Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes

February 15, 2010

Connecticut AG Lawsuit Highlights Expanding Civil Damage Exposure Risks Of Noncompliance 

By Cynthia Marcotte Stamer

By Wednesday, February 17, 2010, employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying  with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

2/17/10 Deadline To Comply With HITECH Act HIPAA Amendments

On February 17, 2010, health plans and other covered entities and their business associates will become subject to the latest to take effect in a series of amendments to the HIPAA enacted under the HITEC Act.  The new rules are part of a broader series of changes to HIPAA made by the HITECH Act that collectively both significantly expand the obligations of covered entities and their business associates to regarding the use, protection and disclosure of protected health information and the liability exposures that can result when covered entities or business associates violate these requirements.

The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects. For instance, effective February 17, 2010, the HITECH Act generally requires that covered entities and their business associates revise their written privacy policies, privacy notices and operating procedures:

  • To meet expanded requirements to honor individual’s requests for special restrictions on uses and disclosures of protected health information to health plans for payment purposes
  • To restrict protected health information disclosures to the minimum necessary required to accomplish otherwise allowable purpose;
  • To comply with new rules that require that the covered entity and its business associates treat any use, access or disclosure of any protected health information made for purposes of making communications about products or services as made for marketing, rather than operational, purposes which are prohibited by HIPAA except where HIPAA’s requirements are met;
  • To comply with new restrictions on certain fundraising communications made for operational purposes including expanded obligations to allow recipients to opt out of further fundraising communications;
  • To prohibit covered entities or business associates from selling protected health information without meeting the amended requirements of HIPAA that a valid HIPAA authorization from the subject of the information and specific reassurances from the purchaser concerning its subsequent use of the protected health information except as otherwise permitted by HIPAA;
  • To take into account these tightened restrictions on the use, access or disclosure of protected health information for purposes of complying with new HITECH Act breach notification requirements that took effect in September, 2009, which apply when a covered entity or its business associate knows or should know a breach of “unsecured protected health information” has occurred and for purposes of making the necessary changes in written policies and business associate agreements, training and operational procedures necessary to comply with these rules;
  • To directly require business associates comply with HIPAA’s requirements in the same manner as other covered entities and make it necessary or advisable that that service provider agreements between health plans and business associates be updated to reflect these and other changes to HIPAA; and
  • To implement the necessary written policy changes, notification updates, business associate agreement amendments, training, management oversight and other procedural changes necessary to demonstrate fulfillment with these requirements.

Noncompliance with these and other HIPAA requirements subjects covered entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies.  In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for covered entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act. 

Under the HITECH Act, health plans and other covered entities and their business associates have been obligated since September 23, 2009 to notify individuals who are the subject of protected health information, the Department of Health & Human Services and in some cases the media if and when a breach of “unsecured protected health information occurs. Failing to timely update written policies, procedures and training increases the likelihood that health plans, other covered entities or business associates will be obligated to provide breach notifications under these new rules, in addition to their otherwise applicable exposures under HIPAA.

HIPAA Enforcement & Liability Exposures Real and Rising

Health plans and other covered entities, their business associates and others involved in health plan design and operations generally should resist the temptation to underestimate their potential HIPAA exposure based on the limited enforcement of HIPAA by the Office of Civil Rights between 2003 and 2009 for a variety of reasons.

First, the changes taking effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law and the new breach notification requirements added by the HITECH Act that took effect on September 23, 2009. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other covered entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. 

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue health plans or other covered entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
  • Expand the mandate by the Office of Civil Rights to investigate violations and audit compliance with HIPAA;
  • Require Office of Civil Rights to impose civil sanctions against health plans and other covered entities and their business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against health plans and other covered entities, their business associates and others for violations of HIPAA;
  • Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue covered entities and business associates that violate HIPAA for civil damages.

The HITECH Act empowers a state attorney general to sue covered entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.  The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.

Even before the HITECH Act amendments, however, the Office of Civil Rights and Department of Justice already were stepping up HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, the Office of Civil Rights in February, 2009 announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed the Office of Civil Rights announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  While not resulting in the significant payments involved in CVS or Providence, the Office of Civil Rights also taken HIPAA enforcement actions against a broad range of other covered entities to redress HIPAA violations or other compliance concerns.  To review examples of these other actions, see here

Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions.  While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a covered entity’s violation of HIPAA, state courts have allowed private plaintiff’s to use the obligations imposed by HIPAA as the basis of a covered entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit.  Meanwhile, private plaintiffs employed by covered entities also are increasingly pointing to HIPAA as the basis for their retaliation claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.  Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that  fail to properly manage their HIPAA compliance obligations and risks.

