Commercial Umbrella Insurance

As the calendar flips its last page of 2022, it’s safe to say the word businesses heard most this past year was “inflation”. The good news is that November marked the fifth consecutive month the rate slowed in the United States, down to 7.1 percent its lowest since January (7.5%) and an improvement over June’s 9.1%.

According to the U.S. Bureau of Labor Statistics, the slowdown in inflation can be attributed to a decrease in energy costs for gasoline and electricity, although food shelter indexes rose. Rates remain higher than economists and businesses would like, but the reprieve was welcome.

Looking to 2023, additional challenges to plan for include potential legislation and government regulations on business that could impact how to classify workers, pay workers, and provide paid time off for workers.

Hundreds of in-house compliance professionals at Paychex compiled a list of regulatory issues that could impact businesses the most in 2023 to help employers and HR personnel prepare for what could be coming down the road. Regulatory issues are those that involve any interaction with a regulatory authority (e.g., federal or state department of Labor, the Internal Revenue Service) or compliance with regulatory requirements from such government agencies.

<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/top-regulatory-issues-facing-businesses-in-2023/id1507824762?i=1000590970291"></iframe>

What are examples of regulatory issues? Here are the top issues Paychex identified for 2023:

Small Business Funding

Despite the absence of any new federal programs, businesses can still take advantage of the opportunities to find funds for their business, including some that have carried over from the COVID-19 pandemic. Some of these funds exist as tax credits such as the Employee Retention Tax Credit (ERTC). Businesses that paid qualified wages to keep employees working from March 12, 2020 through Sept. 30, 2021 (and for some certain businesses identified as Recovery Startups, wages could be paid through Dec. 31, 2021) have until either April 15, 2024 (for three quarters of 2020) or April 15, 2025 (for all eligible quarters of 2021) to file amended returns and retroactively claim the credit.

Businesses have received anywhere between tens of thousands to hundreds of thousands – even millions – of dollars in credit to infuse back in their business as they continue to recover from the financial challenges created by the pandemic.

Legislation in 2021, particularly the Inflation Reduction Act, doubled the maximum amount of the Research and Development Tax Credit, giving businesses in tax year 2023 a chance to claim up to $500,000 annually for qualified research activities.

Some states also continue to sponsor programs that enhance funding efforts to help businesses, including 48 approved State Small Business Credit Initiative programs. The U.S. Treasury has pumped millions of dollars into each state to augment capital access programs, loan guarantee programs, and venture capital programs. Most of these initiatives are to support underserved communities that have had challenges in securing funding.

Businesses also should do their due diligence in researching state and local avenues of funding, including industry-specific opportunities.

Pay Equity

The U.S. Department of Labor (USDOL) reported in 2020 that women across all categories earned only 81% annually of earnings made by men. Pay equity continues to be a topic of discussion at the state and local level – even in 2022, with movement on getting more legislation passed expected in 2023. The goal of pay equity is to close the pay gap, plus pay equity is a strong recruitment and retention tool.

As of late 2022, seven states and several local jurisdictions have laws that require employer transparency, including amendments in Rhode Island, Washington, and California that take effect in 2023. Covered employers in these states must follow requirements that might include posting pay ranges on job postings and/or providing pay scales to candidates and existing employees who apply for open positions to remain compliant with this regulatory requirement.

Another more prevalent way states and localities have been addressing pay discrimination is the adoption of salary history bans, which generally prohibit an employer or hiring manager from inquiring about a job candidate’s pay history prior to an offer of employment or, in some instances, at all. This practice was often used to exclude individuals from a pool of candidates, as well as determine potential compensation, which helped to widen the pay gap between men and women.

As of December 2022, there are 28 states and two territories, including the District of Columbia, that have salary history bans.

As 2023 starts, employers also will need to stay abreast of continued efforts at the federal and state levels to counter discrimination in pay through annual pay data reporting laws intended to mitigate race and gender discrimination in pay.

