September 2009
California Labor Commissioner Greenlights Proportionate Reduction in Managers’ Hours and Compensation
In an about-face that is certain to bring much-needed relief to California employers still struggling in the present economic downturn, the California Division of Labor Standards Enforcement (the “DLSE”) issued an Opinion Letter on August 19, 2009, concluding that an employer facing economic difficulties will not violate California law by reducing the work schedules (and compensation) of managers, supervisors, and other employees who are exempt from overtime.
In an earlier opinion letter from 2002, the DLSE took the opposite position and thereby put California at odds with federal law. In that earlier opinion, the DLSE relied on an opinion from a New York district court judge (which the DLSE now views as “not well-reasoned and misguided”) and concluded that reducing an exempt employee’s salary following a corresponding reduction in hours would violate the “salary basis” test, which requires that exempt employees be paid for the entire week if they work any part of it. However, several opinion letters from the U.S. Department of Labor as well as a pair of recent federal court decisions involving Wal-Mart reflect a broader interpretation of federal law on this topic. Those opinion letters and cases reasoned that so long as an employer does not alter its employees’ salaries so frequently as to render their exempt status a “sham,” an employer does not violate the salary-basis test by effecting such changes.
The practical impact of the DLSE’s new Opinion Letter is that employers who are facing economic difficulties are free to reduce exempt employees’ work schedules and salaries as a cost-savings measure – for example, an employer may instruct some or all of its exempt employees not to come to work on Fridays and reduce their salaries by a corresponding 20 percent. Employers should note that the Opinion Letter specifies several important caveats: (1) that the employer is experiencing “significant economic difficulties”; (2) that once business conditions permit, the employer intends to restore the prior workweek and salary levels; and (3) the affected employees will still be earning a monthly salary of at least twice the state minimum wage for full-time employment. Note also that this Opinion Letter does not involve non-exempt (so-called “hourly”) employees – in the absence of an agreement to the contrary, an employer always was and remains free to reduce their hours.
Note: The information in this Alert was provided to Precept by Proskauer Rose LLP. Proskauer is an international full-service law firm with over 60 employee benefits attorneys located in offices across the United States. The information in this article is not intended as legal advice nor is it intended to provide a comprehensive review of the legal matters discussed. For more information about Proskauer, please contact Peter Marathas at (617) 526-9704 or pmarathas@proskauer.com. ©2009 Proskauer Rose LLP. All rights reserved. Used with permission.
HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information
On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively, published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning their unsecured protected health information (“PHI”). With its rule, HHS also provided guidance on securing PHI through “encryption” and “destruction” measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach.
In general, the HHS interim final rule (74 Fed. Reg. 42740, to be codified at 45 CFR pts. 160, 164) applies to HIPAA-covered entities and their business associates, while the FTC rule (74 Fed. Reg. 42962, to be codified at 16 CFR pt. 318) applies to PHR vendors, such as Google Health and Microsoft’s Health Vault, and their third-party service providers. Both rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”), the large economic stimulus bill signed into law by President Obama on February 17, 2009.
The HHS Rule
HHS issued its interim final rule pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), a part of ARRA. HITECH’s prescriptive language gave HHS little discretion in how to implement the statute. Thus, the HHS interim final rule closely mirrors the statutory language. HHS offers one major point of clarification, however, by including a “risk of harm” threshold, which allows a covered entity to consider the potential harm of a security breach to affected individuals before triggering the notification requirements. This threshold is discussed in more detail below.
The HHS rule requires HIPAA-covered entities to provide affected individuals with timely notice (i.e., no later than 60 days) upon the discovery of a breach of their “unsecured” PHI. Generally, a covered entity is subject to the HHS notification obligations when: (1) an individual’s PHI has been breached; (2) the PHI was “unsecured”; and (3) such breach poses significant risk of financial, reputational, or other harm to the individual. These elements are also discussed in more detail below.