Health Plans & Business Associates Should Take Timely Action To Comply & Manage Risks

As a consequence of these collective HITECH Act changes and growing HIPAA-related exposures, both health plans and business associates generally will find it necessary or advisable among other things to:

  • Conduct well-documented due diligence on each other’s practices and procedures to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are operationalized in performance;
  • Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters; and
  • Pursue appropriate liability and other protection as appropriate.

As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. 

Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that health plans and other covered entities and their business associates focus significant attention on the reworking of their operating and contractual relationships. 

Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many covered entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements.

Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

Given these changes and the associated obligations and risks, both health plans and other covered entities and their business associates generally should act quickly to manage their own compliance and to minimize exposures that may result from the other’s compliance deficiencies.  As part of these efforts, both covered entities and their business associates generally should review and tighten business associate and other service agreement provisions to provide for more specific and comprehensive HIPAA-related contractual assurances, as well as improved cooperation, coordination, management and oversight.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other related matter, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators.  As part of this work, she regularly assists clients to review and update policies, practices, contracts, notices and procedures to comply with HIPAA and other requirements.  A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

 ©2010 Cynthia Marcotte Stamer. All rights reserved.


New Labor Department Rule Allows Employers 7 Days To Deliver Employee Contributions To Employee Benefit Plans

January 14, 2010

By Cynthia Marcotte Stamer

Regulations published by the Department of Labor today (January 14, 2010) offer employers the opportunity to know their deposit of employee contributions and other amounts withheld from wages or otherwise received from employees with a pension, profit-sharing, health, or other welfare benefit plan is timely for purposes of the fiduciary responsibility requirements of the Employee Retirement Income Security Act (“ERISA”) and the prohibited transaction rules of the Internal Revenue Code (the “Code”) by depositing those amounts with the plan within the seven day period specified in a new safe harbor included in the Regulations.

Certainty about the timeliness of these deposits is important, as mishandling of these employee contributions, participant loan repayments or other employee benefit plan assets frequently triggers judgments, fines and penalties against companies that sponsor employee benefit plans as well as owners, board members, or other members of management. See Mishandling Employee Benefit Obligations Creates Big Liabilities For Distressed Businesses & Their Leaders.  Consequently, businesses sponsoring employee benefit programs and owners, officers, directors or other members of management with authority over or responsibility for the handling or application of amounts withheld or collected from employees as employee contributions or plan loans should make arrangements for these amounts to be properly handled and timely deposited with the appropriate employee benefit plan in accordance with these new plan asset regulations.

Title I of ERISA generally requires that employee benefit “plan assets” be held in trust, prudently handled and invested, used for the exclusive benefit of the plan and its participants, and otherwise used and administered in accordance with ERISA’s fiduciary responsibility rules.  Meanwhile, the use of “plan assets” of certain employee benefit plans in a manner prohibited by the Code’s prohibited transaction rules also may trigger excise taxes and other penalties.

For purposes of both ERISA and the Code, Labor Department Regulation § 2510.3-102, specifies that amounts (other than union dues) that an employer withholds from wages or otherwise collects from employees as employee contributions or loan repayments to an employee benefit plan generally become plan assets subject to these fiduciary responsibility rules “as of the earliest date on which such contributions or repayments can reasonably be segregated from the employer’s general assets.”  Since employers, business owners, members of management can risk exposure to damages, administrative penalties and/or excise taxes, knowing when amounts collected from employees are considered plan assets is a critical first step to managing these risks.

Unfortunately, the subjectivity of this standard leaves room for much uncertainty and debate about the precise deadline by which employee contributions, plan loans and other amounts from employees must be received by the plan. The subjectivity inherent in this standard leaves many employers uncertain about the adequacy of their compliance efforts and frequently fuels debate among plans, debtors, creditors, regulators or others about the when amounts earmarked to be withheld from employee wages cease to be assets of the debtor employer and become plan assets.

