Tag Archives: cynthia marcotte stamer

IRS Set to Nail Employers on ACA

The Internal Revenue Service is acting to help individuals who are eligible for Patient Protection and Affordable Care Act (Obamacare) health subsidies and who live in regions where exchange insurers do not offer bronze (lowest-cost) coverage, even as it moves ahead to nail employers failing to comply with Obamacare’s employer shared responsibility rules (commonly referred to as the “employer mandate”).

IRS New Individual Obamacare Relief

Notice 2017-74 will provide that individuals who are not eligible for coverage under an eligible employer-sponsored plan and who lack access to affordable coverage should not be denied the use of the affordability exemption under § 5000A(e)(1) of the code and § 1.5000A-3(e) of the regulations merely because they reside in an area served by a marketplace that does not offer a bronze-level plan. Consequently, for purposes of the affordability exemption under § 5000A(e)(1) and § 1.5000A-3(e), if an individual resides in a rating area served by a marketplace that does not offer a bronze plan, the individual generally should use the lowest-cost metal-level plan available in the marketplace serving the rating area in which the individual resides.

Notice 2017-74 will be in IRB 2017-51, dated Dec. 18, 2017.


Employers Still Face Obamacare Penalties

While the IRS has issued limited relief for individuals from the ACA’s individual mandate penalties, so far it has remained steadfast in its refusal to grant employers corresponding relief from the ACA employer-shared responsibility penalties or other ACA penalties. Instead, IRS officials continue to make clear that the IRS intends to enforce the ACA employer-shared responsibility rules against employers with 50 or more full-time employees (including full-time equivalent employees).

Under the Obamacare employer mandate rules, covered employers face significant federal tax penalties for (1) failing to offer minimum essential coverage to substantially all full-time employees and their dependents (the “A Penalty”), or (2) offering coverage that is either “unaffordable” or does not provide “minimum value” (the “B Penalty”) if a full-time employee enrolls in the health insurance marketplace and receives a premium tax credit.

While many employers assumed President Trump’s Jan. 20, 2017, executive order “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal” would insulate them against enforcement of the employer mandate and other Obamacare penalties, the IRS doesn’t see the executive order as barring its enforcement of Obamacare against sponsoring employers or their group health plans. In an April 14, 2017, IRS Chief Counsel letter, for instance, the IRS announced it does not interpret its discretionary authority under Obamacare to allow waiver of the employer mandate tax imposed under Internal Revenue Code Section 4980H against covered employers that fail to provide the affordable minimum essential coverage required by the employer mandate. In keeping with this interpretation, the IRS has announced that it will begin enforcement of the employer mandate tax liability for plan years after 2015 against covered employers that failed to meet the employer mandate.

Of course, the employer mandate is not the only Obamacare provision that employers and their health plans need to worry about. In addition to the employer mandate, Obamacare imposed a host of patient protection and other federal mandates upon employer-sponsored plans, most of which apply to plans covering two or more employees. In addition to any benefit and other administrative penalties that otherwise arise under the Employee Retirement Income Security Act or the Social Security Act for violating these mandates, employers sponsoring plans that violate any of 40 listed mandates imposed by Obamacare or certain other federal laws also become liable under Internal Revenue Code Section 6039D to self-identify, self-assess, report on Form 8928 and pay an excise tax equal to $100 per person per uncorrected violation. The IRS, Department of Labor and Department of Health and Human Services have taken the position that the Jan. 20 executive order also does not bar enforcement of those Obamacare penalties. Accordingly, employers and their group health plans continue to face potentially substantial liability if their group health plan does not comply with Obamacare.


In the face of these exposures, employers and their group health plans should carefully review their plans and their administration for compliance before the end of the plan year so as to be able to take appropriate and timely corrective action before penalties attach and while stop loss or other insurance is available to help mitigate the cost of these corrections. Employers preparing for health plan renewals also should review their group contracts and conduct due diligence to verify their group health plans’ terms and operations meet the mandates as they initiate new plan years. Employers also generally will want to review their compliance and take action to address any deficiencies against any vendors or advisers who may have culpability in the defective health plan design or administration. Prompt action against vendors who may be culpable for the design or administration defects is necessary to preserve potential claims for deceptive trade practices or other causes of action that an employer might have under state contract, tort or other law. Employers and health plan fiduciaries should consider engaging experienced legal counsel to conduct this review on behalf of the employer or other plan sponsor within the scope of attorney-client privilege so as to assess and address these potential risks on a timely basis.

