts by a fiduciary of ERISA, the consequences can be quite dire. Knowing or intentional violation of ERISA’s fiduciary responsibilities exposes the guilty fiduciary to fines of up to $10,000, imprisonment for not more than five years, or both. Even where the violation is not knowing or willful, however, allowing disqualified persons to serve in fiduciary roles can have serious consequences such as exposure to Department of Labor penalties and personal liability for breach of fiduciary duty for damages resulting to the plan if it is established that the retention of services was an imprudent engagement of such an individual that caused the loss. When conducting such a background check, care should be taken to comply with the applicable notice and consent requirements for conducting third party conducted background checks under the Fair Credit Reporting Act (FCRA) and otherwise applicable law. As such background investigations generally would be conducted in such a manner as to qualify as a credit check for purposes of the FCRA, conducting background checks in a manner that violates the FCRA credit check requirements itself can be a source of significant liability.

1 Comment | Affordable Care Act, Claims Administration, Corporate Compliance, Employers, ERISA, Excise Tax, Fiduciary Responsibility, Health Plans, Human Resources, Income Tax, Patient Empowerment, Patient Protection and Affordable Care Act, Payroll Tax, Preemption, Privacy, Reporting & Disclosure, Tax, Wellness | Tagged: compliance, Employee Benefits, Employer, Finance, Health Benefits, Health Care Reform, Health Care Reform. Employer, Health Plans, Management, Plan Sponosr, Risk Managment | Permalink
Posted by Cynthia Marcotte Stamer

Federal Mandate That Employer Health Plans Must Cover 100% Of Contraceptive, Other Women’s Health Services With No Cost Sharing Now Effective

August 6, 2012

August 1 Effective Date Of Obama Administration Addition of Contraception & Other Women’s Health Services To Already Lengthy List of Prevention Services Plans Must Cover

Effective August 1, 2012, federal regulators expanded the list of prevention-related services that the Patient Protection & Affordable Care Act (Affordable Care Act) requires that non-grandfathered group health plans cover in-network at no cost to covered persons to include eight more prevention-related health services for women including coverage for the mandate to cover certain contraceptive services that has engendered much debate and opposition from various religious organizations and others.

Employers and other sponsors and insurers of group health plans should review and update their health plan documents, contracts, communications and administration practices to ensure that their health plans and policies appropriately cover these and other prevention-related services that current federal regulations mandate that group health plans (other than grandfathered plans) must cover to comply with the Affordable Care Act.

Non-Grandfathered Health Plans Must Cover Expansive List of Prevention Services

As part of the sweeping reforms enacted by the Affordable Care Act, Congress has mandated that except for certain plans that qualify as “grandfathered,” group health plans and insurers generally must pay for 100% of the cost to cover hundreds of prevention-related health care services for individuals covered under their health plans without any co-payments or other cost-sharing.identified in the services without cost sharing.

Federal regulations have mandated since 2010 that group health plans and insurers provide in-network coverage in accordance with federal regulations implementing the Affordable Care Act’s prevention-related health services mandates for more than 800 prevention-related services listed in regulations originally published in 2009. See Agencies Release Regulations Implementing Affordable Care Act Preventive Care Mandates. The Affordable Care Act gives federal authorities the power to expand or modify this list. Following publication of the original list, the Obama Administration engaged in lengthy discussion considerations about the scope of contraceptive and other women’s health services that would qualify as prevention related services including lengthy discussions and negotiations about mandates to provide contraceptive services viewed as highly controversial by many religious organizations and several other employers. See Affordable Care Act To Require Health Plans Cover Contraception & Other Women’s Health Procedures.

Obama Administration Adds Contraceptive & Other Women’s Health Services To Required List Effective 8/1/2012

The Obama Administration moved forward on its promise to add contraceptive services and a broad list of other women’s health services to the list of prevention-related health services that employer-sponsored health plans must cover without cost to employees despite objections from religious organizations and others that the contraception mandate violates the Constitution’s freedom of religion protections.

The Obama Administration’s announcement earlier this year that it intended to move forward with plans to mandate that group health plans – including those of certain employers affiliated with religious organizations to cover contraceptive counseling and other services as prevention-related services has prompted outcry and legal challenges from a broad range of religious organizations and others. See e.g., University of Notre Dame v. Sebelius; Hercules Industries, Inc. v. Sebelius. On July 27, 2012, a Colorado District Court granted a temporary injunction barring enforcement of the contraceptive coverage mandate against a small, Catholic family-owned business challenging the mandate as a violation of the Constitutional religious freedoms of its owners. See Hercules Industries, Inc. v. Sebelius.

While these and other litigants continue to challenge the contraceptive mandates, Obama Administration officials continue to voice their commitment to standby and enforce the contraceptive and other prevention-related services mandates as implemented by current regulation. Employer and other health plan sponsors and fiduciaries that do not wish to risk exposure for violating these mandates should review and update their health plan documents, summary plan descriptions and other communications, and administrative and other procedures as necessary to comply with the applicable requirements of the regulations.

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices to respond to emerging health plan regulations, monitoring or commenting on these rules, defending your health plan or its administration, or other health or employee benefit, human resources or risk management concerns, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on leading health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information concerning this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

1 Comment | Affordable Care Act, Claims Administration, Corporate Compliance, Employers, ERISA, Excise Tax, Fiduciary Responsibility, Health Plans, Human Resources, Patient Empowerment, Patient Protection and Affordable Care Act, Preemption, Privacy, Reporting & Disclosure, Tax, Wellness | Tagged: compliance, Employee Benefits, Employer, Finance, Health Care Reform. Employer, Health Plans, Management, Mandated Benefits, Plan Sponosr, preventive care, Risk Managment, Women's Health | Permalink
Posted by Cynthia Marcotte Stamer

12 Steps Every Employer With A Health Plan Should Do Now To Manage 2012-14 Health Plan Risks & Liabilities

August 1, 2012

August 1 marked the effective date of yet another Affordable Care Act mandate: the controversial contraceptive coverage and other women’s health preventive coverage benefits mandates. Although many mandates have taken effect over the past two years, few employer plans are adequately updated. Here’s some suggestions about what employers and fiduciaries responsible for group health plan sponsorship or administration and their vendors should do now to manage exposures arising from current Affordable Care Act and other federal health plan rules. Following the Supreme Court’s June 28, 2012 National Federation of Independent Business v. Sebelius ruling, most employers and insurers of employment based group health plans now are bracing to cope with radical changes in their health plan related responsibilities scheduled to take effect in 2014.

While anticipating and preparing to cope with these future changes health plan sponsors, fiduciaries, administrators and advisors need to manage the substantial and growing health plan related costs and liabilities that the sponsorship or administration of an employee health plan between now and 2014 is likely to create for their company and its management. Consequently, while planning for 2014, employers sponsoring health plans and their management, insurers, administrators and vendors must act now to update and administer their group health plans timely to comply with the requirements of the Affordable Care Act and other federal rules that have, or in coming months will, take effect pending the law’s full rollout in 2014.

For most health plans, these steps should include the following:

Know The Cast Of Characters & What Hat(s) (Including You) They Wear & Prudently Select, Contract With & Monitor Them To Manage Risks

Employers and their management rely upon many vendors and advisors and assumptions when making plan design and risk management decisions. Many times, employer and members of their management unknowingly assume significant risk because of misperceptions about these allocations of duties and operational and legal accountability. An correct understanding of these roles and responsibilities is the foundation for knowing where the risks come from, who and to what extent a business or its management can rely upon a vendor or advisor to properly design and administer a health plan or carry out related obligations, what risks cannot be delegated, and how to manage these risks.

Under the Employee Retirement Income Security Act (ERISA), party or parties that exercise discretion or control over health plan administration, funds or certain other matters are generally called “fiduciaries.” Fiduciaries generally are personally liable for prudently and appropriately administering their health plan related responsibilities prudently in accordance with ERISA and other applicable laws and the plan terms. Knowing who is acting as a fiduciary and understanding those duties and liabilities and how to manage these risks significantly affects the exposure that an employer or member of its management risks as a result of an employer’s sponsorship in a group health plan or other employee benefit program. Also, knowing what duties come first and how to prove that the fiduciary did the right thing is critical to managing risks when an individual who has fiduciary responsibilities under ERISA also has other responsibilities in the management of the sponsoring employer, a vendor or elsewhere that carries duties or interests that conflict with his health plan related fiduciary duties.

The plan sponsor or members of its leadership, a service provider or members of their staff generally may be a fiduciary for purposes of ERISA if it either is named as the fiduciary, it functionally exercises the discretion to be considered a fiduciary, or it otherwise has discretionary power over plan administration or other fiduciary matters. Many plan sponsors and their management unwittingly take on liability that they assume rests with an insurer or service provider because the company or members of its management are named as the plan administrator or named fiduciary with regard to duties that the company has hired an insurer or service provider to provide or allowed that service provider to disclaim fiduciary or discretionary status with regard to those responsibilities. Also, by not knowing who the fiduciaries are, plans and their fiduciaries often fail to confirm the eligibility of all parties serving as fiduciaries, to arrange for bonding of service providers or fiduciaries as required to comply with Title I of ERISA. Failing to properly understand when the plan sponsor, member of its management or another party is or could be a fiduciary can create unnecessary and unexpected risks and lead to reliance upon vendors who provide advice but leave the employer holding the bag for resulting liability.

In addition to fiduciary status, employer and other plan sponsors also need to understand the additional responsibilities and exposures that the employer bears as a plan sponsor. Beyond contractual and fiduciary liabilities, federal law increasingly imposes excise tax or other liability for failing to maintain legally compliant plans, file required reports, provide required notifications or fulfill other requirements. The Affordable Care Act, the Internal Revenue Code, the Social Security Act, the Privacy, Security, and Administrative Simplification For instance, the Health Insurance Portability & Accountability Act (HIPAA) and various other federal laws also impose certain health plan related obligations and liabilities on employer or other health plan sponsors and other parties. The Internal Revenue Service interprets Internal Revenue Code § 6039D as obligating employers sponsoring health plans that violate these and certain other federal health plan rules to self-identify, self-report, and self-assess and pay excise and other taxes due under the Internal Revenue Code as a result of this non-compliance. Knowing what everyone’s roles and responsibilities are is a critical first step to properly understanding and managing health plan responsibilities and related risks.

An accurate understanding of the risks and who bears them is critical to understand the risks, opportunities to mitigate risk through effective contracting or other outsourcing, when outsourcing does not effectively transfer risks, where to invest resources for contract, plan or process review and changes or other risk management, and where to expect costs and risks and implement processes and procedures to deal with risks that cannot be outsourced or managed.

Know What Rules Apply To Your Plan, The Sponsoring Employer, The Plan Its Fiduciaries & Plan Related Vendors & How This Impacts You & Your Group Health Plan

The requirements and rules impacting health plans and their liabilities have undergone continuous changes. Amid these changing requirements, health plans, their sponsors, fiduciaries, insurers, and service providers often may not have kept their knowledge, much less their plan documents, summary plan descriptions and other communications, administrative forms and procedures and other materials and practices up to date. These requirements and their compliance and risk management significance may vary depending upon whether the reviewing or regulated party is the plan, its sponsor, fiduciary, insurer or services in some other rules; how the plans are arranged and documented, the risk and indemnification allocations negotiated among the parties, the risk tolerance of the party, and other factors. Proper understanding of these rules and their implications is critical to understand and manage the applicable risks and exposures.

Review & Update Health Plan Documents, SPDs & Other Communications, Administrative Forms & Procedures, Contracts & Processes To Meet Requirements & Manage Exposures

Timely updating written plan documents, communications and administration forms, administrative practices, contracts and other health plan related materials processes and procedures has never been more critical.

Federal law generally requires that health plan be established, maintained and administered in accordance with legally complaint, written plan documents and impose a growing list of standards and requirements governing the design and administration of these programs. In addition, ERISA, the Internal Revenue Code, the Social Security Act, federal eligibility and coverage continuation mandates of laws like the Consolidated Omnibus Budget Reconciliation Act (COBRA), the Health Insurance Portability & Accountability Act, the Family & Medical Leave Act, Michelle’s Law and others require that health plan administrators or sponsors communicate plan terms and other relevant information to participants and beneficiaries.

Failing to update documents, communications, administrative forms and processes and other materials and practices can unleash a host of exposures. Among other things, noncompliant plans, communications and practices can trigger unanticipated costs and liabilities by undermining the ability to administer plan terms and conditions. They also may expose the plan, plan fiduciaries and others to lawsuits, administrative enforcement and sanctions and other enforcement liabilities.

Beyond these exposures, employers who sponsor group health plans that violate certain federal group health plan mandates have a duty to self-report certain regulatory plan failures and pay excise taxes where such failures are not corrected in a timely fashion once discovered, or are due to willful neglect. Internal Revenue Code Section 6039D imposes excise taxes for failure to comply with health care continuation (COBRA) , health plan portability (HIPAA), genetic nondiscrimination (GINA), mental health parity (MHPAEA) , minimum hospital stays for newborns and mothers (Newborns’ and Mothers’ Health Protection Act), coverage of dependent students on medically necessary leaves of absence (Michelle’s Law), health savings account (HSA) and Archer medical savings account (Archer MSA) contribution comparability and various other federal requirements incorporated into the Internal Revenue Code. Since 2010, Internal Revenue Service regulations have required employers sponsoring group health plans not complying with mandates covered by Internal Revenue Code Section 6039D to self-report violations and pay related excise taxes. Under these regulations, the sponsoring employer (or in some cases, the insurer, HMO or third-party administrator) must report health plan compliance failures annually on IRS Form 8928 (“Return of Certain Excise Taxes Under Chapter 43 of the Internal Revenue Code”) and self-assess and pay resulting excise taxes. The potential excise tax liability that can result under these provisions can be significant. For example, COBRA, HIPAA, and GINA violations typically carry excise tax liability of $100 per day per individual affected. Compliance with applicable federal group health plan mandates is critical to avoid these excise taxes as well as other federal group health plan liabilities.

For this purpose of deciding what and how much to do, it is critical to keep in mind the devil is in the details. Not only must the documentation meet all technical mandates, the language, its clarity and specificity, and getting the plan document to match the actual processes that will be used to administer the plan and ensuring that the plan documents and processes match the summary plan description, summary of benefits and coverage, administrative forms and documentation and other plan communications and documentation in a legally compliant way significantly impacts the defensibility of the plan terms and the cost that the plan, its sponsor and fiduciaries can expect to incur to defend it.

Update & Tighten Claims and Appeals Plan & SPD Language, EOBs & Other Notifications, Processes, Contracts & Other Practices For Changing Compliance Requirements & Enhanced Defensibility

Proper health plan claims and appeals plan and summary plan description language, procedures, processing, notification and documentation is critical to maintain defensible claims and appeals decisions required to enforce plan terms and manage claims denial related liabilities and defense costs. Noncompliance with these requirements may prevent health plans from defending their claims or appeals denials, expose the plan administrator and plan fiduciaries involved or responsible for these activities to penalties, prompt unnecessary lawsuits, Labor Department enforcement or both; and drive up plan administration costs.

Unfortunately, most group health plans, their insurers and administrators need to substantially strengthen their plan documentation; handling; timeliness; notifications and other claims denials; and other claims and other appeals processes and documentation to meet existing regulations and otherwise strengthen their defensibility. Among other things, existing court decisions document that many plans existing plan documents, summary plan descriptions and explanations of benefits, claims and appeals investigations and documentation and notifications often need improvement to meet the basic plan document, summary plan description and reasonable claims rules of the plan document, summary plan description, fiduciary responsibility, reasonable claims and appeals procedures of ERISA and its implementing regulations. Court precedent shows that inadequate drafting of these provisions, as well as specific provisions coverage and benefit provisions frequently undermines the defensibility of claims and appeals determinations. In addition to requiring that claims be processed and paid prudently in accordance with the terms of written plan documents, ERISA also requirements that plan fiduciaries decide and administer claims and appeals in accordance with reasonable claims procedures. Although the Labor Department updated its regulations implementing this reasonable claims and appeals procedure requirement more than 10 years ago, the Department of Labor updated its ERISA claims and appeals regulations to include detailed health plan claims and appeals requirements, many group health plans, their administrators and insurers still have not updated their health plans, summary plan descriptions, claims and appeals notification, and claims and appeals procedures to comply with these requirements. The external review and other detailed additional requirements that the Affordable Care Act dictates that group health plans not grandfathered from its provisions and its provisions holding these non-grandfathered plans strictly liable for deficiencies in their claims and appeals procedures makes the need to address inadequacies even more imperative for those non-grandfathered group health plans. Inadequate attention to these concerns can force a plan to pay benefits for claims otherwise not covered as well as other defense costs and penalties.

Consistency Matters: Build Good Plan Design, Documentation & Processes, Then Follow Them.

Defensible health plan administration starts with the building and adopting strong, legally compliant plan terms and processes that are carefully documented and communicated in a prudent, legally compliant way. The next key is to actually use this investment by conducting plan administration and related operations consistent with the terms and allocated responsibilities to administer the plan in a documented, legally compliant and prudent manner. Good documentation and design on the front end should minimize ambiguities in the meaning of the plan and who is responsible for doing what when. With these tools in place, delays and other hiccups that result from confusion about plan terms, how they apply to a particular circumstance or who is responsible for doing what, when should be minimized and much more easily resolved by timely, appropriate action by the proper responsible party. This facilitation of administration and its consistency can do much to enhance the defensibility of the plan and minimize other plan related risks and costs.

Ensure Correct Party Carefully Communicates About Coverage and Claims in Compliant, Timely, Prudent, Provable Manner

Having the proper party respond to claims and inquiries in a compliant, timely, prudent manner is another key element to managing health plan risk and promoting enforceability. Ideally, the party appointed to act as the named fiduciary for purposes of carrying out a particular function also should conduct all plan communications regarding that function in terms that makes clear its role and negates responsibility or authority of others. When an employer or other plan sponsor goes to the trouble to appoint a committee, service provider or other party to serve as the named fiduciary then chooses to communicate about the plan anyway, the Supreme Court in FMC v. Halliday made clear it runs the risk that the plan related communications may be considered discretionary fiduciary conduct for which it may be liable as a functional fiduciary. Meanwhile, these communications by non-fiduciaries also may create binding obligations upon the plan and its named fiduciaries to the extent made by a plan sponsor or conducted by a staff member or service provider performing responsibilities delegated by the plan fiduciary. Beyond expanding the scope of potential fiduciaries, communications conducted by nonfiduciaries also tend to create defensibility for many other reasons. For instance, allowing unauthorized parties to perform plan functions may not comport with the plan terms, and are less likely to create and preserve required documentation and follow procedures necessary to promote enforceability. Also, the communications, decisions and other actions by these non-fiduciary actors also are unlikely to qualify for discretionary review by the courts because grants of discretionary authority, if any in the written plan document to qualify the decisions of the named fiduciary for deferential review by courts typically will not extend to actions by these non-fiduciary parties. Furthermore, the likelihood that the communication or other activity conducted will not comply with the fiduciary responsibility or other requirements governing the performance of the plan related functions is significantly increased when a plan sponsor, service provider, member of management, or other party not who has not been appointed or accepted the appointment act as a named fiduciary undertakes to speak or act because that party very likely does not accept or fully appreciate the potential nature of its actions, the fiduciary and other legal rules applicable to the conduct, and the potential implications for the non-fiduciary actor, the plan and its fiduciaries.

Design and Implement Updated, Properly Secured Payroll, Enrollment, Eligibility and Other Data Collection Features To Meet New Requirements and Prepare For Added Affordable Care Act Data Gathering and Reporting Requirements.

