Protecting Vision in the Workplace

Originally posted by Sandy Smith on February 10, 2015 on ehstoday.com.

The use of digital devices, including personal computers, tablets and cell phones, continues to increase. The impact of prolonged usage often can be felt in the eye.

According to a report from the Vision Council, extended use of these devices has caused as many as 70 percent of American adults to experience some form of digital eyestrain.

"By protecting our eyes at work and at home, we can help stay healthy and productive for years to come," said Hugh R. Parry, president and CEO of Prevent Blindness.

Prevent Blindness, the nation's oldest volunteer eye health and safety group, provides employers and employees with free information on topics ranging from eyestrain to industrial eye safety in order to promote eye health at work. The group even has declared March as Workplace Eye Wellness Month.

Steps You Can Take

Employers and office workers can take a few simple steps to help prevent eyestrain and fatigue from digital devices. Prevent Blindness suggests:

  • Visit an eye doctor for a dilated eye exam to make sure you are seeing clearly and to detect any potential vision issues.
  • Place your screen 20 to 26 inches away from your eyes and a little bit below eye level.
  • Use a document holder placed next to your computer screen. It should be close enough that you don't have to swing your head back and forth or constantly change your eye focus.
  • Adjust the text size on the screen to a comfortable level.
  • Change your lighting to lower glare and harsh reflections. Glare filters over your computer screen can also help.
  • Use a chair you can adjust.
  • Choose screens that can tilt and swivel. A keyboard that you can adjust also is helpful.

And the Vision Council recommends the 20-20-20 break: every 20 minutes, take a 20-second break and look at something 20 feet away.

Prevent Blindness strongly recommends the use of eye protection in the workplace, especially in industries such as construction, manufacturing or any profession where eye accidents and injuries may occur. The U.S. Bureau of Labor Statistics reported that in 2012, there were 20,300 recorded occupational eye injuries that resulted in days away from work.

The organization offers two workplace programs:

The Healthy Eyes Educational Series (https://www.preventblindness.org/healthy-eyes-educational-series) is a free program that provides user-friendly, downloadable modules to conduct formal presentations or informal one-on-one sessions, including one titled "Work Safety." Each module includes a presentation guide and corresponding PowerPoint presentation on a relevant eye health topic such as adult eye disorders, eye anatomy, healthy living, low vision and various safety topics. Fact sheets can be downloaded at any time from the Prevent Blindness web site for use as handouts to accompany the presentation.

Prevent Blindness also offers Eye2Eye (https://www.eye2eyeprogram.com), a web-based educational resource that trains employees to communicate the importance of eye health and safety to each other, increases eye safety compliance and builds a stronger culture of safety in the workplace. The program features a peer-based, interactive curriculum and community-oriented forum enabling end users to share their learnings and best practices with each other.

Eye Injuries in the Workplace

More than 2,000 people injure their eyes at work each day. About one in 10 injuries require one or more missed workdays for recovery. Of the total number of work-related injuries, 10-20 percent will cause temporary or permanent vision loss. Experts believe that the right eye protection could have lessened the severity or even prevented 90 percent of eye injuries. The common causes of eye injuries in the workplace are:

  • Flying objects (bits of metal, glass)
  • Chemicals
  • Tools
  • Harmful radiation
  • Particles
  • Any combination of these or other hazards

3 Ways to Prevent Eye Injuries

  1. Know the eye safety dangers at work by completing an eye hazard assessment.
  2. Use engineering and administrative controls to eliminate hazards before employees start work. Use machine guarding, work screens or other engineering controls, and create policies that require 100 percent compliance with eye safety protective equipment use.
  3. Use proper eye protection.

Tips for Handling Employee Pay Issues Caused By Mother Nature

Originally posted February 9, 2015 by Laura Kerekes on www.thinkhr.com.

If you are inclined to believe “Punxsutawney Phil,” we’re in for another six weeks of wintry weather. When the groundhog emerged from his dwelling at Gobbler’s Knob in west-central Pennsylvania on February 2nd, he did not see his shadow. Let’s all hope for an early spring while we stay vigilant for more bad weather. Super storms packed punches in the Midwest and Northeast to start the New Year and continue adding to the area’s already taxed weather relief efforts. While your business may not have been affected by the recent superstorms, it is a great wakeup call to think through how businesses should handle the employee relations and pay issues that arise when they are forced to close due to inclement weather and/or when employees simply cannot get to work due to transportation or personal difficulties.

