Adopting an Inside Out Approach to Cybersecurity

Posted on September 30th, 2020

Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity, data and financial assets that could be stolen or corrupted. Much like physical hygiene, cyber hygiene is regularly conducted to ward off natural deterioration and common threats.

One can think of cyber hygiene as the countermeasures that are implemented on a network to keep the system and data safe from hackers, fraudsters and negligent employees. It is most effective when implemented in layers. These levels build up a protective defense against all network threats. The idea is to create robust detection and prevention measures that monitor, identify, alert and stop threats to the network.

Many Small and Medium-sized Enterprises do not have IT reporting to the C-Suite. Therefore, leaders tend to manage cybersecurity based on assumptions about the level and scope elements in place, such as:

All elements of the firewall are 100% activated
Malware detection is fully functional
Established access management parameters
Appropriate wireless security protocols
Endpoint security (mobile devices, tablets, laptops)
All software registration certificates are up-to-date
Vendor connections are working correctly and secure
Security patch management

What’s missing is the validation that the information surrounding an organization’s cyber defense is accurate. Therefore, businesses need to validate controls in a continuous manner, rather than viewing measurement of security as one snapshot at a time.

Understanding inside weaknesses and vulnerabilities is more important than ever. To truly prepare for the cyber threats, it’s crucial that organizations start operationalizing a view of security from the inside out while focusing on cyber hygiene right at the heart.

For this reason, Alera Group recommends all companies adopt Continuous Threat Monitoring (CTM). CTM is aligned to give real-time visibility into security systems. Instead of penetration tests or audits, which are static, continuous monitoring gives more holistic visibility into systems over a longer period of time. Businesses can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations, and, ultimately, improve their cyber posture over time.

Companies can approach cybersecurity with an “inside out” view by doing the following:

Identify exact points of vulnerability within the attack life cycle. For example, the first point of vulnerability is your organization’s own people. Security leaders should focus on helping their teams understand an attacker’s behavior in a particular segment they’re trying to defend. Then validate defenses by testing the incident response process. By understanding how teams currently respond to threats with practice scenarios, leaders can determine where to make defenses stronger. Then systematically proceed to identify points of entry and vulnerabilities.
Measure ROI on cybersecurity investments. Businesses must ensure trust with their partners and clients. At the same time, to ensure cybersecurity businesses are incurring new expenses that previously had not been contemplated. This is why it’s especially important to verify that your organization is attaining the expected ROI out of cybersecurity investments — rather than assuming so. Security leaders need data that shows exactly where the security gaps are and where you need to invest more heavily.
Apply risk-based decision-making, not compliance-based. Traditional models of measuring cybersecurity effectiveness tend to be siloed and compliance-based, where cybersecurity measures are managed across separate enterprise channels and important data is underutilized. This also tends to result in a “checklist” mentality, which can leave your company vulnerable. Instead, cybersecurity must be aligned with your organization’s biggest risks and mission-critical business needs with products that deliver holistic and actionable insights. Further, IT must have a seat at the management table to share knowledge and be held accountable.
Determine which technologies can be improved and which can be removed from the stack. For cybersecurity personnel, there are many products they have to manage. But it’s important to verify which products in the environment are working and which are not. Solutions for one organization may not be the right match for yours. Determine what technology products can give you the most value and what fits best with your current architecture so that you’re not purchasing redundant products that you already own. Having security controls mapped in an automated fashion also makes it easier to tag and label identified threats.
Develop close relationships with cybersecurity resources. When it comes to cyber threats, and how they continue to evolve, businesses are faced with the known and massive unknown. Many businesses are under-prepared and/or under-insured for their growing cyber peril. Therefore, it’s imperative for businesses to have a quantifiable way to understand their own digital network security posture. As cyber perils looms, the focus must shift from a reactive position to an intentional, proactive approach engaging risk management, incident prevention and response. Success is about integrating technology and forging relationships with third-party providers, such as Cybersecurity Operation (Sec Ops) experts. These Sec Ops deliver an end-to-end solution that identifies a company’s network vulnerability, closes gaps, educates employees on how to avoid exposing their network to hackers, provide 24×7 monitoring and establish a post-incident event plan. These best in class attributes reduce the chance of cyber disruption for an improved risk profile

When you approach security from the outside in, you’re simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets.

About the Author

Steve Paulin, CIC is a Risk Management professional and Workers’ Compensation Practice Leader for Orion Risk Management, an Alera Group Company. Steve has over 35 years of experience helping mid-market businesses reach their profit goals by optimizing the insurance program’s financial efficiency and risk management outcomes. Steve has extensive experience with Cyber Risk, and Loss Sensitive plans, including Large Deductible and forming Captive programs.

The Five Ws, and One H of Affordable Care Act (ACA) Affordability Safe Harbors

Posted on September 23rd, 2020

This is the seventh article in our Compliance 101 blog series where we use six questions to break down important compliance topics. Below you will learn more about the Affordable Care Act (ACA) Affordability Safe Harbors. Read more below!

Download this article.

Who needs to worry about affordability safe harbors?