To mitigate debate and uncertainty about the timing of these events, Labor Department Regulation § 2510.3-102 as published in final form today includes a new “safe harbor” rule for plans with fewer than 100 participants at the beginning of the plan year. Under the safe harbor, employee contributions, plan loans and other amounts withheld from wages or received from employees for payment to an employee benefit plan are treated as treated timely paid to the plan if deposited with the plan not later than the 7th business day following the day on which such amount is received by the employer (in the case of amounts that a participant or beneficiary pays to an employer), or the 7th business day following the day on which such amount would otherwise have been payable to the participant in cash (in the case of amounts withheld by an employer from a participant’s wages).  While this safe harbor assures employers and others that withhold from wages or receive employee contributions or participant loan payments owing to less than 100 participant plans that their deposit will be considered timely if received by the plan within seven days, the plan asset regulations leave open that deposit with the plan more than 7 after receipt might still be considered timely deposit with the plan under certain circumstance. 

Where deposit with the plan is not made within the seven-day period established by the safe harbor, the plan asset rules continue to leave room for great subjectivity in the determination of the deadline for deposit.  In addition to the seven-day safe harbor, the plan asset regulations clearly establish bright-line deadlines after which the deposit of employee contribution or plan loan amounts always will be considered untimely. Thus, the plan asset rules provide that the deadline for depositing employee contributions and plan loans with the plan in no event ever extends beyond the applicable of the following dates (the “Latest Date”)

  • For pension plans, the 15th business day of the month following the month in which the employee contribution or participant loan repayment amounts are withheld or received by the employer;
  • With respect to a SIMPLE plan that involves SIMPLE IRAs the 30th calendar day following the month in which the participant contribution amounts would otherwise have been payable to the participant in cash; and
  • For health and other welfare benefit plans, 90 days from the date on which the employee contribution is withheld or received by the employer.

In all other instances, the plan asset regulations leave open to uncertainty and debate when and if an employer’s deposit of employee contributions and plan loans more than seven-days after payroll deduction or receipt but before the Latest Date will qualify as timely for purposes of ERISA Title I or the Code’s prohibited transaction provisions.

Companies and owners, officers and directors of businesses that harm plans by failing to ensure that these amounts are timely deposited into an employee benefit plan or otherwise are involved in the mishandling of these funds frequently become subject to prosecution, damage awards, civil penalties and excise taxes.  To mitigate potential exposure to these risks, businesses and leaders of businesses that withhold from wages or collect employee contributions or plan loan payments from employees should make arrangements to ensure that these amounts timely are deposited with the appropriate plans and otherwise handled appropriately in accordance with ERISA and the Code.

If your business or employee benefit plan needs assistance evaluating or responding to these or other employee benefit, or other employment, workplace health and safety, corporate ethics and compliance or other concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer. 

Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, a representative to the ABA Joint Committee on Employee Benefits Council, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, employee benefit and other personnel and staffing matters for more than 22 years. She is experienced with assisting employers, insurers, administrators, and others to design and administer group health plans cost-effectively in accordance with these and other applicable federal regulations as well as well as advising and defending employers and others against tax, employee benefit, labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators.  Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved. 


DOL Shares 2010 Regulatory Plans Monday, December 7; Get A Sneak Peek on Its Plans

December 5, 2009

Get a peek at the U.S. Department of Labor’s (DOL’s) regulatory plans for 2010 on Monday, December 10, 2009.

On Monday, Dec. 7, the DOL will release its annual regulatory agenda for the upcoming year.  The same day, it also will video cast remarks by Secretary Hilda L. Solis outlining the department’s regulatory agenda beginning at 10 a.m. EST.  From 2 to 3 p.m. EST Ssecretary Solis alsowill host a live Web chat open to the public to discuss the contents of the agenda. Questions may be submitted in advance of the chat following the video presentation. Register to join the chat on Monday here.

If your organization needs assistance with assessing, managing or defending labor and employment, compensation or benefit practices, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer or another Curran Tomko Tarski LLP attorney of your choice.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group and a nationally recognized author and speaker, Ms. Stamer is experienced with advising and assisting employers with these and other labor and employment, employee benefit, compensation, risk management  and internal controls matters. Ms. Stamer is experienced with assisting employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, and other labor and employment laws, as well as advising and defending employers and others against tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. She has counseled and represented employers on these and other workforce matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates you may have missed include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved.


