Erisa Solutions

The Root Causes of Low Employee Morale

The root causes of low employee morale are not what you think, but are surprisingly easy to fix by focusing on a few simple changes in communication style!

In the movie Multiplicity with Michael Keaton and Andie MacDowell, the character of Doug Kinney (Keaton) clones himself so he can get more work done while having more time for his family and to enjoy himself. As you can imagine, everything goes wrong and at the end there are four Dougs and craziness ensues! Things are pretty stressed at his job as a foreman for Del King Construction. One of the best lines is when his counterpart Ken comes up with an idea to get things moving (and to brown-nose the boss a little). Ken states proudly, “At my old job they used to say, ‘if you don’t show up for work on Saturday, don’t even bother coming in on Sunday!’” It was hysterical in the context of the movie (actually Doug wasn’t laughing), but it does lead to one of the root causes of low employee morale.

In these hectic, overworked, understaffed times, it’s easier than ever for managers (who are usually even more overworked than their subordinates) to come across like Quintus Arrius addressing the Roman slaves in Ben Hur: “...we keep you alive to serve this ship, so row well and live!” It demonstrates how easy it is to come across as a leader who believes that everybody is lucky to have a job, so they had better suck it up, keep their nose to the grindstone and not complain.

Sadly, this view, while effective during this struggling economy, is killing your productivity today, and will lead to significant retention, recruiting and training costs down the road. The moment your employees begin to feel that you don’t appreciate them and that they’re only on board to row, you have amplified the root cause of low employee morale and it’s going to cost you big time.

Here are five suggestions that will help you to avoid destroying morale and experiencing both the hard and soft costs of poorly engaged employees:

#1 – Form Relationships Built on Trust

Strong, effective relationships are built on trust. If you don’t have strong, trust-based relationships with your people, everything you do to recognize them will be seen as manipulation. When employees feel that you are using recognition to “get more out of them” rather than to show that you value them personally, they begin to emotionally disengage, and morale suffers. It’s not hard to develop trusting relationships with your people, but it does take time, consistency and integrity.

#2 – Show them Respect

The book The One Minute Manager introduces a theory of personal responsibility that allows managers to get maximum results with a minimum of time invested in each staff member. The secret is in showing them respect, defining their expectations and avoiding micromanaging. Most employees respond well to being given enough rope to hang themselves, as long as their job is well defined and they are allowed to fail periodically without fear of unrealistic retribution. Respected employees are more alert, creative and productive. When they do make a mistake, they’ll fix it, move on confidently and not make that mistake again.

#3 – Nurture Creativity

Once you’ve built trusting relationships and developed a foundation of respect, employees will automatically respond with more creativity. The best way to nurture and benefit from their new-found creativity is to go by the philosophy that there are no bad ideas, only undeveloped ones. Trusted and respected employees whose managers reinforce the fact that they have some flexibility to try new things will surprise you with the creative ingenuity they bring to their work. The best part is that you get this for the same price you’re paying unhappy employees who are doing just enough to get by.

#4 – Build Effective Teams

Team building is a more complex challenge than fostering high morale in individual employees. Here are five problems that many teams develop that keep them from being as effective as they want to be in accomplishing company goals:

  • Absence of Trust – due to invulnerability
  • Fear of Conflict – artificial harmony
  • Lack of Commitment – ambiguity
  • Avoidance of Accountability – low standards
  • Inattention to Results – caused by individual status and ego

In the absence of trust, morale is at its lowest and self-protectionism becomes the rule. It doesn’t take a PhD in Psychology to realize that this will limit productivity and make work a lot less rewarding for both employees and their managers. This “every man for himself” attitude destroys teams and makes it impossible to optimize goal setting and achieve corporate objectives in a timely manner, if at all.

By learning to communicate more effectively based on honesty, consistency, vulnerability and respect, your teams will be able to focus unselfishly on common results. This in turn keeps individual egos and agendas in check.