Definition: ALE as defined in section 4980H(c)(2) of the Internal Revenue Code, enacted by the Affordable Care Act (ACA), with respect to a calendar year is an employer that employed an average of at least 50 full-time employees on business days during the preceding calendar year.

All applicable large employers (ALEs), including nonprofit, and government employers must offer minimum value (MV), affordable coverage to its full-time employees (defined as, for a calendar month, an employee employed on average at least 30 hours of service per week, or 130 hours of service per month) to avoid a penalty, also known as an employer shared responsibility payment.
Non-ALEs are not subject to the employer shared responsibility regulations.

What is the purpose of an affordability safe harbor?

ALEs when determining whether coverage is affordable for purposes of the ACA’s provisions, are not likely to know the household income of their employees, so the IRS provides three safe harbors: Form W-2 wages, an employee’s rate of pay, or the federal poverty line (FPL)* that an employer may use instead of household income in making the affordability determination.
*FPL is also commonly referred to as the federal poverty level safe harbor. However, in the final IRS regulations and IRS Q&A 39 on employer shared responsibility provisions the safe harbor is referred to as the federal poverty line safe harbor.

Where is the affordability safe harbor used?

Under the ACA, ALEs are required to report, typically using IRS Forms 1094C/1095-C, whether they did or did not offer minimal value, affordable coverage to each full-time employee (and dependents) for one or more months during the calendar year.
For a full-time employee who was offered minimal value, affordable coverage but declined, an employer on Form 1095-C, Part II, Line 16, will report to the IRS the reason, (i.e. how affordability was determined) why it should not be subject to an employer shared responsibility penalty with respect to the employee on whom it’s reporting using the applicable safe harbor code for each calendar month.

Why does it matter if an ALE offers affordable coverage?

Under the ACA, an employee is not eligible for subsidized Marketplace/exchange coverage for any month in which the employee is offered health coverage under an eligible employer-sponsored plan that provides MV and that is affordable relative to the employee’s household income.
If an employer offers MV coverage to at least 95% of its full-time employees in any given calendar month but that coverage is not affordable under one of the safe harbors and a full-time employee is approved for a premium tax credit for Marketplace/ exchange coverage, the employer may be subject to an employer shared responsibility payment, IRC §4980H(b)—The “B Penalty”.

IRC §4980H(b)—The “B” Penalty. This is also referred to as the “tack hammer” penalty. Full-time employees who were offered but declines employer coverage that does not provide minimum value or is not affordable will trigger the “B” penalty. The monthly penalty assessed on an ALE for each full-time employee who receives a subsidy will be 1/12 of $3,860 (in 2020) for any applicable month.

When is coverage considered affordable for the purposes of the employer shared responsibility provisions?

Employer-provided coverage is considered affordable for an employee if the employee’s required premiums for the lowest cost self-only ACA compliant coverage does not exceed 9.5% (as adjusted for inflation) of that employee’s household income. e.g.
- 9.78% for Tax Year 2020 (IRS Rev. Proc 2019-29)
- 9.83% for Tax Year 2021 (IRS Rev. Proc. 2020-36)

How are the safe harbors calculated?

Affordability safe harbors are used to determine whether the employer may be subject to an ACA shared responsibility penalty. It is possible for the employer’s coverage to be considered affordable under one of the three safe harbors (and therefore not liable for an ACA penalty) but unaffordable relative to the employee’s household income and the employee is still eligible for a marketplace/exchange subsidy.

An ALE may choose to use one safe harbor for all of its employees or to use different safe harbors for employees in different categories, provided that the categories used are reasonable and the employer uses one safe harbor on a uniform and consistent basis for all employees in a particular category. The final regulations clarify that reasonable categories generally include specified job categories, nature of compensation (for example, salaried or hourly), geographic location, and similar bona fide business criteria.
If an ALE offers multiple health care coverage options, the affordability test for a particular employee applies to the lowest-cost self-only coverage option that provides minimum value and that is available to that employee.

Form W-2 Wages Safe Harbor

Generally requires an employer to look at each employee’s wages at the end of the calendar year as reported on that employee’s Form W-2 in Box 1.
Coverage is affordable if the employee’s required premiums for the lowest cost self-only ACA compliant coverage does not exceed 9.5% (indexed) of that employee’s W-2 wages (as reported in Box 1)
This requires a retrospective analysis and an employer may not know if they passed until it’s too late.
A risky safe harbor to use, especially with an employee population whose schedules and income fluctuate.

