Federal court decision paves way for 2012 do-over
Howard Rubin and Don Stait
The Daily Record Newswire
In January 2012, President Obama, acting to prevent the loss of a quorum, appointed three new members to the NLRB. Normally, as part of the federal government’s system of checks and balances, the Senate would have advice-and-consent authority over these appointments. However, if the Senate is not in session and the number of board members falls below the three required for a quorum, the president has authority to fill the vacant seats without the Senate’s consent.
At issue in this case is the meaning of “not in session.”
The Senate was not recessed when Obama made his appointments. It was merely holding short sessions, leading the court to observe that the president’s interpretation of “not in session” gives him “free rein to appoint his desired nominees at any time he pleases, whether that time be a weekend, lunch, or even when the Senate is in session and he is merely displeased with its inaction.”
According to the D.C. Circuit opinion, Obama’s recess appointment authority is limited to periods when the Senate has actually adjourned its session, and only with respect to vacancies that “happen” or arise during such recess.
If the U.S. Supreme Court declines to hear the case on appeal or affirms the appellate court decision, the case could have a significant impact on all decisions issued by the NLRB since January 2012.
Under similar circumstances, following the 2010 Supreme Court decision establishing that three board members are required for a quorum, the NLRB had to revisit and resolve more than 600 cases heard previously. In recent months, the board has issued a number of precedent-setting decisions on such topics as social media, union dues and non-union activity that could meet the same fate.
According to a statement issued by the NLRB, it will continue to perform its statutory duties and issue decisions.
Final rule issued for HIPAA and HITECH
At slightly more than 500 pages, the new rule governing health information privacy is not an easy read. In-house employment, benefits and privacy lawyers — as well as human resources and benefits professionals — are discovering this as they try to determine the rule’s practical implications.
This extensive rule comprises four final privacy-related regulations, makes major modifications to the Health Insurance Portability and Accountability Act (HIPAA), incorporates amendments made by the Health Information Technology for Economic and Clinical Health Act (HITECH), and addresses new privacy protections granted under the Genetic Information Nondiscrimination Act of 2008 (GINA). What does all this mean for employers?
Like most HIPAA-related guidance, the final rule focuses on health care providers, with only a small portion of regulations aimed at employers. Moreover, a detailed reading of the final rule reveals dozens of technical changes with little or no practical impact on employers.
Here are five “big picture” tidbits for employers that sponsor HIPAA-covered plans:
1. Not that much has changed. The compliance framework remains fundamentally unchanged. Employers have substantially the same compliance obligations and plan participants have substantially the same rights with respect to their protected health information (PHI).
2. Employers have some time to comply. The earliest compliance deadline is Sept. 23, 2013. Employers generally will have additional time to comply with the changes likely to have the greatest impact on them — i.e., the distribution of updated privacy notices and the modification of business associate agreements.
3. Not every “HIPAA violation” is a security breach. A covered entity confronted with an unauthorized use or disclosure of PHI can avoid providing notice of a security breach if, after conducting a risk assessment, it determines that there is a low probability the PHI has been compromised. The risk assessment must include four risk factors: 1, the nature and extent of the PHI involved; 2, the unauthorized person who used the PHI or to whom the disclosure was made; 3, whether the PHI was actually acquired or viewed; and 4, the extent to which the risk to the PHI has been mitigated.
4. Employers will need to issue revised privacy notices. Any employer that maintains a benefits website must post the revised notice by Sept. 23, 2013, and include the revised notice in its next annual mailing to plan participants. Employers with no benefits website, and that wait until Sept. 23 for their revised privacy notice to become effective, will have until Nov. 22, 2013 to distribute the updated notice. The revised notices will need to inform recipients of: 1, their right to receive security breach notification; 2, HIPAA’s new prohibition on the use of genetic information; and 3, the requirement that the employer obtain the subject’s authorization before using PHI for marketing purposes or before selling PHI.
5. Employers should review and possibly amend business associate agreements. The final rule modifies the minimum required contents of agreements with service providers who receive PHI from a covered entity, such as third-party administrators and insurance brokers. In addition to previously required provisions, these service provider agreements must now include provisions requiring them to: 1, comply with the HIPAA Security Rule’s requirements; 2, report any security breach to the covered entity; 3, enter into an agreement with any subcontractor that receives the covered entity’s PHI; and 3, comply with the provisions of the HIPAA Privacy Rule applicable to any obligation that the covered entity delegates to the service provider.
Although there are other changes that may impact employers, these are the ones with the most significant practical impact on HIPAA-covered employers.
—————
Howard Rubin is a shareholder in Littler Mendelson’s Portland office. Contact him at 503-221-0309 or hrubin@littler.com. Don Stait is Special Counsel in Littler Mendelson’s Portland office. Contact him at 503-221-0309 or dstait@littler.com.