What should an employer do? Pay employees to stay at home? After all, in most cases, they are not at work through no fault of their own. Many businesses, however, do not have the financial resources to pay employees not to work. What follows are the rules regarding paying employees who miss work due to Mother Nature, along with some practical tips. From an employee relations perspective, the more generous you can afford to be to your employees who are suffering as a result of a weather-related disaster, the better. Employees (and their families) do pay attention to how they are treated, and a little extra time off and compassion for individual circumstances can go a long way towards enhancing employee loyalty.

If the company has no power and sends employees home for the day, should they be paid? And does it matter if the employee is exempt or nonexempt?

In general, there are two sets of rules for paying employees depending upon their classification under the Fair Labor Standards Act (FLSA) as it relates to eligibility for overtime. With nonexempt employees (those eligible for overtime pay), there is no obligation under federal or state law to pay for time not worked. However, under certain state laws, employers may have an obligation to compensate nonexempt employees under call-in/reporting pay laws, especially if the employees were not advised that they should not report to work and were denied work upon arrival at the workplace.

These pay obligations vary by state. With respect to salaried exempt employees who must be paid on a “salary basis” under the FLSA, employers may not make salary deductions for absences that result from an employer’s partial-week closing of operations, including closings due to weather-related emergencies or disasters. The bottom line is that exempt employees must be paid their full salary if they perform any work in a workweek and only miss work time due to the employer’s closure of operations. Closures for a full workweek need not be paid if no work is performed.

Are these rules different if the company can tell the employee not to come to work the next day?

For nonexempt employees, if they are told in advance not to come to work and the employees stay home, then the employer is under no obligation to pay them for the time off. The employer and the employee can choose to use accrued paid time off to compensate the employee for the missed workdays.

For exempt employees, the “salary basis” rule still applies. In some cases the employee may be working from home during the bad weather days. If state laws permit employers to do so, employers may deduct from the exempt employees’ accrued paid time off balances to resolve the issues related to “salary basis” compliance. The employer should ensure, however, that these employees have not done any work from home during the office closure prior to deducting time from the accrued paid time off bank balances.

If an employee is on Family and Medical Leave Act (FMLA) leave, do those “bad weather days” count against the employee’s 12-week allotment of time off?

The FMLA regulations are silent about bad weather office closures. However, the regulations do allow for situations when the employer’s business stops operating for a period of time and employees are not expected to come to work (plants closing for a few weeks to retool, mandatory company-wide summer vacation, etc). In that case, the week the business is closed and no employees are reporting to work would not count against the employee’s FMLA leave entitlement. If the business is closed for a shorter period of time, the general thinking is that the FMLA regulations relating to holidays would likely apply. Under those rules, if the business is closed for a day or two during a week in which the employee is on FMLA leave, then the entire week would count against the employee’s FMLA leave entitlement. If, however, the employee is on intermittent FMLA leave, then only the days that the business is closed and the employee is expected to be at work would count against the leave entitlement.

How do we handle attendance issues where the office is open but public transportation is not available due to the weather and employees cannot come to work?

If the business remains open but employees cannot get to work because of the weather, employers will need to consider their own attendance policies and practices in determining what flexibility to give employees as it relates to attendance. Employers may encourage employees to car pool or assist them in establishing alternative methods of transportation to get to work.

Under the FLSA rules as they relate to pay, however, employers do not need to pay nonexempt employees if they perform no work. For exempt employees, if the business remains open but an employee cannot get to work because of the weather, an employer can deduct an exempt employee’s salary for a full day’s absence taken for personal reasons without jeopardizing the employee’s exempt status. Employers cannot, however, deduct an exempt employee’s salary for less than a full-day absence without jeopardizing the employee’s exempt status.

Does a company have to allow employees to work from home (exempt or nonexempt) if the office is closed due to bad weather?

No, the employer does not need to allow employees to work from home, regardless of their FLSA status (exempt or nonexempt). The employer can make those decisions based upon the work that can be done remotely and based on the needs of the business. The employer should have clearly communicated policies and expectations regarding working from home during office closures.

