The impending imposition of Transitional Reinsurance Program assessments are only one of a myriad of federal health plan rules and associated market changes affecting the design of employer- and union-sponsored health plans. But the focus should go beyond the mandates and include the allocation of fiduciary and other responsibilities, liabilities and other plan and services agreements terms. Plan sponsors and their fiduciaries historically have underappreciated the significance of these allocations or presumed that their vendor contracts allocate responsibility to the service providers, in ways that match the sales pitch. The changes in the marketplace and the law make it more important to review plans and contractual terms carefully -- even for those that have carefully reviewed and negotiated responsibilities in past contracts.

Proper understanding of the Transitional Reinsurance Program is critical for plan sponsors and their fiduciaries to ensure that they don't unintentionally assume significantly greater liability for their self-insured health plans in an attempt to design around a relatively small, by comparison, ACA assessment.

Section 1341 of the Patient Protection & Affordable Care Act (ACA) requires the establishment of the reinsurance program to provide for stabilization of funding for exchanges. Funding of the program is accomplished through amounts assessed upon insurers and self-insured plan third party administrators. ACA § 1341 accomplishes this by providing for:

• The establishment for each state of a transitional reinsurance program to stabilize premiums for coverage in the individual market from 2014 through 2016;
• The requirement that all health insurance issuers and third party administrators on behalf of self-insured group health plans pay contributions to support reinsurance payments that cover high-cost individuals in non-grandfathered plans in the individual market.

Registration is now open for a series of webinars that the Department of Health & Human Services will host on "The Transitional Reinsurance Program: Contributing Entities and Counting Methods" on July 14, July 18 and July 23, 2014, from 2:00 p.m. - 3:30 p.m. EDT. The HHS webinars will focus on reinsurance contributions including who is a contributing entity and how a contributing entity can calculate its annual enrollment count to determine reinsurance contribution amounts. The intended audience for this webinar is health insurance issuers, self-insured group health plans, third party administrators (TPAs) and administrative services-only (ASO) contractors. To register for the HHS webinar and to obtain additional information, click here.

Understanding how the Transitional Reinsurance Program assessments will be calculated is one of many critical steps in making plan design changes. When considering whether to take advantage of options for minimizing these assessments, however, employer, union and other plan sponsors need to consider whether the liability and other consequences of meeting requirements for avoidance of the assessments is warranted by the anticipated savings. While superficially it might seem desirable to avoid the payment of a few dollars per covered lives associated with the assessment, employers and other sponsoring organizations and the officers or other leadership employees involved in plan design or administration should review the effect of meeting these requirements, as well as their proposed vendor contracts and associated plan documents and communications on their personal and organizations' fiduciary and other liabilities.

To the extent that existing or expanded fiduciary liability cannot be avoided, it will be critical that the sponsor and its leadership ensure that proper steps are taken to select, credential, bond and appoint the persons who will help carry out fiduciary or other plan-related responsibilities. Additionally, most plan sponsors will want to consider exploring the availability of fiduciary liability insurance coverage to help mitigate the potential liability risks associated with plan sponsorship.

When businesses treat workers as nonemployees, yet they render services in such a way that they likely qualify as a common law employees, the businesses run the risk of overlooking or underestimating the costs and liabilities of employing those workers.

The U.S. Department of Labor's Wage and Hour Division has an ever-lengthening record of businesses subjected to expensive backpay and penalty awards because the businesses failed to pay minimum wage or overtime to workers determined to qualify as common law employees entitled to minimum wage and overtime under the Fair Labor Standards Act. 

Originally announced on Sept. 22, 2011, the VCS program as modified by Announcement 2012-45 continues to offer businesses a carrot to reclassify as employees workers who had been misclassified for payroll tax purposes as independent contractors, leased employees or other nonemployee workers. That carrot came with a stick: the IRS’ promise to zealously impose penalties and interest against employers caught misclassifying workers. And the IRS is only one of many agencies on the alert for worker misclassification exposures -- worker misclassification also affects wage and hour, safety, immigration, worker’s compensation, employee benefits, negligence and a host of other obligations. Private plaintiffs are also pursuing businesses for misclassification.

All of these exposures carry potentially costly compensation, interest and civil and in some cases even criminal penalties for the businesses and their leaders. Consequently, businesses should act prudently and promptly to address all of these risks and manage their misclassification exposures. Because most businesses uniformly classify workers as either employees or nonemployees for most purposes, business leaders must understand the full scope of their businesses’ misclassification exposures.