Hard Lessons on Protecting Health Data

The $2.5 million payment and corrective action plan that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) required for CardioNet to settle potential charges of noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules contains many important lessons for other healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates.

A remote cardiac monitoring provider, CardioNet is paying the $2.5 million settlement payment and implementing a corrective action plan to settle potential OCR charges it violated HIPAA by impermissible disclosure of unsecured electronic protected health information (ePHI).

The first OCR HIPAA settlement involving a wireless health services provider, the CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement) announced by OCR on April 24, 2017, adds to the rapidly growing list of announced OCR HIPAA enforcement actions that clearly show all covered entities and their business associates the substantial enforcement liability risks of failing to finalize and actually adopt, implement, administer and maintain the necessary HIPAA Privacy and Security policies and procedures required by HIPAA as well as some of the steps OCR expects to fulfill these requirements.

CardioNet OCR Investigation and Resolution Agreement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On Jan. 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of the ePHI of 2,219 individuals.

The facts outlined in the resolution agreement highlight compliance weaknesses existing in the operations of many HIPAA covered entities and business associates. According to the resolution agreement, OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.


To resolve these OCR charges, CardioNet agrees to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

  • Prepare a current, comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that risk analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its risk management plan, policies and procedures and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis as required by the risk management plan.
  • Review and, to the extent necessary, revise, its current security rule policies and procedures based on the findings of the risk analysis and the implementation of the risk management plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flash drives, SD cards and other portable media devices are encrypted, together with a description of the encryption methods used.
  • Review and revise its HIPAA security training to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions and other policies and practices required to address the issues identified in the risk assessment and otherwise comply with the risk management plan and HIPAA, and train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications of CardioNet and Other HIPAA Enforcement For Covered Entities and Business Associates

The CardioNet resolution agreement contains numerous lessons for other covered entities and their business associates, including:

  • Like many previous resolution agreements announced by OCR, the resolution agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process OCR expects all laptop computers and other mobile devices containing or with access to ePHI will be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from, OCR when OCR receives a report that the organization experienced a large breach of unsecured ePHI.
  • The resolution agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects that OCR expects covered entities to actually finalize policies, procedures and training for maintaining compliance with HIPAA.
  • The discussion and requirements in the corrective action plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
  • The requirement in the resolution agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the resolution agreement and its implementation against CardioNet makes clear that OCR remains serious about HIPAA enforcement.

While the $2.5 million settlement payment sends a strong message about the risks of violating HIPAA by itself, this lesson takes on even greater significance when considered in light of OCR’s January 2017 announcement of its imposition of another HIPAA civil monetary penalty against Children’s Medical Center of Dallas and the growing list of expensive settlement payments that OCR has exacted from other covered entities wishing to avoid CMPs for their alleged HIPAA violations.

In January 2017, for instance, OCR announced Children’s paid a $3.2 million CMP assessed by OCR for failing to adequately secure electronic protected health information (ePHI) and correct other HIPAA compliance deficiencies that resulted from its failure to take appropriate, well-documented actions to timely secure ePHI on systems and mobile devices and other actions needed to comply with other HIPAA privacy or security requirements.

Of course, covered entities and business associates need to keep in mind that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporate Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.


Beyond, and regardless of, the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation or admission also typically are the most inevitable:

  • The intangible, but critical loss of trust and reputation that covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation or charge.

In light of these risks, covered entities, business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations’ policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and strengthen as necessary their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced in a well-documented manner. The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

Restaurant Employers: Beware!

Restaurant employers, beware! Restaurants are the target of a highly successful, U.S. Department of Labor Wage and Hour Division (WHD) restaurant enforcement and compliance initiative that WHD already has used to nail a multitude of restaurants across the country for “widespread violations” of Fair Labor Standards Act (FLSA) minimum wage, overtime, child labor and other wage and hour laws (WH Law).