The bottom line is that every employer should think about the needs of the business, its financial resources, and employees’ needs and have plans in place to manage business issues due to inclement weather. Thinking through what the wage and hour laws require and developing your policies and then applying them consistently and fairly with all employees can reap huge dividends in employee loyalty and retention.


11 elements of a good enrollment plan

Originally posted February 9, 2015 by Marty Traynor on Benefits Pro.

Spurred by time-saving devices such as smart phones and tablets, our pace of life has sped up. And enrollment is no exception.

In thinking about how to open this column, I took three minutes to look up the fact that Usain Bolt took 9.58 seconds in his world-record 100-meter run; it took Michael Phelps 49.82 seconds to set a world record in the 100-meter butterfly; and Abraham Lincoln delivered the Gettysburg Address in about two minutes. Add that all up and you have six minutes, which is about the time most employees who enroll online will spend making their voluntary benefit enrollment choices this fall.

Employees are making decisions that affect their financial security in six minutes. But how can they be expected to make a good decision in that time, especially when faced with a growing list of options?

We have to plan what we can do to help employees make good choices and provide them with information via a coordinated enrollment communications plan. These elements help:

  • Pre-enrollment communications such as email notices and web banners, and on-site promos like posters and table tents
  • Informational on-site group meetings and/or webinars covering all shifts
  • Access to a call center during open enrollment and a help line for new hires and life event changes during the year
  • Evening webinars or access to call/chat services for employees and their spouses
  • Engaging tools such as videos and calculators
  • Creative approaches such as contests or prize drawings for all who enter the system
  • Recommended product bundles based on key demographics of the employee and their family
  • Careful product ordering
  • Auto enrollment of prior year choices
  • Speaking of employees who have already selected a voluntary plan — make any buy-up option as easy as possible to encourage repeat purchases and accommodate growing needs
  • Internal response tracking inside enrollment systems so follow-up emails automatically go from HR to those who have not entered the system, and to those who have not completed the process

Employees have to make their benefits elections in a hurried, nearly thoughtless environment. We can help them make better decisions during that six-minute decision process by active support of an enrollment plan.


DOL Updates Definition of Spouse in FMLA Regulations

Originally posted February 24, 2015 by Rick Montgomery, JD on ThinkHR.com.

On June 26, 2013, in U.S. v. Windsor, 570 U.S. 12, 133 S. Ct. 2675 (2013), the U.S. Supreme Court struck down section 3 of the Defense of Marriage Act (DOMA) as unconstitutional under the Due Process Clause of the Fifth Amendment. Immediately following the decision in Windsor, the U.S. Department of Labor (DOL) announced what the then-current definition of “spouse” under the Family and Medical Leave Act (FMLA) allowed, given the decision: Eligible employees could take leave under the FMLA to care for a same-sex spouse, but only if the employee resided in a state that recognized same-sex marriage. This has been commonly referred to as the “state of residence” rule.

In order to provide FMLA rights to all legally married same-sex couples consistent with the decision in Windsor, the DOL issued a Final Rule on February 25, 2015, revising the definition of spouse under the FMLA. The Final Rule amends the definition of spouse in 29 C.F.R. §§ 825.102 and 825.122(b) to include all individuals in legal marriages, regardless of where they live. More specifically, the definition of spouse is now a husband or wife as defined or recognized in the state where the individual was married (“place of celebration”) rather than where the individual resides, and specifically includes individuals in same-sex and common law marriages. The Final Rule also defines spouse to include a husband or wife in a marriage that was validly entered into outside of the United States if it could have been entered into in at least one state.

The Final Rule goes into effect on March 27, 2015.

To assist employers, the DOL has released a Fact Sheet and Frequently Asked Questions about the Final Rule.


IRS Offers Relief for Small Employer Premium Reimbursement Arrangements

Originally posted February 25, 2015 by Laura Kerekes on ThinkHR.com.

On February 18, 2015, the IRS announced transition relief for certain small employers that subsidize the cost of individual health insurance policies for employees. Notice 2015-17 provides short-term relief from the $100 per employee per day excise tax that otherwise would apply to the employer.