VCS Program offers limited relief

Worker misclassification affects a broad range of tax and non-tax legal obligations and risks well beyond income tax withholding, payroll and other employment tax liability and reporting and disclosure. A worker classification challenge or necessity determination should prompt a business to address the worker reclassification and attendant risks in other areas.

Typically, in addition to treating a worker as a nonemployee for tax purposes, a business also will treat the worker as a nonemployee for immigration law eligibility to work, wage and hour, employment discrimination, employee benefits, fringe benefits, workers' compensation, workplace safety, tort liability and insurance and other purposes.

Healthcare reform increases risks

Businesses can look forward to these risks rising when the “pay or play” employer-shared responsibility, health plan non-discrimination, default enrollment and other new rules take effect under the Patient Protection & Affordable Care Act (ACA). Given these new ACA requirements and the government’s need to get as many workers covered as employees to make them work, the IRS and other agencies are expanding staffing and stepping up enforcement against businesses that misclassify workers. Businesses must understand how workers are counted and classified for purposes of ACA and other federal health plan mandates.

ACA and other federal health plan rules decide what rules apply to which businesses or health plans based on such factors as the number of employees a business is considered to employ, their hours worked and their seasonal or other status. The ACA and other rules vary in the relevant number of employees that trigger applicability of the rule and how businesses must count workers to decide when a particular rule applies. Consequently, trying to predict the employer shared responsibility payment, if any, under Internal Revenue Code (Code) Section 4980H or trying to model the cost of any other federal health benefit mandates requires each business know who counts and how to classify workers for each of these rules. Most of these rules start with a “common law” definition of employee then apply rules to add or ignore various workers. Because most federal health plan rules also take into account ”commonly controlled” and “affiliated” businesses’ employees, businesses also may need to know their information.

For instance, when a business along with all commonly controlled or affiliated employers employs a combined workforce of 50 or more “full-time” and “full-time equivalent employees” but does not offer “affordable,” “minimum essential coverage” to every full-time employee and his dependents under a legally compliant health plan, the business generally should expect to pay a shared responsibility payment for each month that any “full-time” employee receives a tax subsidy or credit for enrolling in one of ACA’s healthcare exchanges.

If the business intends to continue to offer health coverage, it similarly will need to accurately understand which workers count as its employees for purposes of determining who gets coverage and the consequences to the business for those workers that qualify as full-time, common law employees not offered coverage.

In either case, ACA uses the common law employee test as the basis for classification, and the already significant legal and financial consequences for misclassifying workers will rise considerably when ACA gets fully implemented.

Consider relief in the full context

As part of a broad effort, the IRS is offering certain qualifying businesses an opportunity to resolve payroll liabilities arising from past worker misclassifications. The VCS Program settlement opportunity emerged in 2011.Touted by the IRS as providing “greater certainty for employers, workers and the government,” the VCS Program offers eligible businesses the option to pay just more than 1% of the wages paid to the reclassified workers for the past year. The businesses also must meet other criteria. The IRS promises not to conduct a payroll tax audit or assess interest or penalties against the business for unpaid payroll taxes for the previously misclassified workers. 

Participation was low, partly because not all businesses with misclassified workers qualified to use the program. The original criteria to enter the VCS Program required that a business:

• Be treating the workers as nonemployees;
• Consistently have treated the workers as nonemployees;
• Have filed all required Forms 1099 for amounts paid to the workers;
• Not currently be under IRS audit;
• Not be under audit by the Department of Labor or a state agency on the classification of these workers or contesting the classification of the workers in court; and
• Agree to extend the statute of limitations on their payroll tax liabilities from three to six years.

After only about 1,000 employers used the VCS Program, the IRS modified it so that employers under IRS audit, other than an employment tax audit, now qualify. The IRS also eliminated the requirement that employers agree to extend their statute of limitations on payroll tax liability.

Many employers may still view use of the VCS Program as too risky because of uncertainties about the proper classification of certain workers in light of the highly specific nature of the determination. Employers may also have concerns about the effect that use of the VCS Program might have on non-tax misclassification exposures for workers who would be reclassified under the VCS Program.