Preventive HR Strategies to Minimize Post Holiday Celebration Legal Hangovers

November 30, 2009

As the 2009 Holiday Season moves into full swing, your company may want to take some common sense precautions to minimize the risk of waking up with a post-Holiday Season business liability hangover. The music, food, game playing, toasting with alcohol and other aspects of the celebratory atmosphere at holiday parties and in the workplace during the Holiday Season heighten the risk that certain employees or other business associates will engage in, or be subject to, risky or other inappropriate behavior that can create liability exposures or other business concerns for your business.

Discrimination & Sexual Harassment

Whether company-sponsored or not, holiday parties and other celebrations where employees celebrate with other employees or clients tend to fuel bad behavior by inviting fraternization, lowering inhibitions and obscuring the line between appropriate and inappropriate social and business behavior.

The relaxation of the environment heightens the risk that certain employees or clients will make unwelcome sexual advances, make sexually suggestive or other inappropriate statements, or engage in other actions that expose the business to sexual harassment or other employment discrimination liability. To minimize these exposures, businesses should take steps to communicate and reinforce company policies and expectations about sexual harassment, discrimination, fraternization and other conduct viewed as inappropriate by the company.  The company should caution employees that the company continues to expect employees and business partners to adhere to company rules against sexual harassment and other inappropriate discrimination at company sponsored and other gatherings involving other employees or business associates.  To enhance the effectiveness of these reminders, a company should consider providing specific guidance about specific holiday-associated activities that create heightened risks.  For instance, a business that anticipates its employees will participate in white elephant or other gift exchanges involving other employees or business associates may wish to specifically include a reminder to exercise care to avoid selecting a gift that may be sexually suggestive or otherwise offensive.  Businesses also may want to remind employees that the company does not expect or require that employees submit to unwelcome sexual or other inappropriate harassment when participating in parties or other social engagements with customers or other business partners. 

Businesses also should use care to manage other discrimination exposures in the planning of holiday festivities, gift exchanges, and other activities.  Exercise care to ensure that business connected holiday parties, communications, gifts and other December festivities reflect appropriate sensitivity to religious diversity.  Businesses also should be vigilant in watching for signs of inappropriate patterns of discrimination in the selection of employees invited to participate in company-connected social events as well as off-duty holiday gatherings sponsored by managers and supervisors.

Alcohol Consumption

The prevalence of alcohol consumption during the Holiday Season also can create a range of business concerns.  Most businesses recognize that accidents caused by alcohol intoxication at work or work-related functions create substantial liability exposures both to workers and any third parties injured by a drunken employee.  Businesses also may face “dram shop” claims from family members or other guests attending company sponsored functions injured or injure others after being allowed to over-imbibe.  To minimize these risks at company-sponsored events, many companies elect not to serve or limit the alcohol served to guests at company sponsored events.  To support the effectiveness of these efforts, many businesses also choose to prohibit or restrict the consumption of guest provided alcohol at company events.

Businesses concerned with these liability exposures should take steps to manage the potential risks that commonly arise when employees or clients consume alcohol at company sponsored events or while attending other business associated festivities. Businesses that elect to serve alcohol at company functions or anticipate that employees will attend other business functions where alcohol will be served need to consider the potential liability risks that may result if the alcohol impaired judgment of an employee or other guest causes him to injure himself or someone else.  Any company that expects that an employee might consume alcohol at a company sponsored or other business associated event should communicate clearly its expectation that employees not over-imbibe and abstain from driving under the influence.  Many businesses also find it beneficial to redistribute information about employee assistance programs (EAPs) along with this information.  You can find other tips for planning workplace parties to minimize alcohol related risks on the U.S. Department of Labor’s website here.

When addressing business related alcohol consumption, many businesses will want to consider not only alcohol consumption at business related events as well as potential costs that may arise from off-duty excess alcohol consumption. Whether resulting from on or off duty consumption, businesses are likely to incur significant health and disability related benefit costs if an employee is injured in an alcohol-related accident.  Furthermore, even when no injury results, productivity losses attributable to excess alcohol consumption, whether on or off duty, can prove expensive to business.  Accordingly, virtually all businesses can benefit from encouraging employees to be responsible when consuming alcohol in both business and non-business functions.