Starting in 2014, employers of all sizes have been prohibited from making or offering any form of payment to employees for individual health insurance premiums, whether through reimbursement to employees or direct payments to insurance carriers. Employers also are prohibited from providing cash or compensation to employees if the money is conditioned on the purchase of individual health coverage. Employers that violate the prohibitions against these so-called “employer payment plans” are subject to an excise tax of $100 per day per affected employee. Exceptions are allowed for limited-scope dental or vision policies, supplemental plans, or retiree-only plans.

Small businesses in particular have been affected by the prohibition since many of them had subsidized individual policies for workers instead of offering a group health plan. Notice 2015-17 now offers short-term relief from tax penalties to give small employers additional time to comply with the prohibition. This relief applies only to small employers. Employers who are defined under the Affordable Care Act as applicable large employers (ALEs) — generally those with 50 or more full-time and full-time-equivalent employees — are not eligible for relief.

Specifically, the IRS will not impose excise taxes on employers that provide pretax reimbursement or payment of individual health insurance premiums as follows:

  • For 2014, employers that are not ALEs (based on employer size in 2013).
  • For January 1 through June 30, 2015, employers that are not ALEs (based on employer size in 2014).

Starting July 1, 2015, excise taxes may apply regardless of the employer’s size.

Note: This transition relief applies only to pretax reimbursement or payment of insurance premiums. It does not apply to after-tax reimbursements. It also does not apply to stand-alone health reimbursement arrangements (HRAs) or other arrangements to reimburse employees for expenses other than insurance premiums.

Additional Relief Provisions

Notice 2015-17 also provides relief for certain arrangements that reimburse premiums for 2-percent-or-more shareholders in Subchapter S corporations, and for certain employers that reimburse Medicare premiums or TRICARE expenses. These provisions are complex and affected employers should refer to their legal and tax advisors for guidance.


Responding to Flooding When Snow and Ice Melt

Originally posted January 15, 2015 by Insurance Institute for Business & Home Safety (IBHS).

Insurance Institute for Business & Home Safety - If temperatures begin to rise after severe winter weather, flooding due to snow and ice melting could result in widespread property damage.

The Insurance Institute for Business & Home Safety (IBHS) urges property owners who have experienced significant snowfall and freezing temperatures during the winter to evaluate their flood risks as warmer weather arrives.

“The most important things home and business owners can do from a safety perspective is to pay close attention to local weather reports and alerts from the National Weather Service,” said Julie Rochman, IBHS president and CEO. “In addition, we urge residents to follow the instructions of local emergency officials when flooding is imminent, and we especially caution everyone to obey all evacuation orders from local authorities.”

When temperatures rapidly increase, so does the rate at which snow and ice melt. This can be a serious problem for areas that have received large amounts of snow and ice throughout this severe winter season. Frozen soil also increases the risk of flood as water from melting snow and ice is not able to seep into the ground.

“If you still have snow piles surrounding your home, try to move those away from your foundation to avoid water from leaking into your home,” said Rochman. “Also, keep in mind that rain can cause snow to melt faster, which can contribute to possible flooding in your area.”

If flooding is imminent, find out how you can prevent damage using IBHS resources below. Additional IBHS winter weather resources are available at https://bit.ly/1zA3NTZ or on the IBHS Facebook page at https://on.fb.me/1Aoh2Le

HOW TO PREVENT PROPERTY DAMAGE WHEN FLOODING IS IMMINENT

  • Clear drains, gutters and downspouts of debris.
  • Move furniture and electronics off the floor, particularly in basements and first floor levels.
  • Roll up area rugs, where possible, and store these on higher floors or elevations. This will reduce the chances of rugs getting wet and growing mold.
  • Inspect sump pumps and drains to ensure proper operation.
  • If a sump pump has a battery backup, make sure the batteries are fresh or replace the batteries.
  • A sump pump needs to be away from basement walls to be effective.
  • Make sure the sump pump outlet pipe is clear and water flows freely away from your property.
  • Shut off electrical service at the main breaker if the electrical system and outlets may end up under water.
  • Place all appliances, including stoves, washers, dryers, etc. on masonry blocks or concrete at least 12 inches above the projected flood elevation.
  • Seal any cracks in walls, openings, or your foundation using masonry caulk or hydraulic cement.
  • Consider installing backflow valves, which are designed to prevent water from flowing into your house through local sewer lines.
  • Create an emergency preparedness kit and evacuation plan.