Rate of Pay Safe Harbor

Provides employers with a method for satisfying affordability prospectively without having to analyze each employee's wages and hours.
Avoids the retrospective analysis required under the Form W-2 wages safe harbor and allows an employer to assume 130 hours/mo with some limitations (more below).
A beneficial safe harbor to use for employees whose work hours fluctuate.
Hourly employees
- Generally based on the employee’s rate of pay at the beginning of the coverage period, with adjustments permitted, if the rate of pay is decreased (but not if the rate of pay is increased).
- Coverage is affordable for a calendar month if the employee’s required premiums for the lowest cost self-only ACA compliant coverage does not exceed 9.5 percent (as adjusted) of an amount equal to 130 hours multiplied by the lower of the employee's hourly rate of pay as of the first day of the coverage period (generally the first day of the plan year) or the employee's lowest hourly rate of pay during the calendar month.
- If an hourly employee's hourly rate of pay is reduced during the year, the rate of pay is applied separately to each calendar month, rather than to the entire year and the employee's required contribution may be treated as affordable if it is affordable based on the lowest rate of pay for the calendar month multiplied by 130 hours.
- The affordability calculation is not altered by a leave of absence or reduction in hours worked.
  - Example: If a full-time hourly employee earns $10 per hour in a calendar month (and earned at least $10 per hour as of the first day of the coverage period) but has one or more calendar months in which the employee has a significant amount of unpaid leave or otherwise reduced hours, the employer may still require an employee contribution of up to 9.78% (in 2020) of $10 multiplied by 130 hours ($127.14).
Non-hourly employees
- Coverage to a non-hourly employee is treated as affordable for a calendar month if the employee’s required premiums for the lowest cost self-only ACA compliant coverage contribution for the calendar month does not exceed 9.5% (as adjusted) of the employee's monthly salary, as of the first day of the coverage period (instead of 130 multiplied by the hourly rate of pay).
- If the monthly salary is reduced, including due to a reduction in work hours, the rate of pay safe harbor is not available.
Tipped employees or commission only
- The rate of pay safe harbor cannot be used, as a practical matter, for tipped employees or for employees who are compensated solely on the basis of commissions. Employers can use the two other affordability safe harbors, Form W-2 wages and federal poverty line, for determining affordability for employees whose compensation is not based on rate of pay.
Federal Poverty Line Safe Harbor
- Intended to provide employers a predetermined maximum amount of employee contribution that in all cases will result in the coverage being deemed affordable.
- Only one calculation is required.
- Coverage is treated as affordable, if the employee's required monthly contribution for the lowest cost self-only ACA compliant coverage, does not exceed the federal poverty level for a single individual. (Calculated as 9.5 percent (as adjusted) of the most recently published poverty guidelines in effect within 6 months before the start of the plan year, divided by 12.)

Table of Values

NOTE: No guidance has been released that changes any of the affordability analyses for purposes of COVID-19. For instance, for purposes of the W-2 safe harbor, the amount in Box 1 could be significantly less if employee hours were reduced or they were furloughed or transitioned to some type of unpaid status. Employers should ensure they are in compliance with the ACA employer mandate to avoid penalties.

If you have additional questions on the content in this blog, please reach out to your Alera advisor or email us at info@aleragroup.com to be connected with a compliance expert in your area.

Download this article.

Disclaimer: This blog was written by Michelle Turner, MBA, CEBS, Compliance Consultant, Alera Group Central Region. This blog post intends to provide general information regarding the status of, and/or potential concerns related to, current employer HR & benefits issues. This blog should not be construed as, nor is it intended to provide, legal advice. The opinions expressed herein are based upon the author’s experience as a Compliance Consultant and may not reflect the opinions of your counsel.

The information contained herein should be understood to be general insurance brokerage information only and does not constitute advice for any particular situation or fact pattern and cannot be relied upon as such. Statements concerning financial, regulatory or legal matters are based on general observations as an insurance broker and may not be relied upon as financial, regulatory or legal advice. This document is owned by Alera Group, Inc., and its contents may not be reproduced, in whole or in part, without the written permission of Alera Group, Inc.

This article was last reviewed and up to date as of 09/22/2020.

Wellbeing Resources: Cable Alternatives, Video Calls and Yale Parenting Classes

Posted on September 21st, 2020

I hope you all had a wonderful weekend! Below please find this week’s curated list of wellbeing resources. Feel free to share these resources, as appropriate, with your team.

Have a safe and healthy week!

Career Wellbeing

The Right Way and the Wrong Way to Do Video Calls – None of us are meant to sit in zoom meetings for hours at a time. With a little bit of planning, you can get your team off the back-to-back meeting rollercoaster.

Social & Family Wellbeing

This (free!) Parenting Class from Yale Will Help You Eliminate Friction in Your House – “Everyday Parenting” is designed to give parents and caregivers of kids, from preschool to teens, a toolkit of techniques to make life at home a little smoother.

Financial Wellbeing

16 Cable Alternatives to Save You Money – Cable TV prices continue to soar so here is a list of the cost-effective alternatives that will enable you to finally cut the cord.

Physical Wellbeing

7 Functional Glutes Exercises to Try at Home + A Full Workout (by P.volve) – P.volve’s “pre-hab” method helps your body move the way it was physically designed to. These exercises help your overall mobility and support you in working on your postural imbalances.
How Movement Radically Transforms the Brain – In this 20-minute podcast, a functional medicine doctor, psychologist, and personal trainer discuss how exercise can improve the treatment outcomes for depression and anxiety, how exercise decreases our chance of cognitive decline, and simple ways to build exercise into your everyday life.

Emotional Wellbeing

Is it OK to Reveal Your Anxiety or Depression to Your Boss? Mental-health issues have soared during the pandemic and companies are providing benefits. But before asking for accommodations, consider whom to talk to and what you need.