#5 – Make it Real

One of the first things to stress with your management team is what I call “Making it Real”. This means being genuine and believable when interacting with their people. Employees tend to fall into some common negative habit patterns when they feel underappreciated. When your managers understand how to be more open and vulnerable with their staff, they work towards trust, respect and improved communication.

“Making it Real” is the answer to the question, “What is the root cause of low employee morale?” Maybe it’s because it’s so simple that it is so often missed, but without your people believing you are genuine, honest and practicing high levels of integrity, any efforts you make to improve morale will be suspect. If you keep this in mind in your dealings with your people, you will be surprised how easy it is to improve morale, so you can enjoy the benefits of higher productivity, better retention, lower costs and an overall happier, more satisfying workplace.

About HR Service, Inc.

HR Service provides broker and client solutions for benefit ERISA compliance and HR, ensuring organizations meet ERISA and Department of Labor (DOL) requirements for: Summary Plan Description Wraps (SPD Wraps), Employee Notifications, 125 Premium Only Plans (125 POP), Summaries of Material Modification (SMM), Health Insurance Portability & Accountability Act (HIPAA), ACA Reporting, and Employment Laws. Our web-based SPD Wraps, Employee Notices, 125 POPs, and ACA Reporting tools make it easy to comply with ERISA. Visit us online at or call (855) 447-3375 for SPD Wraps, 125 POPs, HR Support, ACA Reporting, HIPAA Solutions, and more.


HIPAA Compliance Assessment

HIPAA (Health Insurance Portability & Accountability Act) drives the Standards for Privacy of Individual Health Information (the “Privacy Rule”). These standards, along with the HITECH (Health Information Technology for Economic and Clinical Health) “Security Rule” standards, address the security, use, and disclosure of individuals’ health information, “PHI” (personal health information), by organizations subject to the privacy rules. PHI is defined as individually identifiable health information relating to an individual’s past, present or future physical or mental health conditions.

HIPAA’s three compliance areas include:

  1. The Privacy Rule, which restricts covered entities’ and business associates’ use and disclosure of an individual’s PHI
  2. The Security Rule, which requires covered physician practices to implement “administrative, technical, and physical safeguards” to ensure the confidentiality, integrity, and availability of electronic
  3. The Breach Notification Rule, which requires covered entities to notify affected individuals, the Secretary of the U.S. Department of Health & Human Services (HHS), and in some cases the media when they discover a breach of a patient’s unsecured

How Does HIPAA Apply to Your Company?

The level and extent of HIPAA compliance requirements vary based on whether your company is considered a “covered entity”. However, even businesses not considered covered entities, and those excluded from HIPAA requirements, should still take basic steps to ensure the protection of employees’ information.

Who and What is Excluded from HIPAA?

Any company or plan that does not meet the definition of covered entity or business associate is exempt from HIPAA rules. Exceptions include:

  • Employers who don’t offer any HIPAA covered benefits like medical, dental, vision, or
  • Non-HIPAA plans like Short-term and Long-term Disability, Workers’ Compensation, Life insurance, Accidental Death and Dismemberment, OSHA-required testing, Auto liability insurance that contains payment for medical damages, and Stop-loss coverage
  • Plans with fewer than 50 participants that are administered and maintained solely by the employer that established the plan, with no outside third-party vendor (TPA) used in the administration of the plan

If you fall into any of these categories, you are excluded from HIPAA regulations. Document your determination of exclusion from HIPAA regulations and retain for your records.

Covered entities fall into three categories:

  1. Health plans
  2. Health care providers that conduct certain types of transactions in electronic form
  3. Health care clearinghouses

Health plans include private health insurance companies, government health insurers, employer-sponsored group health plans or HMOs (both fully insured and self-funded plans), FSAs, dental and vision plans, EAP programs (unless referral only), HRAs, HSAs and typically insured supplemental plans.