• California has a pay data reporting law
• Illinois has the Equal Pay Act

Employee Classification Guidance

In mid-October 2022, the U.S. DOL published a Notice of Proposed Rulemaking to revise the current guidance on how to determine whether an individual is an employee or an independent contractor under the Fair Labor Standards Act (FLSA). The proposal would rescind the current rule, aligning it with judicial interpretations of FLSA, and implement the multi-factor, “totality of circumstances” analysis. This approach is to ensure that no one factor is pre-assigned more weight than another and that all factors are analyzed before determining an individual’s classification.

With the public comment period completed, the USDOL is expected to issue its final rule in 2023, which would impact businesses’ regulatory compliance. Understand that the rule is only applicable when determining worker classification under the federal wage and hour law, so employers must be diligent in keeping up with compliance obligations regarding the complex tests for determining worker status under the many other federal, state, local, and industry-specific regulations and laws.

This rule could have major financial implications on employers where individuals formerly classified as independent contractors become classified as employees and are perhaps eligible for the employer’s health coverage and retirement benefits.

Encourage Retirement Savings

SECURE Act 2.0 of 2022, signed into law Dec. 29, 2022 as part of the omnibus spending package, provides businesses and their employees with added incentives with their retirement plans.

The law builds and expands upon the Setting Every Community Up for Retirement Enhancement (SECURE) Act, which went into effect in late 2019 to help counter the retirement crisis in the United States.

SECURE Act 2.0 expands eligibility for certain small businesses to qualify for a credit equal to 100 percent of the administrative costs for establishing a workplace retirement plan. Also in 2023, an employer contribution credit is available for eligible businesses based on their employee matching or profit-sharing contributions. Auto-enrollment of employees into a company's retirement plan is mandatory beginning in 2025, which is meant to encourage more individuals to participate in saving for retirement.

Additional changes include an increase in the age to begin required minimum distribution, more opportunities for part-time workers to participate in a plan, and a  student loan payment matching option that aims to counter two crises – student loan debt and retirement savings at the same time.

Paychex compliance professionals also continue to monitor the expansion and implementation of state-level retirement mandates. In 2023, Colorado, Connecticut, Illinois, Maine, Oregon, and Virginia have deadlines for their established plans or scheduled plans to launch their programs. Check out what’s happening in your state.

• Podcast: 8 Ways SECURE Act 2.0 Could Impact Your Workplace Retirement Plans

Wage and Hour Regulations

Based on listening sessions held in mid-2022, it’s anticipated that the USDOL will release proposed changes to the federal overtime regulations. The changes would reflect the current labor market, including an increase in the salary threshold for exempt workers. Paychex will continue to monitor the situation to help businesses navigate any additional regulatory compliance issues that could result from the changes.

At the state and local level, the wage and hour landscape remains active with minimum wage increases taking effect in almost half the states. All but a few of these increases already were scheduled to be implemented, but in Nevada’s case, its two-tiered minimum wage that factored in whether businesses provided qualifying health benefits was put to the voters in 2022. The ballot measure to establish a $12 minimum wage regardless of health benefits offered passed and will take effect July 1, 2024.

In Michigan, the 2023 minimum wage will depend ultimately on the outcome of ongoing litigation.

In certain jurisdictions, the elimination of sub-minimum wage and tip credits is also shaping the narrative around wages.

Businesses must also keep on top of industry-specific regulatory requirements regarding wages and hours worked – especially in the retail, hospitality, and healthcare industries. The pre-emptive move came from California when it enacted the Fast Food Accountability and Standards Recovery Act (FAST Act) in September 2022. The purpose of the law is to establish a council with the authority to set industry-wide standards that promote the health and safety of fast-food workers in the state.

Opponents of the law filed a voter referendum to block the law, securing more than the required number of verified signatures by Dec. 5, 2022, to block the law potentially from taking effective Jan. 1, 2023, and putting it as a ballot measure in the 2024 general elections. Check out what’s happening in your state.

Paid Leave

In the absence of any significant movement to adopt a federal paid leave program, further hindered by narrow margins for the majority party in either chamber of Congress, states have become more active in this area. When 2022 began, nine states and the District of Columbia had laws on mandated paid family leave – joined most recently by Maryland and Delaware.

Each state’s program is different, including eligibility requirements, coverage, and implementation dates, but every program is or will be funded through payroll taxes paid by employees. In some cases, employer-paid payroll taxes also will help fund the programs.

