EMPLOYEE BENEFIT/EXECUTIVE COMPENSATION CHANGES MADE BY THE CARES ACT

On March 27, 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”). This historic $2 trillion relief package received bipartisan support and is part of the third wave of federal government support as the nation copes with the acute economic fallout from the coronavirus (COVID-19) pandemic. Some of the key provisions of the CARES Act that apply to health and welfare plans, educational assistance programs, retirement plans, executive compensation programs, and employment and payroll taxes are outlined below. Health and Welfare Plans Q1. What COVID-19 testing and treatment is our company’s employer-sponsored group health plan required to cover? The Families First Coronavirus Response Act (“FFCRA”) requires an employer-sponsored group health plan (including a grandfathered plan under the Affordable Care Act (“ACA”)) (a “Plan”) to provide coverage for COVID-19 diagnostic testing and services related to the diagnostic testing without any cost sharing (including deductibles, copayments, and… Continue Reading

COVID-19 EMPLOYEE BENEFIT AND EXECUTIVE COMPENSATION QUESTIONS AND ANSWERS

In light of the recent economic developments stemming from the COVID-19 pandemic, many employers are evaluating their employee benefit plans and how employee and employer costs will be impacted. The following summary provides a list of questions we have been receiving from clients over the past week, along with action items to help employers address these issues. Health and Welfare Plans and Fringe Benefits Should benefits coverage continue while an employee is on an unpaid furlough? If so, how would the employee pay the employee’s portion of the premium? Could the employee elect to drop coverage due to the reduction in hours of active service? Could the employer pay for coverage for some or all of its furloughed employees? Continued eligibility for benefits will depend on whether the employer treats the furlough as a termination of employment or as an unpaid leave of absence. The terms of the plan, including… Continue Reading

HIPAA Covered Entity Settles Breach Notification Failure with OCR for $2.175 Million

The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (“HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and other potential violations. Background OCR had investigated the Covered Entity in response to an individual complaint it received that alleged the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS… Continue Reading

Annual Increases in Civil Monetary Penalties for Violations of HIPAA Privacy and Security Rules

HHS recently issued a final rule (the “HHS Rule”) that sets out the inflation-adjusted civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The adjusted CMP amounts are applicable to HIPAA violations by a HIPAA covered entity or business associate that occur after November 2, 2015, for which a CMP is assessed on or after November 5, 2019. The HHS Rule is available here.

OCR Issues Fact Sheet on Direct Liability for Business Associates under HIPAA

HHS’s Office for Civil Rights (“OCR”), which is the government agency responsible for enforcement of the HIPAA privacy, security, breach notification, and enforcement rules (the “HIPAA Rules”), recently issued a new fact sheet (“Fact Sheet”). The Fact Sheet recaps the provisions in the HIPAA Rules for which a HIPAA business associate may be held directly liable for compliance. HIPAA business associates of an employer-sponsored group health plan, which is a “covered entity” under HIPAA, would include, for example, the health plan’s third-party claims administrator, a health plan consulting firm, a benefits broker, and the health plan’s outside legal counsel, if such persons or entities create, receive, maintain, or transmit HIPAA protected health information (“PHI”) on behalf of the health plan. The Fact Sheet clarified that OCR has authority to take enforcement action against business associates only for certain requirements and prohibitions of the HIPAA Rules as listed in the Fact Sheet,… Continue Reading

Legal Requirements Triggered by HIPAA Breach

An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such a breach occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks. Analysis of the Impermissible Acquisition, Access, Use, or Disclosure of PHI An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”… Continue Reading

OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI

In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance: A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading

$4.3 Million in Civil Monetary Penalties Awarded for Encryption Failures under HIPAA

An administrative law judge for HHS upheld an award of $4.3 million in civil monetary penalties (the “Penalties”) against a Texas-based healthcare provider for violations of the HIPAA privacy and security rules (the “HIPAA Rules”). The provider is a “covered entity” under HIPAA (“CE”), and the Penalties are the fourth largest ever awarded to the Office of Civil Rights (“OCR”), the HHS agency that enforces the HIPAA Rules, by an administrative law judge or secured via a settlement for HIPAA violations. The Penalties stemmed from an OCR investigation of the CE in response to three separate HIPAA breach reports the CE filed with OCR during 2012 and 2013 involving the theft of an unencrypted laptop computer and the loss of two unencrypted thumb drives, which resulted in the impermissible disclosure of electronic protected health information (“EPHI”) of over 33,500 individuals. OCR’s investigation found that, although the CE had written encryption… Continue Reading

Settlement of HIPAA Privacy and Security Rule Violations Costs Covered Entities $3.5 Million

HHS recently entered into a $3.5 million settlement agreement with a health care provider (the “Provider”) on behalf of five entities under its common ownership and control for violations of the HIPAA privacy and security rules. Each of the five entities constituted a “covered entity” under HIPAA. In 2013, the Provider filed five breach reports with HHS, each of which pertained to a separate incident that implicated the “electronic protected health information” (“EPHI”) of one of those covered entities. HHS’s subsequent investigation of the breaches revealed a number of violations of the HIPAA privacy and security rules, including that certain of the covered entities: Failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI; Provided unauthorized access to EPHI for a purpose not permitted by the HIPAA privacy rules; Failed to implement policies and procedures to address security… Continue Reading

Court Requires EEOC to Reconsider Wellness Program Regulations

Generally, the Americans with Disabilities Act (the “ADA”) and the Genetic Information Non-Discrimination Act (“GINA”) permit employers to offer certain wellness programs if they are “voluntary.” The EEOC issued regulations in 2016, which we discussed here, permitting wellness programs to have incentives of up to 30 percent of the cost of health plan coverage in order to align with permitted incentives under the Health Insurance Portability and Accountability Act (“HIPAA”). The AARP sued the EEOC claiming that this 30 percent limit was still coercive and was contrary to the “voluntary” requirement under the ADA and GINA. The U.S. District Court for the District of Columbia granted AARP’s motion for summary judgment, concluding that the EEOC failed to adequately explain its decision to interpret “voluntary” as permitting a 30 percent incentive level. Although governmental agencies are generally given deference, the “EEOC does not appear to have considered any factor that actually… Continue Reading