The HHS regulations mandate that notice include certain information, including a brief description of the event that led to the breach, the specific PHI involved, and the steps affected individuals should take to protect themselves from further harm. In cases where such a breach involves more than 500 individuals, the covered entity is required to notify the media as well as the HHS Secretary. Breaches involving fewer than 500 individuals must be reported to the HHS Secretary annually. Business associates of covered entities (e.g., third-party administrators, pharmacy benefit managers) also are required to notify a related covered entity upon the discovery of a breach of unsecured PHI. The covered entity then must provide the affected persons with notice.
The existing business associate contract requirements already mandate that business associates notify covered entities of security incidents and unauthorized uses and disclosures. These requirements should be broad enough to include notification of breaches of unsecured PHI, as contemplated by HITECH and the HHS regulations. However, covered entities may wish to modify or expand these contractual notice obligations so as to ensure that covered entities can comply with the details of their regulatory obligations to notify individuals (as well as HHS and, as applicable, the media). Covered entities also may want to modify such agreements to ensure that business associates cover the costs of the required notice to individuals and media, as applicable.
Breach
A breach is generally defined as the unauthorized acquisition, access, use, or disclosure of protected health information that violates HIPAA’s Privacy Rule and compromises the PHI’s security or privacy.
HHS provides for three exceptions to the definition of “breach.” These are:
- The unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of the covered entity or business associate (e.g., a nurse mistakenly sends a billing employee an e-mail containing a patient’s PHI)
- The inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate
- Disclosures in which an unauthorized recipient would not reasonably have been able to retain the PHI (e.g., if a covered entity mistakenly sends an explanation of benefits to the wrong individual, which is then returned by the Post Office, unopened, as undeliverable)
Encryption, Destruction Guidance
Since notice must only be provided for breaches of “unsecured” PHI, there is no obligation to provide notice for breaches of “secured” PHI. To qualify as secured, a covered entity must use a technology or methodology specified by the Secretary of HHS to safeguard the PHI so that it is “unusable, unreadable, or indecipherable to unauthorized individuals.” The interim final rule repeats guidance issued by HHS in April 2009 (74 Fed. Reg. 19006). The guidance specifies the HIPAA Security Rule’s encryption standard as the appropriate methodology for safeguarding electronic PHI (as well as PHR-identifiable health information). Hard copy PHI, such as paper, film, or other media, must be shredded or destroyed so that the PHI cannot be read or otherwise reconstructed. Redaction is specifically excluded as a means of destruction.
Although HIPAA’s Security Rule requires covered entities to safeguard electronic PHI, encryption is not required; rather, encryption is one of the Security Rule standards that are characterized as “addressable” rather than “required.” Comparable alternatives, such as firewalls and access controls, are also acceptable. However, if a covered entity chooses to encrypt PHI pursuant to this new HHS guidance, the PHI shall be considered “secure” for purposes of the breach notification rule. If a breach of that encrypted PHI is later discovered, then the covered entity is not required to provide notice since the information will not be considered “unsecured.” In this sense, encryption undertaken in conformance with the HHS guidance works as a safe harbor from the breach notification requirements of the interim rule.
Risk of Harm Threshold
As mentioned above, the preamble to the interim final rule recognizes that the HITECH statute encompasses a “harm threshold,” which limits notification to situations where it is reasonably necessary. Thus, the HHS rule clarifies that unauthorized use or disclosure of PHI only constitutes a breach if it “poses a significant risk of financial, reputational, or other harm to the individual.” In order to determine if such a risk exists, covered entities and business associates are required to perform a risk assessment. This harm threshold aligns the HHS regulation with many existing state breach notification laws, where risk of harm is also a key element in triggering notice.