On Jan. 1, 2023, New Hampshire begins open enrollment for the country’s first opt-in, voluntary paid family leave insurance program. The Granite State Paid Family and Medical Leave program will be available to employers or directly to employees. The private market plan won’t require an income tax or automatic payroll deduction. Similarly, Vermont announced plans to create the Vermont Family and Medical Leave Insurance program, which also will be a voluntary medical leave program. Benefits will be available beginning in July 2023.

Privacy/Cybersecurity

With the growth and continued norm of a hybrid and remote workforce, businesses face new challenges, including the need to adapt privacy policies and cybersecurity practices. These policies and practices should balance the needs of the business against employee and customer expectations regarding the safeguarding of personal information.

No industry or business sector was safe in 2022 from cyberattacks. A quick glance at national and international headlines proved that: the Los Angeles Unified School District had a significant infrastructure disruption. An Australian telecom company suffered the largest cyber breach in the country’s history. Health insurers, educational institutions, and even an IT services consulting company – all hacked.

According to the National Conference on State Legislatures, states continued to introduce or consider cybersecurity legislation, including at least 40 states that produced more than 250 bills or resolutions. However, only a little more than half those states combined to enact 41 of the bills in 2022 – a majority centered on cybersecurity training and funding for cybersecurity programs.

Without a federal privacy law, states have looked to broaden the scope of data protection laws. In step with that, the marketplace has seen a flood of technology solutions designed to assist a business with its obligations. However, businesses need to be mindful that using these solutions might entail new privacy considerations, so it’s imperative to confirm that the solution complies with the rules and regulations of your state and local jurisdictions.

• Article: A cybersecurity plan can be a key productivity hack for your business
• Article: What is Cyber Liability Insurance and Why is It Important
• Podcast: Cybersecurity: What Small Businesses Need to Know
• Paychex can help: Cyber liability insurance

Other Areas of Interest for Businesses To Consider

New Tax Laws: Many states are reviewing potential inflationary adjustments to personal income tax withholding rates, so employers should remain watchful for changes impacting employee withholding tax calculations.

The COVID-19 pandemic forced many states to borrow funds from the federal government to pay unemployment benefits. Employers in states where these Title XII loans are not repaid by Nov. 10, 2023, might owe additional FUTA tax amounts in January 2024. This is commonly known as FUTA credit reduction.

As a helpful budgetary practice is to prepare for an additional tax bill if your state doesn’t repay its outstanding loan amount by the deadline. As of December 2022, the following states could be impacted: California, Connecticut, Illinois, and New York.

Hybrid and Remote Work: In the post-pandemic environment, the remote and hybrid model is a workforce structure employers should have to consider and adapt to, including any compliance obligations that might exist if your employees do not live in the same geographical area as the business. Employment regulations based on an employee’s location can vary state to state and even at the local level.

The laws and even interaction between geographies can be complex, impacting tax considerations such as reporting and remittance, workers’ compensation coverage, paid sick leave, family and medical leave, wage and hour laws, as well as anti-discrimination and pay equity protections.

• Related content: New benefits for remote workers

Healthcare Reform: Covered employers have Employer Shared Responsibility (ESR) reporting obligations under the Affordable Care Act and must ensure the furnishing and filing of timely and correct information returns, especially with increased scrutiny by the IRS. This heightened scrutiny follows the discontinuation of the good faith transition relief from penalties that began in 2021, following several years where businesses were not penalized for incomplete or incorrect returns.

Starting with plan years beginning in 2023, there is a lower affordability rate and a greater risk of an ESR assessment due to the continuation of the Enhanced Premium Tax Credit, so Applicable Large Employers (ALEs) might want to reevaluate employee health contributions to determine if adequate affordable coverage is being offered to full-time employees.

It’s in the news almost daily now, cyberattacks. Making the big headlines are those instances that paralyze the operations of some of the world’s major corporations. What you don’t often hear — and these attacks are far more frequent — are those that impact small and midsized businesses.

Numbers can vary from year and study, but according to research conducted by Paychex for its guide on cybersecurity, cyberattacks on small and midsized businesses are on the rise from the 70-plus percent in 2020. However, a recent report by CNBC based on their study showed that 56% of small-business owners say they are not concerned about being the victim of a hack in the next 12 months, and only 28% have a response plan in place in the event of a cyberattack.