A business that is a medical office or otherwise in the medical field, an insurance provider or issuer, a broker, a hybrid entity (an organization that has a component that is a “covered” health care provider, and whose activities include both “covered” and “non-covered” functions) or an agency that processes medical and/or claims information needs to ask itself a more comprehensive set of questions to determine its level of compliance need and to ensure proper steps are taken to comply with HIPAA.

Covered entities have the flexibility and freedom to design their privacy policies and procedures as they see fit, as long as they are reasonably designed to ensure compliance with HIPAA requirements.

HIPAA Requirements for Most Employers

In general, most employers that offer fully-insured health benefits such as medical, dental, or an FSA to their employees fall into the “Health Plans” category under HIPAA regulations. However, their level of HIPAA requirements depends on how they maintain, transmit and receive PHI. Organizations can greatly minimize requirements by restricting their direct involvement in handling PHI. As long as the company doesn’t keep, transmit or receive PHI, its level of HIPAA obligation is minimal. The following steps will help these organizations comply with HIPAA:

Compliance Steps:

  1. Define a HIPAA Privacy Officer responsible for handling and overseeing PHI relationships and dealings for the
  2. Review relationships with brokers, insurance providers and outside third party administrators to identify any areas of PHI transmission or use and obtain assurance of HIPAA
  3. Review the following company practices and procedures to verify whether PHI is used, stored or transmitted by the company to outside insurance providers, TPA (third party) vendors or medical facilities:
    1. Enrollment process for PHI sent or received in electronic or paper form
    2. Billing, invoicing, premium collection and remittance processes for any
    3. HR processes for employee file management, benefit management, and COBRA management for PHI
  4. Take steps to eliminate handling of PHI, and where necessary secure any minimal PHI handling that remains, protecting employees’ privacy
  5. Create a HIPAA policy added to employee and leader
  6. Provide the HIPAA Privacy Notice to all participants, unless provided by the insurer. Note: this notice is provided as part of the all-in-one employee notification service from HR Service, Inc., and is included in our SPD Wrap documents; a template sample notice is also available under HIPAA

Sample policies, procedures and a documentation form can be found in the Compliance Basics Center under “HIPAA Tools”, “HIPAA Forms, Documents and Policies”, “Limited or Non-Covered Entity HIPAA Guidance Sample

Plans that require full HIPAA compliance

If your plan is a covered entity that keeps, receives and/or transmits PHI, full HIPAA requirements apply, and you should, at a minimum, have written policies and procedures that include:

  • An established Privacy Officer, contact person and/or office designated to receive complaints and provide information regarding privacy policy practices and procedures
  • Document your covered entity assessment process and findings
  • Conduct a risk assessment and analysis to include:
    • Facilities or other places where patient/employee health data is accessed
    • Computer equipment, servers, mobile/portable devices like tablets and cell phones
    • Physical, visual or auditory access to employee/patient data

  • Designated Security Officer
  • Workforce training and oversight
  • Work information access controls
  • Scheduled/Periodic Security reassessment

  • Secure, authorized electronic exchange of employee/patient information
  • Measures that keep electronic employee/patient information from improper or unapproved changes
  • Controls for access to employee/patient information
  • User access and activities audit logs
  • Data loss measures

Policies and Procedures

  • Clearly written workflow policies and procedures
  • HIPAA security compliance procedures (employee/patient notifications and breach compliance)
  • Documentation of policies and procedures

There are many other requirements for those entities held to full HIPAA compliance. For a complete list of HIPAA requirements, forms, policies, and templates, visit the “HIPAA Tools” section in the Compliance Basics Center available to all HR Service clients. HIPAA Tools is a new resource available to Compliance Basics users, found by logging in at: and accessing the HIPAA Tools dropdown bar.

The above information is a simplification of “Health Plan” HIPAA requirements. Covered Entities, especially health care providers and clearinghouses, should refer to “Covered Entity Determination” for a comprehensive checklist to determine HIPAA applicability under the Federal HIPAA Privacy, Security and Breach Notification Rules. Other resources include a “HIPAA Privacy and Security Compliance Guide Checklist” with additional resources, guidance, forms/tools and steps for establishing, implementing and maintaining a HIPAA compliance program.