Businesses also may want to review their existing health and other benefit programs, liability insurance coverage and employment policies to determine to ensure that they adequately protect and promote the company’s risk management objectives.  Many health and disability plans incorporate special provisions affecting injuries arising from inappropriate alcohol use as well as mental health and alcohol and drug treatment programs.  Similarly, many businesses increasingly qualify for special discounts on automobile and general liability policies based upon representations that the business has in effect certain alcohol and drug use policies.  Businesses can experience unfortunate surprises if they don’t anticipate the implications of these provisions on their health benefit programs or liability insurance coverage. Reviewing these policies now to become familiar with any of these requirements and conditions also can be invaluable in helping a business to respond effectively if an employee or guest is injured in an alcohol-related accident during the Holiday Season.

Concerned employers may want to listen in on the “Plan Safe Office Parties this Holiday Season” seminar that the National Safety  Council plans to host on December 9, 2009 from 10:30 a.m. -11:30 a.m. Central Time. For more information or to register call (800) 621-7619 or see here.

Gift Giving & Gratuities

The exchange of gifts during the Holiday Season also can raise various concerns. As a starting point, businesses generally need to confirm that any applicable tax implications arising from the giving or receiving of gifts are appropriately characterized and reported in accordance with applicable tax and other laws.  Government contractors, health industry organizations, government officials and other entities also frequently may be required to comply with specific statutory, regulatory, contractual or ethical requirements affecting the giving or receiving of gifts or other preferences.  In addition to these externally imposed legal mandates, many businesses also voluntarily have established conflict of interest, gift giving or other policies to minimize the risk that employee loyalty or judgment will be comprised by gifts offered or received from business partners or other outsiders.   Businesses concerned about these and other issues may want to review the adequacy of current business policies affecting gifting and adopt and communicate any necessary refinements to these policies.  To promote compliance, businesses also should consider communicating reminders about these policies to employees and business associates during the Holiday Season. Even a simple e-mail reminder to employees that the company expects them to be familiar with and comply with these policies can help promote compliance and provide helpful evidence in the event that an employee engages in an unauthorized violation of these rules.

Performance, Attendance & Time Off

Businesses also commonly face a range of attendance and productivity concerns during December.  The winter cold and flu season and other post-celebration illnesses, vacations, and winter weather inevitably combine to fuel a rise in absenteeism in December. Managing staffing needs around the legitimate requests for excused time off by employees presents real challenges for many businesses.  Further complications can arise when dealing with employees suspected of mischaracterizing the reason for their absence or otherwise gaming the company’s time off policies.  Meanwhile, performance and productivity concerns also become more prevalent as workers allow holiday shopping, personal holiday preparations, and other personal distractions to distract their performance.  Businesses concerned with these challenges ideally will have in place well-designed policies concerning attendance, time off and productivity that comply with the Fair Labor Standards Act and other laws. Businesses should exercise care when addressing productivity and attendance concerns to investigate and document adequately their investigation before imposing discipline. Businesses also should ensure that their policies are appropriately and even-handedly administered.  They also should exercise care to follow company policies, to maintain time records for non-exempt workers, to avoid inappropriately docking exempt worker pay, and to provide all required notifications and other legally mandated rights to employees taking medical, military or other legally protected leaves. In the event it becomes necessary to terminate an employee during December, careful documentation can help the business to defend this decision.  Furthermore, businesses should be careful to ensure that all required COBRA notifications, certificates of creditable coverage, pension and profit-sharing notice and distribution forms, and other required employment and employee benefit processes are timely fulfilled.

Timely Investigation & Notification

Businesses faced with allegations of discrimination, sexual harassment or other misconduct also should act promptly to investigate any concerns and if necessary, take appropriate corrective action.  Delay in investigation or redress of discrimination or other improprieties can increase the liability exposure of a business presented with a valid complaint and complicate the ability to defend charges that may arise against the business.  Additionally, delay also increases the likelihood that a complaining party will seek the assistance of governmental officials, plaintiff’s lawyers or others outside the corporation in the redress of his concern.

If a report of an accident, act of discrimination or sexual harassment or other liability related event arises, remember to consider as part of your response whether you need to report the event to any insurers or agencies.  Injuries occurring at company related functions often qualify as occupational injuries subject to worker’s compensation and occupational safety laws.  Likewise, automobile, employment practices liability, and general liability policies often require covered parties to notify the carrier promptly upon receipt of notice of an event or claim that may give rise to coverage, even though the carrier at that time may not be obligated to tender a defense or coverage at that time.