In performing the risk assessment mentioned above, HHS notes that covered entities should consider a number of factors, including:
- Who impermissibly used or to whom the information was impermissibly disclosed (e.g., the risk of harm is reduced if the PHI was disclosed to or used by another HIPAA-covered entity, such as a physician’s office)
- The type, amount, and sensitivity of the PHI involved (e.g., if the disclosed PHI merely included a name and the fact that the individual received services from a hospital, it would likely not constitute a significant financial or reputational risk, although it would still violate the HIPAA Privacy Rule)
- Whether the covered entity has taken immediate steps to mitigate the situation (e.g., received satisfactory assurances, through a confidentiality agreement or other similar means, that the recipient would destroy the PHI and not further compromise its privacy)
- Whether the impermissibly disclosed PHI was returned prior to being improperly accessed (e.g., a stolen laptop is recovered and forensic analysis shows the PHI was not accessed or compromised)
Covered entities and business associates must document their risk assessment process so that they can demonstrate, if necessary, that the impermissible use or disclosure did not pose a significant risk of harm to the individual. HHS also notes that any risk assessment should be fact-specific, and reminds covered entities and their business associates that “many forms of health information, not just information about sexually transmitted diseases or mental health, should be considered sensitive for purposes of the risk of reputational harm – especially in light of fears about employment discrimination.”
Effective Date
Although the HHS regulations are technically effective 30 days after publication (i.e., September 23, 2009), HHS stated it would not impose sanctions for noncompliance until February 22, 2010. This will allow covered entities and their business associates time to implement compliance measures.
The FTC Rule
The FTC final rule addresses entities that offer services to store individuals’ health information online, as well as service providers of these entities. Although the rule does not apply to HIPAA-covered entities or their business associates, it does apply to entities that heretofore have been beyond the FTC’s jurisdiction, such as nonprofit organizations.
The FTC’s notification rule only applies to breaches of “unsecured” PHR, defined as identifiable PHR information “that is not protected through the use of technology or methodology specified by the Secretary of [HHS].” As discussed above, HHS has identified encryption and destruction as the appropriate means for securing such information. Therefore, like the HIPAA-covered entities regulated by the HHS rule, PHR vendors may seek safe harbor from the notice requirements by encrypting PHR.
Personal health records vendors, as well as “PHR-related entities,” are required to notify affected individuals upon the discovery of a “breach of security” of unsecured PHR identifiable health information. The FTC defines “PHR-related entities” as entities that (1) offer products or services through a PHR vendor’s website, (2) offer products or services through the websites of HIPAA-covered entities that offer individuals PHRs, or (3) access information in a PHR or send information to a PHR. These may include Web-based applications that help consumers manage medications, a website offering online personalized health checklists, or even a brick-and-mortar company advertising dietary supplements online.
The FTC regulations require PHR vendors to notify affected customers following the discovery of a “breach of security” concerning a customer’s PHR. More specifically, a “breach of security” is defined as the unauthorized acquisition of an individual’s unsecured PHR-identifiable health information. Examples include the theft of a laptop containing unsecured PHR, unauthorized downloading of such records by an employee, or remote copying of PHR by a hacker.
The FTC rule presumes that where there has been unauthorized access (i.e., the opportunity to view data), there also has been unauthorized acquisition (i.e., the actual viewing or reading of data). This presumption is rebuttable, however, if the vendor “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” For example, if an employee inadvertently accesses a customer’s PHR, but logs off without reading, using, or disclosing such data, then no breach of security has occurred.
As in the HHS rule, a PHR vendor must provide an individual with prompt notice upon discovery of a security breach. The notice must include pertinent information, such as a description of what happened, the type of PHR involved, and steps the individuals can take to protect themselves from further harm. The FTC also must be notified using a form that can be found at http://www.ftc.gov/os/2009/08/R911002hbnform.pdf. In the case of a breach involving 500 or more people, entities must notify the media. Likewise, a third party service provider must notify the relevant vendor or PHR-related entity upon discovery of a security breach; in turn, the vendor or PHR-related entity must notify the affected individuals.
There is one critical difference between the HHS and FTC regulations: the FTC’s final rule does not include a risk of harm threshold. Therefore, even where a PHR vendor might reasonably conclude that a security breach presents a small risk of harm to a consumer, the vendor is still required to notify the affected individual. The FTC noted that its standard does take harm into account, given that, as described above, entities can rebut a presumption of harmful acquisition of PHR. However, because of the sensitivity of health information, the FTC believes “the standard for notification must give companies the appropriate incentive” to safeguard such information.
Effective Date
The FTC’s notification requirements are effective September 23, 2009 (i.e., 30 days from publication). In the preamble to the final rule, however, the FTC stated it would not begin enforcing the notification standards until February 22, 2010.