Community Wellbeing

How to Help in the Aftermath of Hurricane Sally – On September 16th, hurricane Sally slammed Florida and Alabama leaving heavy flood, destruction, and more than 400,000 homes and businesses without power. Here’s how you can help.

Employer Focused Wellbeing

Real Stories of How Best WorkplacesTM Are Supporting Parents During COVID-19 – Among the Best Workplaces™ making pandemic pivots, many are helping moms and dads manage triple duty. From the need for drastic flexibility to talking to kids about racism — here are some creative and caring ways to support parents battling the legacies of COVID-19.
Why Adding a Human Layer is the Key to the “Great Reset” – “A company is only as resilient as its people. If employees are anxious, reactive and burned out, every business metric — from productivity to attrition to customer success — will be affected. That’s why people need to be at the center of whatever re-entry plans or digital transformation strategies companies are formulating right now.”

About the Author

Andrea Davis, Director of Wellbeing
Andrea joined Alera Group Northeast (formerly CBP) in July 2013, bringing over 15 years of experience in management consulting and strategic solutions. As the Director of Wellbeing, she is responsible for assisting with the development, implementation and evaluation of comprehensive wellness strategies for existing and prospective Alera Group clients. She provides assistance and support to Alera Group clients by developing personalized programs that fit clients’ unique health management needs, wellness program implementation, committee development, promotion and marketing of their programs to encourage participation. In addition, Andrea conducts program analysis and generates reports related to program participation, health assessment and client utilization.

What is an Employee Assistance Program?

Posted on September 18th, 2020

Our hearts go out to all of those affected by the wildfires spreading across the west coast. Currently, the fires have spread across California, Oregon, Washington, and other western states. Alera Group has clients and offices throughout those states and sympathy is with all those impacted by the destruction. If you live in the affected or surrounding areas, please take proper precautions and stay safe!

Trauma, disruption and displacement often cause increased stress, and an employee assistance program (EAP) can help employees develop coping skills to address real or perceived threats in a productive manner.

What is an EAP?

An Employee Assistance Program (EAP) is a confidential workplace service that offers free and confidential assessments, short-term counseling, referrals, and follow-up services to employees who have personal and/or work-related problems.

What does an EAP help with?

An EAP can help employees deal with work-life stressors, family issues, financial concerns, relationship problems, and even drug or legal concerns. Some EAPs also extend assistance to family members.

EAPs can assist with:

Health & Safety Concerns
Financial & Legal Topics
Work-Related Issues
Relationship & Family Matters

EAP Assistance Chart In response to the COVID-19 pandemic, many states are offering free support telephonically. The emotional and mental health toll of this crisis will be significant. Additional support and resources can help address the impacts of stress, fear, financial loss, illness, grief and loss, children out of school and isolation created by social distancing.

Please note: carriers may offer embedded EAP programs in your life, disability, medical plans at no cost to you or your employees. Standalone EAP solutions are also available typically based on a per-employee-per-month rate ranging from $1.10-$2.50 depending on services and needs. Contact your local Alera Group consultant for additional information or email us at info@aleragroup.com to be connected with an office near you.

To learn more about the western wildfires here are a few resources:

How to help those affected by the wildfires:

DOL Issues Updated FFCRA Regulations In Light Of Recent Federal Court Decision

Posted on September 15th, 2020

On September 11, 2020, the U.S. Department of Labor (“DOL”) released a temporary rule updating certain FFCRA regulations. The temporary rule is scheduled to be published on September 16, 2020, and will be effective immediately through the expiration of the FFCRA’s paid leave provisions on December 31, 2020.

The temporary rule updates FFCRA regulations issued in April 2020 in response to a recent federal District Court decision which found four portions of the initial regulations invalid: provisions related to whether the FFCRA applies if employers do not have work available for employees; the timing for which employees must request the need for leave; the definition of health care provider; and the availability of intermittent leave.

While many anticipated that the DOL would appeal the decision, the DOL elected to reaffirm and clarify its position on some of these issues, while choosing to revise or update others. Thus, while the court’s order was limited to companies operating in New York (or potentially only those in the Southern District of New York), the DOL’s revisions to the regulations apply to all employers subject to the FFCRA (inside and outside New York).

The District Court’s order and the updated regulations are discussed in more detail below.

New York Federal District Court Decision

Soon after the FFCRA regulations were implemented, the State of New York sued the DOL in the United Stated District Court for the Southern District of New York claiming the DOL exceeded its authority when it implemented several provisions of the FFCRA regulations. The District Court agreed in part and, in August, the court issued an order invalidating several portions of the FFCRA regulations.