Identity-theft protection benefits boost business, satisfaction

Originally posted January 20, 2015 by Melissa A. Winn on www.ebn.benefitnews.com.

With employee news feeds brimming with headlines about recent computer hacks and data leaks, employers are showing a growing interest in offering identity theft protection services as a benefit to their worried workforce. Benefit industry experts say the relatively inexpensive voluntary benefit is not only highly-appreciated by employees, but it can also act as a differentiator in a benefit adviser’s sales portfolio.

Employer concern about employee identity theft has been on the uptick recently, says Nick Park, voluntary benefits specialist at Corporate Synergies. “It has definitely been a topic of conversation more in the last year,” he says.

Identity theft fraud claims a new victim every two seconds, according to the 2014 Identity Fraud Report issued by financial research firm Javelin Strategy and Research. The Bureau of Justice Statistics, the government research agency for the Justice Department, found that 16.6 million American adults experienced identity theft in 2012 alone.

“In a group of 10 people there’s always at least one or two people who have a personal experience with an identity theft situation in some form or fashion,” says Kelly Fristoe, president and CEO of Financial Partners in Wichita Falls.

Fristoe sells the identity theft product LifeLock, which can be sold to individuals or offered to groups as a value added voluntary or employer paid product.

“[T]here are agents I know that do sell a ton of it,” he says. “Theirs and my experience is that it is a high-value product.”

While some employers choose to add identity theft protection services as a new benefit offering in their voluntary benefit package during annual open enrollment, Park says employers have also approached his firm for information on the benefit throughout the year, particularly if somebody in the organization suffers from an identity theft.

“They don’t want that to happen to any other employee in their organization,” he says.

Employees rely on their employer for “a host of financial needs: planning for retirement, protecting against the costs of health care, or even accidents and illness; not to mention, their paycheck. Identity theft can represent a threat to all aspects of financial security and is right in line with benefits [employer clients] can offer their employees,” according to identity theft protection services provider LifeLock.

Employee satisfaction

“It is a ‘nice to have’ benefit,” says Park. “I don’t know if it would be considered a necessity at this point, but employees like it.”

The monthly premiums are usually pretty affordable, he says and the benefit “typically has very little dissatisfaction once you have placed it in the employee population,” says Park. “It’s not something I hear negative feedback on ever.”

For benefit advisers, identity theft protection can be a good differentiating benefit offering, and “is a simple tool to give your clients satisfaction.”

With some insurance products there is a risk, he says, but not so much with identity theft protection.

“Sometimes, when you introduce a product to an employee population it may be complex or confusing and people don’t understand it, they don’t understand the coverage type. [Identity theft protection] is something everybody understands,” says Park.


Technology plays growing role in benefits

Originally posted January 27, 2015 by Mike Nesper on www.ebn.benefitnews.com.

Employers of all sizes are increasingly shifting toward using technology for enrolling in and managing their employee benefits. The market for technology-based platforms has been “growing leaps and bounds over the past five-plus years,” says Mark Rieder, an Austin-based senior vice president at NFP.

Ten to 15 years ago, he says, only large groups were focused on technology. Today, “they’re all very much interested in becoming more efficient,” Rieder says. “Technology has become affordable enough to [deploy] regardless of size.”

Offering a variety of support tools is important to help employees make the best selections, Rieder says. Employees want to be able to compare the cost of a procedure at various providers, he says. “Transparency tools are becoming more and more of a hot topic,” Rieder says. “Folks want to know what they’re buying.”

Employees also want to manage all of their needs — payroll, HR, benefits — in one location, Rieder says. The goal is to have a useful platform when it’s needed but not be in the employee’s face when they don’t, says Michael Askin, senior consultant with Mind Over Machines, a Maryland-based software development technology company.

The fact that many employers are still using paper isn’t necessarily a bad thing, Askin says. “There are lessons to be learned from other industries,” he says. Perhaps more importantly, paper protects employee information from hackers, Askin says. Ultimately, the goal of a technology-based platform is to increase employee engagement without increasing security exposure, he says.