If your organization needs assistance with assessing, managing or defending these or other labor and employment, compensation or benefit practices, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer or another Curran Tomko Tarski LLP attorney of your choice.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group and a nationally recognized author and speaker, Ms. Stamer is experienced with advising and assisting employers with these and other labor and employment, employee benefit, compensation, risk management  and internal controls matters. Ms. Stamer is experienced with assisting employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, and other labor and employment laws, as well as advising and defending employers and others against tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. She has counseled and represented employers on these and other workforce matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates you may have missed include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved.


Proposed Chemical Facility Anti-Terrorism Bill Would Obligate Chemical Facilities To New Background Check, HR & Other Safety & Security Safeguards

November 16, 2009

“The Chemical Facility Anti-Terrorism Act of 2009” (“Act”) recently passed by the House of Representatives and awaiting Senate consideration, if enacted, will require U.S. businesses that own or operate “chemical facilities” to conduct security background checks on employees and certain other individuals and implement a detailed and expensive list of other new security processes.

By tightening the regulation of security practices at chemical facilities, Title XXI of the Act seeks to strengthen the security of chemical facilities against terroristic acts or other threats. Businesses manufacturing or handling chemicals or other substances that could cause them to be considered “chemical facilities” should carefully watch this legislation and, if appropriate, communicate any relevant input or concerns to members of the Senate promptly. 

The Act would require any facility (“chemical facility”) at which the owner or operator of the facility possesses or plans to possess at any relevant point in time a substance of concern or that that meets other risk-related criteria identified by the Secretary of Homeland Security (the “Secretary”) to implement processes and procedures that would comply with a broad range of risk-based standards established by the Secretary to ensure or enhance the security of a chemical facility against a chemical facility terrorist incident referred to in the Act as “chemical facility security performance standards” (the “Standards”). 

By their express terms and inherently as part of other requirements, the Standards would require that chemical facilities implement a host of new processes and procedures impacting on the selection, credentialing and management of employees and other service providers.  Among other things, for example, the Act would require chemical facilities to:

  • Administer a regularly updated identification system that checks the identification of chemical facility personnel and other persons seeking access to the chemical facility and that discourages abuse through established disciplinary measures;
  • Restrict access to facilities and secure site assets, systems, and technology;
  • Screen and control access to the facility and to restricted areas within the facility by screening or inspecting individuals and vehicles as they enter, measures to deter the unauthorized introduction of dangerous substances and devices that may facilitate a chemical facility terrorist incident or actions having serious negative consequences for the population surrounding the chemical facility;
  • Perform personnel surety for individuals with access to restricted areas or critical assets by conducting appropriate background checks and ensuring appropriate credentials for unescorted visitors and chemical facility personnel, including permanent and part-time personnel, temporary personnel, and contract personnel, including measures designed to verify and validate identity, to check criminal history, to verify and validate legal authorization to work and to identify people with terrorist ties;
  • Develop and require that employees and other member of the workforce comply with new processes, plans and procedures for preventing and responding to chemical facility terrorist incidents and other required procedures for deterring and responding to chemical facility terrorist incidents and threats of those incidents; and
  • Appoint new security officials responsible for overseeing and administering compliance under the Act.

Beyond these and other specific staffing requirements, the Act also would require chemical facilities implement, retrain and require that members of its workforce comply with a broad range of new procedures required under the Standards, including procedures to:

  • Deter chemical facility terrorist incidents through visible, professional, well-maintained security measures and systems, including security personnel, detection systems, barriers and barricades, and hardened or reduced value targets;
  • Deter theft or diversion of a substances of concern, insider sabotage, cyber sabotage, unauthorized onsite or remote access to critical process controls; and other critical product elements, data or systems; and
  • Comply with a host of other mandates.