Closing Thoughts
Both HIPAA-covered entities and vendors of personal health records should begin putting policies and procedures in place to comply with the standards articulated by the HHS and the FTC rules. Covered entities, PHR vendors, and PHR-related entities also should consider encrypting personal health records pursuant to HHS guidance. Such encryption will provide entities with safe harbor-like protection in the event of a security breach to unsecured PHR. HIPAA-covered entities also may want to revisit contracts with business associates in light of the HHS notification requirements.
Proskauer Rose LLP is closely monitoring developments in connection with the HHS and FTC security breach requirements. If you have further questions concerning either agency’s requirements, please contact your Precept Account Manager.
DOL Provides Relief to 403(b) Plans from Form 5500 Reporting Requirements
The U.S. Department of Labor (the “DOL”) recently released a Field Assistance Bulletin (FAB 2009-02) that provides much needed guidance and relief in response to concerns expressed by 403(b) plan administrators and their accountants regarding the expanded annual Form 5500 reporting requirements for 403(b) plans beginning in 2009. Prior to 2009, 403(b) plans were subject to very limited Form 5500 reporting requirements.
Beginning in 2009, large 403(b) plans (generally plans with 100 or more participants) that are subject to the Employee Retirement Income Security Act of 1974, as amended (“ERISA”) are required to include audited financial statements, prepared by an independent auditor, with their annual Form 5500 filing. Small 403(b) plans (generally plans with fewer than 100 participants), while now subject to the same annual Form 5500 requirements as other small retirement plans, are eligible for a waiver of the audit requirement and will generally be able to use the Form 5500-SF (Short Form 5500), a new simplified form for small plans invested in certain types of assets.
Recognizing that administrators of 403(b) plans may face challenges in transitioning to compliance with the heightened filing requirements, the DOL has provided the following transition relief for 403(b) plan administrators that make “good faith efforts” to comply with the expanded annual reporting requirements.
Relief for Pre-2009 Contracts and Accounts
A 403(b) plan administrator may elect not to treat annuity contracts and custodial accounts as part of the employer’s ERISA plan or as plan assets for purposes of the annual Form 5500 reporting requirements, provided that:
- The annuity contract or custodial account was issued to a current or former employee before January 1, 2009
- The employer ceased to have any obligation to make contributions (including employee salary reduction contributions) and, in fact, ceased making contributions to the contract or account before January 1, 2009
- The employee (or former employee) can legally enforce all of his or her rights and benefits under the annuity contract or custodial account against the insurer or custodian without any involvement by the employer
- The individual owner of the contract is fully vested in the contract or account
Notwithstanding the enforcement relief announced by the DOL, auditors have noted that FAB 2009-02 does not change the audit requirements for 403(b) plans. The auditor is still required to conduct an audit in conformity with generally accepted auditing standards, and the DOL relief does not appear to extend to the compliance or fiduciary conduct requirements of an audit on a contract.
Owners of Excluded Contracts Not Counted as Participants
In addition, current or former employees with only contracts or accounts that are excludable from the Form 5500 or Form 5500-SF reporting requirements under the above transition relief do not need to be counted as participants covered under the 403(b) plan for Form 5500 reporting purposes. The ability to exclude such current or former employees may cause some plans to be treated as small plans (plans with fewer than 100 participants), relieving these plans from the audit requirement.
Qualified Audit Opinions Due to Pre-2009 Contracts Will Not Be Rejected
The DOL has stated that it will not reject a Form 5500 on the basis of a “qualified,” “adverse,” or disclaimed opinion if the accountant expressly states that the sole reason for a limited opinion was because pre-2009 contracts were not covered by the audit or included in the plan’s financial statements. Except with respect to this relief, an accountant engaged to perform the 403(b) plan audit must perform audit procedures and report in accordance with generally accepted auditing standards as required by ERISA.
Relief Extends Past 2009
Although not specifically stated in FAB 2009-02, the DOL subsequently announced that the transition relief provided under FAB 2009-02 is not intended to be limited to the 2009 plan year, but also applies to future years beyond the 2009 plan year.