Work Availability Requirement – The original regulations limited the availability of emergency paid sick leave and expanded FMLA leave to certain situations where the employer’s business is open or the employer has work for the employee, but employee is unable to work due to a COVID-19 qualifying reason. The court vacated this requirement, making the FFCRA available even if the employer does not have work for the employee, such as situations where the employee is furloughed or the business is closed.
Documentation – The FFCRA statute requires employees to notify an employer of the need for leave “after the first workday” during which an employee requires paid sick time; however, the initial FFCRA regulations required documentation to be provided to the employer before any sick time is taken. The court determined this was beyond the scope of the statute and vacated this requirement. The content of the documentation and the need for documentation was not eliminated, just the timing of when it must be provided.
Definition of Health Care Provider – The initial FFCRA regulations used an expansive definition of health care provider, which included individuals who work in support of health care operations, such as cleaning staff, food service professionals and cooks, maintenance workers, IT staff, or other administrative support staff who support health care operations. The district court vacated the definition of health care provider, finding it overbroad.
Intermittent Leave – The initial regulations allowed employees to take intermittent leave in certain situations with employer approval/agreement. The court found this inconsistent with the statute and rejected this aspect of the regulation as an impermissible limitation on the availability of intermittent leave.

Updated Regulations

In the updated regulations, DOL reaffirms its regulations related to the work availability and intermittent leave requirements, but provided further clarification or explanation of its regulations. The DOL revised regulations related to the definition of “health care provider” and notice requirements. The rationale and changes are discussed more fully below:

Work Availability

Specifically, for purposes of the work availability requirement, the DOL affirms that neither emergency paid sick leave nor expanded FMLA under the FFCRA may be taken unless the employer has work available for the employee (the “work availability” requirement). The FFCRA statute provides that leave under the FFCRA is available if an employee is unable to work (or telework) “because of” or “due to” a qualifying reason under the FFCRA. The DOL cites to U.S. Supreme Court authority that interprets “because of” or “due to” language to create a “but for” test or analysis. Thus, FFCRA leave must be the “but for” cause of the employee’s inability to work. Furthermore, the DOL reasons that the plain meaning of the word “leave” in this context, and based on longstanding DOL interpretation, means that someone has to be absent from work at a time the employee would otherwise be working. Thus, the DOL stands by its original regulation and provides that an employee cannot take FFCRA leave if there was no work available from the employer for the employee to perform.

Finally, the DOL explains that this requirement was intended to apply for all qualifying reasons under the FFCRA, not just those that were initially listed in the original regulations.

Intermittent Leave

The FFCRA is silent about the availability of intermittent leave, but as the DOL notes in the preamble to the updated regulations, the DOL was given broad authority to develop rules under the law. Thus, consistent with FMLA regulations, the DOL interpreted the availability of intermittent expanded FMLA leave for employees working onsite similar to how it applies for purposes of FMLA, which may also require employer approval. For emergency paid sick leave, however, there is opportunity for spreading COVID-19 in the workplace. Thus, it would be contrary to the purpose of the FFCRA to allow someone to take emergency paid sick leave intermittently (unless caring for a child whose regular day care provider is unavailable due to COVID-19). Therefore, for employees working on-site, the DOL reaffirms its decision to only allow intermittent leave for expanded FMLA leave purposes. The DOL confirmed, however, as originally provided, that intermittent leave may be available for any FFCRA qualified reason if an employee is teleworking, as there is no risk the employee would spread COVID-19 at a worksite. In any intermittent leave context, however, permission from the employer is still required.

Health Care Provider Definition

In an effort to ensure the public health system could maintain its necessary function during COVID-19 pandemic, the FFCRA allowed employers to exclude employees who are “health care providers” or “emergency responders” from eligibility for expanded FMLA leave and emergency paid sick leave.

The DOL took an expansive approach in defining “health care provider” in its initial FFCRA regulations to ensure health care operations would not be hampered, such as ensuring maintenance to health care facilities, trash collection, food services for hospital workers, and other similar services. The District Court found this approach to be overly broad and, therefore, per the District Court’s order, the DOL opted to revise its definition of health care provider. In the updated regulations, health care providers include employees who are health care providers under existing FMLA regulations and “any other employee who is capable of providing health care services such as diagnostic services, preventive services, treatment services, and other services that are integrated with and necessary to the provision of patient care and, if not provided would adversely impact patient care.”

This could include a variety of health care practitioners other than doctors, including nurses, nurse assistants, medical technicians, and laboratory technicians. The preamble and rule provide numerous examples of what would constitute diagnostic, preventive or treatment services, and services integrated with these that are necessary for patient care, such as bathing, dressing, or feeding patients, among several others. Food service professionals, IT professionals, building maintenance workers, HR professionals, or other individuals who do not provide health care services even though their work impacts health care services are no longer included in the definition of health care providers.

Employees falling within the new definition of health care provider can work in a variety of settings including, but not limited to, hospitals, clinics, doctor’s offices, medical schools, local health departments, nursing or retirement facilities, nursing homes, home health providers, laboratories, or pharmacies.

Notice of the Need for Leave

In the updated regulations, the DOL clarifies that notice of the need for emergency paid sick leave must be provided as soon as practicable (instead of before emergency sick leave is taken), which is consistent with the position the plaintiffs took when they challenged the original regulations.

Additionally, the DOL revised the regulations regarding notice of expanded FMLA leave. For a foreseeable need to expanded FMLA leave, the employee must provide notice as soon as is practicable, which may mean the employee may have to provide advance notice of the need for leave if the facts and circumstances support prior notice. Prior notice is not required for unforeseeable need for expanded FMLA leave. Finally, the employer may require an employee to substantiate the need for leave as soon as practicable, which may be at the same time notice is provided.

The DOL also updated its FFCRA FAQ’s consistent with the updated regulations.

Conclusion

As mentioned previously, the DOL’s updated regulations impact all employers subject to the FFCRA, not just those with employees in New York. Thus, all impacted employers should familiarize themselves with the updated regulations and administer them accordingly moving forward.

To the extent an employer has employees impacted by the revised regulations, such as individuals previously included in the DOL’s broad definition of health care provider or employees who were denied emergency paid sick leave for failing to provide advance notice, they should consult directly with counsel to discuss how to address those specific situations.

About the Author. This alert was prepared by Marathas Barrow Weatherhead Lent LLP, a national law firm with recognized experts on the Affordable Care Act. Contact Danielle Capilla (danielle.capilla@aleragroup.com) with questions.

The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency and Marathas Barrow Weatherhead Lent LLP are not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions.

The Five Ws, and One H of Medicare Part D Creditable Coverage Notices

Posted on September 15th, 2020

This is the sixth article in our Compliance 101 blog series where we use six questions to break down important compliance topics. Below you will learn more about Medicare Part D Creditable Coverage Notices. Read more below!

Download this article.

Who is required to provide a Medicare Part D Creditable Coverage Notice?

All group plan sponsors (i.e. employers) that provide prescription drug coverage are required to provide a disclosure notice to all Part D eligible individuals who are covered under, or who apply for, the employer’s prescription drug coverage.
Part D eligible individuals are those who are eligible for Medicare A or B, and include COBRA participants, retirees, covered spouses and dependents, and employees. Because the list of Medicare-eligible individuals is broad, many employers choose to provide all participants with a Part D notice.
While the plan sponsor that provides the coverage is responsible for providing the notice, nothing in the regulation prevents that employer from arranging to have it provided by a third party.

What does creditable or non-creditable coverage mean?

Creditable coverage means that on average, the actuarial value of the coverage under the employer’s plan equals or exceeds the actuarial value of standard prescription drug coverage under Medicare Part D.
In general, if an employer’s plan is creditable, it will pay at least as much for prescription drug claims as the expected amount of paid claims under the standard Medicare Part D benefit.
Some carriers will provide guidance on whether their plans are creditable or may provide a calculator for determining credibility. These calculators have not been formally approved by CMS, so risk adverse employers should consider paying for an actuarial analysis in the event their carrier does not provide the actuarial determination for them and the plan does not meet the simplified determination of the creditable coverage safe harbor. Information on the safe harbor can be found on the CMS website.

Where does an employer obtain model disclosure notices?

CMS has provided model/sample language that entities can (but are not required to) use when disclosing creditable coverage status to beneficiaries. The model notices are posted on the CMS website.
Employers that choose not to use the model/sample disclosure notice language must ensure the disclosure notices they provide meet minimum content standards prescribed by CMS.

Why is a notice required to be provided?

Disclosure of whether prescription drug coverage is creditable provides Medicare beneficiaries with important information relating to their Medicare Part D enrollment. Beneficiaries who do not have creditable prescription drug coverage and who choose not to enroll before the end of their initial enrollment period for Part D may pay a higher premium on a permanent basis if they subsequently enroll in a Part D drug plan.

When is the notice required to be provided?

There are five times that creditable coverage determinations must be provided to Part D eligible beneficiaries:

Prior to the Medicare Part D Annual Coordinated Election Period–beginning October 15 – December 7th of each year;
Prior to an individual’s Initial Enrollment Period for Part D;
Prior to the effective date of coverage for any Medicare-eligible individual that joins the plan;
Whenever the entity no longer offers prescription drug coverage or changes the coverage offered so that it is no longer creditable or becomes creditable; and
Upon request by the individual.

If the creditable coverage disclosure notice is provided to all plan participants annually, prior to October 15th of each year, for instance during open enrollment, CMS will consider items 1 and 2 to be met.

How does the notice need to be distributed?

The notice need not be sent as a separate mailing. The disclosure notice may be provided with other plan participant information materials (including enrollment and/or renewal materials).
If employers choose to incorporate disclosures with other plan participant information, the disclosure must be prominent and conspicuous. This means that the disclosure notice portion of the document (or a reference to the section in the document being provided to the individual that contains the required statement) must be prominently referenced in at least 14-point font in a separate box, bolded, or offset on the first page of the provided plan participant information.
An employer may provide a single disclosure notice to the covered Medicare individual and all his/her Medicare-eligible dependent(s) covered under the same plan. However, the employer is required to provide a separate disclosure notice if it is known that any spouse or dependent that is Medicare eligible resides at a different address than from where the participant/policyholder materials were provided.
Employers may provide the notices electronically, if the plan participants have the ability to access electronic documents at their regular place of work and if they have access to the plan sponsor’s electronic information system on a daily basis as part of their work duties. If this electronic method of disclosure is chosen, the plan sponsor must inform the plan participant that the participant is responsible for providing a copy of the electronic disclosure to their Medicare-eligible dependents covered under the group health plan.
Notices to non-employee participants (e.g. COBRA, retirees) or participants who do not access the plan sponsor’s electronic information system as a regular part of their work duties, may also be provided electronically, however, electronic consent from the participant must be obtained prior to the notices being provided.