This confidence that an attack won’t occur flies in the face of the 2021 Hiscox Small Business Cyber Risk Report that found many businesses experienced more than one cyberattack in the past year, and 1 in 6 businesses said an attack threatened their survival. The report found that small businesses in particular felt a substantial impact from cybercrime, with some small firms suffering losses of up to $308,000.

Is your business prepared to withstand a cyberattack? Having a strong cybersecurity posture can help your organization defend itself against cyberattacks, secure important information related to the business and your customers and maintain the integrity of your business.

<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/cyber-security-what-small-businesses-need-to-know/id1507824762?i=1000583429510"></iframe>

Cybersecurity Tips for Your Business

Cybersecurity can be defined as the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks, unauthorized access, or criminal use. The Small Business Administration (SBA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission are excellent resources that offer additional tips for combating cyberattacks.

IT experts agree that employees are often the weakest link in the fight against cybercrime. They often make critical mistakes because they lack the knowledge and training to recognize warning signs or avoid improper behavior while working online.

Here's a list of tips to aid in cybersecurity training and greatly enhance the security of your business data:

Cybersecurity Dos

• Use strong passwords and regularly change them. Also, use strong password managers (security questions)
• Use good internet browsing practices
• Keep software up to date, including latest anti-spyware and anti-virus software, that secures your computers, phones, and tablets
• Enable authentication tools (e.g., authentication apps, multi-factor authentication, and more)
• Enable your operating system's firewall, which can prevent outsiders from accessing data on a private network
• Limit access to PII and PHI. Only employees whose job responsibilities explicitly require access to Personal Identifiable Information (e.g., Social Security number, bank account number) and Protected Health Information (e.g., health records, other medical information) should be granted it.

One key component is to provide cybersecurity tips for employees such as training and encourage reporting of suspicious emails or online content. Implement regular courses through a Learning Management System and update the training regularly.

Cybersecurity Don’ts

• Downloading software from the internet or clicking on internet links that launch websites or web ads
• Don't respond to emails, open email attachments, or click links embedded in emails that include typos, spelling errors, incorrect grammar, or pop-up windows. Beware of suspicious subject lines and "urgent" calls to action.
• Don't enter personal or financial information into web forms that don't come from a trusted source.
• Don't respond to the IRS by email or social media. The IRS does not initiate contact with taxpayers by email, social media, or even by phone. Any contact in this manner is a scam.

What are the Risks of a Cybersecurity Threat?

Cybersecurity threats loom over every business, large and small. And the proliferation of connected systems and devices makes cybercrime and disruption more tempting for those intent on committing a crime. A story reported by the BBC in February of 2022 cited new analysis that nearly 75 percent of the money made from ransomware attacks in 2021 went to hackers linked to Russia, and other statistics report that ransomware in Russia is a projected $21 billion industry in 2022.

In the event of a business cybersecurity breach, there are many potential ramifications for an organization. Some of the consequences might include:

• Revenue loss: Shutting down a compromised website could hinder sales or cause website visitors to take their business elsewhere. Repairing damaged systems could come with a hefty price tag. Hiscox found that 71% of U.S. firms targeted in a ransomware attack paid a ransom to either recover data or to prevent publication of sensitive information.
• Reputational damage: The Hiscox report also noted that nearly a quarter of businesses that were attacked received negative publicity as a result.
• Regulatory costs: With recent laws enacted such as the California Consumer Privacy Act (CCPA), businesses could face penalties in the wake of a security breach. Hiscox reported that 18% of U.S. firms targeted paid a substantial fine that had a significant impact on the financial health of the business.
• Lost customers: A security breach can impede an organization's ability to attract and keep customers. Hiscox reported that 19% of respondents who suffered a cyberattack lost customers, with nearly just as many (18%) saying they had greater difficulty attracting new customers after the fact.

Types of Cyber Attacks You Should Know About

Digital malicious attacks come in an array of forms. Innumerable computer viruses, codes, and applications of malware are unleashed on the public every single day. Some of the most common and dangerous forms employ similar tactics.