As part of some of these required procedures, chemical facilities could expect to be required to adopt and train employees on their specific roles or responsibilities for deterring or responding to a chemical facility terrorist incident

Furthermore, the oversight and enforcement powers granted to the Secretary under the also would create a host of new employer retaliation and whistleblower exposures.  The Act would prohibit employer retaliation, implement new whistleblower safeguards and remedies and grant the Secretary the right to offer non-supervisory employees the opportunity to confidentially communicate information relevant to the employer’s compliance or non-compliance of the chemical facility with the Act or its implementing regulations;  It also would grant “an employee representative of each certified or recognized bargaining agent at the covered chemical facility, if any, or, if none, a non-supervisory employee … the opportunity to accompany the Secretary during a physical inspection of such covered chemical facility for the purpose of aiding in such inspection, if representatives of the owner or operator of the covered chemical facility will also be accompanying the Secretary on such inspection.”

These and other provisions could impose significant new burdens, costs and liabilities on businesses considered to be operating chemical facilities.  Since the precise list of businesses likely to fall within that definition would be decided by the Secretary, businesses in manufacturing, energy, pharmaceutical, or other industries that could fall within the scope of this definition should evaluate the potential implications and if appropriate, communicate any relevant input to Congress.

If you have questions about or need assistance with evaluation and responding to the provisions of the Act or any other employment, compensation, employee benefit, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is experienced with assisting employers and others about compliance with federal and state equal employment opportunity, compensation and employee benefit, workplace safety, and other labor and employment, as well as advising and defending employers and others against tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, employee benefit and other personnel and staffing matters for more than 20 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved. 


EEOC Prepares To Broaden “Disability” Definition Under ADA Regulations

September 18, 2009

Proposed regulations modifying existing Equal Employment Opportunity Commission (EEOC) rules concerning the conditions that an individual must meet to qualify as having a “disability” for purposes of claiming protection under the Americans with Disabilities Act (ADA) are expected to be published in the Federal Register the week of September 21, 2009.

On September 16, 2009, the EEOC announced that Commissioners had approved a Notice of Proposed Rulemaking (Proposed Regulation) which would make several significant changes to the its current regulatory definition of the term “disability” for purposes of the ADA.  The EEOC announced this week that the Proposed Regulation is expected to be published in the Federal Register the week of September 21, 2009.  Interested persons will have 60 days from the publication date of the Proposed Rule to submit comments to the EEOC concerning the Proposed Regulation.

Why The Change?

The proposed changes are intended to respond to amendments enacted under the ADA Amendments Act (ADAAA), which took effect January 1, 2009.   Enacted on September 25, 2008, the ADAAA made a number of significant changes to the definition of “disability” in the ADA as well as directed EEOC to amend its existing ADA regulation to reflect the changes made by the ADAAA.

The ADAAA amendments to the ADA definition of “disability” make it easier for certain individuals alleging employment discrimination based on disability to establish disability status under the ADA’s definition of “disability” by overruling various Supreme Court holdings and portions of EEOC’s existing ADA regulations considered by many members of Congress as too narrowly applying the definition of “disability.”  

While the ADAAA retains the ADA’s basic definition of “disability” as an impairment that substantially limits one or more major life activities, a record of such an impairment, or being regarded as having such an impairment, provisions of the ADAAA that took effect on January 1, 2009 change the required interpretation of these terms.  Under the ADAAA, “major life activities” now include both many activities that the EEOC has recognized (e.g., walking) as well as activities that EEOC has not specifically recognized (e.g., reading, bending, and communicating), as well as major bodily functions (e.g., “functions of the immune system, normal cell growth, digestive, bowel, bladder, neurological, brain, respiratory, circulatory, endocrine, and reproductive functions”). 

In addition to these clarifications, the ADAAA also broadens the reach of the ADA’s definition of “disability” in various other respects.  For instance, the ADAAA:

  • Asserts that mitigating measures other than “ordinary eyeglasses or contact lenses” shall not be considered in assessing whether an individual has a disability;
    Clarifies that an impairment that is episodic or in remission is a disability if it would substantially limit a major life activity when active;
  • Changes the definition of “regarded as” so that it no longer requires a showing that the employer perceived the individual to be substantially limited in a major life activity, and instead says that an applicant or employee is “regarded as” disabled if he or she is subject to an action prohibited by the ADA (e.g., failure to hire or termination) based on an impairment that is not transitory and minor; and
  • Provides that individuals covered only under the “regarded as” prong are not entitled to reasonable accommodation.