Having reportedly found WH Law violations in “nearly every one” of the WH Law investigations conducted against restaurant employers during 2016 and recovered millions of dollars of back pay and penalties from restaurants caught through investigations conducted under its WHD Restaurant Enforcement Initiative, WHD Administrator Dr. David Weil recently confirmed WHD plans to expand the restaurant employers targeted for investigation and other efforts to punish and correct WH Law violations under the Restaurant Enforcement Initiative through 2017 in an October 5, 2016 WHD News Release: Significant Violations In The Austin Restaurant Industry Raise Concerns For US Labor Department Officials (News Release).

The News Release quotes Administrator Weil as stating:

“The current level of noncompliance found in these investigations is not acceptable …WHD will continue to use every tool we have available to combat this issue. This includes vigorous enforcement as well as outreach to employer associations and worker advocates to ensure that Austin restaurant workers receive a fair day’s pay for a fair day’s work.”

Given the substantial back pay, interest, civil or in the case of willful violations, criminal penalties, costs of defense and prosecution and other sanctions that restaurant employers, their owners and management can face if their restaurant is caught violating FLSA or other WH Laws, restaurants and their leaders should arrange for a comprehensive review within the scope of attorney-client privilege of the adequacy and defensibility of their existing policies, practices and documentation for classifying, assigning duties, tracking regular and overtime hours, paying workers and other WH Law compliance responsibilities and opportunities to mitigate risks and liabilities from WH Law claims and investigations.


Many Restaurants Already Nailed Through Restaurant Enforcement Initiative

Even before the planned 2017 expansion of its Restaurant Enforcement Initiative, WHD’s enforcement record shows WHD’s efforts to find and punish restaurants that violate WH Laws are highly successful. Restaurant employers overwhelmingly are the employers targeted by WHD in the vast majority of the WH Law settlements and prosecutions announced in WHD News Releases published over the past two years, including aggregate back pay and penalty awards of more than $11.4 million recovered through the following 31 actions announced by WHD between January 1, 2016 and October 31, 2016:

 

Enforcement Actions Highlight Common Restaurant WH Law Compliance Concerns

Restaurant employers, like employers in most other industries, are subject to a host of minimum wage, overtime and other requirements including the FLSA requirement that covered, nonexempt employees earn at least the federal minimum wage of $7.25 per hour for all regular hours worked, plus time and one-half their regular rates, including commissions, bonuses and incentive pay, for hours worked beyond 40 per week. Employers also are required to maintain accurate time and payroll records and must comply with child labor, anti-retaliation and other WH Law requirements.

The News Release identified some of the common violations WHD uncovered in these investigations, which included employers:

  • Requiring employees to work exclusively for tips, with no regard to minimum-wage standards;
  • Making illegal deductions from workers’ wages for walkouts, breakages, credit card transaction fees and cash register shortages, which reduce wages below the required minimum wage;
  • Paying straight-time wages for overtime hours worked;
  • Calculating overtime incorrectly for servers based on their $2.13 per hour base rates before tips, instead of the federal minimum wage of $7.25 per hour;
  • Failing to pay proper overtime for salaried non-exempt cooks or other workers;
  • Creating illegal tip pools involving kitchen staff;
  • Failing to maintain accurate and thorough records of employees’ wages and work hours; and
  • Committing significant child labor violations, such as allowing minors to operate and clean hazardous equipment, including dough mixers and meat slicers.

Use Care To Verify Tipped Employees Paid Properly

Based on the reported violations, restaurants employing tipped employees generally will want to carefully review their policies, practices and records regarding their payment of tipped employees. Among other things, these common violations reflect a widespread misunderstanding or misapplication of special rules for calculating the minimum hourly wage that a restaurant must pay an employee that qualifies as a tipped employee. While special FLSA rules for tipped employees may permit a restaurant to claim tips (not in excess of $5.12 per hour) actually received and retained by a “tipped employee,” not all workers that receive tips are necessarily covered by this special rule. For purposes of this rule, the definition of “tipped employee” only applies to an employee who customarily and regularly receives more than $30 per month in tips.