Complications

One of the biggest challenges to getting businesses to change their worker classifications is getting the businesses to accept the notion that long-standing worker classification practices in fact might not be defensible. Although existing precedent and regulatory guidance makes clear that certain long-standing worker classification practices of many businesses would not hold up, business leaders understandably often discount the risk because these classifications historically have faced little or no challenge. Even when business leaders recognize that changing enforcement patterns merit reconsideration, they may be reluctant to reclassify the workers.

The common law employment test often relies on a subjective, highly fact-specific analysis of the circumstances of the worker. The business, rather than the IRS or other agency, generally bears the burden of proving the correctness of its classification of a worker. So, a business must ensure that its decisions can withstand scrutiny under all applicable tests and must retain evidence. Businesses also should exercise special care to avoid relying on overly optimistic assessments of the facts and circumstances.

When the factual evidence creates significant questions, an employing business generally should consider reclassifying or restructuring the position. Often, it also may be desirable to incorporate certain contractual, compensation and other safeguards into the worker relationship, both to support the nonemployee characterization and to minimize future challenges and exposures.

Importance of attorney-client privilege for risk management

Because of the broad exposures arising from misclassification, business leaders generally should work to ensure that their risk analysis and decision-making discussion is positioned for protection under attorney-client privilege and attorney work product privilege. 

The interwoven nature of the tax and non-tax risks merits particular awareness by business leaders of the need to use care in deciding the outside advisers that will help in the evaluation of the risks and structuring of solutions. While appropriately structured involvement by accountants and other non-legal consultants can be a valuable tool, the blended nature of the misclassification exposures means that the evidentiary privileges that accountants often assert to help shield their tax-related discussions from discovery are likely to provide inadequate protection. For this reason, business leaders are urged to require that any audits and other activities by these non-legal consultants to evaluate or mitigate exposures be conducted whenever possible within attorney-client privilege. Accordingly, while businesses definitely should use appropriate tax advisers, they will want to first engage counsel and coordinate non-attorney advisers' activities within the protection of attorney-client privilege

Here are the 13 steps you should take now:

1. Know Your Workforce and Proper Worker Classifications

ACA decides what rules apply to which businesses or health plans based on the number of employees a business is considered to employ, their hours worked, their seasonal or other status and other relevant classification. Rules vary in the relevant number of employees that trigger applicability of the rule and how businesses must count workers to decide when a particular rule applies.

While employers historically have collected and retained the names, place of residence, family relationships, Social Security number and other information about employees, these requirements will continue to expand dramatically.

That is one of the key lessons that leaders of health plans, health care providers, health care clearinghouses ("covered entities") and their business associates should take away from the Department of Health and Human Services Office for Civil Rights (OCR)'s April 22 announcement that Concentra Health Services and QCA Health Plan of Arkansas collectively are paying $2 million under separate resolution agreements stemming from thefts of unencrypted laptops.

The agreements contain equally significant, more broadly applicable lessons about some of the specific processes, actions and documentation that OCR wants covered entities and associates to implement. They must be prepared to defend the adequacy of their Health Insurance Portability and Accountability Act (HIPAA) "culture of compliance" if they file a breach report or otherwise face a HIPAA audit or investigation from OCR.

Consequently, covered entities and their leaders should also consider using these and other resolution agreements as a road map for reviewing and tightening their management oversight and other HIPAA compliance documentation and practices generally.

Concentra Resolution Agreement

Under the Concentra Resolution Agreement, Concentra agrees to pay OCR $1.7 miliion and adopt a corrective plan to settle potential violations of the HIPAA Privacy and Security Rules and evidence their remediation of OCR’s findings.

OCR opened a compliance review of Concentra after receiving a breach report that an unencrypted laptop was stolen from its Springfield Missouri Physical Therapy Center on Nov. 30, 2011. OCR’s investigation concluded that Concentra previously had recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.

QCA Resolution Agreement

QCA’s much smaller $250,000 monetary penalty under the QCA Resolution Agreement also resulted from a breach notification of the theft of an unencrypted laptop and also requires corrective actions. OCR opened its investigation after QCA reported in February 2012 that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. OCR’s investigation revealed that while QCA encrypted its devices following discovery of the breach, QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.

To resolve OCR’s charges that it violated HIPAA, QCA agreed to the $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures substantially similar to those imposed on the Concentra Resolution Agreement to reduce the risks to and vulnerabilities of  ePHI. QCA is also required to retrain its workforce and document its continuing compliance efforts.

