Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity, data and financial assets that could be stolen or corrupted. Much like physical hygiene, cyber hygiene is regularly conducted to ward off natural deterioration and common threats.
One can think of cyber hygiene as the countermeasures that are implemented on a network to keep the system and data safe from hackers, fraudsters and negligent employees. It is most effective when implemented in layers. These levels build up a protective defense against all network threats. The idea is to create robust detection and prevention measures that monitor, identify, alert and stop threats to the network.
Many Small and Medium-sized Enterprises do not have IT reporting to the C-Suite. Therefore, leaders tend to manage cybersecurity based on assumptions about the level and scope of elements in place, such as:
What’s missing is the validation that the information surrounding an organization’s cyber defense is accurate. Therefore, businesses need to validate controls in a continuous manner, rather than viewing measurement of security as one snapshot at a time.
Understanding inside weaknesses and vulnerabilities is more important than ever. To truly prepare for the cyber threats, it’s crucial that organizations start operationalizing a view of security from the inside out while focusing on cyber hygiene right at the heart.
For this reason, Alera Group recommends all companies adopt Continuous Threat Monitoring (CTM). CTM is aligned to give real-time visibility into security systems. Instead of penetration tests or audits, which are static, continuous monitoring gives more holistic visibility into systems over a longer period of time. Businesses can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations, and, ultimately, improve their cyber posture over time.
Companies can approach cybersecurity with an “inside out” view by doing the following:
When you approach security from the outside in, you’re simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets.
About the Author
Steve Paulin, CIC is a Risk Management professional and Workers’ Compensation Practice Leader for Orion Risk Management, an Alera Group Company. Steve has over 35 years of experience helping mid-market businesses reach their profit goals by optimizing the insurance program’s financial efficiency and risk management outcomes. Steve has extensive experience with Cyber Risk, and Loss Sensitive plans, including Large Deductible and forming Captive programs.
This is the seventh article in our Compliance 101 blog series where we use six questions to break down important compliance topics. Below you will learn more about the Affordable Care Act (ACA) Affordability Safe Harbors. Read more below!
Who needs to worry about affordability safe harbors?
Definition: ALE as defined in section 4980H(c)(2) of the Internal Revenue Code, enacted by the Affordable Care Act (ACA), with respect to a calendar year is an employer that employed an average of at least 50 full-time employees on business days during the preceding calendar year.
What is the purpose of an affordability safe harbor?
*FPL is also commonly referred to as the federal poverty level safe harbor. However, in the final IRS regulations and IRS Q&A 39 on employer shared responsibility provisions the safe harbor is referred to as the federal poverty line safe harbor.
Where is the affordability safe harbor used?
Why does it matter if an ALE offers affordable coverage?
IRC §4980H(b)—The “B” Penalty. This is also referred to as the “tack hammer” penalty. Full-time employees who were offered but decline employer coverage that does not provide minimum value or is not affordable will trigger the “B” penalty. The monthly penalty assessed on an ALE for each full-time employee who receives a subsidy will be 1/12 of $3,860 (in 2020) for any applicable month.
When is coverage considered affordable for the purposes of the employer shared responsibility provisions?
How are the safe harbors calculated?
Affordability safe harbors are used to determine whether the employer may be subject to an ACA shared responsibility penalty. It is possible for the employer’s coverage to be considered affordable under one of the three safe harbors (and therefore not liable for an ACA penalty) but unaffordable relative to the employee’s household income and the employee is still eligible for a marketplace/exchange subsidy.
Form W-2 Wages Safe Harbor
Rate of Pay Safe Harbor
NOTE: No guidance has been released that changes any of the affordability analyses for purposes of COVID-19. For instance, for purposes of the W-2 safe harbor, the amount in Box 1 could be significantly less if employee hours were reduced or they were furloughed or transitioned to some type of unpaid status. Employers should ensure they are in compliance with the ACA employer mandate to avoid penalties.
If you have additional questions on the content in this blog, please reach out to your Alera advisor or email us at info@aleragroup.com to be connected with a compliance expert in your area.
Disclaimer: This blog was written by Michelle Turner, MBA, CEBS, Compliance Consultant, Alera Group Central Region. This blog post intends to provide general information regarding the status of, and/or potential concerns related to, current employer HR & benefits issues. This blog should not be construed as, nor is it intended to provide, legal advice. The opinions expressed herein are based upon the author’s experience as a Compliance Consultant and may not reflect the opinions of your counsel.
The information contained herein should be understood to be general insurance brokerage information only and does not constitute advice for any particular situation or fact pattern and cannot be relied upon as such. Statements concerning financial, regulatory or legal matters are based on general observations as an insurance broker and may not be relied upon as financial, regulatory or legal advice. This document is owned by Alera Group, Inc., and its contents may not be reproduced, in whole or in part, without the written permission of Alera Group, Inc.