SPD ERISA Requirements: Are You Compliant?

ERISA (Employee Retirement Income Security Act) governs both welfare benefit and retirement plans.

This article focuses on the ERISA Summary Plan Description (SPD) and 5500 reporting requirements for welfare benefit plans.

A welfare benefit plan includes any of the following group benefits: health, life, dental, vision, disability insurance plans, flexible spending accounts (FSAs), health reimbursement accounts (HRAs), employee assistance plans (EAPs), and other fringe benefit plans where the employer contributes to the cost.

With the introduction of the Affordable Care Act, ERISA SPD requirements are receiving new attention and enforcement. Employers are required to provide an SPD for each plan, or they can use an SPD wrap document to include all welfare benefit plans.

Common Misconceptions

According to Bernard Kearse, JD, LLM, founder of ERISA Pros, “The most common misconception held is that an insurance company’s Certificate of Insurance is an SPD.” Another common misperception concerns who is responsible for preparing, filing, and delivering SPDs and Form 5500s. Most employers believe their insurance carrier, accountant, or broker is handling this. However, the employer is solely responsible for ERISA compliance. These misunderstandings can result in costly fines should they be discovered by the Department of Labor (DOL). The penalty for late delivery of an SPD can be as much as $110/day per plan.

Who Must Comply with ERISA

ERISA requirements apply to virtually all organizations except governmental entities and churches, regardless of the number of employees or how many of them participate.

SPD Requirements

An employer must have a written Summary Plan Description (SPD) for each separate welfare benefit plan, communicating plan rights and obligations to participants and beneficiaries. These documents must contain ERISA wrapper language, together with the certificate of insurance, to constitute an SPD.

A wrap SPD may encompass all of your welfare benefit plans under one ERISA plan number and one Form 5500 filing. The SPD must be disclosed to participants, informing them of eligibility requirements, benefits, claims and appeals procedures, and rights under ERISA. Other SPD requirements include: the name of the plan, plan sponsor, plan administrator, plan year, employer tax identification number, type of welfare plan, type of administration, summary of the benefits, detailed description of plan benefits for group health plans, provider network availability for group health plans, procedures for Qualified Medical Child Support Orders (QMCSOs), COBRA rights, plan contributions, and claims procedures. A Statement of ERISA Rights is also required.

SPD Delivery

ERISA requires that an SPD is distributed to covered participants within 90 days after they become newly covered by a plan, or within 120 days of a new plan being established. An updated SPD must be furnished to all covered participants every five years if there have been changes, and every 10 years even if the SPD has not changed.

An employer should be prepared to prove it furnished an SPD to participants in a way “reasonably calculated to ensure actual receipt,” using a method “likely to result in full distribution.” Acceptable methods of delivery include: first-class mail, hand-delivery, and electronic distribution, if the employees have access to computers in the workplace and can print a copy easily.

Summary of Material Modifications

Any change in your plan that materially affects the design or pricing must be communicated to participants in a Summary of Material Modifications (SMM). The SMM must be distributed to covered participants within 210 days after the end of the plan year in which a material modification has been made. If the material modification is a reduction in group health plan benefits, the SMM must be distributed to participants within 60 days of the adoption date. Examples of material modifications include: the elimination of benefits payable, reduction of benefits payable, increases in premiums, deductions, co-payments or coinsurance, or a new requirement (e.g., preauthorization) to obtain services under the plan. There is a penalty of up to $110/day for not delivering an SMM within 30 days after a Participant or Beneficiary requests it.

5500 Reporting

ERISA further requires employers with 100 or more participants to report certain information to the DOL annually on Form 5500.

Form 5500 returns ask for information about the plan, including the plan name, plan year, plan sponsor, plan number, participants, insurance costs, and financial data.

Late filing of Form 5500 can result in fines as high as $1,100 per day.