Also, contrary to popular perception, the FLSA as construed by the WHD does not set the minimum wage for tipped employees at $2.13 per hour. On the contrary, the FLSA requirement that non-exempt workers be paid at least the minimum wage of $7.25 per hour for each regular hour worked also applies to tipped employees. When applicable, the special rule for tipped employees merely allows an employer to claim the amount of the tips that the restaurant can prove the tipped employee actually received and retained (not in excess of $5.13 per hour) as a credit against the minimum wage of $7.25 per hour the FLSA otherwise would require the employer to pay the tipped employee. Only tips actually received by the employee may be counted in determining whether the employee is a tipped employee and in applying the tip credit. If a tipped employee earns less than $5.13 per hour in tips, the restaurant must be able to demonstrate that the combined total of the tips retained by the employee and the hourly wage otherwise paid to the tipped employee by the restaurant equaled at least the minimum wage of $7.25 per hour.

Furthermore, restaurant or other employers claiming a tip credit must keep in mind that the FLSA generally provides that tips are the property of the employee. The FLSA generally prohibits an employer from using an employee’s tips for any reason other than as a credit against its minimum wage obligation to the employee (“tip credit”) or in furtherance of a valid tip pool.

Also, whether for purposes of applying the tip credit rules or other applicable requirements of the FLSA and other wage and hour laws, restaurant employers must create and retain appropriate records and other documentation regarding worker age, classification, hours worked, tips and other compensation paid and other evidence necessary to defend their actions with respect to tipped or other employees under the FLSA and other WH Law rules. Beyond accurately and reliably capturing all of the documentation required to show proper payment in accordance with the FLSA, restaurants also should use care to appropriately document leave, discipline and other related activities as necessary to show compliance with anti-retaliation, equal pay, family and medical leave, and other mandates, as applicable. Since state law also may impose additional minimum leave, break time or other requirements, restaurants also generally will want to review their policies, practices and records to verify their ability to defend their actions under those rules as well.

Child Labor Rules Require Special Care When Employing Minors

While hiring workers under the age of 18 (minors) can help a restaurant fulfill its staffing needs while providing young workers valuable first time or other work experience, restaurants that hire minors must understand and properly comply with any restrictions on the duties, work hours or other requirements for employment of the minor imposed by federal or state child labor laws.

As a starting point, the legal requirements for employing minors generally are greater, not less, than those applicable to the employment of an adult in the same position. Employers employing workers who are less than 18 years of age (minors) should not assume that the employer can pay the minor less than minimum wage or skip complying with other legal requirements that normally apply to the employment of an adult in that position by employing the minor in an “internship” or other special capacity. The same federal and state minimum wage, overtime, safety and health and nondiscrimination rules that generally apply to the employment of an adult generally will apply to its employment of a worker who is a minor.

Beyond complying with the rules for employment of adults, restaurants employing minors also must ensure that they fully comply with all applicable requirements for the employment of minors imposed under the FLSA child labor rules and applicable state law enacted to ensure that when young people work, the work is safe and does not jeopardize their health, well-being or educational opportunities. Depending on the age of the minor, the FLSA or state child labor rules may necessitate that a restaurant tailor the duties and hours of work of an employee who is a minor to avoid the substantial liability that can result when an employer violates one of these child labor rules.

The FLSA child labor rules, for instance, impose various special requirements for the employment of youth 14 to 17 years old. As a starting point, the FLSA child labor rules prohibit any worker less than 18 years of age from operating or cleaning dough mixers, meat slicers or other hazardous equipment. Depending on the age of the minor worker, the FLSA child labor rules or state child labor laws also may impose other restrictions on the duties that the restaurant can assign or allow the minor to perform. Restaurants hiring any worker that is a minor must evaluate the duties identified as hazardous “occupations” that the FLSA child labor rules prohibit a minor of that age from performing and take the necessary steps to ensure the minor is not assigned and does not perform any of those prohibited activities in the course of his employment.

In addition to ensuring that minors don’t perform prohibited duties, restaurants employing minors also must comply with all applicable restrictions on the hours that the minor is permitted to work based on the age of the minor worker. For instance, the FLSA and state child labor rules typically prohibit scheduling a minor less than 16 years of age to work during school hours and restrict the hours outside school hours the minor can work based on his age. Additional restrictions on the types of jobs and hours 14- and 15-year-olds may work also may apply.


Compliance with the FLSA child labor rules is critically important for any restaurant or other employer that employs a minor, particularly since the penalties for violation of these requirements were substantially increased in 2010, as Street’s Seafood Restaurant learned earlier this year.