Existing and impending Affordable Care Act mandates require that group health plans, their sponsors collect, maintain and administer is exploding. Existing eligibility mandates, for example, already require that plans have access to a broad range of personal indentifying, personal health and a broad range of other sensitive information about employees and dependents who are or may be eligible for coverage under the plan. While employers and their health plans historically have collected and retained the names, place of residence, family relationships, social security number, and other similar information about employees and their dependents, these data collection, retention and reporting requirements have and will continued to expand dramatically in response to evolving legal requirements. Already, health plans also from time to time need employee earnings, company ownership, employment status, family income, family, medical, military, and school leave information, divorce and child custody, enrollment in Medicare, Medicaid and other coverage and a broad range of other additional information. Under the Affordable Care Act, these data needs will explode to include a whole new range of information about total family income, availability and enrollment in other coverage, cultural and language affiliations, and many other items. Collecting, retaining and deploying this information will be critical to meeting existing and new plan administration and reporting requirements. How this data collection is conducted, shared, safeguarded against misuse or other legally sensitive contact by the employer, service providers, the plan and others will be essential to mitigate exposures to federal employment and other nondiscrimination, HIPAA and other privacy, fiduciary responsibility and other legal risks and obligations. To the extent that payroll providers, third party administrators or other outside service providers will participate in the collection, retention, or use of this data, time also should be set aside both to conduct due diligence about their suitability, as well as to negotiate the necessary contractual arrangements and safeguards to make their involvement appropriate. Finally, given the highly sensitive nature of this data, employers, health plans and others that will collect and use this data will need to implement appropriate safeguards to prevent and monitor for improper use, access or disclosure and to conduct the necessary training to suitably protect this data.

Monitor, Assess Implications & Provide Relevant Input to Regulators About Emerging Requirements & Interpretive Guidance Implementing 2014 Affordable Care Act & Other Mandates.

While the Supreme Court’s decision upholds the constitutionality of the Affordable Care Act’s individual mandates, many opportunities to impact its mandates remain. Beyond the highly visible, continuing and often heated debates ranging in Congress and the court of public opinion concerning whether Congress should modify or repeal its provisions, a plethora of regulatory interpretations issued or impending release by the implementing agencies, the Internal Revenue Service, Department of Health & Human Services, Department of Labor and state insurance regulators will significantly impact what requirements and costs employers, insurers, individuals and governments will bear when the law takes effect. Businesses sponsoring health plans should carefully scrutinize this regulatory guidance and provide meaningful, timely input to Congress, the regulators or both as appropriate to help influence the direction of regulatory or Congressional actions that would materially impact these burdens.

Help Employees & Their Families Build Their Health Care Coping Skills With Training & Supportive Tools

Whether or not your company plans to continue to sponsor employee health coverage after 2014, providing training and tools to help employees and their families strengthen their ability to understand and manage their health, health care needs and benefits can pay big dividends. Beyond the financial costs to employees and employers of paying to care for a serious illness or injury, productivity also suffers while employees dealing with their own or a family member’s chronic or serious health care condition. Wellness programs that encourage and support the efforts of employees and their families to stay healthy may be one valuable part of these efforts. Beyond trying to prevent the need to cope with illness behind wellness programs, however, opportunities to realize big financial, productivity and benefit value recognition rewards also exist in the too often overlooked opportunity to provide training, education and tools that employees and their families need to better understand and self-manage care, benefits, finances and life challenges that commonly arise when dealing with their own or a family member’s illness. Providing education, tools and other resources that can help employees access, organize and effectively use health care and benefit information to manage care and the consequences of illness, their benefits and how to use them, to take part more effectively in care and care decisions, to recognize and self-manage financial, lost-time and other challenges associated with the illness not addressable or covered by health benefit programs, and other practical skills can help reduce lost time and other productivity impacts while helping employees and their families get the most out of the health care dollars spent.

Pack Your Parachute & Locate The Nearest Exit Doors

With the parade of expenses and liabilities associated with health plans, businesses sponsoring health plans and the management, service providers and others involved in their establishment, continuation, maintenance or administration are well advised to pack their survival kit and develop their exit strategies to position to soften the landing in case their health plan experiences a legal or operational disaster.

Employers and other health plan sponsors and fiduciaries typically hire and rely upon a host of vendors and advisors to design and administer their health plans. When selecting and hiring these service providers, health plan sponsors and fiduciaries are well-advised to investigate carefully their credentials as well as require the vendors to provide written commitments to stand behind their advice and services. Too often, while these service providers and advisors encourage plan sponsors and fiduciaries to allow the vendor to lead them or even handle on an ongoing basis plan administration services by touting their services, experience, expert systems and process and commitment to stand behind the customer when making the sale or encouraging reliance upon their advice when tough decisions are made, they rush to stand behind exculpatory and on-sided indemnification provisions in their service contracts to limit or avoid liability, demand indemnification from their customer or both when things go wrong. While ERISA may offer some relief from certain of these exculpatory provisions under some circumstances, plan sponsors and fiduciaries should work to credential service providers and require service providers to commit to being accountable for their services by requiring contracts acknowledge all promised services and standards of quality, require vendors to commit to provide legally compliant and prudently designed and administered services that meet or exceed applicable legal requirements, to provide liability-backed indemnification or other protection for damages and costs resulting from vendor imprudence or malfeasance, to allow for contract termination if the vendor becomes unsuitable for continued use due to changing law or other circumstances and requiring the vendor to return data and other documentation critical to defend past decisions and provide for ongoing administration. Keep documentation about advice, assurances and other relevant evidence received from vendors which could be useful in showing your company’s or plan’s efforts to make prudent efforts to provide for the proper administration of the plan. When concerns arise, use care to investigate and redress concerns in a timely, measured fashion which both shows the prudent response to the concern and reflects sensitivity to the fiduciary and other roles and responsibilities of the employer sponsor and other parties involved.

Get Moving Now On Your Compliance & Risk Management Issues.

Since many compliance deadlines already have past and the impending deadlines allow plan sponsors and fiduciaries limited time to finish arrangements, businesses, fiduciaries and their service providers need to get moving immediately to update their health plans to meet existing and impending compliance and risk management risks under the Affordable Care Act and other federal laws, decisions and regulations.

Monitor, Assess Implications & Provide Relevant Input to Regulators About Emerging Requirements & Interpretive Guidance Implementing 2014 Affordable Care Act & Other Mandates.

While the Supreme Court upheld the individual mandate, employer and other health plan sponsors, Congress continues to debate changes to the Affordable Care Act and other federal health plan rules. Meanwhile, significant opportunity still exists to provide input to federal and state regulators on many key aspects of the Affordable Care Act and its relationship to other applicable laws even as court challenges to contraceptive coverage and other specific requirements are emerging. Businesses and other health plan sponsors, plan fiduciaries, insurers and administrators, and other vendors must stay involved and alert. Zealously monitor new developments and share timely input with Congress and regulators about existing and emerging rules that present concerns and other opportunities for improvement even as you position to respond to these rules before they become fully implemented.

For Help or More Information

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and registerto receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

Comments Off on 12 Steps Every Employer With A Health Plan Should Do Now To Manage 2012-14 Health Plan Risks & Liabilities | Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Employers, ERISA, Excise Tax, Fiduciary Responsibility, Health Plans, Human Resources, Income Tax, Patient Empowerment, Patient Protection and Affordable Care Act, Payroll Tax, Preemption, Privacy, Reporting & Disclosure, Tax, Wellness | Tagged: compliance, Employee Benefits, Employer, Finance, Health Benefits, Health Care Reform, Health Care Reform. Employer, Health Plans, Management, Plan Sponosr, Risk Managment | Permalink
Posted by Cynthia Marcotte Stamer

OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin

November 9, 2011

The kickoff of a new compliance audit pilot program provides another reason for health care providers, health plans, healthcare clearinghouses and their business associates to get serious about compliance with the privacy, security and data breach requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

OCR Pilot Audit Program Begins

On November 8, 2011, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced that it will begin auditing HIPAA compliance this month under a new pilot program.

As amended by the American Recovery and Reinvestment Act of 2009 in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to make sure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To carry out this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance between November 2011 and December 2012.

The commencement of OCR HIPAA compliance audits is yet another sign that covered entities and their business associates should get serious about HIPAA compliance. The audit program serves as a new part of OCR’s health information privacy and security compliance program. While OCR says that it presently views the pilot audits as primarily a compliance improvement tool, this does not mean violators should expect a free walk.

Even before the impending audits, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. Earlier this year, OCR imposed a $4.3 Million Civil Money Penalty (CMP) against Cignet Health of Prince George’s County (Cignet) for violating HIPAA. Meanwhile, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. Under amendments made by the HITECH Act, state attorneys general also now are empowered to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations also will get the right to share in a portion of certain HIPAA recoveries.

These and other audit and enforcement activities send a strong message that covered entities and their business associates need to get serious about HIPAA compliance. As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” Learn more here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Vice President of the North Texas Health Care Compliance Professionals Association, a member of the American College of Employee Benefit Counsel, Past Chair of the ABA RPTE Employee Benefits & Other Compensation Arrangements Group, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies. Ms. Stamer also regularly helps clients deal with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on the required “culture of compliance” with HIPAA are frequently included in medical privacy related publications of the Atlantic Information Service, Modern Health Care, HealthLeaders and many others. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here or may contact her at (469) 767-8872 or via e-mail here.

You can review other selected publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin | Data Security, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, Health Plans, Human Resources, Internal Controls, Internal Investigations, Patient Empowerment, Privacy, Tax | Tagged: Data Breach, Health Care Provider, Health Plans, HHS, HIPAA, OCR, Privacy, Privacy Rules | Permalink
Posted by Cynthia Marcotte Stamer

Spectrum Healthcare NLRB Charge Settlement Highlights Need To Defend Against Possible Unfair Labor Practices & Other Union Exposures

May 20, 2011

The National Labor Regulations Board (NLRB)’s announcement of a settlement against a Connecticut nursing home operator this week in conjunction with a series of other enforcement actions highlight the need for businesses to tighten defenses and exercise other caution to minimize their organization’s exposure to potential NLRB charges or investigation. As reflected by many of these enforcement acts, the exposures arise both from active efforts by businesses to suppress union organizing or contracting activities, as well as the failure to identify and manage hidden labor law exposures in the design and administration of more ordinary human resources, compliance, business operations and other policies and practices.

On May 17, 2011, the NLRB announced here that Connecticut nursing home operator Spectrum Healthcare has agreed to settle a NLRB case involving multiple allegations of unlawful suspensions, discharges and unilateral changes in violation of the National Labor Relations Act and other federal labor laws by offering reinstatement and back pay to all discharged and striking workers and signing a new three-year collective bargaining agreement with its employees’ union, New England Health Care Employees Union District 1199, SEIU.

Along with the contract and reinstatement of all employees, the company agreed to pay $545,000 in back pay and pension benefits to employees who were harmed by the unfair labor practices, and to expunge any disciplinary records related to the case. As a result, all NLRB charges against the company have been withdrawn. Spectrum admits to no wrongdoing in the settlement.

The settlement, reached midway through a hearing before an NLRB administrative law judge in Connecticut and approved by the judge yesterday, ends a long-running dispute which grew into a strike by almost 400 employees at four nursing homes in Connecticut operated by Spectrum Healthcare, LLC. Complaints issued by the NLRB Regional Office in Hartford alleged that, beginning in the fall of 2009, several months after the prior collective bargaining agreement expired, Spectrum discharged seven employees and suspended three others to retaliate against their union activities and to discourage other employees from supporting the union. In addition, one employee was discharged and seven others were suspended after the employer unilaterally changed its tardiness discipline policy without first bargaining with the union.

The complaints further alleged that in April 2010, employees at the four nursing homes — in Derby, Ansonia, Winsted, and Hartford — went on strike to protest the unfair labor practices. When the strikers offered unconditionally to return to work in late August, the employer refused to take them back. Under federal labor law, if a strike is called because of an unfair labor practice, employees are entitled to reinstatement after an unconditional offer to return to work.

The reinstated employees are due to return to the facilities this week.

The Spectrum Healthcare settlement is reflective of the growing number of NLRB enforcement orders against employers generally and health care providers specifically under the Obama Administration. The Obama Administration has close ties and has expressed its strong and open support for union and union organizing activities. The adoption of a series of union friendly labor law reforms was one of the key campaign promises of President Obama during his election campaign. While other legislative priorities and the change in the leadership of the House of Representatives appears to have slowed efforts to push through this agenda, it has not slowed the Administration’s efforts to support unions with strong enforcement activities. Empowered by a difficult economic and job situation and an awareness of the Obama Administration’s strong support for union organizing and other activities, unions are stepping up organizing efforts and more aggressively challenging employers actions.

Over the past few months, public awareness of the Obama Administration’s aggressive enforcement agenda on behalf of unions has drawn new attention as a result of the widespread media coverage of NLRB actions challenging Boeings planned relocation of certain manufacturing jobs intervention in a planned relocation of certain manufacturing operations. See, e.g., Acting General Counsel Lafe Solomon releases statement on Boeing complaint; National Labor Relations Board issues complaint against Boeing Company for unlawfully transferring work to a non-union facility. However, the Boeing and Spectrum Healthcare actions represent only the tip of the iceberg of the rising number of NLRB enforcement activities, most of which take place with little media or public attention.

Along side the Spectrum Healthcare and Boeing actions, in recent weeks, the NLRB also has been busy with several other enforcement activities. For instance:

On May 9 2011, the NLRB issued a complaint against Hispanics United of Buffalo (HUB), a nonprofit that provides social services to low-income clients, that alleges that HUB unlawfully discharged five employees after they took to Facebook to criticize working conditions, including work load and staffing issues. The case involves an employee who, in advance of a meeting with management about working conditions, posted to her Facebook ; and
On May 17, the NLRB secured a temporary injunction from a U.S. District Court in San Jose California against San Jose area waste hauling company OS Transport LLC, charged with engaging in unfair labor practices including the termination of a lead organizer and another Union supporter, retaliation against Union efforts in the form of unfavorable assignments, threats to Union supporters, and promises of improved treatment of employees who disavow the Union for the alleged purpose of defeating a union. o offer reinstatement to two drivers and restore full assignments to other drivers who had expressed support for a union during an organizing campaign. More Details here.,

In addition, in recent weeks, the NLRB also has:

Sued the state of Arizona on amendment limiting method for choosing union representation on May 5, 2011;
Secured an order requiring a Milwaukee job training center to pay back pay and reinstate workers fired for complaining about bounced paychecks on May 3, 2011;
Ordered a concrete supplier to rehire employees in Indianapolis on May 2, 2011;
Found a New York egg processing plant of unlawful interference and ordered a third election ohm April 27, 2011; and
Secured a settlement from Build.com of unlawful dischrage charges for firing employee based on Facebook comments on April 20

Amid this difficult enforcement environment, business leaders should exercise special care to prepare to defend their actions against both potential organizing efforts, to understand the types of actions and activities that may help fuel charges, and take steps to manage these and other union organization and other labor risks.

For Help With Labor & Employment, Employee Benefits Or Other Risk Management and Defense

If you need assistance in auditing or assessing, updating or defending your labor and employment, employee benefits, compliance, risk manage or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 23 years of work helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit and management policies and practices. Her experience includes extensive work helping employers implement, audit, manage and defend wage and hour and other workforce and internal controls policies, procedures and actions. The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on wage and hour, worker classification and other human resources and workforce, employee benefits, compensation, internal controls and related matters. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Comments Off on Spectrum Healthcare NLRB Charge Settlement Highlights Need To Defend Against Possible Unfair Labor Practices & Other Union Exposures | 105(h), Absenteeism, ADA, Affirmative Action, Affordable Care Act, ARRA, Bankruptcy, Cafeteria Plans, Child Labor, CHIP, Claims Administration, COBRA, COBRA Subsidy, Corporate Compliance, Data Security, Defined Benefit Plans, Defined Contribution Plans, Disability, Disability, Disability Plans, Discrimination, Disease Management, Drug & Alcohol, E-Verify, EEOC, Employee Benefits, Employers, Employment Agreement, Employment Tax, ERISA, Excise Tax, Fair Labor Standards Act, family leave, Fiduciary Responsibility, FMLA, GINA, Government Contractors, H.R. 4872, Health Care Reform, Health Plans, HIPAA, Human Resources, I-9, Immigration, Income Tax, Insurance, Internal Controls, Internal Investigations, Labor Management Relations, Leave, Malpractice, medical leave, Medicare Part D, Mental Health, Mental Health Parity, Military Leave, Non-Compete, Non-Competition Agreement, Nonresident aliens, OFCCP, OSHA, Pandemic, Patient Empowerment, Patient Protection and Affordable Care Act, Payroll Tax, Preemption, Prescription Drugs, Privacy, Professional Liability, Protected Health Information, Public Policy, Refunds, Rehabilitation Act, Reporting & Disclosure, Restructuring, Retaliation, Retirement Plans, Risk Management, Safety, Sexual Harassment, Stimulus Bill, Swine Flu, Tax, Tax Credit, Tax Qualification, Telecommuting, Uncategorized, Unemployment Benefits, Unemployment Insurance, Union, USERRA, VEVRRA, Wage & Hour, Wellness, Wellness Programs, Whistleblower | Tagged: ADAAA, Americans With Disabiltiies Act, Employer, employment discrimination, facebook, HR, Human Resources, NLRA, social medial, unfair labor practices, Union | Permalink
Posted by Cynthia Marcotte Stamer

OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line

May 10, 2011

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review. The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA). Meanwhile, OCR’s Susan McAndrew is scheduled to share insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference to be hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011.

The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards. Presentations cover a variety of current topics including updates on HHS health information privacy and security initiatives, OCR’s enforcement of health information privacy and security activities, integrating security safeguards into health IT and security automation, insider threat trends and safeguards, and more.

The conference is designed to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the agencies share their practical strategies, tips and techniques for implementing the HIPAA Security Rule.

For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here. For details about the May 16 teleconference, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, On May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16. Her insights on the required “culture of compliance” with HIPAA also recently were quoted in medical privacy related publications of the Atlantic Information Service. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Comments Off on OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line | Data Security, GINA, Health Plans, HIPAA, Human Resources, Privacy, Uncategorized, Wellness Programs | Tagged: Health Care, Health Care Provider, Health Plans, HIPAA, OCR, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Employers Beware! $4.3 Million Civil Penalty Shows OCR Serious About HIPAA Enforcement

February 23, 2011

A $4.3 million civil monetary penalty (CMP) imposed by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) against Cignet Health of Prince George’s County, Md., (Cignet) signals the growing need for health plans and their sponsors, health care providers, health care clearinghouses and their business associates covered by the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule to get serious about HIPAA compliance.

The first CMP ever assessed by OCR under the HIPAA Privacy Rule, the Cignet CMP assessment announced February 22, 2011, the $4.3 million CMP against Cignet announced February 22, 2011 applies the expanded HIPAA violation categories and increased HIPAA civil monetary penalty amounts authorized as part of the expansion of HIPAA obligations and penalties enacted as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.

The Cignet penalty announcement is the latest in a series of developments documenting the rising risks that health care providers, health plans, health care clearinghouses and their business associates (“covered entities”) face for violations of HIPAA.

Even before the announcement of the Cignet CMP, the HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $1 Million from Rite Aid in a 2010 Resolution Agreement, $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated that covered entities could face significant civil liability for willful violations of the Privacy Rules. In addition, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others.

Health plans and other covered entities as well as their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks. To minimize the potential that the health plan’s sharing of information with the employer will create or spread HIPAA or other privacy risks to the employer or members of its workforce, employers and other plan sponsors and members of their workforce also should take steps to ensure not only that their health plan documents, policies and procedures, as well as those policies and practices applicable to employer, its human resources, and benefits advisors when accessing or handling health plan or other medical information on behalf of the employer, rather than the plan, are appropriately designed and administered.