Smishing

Smishing is the latest technique by bad actors to gain access to information. It’s like phishing but comes via text where there are fewer protections in place and uses all the hallmarks of phishing; demands for urgency, appearance that text is coming from trusted source, links to malicious websites.

Phishing or Business Email Compromise

One of the most invaluable business cybersecurity tips is handling any suspicious email with great care. Experts urge people looking at iffy emails to hover over hyperlinks (without clicking on them) to determine whether they'll send you to an unfamiliar or suspicious web page. If it is an email that originates from your ISP, bank, or credit card company, remember that these institutions will never ask for sensitive information like your password or Social Security number. According to FBI statistics for 2019, business email compromise accounted for $1.7 billion in fraud losses.

Malware (Adware, Spyware, Ransomware)

These insidious attacks assume many guises, the most pernicious of which is called ransomware. When opened, this malicious software seizes crucial files and keeps those files "hostage" until the victim pays ransom to decrypt them. Ransomware gets into a business system when unsuspecting users:

• Download materials from a compromised website.
• Open a fraudulent email attachment.
• Employ an unauthorized USB stick or some other external media device.

Social Engineering (Identity Theft)

Cyber criminals exploit our natural tendency to trust a message we receive and/or assist someone we believe to be in need. If someone you know sends you an email containing a link they want you to click on, or an attachment contains what you're told is a photo or other attachment they want you to see, don't do it if there's the slightest suspicion that something's wrong.

Distributed Denial of Service (DDoS)

Cyber criminals barrage a company's server, overwhelming it so that it slows significantly or even crashes. The system stops working at this point. This is perhaps the most common form of assault on cloud infrastructure and storage.

Password attacks (or Brute Force)

This type of cyberattack occurs when a hacker uses software to determine (and then steal) working passwords.

Data leaks

A data leak, which is the intentional or unintentional release of secure or confidential information to an untrusted third party, can damage both a business as well as its employees and customers.

Viruses

There are many ways that a computer virus can spread: a user can open an attachment in a phishing email, run an executable file, visit an infected website, or use an infected removable storage devices, such as a USB drive.

Develop an Effective Cybersecurity Plan

Cybersecurity for your business could be simplified to mean just good decision-making. And not just by employees but by business owners as well. Think: Have you taken the cybersecurity threats seriously enough? Do you have up-to-date software to protect your business from the types of cyberattacks that could catastrophically damage it? If the answer is no or you're unsure, develop a cybersecurity plan.

These tips might increase the odds of adequate data protection in your favor:

1. Regularly assess existing risks and update IT systems.

It's essential to conduct a thorough assessment once a year (or every six months, preferably), with an emphasis on exposing vulnerabilities of those key assets containing confidential information and intellectual property. Also, commit to routine maintenance and regular software updates on all company devices.

2. Back up your systems in the cloud.

Businesses with a cybersecurity plan that store data properly are far less vulnerable to ransomware. Files should be backed up daily in multiple secure locations, such as the cloud or a hybrid data center, to ensure you have continual, uninterrupted access to the data you need if an attack occurs.

3. Undertake an aggressive employee cybersecurity training program.

Security is frequently compromised by user mistakes or carelessness. Consider implementing a cybersecurity training program that takes place on a regular basis so employees understand how critically important it is to maintain vigilance and to use good judgment with sensitive business data.

4. Install mobile-device security measures.

Use of mobile devices to work and communicate throughout the company increases the likelihood of a malicious attack because the channels are unsecured. Establish policies to:

• Restrict the types of information these devices can access and share
• Determine whether mobile devices provided by the business can be taken off-site
• Enforce network access control, whereby employees can access your business's VPN and email in a secure, reliable manner.

5. Plan a response to an unauthorized intrusion.

A comprehensive incident response plan that stresses the need to immediately contact the help desk or IT team might significantly curtail the effects of an attempted data breach. Taking a proactive, strategically defensive stance can typically minimize the risk to your business and customers, enabling you to continue to focus on other vital aspects of operations.