Guiding Principles for Compliance Difficulties Regarding Post-2009 Contracts
The DOL also stated that it recognizes that plan sponsors may encounter compliance issues unrelated to pre-2009 contracts in making the transition to the new reporting requirements. Acknowledging that there may be instances when full annual reporting compliance by 403(b) plans may not be possible for the 2009 plan year, the DOL stated that “the guiding principle must be to ensure that appropriate efforts are made to act reasonably, prudently, and in the interest of the plan’s participants and beneficiaries.” The DOL asserts that although ERISA’s annual reporting requirements may result in added costs to a plan, an administrator of a 403(b) plan should be able to prepare an acceptable 2009 Form 5500 or Form 5500-SF without undue expense or burden.
Plan Auditors Expected to Notify Plan Administrators of Irregularities
The DOL reiterates in FAB 2009-02 that, as a general rule, it expects that accountants engaged to conduct employee benefit plan audits will notify plan administrators of questions, issues, and irregularities discovered as part of the audit engagement that could materially affect the plan’s audit expenses or other costs associated with making the transition to ERISA’s generally applicable annual reporting regime. The DOL has indicated that it believes that providing plan administrators with such compliance assistance information will help them ensure that decisions regarding use of plan assets to defray annual reporting costs are reasonable, prudent, and in the interest of the plan’s participants and beneficiaries.
The DOL relief, which is based on the contract with a participant, is inconsistent with the relief granted by the IRS in Revenue Procedure 2007-71, which provided transitional relief from the written document requirement for contracts that were issued or exchanged before January 1, 2009 by vendors that were no longer being used, as long as the employer made a good faith effort to include those contracts as part of its 403(b) plan. This may pose an auditing challenge, because if a plan sponsor keeps records for IRS purposes, those records would be considered plan records that from the DOL’s perspective should be audited.
Doctor’s Orders: Swine Flu is Coming Back: Get Ready
By Christopher H. Coulter, MD, MPH, Chief Medical Officer
The swine flu first made its appearance in the U.S. earlier this year, resulting in over 1 million cases and 350 deaths. Since we reviewed swine flu a few months ago, the possibility of a very serious outbreak has increased. Flu is seasonal, and experts are preparing for a swine flu epidemic as early as October that could be much worse this time around. We are already seeing outbreaks in summer camps, prisons, and other settings. Predictions are as high as 30,000-90,000 U.S. deaths, especially if there is a delay in the vaccine. You and your employees should prepare, as you would for any natural disaster. Here’s what you should do:
- Get vaccinated against the regular flu, and consider offering on-site flu shots for your employees. There will be shots for the seasonal flu starting in early September, the kind you may have gotten in the past. While this immunization provides little direct protection against swine flu, it will help prevent getting both at once, and it will also prevent having to seek medical attention for the regular flu at a time when your doctor and local hospitals may be overwhelmed.
- Educate yourself and your employees about swine flu, how it is spread, what the symptoms are, how to treat it, and the warning signs that you may require immediate medical care. Your best options are not to get infected and not to spread it to others.
- Get vaccinated against swine flu, if a vaccine becomes available. Right now supplies are uncertain, and preference will be given to children and pregnant women, since these groups are particularly vulnerable. If additional vaccine is available, get it, and consider offering on-site swine flu vaccinations for your employees, if possible.
- If you or a family member has a chronic illness like diabetes or lung disease, it may make sense to have medication on hand. Both Tamiflu and Relenza have activity against swine flu and you should ask your doctor for a prescription now. These medications will be gone quickly in an epidemic.
- Next, prepare for a scenario where as many as 40% of individuals in your area may be sick with the flu at one time. If that happens, medical services will be swamped, so make sure you have your prescriptions for your other medical conditions filled. Stock up on over-the-counter medications for flu symptoms, fever, diarrhea, and electrolyte replacement, and buy a thermometer. This could also mean that 40% of your employees could be out sick at the same time, so make sure your disaster preparedness policies are up-to-date.
The swine flu pandemic may move quickly, so it is also important to know where you can get good, accurate, up-to-the-minute information. The best sites are:
For additional information on swine flu for employers, please read this Pandemic Flu Special Report.