A common misconception about security breaches is where the vulnerability lies, Askin says. “Most security issues are actually internal,” he says. For consumers, Askin recommends having a credit card for Internet-only purchases.


Do You Know The Way To HSA?

Originally posted by Patty Kujawa on January 28, 2015 on www.workforce.com.

With the rapid growth in high-deductible health plans, health savings accounts provide an option to pay medical bills and save for the future.

Corey Barnett is an avid saver, but doesn't like the idea of stashing his retirement reserves in one place.

That's why when he left his steady job to create a digital marketing company in February 2014, the 25-year-old rolled his 401(k) into an individual retirement account and specifically looked for a high-deductible health plan so he could continue using his health savings account as a way to pay for current medical bills as well as save and invest money for retiree health costs.

Barnett likes the HSA because he finds it tax-savvy and flexible; money goes in, grows and goes out tax-free for medical bills: He can use the money today if he gets sick or he can save it for tomorrow's retiree health bills.



Employer FAQs: Responding to the Anthem Breach

Originally posted February 9, 2015 by The National Law Review - National Law Forum LLC.

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem's CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs) seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). Below are some FAQs about the Anthem breach for affected employers.

Isn't this really Anthem's problem?

From a legal compliance standpoint, the answer largely depends on whether the plan is insured or self-funded. For example, as discussed below, in the case of a self-funded group health plan, the HIPAA breach notification rules place the obligation to notify affected persons on the covered entity (i.e., the plan, and practically the plan sponsor) and not on the business associate (i.e., the TPA). However, contract obligations in the business associate agreement (or administrative services only agreement) have to be considered. Finally, as a practical matter, because employees and other persons covered under the plan(s) will be concerned and have questions, employers will need to have a strategy for addressing those concerns.

Is the information involved subject to HIPAA; the Anthem FAQs say Anthem does not believe diagnosis or treatment information was compromised?

According to the Anthem FAQs:

“the member data accessed included names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses and employment information...[but its] investigation to date indicates there was no diagnosis or treatment data exposed.”

Many maintain the mistaken belief that, in the case of a group health plan, a covered person’s name and social security number, alone, is not “protected health information” (PHI) under the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The absence of diagnosis or treatment data does not make information any less PHI. This is because the regulatory definition includes not only information about a person’s physical or mental health condition, but also how care is paid for and provided. Thus, data elements that relate to the payment or provision of health care, such as address and email address, could constitute PHI even if not as sensitive as a covered person’s diagnosis information.

What about the state breach notification laws, do they apply?

The Anthem breach involves personal information of individuals, such as names, member ID/social security numbers and other data, the kind of information protected by state breach notification laws, which currently exist in 47 states. Given the massive scale of the breach, it is likely that there are affected individuals residing in all 50 states and beyond.

Some of those state laws have exceptions when HIPAA or other federal regulations apply. Some do not. According to the Anthem FAQs, all product lines have been affected, not just health insurance (medical, dental and vision). This includes life, disability, workers compensation and other policies and products which typically are not subject to HIPAA. Thus, regardless of the Anthem policy or product at issue, the applicable state laws will need to be considered to determine their application in this case.

Our plan is/was insured by Anthem, what should we be doing?

Under HIPAA, both the employer’s group health plan under ERISA and the health insurance issuer that provides the insurance for that ERISA plan are covered entities under HIPAA. Covered entities have the primary breach notification obligations. Under state breach notification laws, the primary notification obligation generally falls on the entity that owns or licenses the data, not necessarily the entity that held the data at the time of the incident. However, in the case of a breach experienced by an insurer, and not the employer sponsoring the plan, the insurer generally is considered to be responsible for responding to the breach. Even if not entirely clear in the applicable statutes or regulations, this makes practical sense because the carrier is in control of the investigation and the facts, and usually is in the best position to work with law enforcement. Carriers can typically disseminate notifications more efficiently across the affected policies, as well as to federal and state agencies, and the media.

To date, Anthem appears to be taking the lead on the investigation and notifying affected persons. For example, its FAQs inform members that they can expect to “receive notice via mail which will advise them of the protections being offered to them as well as any next steps”. Because this incident affects both HIPAA-covered and non-HIPAA plans, it is likely the notices will address the applicable HIPAA and state law requirements.