Lessons 

Unquestionably, encryption of laptops and other mobile device is a key takeaway of the resolution agreements against Concentra and QCA. OCR Deputy Director of Health Information Privacy Susan McAndrew made this point clear in the announcement of the agreements, stating: “Covered entities and business associates must understand that mobile device security is their obligation,” and, “Our message to these organizations is simple: Encryption is your best defense against these incidents.”

However, leaders of covered entities and business associates must not overlook the more subtle but equally important messages in these resolution agreements about the management oversight and other specific actions, documentation and other evidence that OCR may expect organizations to produce. The Concentra and QCA resolution agreements, as well as their predecessors, contain detailed information about various other processes and procedures that OCR views as necessary or helpful to compliance efforts. 

Both the Concentra and QCA agreements, as well as the Skagit County Resolution Agreement announced in March 2014, require specific attestations from an officer of the entity that she reviewed reports, made reasonable inquiry regarding their content and believes them to be accurate. These attestation requirements send a clear message that OCR views leaders as responsible for taking ownership of HIPAA compliance in the same manner as typically applies to other federal sentencing guideline compliance efforts. See HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments. In light of this, leadership of all covered entities and their business associates should evaluate the adequacy of their current management oversight and documentation in proving the “culture of compliance” expected by HIPAA.

Both resolution agreements require that Concentra and QCA conduct and document and report to OCR on a series of specific steps toward compliance. OCR requires Concentra and QCA, among other things, to conduct a "thorough risk assessment" of the potential vulnerabilities to the confidentiality, integrity and availability of all ePHI, then develop and implement a "detailed risk management plan" that addresses the identified compliance concerns, the plan and timeline for their redress and steps for monitoring and verifying that those actions are taken.

From the resolution agreements' discussion, leaders should expect that the documentation and evidence that OCR may require their organizations to produce will include:

• A detailed risk management plan that explains the strategy for implementing appropriate security measures;
• Evidence of all implemented and all planned remediation actions, along with timelines for their expected completion; compensating controls must be identified that will be in place in the interim to safeguard Concentra ePHI;
• For any changes to information technology (IT) infrastructure, software or other components, an updated risk analysis must be prepared for ePHI;
• Documentation of the encryption status of mobile and other devices and PHI; an organization must track compliance with requirements to encrypt devices containing ePHI and must require specific review and documentation that ePHI will not be used on computer or other devices that are unencrypted.
• Documentation that required workforce training is completed, along with the training materials used, the topics covered, the length of the session(s), when training session(s) were held and attestations or other documentation from individual workforce members that verifies participation, understanding and affirmation of the need to comply with HIPAA.

The resolution also suggests what OCR expects from privacy officers in terms of periodic reports about compliance with HIPAA, and some of the types of information that should be included:

• A summary of the organization’s security management process and the security measures taken during the reporting period, including, if applicable, any documentation of training related to those measures;
• A summary of the organization’s encryption efforts taken during the reporting period; and
• A summary of the organization’s security awareness training efforts taken during the reporting period.

So, leaders of covered entities or business associates should consider requiring periodic reporting to management on their organization’s ePHI and other privacy and security compliance that will produce documentation.

Because the Concentra and QCA& resolutions are only two of several existing ones, and likely will be supplemented by others, management also should ensure that resolution agreements and other guidance and developments under HIPAA are systematically reviewed and responded to in a well-documented manner.

A series of supplemental guidance issued by the Department of Health and Human Services Office of Civil Rights (OCR) in recent weeks is giving healthcare providers, health plans, healthcare clearinghouses (covered entities) and their business associates even more to do. They must review and update their policies, practices and training for handling protected health information. This is beyond bringing their policies and practices into line with OCR’s restatement and update to the Omnibus Final Rule that OCR published Jan. 25, 2013.

Covered entities generally had to be in compliance by Sept. 23, 2013, but many covered entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.