Read more details and get tips here.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA or other health plan, or other labor and employment, employee benefit, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

Ms. Stamer, a noted Texas-based employee benefits and employment lawyer Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, will discuss HIPAA and other privacy risks and risk management strategies for employers, health and employee benefit plan sponsors and their administrators at the Southwest Benefits Association/IRS Plan Administrator Skills Workshops to be held February 25 in Dallas and March 4 in Houston.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters. She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns. Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others. She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.t Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Comments Off on Health Plans & Employers Beware! $4.3 Million Civil Penalty Shows OCR Serious About HIPAA Enforcement | ARRA, Employee Benefits, Employers, ERISA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Protected Health Information, Stimulus Bill, Tax | Tagged: Employer, Health Plans, HIPAA, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Update Employment Practices To Manage Genetic Info Discrimination Risks Under New EEOC Final GINA Regulations

November 9, 2010

The U.S. Equal Employment Opportunity Commission (EEOC) today issued final regulations (“Final Regulations”) implementing the employment provisions (Title II) of the Genetic Information Nondiscrimination Act of 2008 (GINA). Employers, employment agencies, labor organizations, joint labor-management committees, and others impacted by GINA should carefully review and update their hiring and background check, sick and family leave, disability accommodation, and other existing policies and practices to comply with the updated guidance provided by the Final Regulations to avoid liability under new GINA’s rules governing genetic information collection, use, protection and disclosure

Effective since November 21, 2009, Title II of GINA prohibits employers of 15 or more employees from discriminating in employment based on genetic information and restricts the acquisition and disclosure of genetic information by covered employers and certain other parties.

Under GINA, employers, employment agencies, labor organizations and joint labor-management committees face significant liability for violating the sweeping nondiscrimination and confidentiality requirements of GINA concerning their use, maintenance and disclosure of genetic information. Under GINA, employees and individuals can sue for damages and other relief like currently available under Title VII of the Civil Rights Act of 1964 and other nondiscrimination laws.

Meanwhile, Title I of GINA prohibits group health plans and health insurers from discriminating in eligibility or premium based on genetic information and requires these plans and insurers to protect the privacy of genetic information (Title I) for plan years beginning after May 20, 2009.

When assessing potential GINA risks and exposures, employers and others covered by its provisions must exercise care not to overlook or underestimate the genetic information collected or possessed by their organizations and the risks attendant to collecting or using this information. Many employers will be surprised by the breadth of the depth of “genetic information.” Because of GINA’s broad definition of “genetic information,” its provisions create potential liability concerns for a surprisingly wide range of employment and health plan practices.

The Final Regulations published today implement the employment discrimination rules of GINA Title II. The EEOC previously published proposed regulations interpreting Title II of GINA in March, 2009. Concurrent with its release of the Final Regulations, the Commission also issued two question-and-answer documents on the final GINA regulations. For links to today’s guidance and more details, see here.

Failing to properly address GINA compliance could expose employers to substantial risk. Violation of the employment provisions of Title II subjects an employer to potentially significant civil judgments like those that generally are available for race, sex, and other federal employment discrimination claims covered by the Civil Rights Act. Accordingly, employers and others who have not already done so should act quickly to review and update their policies and procedures to manage their new compliance and liability exposures under GINA. Employers and others covered by GINA also should assess their leave and other records and practices for data that could be considered genetic information and take appropriate steps to safeguard this information to comply with the confidentiality, nondiscrimination and anti-retaliation rules of GINA, the Americans with Disabilities Act and other applicable laws.

For More Information Or Assistance

If you need assistance evaluating or defending existing or proposed practices under GINA or with other workforce, employee benefit, compensation, internal controls or risk management practices, please contact the author of this update, Board Certified Labor & Employment attorney Cynthia Marcotte Stamer at (469) 767-8872 or via e-mail here.

About Ms. Stamer

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Chair of the American Bar Association (ABA) RPTE Employee Benefit & Other Compensation Group, a Council Member of the ABA Joint Committee on Employee Benefits, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, management attorney and consultant Cynthia Marcotte Stamer has more than 23 years experience advising and representing employers, health and other employee benefit plans, their sponsors, fiduciaries and plan administrators, consultants, vendors, outsourcers, insurers, governments and others about employment, employee benefit, compensation, and a wide range of other performance, legal and operational risk management practices and concerns. As a part of this work, Ms. Stamer has worked extensively with client to manage risks and defend practices under GINA, the ADA and a wide range of employment discrimination, privacy and other laws. A prolific author and popular speaker, Ms. Stamer also publishes, conducts client and other training, speaks and consults extensively on GINA and other employment and employee benefit risk management practices and concerns for the ABA, World At Work, SHRM, American Health Lawyers Association, Institute of Internal Auditors, Society for Professional Benefits Administrators, HCCA, Southwest Benefits Association and many other organizations. Her insights on these and related topics have appeared in Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, Managed Healthcare, Health Leaders, various ABA publications and a many other national and local publications. To learn more about Ms. Stamer, her experience, involvements, programs and publications, see here or contact Ms. Stamer.

Other Resources & Developments

If you found this information of interest, you also may be interested in reviewing other recent Solutions Law Press updates including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. For important information concerning this communication click here.

If you or someone else you know would like to receive future updates and notices about upcoming programs and events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. To unsubscribe, send an e-mail with “Unsubscribe” in the subject here. For important information concerning this communication click here.

Comments Off on Update Employment Practices To Manage Genetic Info Discrimination Risks Under New EEOC Final GINA Regulations | Disability, Discrimination, EEOC, Employee Benefits, Employers, GINA, Human Resources, Privacy, Risk Management, Union | Tagged: ADA, EEOC, Emloyment Discrimination, Employment, GINA, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Register Now For 8/24 2010 Health Plan Update Briefing

July 30, 2010

Learn If Your Plan Will Be Grandfathered Plan & What You Must Do Now To Meet Key 2010/2011 Affordable Care Act & Other Federal Health Plan Compliance Deadlines

A Solutions Law Press Live Internet Broadcast Briefing

August 24, 2010

10:00 A.M.-12:30 P.M. Eastern

11:00 A.M.- 1:30 P.M. Central

9:00 A.M-11:30 A.M. Pacific

Solutions Law Press invites you to catch up on the latest guidance about the new group health plan mandates imposed under the Patient Protection and Affordable Care Act (Affordable Care Act) and other federal health plan regulations by participating in a live “2010 Health Plan Update” internet[*] broadcast briefing on Tuesday, August 24 2010. The briefing will be conducted via live video broadcast from 11:00 A.M.-1:30 P.M. Central Time. Register here for a registration fee of $150.00[†] per participant.

Affordable Care Act Requires Prompt Action By Group Health Plans, Sponsors, Fiduciaries & Administrators

The Affordable Care Act and other impending federal health plan changes will require employment-based group health plans, their employer and other plan sponsors, plan fiduciaries, plan administrators and other service providers and insurers to make quick decisions and to act quickly to meet impending federal compliance deadlines while preserving flexibility. All employer and other group health plan sponsors, fiduciaries, insurers and administrators must act quickly to update their health plan documents, communications, insurance and vendor agreements and other practices to comply with new federal requirements that become effective under the Affordable Care Act on the first day of the plan year beginning after September 22, 2010 and various other changes in federal health plan rules effective or scheduled to take effect during 2010 or 2011 plan years. Many plan sponsors also may need to act quickly to cancel or revise plan design or vendor changes planned or already implemented since March 23, 2010 to position their health plan to qualify for grandfather status. Quick action also may be needed to claim small employer tax credits, retiree medical subsidies or other benefits.

Register Now To Get Key Information In August 24 Internet Briefing

The August 24, 2010 “2010 Health Plan Update” briefing will cover the latest guidance on Affordable Care Act and other federal health plan regulatory changes impacting employment-based group health plans and their sponsors for plan years beginning between September 23, 2010 and September 22, 2011 and other key information to help employers, group health plans, insurers, plan administrators, fiduciaries, broker and others working with these plans to understand and respond to these new requirements including:

How to qualify your health plan as a grandfathered plan under Affordable Care act
How to decide if maintaining grandfathered plan status is worthwhile
Claims & appeals requirements for grandfathered & non-grandfathered plans
Preventive care coverage mandates & wellness program requirements & rules under Affordable Care Act & other federal regulations
Updated dependent child eligibility, pre-existing condition & other requirements for grandfathered & non-grandfathered plans
Special enrollment, preexisting condition & other eligibility mandates for grandfathered & non-grandfathered plans under new Affordable Care Act, new FMLA, COBRA, Michelle’s Law, HIPAA & other federal regulations
Mental health & substance abuse, provider choice & other benefit mandates under Affordable Care Act, Mental Health Parity & other federal rules
Update on other recent & pending Affordable Care Act group health plan rule guidance
Tips to review & update your plans, vendor agreements & processes to meet Affordable Care Act & other federal group health plan dictates
Expected future Affordable Care Act & other federal rule changes & tips for preparing
Practical strategies for responding to new requirements & changing rules
Participant questions

About The Presenter

The program will be conducted by attorney Cynthia Marcotte Stamer. With more than 23 years of experience advising employers, group health plans, plan fiduciaries, plan administrators and vendors, insurers and others about health plan and managed care matters, Ms. Stamer is nationally known for her work, publications and presentations on health plan and other employee benefit, health care and insurance matters.

Current Chair of the American Bar Association (ABA) RPTE Employee Benefit & Other Compensation Committee, a Council Member of the ABA Joint Committee on Employee Benefits and Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer continuously advises employers, health plans, plan sponsors, fiduciaries, plan administrators, plan vendors, insurers and others about health program related legal, operational, documentation, public policy, enforcement, privacy, technology, litigation and risk management and other concerns. Ms. Stamer also publishes and speaks extensively on these and other health and managed care program concerns and practices. Her insights on these and related topics have appeared in Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, Managed Healthcare, Health Leaders, various ABA publications and a many other national and local publications. To contact Ms. Stamer or for additional information about Ms. Stamer, her experience, involvements, programs or publications, contact Ms. Stamer at (469) 767-8872 or via e-mail here, or see here.

About Solutions Law Press

[*] A limited number of participants on a space available basis will have the opportunity to participate in the briefing as a member of the live studio audio audience in Plano, Texas. Interested persons should e-mail support@solutionslawyer.net.

[†] Discounts available for groups registering three or more participants. Sponsorship opportunities also available. For information, E-mail support@solutionslawyer.net.

Comments Off on Register Now For 8/24 2010 Health Plan Update Briefing | ADA, Affordable Care Act, COBRA, Disease Management, Employee Benefits, Employers, ERISA, Excise Tax, family leave, Fiduciary Responsibility, FMLA, GINA, HIPAA, Human Resources, Insurance, Internal Controls, Leave, medical leave, Mental Health, Patient Protection and Affordable Care Act, Payroll Tax, Privacy, Protected Health Information, Risk Management, Tax, Wellness | Tagged: Affordable Care Act, COBRA, FLSA, GINA, grandfathered plan, Health Plan, HIPAA, Mental Health Parity, Michelle's Law | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Speaks June 9 On “Health Care Reform’s Implications For Employers, Health Plans & Employee Benefits Practitioners” In Houston

May 19, 2010

Cynthia Marcotte Stamer will discuss “Health Care Reform’s Implications for Employers, Health Plans and Employee Benefits Practitioners” at the June 9, 2010 meeting of Houston WEB. The program is scheduled for Wednesday, June 9, 2010 at the DoubleTree Guest Suites, 5353 Westheimer, Houston, Texas from 11:30 a.m. to 1:30 pm.

Narrowly passed by Congress in March after a year of contentious debate, the comprehensive health care reform legislation imposes a complex array of reforms impacting employment based health plans, employers, and the insurers and other vendors and administrators of these programs. Ms. Stamer will explore key elements of these reforms impacting employers and employment based health coverage and their implications for employers, employment based health plans, and employee benefits and other attorneys providing advice about these arrangements.

To register or for more information about this event, see here. If you need assistance reviewing or responding to these or other employee benefit, compensation or labor and employment concerns, contact the author of this update, Cynthia Marcotte Stamer, for assistance at (469) 767-8872 or here.

About Ms. Stamer

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 23 years of work helping businesses manage labor and employment, employee benefits, performance management and discipline, compliance and internal controls, risk management, and public policy matters including significant, cutting edge experience advising employer and other health plan sponsors, fiduciaries, insurers, administrators and others design, administer, and defend defensible, cost-effective health and other employee benefit programs.

As a core focus of her practice, Ms. Stamer works extensively with employer and other health plan sponsors, fiduciaries, administrative and other service providers, insurers, and other clients on health benefit program and product design, documentation, administration, compliance, risk management, and public policy matters. The publisher of Solutions Law Press, Ms. Stamer also publishes, conducts training and speaks extensively on these and related concerns for the ABA, the Bureau of National Affairs and many other organizations. Please join us for what promises to be a most interesting discussion

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, and the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, Ms. Stamer also is recognized for her publications, industry leadership, workshops and presentations on these and other health industry and human resources concerns. She regularly speaks and conducts training for the ABA, Institute of Internal Auditors, Society for Professional Benefits Administrators, Southwest Benefits Association and many other organizations. Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Aspen Publishers, Schneider Publications, Spencer Publications, World At Work, SHRM, HCCA, State Bar of Texas, Business Insurance, James Publishing and many others. You can review other highlights of Ms. Stamer’s experience here. Her insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

If you need help with human resources or other management, concerns, wish to ask about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer here or (469)767-8872.

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to receive our Solutions Law Press distributions here. For important information about this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

Comments Off on Stamer Speaks June 9 On “Health Care Reform’s Implications For Employers, Health Plans & Employee Benefits Practitioners” In Houston | Affordable Care Act, CHIP, COBRA, COBRA Subsidy, Corporate Compliance, Employee Benefits, Employers, Employment Tax, ERISA, Fiduciary Responsibility, FMLA, HIPAA, Human Resources, Insurance, Internal Controls, Medicare Part D, Mental Health, Mental Health Parity, Payroll Tax, Prescription Drugs, Privacy, Protected Health Information, Public Policy, Risk Management, Tax, Uncategorized, Wellness, Wellness Programs | Tagged: Affordable Care Act, Employee Benefits, Employers, ERISA, Fiduciary, Health Care Reform, Health Insurance, Health Plan, Health Plans, Insurer | Permalink
Posted by Cynthia Marcotte Stamer

CBO Raises Estimated Cost of Health Care Reforms As Employers, Health Plans Brace Costs Of Newly Effective & Impending Mandates

May 15, 2010

By Cynthia Marcotte Stamer

New analysis released Tuesday, May 11 by the non-partisan Congressional Budget Office shows H.R. 3590, the Patient Protection and Affordable Care Act, Public Law 111-148 (Health Care Reform Law) passed in March will cost $115 Billion more than originally estimated in the CBO’s March 15, 2010 discretionary spending analysis. News of the cost estimate increase comes as U.S. employer and other health plan sponsors, insurers and others are bracing for the first wave of new federal health plan mandates enacted as part of the Health Care Reform Law to take effect in September and a host of other federal mandates previously enacted that take effect in the 2009 and 2010 plan years.

Projected Cost of Health Care Reform Increased

According to CBO, additional information about the potential effects of the Health Care Reform Law on spending funded through the annual appropriation process (discretionary spending). By their nature all such potential effects on discretionary spending are subject to future appropriation actions, which could result in greater or smaller costs than the sums authorized by the legislation. While still limited in certain respects, the updated CBO analysis provides information on the major components of such costs in three general categories:

The costs that will be incurred by federal agencies to implement the new policies established by the Health Care Reform Law, such as administrative expenses for the Department of Health and Human Services and the Internal Revenue Service for carrying out key requirements of the legislation.
Explicit authorizations for future appropriations for a variety of grant and other program spending for which the act identifies the specific funding levels it envisions for one or more years. (Such cases include provisions where a specified funding level is authorized for an initial year along with the authorization of such sums as may be necessary for continued funding in subsequent years.)
Explicit authorizations for future appropriations for a variety of grant and other program spending for which no specific funding levels are identified in the legislation. That type of provision generally includes legislative language that authorizes the appropriation of “such sums as may be necessary,” often for a particular period of time.

According to the updated analysis, CBO estimates that total authorized costs in the first two categories probably exceed $115 billion over the 2010-2019 period. CBO still does not have an estimate of the potential costs of authorizations in the third category.

CBO previously issued an estimate of the Health Care Reform Law’s direct spending and revenue effects in combination with the Reconciliation Act of 2010 (Public Law 111-152), which amended it. (Direct spending effects are those that do not require subsequent appropriation action.) CBO estimated that those two laws, in combination, would produce a net reduction in federal deficits of $143 billion over the 2010-2019 period as a result of changes in direct spending and revenues.

Impending Federal Health Plan Mandate Changes Bring New Costs, Risks Now

CBO’s adjustment to its cost projections comes as U.S. employers and insurers already are bracing to cope with a host of new federally imposed health plan mandates and accompanying costs that already have or will in the next 12-months impact their existing health benefit programs. Examples of these new mandates include:

COBRA Stimulus Bill Premium Subsidy and Other Mandates
New FMLA and USERRA Coverage Continuation Mandates
Dependent Care Coverage Extension Mandates For Students Requiring Medical Leave Effective
Genetic and Other Disability Discrimination Mandates under GINA, ADA Amendments Act of 2008, HIPAA Portability and Other Federal Mandates
Expanded Mental Health Parity Mandates
HIPAA Data Breach and Other Protected Health Information Privacy and Data Security Mandates
New IRS Excise Tax Self-Assessment & Reporting Mandates For Plans Violating COBRA, Mental Health Parity and Wide Range of Other Federal Mandates
Changes To Retiree Medical Subsidy Rules
Early Retiree Medical Reinsurance Program For Employers Providing Qualifying Retiree Coverage
New Small Employer Tax Credit Rules
Mandated extension of dependent coverage to age 26
Prohibition of Pre-Existing Condition Limits on Dependent Coverage
New restrictions on annual and lifetime benefit limitations
Mandate to cover 100% of preventative care
Prohibition against coverage rescissions
Primary Care Physician choice mandates
Restrictions on coverage limitations for emergency and obstetrical care
Extension of Internal Revenue Code Section 105(h) nondiscrimination mandates to certain insured health plans
Many others

Employer and other health plan sponsors, their insurers, administrators and others responsible for updating and administering group and other health plans must move immediately to meet these evolving mandates while bracing for anticipated increased costs and other obligations expected to result as the Health Care Reform Law takes effect over the next few years. Employers, administrators and insurers needing additional information about these changes can review the resources and training materials available here and/or contact the author of this update, attorney and consultant Cynthia Marcotte Stamer, for assistance at (469) 767-8872 or here

Responsible & Prompt Action Needed

Employer and other health plan sponsors, administrators, fiduciaries and insurers both should act quickly to update their programs, plan documents, communications and practices to comply with federal mandates that have and are scheduled to take effect and stay involved with regulators and Congress as the regulatory rules and processes to implement the Health Care Reform Law are developing. Ultimately, the cost and other implications of the Health Care Reform Law will depend largely upon how its provisions are construed and implemented by federal and state regulators, along with any subsequent adjustments, if any that Congress may elect to enact. With federal officials hard at work preparing implementing regulations and other guidance and procedures, health industry leaders and other concerned Americans should stay informed and continue to share their input on these critical issues as these decisions are shaped. Join the discussion by participating in the Coalition For Responsible Health Care Policy linked in group and/or its subgroup, Project COPE: Coalition for Patient Empowerment and/or register to receive updates Coalition for Responsible Heath Care Policy by RSS Feed.Coalition for Responsible Health Care Policy Coalition for Responsible Health Care Policy Coalition for Responsible Health Care Policy

The author of this update, Cynthia Marcotte Stamer, recently has conducted briefings on the implications of the Affordable Care Act and other regulatory changes impacting health plans and their employer and other sponsors, insurers, administrators and others for the Society of Professional Benefits Administrators, the Dallas Bar Association and others. Several other presentations and update are scheduled in the upcoming months. For information about these programs or to register to receive information about these programs, see here.