If you have any questions, please contact your local advisor or email us at info@aleragroup.com to be connected with a compliance consultant and Alera firm near you.

Download this article.

This article was last reviewed and up to date as of 09/08/2020.

When to Create a Home Inventory

Posted on September 14th, 2020

Creating a home inventory may seem like a bother, but the day will come when you will be glad you did. If you ever need to file a claim your inventory will make it easy and efficient. Plus, it doesn’t have to be such a bother. Yes, you can write everything down on a list, keep your receipts in a folder and update that regularly. Or you can use technology and tour your house with a smartphone or digital camera, making comments and recording your items and receipts and related information as needed— and update that regularly.

Be sure to include some of the following details about items in your inventory:

A Description
Receipts (much of the information in the next two items may even be on the receipt)
Make, model, serial number
Date and place of purchase
Appraisals (for antiques, jewelry and similar high-valued items) and estimated replacement cost.

When to Create your Inventory. Now!

Here are three very practical reasons not to put off this important task any longer if you haven’t done it already.

A home inventory will:

Help you purchase the right amount and type of insurance. Having an accurate list of all your possessions will help you and your agent make decisions about purchasing the right homeowners or renters' insurance coverage. After all, if you don’t know what you have, how can you insure it adequately?
Make filing a claim as simple as possible. Most people cannot remember what they had for breakfast much less recall the contents of their attic, kitchen cabinets or downstairs closet after a fire, storm or other catastrophes. Disasters are scary and stressful, which can make trying to list damaged property for a claims form even more challenging. Having your belongings already documented in your home inventory can be a huge relief at times like these.
Substantiate financial losses for tax purposes or when applying for financial assistance. Following a catastrophe, the only way to determine whether you qualify for a tax break or disaster assistance is to substantiate your financial losses. A well-organized home inventory can be an extremely useful tool in this process.

Weekly Wellbeing Resources – 9/14/20

Posted on September 14th, 2020

I hope you all had a wonderful weekend!

If you only read one of the articles posted below this week, I highly recommend Tara Haelle’s piece on ‘surge capacity’. ‘Surge Capacity’ is defined as “a collection of adaptive systems — mental and physical — that humans draw on for short-term survival in acutely stressful situations, such as natural disasters.” But what do we do in a pandemic, when the disaster stretches out indefinitely? Or as Haelle says “how do you adjust to an ever-changing situation where the ‘new normal’ is indefinite uncertainty?”. She likens it to trying to stand in a dinghy on rough seas, not knowing when the storm will pass. This piece does a wonderful job trying to explain the toll that the pandemic is taking on us and offers some tangible thoughts on how to continue to move forward.

Below please find this week’s curated list of wellbeing resources. Feel free to share these resources, as appropriate, with your team.

Have a safe and healthy week!

Career Wellbeing

Dealing with a Crushing Workload – Workloads and expectations are increasing. If that statement feels true to you, you are not alone. This brief podcast by the Accidental Creative shares some practical ways to deal with increasing workloads and decreasing resources.

Social & Family Wellbeing

The Power of Showing Up – Dr. Daniel Siegel, an internationally acclaimed author and child psychologist, will explain how to be present for our kids so that they can build social and emotional intelligence, leadership skills, meaningful relationships, and happiness. Tuesday, September 15th at 8 PM ET. RSVP HERE.

Financial Wellbeing

Does It Make Sense to Pay for Childcare? – With many children doing remote learning or hybrid learning models, many families with two incomes are questioning if it makes financial sense for one of them to take time away from their current job to work inside the home on childcare. Does it make financial sense to pay for childcare? Is the cost of childcare worth it?

Physical Wellbeing

Why Aren’t We Talking More About Nutrition Amid COVID-19? – Focusing on diet amid COVID-19 is both a necessity and an opportunity. Dr. David Katz gives some tips on what you can do today.

Emotional Wellbeing

Your ‘Surge Capacity’ Is Depleted – It’s Why You Feel Awful – The Reason you feel unmotivated, angry, and tired? You’ve depleted your ‘surge capacity’. Learn more about what this means and how you can take steps to move yourself forward.

Community Wellbeing

How to Help Victims of the West Coast’s Wildfires – As unprecedented wildfires have been spreading across the West Coast of the United States, hundreds of thousands have fled their homes and tens of thousands have gone without power in a historic heatwave. Here’s how you can help the victims of this crisis.

Employer Focused Wellbeing

Parenting in a Pandemic: Supporting Working Parents & Their Mental Health – It's no secret that the pandemic has overly burdened working parents feeling more stressed and anxious. With more limited family support options, parents are overwhelmed with juggling virtual or in-person schooling, the challenges of remote work, and keeping their families safely sheltered. This webinar, sponsored by Lyra Health and Cleo, will discuss practical ways employers can support working parents to mitigate mental health challenges and build resilience. RSVP HERE.