Even if a covered entity or business associate completed the updates, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against covered entities and business associates published by OCR since Jan. 1, 2014 alone:

·         HIPAA Privacy Rule and Sharing Information Related to Mental Health

·         Spanish Language Model Notices of Privacy Practices

·         CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports

·         Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS)

Beyond this 2014 guidance, covered entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule, such as:

·         HIPAA Privacy Rule: Disclosures for Emergency Preparedness - A Decision Tool

·         The HIPAA Privacy Rule and Refill Reminders and Other Communications About a Drug or Biologic Currently Being Prescribed for the Individual

·         Health Information of Deceased Individuals

·         Student Immunizations

·         Model Notices of Privacy Practices (English)

With OCR stepping up both audits and enforcement and penalties for violations, covered entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, covered entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions but should document their commitment and continuing compliance and risk-management activities, while taking well-documented, reasonable steps to encourage business associates to do the same. This documentation could help demonstrate that an organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation.   

When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws, such as: the privacy and data security requirements that often apply to personal financial information; trade secrets or other sensitive data; and judicial precedent.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates ("Covered Entities") restrict and safeguard individually identifiable health care information ("PHI") of individuals and afford other protections to individuals that are the subject of that information. The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that the Office of Civil Rights found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, Office of Civil Rights officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While the Office of Civil Rights had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating the Office of Civil Rights' HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR's interpretation and enforcement of HIPAA.

Highlights Of Changes
Among other things, the 2013 Regulations:

• revise the Office of Civil Rights' HIPAA regulations to reflect the HITECH Act's amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA's civil and criminal penalties for violating HIPAA's Privacy, Security, and Breach Notification rules;
• update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose personally identifiable health care information is breached, the Department of Health & Human Services and in some cases, the media when a breach of unsecured information happens;
• update interim enforcement guidance the Office of Civil Rights previously published to implement increased penalties and other changes to HIPAA's civil and criminal sanctions enacted by the HITECH Act
• implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose personally identifiable health care information for marketing and fundraising purposes and prohibit Covered Entities from selling an individual's health information without getting the individual's authorization in the manner required by the 2013 Regulations;
• update the Office of Civil Rights' rules about the individual rights that HIPAA requires that Covered Entities afford to individuals who are the subject of personally identifiable health care information used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic personally identifiable health care information in electronic form;
• revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of personally identifiable health care information protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
• clarifies and revises other provisions to reflect other interpretations and information guidance that the Office of Civil Rights has issued since HIPAA was passed and to make certain other changes that the Office of Civil Rights found appropriate based on its experience administering and enforcing the rules.

Covered Entities And Business Associates Must Act To Review And Update Policies And Practices
The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks. The Office of Civil Rights, even prior to the regulations, has aggressively investigated and enforced the HIPAA requirements.

The commitment of the Office of Civil Rights to enforcement most recently was demonstrated by its recent settlement with Hospice of North Idaho (HONI). On January 2, 2013, the Office of Civil Rights announced that the Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing electronic personally identifiable health care information. The Hospice of North Idaho settlement is the first settlement involving a breach of electronic personally identifiable health care information affecting fewer than 500 individuals.

While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. Rather, the Office of Civil Rights continues to roll out a growing list of enforcement actions demonstrating that the potential risks of HIPAA violations are significant and growing. See also:

• OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach
• OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks
• $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report
• HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website
• Providence To Pay $100000 & Implement Other Safeguards.

Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to decide if additional steps are necessary or advisable.

That's the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights' announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights' first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR's announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights' expectation that covered entities will properly encrypt ePHI on mobile or other devices. "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information." said Rodriguez. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

In the face of rising enforcement and fines, the Office of Civil Rights' initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights' enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients' health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.

Buyer's Obligations To Honor Seller's Collective Bargaining Obligations
Under the National Labor Relations Act, new owners of a union facility that are "successors" of the seller generally must recognize and bargain with the existing union if "the bargaining unit remains unchanged and a majority of employees hired by the new employer were represented by a recently certified bargaining agent." See National Labor Relations Board v. Burns Sec. Servs., 406 U.S. 272, 281 (1972).

In assembling its workforce, a successor employer also generally "may not refuse to hire the predecessor's employees solely because they were represented by a union or to avoid having to recognize a union." U.S. Marine Corp., 293 National Labor Relations Board 669, 670 (1989), enfd., 944 F.2d 1305 (7th Cir. 1991).