About Ms. Stamer

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 22 years of work helping businesses manage labor and employment, employee benefits, performance management and discipline, compliance and internal controls, risk management, and public policy matters including significant, cutting edge experience advising employer and other health plan sponsors, fiduciaries, insurers, administrators and others design, administer, and defend defensible, cost-effective health and other employee benefit programs.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, and the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications Ms. Stamer also is recognized for her publications, industry leadership, workshops and presentations on these and other health industry and human resources concerns. She regularly speaks and conducts training for the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, Harris County Medical Society, the Medical Group Management Association, Society for Professional Benefits Administrators, Southwest Benefits Association, Harris County Medical Society, Medical Group Management Association, Society of Human Resources Management, and many other organizations. Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Aspen Publishers, Schneider Publications, Spencer Publications, World At Work, SHRM, HCCA, State Bar of Texas, Business Insurance, James Publishing and many others. You can review other highlights of Ms. Stamer’s experience here. Her insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

Comments Off on CBO Raises Estimated Cost of Health Care Reforms As Employers, Health Plans Brace Costs Of Newly Effective & Impending Mandates | Affordable Care Act, ARRA, CHIP, COBRA, COBRA Subsidy, Disease Management, Employee Benefits, Employers, Employment Tax, ERISA, Excise Tax, family leave, Fiduciary Responsibility, FMLA, GINA, H.R. 4872, Health Plans, HIPAA, Human Resources, Income Tax, Leave, medical leave, Medicare Part D, Mental Health, Mental Health Parity, Military Leave, Payroll Tax, Prescription Drugs, Privacy, Protected Health Information, Public Policy, Risk Management, Stimulus Bill, Tax, Uncategorized, Wellness | Tagged: Affordable Care Act, dependent coverage, Employer, Health Care Reform, Health Plans, Insurer, Mental Health Parity, preexisting condition | Permalink
Posted by Cynthia Marcotte Stamer

Stamer To Speak About TPA & Other Plan Services Agreement Contracting Strategies For Managing Risks & Improving Effectiveness At 2010 Great Lakes Benefits Conference

March 13, 2010

Curran Tomko Tarski LLP Labor & Employment Practice Chair and Solutions Law Press Publisher Cynthia Marcotte Stamer will discuss “TPA & Other Plan Services Agreements- Managing Risks & Improving Effectiveness” At 2010 Great Lakes Benefits Conference to be held at the Wyndham Chicago Hotel on June 16-17, 2010.

Growing regulatory, fiduciary and other compliance risks magnify the importance of the careful negotiation and documentation of third party administration and other plan-related service agreements for plans, plan sponsors, plan fiduciaries and service providers. Careful credentialing, negotiation and documentation of administrative and other services relationships plays an increasingly key role in the ability of plan sponsors, plans, fiduciaries and service providers to allocate and efficiently manage plan operations, meet compliance obligations, and allocate and manage fiduciary and other legal risks.

Ms. Stamer’s workshop will examine key concerns like how administrative services contract terms, plan terms, the parties of actions and other factors help determine which parties are exposed to fiduciary and other liabilities; who is responsible for fiduciary, administrative, reporting and disclosure, bonding, indemnification and other responsibilities; and terms and processes that may help parties manage their relationships and legal risks by exploring some of the common issues and concerns that need to be considered when entering into these contractual arrangements.

Co-hosted by the Internal Revenue Service and ASPPA, this two day Conference features presentations on regulatory, legislative, administrative and actuarial and other employee benefit issues lead by local, regional and national government representatives from the Internal Revenue Service and the Department of Labor and nationally recognized employee benefit leaders from private industry. To register for the Conference or for additional information, see here.

Chair of the American Bar Association RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice and former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is nationally recognized for more than 22 years domestic work with employer and other plan sponsors, fiduciaries, administrative and other service providers, insurers, and other clients on employee benefit program and product design, documentation, administration, compliance, risk management, and public policy matters. The publisher of Solutions Law Press, Ms. Stamer also publishes, conducts training and speaks extensively on these and related concerns. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with vendor or other outsourcing contracts, or other employee benefits, employment, compensation or other management concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer, CTT Labor & Employment Practice Chair at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and learn more about other Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press distributions here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

Comments Off on Stamer To Speak About TPA & Other Plan Services Agreement Contracting Strategies For Managing Risks & Improving Effectiveness At 2010 Great Lakes Benefits Conference | CHIP, COBRA, Corporate Compliance, Defined Benefit Plans, Disability Plans, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, FMLA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Malpractice, Medicare Part D, Mental Health, Mental Health Parity, Preemption, Prescription Drugs, Privacy, Professional Liability, Reporting & Disclosure, Retirement Plans, Risk Management, Tax, Wellness Programs | Tagged: administrative services agreement, bonding, compliance, ERISA, Fiduciary Responsibility, Health Plans, Insurance, Retirement Plans, Risk Management, tpa, trustees | Permalink
Posted by Cynthia Marcotte Stamer

Privacy Rule Changes & Posting of Breach Notices On OCR Website Signal New Enforcement Risks For Health Plans, Their Sponsors & Business Associates

February 23, 2010

By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun disclosing on its website the employer and other health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) that report breaches of unsecured protected health information (UPIC) affecting more than 500 individuals as required by new rules enacted as part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This posting of Covered Entities reporting breaches comes just days after these and other Covered Entities became subject on February 17, 2010 to a host of other tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA) also enacted as part of the HITECH Act. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other exposures, prompt action to manage risk under both the Breach Regulations and the revised HIPAA rules is critical to minimize Covered Entity and business associate exposures under both these rules. With criminal, administrative and civil prosecutions of such violations increasing and likely to expand, timely action to manage compliance and other risks is warranted. Health plans and their business associates also should prepare for increased awareness and oversight of the adequacy of their medical information safeguards as these disclosures and other enforcement actions heighten interest and awareness of employees and others in these rules.

Covered Entity Breach Notification Requirements

OCR posted the initial list of Covered Entities disclosing these breaches on its website for the first time yesterday (February 22, 2010) to comply with breach notification requirements imposed by Section 164.408 of the interim “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here.

The Breach Regulation requires Covered Entities subject to the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals, OCR and certain other parties following a “breach” of “unsecured” protected health information occurring on or after September 23, 2009. The Breach Regulation implements new breach notification requirements added to HIPAA by Section 13402(e)(3) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It and the posting of Covered Entities reporting breaches of protected health information are part of the ongoing implementation and enforcement of new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under provisions of the HITECH Act and expanded remedies for violations signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You can review the list of Covered Entities that have reported breaches on the OCR website here. Learn more about the Breach Regulation requirements here.

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

Just last Wednesday (February 17, 2010) Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted by the HITECH Act. The changes that became effective on February 17, 2010 generally require that Covered Entities and their business associates make specific changes to update their written policies, operational procedures, privacy notices, business associate agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have remain unnecessarily exposed under these new requirements by not completing or otherwise failing to adequately implement the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

Covered Entities and business associates failing to devote adequate attention and resources to managing HIPAA compliance and associated risks risk increasing peril. Aside from the potential implications that disclosures of violations may have on patients and others impacting their business, the legal risks of noncompliance for Covered Entities, business associates and others mishandling protected health information are real and growing.

Timely action to comply with the amended HIPAA requirements and Breach Regulations is important both to preserve critical trust in the business, to avoid triggering breach notifications that can undermine this trust and fuel legal complaints, and to avoid exposure to an expanding range of sanctions that can result when a violation occurs.

Amendments made under the HITECH Act have expanded the size and availability of remedies that can be imposed for HIPAA violations as well as the parties empowered to pursue these remedies. Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties, criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated. Since September 23, 2009, health plans and other HIPAA Covered Entities as well as their business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act. Coupled with increased enforcement emphasis by regulators, these expansions to HIPAA’s remedy provisions increase the risk that Covered Entities or business associates violating HIPAA face investigation and sanction. Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

Expanded HIPAA & Other Federal Prosecutions & Remedies

The expanded requirements imposed under the Breach Regulation and the other HITECH Act changes that took effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other Covered Entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. Noncompliance with these and other HIPAA requirements subjects Covered Entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies. In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for Covered Entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act.

HITECH Amendments Expand Liability Exposures

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:

Allow a State Attorney General to sue health plans or other Covered Entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
Require Office of Civil Rights to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
Revise the criminal sanctions that the Department of Justice can seek against Covered Entities, their business associates and others for violations of HIPAA; and
Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

State Attorney General Lawsuit Exposures

Covered Entities and their business associates now also need to be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA.

The HITECH Act empowers a state attorney general to sue Covered Entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue Covered Entities and business associates that violate HIPAA for civil damages.

On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net. The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, however, OCR and Department of Justice already were stepping up HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, OCR also is emphasizing HIPAA enforcement. In February, 2009, for instance, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities to redress HIPAA violations or other compliance concerns. To review examples of these other actions, see here. While not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other Covered Entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information. Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws . See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year. Additionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here.

State Civil Lawsuits

Meanwhile, disgruntled employees or other business partners also increasingly raise alleged HIPAA misconduct as a basis of their legal complaints. For instance, private plaintiffs employed by Covered Entities also are increasingly pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities and their business associates that fail to properly manage their HIPAA compliance obligations and risks.

Given these and other developments, Covered Entities and their business associates generally should resist the temptation to underestimate their potential HIPAA exposure for a variety of reasons. In fact, a number of factors demonstrate that the risks are significant and growing for Covered Entities, business associates and others that breach HIPAA’s mandates or otherwise inappropriately access protected health information.

Covered Entities & Business Associates Urged To Act Promptly To Manage Expanded HIPAA Risks & Obligations

As a consequence of these collective HITECH Act changes and growing HIPAA-related and other exposures, Covered Entities, their business associates and business associates generally will find it necessary or advisable among other things to:

Conduct well-documented due diligence within the scope of attorney-client privilege on their own practices and procedures;
Review the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information;;
Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters;
Update policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
Conduct well-documented training as necessary to ensure that business associates and other members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reported suspected violations; and
Pursue appropriate liability and other protection as appropriate to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are both appropriately documented on paper and operationalized in performance.

As part of these compliance and risk management efforts, most Covered Entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that Covered Entities and their business associates focus significant attention on the reworking of their operating and contractual relationships including the definition of detailed procedures for monitoring, reporting, investigating, and resolving potential breaches or other compliance concerns.

Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many Covered Entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements. Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

These and other stepped up oversight and enforcement activities make it critical that all Covered Entities and their business associates update their policies and practices, conduct training, tighten their compliance and data breach monitoring processes, strengthen their internal controls and documentation, and take other steps to prepare to defend their actions under the newly strengthened Privacy Rules. Covered Entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards. Covered Entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

For Assistance With Compliance Or Other Concerns

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting the author of this article, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail here.

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

Other Recent Developments

If you found this information of interest, you also may be interested in information about upcoming programs to be presented by Ms. Stamer, acquiring a copy of a recording or materials from previous programs she has presented, or arranging training for your organization. For more information about these opportunities, contact Ms. Stamer directly.

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here. Examples of other recent updates that may be of interest include:

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on Privacy Rule Changes & Posting of Breach Notices On OCR Website Signal New Enforcement Risks For Health Plans, Their Sponsors & Business Associates | Corporate Compliance, Data Security, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Privacy, Risk Management, Wellness Programs | Tagged: Corporate Compliance, Employee Benefits, Employer, ERISA, GINA, Health Care Reform, Health Insurance, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Medical Coverage, Privacy, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates

February 17, 2010

Today (February 17, 2010), employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Coming as U.S. employers continue to struggle to provide health benefits in the face of skyrocketing health benefit costs, these and other new federal regulations impacting employment-based health plans and their sponsoring businesses, fiduciaries and administrators are forcing U.S. business leaders to make appropriate health plan cost and compliance management a key management priority.

2/17/10 & Other HIPAA Privacy Rule Changes Require Prompt Attention

The HIPAA Privacy Rule changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

The risks of noncompliance for health plans, business associates and others mishandling protected health information are real and growing. Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties, criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated. Since September 23, 2009, health plans and other HIPAA covered entities as well as their business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other covered entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information. Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws . See e.g., Cybercrime & Identity Theft:Health Information Security Beyond HIPAA; NY AG Cuomo Annoucment of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year. Additionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here.

To manage these and other HIPAA-related risks, sponsoring employers, fiduciaries, administrators, insurers and their vendors should begin with carefully and timely reviewing and updating existing plan documents, vendor agreements, privacy notices and other communications and associated practices and policies. The focus of these efforts definitely should seek both to adopt the specific technical changes necessary to make the health plans and their contracts technically comply on paper with these and other HIPAA mandates, and to tailor these documents, communications and practices promote operational compliance and minimize exposure to associated risks. In relation to these efforts, sponsoring employers, insurers, fiduciaries and administrators also should ensure that required certifications from employers and other plan sponsors, representations from business associates, training and other compliance conditions are properly in place. In this respect, employers sponsoring health plans should not overlook the potential need to adopt appropriate policies and implement needed training and safeguards to enable the health plan and the employer demonstrate, if necessary that HIPAA’s requirements for sharing protected health information with members of the employer’s workforce for plan administration, underwriting or certain other purposes have been satisfied.

Other Health Plan Updates Also Required

The HIPAA Privacy Rule changes effective today are only part of the ever-growing list of federal mandates that group health plan sponsors, fiduciaries, insurers, administrators and service providers need to be concerned about. In addition to the new HIPAA Privacy Rule requirements taking effect today, health plans, their sponsors, administrators, fiduciaries, insurers, business associates and other service providers face a host of other new federal health plan and privacy mandates that have taken effect over the past year, and will become subject to additional mandates in upcoming months. Consequently, while focusing on HIPAA compliance, health plans, their employer or other sponsors, insurers, fiduciaries, administrators and service providers also should not overlook the need to review and update their health plans in response to a host of other changes in federal health plan mandates.

In addition to otherwise applicable civil damage awards and civil penalty exposures that can result from violations of these requirements, new Internal Revenue Service regulations that took effect January 1, 2010 also require that employers, health plans or others self-report violations of certain of these requirements and self assess and pay resulting excise taxes arising under the Internal Revenue Code. See, e.g., COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations.

The highly volatile health plan regulatory environment makes it likely that many health plans are not appropriately updated to comply with these and other federal requirements. In recent months, health plans, their employer or other sponsors, administrators and others also have become obligated to comply with a host of other expanded federal health plan rules and requirements. See e.g., New Mental Health Parity Regulations Require Health Plan Review & Updates; New Labor Department Rule Allows Employers 7 Days To Deliver Employee Contributions To Employee Benefit Plans; Newly Extended COBRA Subsidy Rules Require Employers, Administrators Send Required Notices & Update Health Plan Documents & Procedures Quickly; Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23.

These and other developments make it imperative that health plans, their employer or other sponsors, administrators, insurers, fiduciaries and service providers get serious about complying with these and other federal health plan mandates and managing health plan related liabilities and costs. Sponsors, insurers, fiduciaries and administrators should ensure that health plan documents, insurance and other vendor contracts, policies, procedures and communications are timely updated to comply with these and other emerging mandates. When implementing these updates, parties concerned about costs or liabilities also should exercise care to ensure that plan documents, communications, contracts, administrative forms and procedures are optimally designed and drafted not only to be technically compliant, but also to support the enforceability of plan design and cost expectations, minimize administrative and other avoidable costs, and minimize liability exposures. In furtherance of these efforts, employer and other plan sponsors also should consider tightening their practices and requirements for credentialing, selection, oversight and contracting with administrators and vendors, and take other prudent steps to manage health plan related risks.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

Other Information & Resources

For important information concerning this communication click here.

Comments Off on Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates | COBRA, Corporate Compliance, Data Security, ERISA, Fiduciary Responsibility, FMLA, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Prescription Drugs, Privacy, Wellness Programs | Tagged: Corporate Compliance, Employer, Health Plans, HIPAA, internal control, Mental Heatlh Parity, Privacy, Privacy Standards, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes

February 15, 2010

Connecticut AG Lawsuit Highlights Expanding Civil Damage Exposure Risks Of Noncompliance

By Cynthia Marcotte Stamer

By Wednesday, February 17, 2010, employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

2/17/10 Deadline To Comply With HITECH Act HIPAA Amendments

On February 17, 2010, health plans and other covered entities and their business associates will become subject to the latest to take effect in a series of amendments to the HIPAA enacted under the HITEC Act. The new rules are part of a broader series of changes to HIPAA made by the HITECH Act that collectively both significantly expand the obligations of covered entities and their business associates to regarding the use, protection and disclosure of protected health information and the liability exposures that can result when covered entities or business associates violate these requirements.

The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects. For instance, effective February 17, 2010, the HITECH Act generally requires that covered entities and their business associates revise their written privacy policies, privacy notices and operating procedures:

To meet expanded requirements to honor individual’s requests for special restrictions on uses and disclosures of protected health information to health plans for payment purposes
To restrict protected health information disclosures to the minimum necessary required to accomplish otherwise allowable purpose;
To comply with new rules that require that the covered entity and its business associates treat any use, access or disclosure of any protected health information made for purposes of making communications about products or services as made for marketing, rather than operational, purposes which are prohibited by HIPAA except where HIPAA’s requirements are met;
To comply with new restrictions on certain fundraising communications made for operational purposes including expanded obligations to allow recipients to opt out of further fundraising communications;
To prohibit covered entities or business associates from selling protected health information without meeting the amended requirements of HIPAA that a valid HIPAA authorization from the subject of the information and specific reassurances from the purchaser concerning its subsequent use of the protected health information except as otherwise permitted by HIPAA;
To take into account these tightened restrictions on the use, access or disclosure of protected health information for purposes of complying with new HITECH Act breach notification requirements that took effect in September, 2009, which apply when a covered entity or its business associate knows or should know a breach of “unsecured protected health information” has occurred and for purposes of making the necessary changes in written policies and business associate agreements, training and operational procedures necessary to comply with these rules;
To directly require business associates comply with HIPAA’s requirements in the same manner as other covered entities and make it necessary or advisable that that service provider agreements between health plans and business associates be updated to reflect these and other changes to HIPAA; and
To implement the necessary written policy changes, notification updates, business associate agreement amendments, training, management oversight and other procedural changes necessary to demonstrate fulfillment with these requirements.

Noncompliance with these and other HIPAA requirements subjects covered entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies. In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for covered entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act.

Under the HITECH Act, health plans and other covered entities and their business associates have been obligated since September 23, 2009 to notify individuals who are the subject of protected health information, the Department of Health & Human Services and in some cases the media if and when a breach of “unsecured protected health information occurs. Failing to timely update written policies, procedures and training increases the likelihood that health plans, other covered entities or business associates will be obligated to provide breach notifications under these new rules, in addition to their otherwise applicable exposures under HIPAA.

HIPAA Enforcement & Liability Exposures Real and Rising

Health plans and other covered entities, their business associates and others involved in health plan design and operations generally should resist the temptation to underestimate their potential HIPAA exposure based on the limited enforcement of HIPAA by the Office of Civil Rights between 2003 and 2009 for a variety of reasons.

First, the changes taking effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law and the new breach notification requirements added by the HITECH Act that took effect on September 23, 2009. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other covered entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA.

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions. Among other things, the HITECH Act amended HIPAA to:

Allow a State Attorney General to sue health plans or other covered entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
Expand the mandate by the Office of Civil Rights to investigate violations and audit compliance with HIPAA;
Require Office of Civil Rights to impose civil sanctions against health plans and other covered entities and their business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
Revise the criminal sanctions that the Department of Justice can seek against health plans and other covered entities, their business associates and others for violations of HIPAA;
Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue covered entities and business associates that violate HIPAA for civil damages.

The HITECH Act empowers a state attorney general to sue covered entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

Even before the HITECH Act amendments, however, the Office of Civil Rights and Department of Justice already were stepping up HIPAA investigation and enforcement. The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information. Meanwhile, the Office of Civil Rights in February, 2009 announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges. This announcement followed the Office of Civil Rights announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges. While not resulting in the significant payments involved in CVS or Providence, the Office of Civil Rights also taken HIPAA enforcement actions against a broad range of other covered entities to redress HIPAA violations or other compliance concerns. To review examples of these other actions, see here.

Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions. While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a covered entity’s violation of HIPAA, state courts have allowed private plaintiff’s to use the obligations imposed by HIPAA as the basis of a covered entity’s duty for purposes of certain state law lawsuits. In Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim. Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, private plaintiffs employed by covered entities also are increasingly pointing to HIPAA as the basis for their retaliation claims. See, e.g., Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that fail to properly manage their HIPAA compliance obligations and risks.

Health Plans & Business Associates Should Take Timely Action To Comply & Manage Risks

As a consequence of these collective HITECH Act changes and growing HIPAA-related exposures, both health plans and business associates generally will find it necessary or advisable among other things to:

Conduct well-documented due diligence on each other’s practices and procedures to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are operationalized in performance;
Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters; and
Pursue appropriate liability and other protection as appropriate.

As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements.

Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that health plans and other covered entities and their business associates focus significant attention on the reworking of their operating and contractual relationships.

Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

Given these changes and the associated obligations and risks, both health plans and other covered entities and their business associates generally should act quickly to manage their own compliance and to minimize exposures that may result from the other’s compliance deficiencies. As part of these efforts, both covered entities and their business associates generally should review and tighten business associate and other service agreement provisions to provide for more specific and comprehensive HIPAA-related contractual assurances, as well as improved cooperation, coordination, management and oversight.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other related matter, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. As part of this work, she regularly assists clients to review and update policies, practices, contracts, notices and procedures to comply with HIPAA and other requirements. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes | ARRA, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Protected Health Information, Risk Management, Stimulus Bill | Tagged: Breach Notice, Corporate Compliance, Data Breach, Employee Benefits, Employers, ERISA, GINA, Health Insurance, Health Plans, HIPAA, Human Resources, Insurance, Insurer, Internal Controls, Internal Investigations, Managed Care, Medical Coverage, PHI, Privacy, Privacy Rule, Risk Management, Security Rule | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Speaks To CPAs About “Privacy & Information Security: Managing Your Accounting Practice’s Liabilities & Counseling Your Clients” January 12, 2010

December 28, 2009

Accountants and their clients face increasing regulatory and business pressures to protect the sensitive business and personal information collected and maintained in the course of their operation to minimize their exposure to personal identity theft and other cybercrime scams by employees, business partners and others. Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer will speak about “Privacy & Information Security: Managing Your Accounting Practice’s Liabilities & Counseling Your Clients” to members of the Dallas CPA Society on January 12, 2010 beginning at 2:00 p.m.

Part of the Dallas CPA Society Member Appreciation CPE Series Meeting, Ms. Stamer’s presentation will be part of four hours of free CPE training to be provided at a program open to members only at the Hilton Lincoln Centre Hotel located at 5410 LBJ Freeway, Dallas TX 75240 from 1 p.m. to 4:50 p.m. Central Time. (Parking at the facility costs $5.00). To register or for additional information, see here.

If you need help responding to these developments or other legislative, regulatory or enforcement concerns, Curran Tomko Tarski LLP can help. Curran Tomko and Tarski LLP and its attorneys have significant experience assisting businesses and business leaders to manage and defend privacy, data security, tax employee benefit, employment, health care, environmental, safety, securities and other compliance and risk management concerns.

Curran Tomko Tarksi LLP Partner Cynthia Marcotte Stamer has more than 22 years experience helping businesses to use the law, process and technology to manage people and processes, and to manage technology, privacy and data security, employment and other legal and operational risks affecting their businesses. Author of “Privacy & Securities Standards-A Brief Nutshell,” “Privacy Invasions of Medical Care-An Emerging Perspective,” and “E-Health Business and Transactional Law Other Liability-Tort and Regulatory;” published by The Bureau of National Affairs, Inc., and many other publications, Ms. Stamer has extensive experience advising a accounting firms, law firms, banks and financial services organizations, insurers, consultants, health plans, health care providers and others about HIPAA, FACTA, and other privacy, trade secret and other information security and data breach risk management and compliance concerns. Ms Stamer also speaks, publishes and provides public policy input extensively on data security, technology and other internal controls and risk management matters. Chair of the American Bar Association RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, and Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice, Ms. Stamer also is Board Certified in Labor & Employment law. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with these or other compliance concerns, wish to inquire about federal or state regulatory compliance audits, risk management or training, assistance investigating or responding to a known or suspected compliance or risk management concern, or need legal representation on other matters please contact the author of this update, Cynthia Marcotte Stamer, CTT Labor & Employment Practice Chair at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here /the Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press HR & Benefits Update distributions here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

Comments Off on Stamer Speaks To CPAs About “Privacy & Information Security: Managing Your Accounting Practice’s Liabilities & Counseling Your Clients” January 12, 2010 | Corporate Compliance, Data Security, EEOC, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, Human Resources, Internal Controls, Malpractice, Privacy, Professional Liability, Protected Health Information, Risk Management | Tagged: Acountant's Liability, Corporate Compliance, CPA, CPE, Employee Benefits, Employer, GINA, Health Insurance, Health Plans, Human Resources, Internal Controls, Medical Coverage, Privacy, Risk Management, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures

December 25, 2009

Health plans and their business associates should review and update their practices and policies concerning the use access and disclosure of protected health information in response to changing requirements and expanding enforcement exposures under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

A series of Office of Civil Rights (OCR) enforcement action against health plans highlights the need for group health plans and insurers to exercise care to comply with HIPAA’s Privacy & Security Rules. For example, OCR recently required a HMO to take a series of corrective actions based on findings from its investigation of a complaint that the HMO impermissibly disclosed a member’s protected health information by sending her entire medical record to a disability insurance company without her authorization. Based on its investigation, OCR found the HMO violated HIPAA by relying on a form to make the disclosure that failed to meet the Privacy Rule requirements to qualify as a valid authorization under the Privacy Rule. Based on these findings, OCR required the HMO among other things:

To create a new HIPAA-compliant authorization form that specifies what records and/or portions of the files will be disclosed, that the respective authorization will be kept in the patient’s record, together with the disclosed information and otherwise to meet the content requirements of the Privacy Rule for an authorization; and
To implement a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form.

Another action resulted after a national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the health plan’s computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Privacy Rule. To resolve this case, OCR required among other things that the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.

In yet another case, OCR found an employee of a major health insurer impermissibly disclosed the PHI of one of its members without following the insurer’s authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures, to take action to mitigate the harm to the individual and to counsel and give a written warning to an employee who made the disclosure.

While OCR declined to impose any civil penalties in any of these three instances, violations of the Privacy Rules have resulted in both criminal prosecutions by the Department of Justice and the payment of large civil settlements to OCR. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information HIPAA Risks Soar As CVS Agrees to Pay $2.25 Million To Resolve HIPAA Charges & Stimulus Bill Amends HIPAA. Furthermore, recent amendments to the Privacy Rules increase the likelihood that health plans and other covered entities violating the Privacy Rules will incur civil penalties. The American Recovery and Reinvestment Act of 2009 (ARRA) amended the Privacy Rules effective October, 2009 to increase the civil penalties for Privacy Rule violations and to include new breach notification requirements for covered entities. Additional ARRA amendments to HIPAA scheduled to take effect February 17, 2010 will further tighten the conditions under which covered entities may use, access or disclose PHI under the Privacy Rules, will expand the circumstances under which health plans and other covered entities will be required to account for dealings with PHI under HIPAA, and will extend the duty to comply with and liability for violations of the Privacy Rules to business associates. In the meanwhile, employees increasingly are alleging Privacy Rule violations as part of their whistleblower or other wrongful discharge claims. See, e.g. Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.

In light of these changing rules and expanding liabilities, health plans and their business associates need to review and update their Privacy and Security practices, business associate agreements and privacy notices for compliance in light of the expanding enforcement activities of OCR and these evolving Privacy and Security Rules. These and other developments make it imperative that health plans and other covered entities and their business associates immediately review and update their HIPAA and other data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws.

If your organization needs assistance reviewing, updating, administering or defending privacy and data security practices under HIPAA, state data breach or other laws, Curran Tomko Tarski LLP can help. The author of this update, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising and assisting health plans, health insurers, and other covered entities and business associates to review, update, document, enforce and defend their HIPAA and other privacy and data security policies and practices. The author of numerous publications on HIPAA and other privacy and data security rules, she also speaks and conducts training extensively on these concerns.

Ms. Stamer is experienced with assisting employers, insurers, administrators, and others to design and administer group health plans cost-effectively in accordance with HIPAA and other applicable federal regulations as well as well as advising and defending employers, health plans, insurers and others against privacy, tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the OCR, DOJ,IRS, Department of Labor and other federal and state regulators.. Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, a representative to the ABA Joint Committee on Employee Benefits Council, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, employee benefit and other personnel and staffing matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here. Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures | Corporate Compliance, Data Security, Employee Benefits, Employers, ERISA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Privacy, Protected Health Information, Risk Management | Tagged: ARRA, Health Plans, HIPAA, OCR, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Preventive HR Strategies to Minimize Post Holiday Celebration Legal Hangovers

November 30, 2009

As the 2009 Holiday Season moves into full swing, your company may want to take some common sense precautions to minimize the risk of waking up with a post-Holiday Season business liability hangover. The music, food, game playing, toasting with alcohol and other aspects of the celebratory atmosphere at holiday parties and in the workplace during the Holiday Season heighten the risk that certain employees or other business associates will engage in, or be subject to, risky or other inappropriate behavior that can create liability exposures or other business concerns for your business.

Discrimination & Sexual Harassment

Whether company-sponsored or not, holiday parties and other celebrations where employees celebrate with other employees or clients tend to fuel bad behavior by inviting fraternization, lowering inhibitions and obscuring the line between appropriate and inappropriate social and business behavior.

The relaxation of the environment heightens the risk that certain employees or clients will make unwelcome sexual advances, make sexually suggestive or other inappropriate statements, or engage in other actions that expose the business to sexual harassment or other employment discrimination liability. To minimize these exposures, businesses should take steps to communicate and reinforce company policies and expectations about sexual harassment, discrimination, fraternization and other conduct viewed as inappropriate by the company. The company should caution employees that the company continues to expect employees and business partners to adhere to company rules against sexual harassment and other inappropriate discrimination at company sponsored and other gatherings involving other employees or business associates. To enhance the effectiveness of these reminders, a company should consider providing specific guidance about specific holiday-associated activities that create heightened risks. For instance, a business that anticipates its employees will participate in white elephant or other gift exchanges involving other employees or business associates may wish to specifically include a reminder to exercise care to avoid selecting a gift that may be sexually suggestive or otherwise offensive. Businesses also may want to remind employees that the company does not expect or require that employees submit to unwelcome sexual or other inappropriate harassment when participating in parties or other social engagements with customers or other business partners.

Businesses also should use care to manage other discrimination exposures in the planning of holiday festivities, gift exchanges, and other activities. Exercise care to ensure that business connected holiday parties, communications, gifts and other December festivities reflect appropriate sensitivity to religious diversity. Businesses also should be vigilant in watching for signs of inappropriate patterns of discrimination in the selection of employees invited to participate in company-connected social events as well as off-duty holiday gatherings sponsored by managers and supervisors.

Alcohol Consumption

The prevalence of alcohol consumption during the Holiday Season also can create a range of business concerns. Most businesses recognize that accidents caused by alcohol intoxication at work or work-related functions create substantial liability exposures both to workers and any third parties injured by a drunken employee. Businesses also may face “dram shop” claims from family members or other guests attending company sponsored functions injured or injure others after being allowed to over-imbibe. To minimize these risks at company-sponsored events, many companies elect not to serve or limit the alcohol served to guests at company sponsored events. To support the effectiveness of these efforts, many businesses also choose to prohibit or restrict the consumption of guest provided alcohol at company events.

Businesses concerned with these liability exposures should take steps to manage the potential risks that commonly arise when employees or clients consume alcohol at company sponsored events or while attending other business associated festivities. Businesses that elect to serve alcohol at company functions or anticipate that employees will attend other business functions where alcohol will be served need to consider the potential liability risks that may result if the alcohol impaired judgment of an employee or other guest causes him to injure himself or someone else. Any company that expects that an employee might consume alcohol at a company sponsored or other business associated event should communicate clearly its expectation that employees not over-imbibe and abstain from driving under the influence. Many businesses also find it beneficial to redistribute information about employee assistance programs (EAPs) along with this information. You can find other tips for planning workplace parties to minimize alcohol related risks on the U.S. Department of Labor’s website here.

When addressing business related alcohol consumption, many businesses will want to consider not only alcohol consumption at business related events as well as potential costs that may arise from off-duty excess alcohol consumption. Whether resulting from on or off duty consumption, businesses are likely to incur significant health and disability related benefit costs if an employee is injured in an alcohol-related accident. Furthermore, even when no injury results, productivity losses attributable to excess alcohol consumption, whether on or off duty, can prove expensive to business. Accordingly, virtually all businesses can benefit from encouraging employees to be responsible when consuming alcohol in both business and non-business functions.

Businesses also may want to review their existing health and other benefit programs, liability insurance coverage and employment policies to determine to ensure that they adequately protect and promote the company’s risk management objectives. Many health and disability plans incorporate special provisions affecting injuries arising from inappropriate alcohol use as well as mental health and alcohol and drug treatment programs. Similarly, many businesses increasingly qualify for special discounts on automobile and general liability policies based upon representations that the business has in effect certain alcohol and drug use policies. Businesses can experience unfortunate surprises if they don’t anticipate the implications of these provisions on their health benefit programs or liability insurance coverage. Reviewing these policies now to become familiar with any of these requirements and conditions also can be invaluable in helping a business to respond effectively if an employee or guest is injured in an alcohol-related accident during the Holiday Season.

Concerned employers may want to listen in on the “Plan Safe Office Parties this Holiday Season” seminar that the National Safety Council plans to host on December 9, 2009 from 10:30 a.m. -11:30 a.m. Central Time. For more information or to register call (800) 621-7619 or see here.

Gift Giving & Gratuities

The exchange of gifts during the Holiday Season also can raise various concerns. As a starting point, businesses generally need to confirm that any applicable tax implications arising from the giving or receiving of gifts are appropriately characterized and reported in accordance with applicable tax and other laws. Government contractors, health industry organizations, government officials and other entities also frequently may be required to comply with specific statutory, regulatory, contractual or ethical requirements affecting the giving or receiving of gifts or other preferences. In addition to these externally imposed legal mandates, many businesses also voluntarily have established conflict of interest, gift giving or other policies to minimize the risk that employee loyalty or judgment will be comprised by gifts offered or received from business partners or other outsiders. Businesses concerned about these and other issues may want to review the adequacy of current business policies affecting gifting and adopt and communicate any necessary refinements to these policies. To promote compliance, businesses also should consider communicating reminders about these policies to employees and business associates during the Holiday Season. Even a simple e-mail reminder to employees that the company expects them to be familiar with and comply with these policies can help promote compliance and provide helpful evidence in the event that an employee engages in an unauthorized violation of these rules.

Performance, Attendance & Time Off

Businesses also commonly face a range of attendance and productivity concerns during December. The winter cold and flu season and other post-celebration illnesses, vacations, and winter weather inevitably combine to fuel a rise in absenteeism in December. Managing staffing needs around the legitimate requests for excused time off by employees presents real challenges for many businesses. Further complications can arise when dealing with employees suspected of mischaracterizing the reason for their absence or otherwise gaming the company’s time off policies. Meanwhile, performance and productivity concerns also become more prevalent as workers allow holiday shopping, personal holiday preparations, and other personal distractions to distract their performance. Businesses concerned with these challenges ideally will have in place well-designed policies concerning attendance, time off and productivity that comply with the Fair Labor Standards Act and other laws. Businesses should exercise care when addressing productivity and attendance concerns to investigate and document adequately their investigation before imposing discipline. Businesses also should ensure that their policies are appropriately and even-handedly administered. They also should exercise care to follow company policies, to maintain time records for non-exempt workers, to avoid inappropriately docking exempt worker pay, and to provide all required notifications and other legally mandated rights to employees taking medical, military or other legally protected leaves. In the event it becomes necessary to terminate an employee during December, careful documentation can help the business to defend this decision. Furthermore, businesses should be careful to ensure that all required COBRA notifications, certificates of creditable coverage, pension and profit-sharing notice and distribution forms, and other required employment and employee benefit processes are timely fulfilled.

Timely Investigation & Notification

Businesses faced with allegations of discrimination, sexual harassment or other misconduct also should act promptly to investigate any concerns and if necessary, take appropriate corrective action. Delay in investigation or redress of discrimination or other improprieties can increase the liability exposure of a business presented with a valid complaint and complicate the ability to defend charges that may arise against the business. Additionally, delay also increases the likelihood that a complaining party will seek the assistance of governmental officials, plaintiff’s lawyers or others outside the corporation in the redress of his concern.

If a report of an accident, act of discrimination or sexual harassment or other liability related event arises, remember to consider as part of your response whether you need to report the event to any insurers or agencies. Injuries occurring at company related functions often qualify as occupational injuries subject to worker’s compensation and occupational safety laws. Likewise, automobile, employment practices liability, and general liability policies often require covered parties to notify the carrier promptly upon receipt of notice of an event or claim that may give rise to coverage, even though the carrier at that time may not be obligated to tender a defense or coverage at that time.

If your organization needs assistance with assessing, managing or defending these or other labor and employment, compensation or benefit practices, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer or another Curran Tomko Tarski LLP attorney of your choice. Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group and a nationally recognized author and speaker, Ms. Stamer is experienced with advising and assisting employers with these and other labor and employment, employee benefit, compensation, risk management and internal controls matters. Ms. Stamer is experienced with assisting employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, and other labor and employment laws, as well as advising and defending employers and others against tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. She has counseled and represented employers on these and other workforce matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on Preventive HR Strategies to Minimize Post Holiday Celebration Legal Hangovers | Absenteeism, Disease Management, EEOC, Employers, Human Resources, Internal Controls, Internal Investigations, Leave, OSHA, Privacy, Risk Management, Safety, Sexual Harassment, Wage & Hour, Wellness | Tagged: COBRA, Corporate Compliance, Employee Benefits, Employment, Health Plans, Human Resources, Internal Controls, Internal Investigations, Labor, Minimum Wage, Occupational Injury, Privacy, Risk Management, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Employer H1N1 Virus Risk Management Requires Employer Care To Manage Virus Risks Without Violating Employment Discrimination or Other Laws

November 30, 2009

As the Centers for Disease Control (CDC) continues cautioning Americans to expect a resurgence of the H1N1 virus, employers should continue to take prudent steps to defend their organization and their workers against a widespread H1N1 outbreak and the attendant lost time, health and disability costs, OSHA and other liability exposures and other personal and financial consequences likely to result from an outbreak.

Employers wishing to deter the spread of the disease in their workplace should educate workers about these recommendations and consider taking steps to encourage workers to comply with these recommendations. When planning or taking steps to protect their workplaces from the H1N1 virus pandemic or other outbreaks of communicable diseases, however, employers must use care to avoid violating the Americans With Disabilities Act or other employment laws.

Preventing, Recognizing & Mitigating Risks of H1N1

Although the number of reported cases of H1N1 virus cases has declined in many states in recent weeks, CDC officials are warning American’s that the crisis is not over yet. CDC officials last week warned Americans to expect H1N1 infection to rise as the holiday approaches and the winter progresses. With flu activity already higher than what is seen during the peak of many regular flu seasons and the H1NA virus accounting for almost all of the flu viruses identified so for this season, Accordingly, the CDC continues to encourage Americans to be alert for symptoms of H1N1 or other flu and to take other precautions including to get vaccinated.

Employers should continue to encourage workers and their families to take precautions to avoid catching the virus, to be on the watch for H1N1 virus or other flu infection and to respond appropriately if they, members of their families or others in the workplace exhibit these symptoms. To help promote health habits within their workforce, many businesses may want to download and circulate to employees and families the free resources published by the CDC here. Businesses and other concerned parties also can track governmental reports about the swine flu and other pandemic concerns at here.