Make Sure Your Business is Protected from a Cyberattack

Your current business insurance coverage might not include the range of expenses incurred by many types of cyberattacks — from interruption of business operations and the need for customer notifications to comprehensive security upgrades and the effort required to restore your company's damaged brand. For these reasons, consider cyber liability insurance as part of a broader cybersecurity plan and in tandem with your regular business insurance and employment liability policies.

An effective cybersecurity policy can help secure business interruption protection and cover legal fees incurred by judgments or settlements. Contact a professional to learn more about cyber liability coverage.

Does your organization have obligations under HIPAA? If so, you'll need to fully understand the current HIPAA law and employers must know what steps to take to protect employees' personal health information.

What Does HIPAA Stand For?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

What Is HIPAA Law and What Does HIPAA Protect?

According to the U.S. Department of Health and Human Services (HHS), HIPAA allows for necessary information sharing to ensure individuals receive access to high-quality health care, while also protecting their right to privacy. Any provider or company with access to protected health information must put measures in place to comply with HIPAA.

Who Does HIPAA Apply To?

Health care is one of the most highly regulated industries when it comes to the protection of private information. Patients and employees have come to expect that medical practitioners and other healthcare companies have adequate measures in place to protect their personal data. Employers may also be subject to privacy regulations that fall under HIPAA if they are considered a covered entity or business associate, or through the administration of a group health plan. Employers need to understand any applicable HIPAA rules — particularly during public health emergencies such as the COVID-19 pandemic — and put the correct tools and protocols in place to protect their employees' health information.

What Are Some Misconceptions About HIPAA Laws and Rules?

There are some myths about HIPAA laws and rules for employers. The HHS sets the record straight on its site that HIPAA doesn't:

• Prevent an employer from asking for a doctor's note for an absence, although this practice may create other exposures for employers.
• Affect your ability to request information needed to administer benefits programs, such as healthcare coverage, workers' compensation claims, or sick leave, although employers should consider other risk factors around these types of requests.
• Cover all employee benefit information. For example, employee life insurance, disability and workers' compensation, and wellness programs are generally not covered under this legislation.
• Cover protection of data maintained in employment records. HIPAA rules for employers only apply to medical or health plan records of employees participating as a member of the company's healthcare plan.

What Is the Purpose of HIPAA Laws and Rules in the Workplace?

HIPAA laws and regulations are used in the workplace to protect the health and medical records of employees participating in an employer-sponsored healthcare plan. The laws regulate how individuals' protected healthcare information maintained by a healthcare plan can be shared with employers.

Which Organizations Are Impacted by HIPAA Law?

There are two types of organizations that are subject to HIPAA: covered entities and business associates. Employer-sponsored health plans are considered covered entities. This means that the exchange of information between employers and health plans may be subject to additional safeguards compared to other benefit plans.

What Is a Covered Entity Under HIPAA?

This refers to healthcare organizations, including but not limited to healthcare providers, hospitals, employer-sponsored health plans, and pharmacies.

What Are Business Associates Under HIPAA?

This is a category that refers to any person or business that provides services to or works with covered entities or other business associates. If you perform services on behalf of a covered entity or business associate that involves the use or disclosure of protected health information (PHI), and fall into categories such as service providers (e.g., accountants), consultants, or technical support (like cloud storage), your business associate contract likely contains provisions that relate to HIPAA.

Does HIPAA Law Apply to All Employers?

Due to the complexities of HIPAA regulations, employers are wise to assume that if they possess health information about employees, they will need to spend time ensuring compliance. HIPAA imposes a range of requirements, but the provisions that are relevant to all subject entities pertain to the security and privacy of health-related information. By understanding applicable HIPAA rules for employers, it's possible to identify your potential risks and put a plan into place to help mitigate your exposure.

Becoming HIPAA-Compliant

Although HIPAA's primary intent is to improve the portability and continuity of healthcare insurance plans, employers should still be familiar with the law and potential areas that may affect them. HIPAA compliance for employers can often result in stronger data security and standardized processes that benefit an employer's benefits administration procedures.

What Are Some Common Employer HIPAA Violations?