This article was last reviewed and up to date as of 09/22/2020.
I hope you all had a wonderful weekend! Below please find this week’s curated list of wellbeing resources. Feel free to share these resources, as appropriate, with your team.
Have a safe and healthy week!
Career Wellbeing
Social & Family Wellbeing
Financial Wellbeing
Physical Wellbeing
Emotional Wellbeing
Community Wellbeing
Employer Focused Wellbeing
About the Author
Andrea Davis, Director of Wellbeing
Andrea joined Alera Group Northeast (formerly CBP) in July 2013, bringing over 15 years of experience in management consulting and strategic solutions. As the Director of Wellbeing, she is responsible for assisting with the development, implementation and evaluation of comprehensive wellness strategies for existing and prospective Alera Group clients. She provides assistance and support to Alera Group clients by developing personalized programs that fit clients’ unique health management needs, wellness program implementation, committee development, promotion and marketing of their programs to encourage participation. In addition, Andrea conducts program analysis and generates reports related to program participation, health assessment and client utilization.
Our hearts go out to all of those affected by the wildfires spreading across the west coast. Currently, the fires have spread across California, Oregon, Washington, and other western states. Alera Group has clients and offices throughout those states and sympathy is with all those impacted by the destruction. If you live in the affected or surrounding areas, please take proper precautions and stay safe!
Trauma, disruption and displacement often cause increased stress, and an employee assistance program (EAP) can help employees develop coping skills to address real or perceived threats in a productive manner.
What is an EAP?
An Employee Assistance Program (EAP) is a confidential workplace service that offers free and confidential assessments, short-term counseling, referrals, and follow-up services to employees who have personal and/or work-related problems.
What does an EAP help with?
An EAP can help employees deal with work-life stressors, family issues, financial concerns, relationship problems, and even drug or legal concerns. Some EAPs also extend assistance to family members.
EAPs can assist with:
In response to the COVID-19 pandemic, many states are offering free support telephonically. The emotional and mental health toll of this crisis will be significant. Additional support and resources can help address the impacts of stress, fear, financial loss, illness, grief and loss, children out of school and isolation created by social distancing.
Please note: carriers may offer embedded EAP programs in your life, disability, medical plans at no cost to you or your employees. Standalone EAP solutions are also available typically based on a per-employee-per-month rate ranging from $1.10-$2.50 depending on services and needs. Contact your local Alera Group consultant for additional information or email us at info@aleragroup.com to be connected with an office near you.
To learn more about the western wildfires here are a few resources:
How to help those affected by the wildfires:
On September 11, 2020, the U.S. Department of Labor (“DOL”) released a temporary rule updating certain FFCRA regulations. The temporary rule is scheduled to be published on September 16, 2020, and will be effective immediately through the expiration of the FFCRA’s paid leave provisions on December 31, 2020.
The temporary rule updates FFCRA regulations issued in April 2020 in response to a recent federal District Court decision which found four portions of the initial regulations invalid: provisions related to whether the FFCRA applies if employers do not have work available for employees; the timing for which employees must request the need for leave; the definition of health care provider; and the availability of intermittent leave.
While many anticipated that the DOL would appeal the decision, the DOL elected to reaffirm and clarify its position on some of these issues, while choosing to revise or update others. Thus, while the court’s order was limited to companies operating in New York (or potentially only those in the Southern District of New York), the DOL’s revisions to the regulations apply to all employers subject to the FFCRA (inside and outside New York).
The District Court’s order and the updated regulations are discussed in more detail below.
New York Federal District Court Decision
Soon after the FFCRA regulations were implemented, the State of New York sued the DOL in the United States District Court for the Southern District of New York claiming the DOL exceeded its authority when it implemented several provisions of the FFCRA regulations. The District Court agreed in part and, in August, the court issued an order invalidating several portions of the FFCRA regulations.
Updated Regulations
In the updated regulations, the DOL reaffirms its regulations related to the work availability and intermittent leave requirements, but provides further clarification or explanation of its regulations. The DOL revised regulations related to the definition of “health care provider” and notice requirements. The rationale and changes are discussed more fully below:
Work Availability
Specifically, for purposes of the work availability requirement, the DOL affirms that neither emergency paid sick leave nor expanded FMLA under the FFCRA may be taken unless the employer has work available for the employee (the “work availability” requirement). The FFCRA statute provides that leave under the FFCRA is available if an employee is unable to work (or telework) “because of” or “due to” a qualifying reason under the FFCRA. The DOL cites to U.S. Supreme Court authority that interprets “because of” or “due to” language to create a “but for” test or analysis. Thus, FFCRA leave must be the “but for” cause of the employee’s inability to work. Furthermore, the DOL reasons that the plain meaning of the word “leave” in this context, and based on longstanding DOL interpretation, means that someone has to be absent from work at a time the employee would otherwise be working. Thus, the DOL stands by its original regulation and provides that an employee cannot take FFCRA leave if there was no work available from the employer for the employee to perform.