Summary Annual Report

Once a Form 5500 is completed and filed, you must prepare a Summary Annual Report (SAR) for each of your welfare benefit plans subject to ERISA reporting. The SAR summarizes the Form 5500 information and notifies participants that the Form 5500 has been filed and that a copy is available to participants who request one. SARs must be distributed to covered participants within nine months after the end of the plan year. A sample SAR format is available from the DOL. A SAR is not required for plans that are not required to file a Form 5500.

Compliance with ERISA is not optional; it is the law. Employers will avoid costly fines by following the requirements described in this article.



HIPAA Privacy & Security

The Health Insurance Portability & Accountability Act (HIPAA) drives the standards for privacy of individual health information (the “Privacy Rule”), along with the addition of the Health Information Technology for Economic & Clinical Health (HITECH) “Security Rule”. The Privacy & Security Rule standards address the security, use, & disclosure of individuals’ health information (personal health information, PHI) by organizations subject to the privacy rules. The HIPAA Security Standards consist of five major sections: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, & policy & documentation requirements.

A good HIPAA policy will address each of these areas of risk & put steps in place to deal with them.

HIPAA also governs the requirement to allow employees to transfer from one medical plan to another without being subject to pre-existing condition exclusions if they had creditable coverage. This will no longer be relevant for plans starting 1/1/2014 or upon renewing in 2014, since pre-existing condition exclusions are eliminated under the Patient Protection & Affordable Care Act (PPACA).

Who is Covered by the Privacy Rule?

The Privacy Rule, as well as all the Administrative Simplification rules, applies to business associates and to “covered entities”: health plans, healthcare clearinghouses, & any healthcare providers who transmit health info in electronic form, as defined by Health & Human Services (HHS). A “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity.

Employers offering group health plans such as medical, dental, vision, Flexible Spending Account (FSA), Health Reimbursement Account (HRA) & Employee Assistance Plan (EAP) become a covered entity by virtue of their roles as plan sponsors & administrators, & thus must take precautions in the handling of PHI & in interactions with business associates. There is an exception for a health plan with fewer than 50 participants that is administered & funded solely by the employer. However, the vast majority of employer-sponsored health plans are governed by HIPAA.

What is Required?

In general, the Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of, & requests for, PHI to the minimum necessary to accomplish the intended purpose. Each organization should perform a risk analysis to assess vulnerabilities in practices & procedures. The minimum necessary standard risk analysis should include:

  • a review of the type & level of PHI received &/or transmitted;
  • a review of employee tasks that may include use, disclosure, or transmission of PHI;
  • a review of IT & security practices & procedures for transmission of e-PHI & Breach Notification;
  • a review of HIPAA Privacy Policy notification procedures & practices for notification compliance;
  • a review of written & oral disclosure practices &

What Information is Protected?

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or business associate in any form or media, whether electronic, paper, or oral. Individually identifiable health information includes demographic data relating to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of healthcare to the individual, or
  • the past, present, or future payment for the provision of healthcare to the individual,

& that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual, such as name, address, birth date, Social Security

Limit Use & Disclosure to Minimum

When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose unless it can specifically justify the whole record as the amount reasonably needed for the purpose. A covered entity may also reasonably rely on a public official’s determination that the info requested is the minimum necessary for the public health purpose.

Use & Disclosure

A covered entity may not use or disclose PHI except as permitted or required by the Privacy & Administrative Rule, or as the individual who is the subject of the information (or their personal representative) authorizes in writing.