According to a WHD News Release, Street’s Seafood Restaurant paid $14,288 in minimum wage and overtime back wages and an equal amount in liquidated damages totaling $28,577 to eight employees, and also was assessed a civil money penalty of $14,125 for FLSA child labor violations committed in the course of its employment of four minors ages 15 to 17. Specifically, investigators found Street’s Seafood Restaurant:

WHD’s announcement of the settlement resolving these child labor law violations quotes Kenneth Stripling, director of the division’s Birmingham District Office, as stating:

“Employing young people provides valuable experience, but that experience must never come at the expense of their safety … Additionally, employers have an obligation to pay employees what they have legally earned. All workers deserve a fair day’s pay for a fair day’s work. Unfortunately, Street’s Seafood violated not only child labor laws, but has also shorted workers’ pay. The resolution of this case sends a strong message that we will not tolerate either of those behaviors.”

Restaurants Must Act To Minimize Risks

Beyond WHD’s direct enforcement actions, WHD also is seeking to encourage private enforcement of WH Law violations by conducting an aggressive outreach to employees, their union and private plaintiff representatives, states and others. Successful plaintiffs in private actions typically recover actual back pay, double damage penalties plus attorneys’ fees and costs. The availability of these often lucrative private damages makes FLSA and other WH Law claims highly popular with disgruntled or terminated workers and their lawyers. When contemplating options to settle WH Law claims made by a worker, employers need to keep in mind that WHD takes the position that settlements with workers do not bar the WHD from taking action unless the WHD joins in the settlement and that, in fact, past settlements may provide evidence of knowingness or willfulness by the employer in the event of a WHD prosecution. The substantial private recoveries coupled with these and other WHD enforcement and other compliance actions mean bad news for restaurant employers that fail to manage their FLSA and other WH Law compliance. Restaurant employers should act within the scope of attorney-client privilege to review and verify their compliance and consult with legal counsel about other options to minimize their risk and streamline and strengthen their ability to respond to and defend against audits, investigations and litigation.

Beyond verifying the appropriateness of their timekeeping and compensation activities and documentation, restaurants and staffing or management organizations working with them also should use care to mitigate exposures that often arise from missteps or overly aggressive conduct by others providing or receiving management services or staffing services. All parties to these arrangements and their management should keep in mind that both parties participating in such arrangements bear significant risk if responsibilities are not properly performed. Both service and staffing providers and restaurants using their services should insist on carefully crafted commitments from the other party to properly classify, track hours, calculate and pay workers, keep records, and otherwise comply with WH Laws and other legal requirements. Parties to these arrangements both generally also will want to insist that these contractual reassurances are backed up with meaningful audit and indemnification rights and carefully monitor the actions of service providers rendering these services.

Healthcare Case on Cutting Corners

Healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates that provide services that deal with protected health information received another reminder to be prepared to prove they are properly handling and administering electronic and other protected health information. This came after the Department of Health & Human Services Office for Civil Rights (OCR) announced its latest in a growing series of high-dollar resolution agreements with a covered entity that was charged with violating the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA).

Raleigh Orthopaedic Charges and Resolution Agreement

The Resolution Agreement and Corrective Action Plan announced by OCR on April 20 requires the Raleigh Orthopaedic Clinic, P.A. to pay $750,000 to settle charges that it violated the privacy rule. The clinic handed over the protected health information of approximately 17,300 patients to a potential business partner without first executing a business-associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, NC, area. OCR’s investigation indicated that Raleigh Orthopaedic violated privacy rules by releasing X-ray films and related protected health information of patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the X-rays and protected health information (PHI).

Although the resolution only addresses charges OCR brought against the covered entity (Raleigh Orthopaedic), business associates need to keep in mind that both covered entities and business associates are now responsible for ensuring compliance with the business associate agreement requirements of the privacy rules — ever since the stimulus bill amended HIPAA to make most provisions of the privacy rule directly applicable to business associates, as well as covered entities.