Nasaky, Inc. National Labor Relations Board Order
September's National Labor Relations Board Order requires Nasaky, Inc., the buyer of the Yuba Skilled Nursing Center in Yuba City, California, to recognize and honor collective bargaining obligations that the seller Nazareth Enterprises owed before the sale and rehire and pay backpay and interest to make whole 50 of the seller's former employees who the National Labor Relations Board determined Nasaky, Inc. wrongfully refused to hire when it took over the facility from the prior owner, Nazareth Enterprises.

Before Nasaky, Inc. bought the nursing home, many of the employees at the nursing home were represented by the Service Employees International Union, United Healthcare Workers West (Union). After Nasaky, Inc. agreed to buy the facility but before it took control of its operations, Nasaky, Inc. advertised in the media for new workers to staff the facility and told existing employees at the facility that they must reapply to have a chance of keeping their jobs under the new ownership.

When Nasaky, Inc. took operating control of the facility, facility operations continued as before with the same patients receiving the same services. The main difference was the workforce. The new staff included 90 employees in erstwhile bargaining unit positions, of which forty were former employees of the predecessor employer and fifty were newcomers. Nasaky, Inc. then took the position that the change in the workforce excused it from responsibility for recognizing or bargaining with the union or honoring the collective bargaining agreement between the union and seller Nazareth Enterprises.

When the union demanded that Nasaky, Inc. recognize the union and honor the union's collective bargaining agreement with Nazareth Enterprises, Nasaky, Inc. refused. Instead, Nasaky, Inc. notified the union that it would not allow the union on its premises, would not honor the union's collective bargaining agreement with the seller, and did not accept any of the predecessor's terms and conditions of employment. The union then filed charges with the National Labor Relations Board, charging that Nazareth Enterprises had breached its obligations as a successor under the National Labor Relations Act.

After National Labor Relations Board Regional Director Joseph F. Frankl agreed and issued a complaint, California Administrative Law Judge Gerald Etchingham found all the allegations true based on a two-day hearing. He rejected all of Nasaky's explanations for why it declined to hire most of those who had worked for the previous employer. See the Administrative Law Judge Decision. Since Nasaky, Inc did not file exceptions, the National Labor Relations Board ordered Nasaky, Inc. immediately to recognize and bargain with the union, hire the former employees and make them whole. The amount of backpay and interest is expected to approximate $1.25 million.

Managing Labor Exposures In Business Transactions
The National Labor Relations Board's order against Nasaky, Inc. highlights some of the business and operational risks that buyers and sellers can face if labor-management relations are misperceived or mismanaged in connection with business transactions. Because the existence of collective bargaining agreements or other labor obligations can substantially affect the operational flexibility of a buyer, buyers need to investigate and carefully evaluate the potential existence and nature of their obligations as part of their due diligence strategy before the transaction. A well-considered understanding of whether the structure of the transaction is likely to result in the buyer being considered a successor for purposes of union organizing and collective bargaining obligations also is very important so that the buyer and seller can properly appreciate and deal with any resulting responsibilities.

Beyond the potential duty to recognize a seller's collective bargaining obligations, buyers and sellers also should consider the potential consequences of the proposed transaction on severance, pension, health, layoff and recall and other rights and obligations that may arise. At minimum, the existence of these responsibilities and their attendant costs are likely to impact the course of the negotiations.

When a worksite is union-organized, for instance, additional obligations may arise in the handling of reductions in force or other transactions as a result of the union presence. For example, in addition to otherwise applicable responsibilities applicable to non-union affected transaction, the Worker Adjustment Retraining Act (WARN) and other plant-closing laws and/or collective bargaining agreements may impose special notification or other requirements before a reduction in force or other transaction related activities.

Similarly, the existence of collective bargaining agreements also may trigger obligations for one or both parties to engage in collective bargaining over contemplated changes in terms and conditions of employment, to provide severance, to accelerate or fund severance, benefits or other obligations, to provide continued health or other coverage, to honor seniority, recall or other rights or deal with a host of other special contractual obligations.

Where the collective bargaining arrangements of the seller currently or in the past have included obligations to contribute to a multiemployer, collectively-bargained pension or welfare plan, the buyer and seller also need to consider both the potential for withdrawal liability or other obligations and any opportunities to minimize these exposures in structuring the allocation of the arrangement. In this case, both parties need to recognize that differences exist between the federals for determining when successor liability results under the withdrawal liability rules than typically apply to other labor and employment law purposes.