Finally, the DOL explains that this requirement was intended to apply for all qualifying reasons under the FFCRA, not just those that were initially listed in the original regulations.
Intermittent Leave
The FFCRA is silent about the availability of intermittent leave, but as the DOL notes in the preamble to the updated regulations, the DOL was given broad authority to develop rules under the law. Thus, consistent with FMLA regulations, the DOL interpreted the availability of intermittent expanded FMLA leave for employees working onsite similar to how it applies for purposes of FMLA, which may also require employer approval. For emergency paid sick leave, however, there is opportunity for spreading COVID-19 in the workplace. Thus, it would be contrary to the purpose of the FFCRA to allow someone to take emergency paid sick leave intermittently (unless caring for a child whose regular day care provider is unavailable due to COVID-19). Therefore, for employees working on-site, the DOL reaffirms its decision to only allow intermittent leave for expanded FMLA leave purposes. The DOL confirmed, however, as originally provided, that intermittent leave may be available for any FFCRA qualified reason if an employee is teleworking, as there is no risk the employee would spread COVID-19 at a worksite. In any intermittent leave context, however, permission from the employer is still required.
Health Care Provider Definition
In an effort to ensure the public health system could maintain its necessary function during the COVID-19 pandemic, the FFCRA allowed employers to exclude employees who are “health care providers” or “emergency responders” from eligibility for expanded FMLA leave and emergency paid sick leave.
The DOL took an expansive approach in defining “health care provider” in its initial FFCRA regulations to ensure health care operations would not be hampered, such as ensuring maintenance to health care facilities, trash collection, food services for hospital workers, and other similar services. The District Court found this approach to be overly broad and, therefore, per the District Court’s order, the DOL opted to revise its definition of health care provider. In the updated regulations, health care providers include employees who are health care providers under existing FMLA regulations and “any other employee who is capable of providing health care services such as diagnostic services, preventive services, treatment services, and other services that are integrated with and necessary to the provision of patient care and, if not provided would adversely impact patient care.”
This could include a variety of health care practitioners other than doctors, including nurses, nurse assistants, medical technicians, and laboratory technicians. The preamble and rule provide numerous examples of what would constitute diagnostic, preventive or treatment services, and services integrated with these that are necessary for patient care, such as bathing, dressing, or feeding patients, among several others. Food service professionals, IT professionals, building maintenance workers, HR professionals, or other individuals who do not provide health care services even though their work impacts health care services are no longer included in the definition of health care providers.
Employees falling within the new definition of health care provider can work in a variety of settings including, but not limited to, hospitals, clinics, doctor’s offices, medical schools, local health departments, nursing or retirement facilities, nursing homes, home health providers, laboratories, or pharmacies.
Notice of the Need for Leave
In the updated regulations, the DOL clarifies that notice of the need for emergency paid sick leave must be provided as soon as practicable (instead of before emergency sick leave is taken), which is consistent with the position the plaintiffs took when they challenged the original regulations.
Additionally, the DOL revised the regulations regarding notice of expanded FMLA leave. For a foreseeable need for expanded FMLA leave, the employee must provide notice as soon as is practicable, which may mean the employee may have to provide advance notice of the need for leave if the facts and circumstances support prior notice. Prior notice is not required for an unforeseeable need for expanded FMLA leave. Finally, the employer may require an employee to substantiate the need for leave as soon as practicable, which may be at the same time notice is provided.
The DOL also updated its FFCRA FAQs consistent with the updated regulations.
Conclusion
As mentioned previously, the DOL’s updated regulations impact all employers subject to the FFCRA, not just those with employees in New York. Thus, all impacted employers should familiarize themselves with the updated regulations and administer them accordingly moving forward.
To the extent an employer has employees impacted by the revised regulations, such as individuals previously included in the DOL’s broad definition of health care provider or employees who were denied emergency paid sick leave for failing to provide advance notice, they should consult directly with counsel to discuss how to address those specific situations.
About the Author. This alert was prepared by Marathas Barrow Weatherhead Lent LLP, a national law firm with recognized experts on the Affordable Care Act. Contact Danielle Capilla (danielle.capilla@aleragroup.com) with questions.
The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency and Marathas Barrow Weatherhead Lent LLP are not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions.
© 2020 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved.
This is the sixth article in our Compliance 101 blog series where we use six questions to break down important compliance topics. Below you will learn more about Medicare Part D Creditable Coverage Notices. Read more below!
If you have any questions, please contact your local advisor or email us at info@aleragroup.com to be connected with a compliance consultant and Alera firm near you.