About the Author

HIPAA Guidance Amended During COVID 19 Pandemic

Posted on September 11th, 2020

On August 24, 2020, amended guidance was provided by the Office for Civil Rights (OCR) of the US Department of Health & Human Services, the agency that has jurisdiction to enforce HIPAA. The new guidance allows covered health care providers (e.g., hospitals, pharmacies, laboratories) and health plans to use without an individual’s authorization, protected health information (PHI) to identify and contact individuals who have recovered from COVID-19 to inform them about how they can donate their plasma containing antibodies (known as "convalescent plasma") to help treat others with COVID-19.

Download this article.

Background – Use Or Disclosure of PHI

The HIPAA Privacy Rule permits HIPAA-covered entities (or their business associates on the covered entities’ behalf) to use or disclose PHI without an individual’s authorization for:

Treatment,
Payment and,
Health care operations (e.g. case management and care coordination activities that do not meet the definition of treatment)

When using or disclosing PHI for one of these three purposes, the covered entity (e.g. health plan) must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.

Amended Guidance

Under the Department of Health and Human Services (HHS) guidance, health plans may use PHI to identify and contact individuals who have recovered from COVID-19 to inform them about how to donate plasma. This is considered a permitted health care operations activity to the extent that facilitating the supply of donated plasma would be expected to improve the health plan’s ability to conduct case management for patients or beneficiaries that have or may become infected with COVID-19.

Limitations On The Use of PHI Without Authorization

A covered entity may identify and contact individuals, without authorization, to the extent that the activity does not constitute marketing. (Marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service.) Thus, a health plan could inform or encourage individuals who have recovered from COVID-19 regarding the means and benefits of donating plasma, but cannot encourage such individuals to use any particular blood or plasma donation center(s) if they receive any compensation (direct or indirect) from the donation center.

HIPAA Privacy Rule Reminder

A covered entity generally cannot disclose PHI to a third party, including another HIPAA-covered entity, without the individuals’ authorization. Therefore, a health plan should not disclose PHI about individuals who have recovered from COVID-19 directly to a blood or plasma donation center, for the donation center’s own purposes (unless the participant has authorized this disclosure).

Download this article.

This article was last reviewed and up to date as of 09/03/2020.

13 Tips for Avoiding Identity Theft

Posted on September 10th, 2020

As more and more parts of daily life transition to online, data security is becoming more and more important! Here are 13 tips to protecting your identity.

14.4 million consumers were victims of identity fraud in 2018, according to the 2019 Identity Fraud Study from Javelin Strategy & Research.

Here are some tips:

Minimize how much personal information you carry in your purse or wallet. Limit the credit cards you carry, and don’t carry your social security card or passport unless necessary.
Guard your credit card. When you make a purchase keep your wallet in your hand until the clerk gives back your card. Don’t let nearby “shoulder surfers” look at your card while making a transaction. Shield your hand when using ATM machines. Be alert to those around you when giving out personal information on the phone.
Be careful with credit card and ATM receipts. Don’t leave them behind or throw them into public trash containers or put them in your shopping bag where they can easily fall out or get stolen.
Do not give out personal information — unless you initiated the contact. Be sure you know who you’re dealing with on the phone, through the mail or over the Internet. Be sure your connection is secure, and you’re not being overheard.
Be careful when shopping online. Be sure the website you’re using has the locked padlock image in the browser status bar or displays https:// (rather than http://), which indicates that it has a high level of security.
Be aware of phishing and pharming scams. Criminals use fake emails and websites to impersonate legitimate organizations. It happens a lot. If you don’t know the source, be extremely careful when opening emails, attachments and instant messages from unknown sources. Criminals use the illusion of familiarity that they represent organizations you do business with. Be very suspicious! Never give out personal, financial or password related information via email.
Keep your computer security up to date. Install firewall, anti-spyware and anti-virus programs on your computer and update them regularly.
Monitor your accounts. Your credit card companies and banks can alert you to suspicious activity. But don’t rely on them. Read your bank and credit card statements carefully to make sure all transactions are accurate. If you suspect a problem, contact the companies immediately.
Order copies of your credit report and review for errors. Preferably, get one from each of the three major credit reporting bureaus (Equifax, Experian, TransUnion). By law, you should be able to get at least one for free, and many banks and other financial institutions provide them as a service to their customers.
Be sure your credit reports are accurate. They contain not only information about credit accounts that have been opened in your name and how you pay your bills, but also where you work and live, and whether you’ve been sued, arrested or filed for bankruptcy. Go over every detail and make sure they are accurate. Contact them about anything that isn’t.
Place fraud alerts at the major credit bureaus. A fraud alert goes out to creditors telling them to contact you before they open any new accounts or before making any changes (like changes of address) to your existing accounts. This is intended to make it more difficult for identity thieves to open accounts in your name. You just need to contact one bureau; by law, the agency you contact is required to contact the other two.
Use secure passwords on your credit card, bank and phone accounts. “Password” is not a good password. Also avoid using easily available information like your mother’s maiden name, your birth date, any part of your Social Security number or phone number. If you suspect a problem with your credit card, change your password.
Shred documents with personal information before disposing of them. This includes any paperwork with credit card numbers, bank statements, charge receipts or credit card applications.