While buyers and sellers often presume that the stock versus assets sale distinction that typically applies for many other legal purposes will apply, this can be an expensive mistake in the case of determining a buyer's obligation to honor the seller's collective bargaining obligations post deal. Likewise, buyers can be exposed to multiemployer successor liability from asset transactions, although it may be possible to mitigate or avoid such liabilities by incorporating appropriate representations in the sale documents or through other steps. Since these multiemployer withdrawal and contribution liabilities generally attach on a controlled group basis, both parties need to properly appreciate and address these concerns early in the transaction to mitigate their risks and properly value the transaction.

In light of these and other potential labor-related risks that may affect corporate and other business transactions, parties contemplating or participating in these transactions are urged to engage and consult with competent legal counsel with specific experience in such labor-management relations and multiemployer benefit plan matters early in the process.

Fair Labor Standards Act Wage & Hour Laws Big Business Responsibility
The Fair Labor Standards Act generally requires that an employer pay each covered employee at least the federal minimum wage of $7.25 per hour as well as time and one-half their regular rates for every hour they work beyond 40 per week. When the state minimum wage is higher than the federally mandated wage, and employees work more than 40 hours in a week calculated in accordance with applicable state laws, employees paid at the minimum permissible level are entitled to overtime compensation based on the higher state minimum wage. Time credited may be determined differently under state law versus the Fair Labor Standards Act. Employers must ensure proper crediting, recordkeeping and payment in time to meet both applicable requirements.

The Fair Labor Standards Act also requires employers to maintain accurate records of covered employees' wages, hours and other conditions of employment and prohibits employers from retaliating against employees who exercise their rights under the law. Special rules also may apply to the employment of children or other special populations.

The rules generally establish a legal presumption that a worker performing services is working as a covered employee of the recipient. Unfortunately, many businesses that receive services often unintentionally incur liability because they ill-advisedly misclassify workers as performing services as independent contractors, salaried employees or otherwise exempt by failing to recognize the implications of this presumption. The presumption that a worker is a covered employee generally means that an employer that treats a worker as exempt bears the burden of proving that a worker is not a covered employee and of keeping accurate records to show that it has properly tracked the hours of and paid each covered employee.

The Fair Labor Standards Act provides that employers who violate the law are, as a general rule, liable to employees for back wages and an equal amount in liquidated damages. State wage and hour laws also typically provide for back pay and liquidated damage awards. Attorneys' fees and other costs often also are recoverable. In certain instances where the violations are knowing, deliberate and intentional, violators often may risk criminal as well as civil liability.

Labor Department Sues Boston Hides and Furs Ltd For Knowing, Deliberate & Willful Fair Labor Standards Act Violations
The Labor Department lawsuit seeks to recover more than $1 million from Boston Hides and Furs Ltd and various company officials for allegedly engaging in knowing and deliberate violations of the Fair Labor Standards Act minimum wage, overtime and retaliation rules.

The Labor Department filed the lawsuit in federal court in the U.S. District Court for the District of Massachusetts after a Labor Department Wage & Hour Division investigation found the employer committed willful and repeated violations of the minimum wage, overtime and record-keeping provisions of the Fair Labor Standards Act including offering for shipment or sale "hot goods" produced in violation of the law during a period spanning at least three years. The suit also asserts that the company unlawfully retaliated against several workers by firing them after they cooperated with the federal investigation.

In its complaint, the Labor Department claims the investigation found that 14 Boston Hides & Furs employees worked approximately 10 hours per day, six days per week processing hides and furs for shipping to tanneries. These workers were paid a daily cash wage of $50 to $70, which amounted to an hourly pay rate far below the federal minimum wage of $7.25 per hour. The employees also were not paid time and one-half the required state minimum wage of $8 applicable for those hours worked above 40 in a week. Additionally, the defendants failed to keep adequate records of the workers' employment, work hours and pay rates, and a representative of the defendants falsely told investigators that the company's payroll records included all employees.

The lawsuit also charges that the defendants ordered employees to hide in a nearby house when Labor Department Wage and Hour Division investigators first arrived at Boston Hides & Furs so they could not be interviewed. Two days after investigators subsequently interviewed the workers, the defendants fired the workers. During their employment, Labor Department claims the workers were threatened and subjected to verbally abusive treatment on an ongoing basis, particularly when they asked about their pay rates.

