
EMPLOYEE BENEFIT/EXECUTIVE COMPENSATION CHANGES MADE BY THE CARES ACT

On March 27, 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”). This historic $2 trillion relief package received bipartisan support and is part of the third wave of federal government support as the nation copes with the acute economic fallout from the coronavirus (COVID-19) pandemic. Some of the key provisions of the CARES Act that apply to health and welfare plans, educational assistance programs, retirement plans, executive compensation programs, and employment and payroll taxes are outlined below.

Health and Welfare Plans

Q1. What COVID-19 testing and treatment is our company’s employer-sponsored group health plan required to cover?

The Families First Coronavirus Response Act (“FFCRA”) requires an employer-sponsored group health plan (including a grandfathered plan under the Affordable Care Act (“ACA”)) (a “Plan”) to provide coverage for COVID-19 diagnostic testing and services related to the diagnostic testing without any cost sharing (including deductibles, copayments, and… Continue Reading

COVID-19 EMPLOYEE BENEFIT AND EXECUTIVE COMPENSATION QUESTIONS AND ANSWERS

In light of the recent economic developments stemming from the COVID-19 pandemic, many employers are evaluating their employee benefit plans and how employee and employer costs will be impacted. The following summary provides a list of questions we have been receiving from clients over the past week, along with action items to help employers address these issues.

Health and Welfare Plans and Fringe Benefits

Should benefits coverage continue while an employee is on an unpaid furlough? If so, how would the employee pay the employee’s portion of the premium? Could the employee elect to drop coverage due to the reduction in hours of active service? Could the employer pay for coverage for some or all of its furloughed employees?

Continued eligibility for benefits will depend on whether the employer treats the furlough as a termination of employment or as an unpaid leave of absence. The terms of the plan, including… Continue Reading

HIPAA Covered Entity Settles Breach Notification Failure with OCR for $2.175 Million

The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (“HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and other potential violations.

Background

OCR had investigated the Covered Entity in response to an individual complaint it received that alleged the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS… Continue Reading

OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI

In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance: A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading

OCR To Investigate HIPAA Breaches of Less Than 500 Individuals

The HHS Office for Civil Rights (“OCR”) recently announced an initiative to more widely investigate HIPAA privacy breaches affecting fewer than 500 individuals. Generally, all reported breaches involving 500 or more individuals are automatically investigated by OCR. Breaches involving fewer than 500 individuals will not automatically be investigated, but Regional Offices will increase efforts to investigate smaller breaches based on (1) the size of the breach, (2) theft or improper disposal of unencrypted protected health information (“PHI”), (3) breaches involving hacking, (4) the sensitive nature of the PHI involved, and (5) where numerous breach reports from the same entity raise similar issues. View additional information on OCR’s enforcement of HIPAA.

HHS Fact Sheet Provides Helpful Information in Addressing Ransomware Attacks under HIPAA

The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack.  According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware.  Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer… Continue Reading

Largest Single-Entity Settlement to Date Due to HIPAA Non-Compliance

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently entered into a $5.55 million settlement agreement with Advocate Health Care Network and its subsidiaries (“Advocate”) to resolve multiple potential violations of HIPAA involving electronic protected health information (“EPHI”). The settlement results from OCR’s investigation of Advocate which began in 2013 after Advocate submitted three breach notification reports to OCR within a three-month timespan. The reported breaches involved (1) the theft from one of Advocate’s support centers of four desktop computers containing unsecured EPHI of nearly four million individuals, (2) unauthorized access of unsecured EPHI from the computer network of Advocate’s business associate (“BA”), and (3) the theft of a laptop containing unsecured EPHI from an Advocate workforce member’s vehicle. Upon its investigation, OCR determined that Advocate failed to (a) conduct an accurate and thorough risk analysis related to its utilization of EPHI, (b) implement… Continue Reading

Two Covered Entities Settle Potential Violations of HIPAA Privacy and Security Rules For Approximately $2 Million

The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules.  Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”).  Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’ view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI,… Continue Reading