For those not already suffering from the virus and particularly for those at higher risk, the CDC continues to recommend vaccination. People recommended by the CDC to receive the vaccine as soon possible include: health care workers; pregnant women; people ages 25 through 64 with chronic medical conditions, such as asthma, heart disease, or diabetes; anyone from 6 months through 24 years of age; and people living with or caring for infants under 6 months old. As the vaccine becomes available, many employers are encouraging workers and their families to get vaccinated by offering vaccination clinics at or near their worksites, arranging for health plan coverage for vaccinations with reduced or no co-payments or deductibles, and/or sharing information about government sponsored or other vaccination clinics.

While the CDC says getting employees and their families to get a flu shot remains the best defense against a flu outbreak, it also says getting employees and family members to consistently practice good health habits like covering a cough and washing hands also is another important key to prevent the spread of germs and prevent the spread of respiratory illnesses like the flu. Employers should encourage employees and their families to take the following steps:

Avoid close contact with people who are sick. When you are sick, keep your distance from others to protect them from getting sick too;
Stay home when you are sick to help prevent others from catching your illness;
Cover your mouth and nose;
Cover your mouth and nose with a tissue when coughing or sneezing. It may prevent those around you from getting sick;
Clean your hands to protect yourself from germs;
Avoid touching your eyes, nose or mouth;
Germs are often spread when a person touches something that is contaminated with germs and then touches his or her eyes, nose, or mouth; and
Practice other good health habits. Get plenty of sleep, be physically active, manage your stress, drink plenty of fluids, and eat nutritious food.

Employers also should encourage workers and their families to be alert to possible signs of H1N1 or other flu symptoms and to respond appropriately to possible infection. According to the CDC, all types of flu including H1NA typically include many common symptoms, including:

Fever
Coughing and/or sore throat
Runny or stuffy nose
Headaches and/or body aches
Chills
Fatigue

Patients suffering from H1N1 flu usually report these same symptoms, but the symptoms often are more severe. In addition to the above symptoms, a number of H1N1 flu cases reported vomiting and diarrhea.

CDC recommends individuals diagnosed with H1N1 flu should:

Stay home and avoid contact with others for at least 24 hours after a fever (100°F or 37.8°C) is gone without the use of fever reducing medicine except to get medical care or for other things that must be done that no one else can do;
Avoid close contact with others, especially those who might easily get the flu, such as people age 65 years and older, people of any age with chronic medical conditions (such as asthma, diabetes, or heart disease), pregnant women, young children, and infants;
Clean hands with soap and water or an alcohol-based hand rub often, especially after using tissues or coughing/sneezing into your hands;
Cover coughs and sneezes;
Wear a facemask when sharing common spaces with other household members to help prevent spreading the virus to others. This is especially important if other household members are at high risk for complications from influenza;
Drink clear fluids such as water, broth, sports drinks, or electrolyte beverages made for infants to prevent becoming dehydrated;
Get plenty of rest;
Follow doctor’s orders; and
Watch for signs for a need for immediate medical attention. Suffers should get medical attention right away if the sufferer has difficulty breathing or chest pain, purple or blue discoloration of the lips, is vomiting and unable to keep liquids down, or shows signs of dehydration, such as feeling dizzy when standing or being unable to urinate.

In seeking to contain the spread of the virus within their workplace, employers also should be sensitive to workplace policies or practices that may pressure employees with a contagious disease to report to work despite an illness and consider whether the employer should adjust these policies temporarily or permanently in light of the ongoing pandemic. For instance, financial pressures and the design and enforcement of policies regarding working from home and/or qualifying for paid or unpaid time off significantly impact the decisions employees make about whether to come to work when first experiencing symptoms of illness. Employers of workers who travel extensively – may wish to delay or restrict travel for some period.

Employers Must Employment Discrimination & Other Legal Compliance Risks

Many employers may want to evaluate and appropriately revise existing policies with an eye to better defending their workforce against a major outbreak. Whether or not the disease afflicts any of its workers, businesses can anticipate the swine flu outbreak will impact their operations – either as a result of occurrences affecting their own or other businesses or from workflow disruptions resulting from safeguards that the business or other businesses implement to minimize swine flu risks for its workforce or its customers. Many businesses also will want to prepare backup staffing and production strategies to prepare for disruptions likely to result if a significant outbreak occurs.

Employers planning for or dealing with an H1N1 or other epidemic in their workplace should exercise care to avoid violating the nondiscrimination and medical records confidentiality provisions of the Americans with Disabilities Act (ADA) and/or the Genetic Information Nondiscrimination Act (GINA), the Family & Medical Leave Act of 1990 (FMLA), the Fair Labor Standards Act (FLSA) and applicable state wage and hour laws, and other employment and privacy laws.

Improperly designed or administered medical inquiries, testing, vaccination mandates and other policies or practices intended to prevent the spread of disease may expose an employer to disability discrimination liability under the ADA or GINA. For instance, the ADA generally prohibits an employer from making disability-related inquiries and requiring medical examinations of employees, except under limited circumstances permitted by the ADA. Likewise, improperly designed or communicated employer inquiries into family medical status which could be construed as inquiring about family medical history also may raise exposures under genetic information nondiscrimination and privacy mandates of GINA that took effect November 21, 2009.

During employment, the ADA prohibits employee disability-related inquiries or medical examinations unless they are job-related and consistent with business necessity. Generally, a disability-related inquiry or medical examination of an employee is job-related and consistent with business necessity when an employer has a reasonable belief, based on objective evidence, that:

An employee’s ability to perform essential job functions will be impaired by a medical condition; or
An employee will pose a direct threat due to a medical condition.

This reasonable belief “must be based on objective evidence obtained, or reasonably available to the employer, prior to making a disability-related inquiry or requiring a medical examination.”

Additionally, the ADA prohibits employers from making disability-related inquiries and conducting medical examinations of applicants before a conditional offer of employment is made. It permits employers to make disability-related inquiries and conduct medical examinations if all entering employees in the same job category are subject to the same inquiries and examinations. All information about applicants or employees obtained through disability-related inquiries or medical examinations must be kept confidential. Information regarding the medical condition or history of an employee must be collected and maintained on separate forms and in separate medical files and be treated as a confidential medical record. The EEOC Pandemic Preparedness In The Workplace and The Americans With Disabilities Act Guidance makes clear that employer inquiries and other H1N GINA’s inclusion of information about the “manifestation of a disease or disorder in family members” is likely to present a liability trap door for many unsuspecting employers H1N1 and other epidemic planning and response activities should be carefully crafted to avoid violating these proscriptions.

GINA’s inclusion of information about the “manifestation of a disease or disorder in family members” also could present a liability trap door for some employers designing pandemic or other workplace wellness, disease management or other programs. GINA defines “genetic information” broadly as including not only information about genetic tests about an individual or his family member as well as information about the “manifestation of a disease or disorder in family members of such individual, GINA also specifies that any reference to genetic information concerning an individual or family member includes genetic information of a fetus carried by a pregnant woman and an embryo legally held by an individual or family member utilizing an assisted reproductive technology. For more information about the new GINA genetic information employment discrimination rules, see here.

As part of their pandemic planning, employers also generally should review their existing wage and hour and leave of absence practices. Employers should ensure that their existing or planned practices for providing paid or unpaid leave are designed to comply with the FLSA and other wage and hour and federal and state leave of absence laws. Employers also should review and update family and medical leave act and other sick leave policies, group health plan medical coverage continuation rules and notices and other associated policies and plans for compliance with existing regulatory requirements, which have been subject to a range of statutory and regulatory amendments in recent years. If considering allowing or requiring employees to work from home, employers also need to implement appropriate safeguards to monitor and manage employee performance, to protect the employer’s ability to comply with applicable wage and hour, worker’s compensation, OSHA and other safety, privacy and other legal and operational requirements.

Businesses, health care providers, schools, government agencies and others concerned about preparing to cope with pandemic or other infectious disease challenges also may want to review the publication “Planning for the Pandemic” authored by Curran Tomko Tarski LLP partner Cynthia Marcotte Stamer available at here. FLU.gov is a one-stop resource with the latest updates on the H1N1 flu. An additional resource is CDC INFO, 1-800-CDC-INFO (1-800-232-4636), which offers services in English and Spanish, 24 hours a day, 7 days a week. Schools, health care organizations, restaurants and other businesses whose operations involve significant interaction with the public also may need to take special precautions. These and other businesses may want to consult the special resources posted here.

Cynthia Marcotte Stamer and other members of Curran Tomko and Tarski LLP are experienced with advising and assisting employers with these and other labor and employment, employee benefit, compensation, and internal controls matters. If your organization needs assistance with assessing, managing or defending these or other labor and employment, compensation or benefit practices, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer. Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group and a nationally recognized author and speaker, Ms. Stamer is experienced with assisting employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, and other labor and employment laws, as well as advising and defending employers and others against tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, health and other employee benefit and other personnel and staffing matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on Employer H1N1 Virus Risk Management Requires Employer Care To Manage Virus Risks Without Violating Employment Discrimination or Other Laws | ADA, COBRA, Disease Management, EEOC, Employee Benefits, Employers, family leave, FMLA, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Leave, medical leave, OSHA, Pandemic, Privacy, Protected Health Information, Risk Management, Safety, Swine Flu, Wage & Hour, Wellness | Tagged: ADA, COBRA, Corporate Compliance, Disability Discrimination, Disease Management, Employee Benefits, Employers, Employment, Health Insurance, Health Plans, Human Resources, Internal Controls, Labor, Medical Coverage, Minimum Wage, Pandemic, Privacy, Risk Management, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

New GINA Genetic Information Based Employment Discrimination & Confidentiality Mandates Take Effect

November 24, 2009

Updated Employment Poster, Policies & Procedures Required Immediately

Employers, unions, employment agencies, employment training agencies and their agents face significant new employment discrimination liability risks if they violate new genetic information-based employment non-discrimination or fail to comply with genetic information confidentiality requirements that took effect under Title II of the Genetic Information Nondiscrimination Act (GINA) on Saturday, November 21, 2009. Employers need immediately to update their employment posters, carefully audit their existing records and practices to identify existing information and practices that may create special risks under GINA and take appropriate action to comply with the GINA rules. Employers needing an updated poster can find a copy on the Equal Employment Opportunity Commission website here.

Under the newly effective employment provisions of Title II of GINA, Federal law now prohibits employers of 15 or more employees and certain other entities from using individuals’ “genetic information” when making hiring, firing, job placement, or promotion decisions, requires “genetic information” be kept separately and confidential, and prohibits retaliation.

When assessing their risk under GINA, employers should be careful not to overlook or underestimate the genetic information collected or possessed by their organizations and the risks attendant to this information. Many employers will be surprised by the breadth of the depth of “genetic information.” GINA defines “genetic information” broadly as including not only information about genetic tests about an individual or his family member as well as information about the “manifestation of a disease or disorder in family members of such individual. GINA also specifies that any reference to genetic information concerning an individual or family member includes genetic information of a fetus carried by a pregnant woman and an embryo legally held by an individual or family member utilizing an assisted reproductive technology. Pending issuance of regulatory guidance, GINA’s inclusion of information about the “manifestation of a disease or disorder in family members” is likely to present a liability trap door for many unsuspecting employers.

While the agency responsible for construing and enforcing Title II of GINA, the Equal Employment Opportunity Commission (EEOC), to date has published only limited guidance about it, the absence of this final guidance should not be read by employers as a sign their compliance may be delayed. While not yet issued in final form, proposed regulations interpreting Title II of GINA accessible here published by the EEOC in March, 2009 and a subsequently released factsheet accessible here published by the EEOC in May, 2009 titled “Background Information for EEOC Notice of Proposed Rulemaking On Title II of the Genetic Information Nondiscrimination Act of 2008” provide insights about how the EEOC may be expected to view its provisions. While many employers have delayed taking action to update their policies and procedures in hopes that final guidance would be forthcoming before Title II took effect, time has now run out. Accordingly, employers who have not already done so should act quickly to implement all necessary changes to position themselves to defend against a potential claim that their organization may have violated GINA Title II.

Employment-Related Genetic Information Nondiscrimination Rules In Focus

Applicable to employers, unions, employment agencies, employment training agencies and their agencies based on genetic information by employers, Title II imposes sweeping prohibitions against employment discrimination based on genetic information. Title II generally has three components:

Employment Discrimination Prohibited. Section 202 of GINA makes it illegal for an employer:

To fail or refuse to hire, or to discharge, any employee, or otherwise to discriminate against any employee with respect to the compensation, terms, conditions, or privileges of employment of the employee, because of genetic information with respect to the employee;
To limit, segregate, or classify the employees of the employer in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee, because of genetic information with respect to the employee; or
To request, require, or purchase genetic information with respect to an employee or a family member of the employee except as specifically permitted by GINA and otherwise applicable law.

GINA §§ 203 and 204 extend similar prohibitions to employment agencies, labor unions and training programs.

Confidentiality Mandates. Under GINA § 206, an employer, employment agency, labor organization, or joint labor-management committee that possesses genetic information about an employee or member must protect the confidentiality of that information. Under its provisions, employers and other covered entities must:

Treat the genetic information as a confidential medical record of the employee or member and maintain it on separate forms and in separate medical files in the same manner as required for other medical records required to be maintained as confidential by Americans With Disabilities Act § 102(d)(3)(B); and
Only disclose it in the narrow circumstances specifically allowed by GINA.

Anti-Retaliation. GINA also prohibits retaliation or other discrimination against any individual because such individual has opposed any act or practice prohibited by GINA, for making a charge, testifying or assisting or participating in any manner in an investigation, proceeding, or hearing under GINA.

GINA’s Additional Group Health Plan Nondiscrimination & Privacy Rules Also Require Attention

In addition to taking appropriate steps to comply with the employment rules of Title II of GINA, employers and their group health plan fiduciaries and service providers also should ensure that the group health plan has been appropriately updated to comply with the group health plan nondiscrimination and privacy mandates of Title I of GINA.

Effective for all group health plan years beginning on or after May 21, 2009, GINA’s new restrictions on the collection and use of genetic information by group health plans added under Title I of GINA are accomplished through the expansion of a series of already existing group health plan nondiscrimination and privacy rules. GINA’s group health plan provisions amend and expand the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Employee Retirement Income Security Act of 1974 (ERISA), Title VII of the Civil Rights Act, the Public Health Service Act, the Internal Revenue Code of 1986, and Title XVIII (Medicare) of the Social Security Act to implement sweeping new federal restrictions on the collection, use, and disclosure of information that falls within its broad definition of “genetic information” by group health plans. For individual health insurers, GINA’s restrictions take effect May 22, 2009. The broad definition of the term “genetic information” in GINA will require group health plan sponsors and insurers to carefully review and update their group health plan documents, communications, policies and practices to comply with forthcoming implementing regulations to avoid liability under new GINA’s rules governing genetic information collection, use, protection and disclosure in a series of areas.

In this respect, wellness and disease management programs are likely to require special scrutiny and attention. GINA’s inclusion of information about the “manifestation of a disease or disorder in family members” raises potential challenges for a broad range of group health plan health assessment and other wellness and disease management programs which provide financial incentives or condition eligibility on the provision of family health histories or other information that could be construed as genetic information. The implications of these GINA prohibitions are further complicated by recent changes in the disability nondiscrimination rules and guidance under the Americans With Disabilities Act.

Title I of GINA generally prohibits group health plans from collecting genetic information for underwriting or eligibility purposes. It also expands already existing federal rules prohibiting group health plans from discriminating among individuals for purposes of determining eligibility or setting premiums based on health status previously enacted as part of HIPAA. These existing rules already prohibit group health plans and health insurance issuers from discriminating based on health related factors including genetic information for purposes of determining eligibility or premiums. GINA expands these existing nondiscrimination requirements to further regulate group health plan’s use and collection of genetic information. Under GINA’s nondiscrimination rules, group health plans and health insurers may not:

Request, require or purchase genetic information for underwriting purposes or in advance of an individual’s enrollment;
Adjust premiums or contribution amounts of the group based on genetic information;
Request or require an individual or family member to undergo a genetic test except in limited situations specifically allowed by GINA;
Impose a preexisting condition exclusion based solely on genetic information, in the absence of a diagnosis of a condition;
Discriminate against individuals in eligibility and continued eligibility for benefits based on genetic information; or
Discriminate against individuals in premium or contribution rates under the plan or coverage based on genetic information, although such a plan or issuer may adjust premium rates for an employer based on the manifestation of a disease or disorder of an individual enrolled in the plan.

GINA also prohibits insurers providing individual health insurance from establishing rules for eligibility, adjusting premiums or contribution amounts for an individual, imposing preexisting condition exclusions based on, requesting or requiring individuals or family members to undergo genetic testing.

Of particular concern to many plan sponsors and fiduciaries are the potential implications of these new rules on existing wellness and disease management features group health plans. Of particular concern is how regulators will treat the collection of family medical history and certain other information as part of health risk assessments used in connection with these programs. Although official guidance is still pending, many are concerned that regulators will construe certain commonly used practices of requiring covered persons to provide family medical histories or other genetic information through health risk assessments (HRAs) to qualify for certain financial incentives as a prohibited underwriting practice under GINA. Even where health risk assessments are not used, however, most group health plan sponsors should anticipate that GINA will require specific amendments to their plan documents, communications and processes.

Taking timely action to comply with these nondiscrimination and collection prohibitions is important. Under amendments to ERISA made by GINA, group health plan noncompliance can create significant liability for both the plan and its sponsor. Participants or beneficiaries will be able to sue noncompliant group health plans for damages and equitable relief. If the participant or beneficiary can show an alleged violation would result in irreparable harm to the individual’s health, the participant or beneficiary may not have to exhaust certain otherwise applicable Department of Labor administrative remedies before bringing suit. In addition to these private remedies, GINA also authorizes the imposition of penalties against employers and other sponsors of group health plans that violate applicable requirements of GINA of up to $500,000. The minimum penalties generally are set at the greater of $100 per day or a minimum penalty amount ranging from $2,500 for de minimus violations corrected before the health plan received notice of noncompliance to $15,000 in cases in which the violations are more than de minimus. GINA also includes language allowing the Secretary of Labor to reduce otherwise applicable penalties for violations that could not have been identified through the exercise of due diligence or when the plan corrects the violation quickly.

GINA Amendments To Health Plan Privacy Rules Under HIPAA

In addition to its nondiscrimination rules, GINA also amends HIPAA to make clear that “genetic information” as defined by HIPAA is protected health information protected by HIPAA’s Privacy & Security Standards of HIPAA. This means that it will require that all genetic information be treated as protected health information subject to the Privacy and Security Standards applicable to group health plans covered by HIPAA. Although the statutory provisions that accomplish these changes are deceptively simple, compliance with these requirements likely will require group health plans and their business associates to amend existing privacy policies, notices and practices to appropriately restrict disclosures for underwriting, operations and certain other uses to withstand scrutiny under the GINA privacy rule amendments.

When contemplating these changes, many plan sponsors and administrators also will want to consider and begin preparing to comply with other refinements to their existing privacy and security practices required in response to HIPAA privacy and security rule amendments enacted as part of the HITECH Act provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). As GINA specifies that violations of its privacy rule restrictions trigger the same sanctions as other privacy rule violations, group health plans and their business associates also should give due consideration to these penalty exposures. The HITECH Act amended and increased civil penalties for HIPAA privacy violations in many circumstances effective February 17, 2009.

GINA’s fractured assignment of responsibility and authority to develop, implement and enforce regulatory guidance of its genetic information rules can create confusion for parties involved in compliance efforts. Because the group health plan requirements of Title I of GINA are refinements to the group health plan privacy and nondiscrimination rules previously enacted as part of HIPAA, GINA specifically assigned authority to construe and enforce its group health plan requirements to the agencies responsible for the interpretation and enforcement of those original rules: (1) the Department of Labor Employee Benefit Security Administration (EBSA); (2) the Internal Revenue Services (IRS), and (3) the Department of Health & Human Services.