Reported incidents are generally categorized by the following types:

• Hacking/IT incidents: Improper data access resulting from an outside intrusion in the form of malware or other system break-ins.
• Theft/loss: For example, when devices storing protected health information are lost or stolen.
• Unauthorized access/disclosure: The disclosure of an individual's private information to an entity without proper approval to receive such information.
• Improper disposal: When protected health information is disposed of without the implementation of reasonable safeguards, such as shredding paper documents.

Five Important HIPAA Rules for Employers

There are five rules to pay close attention to in regard to HIPAA law. Employers should consider each of these rules carefully when it comes to compliance.

Privacy and Personal Health Information Rule (45 CFR §164.530)

HIPAA defines PHI broadly. However, some examples of PHI under HIPAA include demographic and contact information, such as a name, address, and a Social Security number that relates to an individual's past, present, or future health status. The definition of PHI also encompasses information related to payments made for the provision of health care.

HIPAA also specifically defines with whom protected health information can be shared. Primarily, covered entities and business associates can share PHI only in the following situations:

• With the person in question for treatment, billing, and healthcare operations;
• With descendants in the case of death;
• To a designated personal representative; or
• In response to a court order.

HIPAA rules require that covered entities provide notice regarding privacy practices and how PHI may be used or shared. The law is very specific regarding patient rights, what must be included, and when information must be presented.

Electronic Security Rule (45 CFR §164.308)

This rule requires physical, technical, and administrative safeguards be put into place to protect individuals' health information. The responsibility is placed on covered entities and their business associates to secure protected health information in electronic form. Organizations are expected to take the necessary steps to ensure privacy, protect against threats, ensure employee compliance, and protect against prohibited electronic uses or disclosures. Compliance is taken very seriously by regulators, with enforcement and penalties ranging up to $50,000 per violation and the potential of enforcement action in egregious cases.

Breach Notification Rule (45 CFR §§ 164.400-414)

Under this rule, covered entities and business associates are required to report any breach that compromises an individual's protected health information. In the event of a breach, proper notification must be made to affected individuals, and copies of the notifications must be submitted by the covered entity to the secretary of the HHS.

Administrative Simplification Regulation (45 CFR 160, 45 CFR 162, and 45 CFR 164)

The Administrative Simplification provisions standardize the electronic exchange of healthcare information. National standards were set for electronic transactions, code sets, and unique identifiers. Employers must use their Employer Identification Number used for tax reporting as their identifier for all HIPAA transactions.

Omnibus Rule (45 CFR § 164.308, 164.312 and 164.316)

This rule expanded liability for business associates and instituted greater penalties for noncompliance. Additional rules prevent certain information from being shared about an employee's health plan when they pay for medical services out of pocket. Companies that may be defined as a business associate will need to understand how their responsibilities have changed and make appropriate adjustments to their HIPAA policies or procedures.

How Does HIPAA Apply to Employers During Events Causing Public Health Concerns?

While HIPAA requirements still apply during public health emergencies, employers may be permitted to disclose PHI to certain individuals or organizations without an employee's or patient's permission. Such examples include:

• At the direction of public health authorities, information may be disclosed to foreign government agencies;
• Individuals at risk of spreading the disease; and
• A patient's family members, relatives, friends, or others involved in the patient's care.

Although HIPAA restricts the sharing and use of personal health information by covered entities and business associates, the law doesn't apply to employment records. Using COVID-19 as an example, the current HIPAA regulation does not prohibit employers from requesting vaccine information from employees. Also, HIPAA doesn't prevent individuals from voluntarily sharing vaccination status in the workplace, as individuals are not considered covered entities.

Employers should note that other state or federal rules may apply. For more information on HIPAA and COVID-19 vaccine employer guidelines, please visit our COVID-19 Vaccine: Frequently Asked Questions.

HIPAA Compliance in the Workplace

HIPAA compliance for employers is critical, whether they are a covered entity or business associate, offer a group health plan, or are operating during a public health emergency. Proactively addressing HIPAA may yield additional benefits for your organization, such as enhanced data security and a more efficient flow of information stemming from the use of standardized procedures and data identifiers.

If your business operates in the healthcare space or contractually works with a company that does, it's important that you determine your HIPAA obligations and risk exposure. An experienced HR professional or business attorney can help you map the risks, as well as develop and implement a plan to stay HIPAA-compliant.