Still, there are some action items for affected employers to consider:

  • Stay informed. Closely follow the developments reported by Anthem, including coordinating with your benefits broker who might have additional information.

  • Consult with counsel. Experienced counsel can help employers properly identify their obligations and coordinate with Anthem as needed.

  • Communicate with employees. Be prepared to respond to employee questions – consider providing a short summary of the incident to employees along with links to the Anthem materials and FAQs.

  • Evaluate vendors. Use this incident as a reason to examine more closely the data privacy and security practices of all third party vendors that handle the personal information of your employees and customers, including insurance companies. Of course, a data breach is generally not a reason, by itself, to switch vendors. With breaches of all sizes affecting many companies, there is no telling whether the grass will be greener. But making inquiries and pressing vendors to do more, including by contract, is a prudent course of action, and even required in some states.

  • Revisit your own data security compliance measures. Employers should take this as an opportunity to assess or reassess their own data security compliance measures. As many have noted, it is not just large companies that are vulnerable to these kinds of attacks.

Our plan is/was self-insured and Anthem was our TPA, what should we be doing?

In this case, whether the plan is a health plan covered by HIPAA or another employee welfare benefit, Anthem, as TPA, maintains the personal information of covered persons on behalf of the employer. Anthem’s legal obligations under HIPAA and state law, as applicable, then generally require only that it notify the employer concerning the circumstances of the breach – how it happened, the kind of information breached, who was affected, etc. Then it is up to the employer/covered entity to carry out an appropriate investigation, provide notice to affected persons and otherwise comply with the applicable federal and state laws. However, administrative service agreements and, in the case of health plans, business associate agreements may delegate some of these responsibilities to the TPA, as well as indemnification obligations. So, in addition to some of the steps listed above, employers have a number of things to consider and steps to take:

  • Determine if plans have been affected. Employers might soon be receiving communications from Anthem concerning whether their plans have been affected. They also may want to reach out to Anthem and inquire.
  • Act quickly. HIPAA and state breach notification laws generally require that notices be provided without unreasonable delay, as well as place outside limits on when such notices can be provided – e.g., 60 days following discovery under HIPAA, and 30 days in Florida.
  • Examine the administrative services agreement and/or business associate agreement. For plans that have been affected, employers need to review the related agreements as they could place certain obligations either on the employer or Anthem. The agreements also could be silent, in which case the plan/employer likely has the obligations to notify participants, agencies and media.
  • If Anthem is responsible for responding, employers should consider taking certain steps to ensure Anthem’s reaction is compliant – e.g., has it protected data from further attacks, completed the investigation, identified all affected persons, crafted content-compliant notifications (HIPAA and some state laws have specific content requirements), and notified the applicable federal and state agencies.
  • If the employer retained the responsibility to respond, it should be taking steps immediately to determine what happened and coordinate with Anthem concerning the response. This includes some of the steps listed above. For instance, in the case of group health plans under HIPAA, employers will need to confirm with Anthem whether Anthem or the employer/group health plan will be notifying the Department of Health and Human Services. Also, employers that have developed a data breach response plan (a good idea for all employers) should review that plan and follow it.

However, as a practical matter and regardless of what is in the services agreement, Anthem may decide to take the lead on the response, and not give employers much choice in shaping the communications made to persons covered under the plans.

  • Communicate with covered persons. If it turns out that the employer will be notifying plan participants, in addition to the notification letters referred to above, employers also need to be prepared to address participant questions about the incident. Designating certain individuals or outside vendors to handle these questions and creating a script of anticipated questions and answers would facilitate a consistent and controlled response.

  • Evaluate insurance protections. Some employers may have purchased “cyber” or “breach response” insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Employers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.

  • Document steps taken. Employers should document the steps they take to investigate and respond to the incident, particularly if it affects one of their group health plans covered by HIPAA.

Some employees have complained about our data security practices, how should we respond?

Take them seriously! Data security has been recognized at the federal, state and local levels as an important public policy concern, most recently by President Obama at the recent State of the Union Address. Disciplining or taking adverse action against an employee who has raised these concerns could expose the employer to retaliation claims or violations of employee whistleblower protections.