These three agencies in early October published the interim final regulations construing the group health plan manatees of Title II of GINA, which are available for review here. Group health plans, their employer and other sponsors, fiduciaries and service providers should act quickly to review and update their group health plan documents, procedures and other materials to comply with these new mandates.

Other Information & Resources

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on New GINA Genetic Information Based Employment Discrimination & Confidentiality Mandates Take Effect | ADA, Corporate Compliance, EEOC, Employee Benefits, Employers, ERISA, GINA, Health Plans, HIPAA, Human Resources, Immigration, Privacy | Tagged: ADA, Disease Management, EEOC, Employee Benefits, Employer, Employers, Employment, Employment Agreements, Genetic Inforamtion, GINA, Health Insurance, Human Resources, Insurance, Insurer, Risk Management, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Register Now For HITECH Act Health Data Security & Breach Update: Learn What You Must Do This Month To Comply With New Health Data Breach Regulations

September 2, 2009

September 10, 2009 – Noon to 1:30 P.M. Central Time Participate In Person or Via Remote!

Health care providers, health plans, health clearinghouses and their business associates (Covered Entities) must comply with the new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) by September 23, 2009.

Catch up on what the Breach Rule means for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time for a registration fee of $45.00. Registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For information about registering for this program or other questions here,

The Breach Rule requires Covered Entities to notify affected individuals following a “breach” of “unsecured” protected health information. Just published August 24^th, the Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA). The briefing will cover:

Who must comply, health plans, employers, others?
What your organization must do
How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
What is considered a breach of unsecured protected health information
What steps must a covered entity take if a breach of unsecured protected information happens
What liabilities do covered entities face for non-compliance
What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
Other recent developments
Practical tips for assessing, planning, moving to and defending compliance
Participant questions
More

About The Presenter

The program will be presented by Curran Tomko and Tarski LLP Health Care & Employee Benefits Practice Leader and Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, a ABA Joint Committee on Employee Benefits Council Representative, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you find this of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@cttlegal.net.

Comments Off on Register Now For HITECH Act Health Data Security & Breach Update: Learn What You Must Do This Month To Comply With New Health Data Breach Regulations | Corporate Compliance, Data Security, Disease Management, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Privacy, Protected Health Information | Tagged: Corporate Compliance, Employee Benefits, Employer, Employers, Employment, ERISA, GINA, Health Care Reform, Health Insurance, Health Plans, Human Resources, Insurance, Insurer, Internal Controls, Managed Care, Medical Coverage, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23

August 24, 2009

Employer and other health plans, health care providers, health clearinghouses and their business associates must start complying with new federal data breach notification rules on September 23, 2009.

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information.The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9 2009 from Noon to 1:30 P.M. Central Time.

HITECH Act Data Breach and Unsecured PHI Rules

Published in the August 24, 2009 Federal Register, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 23, 2009.

Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.

Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.

For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act. Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act. Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance.

Read the Breach Regulation here . To review the HITECH Act Breach Notification Guidance and Request for Information, see here .

Register For September 9, 2009 “HITECH Act Health Data Security & Breach Update”

Interested persons are invited to register here now to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201. For questions or other information about this program, e-mail here.

Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:

Who must comply
What your organization must do
How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
What is considered a breach of unsecured protected health information
What steps must a covered entity take if a breach of unsecured protected information happens
What liabilities do covered entities face for non-compliance
What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
Other recent developments
Practical tips for assessing, planning, moving to and defending compliance
Participant questions
More

About The Presenter

The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer. Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts.

Past Chair of the ABA Health Law Section Managed Care & Insurance Section and currently the Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Section and a Council Representative of the ABA Joint Committee On Employee Benefits, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters. A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

Comments Off on Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23 | ARRA, Corporate Compliance, Data Security, Employee Benefits, Employers, ERISA, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Preemption, Privacy, Protected Health Information, Risk Management, Stimulus Bill, Tax | Tagged: Corporate Compliance, Data Security, Employee Benefits, Employer, Employers, Employment, ERISA, GINA, Health Care Reform, Health Insurance, Health Plans, HealthP Plans, Human Resources, Insurance, Insurer, Internal Controls, Internal Investigations, Labor, Managed Care, Medical Coverage, Privacy, Risk Management, Subsidy Bill, Tax | Permalink
Posted by Cynthia Marcotte Stamer

House Democratic Majority Hopes To Iron Out Differences In Key Health Care Reform Legislation During August Recess

August 4, 2009

Democratic Leaders in the House of Representatives plan to hammer out differences three versions of the America’s Affordable Health Choices Act (H.R. 3200) as separately passed by three key House Committees in July before House members return from their August recess in hopes of bringing the agreed to version of H.R. 3200 to the full house in September. Each version of H.R. 3200 would impose significant new obligations, regulations and costs on employers, health insurers and health plans, and employees.

After negotiating a last minute pre-August recess deal with certain Blue Dog Democrat Committee members, the House Energy and Commerce Committee on July 31, 2009 passed its version of H.R. 3200, the America’s Affordable Health Choices Act (H.R. 3200). The version of H.R. 3200 passed by the House Energy and Commerce Committee incorporates a series of amendments to the language of H.R. 3200 as originally introduced. For instance, this version of H.R. 3200 provides incentives for states to adopt certain tort reforms, provides for a public plan option that would reimburse physicians based on negotiated rates rather Medicare rates, and would allow states to offer both state-based heath insurance exchanges and health insurance co-ops. To review H.R. 3200 as amended by the House Energy and Commerce Committee, see here.

The approval by the Energy and Commerce Committee of its version of H.R. 3200 follows the July 17, 2009 approval by the House Ways and Means Committee and Education and Labor Committee of their own versions of H.R. 3200. For details on the version of H.R. 3200 approved by the House Ways and Means Committee, see here. For details on the version of H.R. 3200 approved by the House Education and Labor Committee, see here.

Leading House Democrats have announced their intention to work to resolve differences between these three versions of H.R. 3200 as passed by these Committees during August recess in hopes of bringing the agreed to version of H.R. 3200 to a vote of the full House of Representatives in September.

Meanwhile, House members from both parties also generally are using the August recess as an opportunity to reconnect with local constituents on health care reform and other core issues.

For More Information

The author of this article, Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising and assisting employers and other health plan sponsors, insurers and others about health benefit and other benefits, human resources and health care matters. The current Chair of the American Bar Association Real Propoerty, Probate & Trust Section Employee Benefit Plans and Other Compensation Committee and former Chair of the ABA Health Law Section Managed Care & Insurance Group, she regularly advises these and other clients about the design, administration, defense and regulation of health benefit, wellness and disease management, managed care, onsight wellness, and other benefit and insurance regulations, legislative and regulatory reforms impacting these and other arrangements, and related matters.

We hope that this information is useful to you. If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.

We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on Linkedin, registering to receive these updates here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to cstamer@cttlegal.com. If you prefer not to receive these updates via e-mail in the future, e-mail your request with “remove” in the subject to support@solutionslawyer.net.

Comments Off on House Democratic Majority Hopes To Iron Out Differences In Key Health Care Reform Legislation During August Recess | Disease Management, Employee Benefits, Employers, ERISA, Health Care Reform, Health Plans, Insurance, Malpractice, Preemption, Privacy, Public Policy, Tax, Wellness | Tagged: Employee Benefits, Employer, Employers, Employment, ERISA, Health Care Reform, Health Insurance, Health Plans, Human Resources, Insurance, Insurer, Managed Care, Medical Coverage, Tax | Permalink
Posted by Cynthia Marcotte Stamer

HHS Reassignment Of HIPAA Enforcement Duties Signals Rising Seriousness of Enforcement Commitment

August 3, 2009

The Department of Health & Human Services (HHS) today (August 3, 2009) transferred authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights (OCR). Prior to this announcement, responsibility for interpretation and enforcement of the Security Rule rested with the Centers for Medicare & Medicaid Services (CMS). The change reflects the growing seriousness of HHS and others about enforcing federal privacy and data security mandates for health information. HHS anticipates the transfer of authority will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.

HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. OCR has been responsible for enforcement of the Privacy Rule since 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.

Through a separate delegation, CMS continues to have authority for administration and enforcement of the HIPAA Administrative Simplification regulations, other than privacy and security of health information.

The transfer of Security Rule enforcement authority comes as guidance about new data breach rules for electronic protected health information is impending. This impending guidance relates to the implementation of new breach notification rules for covered entities and their business associates concerning their obligation to use of technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by amendments to HIPAA enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February. OCR officials have stated that they are working to publish the next set of regulations regarding these new breach notifications before the end of August, 2009.

In addition to adding the breach notification requirements, the HITECH Act also tightened the HIPAA mandates in several other respects. Among other things, it amended HIPAA to:

Broaden the applicability of the HIPAA’s Privacy Rules and penalties to include business associates;
Clarify that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
Increase criminal and civil penalties for HIPAA Privacy Rules violators;
Allow State Attorneys General to bring civil damages actions on behalf of certain state citizens who are victims of HIPAA Privacy and Security Rule violations;
Modify certain HIPAA use and disclosure and accounting requirements and risks;
Prohibits sales of PHI without prior consent;
Tighten certain other HIPAA restrictions on uses or disclosures;
Tighten certain HIPAA accounting for disclosure requirements;
Clarify the definition of health care operations to excludes certain promotional communications; and
Expand the Business Associates Agreement Requirements.

These and other developments make it imperative HIPAA covered entities and their business associates take prompt action to immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

For more information about today’s announcement, see here. See here for the initial guidance and request for comments issued by HHS regarding these new security standards.

Chair Elect of the American Bar Association RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, and Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice, Cynthia Marcotte Stamer is nationally and internationally recognized for her work assisting businesses, employee benefit plan fiduciaries and vendors, governments, and other entities to develop administer and defend cost-effective employee benefit other human resources programs, policies and procedures to meet their budgetary, risk management and compliance and other objectives. Board certified in Labor & Employment law, Ms. Stamer applies her extensive experience regarding employment, employee benefit, tax, privacy and data security and other related laws to assists clients in a wide range of business and litigation contexts. The co-founder of the Solutions Law Consortium, Ms. Stamer also makes extensive use of cloud computing and other technology in her own practice and provides input to human resources and other clients others about the use of these and other technology tools to manage employee benefit, human resources, internal controls and other operations. In connection with this work, Ms. Stamer has works, writes and consults extensively with a diverse range of clients about the development, use technology and other processes to streamline health and other benefit, payroll and other human resources, employee benefits, tax, compliance and other business processes and the management and protection of sensitive personal and other information and data.

If your organization or employee benefit plan needs assistance managing or evaluating options or responsibilities associated with the use of technology and data in connection with its health care, employee benefits, tax or other operation or other human resources, employee benefits or and compliance concerns, please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402; or your favorite Curran Tomko Tarski, LLP attorney. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi, LLP team, see here.

More Information & Resources

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here /the Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press HR & Benefits Update distributions here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

Comments Off on HHS Reassignment Of HIPAA Enforcement Duties Signals Rising Seriousness of Enforcement Commitment | Employee Benefits, HIPAA, Human Resources, Insurance, Internal Controls, Privacy | Tagged: Employee Benefits, Employer, Employers, ERISA, GINA, Health Care Reform, Health Insurance, Health Plans, HIPAA, Human Resources, Insurance, Insurer, Internal Controls, Managed Care, Medical Coverage, Privacy, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

Stamer, Others To Discuss Technology Use/Risks in Employee Benefits, Tax & HR Consulting & Administration

July 29, 2009

Cynthia Marcotte Stamer will speak about “Technology Issues for Tax Attorneys and their Clients” on September 26, 2009 at the American Bar Association 2009 Fall Joint Tax Meeting in Chicago.

The September 26 program will feature a panel discussion of:

Research tools, anti-virus, encryption and other technology practice aids, tools and tricks tax practitioners;
IRS, DOL and other rules impacting opportunities for employers and employee benefit plan administrators to use electronic communications to reduce employment and employee benefit plan communication expenses;
Electronic communications with government agencies and the need to be prepared to provide electronic records for tax audits;
Expanding personal information privacy and data security considerations; and
More.

Moderated by Frank Palmieri of Palmieri & Eisenberg, Alexandria, VA, the confirmed panelists include:

Catherine Sanders Reach of the American Bar Association, Chicago, IL;
Cynthia Marcotte Stamer of Curran Tomko Tarksi LLP, Dallas, TX;
Joy M. Mercer of Joy M. Mercer, PC, Florham Park, NJ; and
Danny A. Martin, Jr. of Shell Oil Company, Houston, TX.

The session is scheduled to take place from 2:30 p.m. – 4:00 p.m. on Saturday, September 26, 2009. To register for the meeting or other details, see here.

More Information & Resources

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here /the Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press HR & Benefits Update distributions here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

Comments Off on Stamer, Others To Discuss Technology Use/Risks in Employee Benefits, Tax & HR Consulting & Administration | Employee Benefits, Employers, Employment Tax, ERISA, Health Plans, Income Tax, Internal Controls, Privacy, Professional Liability, Risk Management, Tax, Wage & Hour | Tagged: Data Security, Employee Benefit Communications, Employee Benefits, Health Care, Health Plans, Privacy, Retirement Plans, Tax, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Registration Open For June 23 Dallas HR 2009 Health Plan Eligibility Update Program

June 9, 2009

Amid soaring health care costs and tightening corporate budgets, employers and other group health plan sponsors, fiduciaries and administrations now also must update their group health plan eligibility and enrollment practices to comply with the American Recovery and Reinvestment Act of 2009 (the “Stimulus Bill”), COBRA subsidy mandates, HIPAA special enrollment rule amendments and a host of other changes to federal eligibility mandates that already have or will take effect this year. Meanwhile, employers must keep a careful watch on Congress as it considers enacting sweeping health care reforms that are likely to place more obligations on employers.

Health plan eligibility design and administration plays a critical role in controlling health benefit costs and is a leading and growing source of health plan legal risk for employers, fiduciaries and administrators. Understanding and properly managing these concerns is imperative for employers and others sponsoring or administering these programs.

Stamer Discusses Health Plan Eligibility Rules June 23

Cynthia Marcotte Stamer will explain newly effective COBRA Subsidy Rules, genetic information nondiscrimination rules and other recent and impending changes to federal health plan eligibility mandates will be explained on June 23, 2009 during a 2009 Health Plan Eligibility Update briefing hosted by the Dallas Human Resources Management Association including:

Cynthia Stamer will explain to attendees what they need to know and do about:

New Stimulus Bill COBRA Subsidy Rules and other special COBRA rules that took effect on February 17
New GINA group health plan information scheduled to take place in 2009
Changes to HIPAA special enrollment and nondiscrimination rules
Implications for group health plans based on recent changes to FMLA and USERRA regulations
Medicare, Medicaid and CHIP nondiscrimination rules
Impending college student continuation mandates
And more….

Get details or register on line here or by telephoning Dallas Human Resources Management Association at 214-631-8775.

Stamer’s Health Plan Experience Extensive

The immediate past Chair of the American Bar Association’s Managed Care & Insurance Section, Cynthia Marcotte Stamer is a highly regarded legal advisor, author and speaker recognized both nationally and internationally for her expertise in the areas of health benefits and other human resource compliance matters. Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, “Cindy” recently joined Curran Tomko Tarski, LLP as the Chair of its Labor & Employment and Health Care Practices April 1, 2009.

The Managing Editor of Solutions Law Press and an Editorial Advisory Board Member and author for Employee Benefit News and other publications, Ms. Stamer is a widely published author and popular speaker. In addition to hundreds of publications on health plan and other human resources, employee benefit and internal controls issues, Ms. Stamer is the author of the “Health Plan Eligibility Toolkit.” Her work has been featured and published by the American Bar Association, BNA, SHRM, World At Work, Employee Benefit News and the American Health Lawyers Association. Her insights on human resources risk management matters have been quoted in The Wall Street Journal, the Dallas Business Journal, Managed Care Executive, HealthLeaders, Business Insurance, Employee Benefit News and the Dallas Morning News.

Ms. Stamer also serves in a number of professional leadership roles including the leadership council of the ABA Joint Committee on Employee Benefits, Vice Chair of the ABA Real Property, Probate & Trust Section and Employee Benefits & Compensation Group.

Cynthia Marcotte Stamer and other members of Curran Tomko and Tarski LLP are experienced with advising and assisting employers with these and other health plan and other employee benefit, labor and employment, compensation, and internal controls matters. If your organization needs assistance with assessing, managing or defending its wage and hour or other labor and employment, compensation or benefit practices, please contact Ms. Stamer via e-mail here, or by calling (214) 270-2402. For additional information about the experience, services, publications and involvements of Ms. Stamer specifically or to access some of her many publications, see here, For more information and other members of the Curran Tomko Tarksi, LLP team, see the Curran Tomko Tarski Website.

We hope that this information is useful to you. For additional information about the experience, services, publications and involvements of Ms. Stamer specifically or to access some of her many publications, see here, For more information and other members of the Curran Tomko Tarksi, LLP team, see the Curran Tomko Tarski Website.

You can register to receive future updates and information about upcoming programs, access other publications by Ms. Stamer and access other helpful resources here. If you or someone else you know would like to receive updates about developments on these and other human resources and employee benefits concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. If you would prefer not to receive these updates, please send a reply e-mail with “Remove” in the subject line to support@SolutionsLawyer.net. You also can register to participate in the distribution of these updates by registering to participate in the Solutions Law Press HR & Benefits Update Blog here.

Comments Off on Registration Open For June 23 Dallas HR 2009 Health Plan Eligibility Update Program | Absenteeism, ADA, COBRA, Disease Management, Employee Benefits, Employers, Employment Tax, ERISA, family leave, GINA, Health Care Reform, Health Plans, Human Resources, Income Tax, Insurance, Internal Controls, medical leave, Military Leave, Privacy, Risk Management, Stimulus Bill, Tax | Tagged: ADA, COBRA, Corporate Compliance, Disability Discrimination, Employee Benefits, Employer, Employers, Employment, Employment Agreements, ERISA, Health Insurance, HealthP Plans, Human Resources, Insurance, Insurer, Internal Controls, Labor, Managed Care, Medical Coverage, Military Leave, Occupational Injury, Premium Subsidy, Risk Management, Stimulus Bill, Subsidy Bill, Tax | Permalink
Posted by Cynthia Marcotte Stamer

New GINA Health Plan Nondiscrimination Rules Effective For Plan Years Beginning On or After Today

May 21, 2009

New restrictions on the collection, use and disclosure of genetic information applicable to employer and union-sponsored group health plans enacted under Title I of the Genetic Information Nondiscrimination Act of 2008, Public Law No. 110-233 (GINA) for group health plan years that begin on or after today (May 21, 2009). For non-calendar year plans with plan years beginning between June 1 and December 1, the effective date occurs on first day of their 2009 plan year. For example, the effective date will be June 1, 2009 for a plan with a 2009 plan year that begins June 1. For calendar year plans, the compliance deadline is January 1, 2010. All employer-sponsored group health plans are required to comply with GINA. There are no small group exceptions.

GINA In A Nutshell

GINA amended federal law to include specific prohibitions against certain discrimination based on genetic information by group health plans and health insurers (Title I) and to prohibit discrimination based on genetic information by employers of 15 or more employees (Title II).

Meanwhile, employers, unions and others face their own new prohibitions against genetic information based employment discrimination added by Title II of GINA, which take effect November 21, 2009. The Equal Employment Opportunity Commission (EEOC) published proposed regulations interpreting Title II of GINA in March, 2009.

Broad Definition of “Genetic Information”

The broad range of information included within GINA’s broad definition of “genetic information” means its new restrictions have a sweeping reach when applied to most group health plans. GINA defines “genetic information to include with respect to any individual, information about:

Such individual’s genetic tests;
The genetic tests of family members of such individual; and
The manifestation of a disease or disorder in family members of such individual.