Disclaimer: This blog was written by Michelle Turner, MBA, CEBS, Compliance Consultant, Alera Group Central Region. This blog post intends to provide general information regarding the status of, and/or potential concerns related to, current employer HR & benefits issues. This blog should not be construed as, nor is it intended to provide, legal advice. The opinions expressed herein are based upon the author’s experience as a Compliance Consultant and may not reflect the opinions of your counsel.
This article was last reviewed and up to date as of 09/08/2020.
Creating a home inventory may seem like a bother, but the day will come when you will be glad you did. If you ever need to file a claim, your inventory will make it easy and efficient. Plus, it doesn’t have to be such a bother. Yes, you can write everything down on a list, keep your receipts in a folder and update that regularly. Or you can use technology and tour your house with a smartphone or digital camera, making comments and recording your items and receipts and related information as needed, and update that regularly.
Be sure to include some of the following details about items in your inventory:
When to Create your Inventory. Now!
Here are three very practical reasons not to put off this important task any longer if you haven’t done it already.
A home inventory will:
I hope you all had a wonderful weekend!
If you only read one of the articles posted below this week, I highly recommend Tara Haelle’s piece on ‘surge capacity’. ‘Surge Capacity’ is defined as “a collection of adaptive systems — mental and physical — that humans draw on for short-term survival in acutely stressful situations, such as natural disasters.” But what do we do in a pandemic, when the disaster stretches out indefinitely? Or as Haelle says “how do you adjust to an ever-changing situation where the ‘new normal’ is indefinite uncertainty?”. She likens it to trying to stand in a dinghy on rough seas, not knowing when the storm will pass. This piece does a wonderful job trying to explain the toll that the pandemic is taking on us and offers some tangible thoughts on how to continue to move forward.
Below please find this week’s curated list of wellbeing resources. Feel free to share these resources, as appropriate, with your team.
Have a safe and healthy week!
Career Wellbeing
Social & Family Wellbeing
Financial Wellbeing
Physical Wellbeing
Emotional Wellbeing
Community Wellbeing
Employer Focused Wellbeing
About the Author
Andrea Davis, Director of Wellbeing
Andrea joined Alera Group Northeast (formerly CBP) in July 2013, bringing over 15 years of experience in management consulting and strategic solutions. As the Director of Wellbeing, she is responsible for assisting with the development, implementation and evaluation of comprehensive wellness strategies for existing and prospective Alera Group clients. She provides assistance and support to Alera Group clients by developing personalized programs that fit clients’ unique health management needs, wellness program implementation, committee development, promotion and marketing of their programs to encourage participation. In addition, Andrea conducts program analysis and generates reports related to program participation, health assessment and client utilization.
On August 24, 2020, amended guidance was provided by the Office for Civil Rights (OCR) of the US Department of Health & Human Services, the agency that has jurisdiction to enforce HIPAA. The new guidance allows covered health care providers (e.g., hospitals, pharmacies, laboratories) and health plans to use, without an individual’s authorization, protected health information (PHI) to identify and contact individuals who have recovered from COVID-19 to inform them about how they can donate their plasma containing antibodies (known as "convalescent plasma") to help treat others with COVID-19.
Background – Use Or Disclosure of PHI
The HIPAA Privacy Rule permits HIPAA-covered entities (or their business associates on the covered entities’ behalf) to use or disclose PHI without an individual’s authorization for:
When using or disclosing PHI for one of these three purposes, the covered entity (e.g. health plan) must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
Amended Guidance
Under the Department of Health and Human Services (HHS) guidance, health plans may use PHI to identify and contact individuals who have recovered from COVID-19 to inform them about how to donate plasma. This is considered a permitted health care operations activity to the extent that facilitating the supply of donated plasma would be expected to improve the health plan’s ability to conduct case management for patients or beneficiaries that have or may become infected with COVID-19.
Limitations On The Use of PHI Without Authorization
A covered entity may identify and contact individuals, without authorization, to the extent that the activity does not constitute marketing. (Marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service.) Thus, a health plan could inform or encourage individuals who have recovered from COVID-19 regarding the means and benefits of donating plasma, but cannot encourage such individuals to use any particular blood or plasma donation center(s) if they receive any compensation (direct or indirect) from the donation center.
HIPAA Privacy Rule Reminder
A covered entity generally cannot disclose PHI to a third party, including another HIPAA-covered entity, without the individual’s authorization. Therefore, a health plan should not disclose PHI about individuals who have recovered from COVID-19 directly to a blood or plasma donation center, for the donation center’s own purposes (unless the participant has authorized this disclosure).
This article was last reviewed and up to date as of 09/03/2020.
As more and more parts of daily life transition online, data security is becoming more and more important! Here are 13 tips for protecting your identity.
14.4 million consumers were victims of identity fraud in 2018, according to the 2019 Identity Fraud Study from Javelin Strategy & Research.
Here are some tips: