HR Compliance Information Specialists - LegalWorkplace.com
 
 

Brought to you by the Alexander Hamilton Institute

March 10, 2009

IN THIS ISSUE:

 

1. Feature Story: HIPAA Rules Dramatically Modified By Stimulus Bill


2. Cathie's Corner: Just Because You're Paranoid Doesn't Mean There Isn't A Blacklist


3. Cell Phone Cameras Can Develop Into Legal, PR Problem

4. Free Report: Pay Discrimination Audits: Ensuring Your Organization Is Protected Against Ledbetter Complaints 

 

5. HR Soapbox: "We Like You! We Really Like You! You're Hired!"

 

 

AHI's We Couldn't Make This Up 

 

An employee of Ohio's Transportation Department whose job is to prevent discrimination repeatedly sent racist and sexist e-mails from his government e-mail account to fellow agency employees and non-state workers, reported the agency. As the equal employment opportunity contracts coordinator, it is his job to ensure that vendors with agency contracts comply with federal and state anti-discrimination laws. His actions shouldn't have come as a surprise, though. He received a verbal reprimand last year for sending an e-mail about giving jobs to women with big breasts and was suspended for 20 days without pay in 2004 for viewing sexually explicit websites at work. This time around, he was suspended with pay for 10 days and warned that another infraction could lead to termination.

Live Web Conference

How The Stimulus Bill Dramatically Changes COBRA & HIPAA Compliance For Employers 
 

Wednesday, March 18, 2009
1:00 PM to 2:30 PM Eastern
John Barlament, Esq.

 


 

The federal stimulus bill, known as the American Recovery and Reinvestment Act of 2009 (ARRA), makes dramatic changes to how employers need to administer COBRA and HIPAA.

 

Perhaps the biggest change for COBRA is that the federal government is providing a subsidy covering 65% of the COBRA premium for assistance eligible individuals.

 

For most employers, the COBRA subsidy rules took effect on March 1. Other changes require attention by April 18. 

 

HIPAA changes include new security breach notification requirements, enhanced enforcement, new rules regarding "electronic health records", and the new requirement that business associates comply with HIPAA privacy and security requirements.

Learn what steps you need to take now to get your COBRA and HIPAA policies, procedures, and documentation in compliance during this live web conference.


1. FEATURE STORY:
HIPAA RULES DRAMATICALLY MODIFIED BY STIMULUS BILL

 

The American Recovery and Reinvestment Act (ARRA) contains surprising modifications to the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security Rules. The changes are significant to all covered entities, but are most challenging for business associates, who now face a host of new requirements. Here are some of the highlights.

 

Security Rules apply directly to business associates. For the first time, business associates must comply directly with many of HIPAA's Security Rules. This will require every business associate to take several actions, including appointing a security official, developing written policies and procedures, and training its workforce on how to protect electronic protected health information (EPHI). These provisions go well beyond the previous requirements for business associates, where business associates only had to comply with the written business associate agreement.

Business associates also will need to follow HIPAA's Security Rules relating to physical safeguards (such as locking computers that contain EPHI), technical safeguards (such as encrypting emails), and the requirement to adopt written policies and procedures. Failing to do so will — for the first time — subject a business associate to civil monetary penalties and criminal penalties for each notification.

 

New security breach rules. Under current law, the breach of the privacy or security of protected health information (PHI) often does not require significant action by a covered entity or business associate. Now, a covered entity or business associate that has a specified security breach will be required to notify each individual affected by the security breach. This can involve written notification by mail or, if specified by the individual, e-mail. If the covered entity or business associate lacks current contact information, it may be required to post notice of the breach on its website or in newspapers or other broadcast media (e.g., television). For certain large breaches (involving more than 500 residents in a particular area), a "prominent media outlet" must be notified of the breach. The U.S. Department of Health and Human Services (HHS) also must be contacted, and the HHS is to establish a website listing these breaches.

 

New rules regarding electronic health records. The Act creates a new term, "electronic health record," which is an electronic record of health-related information on an individual that is "created, gathered, managed, and consulted by authorized health care clinicians and staff."

 

The Act imposes significantly more disclosure accounting requirements relating to electronic health records. Currently, a covered entity or business associate need not track its disclosures of PHI if the PHI is used to carry out treatment, payment, or health care operations. This is very helpful, because most disclosures of PHI fall into one of these exceptions, so the disclosure need not be tracked. Now, under the Act, if the disclosure of an electronic health record is for treatment, payment, or health care operations, the covered entity (and perhaps also a business associate) must maintain an accounting of such a disclosure. There is a delayed effective date for this provision, such that it will apply sometime between January 1, 2011, and January 1, 2014.

 

Prohibition on sale of electronic health records or PHI. A covered entity or business associate cannot directly or indirectly receive remuneration in exchange for any PHI unless it first obtains a valid authorization from the individual whose PHI is being disclosed.

 

Significant overhaul of civil monetary penalties. Currently, the penalty is generally $100 for each violation. This $100 amount (and its related cap of $25,000 for multiple violations) increases to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year). These changes are effective immediately.

 

In addition, state attorneys general can now bring a HIPAA enforcement action against a covered entity or business associate that violates these rules. Worse, the state attorney general can obtain attorney's fees under such an action (although the attorney's fees are discretionary and not mandatory).

 

The HHS — the main enforcer of HIPAA — now is required to conduct "periodic audits" to ensure that both business associates and covered entities are compliant with these new rules.

 

Individuals can receive compensation for breaches. The ARRA requires the HHS to establish a regulation within the next three years that provides that individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. Previously, it was difficult, if not impossible, for individuals to receive such amounts.

 

Effective date. The general effective date for the ARRA is February 2010. However, many of the provisions have varying effective dates and others have an effective date that is unclear. Business associates and covered entities should examine each provision carefully.

 

This information was reprinted with permission by Michael Best & Friedrich LLP. Sign up today for a webinar on changes to HIPAA and COBRA under the stimulus bill, featuring John Barlament, Esq., a partner with Michael Best & Friedrich. 

2. CATHIE'S CORNER:
 JUST BECAUSE YOU'RE PARANOID DOESN'T MEAN THERE ISN'T A BLACKLIST

This is going to sound like an attempt at humor. It's not. I'm very serious, and I think you should all be aware of this, if you aren't already, because in the current economy it's likely to come up more and more...

3. CELL PHONE CAMERAS CAN DEVELOP INTO LEGAL, PR PROBLEMS

In an age where cellular telephones give directions and make dinner reservations, you'd be hard-pressed to find a phone that doesn't take pictures. As convenient as they might be outside the workplace, they can become a headache for employers...

4. FREE REPORT: PAY DISCRIMINATION AUDITS: ENSURING YOUR ORGANIZATION IS PROTECTED AGAINST LEDBETTER COMPLAINTS
 

Check out the new Free Report, "Pay Discrimination Audits: Ensuring Your Organization Is Protected Against Ledbetter Complaints," which guides you in conducting a voluntary pay audit. Learn when it's okay to pay different wages to similarly situated employees, and how to adapt OFCCP non-discrimination pay guidelines to the private sector.

5. HR SOAPBOX: "WE LIKE YOU! WE REALLY LIKE YOU! YOU'RE HIRED!"

"May the best man win." Really? How often does that actually happen? Take "American Idol" — there are lots of genuinely gifted voices eliminated during the early rounds each season, while less talented singers who possess that certain je ne sais quoi move on each week towards the finals...


Copyright © 2009 by Alexander Hamilton Institute, Inc.
Employment Law Resource Center at www.legalworkplace.com
ahinewsletter@legalworkplace.com
(800) 879-2441 • 70 Hilltop Road • Ramsey, NJ 07446
 

Copyright © 2009 Alexander Hamilton Institute
Alexander Hamilton Institute, 70 Hilltop Road, Ramsey, NJ 07446
Toll-Free Phone: (800) 879-2441, Fax: (201) 825-8696