Takeaways for Covered Entities and Their Business Associates

The resolution agreement includes a strong message for other covered entities and business associates: It’s important for an entity to take seriously its responsibility under the privacy rule to ensure the business associate agreement requirements of the privacy rule are met before business associates are allowed to receive, access or use protected health information. Jocelyn Samuels, the director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), said, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected,” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In many cases, the process of evaluating the adequacy of current arrangements and of considering the advisability of changes to tighten existing practices will result in the discovery and discussion of potentially sensitive information. For example, it is possible that, in the course of review, parties may be unable to locate a signed business associate agreement that governs a relationship, or that information may indicate that breaches of protected health information or other privacy rule violations may have occurred. For this reason, most covered entities and their business associates will want to consider arranging it so this review and analysis is conducted within the scope of attorney-client privilege or under the direction of qualified legal counsel with HIPAA experience who has entered into a business associate agreement.

Rising Risks of Medicare Audits

Texas physician Dennis B. Barson Jr. and his medical clinic administrator are headed to prison. The 10-year prison sentence imposed against Barson, like an $8 million-plus healthcare fraud civil settlement announced by the Justice Department on July 24, 2014, illustrates the significant legal risks that physicians and other healthcare providers face when physician charges are improperly billed to Medicare, Medicaid, Tricare or other federal or state healthcare programs for services actually provided by non-physician staff.

Physicians and others should heed the lessons from these and other similar federal and state healthcare fraud enforcement actions when deciding when it is appropriate to bill federal healthcare programs for physician services where physician assistants, nurse practitioners or other nursing staff or other non-physicians perform part or all of the procedures billed.

Dr. Barson Prison Sentence Highlights Criminal Risks

On Monday, July 27, 2015, U.S. District Court Judge Melinda Harmon ordered Barson to serve 120 months in prison, followed by three years of supervised release, and to pay restitution of approximately $1.2 million for his Nov. 5, 2014, conviction on all 20 counts of conspiracy to defraud Medicare of $2.1 million.

With Judge Harmon presiding, a Houston jury found Barson and his medical clinic administrator, Dario Juarez, 55 years old, guilty on the Medicare fraud charges last November. Another co-defendant, Edgar Shakbazyan, entered a guilty plea to the 21-count original indictment on Oct. 27, 2014. Shakbazyan, of Glendale, CA, was sentenced to 97 months in prison, while Juarez, of Beeville, Texas, received 130 months. Both will also serve three years of supervised release.

The jury convictions of Barson and Juarez followed a trial where Department of Justice prosecutors proved the healthcare fraud charges based on evidence that Barson, Juarez and Shakbazyan fraudulently billed Medicare for rectal sensation tests and electromyogram (EMG) studies of the anal or urethral sphincter that were never performed. Shakbazyan was additionally charged and pled guilty to conspiracy to pay kickbacks for payments made to recruiters and beneficiaries.

According to the testimony at trial, Barson was the only doctor affiliated with the medical clinic located at 8470 Gulf Freeway in Houston. However, Juarez represented himself to be a doctor and was the one who actually saw patients at the clinic. Barson, Juarez and Shakbazyan caused Medicare to be billed for procedures on 429 patients in just two months. The three men also billed Medicare for seeing more than 100 patients on 13 different days, including a high of 156 patients on July 13, 2009.

Barson’s defense attempted to convince the jury that he was a victim of identity theft and was not the perpetrator of the crimes. The conviction shows the jurors did not believe his story. The criminal charges are the result of a joint investigation conducted by agents of the FBI, Department of Health and Human Services-Office of Inspector General and the Medicaid Fraud Control Unit of the Texas Attorney General’s Office.

Margossian Settlement Shows Even More Common Civil Penalty Risks

Barson’s sentencing is one of a growing series of criminal convictions and sentencing of physicians and other healthcare providers for healthcare fraud by participating in arrangements where Medicare, Medicaid or other federal healthcare programs are billed for services not provided or not provided as required to qualify for reimbursement. On July 24, 2015, for instance, the U.S. Attorney for the Eastern District of New York and the State of New York announced that Brooklyn, NY, OB/GYN Haroutyoun Margossian will pay $8 million as part of a civil settlement with the U.S. and the state of New York. The settlement resolves charges brought under the federal False Claims Act and the New York False Claims Act that Margossian wrongfully billed Medicare and Medicaid for physician services for treatments of women suffering from urinary incontinence that unlicensed and often unsupervised staff, rather than Margossian or another physician, actually administered. The government has also filed a criminal charge against Margossian for making false statements to Medicare and entered into a deferred prosecution agreement with him.