In addition to back wages and liquidated damages, the Labor Department lawsuit seeks to permanently prohibit the defendants from future Fair Labor Standards Act violations — including a prohibition against shipping any goods handled by workers who were paid in violation of the law — and compensatory and punitive damages for the workers on account of their unlawful firing. The Wage and Hour Division also has assessed $100,000 in civil money penalties against Boston Hides & Furs Ltd. for willful violations of the Fair Labor Standards Act.

Overtime & Other Wage & Hour Enforcement Risks Rising
Employers increasingly risk triggering significant liability by failing to properly characterize, track and pay workers for compensable time in violation of the Fair Labor Standards Act or other laws. Unfortunately, many employers often are overly optimistic or otherwise fail to properly understand and apply Fair Labor Standards Act rules for characterizing on-call or other time, classifying workers as exempt versus non-exempt or making other key determinations.

Employers wearing rose tinted glasses when making wage and hour worker classification or compensable time determinations tend to overlook the significance of the burden of proof they can expect to bear should their classification be challenged. These mistakes can be very costly. Employers that fail to properly pay employees under Federal and state wage and hour regulations face substantial risk. In addition to liability for back pay awards, violation of wage and hour mandates carries substantial civil — and in the case of willful violations, even criminal — liability exposure. Civil awards commonly include back pay, punitive damages and attorneys' fees.

The potential that noncompliant employers will incur these liabilities has risen significantly in recent years.

Under the Obama Administration, Labor Department officials have made it a priority to enforce overtime, recordkeeping, worker classification and other wage and hour law requirements. While all employers face heightened prosecution risks, federal officials specifically are targeting government contractors, health care, technology and certain other industry employers for special scrutiny. The Labor Department is also using smart phone applications, social media and a host of other new tools to educate and recruit workers in its effort to find and prosecute violators. See, e.g. New Employee Smart Phone App New Tool In Labor Department's Aggressive Wage & Hour Law Enforcement Campaign Against Restaurant & Other Employers.

Meanwhile, private enforcement of these requirements has also soared following the highly-publicized implementation of updated Fair Labor Standards Act regulations regarding the classification of workers during the last Bush Administration. See Texas Landscaper's $106,000 In Minimum Wage & Overtime Settlement Reminds Employers To Prepare For FLSA Enforcement, Minimum Wage, Overtime Risks Highlighted By Labor Department Strike Force Targeting Residential Care & Group Homes, Review & Strengthen Defensibility of Existing Worker Classification Practices In Light of Rising Congressional & Regulatory Scrutiny, 250 New Investigators, Renewed DOL Enforcement Emphasis Signal Rising Wage & Hour Risks For Employers, and Quest Diagnostics, Inc. To Pay $688,000 In Overtime Backpay.

Employers Should Strengthen Practices For Defensibility
To minimize exposure under the Fair Labor Standards Act, employers should review and document the defensibility of their existing practices for classifying and compensating workers under existing Federal and state wage and hour laws and take appropriate steps to minimize their potential liability under applicable wages and hour laws. Steps advisable as part of this process include, but are not necessarily limited to:

• Audit of each position currently classified as exempt to assess its continued sustainability and to develop documentation justifying that characterization;
• Audit characterization of workers obtained from staffing, employee leasing, independent contractor and other arrangements and implement contractual and other oversight arrangements to minimize risks that these relationships could create if workers are recharacterized as employed by the employer receiving these services;
• Review the characterization of on-call and other time demands placed on employees to confirm that all compensable time is properly identified, tracked, documented, compensated and reported;
• Review of existing practices for tracking compensable hours and paying non-exempt employees for compliance with applicable regulations and to identify opportunities to minimize costs and liabilities arising out of the regulatory mandates;
• If the audit raises questions about the appropriateness of the classification of an employee as exempt, self-initiation of appropriate corrective action after consultation with qualified legal counsel;
• Review of existing documentation and recordkeeping practices for hourly employees;
• Exploration of available options and alternatives for calculating required wage payments to non-exempt employees; and
• Reengineering of work rules and other practices to minimize costs and liabilities as appropriate in light of the regulations.

Because of the potentially significant liability exposure, employers generally will want to consult with qualified legal counsel prior to the commencement of their assessment and to conduct the assessment within the scope of attorney-client privilege to minimize risks that might arise out of communications made in the course of conducting this sensitive investigation.