This & That Tuesday 13.6.11

by hr4u.
Jun 27 13
Here is the latest issue of “This & That” Tuesday. I hope you find it to be informative and useful.
Announcements

You can always check out my website for upcoming speaking engagements that are guaranteed to be of value to business owners or for a list of topics that I can speak on at Chambers, Clubs, Business Associations, etc. More details about the events, topics and Human Resources 4U, in general, can be found on my website.
HIPAA Rule Alters Definition of ‘Breach’

In a final rule published in January, the U.S. Department of Health and Human Services (HHS) altered the definition of “breach” under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules.


The department jettisoned a so-called “harm standard” to define when there is a breach requiring notification and replaced it with a more objective four-part standard.


The HITECH Act defined “breach” as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”


New Standard
The final rule kept the exceptions, but junked the harm standard, even though some health plans defended it, noting that the harm standard was consistent with many state breach notification laws.


First, HHS added language to the definition of “breach” to clarify that “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”


Instead of assessing the risk of harm to the individual, covered entities must assess the probability that the protected health information has been compromised based on a risk assessment that considers at least the following four factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the protected health information or to whom the disclosure was made.
  • Whether the protected health information was actually acquired or viewed.
  • The extent to which the risk to the protected health information has been mitigated.
Three Exceptions
The final rule kept the three statutory exceptions to the definition of “breach”:

  • A breach excludes any unintentional acquisition, access or use of protected health information by a workforce member (including volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule. “The exception does not, however, cover situations involving snooping employees, because access as a result of such snooping would be neither unintentional nor done in good faith,” HHS clarified.
  • A breach excludes inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
  • Also exempted are disclosures of protected health information where a covered entity or a business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. “For example, if a covered entity, due to a lack of reasonable safeguards, sends a number of explanation of benefits (EOBs) to the wrong individuals and a few of the EOBs are returned by the post office, unopened, as undeliverable, the covered entity can conclude that the improper addresses could not reasonably have retained the information,” HHS stated. “The EOBs that were not returned as undeliverable, however, and that the covered entity knows were sent to the wrong individuals, should be treated as potential breaches.”
Train Employees
HHS added, “We emphasize the importance of ensuring that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and on the policies and procedures for reporting, analyzing and documenting a possible breach of unsecured protected health information. We note that because this final rule modifies the definition of breach as stated in the interim final rule, covered entities will need to update their policies and procedures and retrain workforce members as necessary to reflect such modifications.”


Also, it recommended policies that require employees to return or destroy information to which they obtained unauthorized access.


The final rule also requires modifications to and redistribution of a covered entity’s notice of privacy practices. The final rule is effective March 26, 2013, but covered entities have until Sept. 23, 2013, to comply with its requirements.
Note: If your company falls under the HIPAA requirements, you must train your employees on HIPAA Privacy every three years. Human Resources 4U can provide this training.
Altec to Pay $25,000 to Settle EEOC Religious Discrimination Suit

Altec Industries, Inc., a Birmingham, Ala.-based manufacturing company, will pay $25,000 and furnish other relief to settle a religious discrimination lawsuit filed by the EEOC.
According to the EEOC's suit, James Wright applied for employment at Altec's Burnsville, N.C., manufacturing facility. As a Seventh-day Adventist, Wright held the sincere religious belief that he could not work on his Sabbath, which runs from sundown on Friday until sundown on Saturday. The EEOC alleged in its complaint that when Altec learned during a job interview that Wright objected to working from sundown on Friday to sundown on Saturday based on his religion, it decided not to hire him.
Title VII of the Civil Rights Act prohibits employers from discriminating against individuals because of their religion at all stages of the employment process. Title VII requires employers to reasonably accommodate an employee's sincerely held religious beliefs unless doing so would impose an undue hardship on the employer. The EEOC filed suit after first attempting to reach a pre-litigation settlement through conciliation.
In addition to paying monetary relief to Wright, the settlement requires Altec to take other actions, including providing annual training on religious discrimination to all of its managers and supervisors at its Burnsville, N.C., facility. In addition, Altec must post a notice on employees' rights under federal anti-discrimination laws and provide periodic reports to the EEOC on individuals not hired and actions taken in response to employee requests for religious accommodations.
An employer cannot refuse to hire an applicant to avoid making a religious accommodation. Where there is a conflict between a religious belief and work rules, the law mandates that employers make a sincere effort to accommodate those beliefs, including at the application stage.
Factoids

  • 76% of baby boomers and 78% of Gen Xers are somewhat to extremely confident that they will be able to live comfortably in retirement.
  • However, only 51% of boomers and 41% of Gen Xers have actually calculated what they will need in retirement savings.
  • Boomers aged 55-64 have an average of only $45,000 in lifetime savings.
  • The most urgent health care problem is access to health care (23%), followed by cost (19%) and then obesity (16%).
  • The EEOC will focus on investigating hiring, pay and harassment claims in 2013-2016.
  • PTO was offered by 51% of employers, up from 42% in 2009.
Quotes

"When you stop doing things for fun you might as well be dead."

Ernest Hemingway