As part of the required implementation of its provisions, the ADAAA also mandates that the EEOC revise that portion of its existing regulations defining the term “substantially limits” and “major life activities” to comport to the changes enacted by the ADAAA.  In response to this statutory direction, the Proposed Regulation to be published next week proposes changes both to the ADA regulation itself and to the Interpretive Guidance (also known as the Appendix) that was published at the same time as the original ADA regulation. See 29 C.F.R. section 1630.  The Appendix provides further explanation from the EEOC on how its ADA regulations should be interpreted.

About The New Guidance and Proposed Regulations

In anticipation of the publication of the Proposed Regulation, the EEOC on September 16, 2009 sought to provided a peek into its new post-ADAAA construction of the ADA definition of disability by releasing its “Questions and Answers on the Notice of Proposed Rulemaking for the ADA Amendments Act of 2008” Questions and answers on the Notice of Proposed Rulingmaking for the ADA Amendments Act of 2008 (the “Q&As”). 

The Q&As and other EEOC statements released this week indicate that the Proposed Regulation will emphasize that the definition of disability — an impairment that poses a substantial limitation in a major life activity — must be construed broadly. It will provide that that major life activities include “major bodily functions;” that mitigating measures, such as medications and devices that people use to reduce or eliminate the effects of an impairment, are not to be considered when determining whether someone has a disability; and that impairments that are episodic or in remission, such as epilepsy, cancer, and many kinds of psychiatric impairments, are disabilities if they would “substantially limit” major life activities when active. The regulation also will provides a streamlined means through which persons claiming disability may demonstrate a substantial limitation in the major life activity of working, and implements the ADAAA’s new standard for determining whether someone is “regarded as” having a disability.

Required Response

Employers face increasing exposure to disability claims as a result of the ADAAA amendments, new genetic information nondiscrimination rules enacted under the Genetic Information Nondiscrimination Act (GINA), and a heightened emphasis on disabilities discrimination law enforcement by the Obama Administration.  In light of this rising exposure, employers and others covered by the ADA should evaluate their existing practices in light of the Q&As and make adjustments, submit comments regarding the Proposed Regulations or both as part of their efforts to manage their organization’s ADA liability exposure.  Because the ADAAA already is in effect, employers already face the possibility of being called upon to defend their hiring and employment practices under the amended ADAAA definition of disability, even though the EEOC has not issued final guidance.  For this reason, it is important that employers take timely action both to update relevant written policies and procedures, as well as to change hiring and other operational processes, conduct training, implement appropriate oversight and monitoring and take other steps to mitigate these exposures.

If you have questions about or need assistance evaluating, commenting on or responding to the  Proposed Regulations, the Q&As, or other employment, compensation, employee benefit, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is experienced with assisting employers and others about compliance with federal and state equal employment opportunity, compensation and employee benefit, workplace safety, and other labor and employment, as well as advising and defending employers and others against tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, employee benefit and other personnel and staffing matters for more than 20 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved. 


Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23

August 24, 2009

Employer and other health plans, health care providers, health clearinghouses and their business associates must start complying with new federal data breach notification rules on September 23, 2009.   

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here  in today’s Federal Register requires health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information.The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA). 

You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9 2009 from Noon to 1:30 P.M. Central Time.  

HITECH Act Data Breach and Unsecured PHI Rules 

Published in the August 24, 2009 Federal Register, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 23, 2009.

Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.

Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.  

 For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act.  Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act.  Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance. 

Read the Breach Regulation here .  To review the HITECH Act Breach Notification Guidance and Request for Information, see here .

Register For September 9, 2009  “HITECH Act Health Data Security & Breach Update”

Interested persons are invited to register here now  to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201.  For questions or other information about this program, e-mail here.

Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover: 

  • Who must comply
  • What your organization must do
  • How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
  • What is considered a breach of unsecured protected health information
  • What steps must a covered entity take if a breach of unsecured protected information happens
  • What liabilities do covered entities face for non-compliance
  • What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
  • How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
  •  Other recent developments
  • Practical tips for assessing, planning, moving to and defending compliance
  • Participant questions
  • More

About The Presenter

The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.  Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

 Past Chair of the ABA Health Law Section Managed Care & Insurance Section and currently the Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Section and a Council Representative of the ABA Joint Committee On Employee Benefits, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

We hope that this information is useful to you.  If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@cttlegal.com.

©2009 Cynthia Marcotte Stamer.   All rights reserved.