Healthcare Fraud Investigations Raise Other Licensing and Practice Risks

The Barson and Margossian actions are just two of the already long and ever-growing list of criminal convictions, civil sanctions and civil settlements that federal and state healthcare fraud fighters already can count as notches of success in their war against healthcare fraud by physicians and other healthcare providers. With these successes fueling more investigations, physicians and others should be prepared to “do time” for improperly billing physician fees to federal healthcare programs for services not provided by the billing physician or for engaging in other inappropriate billing practices. Targets of audits and investigations also must prepare to deal with a host of other threats to their practices that almost inevitably arise regardless of whether the government investigation leads to a conviction, civil sanctions or a settlement.

As demonstrated by the Margossian settlement, even if physicians, practice management and others swept up into these investigations escape being criminally charged, subjected to civil sanctions or penalties or suspended or excluded from Medicare or other federal healthcare programs, healthcare fraud investigations or charges still will carry a heavy cost. Healthcare fraud warriors are realizing great success in securing civil sanctions and settlements, federal program exclusions and other civil and administrative punishments against physicians and other healthcare providers that the government accuses of violating the False Claims Act or other federal healthcare fraud rules.

Of course, whether healthcare fraud investigations ultimately result in any civil or criminal prosecution, conviction or settlement, physicians and other licensed healthcare providers under suspicion of healthcare fraud inevitably must deal with a broad range of other professional fallout. These activities almost always trigger scrutiny or other actions by employers and medical practices, healthcare organizations and licensing boards.

Act to Strengthen Your Defenses

Physicians and others should take steps to minimize the risk of an investigation or audit as well as take steps to help ensure sufficient resources to defend themselves if the government comes knocking.

Of course, the first step should be to take proper, well-documented efforts to comply with the rules. Physicians and the clinics, hospitals and management working with them should carefully evaluate what can be defensibly billed as physician services to Medicare or another federal healthcare program — keeping in mind that the billing party, not the government, generally bears the burden of proving that the amount billed qualifies for coverage. Physicians and others must carefully consider the adequacy of the physician’s involvement in prescribing and delivering services intended to be billed as physician services. In areas where questions could be raised, physicians and their organizations are strongly urged to take extra care to retain documentation of their analysis and efforts to verify their compliance, including consulting legal counsel for advice within the scope of attorney-client privilege.

Physicians and others working with them also should familiarize themselves with their obligations and rights under employment agreements, shareholder or partnership agreements, medical staff bylaws, managed care contracts, medical licensing board rules and the Health Care Quality And Improvement Act. In many cases, these arrangements will compel a physician to provide notice of an investigation, audit, allegation or charge, will trigger separate investigatory or disciplinary action against the physician, or both.

Along with the stiff civil sanctions or settlements imposed, physicians and others investigated or charged with healthcare fraud often incur significant legal and other costs. Physicians and others should consider if they can expect to have sufficient funds to pay the legal and other costs of their defense. Physicians and their organizations concerned about the adequacy of these resources may wish to explore, where available, raising their malpractice policy coverage limits, purchasing other supplemental coverage and taking similar steps to better position themselves. Physicians generally will want to review the adequacy and limits of the coverages that their practices provide, as well as consider the reliability of that coverage in the event that the physician is terminated or leaves the practice.

Because of the 10-year statute of limitations applicable to False Claims Act claims, billings can come back to haunt a physician 10 years after their submission. With this tremendously long liability period, even in the absence of government investigation, a significant risk exists that a physician may experience a practice relocation or other change that would affect his coverage during this period. When an investigation happens, the possibility that the physician will relocate his practice skyrockets. Consequently, physicians should consider purchasing tail coverage, maintaining separate, portable professional liability coverage or both.

Physicians and their practices also should consider the adequacy of the coverage provided by their professional liability or other policies. If the policy provides no or limited coverage, both the physician and his associated organization or practice may want to explore purchasing additional riders on the existing policy, purchasing separate coverage or both, as well as to raise the limits on the coverages.

Practice leaders, hospitals and other organizations that would be swept up into these investigations generally share an interest in ensuring that the physician possesses adequate resources to defend herself, as their organization and its billings are likely to be hurt if the physician is unable to defend the billings.