A covered entity must disclose PHI in only two situations:

  • to individuals (or personal representatives) specifically when they request access to, or an accounting of disclosures of their PHI; and
  • to HHS when it is undertaking a compliance investigation or review or enforcement

Written authorization may allow use & disclosure of PHI by the covered entity seeking the authorization, or by a third party. The content of a consent form, & the process for obtaining consent, are at the discretion of the covered entity electing to seek consent. However, all authorizations must be in plain language & contain specific info regarding:

  • the info to be disclosed or used,
  • the person(s) disclosing & receiving the info,
  • expiration, their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances,
  • right to revoke at any time, in writing, & how to exercise that right, & any applicable exceptions,
  • other data such as explaining the potential for the info to be subject to redisclosure by recipient & no longer protected by the Privacy

Business Associate Agreements

HIPAA requires employers offering group health plans to enter into agreements with business associates governing the associate’s obligations to protect plan PHI, the distribution of a plan HIPAA notice of privacy practices, & safeguards protecting group health plan PHI. Anyone outside of an employer’s workforce who performs functions or activities that involve the use or disclosure of PHI, such as claims processing, data analysis, utilization review & billing, is considered a business associate (e.g., insurance brokers, legal counsel, etc.). The HITECH Act imposes direct liability on business associates & business associate subcontractors for a specific set of obligations under HIPAA’s Privacy, Security & Breach Reporting Rules.

Notice & Other Individual Rights

The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use & disclose PHI about the individual, as well as his/her rights & the covered entity’s obligations with respect to that info. Most covered entities must develop & provide individuals with a notice of their privacy practices.

Content of the Notice: Covered entities are required to provide a notice in plain language that describes how PHI may be used & disclosed, an individual’s rights & processes, covered entities’ legal duties around PHI, & a single point of contact for explanation of privacy policy & practices. Other notice requirements & specifications can be found in 45 CFR 164.520(b).

Providing the Notice: A covered entity must make its notice available to any person who requests it, & must prominently post & make available its notice on any website it maintains that provides info about its services or benefits. A covered entity may email the notice to an individual if the individual agrees to receive an electronic notice.

Administrative Requirements

What is appropriate for one covered entity versus another will depend on the nature of the covered entity’s business, size, & resources. Each covered entity must analyze its own needs, compare those to the administrative requirements indicated here, & implement a solution appropriate for its own environment.

  • Privacy Policies & Procedures: Develop & implement written privacy policies & procedures that are consistent with the Privacy
  • Privacy Personnel: Designate a privacy official responsible for developing & implementing privacy policies & procedures, as well as a contact person or department responsible for receiving complaints & providing individuals with info about privacy
  • Workforce Training & Management: Train all workforce members on its privacy policies & procedures, as necessary & appropriate for them to carry out their functions; have & apply appropriate sanctions against workforce members who violate its privacy policies & procedures or the Privacy
  • Mitigation: Mitigate, to the extent practicable, any harmful effect learned, caused by use or disclosure of PHI by its workforce or business associates in
  • Data Safeguards: Maintain reasonable & appropriate administrative, technical, & physical safeguards to prevent intentional or unintentional use or disclosure of PHI & to limit its incidental use & disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing PHI to dispose of them, securing medical records with lock & key or pass code, & limiting access; secure or encrypt all data stored or transferred electronically; maintain a separate section marked “confidential” in employee files for PHI, & secure all files; restrict access to confidential section of employee files to HR & those who have a legitimate need to
  • Complaints: Have procedures for individuals to complain about compliance with its privacy policies & procedures, explain those procedures in the privacy practices notice, identify to whom complaints may be submitted at the covered entity, & inform individuals that complaints may also be submitted to the Secretary of
  • Retaliation & Waiver: Retaliation against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice the person believes in good faith violates the Privacy Rule, or to require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, & enrollment or benefits eligibility, is not permitted under any
  • Documentation & Record Retention: Retain, until six years after the later of the date of creation or the last effective date, its privacy policies & procedures, its privacy practices notices, disposition of complaints, & other actions, activities, & designations that the Privacy Rule requires to be documented.
  • Fully-Insured Group Health Plan Exception: The only administrative obligations with which a fully-insured group health plan with no more than enrollment data & summary health info is required to comply are:

1) ban on retaliatory acts & waiver of individual rights, and 2) documentation requirements with respect to plan documents, if such documents are amended to provide for the disclosure of PHI to the plan sponsor by a health insurance issuer or HMO that services the group health plan.

