The economic recovery bill signed into law last month promised all manner of stimulus and reforms to get America working again. And sure enough, compliance officers now have lots to do.

Formally known as the American Recovery and Reinvestment Act, the law imposes a slew of new compliance obligations—many taking effect right away, even though companies have little guidance about exactly what they’re supposed to do. Most notable so far have been the Recovery Act’s new rules for executive compensation at companies taking government bailout money. But the law also spells out new policies on corporate whistleblowers, data privacy, healthcare, taxes, and more.

Among the most sweeping changes are reforms to the privacy and security regulations of the Health Insurance Portability and Accountability Act. HIPAA already requires healthcare providers—hospitals, health plans, nursing homes, healthcare clearinghouses, and some drug and device manufacturers—to protect consumers’ health and personal information. The Recovery Act now expands that to include the “business associates” of those covered entities: essentially anyone who handles protected health information, including third-party vendors.

“That’s a huge change,” says Gina Kastel, a partner in the law firm Faegre & Benson.

Business associates previously had to enter into contracts with HIPAA-covered companies and had some obligations to maintain privacy and security. The Recovery Act now requires them to comply with HIPAA themselves. “That will affect law firms, accounting firms, consultants—anybody providing administrative services on behalf of—or to—covered entities,” Kastel says.

Rachel Cutler Shim, a lawyer at the law firm Reed Smith, says companies new to the HIPAA world will need to modify their privacy and security policies and procedures, amend their own business-associate contracts, retrain employees, and revise any HIPAA privacy notices they have.

The Recovery Act also imposes new requirements to alert the authorities when a breach of protected health information (“PHI,” yet another acronym compliance officers will come to know) happens. For breaches of unsecured PHI involving fewer than 500 individuals, companies must send notice to the individuals and notify the Department of Health and Human Services. For breaches involving the unsecured PHI of 500 or more individuals, local media must also be alerted.

Previously, Shim says, HIPAA-covered businesses were required to “mitigate the harmful effect of any breach,” but weren’t required to notify affected individuals.

The law expands HIPAA’s reach and costs in several other ways. It mandates HHS audits of HIPAA-covered companies to enforce privacy and security rules and to investigate any complaints; previously, Shim says, those audits were only permitted rather than required. Penalties for non-compliance are higher, and state attorneys general will now be able to enforce the law themselves. And for the first time, Kastel says, individuals will be able to recover monetary damages from a company for its HIPAA violations.

The Act also expands the rights of individuals to get information about how their PHI is used and disclosed. That will require covered entities to track more types of disclosures, Kastel says.

Most of the provisions are subject to rulemaking, “so we have the broad contours of what this will look like, but we don’t know how the details will shake out,” Kastel says. And when the forthcoming security regulations are issued, she adds, companies will have a very short time to implement them. For instance, breaches that occur within 30 days of the publication of those regulations will be subject to the rules.

Sting of COBRA

Most companies that offer health insurance will also need to adapt their compliance programs to changes in the Consolidated Omnibus Budget Reconciliation Act, popularly known as COBRA. The law lets former employees remain on their companies’ health insurance plans if the worker pays the full premium plus a small monthly administrative fee.

RECOVERY ACT CHANGES TO WHISTLEBLOWER LAW

Corporations already have multiple laws that stop them from retaliating against employees who blow the whistle about fraud or similar abuses. Now the Recovery Act is getting in on the action.

Section 1553 of the law prohibits employers from taking any punitive action against a worker as a reprisal for engaging in protected whistleblower activity. It applies to any state agency or private-sector business receiving government funds from the Recovery Act, as well as any others acting directly or indirectly in the interest of an entity receiving funds under the Act.

“It’s uncertain how broadly the definition of covered employers will be interpreted,” says Jyotin Hamid, a partner in the law firm Debevoise & Plimpton. “It’s possible that the definition may be interpreted to cover individual supervisors as well. That will be clarified as claims are made and we see how different federal agencies, and eventually courts, interpret the definition and provide guidance.”

Most notable about Section 1553, Hamid says, is its broad scope—broader in several important respects than similar protections offered in the Sarbanes-Oxley Act and state whistleblower protection laws.

“The statute defines the scope of subject matter of protected disclosures very broadly,” he says. For example, it includes disclosures about gross mismanagement and gross waste, in addition to disclosures about illegal activity.

The provision also expands the list of people whistleblowers can confide in, beyond blowing the whistle to law enforcement agencies. “Employees are protected even if a complaint is made to a direct supervisor and even if it’s made in the ordinary course of their work,” Hamid says. And unlike the whistleblower protections in Title VII of the Civil Rights Act, the new law doesn’t cap compensatory damages for any retaliation proved in court.

Hamid recommends that employers look at their policies and procedures related to whistleblower retaliation and “make sure they’re broad enough to be consistent with the requirements of the provision.”

For instance, companies should review the language in their employee handbook that addresses whistleblowing and retaliation. They should also ensure that if they have employee hotlines (and SOX-compliant companies already should), the instructions and related literature are consistent with the law. Any training employers do related to whistleblower and retaliation issues should be consistent with the requirements.

“It’s likely in certain circumstances that some tweaks may be necessary,” Hamid says.

—Melissa Aguilar

The Recovery Act, however, creates a new, temporary federal subsidy to help workers keep their coverage. Employers would pay 65 percent of the COBRA premium for certain “assistance-eligible individuals” for up to nine months, and then be reimbursed by the government through a credit against their payroll tax liability (or a direct government payment if the credit isn’t large enough).

Assistance-eligible individuals are workers who lose their jobs between Sept. 1, 2008, and Dec. 31, 2009, along with their spouses and dependent children, says Mona Clee, a lawyer at the law firm Fenwick & West. The subsidy phases out based on a person’s modified adjusted gross income as defined in the statute.

The subsidy creates compliance obligations for any company subject to the federal COBRA law or to state “mini-COBRA” laws, including private companies, tax-exempt businesses, and government agencies, notes Sally Doubet King, a partner in the law firm McGuireWoods.

“The administrative issues are huge,” King says. They include communicating the change to current and former employees, coordinating the notice and working with COBRA administrators and payroll vendors to send it, collecting the premiums, and applying for the reimbursement, among others.

Experts say one of the biggest compliance headaches companies will face is identifying employees who might be eligible for the subsidy—and doing so quickly, since the COBRA provisions went into effect March 1—and notifying those people that the subsidy is available.

Companies are still waiting on further guidance from the Internal Revenue Service and the Department of Labor on specific details.

“We’re expecting more guidance daily,” says Clee.

For instance, at press time, employers were still waiting for clarity on the Recovery Act’s definition of “involuntary termination” and for model language from the Labor Department on how the COBRA subsidy should be explained to workers. That model language is due out by March 17, and companies have only 60 days from the effective date of the Recovery Act (Feb. 17) to provide the notice to eligible employees.

In other words, Corporate America is still waiting for help from the Labor Department to send out a notice due to millions of workers in only five weeks’ time.

Clee says companies should simply send the notice to all employees terminated since Sept. 1, 2008, to avoid missing an eligible person by mistake. And the Recovery Act also gives some ex-employees a second chance to choose COBRA coverage if they didn’t elect to do so in the usual 60-day window after they’re first dismissed. Those former workers must receive notice of their new rights, too, she says.

Lastly, employers must also decide whether to give terminated employees covered by a more expensive insurance plan the option to select a cheaper alternative without waiting for the open enrollment period.