GINA also specifies that any reference to genetic information concerning an individual or family member includes genetic information of a fetus carried by a pregnant woman and an embryo legally held by an individual or family member utilizing an assisted reproductive technology.

Pending issuance of regulatory guidance, GINA’s inclusion of information about the “manifestation of a disease or disorder in family members” raises potential challenges for a broad range of group health plan health assessment and other wellness and disease management programs which provide financial incentives or condition eligibility on the provision of family health histories or other information that could be construed as genetic information.

Group Health Plan Genetic Testing Collection and Nondiscrimination Rules

Under GINA’s nondiscrimination rules, group health plans and health insurers may not:

Request, require or purchase genetic information for underwriting purposes or in advance of an individual’s enrollment;
Adjust premiums or contribution amounts of the group based on genetic information;
Request or require an individual or family member to undergo a genetic test except in limited situations specifically allowed by GINA;
Impose a preexisting condition exclusion based solely on genetic information, in the absence of a diagnosis of a condition;
Discriminate against individuals in eligibility and continued eligibility for benefits based on genetic information; or
Discriminate against individuals in premium or contribution rates under the plan or coverage based on genetic information, although such a plan or issuer may adjust premium rates for an employer based on the manifestation of a disease or disorder of an individual enrolled in the plan.

GINA Amendments To Health Plan Privacy Rules Under HIPAA

The HITECH Act amended and increased civil penalties for HIPAA privacy violations in many circumstances effective February 17, 2009.

Regulatory Guidance Status

As the the deadline for compliance for post May 20, 2009 plan years is rapidly approaching, however, many group health plans and their sponsors will need forward with their compliance arrangements in the absence of regulatory guidance interpreting these requirements.

The Department of Labor Employee Benefit Security Administration (EBSA);
The Internal Revenue Services (IRS), and
The Department of Health & Human Services.

While these three agencies previously published a request for public comments about issues under Title I’s provisions, see http://edocket.access.gpo.gov/2008/pdf/E8-24194.pdf, none of these three agencies as of May 20, 2009 has published interim or other regulations interpreting the GINA provisions within their scope of responsibility since the formal comments period ended December 9, 2009. Although the EBSA Spring 2009 regulatory agenda reflected it intended to publish interim regulations by today and agency officials continue to indicate they intend to publish guidance “soon,” no guidance had been published as of May 20, 2009.

Even if the agencies issue guidance by the end of May plan sponsors and administrators of group health plans with new plan years beginning in the next 60 to 90 days are expressing concern that they will have inadequate time to complete compliance arrangements. As a result, in addition to guidance about GINA’s requirements generally, some are hopeful that the guidance with include transition rules or other relief to allow more time to comply with the regulations when finally issued. Regulators as of May 20, 2009 had not given any indication that they plan or perceive that they are authorized to provide such relief.

Other Information & Resources

We hope that this information is useful to you. You can register to receive future updates and information about upcoming programs, access other publications by Ms. Stamer and access other helpful resources at CynthiaStamer.com For additional information about Ms. Stamer and her experience, see here or contact Ms. Stamer directly. If you or someone else you know would like to receive updates about developments on these and other human resources and employee benefits concerns, please be sure that we have your Currant contact information – including your preferred e-mail- by creating or updating your profile at CynthiaStamer.com. If you would prefer not to receive these updates, please send a reply e-mail with “Remove” in the subject line to support@SolutionsLawyer.net. You also can register to participate in the distribution of these updates by registering to participate in the Solutions Law Press HR & Benefits Update Blog here.

Comments Off on New GINA Health Plan Nondiscrimination Rules Effective For Plan Years Beginning On or After Today | Corporate Compliance, EEOC, Employee Benefits, Employers, GINA, Health Plans, Privacy, Risk Management, Wellness | Tagged: Corporate Compliance, Disability Discrimination, Disease Management, Employee Benefits, Employer, Employers, Employment, ERISA, GINA, Health Insurance, Health Plans, Human Resources, Insurance, Insurer, Managed Care, Medical Coverage, Risk Management, Tax | Permalink
Posted by Cynthia Marcotte Stamer

EEOC GIVES EMPLOYERS LIMITED EMPLOYER GUIDANCE ABOUT ADA ISSUES IN SWINE FLU RESPONSE

May 13, 2009

Recent concerns over the H1N1 Swine Flu (swine flu) pandemic and warnings of a possible resurgence of the swine flu pandemic or some other pandemic in the future is forcing many employers to question when concerns that an employee suffers from a contagious disease can justify the employer making inquires about the health of an employee or the exclusion of the employee from the workplace. New guidance set forth in the “U.S. Equal Employment Opportunity Commission ADA-Compliant Employer Preparedness For the H1N1 Flu Virus” (Guidance) published by the U.S. Department of Labor Equal Employment Opportunity Commission (EEOC) on May 4, 2009 provides some insights for employers about the EEOC’s perspective on these questions.

The Guidance details the EEOC’s answers to certain basic questions about when the EEOC views certain workplace preparation strategies for responding to the 2009 flu virus as compliant with the Americans with Disabilities Act (ADA). Employers considering updates to their current pandemic and infectious disease response plans are cautioned that in addition to potential ADA exposures, practices for periods after November 21, 2009 also generally must be tailored to comply with new restrictions on employer’s collection of and discrimination based on genetic information based on the Genetic Information Nondiscrimination Act of 2008 (GINA). Proposed regulations interpreting the employment provisions of GINA published by the EEOC in March 2009 do not specifically address the implications of GINA on employer planning or response to pandemic concerns.

ADA Concerns Apply To Employers Planning For & Applying Swine Flu Response

Title I of the Americans with Disabilities Act (ADA) protects applicants and employees from disability discrimination. Among other things, the ADA regulates when and how employers may require a medical examination or request disability-related information from applicants and employees, regardless of whether the individual has a disability. The Guidance confirms that the EEOC views this requirement as affecting when and how employers may request health information from applicants and employees regarding H1N1 flu virus.

Effective January 1, 2009, Congress amended the Americans with Disabilities Act pursuant to the Americans with Disabilities Act Amendments Act of 2008 (ADAAA) to change the way that the ADA’s statutory definition of the term “disability” historically has been interpreted by certain courts. The ADAAA amendments generally are intended and expected to make it easier for certain individuals to qualify as disabled under the ADA. While the Guidance announces that the EEOC intends to revise its ADA regulations to reflect the broader group of persons protected as disabled under the ADAAA amendments, it also indicates that the EEOC does not perceive that the ADAAA changes the actions prohibited by the ADA as they relate to common pandemic planning and response activities. Consequently, the Guidance states that the EEOC views the guidance in “Disability-Related Inquiries & Medical Examinations of Employees Under the ADA” published by the EEOC in 2000 and its “Enforcement Guidance: Preemployment Disability-Related Questions & Medical Examinations” published in 1995 as setting forth the governing rules for medical testing, inquires and other pandemic response planning under the ADA.

Under the ADA, an employer’s ability to make disability-related inquiries or require medical examinations is analyzed in three stages: pre-offer, post-offer, and employment.

At the first stage (prior to an offer of employment), the ADA prohibits all disability-related inquiries and medical examinations, even if they are related to the job.
At the second stage (after an applicant is given a conditional job offer, but before s/he starts work), an employer may make disability-related inquiries and conduct medical examinations, regardless of whether they are related to the job, as long as it does so for all entering employees in the same job category.
At the third stage (after employment begins), an employer may make disability-related inquiries and require medical examinations only if they are job-related and consistent with business necessity.
The ADA requires employers to treat any medical information obtained from a disability-related inquiry or medical examination (including medical information from voluntary health or wellness programs), as well as any medical information voluntarily disclosed by an employee, as a confidential medical record. Employers may share such information only in limited circumstances with supervisors, managers, first aid and safety personnel, and government officials investigating compliance with the ADA.

Employers deviating from these requirements when administering their pandemic planning or response risk disability discrimination liability under the ADA unless they otherwise can defend their action under one of the exceptions to the ADA’s disability discrimination prohibitions. When making post-offer inquiries or requiring post offer examinations or imposing other conditions for safety reasons, the Guidance and EEOC in unofficial discussions have emphasized the importance of the employer’s ability to demonstrate the job or safety relevance of the medical inquiry or examination based on credible scientific evidence such as the latest scientific evidence available from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Other than emphasizing the importance of acting appropriately in response to credible scientific evidence and pointing to preexisting guidance, the Guidance does not extensively address with specificity the circumstances under which the EEOC will view any particular action taken by an employer as defensible under the safety or other exceptions of the ADA. Likewise, the Guidance does not discuss in any details the conditions, if any, under which the EEOC would view suffering, a history of suffering or association with or exposure to swine flu as qualifying an individual as disabled or perceived to be disabled for purposes of the ADA. Consequently, employer must rely on other less specifically tailored guidance for purposes of assessing the defensibility of a proposed action on these grounds.

Planning for Absenteeism Under ADA

When planning for a possible pandemic, employers must be careful about when and how they ask employees about factors, including chronic medical conditions that may cause them to miss work in the event of a pandemic. According to the Guidance, an employer may survey its workforce to gather personal information needed for pandemic preparation if the employer asks broad questions that are not limited to disability-related inquiries. An inquiry would not be disability-related if it identified non-medical reasons for absence during a pandemic (e.g., mandatory school closures or curtailed public transportation) on an equal footing with medical reasons (e.g., chronic illnesses that weaken immunity). The Guidance includes a sample of what the EEOC views as ADA-compliant survey that could be given to all employees before a pandemic.

The Guidance also indicates that where appropriate safeguards are applied to comply with the ADA, it also may be appropriate for an employer under certain limited circumstances, to require entering employees to have a medical test post-offer to determine their exposure to the influenza virus. According to the EEOC, the ADA permits an employer to require entering employees to undergo a job relevant medical examination after making a conditional offer of employment but before the individual starts work, if all entering employees in the same job category must undergo such an examination. Thus, the Guidance reflects that the requirement by an employer as part of its pandemic influenza preparedness plan that all entering employees in the same job categories undergo the same post offer medical testing for the virus in accordance with recommendations by the WHO and the CDC in response to a new influenza virus may be ADA-compliant.

Infection Control in the Workplace Under the ADA

The Guidance also discusses the EEOC’s perceptions about the ADA implications of employer use of certain infection control practices in the workplace during a pandemic provided that the requirements are applied in a nondiscriminatory fashion consistent with the ADA. For instance, the Guidance states that employers generally may apply with following infection control practices without implicating the ADA:

Require all employees to comply with certain infection control practices, such as regular hand washing, coughing and sneezing etiquette, and tissue usage and disposal without implicating the ADA;
May require employees to wear personal protective equipment provided that where an employee with a disability needs a related reasonable accommodation under the ADA (e.g., non-latex gloves, or gowns designed for individuals who use wheelchairs), employer provides these accommodations absent undue hardship;
Encourage or require employees to telework as an infection-control strategy, based on timely information from public health authorities about pandemic conditions or offer telework as a possible reasonable accommodation.

In all cases, of course, the Guidance cautions that employers must not single out employees either to telework or to continue reporting to the workplace on a basis prohibited by the ADA or any of the other federal Equal Employment Opportunity laws.

Impending GINA Rules

As signed into law, GINA amends Title VII of the Civil Rights Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Employee Retirement Income Security Act of 1974 (ERISA), the Public Health Service Act, the Internal Revenue Code of 1986, and Title XVIII (Medicare) of the Social Security Act to implement sweeping new federal restrictions on the collection, use, and disclosure of “genetic information” by employers, employment agencies, labor organizations, joint labor-management committees, group health plans and insurers and their agents. GINA’s group health plan restrictions are scheduled to take effect May 21, 2009. The employment related genetic testing rules of GINA take affect November 21, 2009. Employers and other covered entities will need to carefully review and timely update their pandemic and other infectious disease response practices as well as their group health plan, family leave, disability accommodation, and other existing policies in light of these new federal rules.

Although EEOC has not finalized its implementing regulations for GINA yet, employers should anticipate that GINA will impact their pandemic and other related practices. The implications of GINA for employers and other entities covered by its provisions because of its broad definition of genetic information.

Under GINA, “genetic information” is defined to mean with respect to any individual, information about:

Such individual’s genetic tests;
The genetic tests of family members of such individual; and
The manifestation of a disease or disorder in family members of such individual.

Pending issuance of final regulatory guidance, Gina’s inclusion of information about the “manifestation of a disease or disorder in family members” raises potential challenges for a broad range of wellness and safety, leave, and other employment and benefit practices, particularly as apparently will reach a broader range of conditions than those currently protected under the disability discrimination prohibitions of the Americans With Disabilities Act (“ADA”).

Depending on the contemplated inquiry or practice, certain inquiries or actions intended for use as part of an employer’s pandemic preparedness or response activities could fall within the scope of GINA’s protections. For this reason, employers also should consider the potential treatment of a proposed pandemic preparation or response activity intended to be applied after GINA takes effect in light of GINA. Additionally, employers also should consider the risk that information collected under existing or previously applied pandemic or other infectious disease prevention and response activities might qualify for additional protection when GINA takes effect in November, 2009.

Other Resources

“Planning for the Pandemic” authored available at http://www.cynthiastamer.com/documents/speeches/20070530%20Pan%20Flu%20Workplace%20Privacy%20Issues%20Final%20Merged.pdf;
“Dealing With Leave & Other Workplace Fallout of Swine Flu Pandemic Response” available at http://cttlegalhr.wordpress.com/2009/05/04/dealing-with-leave-other-workplace-fallout-of-swine-flu-pandemic-response; and
“Workforce Swine Flu Pandemic Survival Preparedness Tips For Business” available at http://cttlegalhr.wordpress.com/2009/04/29/hello-world.

Comments Off on EEOC GIVES EMPLOYERS LIMITED EMPLOYER GUIDANCE ABOUT ADA ISSUES IN SWINE FLU RESPONSE | Absenteeism, ADA, Disease Management, EEOC, Employee Benefits, GINA, Health Plans, Human Resources, Internal Controls, Pandemic, Privacy, Risk Management, Swine Flu, Telecommuting | Tagged: ADA, Corporate Compliance, Disability Discrimination, Disease Management, Employee Benefits, Employers, Employment, ERISA, genetic testing, GINA, Health Insurance, Health Plans, Human Resources, Internal Controls, Labor, Light Duty, Medical Coverage, Pandemic, Risk Management, Swine Flu, Wellness | Permalink
Posted by Cynthia Marcotte Stamer

Some Sexual Harassment Policy Violations Carry Criminal Risks For Employers

May 12, 2009

The recent sentencing of a West Texas man on a child pornography conviction serves as an important reminder to employers of the need to consider the potential criminal exposures and responsibilities of their organization and its management under the Federal Sentencing Guidelines when an investigation of sexual harassment policy violations uncovers evidence that an employee may have engaged in the transmission or receipt of pornography on company computers or systems.

On May 8, 2009, U.S. District Judge Sam R. Cummings sentenced Rory Dale Worthan, of Big Spring, Texas, to 78 months in prison followed by a 30-year term of supervised release illegal possession of child pornography. Worthan pled guilty in January to one count of possession of child pornography. He admitted that on February 8, 2007, he had an image of child pornography on his computer’s hard drive that he had downloaded from the Internet. His conviction was part of a series of convictions resulting from a West Texas child pornography sting operation.

Although Worthan’s conviction related to his use of his personal computer system, statistics show that workplace access of child and other pornography during company hours is common. In fact, some studies report that 70 percent of all Web traffic to Internet pornography sites occurs between the traditional work hours of 9 a.m. and 5 p.m. See “Workplace Web Use: Give ‘em an inch …,” Douglas Schweitzer, SearchSecurity.com (Sept. 27, 2004).

While most employers already are aware of the substantial employment discrimination and sexual harassment liability exposures that employee access, possession and transmission of pornography and other sexually explicit or suggestive content can create under Title VII and other federal and state employment discrimination laws, many are unaware that the use by employees of their computers to access, store, transmit or engage in other activities involving child pornography or other sexually explicit materials also may have criminal implications for their organization under certain circumstances.

As part of broader prohibitions against activities involving the sexual exploitation of minors, for instance under the U.S. Criminal Code, Title XVIII makes the creation, receipt, transmission possession, retention, transmission and certain other activities involving child pornography or certain other visual depictions involving the use or depiction of a minor engaging in sexually explicit conduct under certain circumstances a felony under federal law.

Under the organizational provisions of the Federal Sentencing Guidelines, a business that employs an employee or agent who engages in these activities during working hours or using company systems or equipment may face vicarious liability for the wrongful criminal actions by its employee in violation of these or other federal laws where the criminal action engaged in by the employee is a Felony or Class A misdemeanor. Under such circumstances, the liability exposure of the employer generally depends upon its ability to demonstrate that it had suitable policies and procedures in place to prohibit and prevent the activity, whether it timely investigated and took appropriate measures to report the violation to federal law enforcement officials and cooperate with them in their investigation and prosecution of the offending employee and other factors.

In addition to these criminal liability risks, employers also may face exposure to civil judgments in lawsuits brought by families of children victimized by employees using employer computers or operating systems. In Doe v. XYC Corp., 887 A.2d 1156 (N.J. Super. Ct. App. Div. 2005), for example, a New Jersey appellate court ruled that an employer could be held liable in a negligence action to a victim of child pornography based on the actions of one of its employees. In Doe, the wife of an employee who used his workstation computer at work to view and circulate nude photographs of his 10-year old stepdaughter sued the employer for negligence claim. The mother claimed the employer acted negligently by failing to detect and stop her husband from using his work computer to interact with child pornography Web sites, thereby allowing him to “continue clandestinely photographing and molesting” his 10-year-old stepdaughter.

For this reason, employers who uncover evidence that an employee or agent during working hours or using company equipment or systems may have created, received, transmitted, or stored child pornography or other sexually explicit materials must take prompt action to mitigate both their civil and criminal liability exposure. In addition to taking prompt action to prevent, investigate and discipline employees and agents that violate employer policies against using or possessing sexually inappropriate materials, businesses also should promptly seek the assistance of competent legal counsel to evaluate whether the prohibited conduct violated federal child pornography or other criminal laws. Where an investigation uncovers evidence of a potential violation of such laws, employers should seek assistance of counsel experienced with both employment and white collar criminal laws about the advisability of notifying federal law enforcement officials about that evidence and the best procedures to use to make those disclosures. In addition, employers should implement reasonable procedures to prevent and minor activities that may suggest employees or others granted access to company systems may be engaging in prohibited actions and take well documented action to investigate and redress this suspected misconduct.

As the monitoring and investigation of these concerns typically will require that an employer search or monitor employee e-mail or other files, employers also should ensure that they have in place appropriate privacy disclaimer, system use and background check and investigations that empower the employer to minimize potential exposures to privacy or other employment claims by employees or others whose e-mail or other files or activities are scrutinized in connection with these activities.

Chair of the Curran Tomko LLP Labor and Employment Practice and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer regularly assists U.S. businesses to investigate and redress sexual harassment and other employment and internal controls matters. If your organization needs assistance with investigating or responding to a suspected sex discrimination or sexual harassment matter involving pornography or other suspected employee misconduct under company policies or applicable federal or state law, please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402 or your favorite Curran Tomko Tarski, LLP attorney. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarski, LLP team, see the www.cttlegal.com.

Comments Off on Some Sexual Harassment Policy Violations Carry Criminal Risks For Employers | Corporate Compliance, EEOC, Employers, Internal Controls, Internal Investigations, Privacy | Tagged: Computer Use, Corporate Compliance, Corporate Ethics, Federal Sentencing Guidelines, Internal Investigations, Pornography, Risk Management, Sex Discrimination, Sex Disriminaioin, Sexual Harassment | Permalink
Posted by Cynthia Marcotte Stamer

$50K Settlement Shows Small Breach Reports Carry Enforcement Risk

Get Up To Date On Details of New De-Identification Guidance & Other HIPAA Developments By Participating In 12/12 HIPAA Update Web Workshop

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Solutions Law Press HR & Benefits Update