Notification of Breach

The HITECH Act imposes data breach notification requirements for unauthorized uses & disclosures of “unsecured PHI.” Under the HITECH Act “unsecured PHI” essentially means “unencrypted PHI.”

Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS, & in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Individual Notice: Covered entities must provide individual notice in written form by first-class mail, or alternatively, by email, if the affected individual has agreed to receive notices electronically.

  • If there is insufficient or out-of-date contact info for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside, & must include a toll-free phone number that remains active for at least 90
  • If there is insufficient or out-of-date contact info for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other

Individual notifications must be provided without unreasonable delay & in no case later than 60 days following the discovery of a breach & must include, to the extent possible, a brief description of breach, the type of info involved, steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, & prevent further breaches, as well as contact info for the covered entity (or business associate, as applicable).

Media Notice: Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving the state or jurisdiction. This notification must be provided without unreasonable delay & in no case later than 60 days following the discovery of a breach, & must include the same info required for the individual notice.

Notice to the Secretary of HHS: In addition to notifying affected individuals & the media (if applicable), covered entities must notify the Secretary of breaches of unsecured PHI. Covered entities will notify the Secretary by visiting the HHS website & filling out & electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay & in no case later than 60 days following a breach. For a breach affecting fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis, no later than 60 days after the end of the calendar year in which the breach is discovered.

Notification by a Business Associate: If a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay & no later than 60 days from the discovery of the breach.

Administrative Requirements & Burden of Proof: Covered entities & business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured PHI did not constitute a breach. Maintain documentation stating that all required notifications were made, or alternatively, documentation demonstrating that notification was not required, such as a risk assessment demonstrating a low probability that PHI has been compromised by the impermissible use or disclosure, or the application of any other exception to the definition of “breach.”

Civil & Criminal Penalties

Civil penalties will vary significantly depending upon the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was willful. Persons who knowingly obtain or disclose individually identifiable health info in violation of the Privacy Rule may face criminal penalties of up to $50,000 & up to one-year imprisonment. Criminal penalties increase to $100,000 & up to five-year imprisonment if the conduct involves false pretenses, & $250,000 & up to 10-year imprisonment if the conduct involves intent to sell, transfer, or use identifiable health info for commercial advantage, personal gain, or malicious harm.

State Law

In general, state laws contrary to the Privacy Rule are preempted by the federal requirement, which means the federal requirement will apply.

Covered entities, including employers who sponsor a group health plan, should take action to ensure compliance with the HIPAA rules. Key steps include review & amendment of Business Associate Agreements and existing group health plan HIPAA policies & procedures, assigning a compliance officer, training those handling PHI, & the other actions covered in this article.

Background Checks: What Employers Need to Know

It is a common, recommended business practice for employers to conduct background checks on potential employees. Employment background checks, also known as consumer reports, can include criminal records, credit reports, work history, educational background, and even social media use. However, employers must be diligent in adhering to strict guidelines regarding background checks. Any time you use an applicant’s or employee’s background information to make an employment decision, regardless of how you got the information, you must comply with federal laws.

The information used to make employment decisions must be job-related and not based on any protected category, to avoid discriminatory hiring practices.


Background information used in hiring decisions must plainly and clearly be relevant to the job tasks. Recent guidance from the EEOC and the Federal Trade Commission, the agencies with jurisdiction over background check compliance, clearly states that a policy that excludes everyone with a criminal record, for instance, from employment that is not “job-related and consistent with business necessity” is unlawful (unless it is required by federal law).

A conviction must be directly related to the job in question to be considered relevant in an employment decision. For example, a DUI conviction may be relevant for someone who drives a van as part of his job, but NOT for someone who is a custodian and not required to drive. Therefore, a candidate cannot be rejected based on such a conviction. Further, an arrest record alone may not be used to make hiring decisions. An arrest record does not establish that a person actually engaged in criminal conduct. However, an arrest may trigger an inquiry into whether the conduct underlying the arrest justifies an adverse employment action.

As an employer, you must prove a decision not to hire or promote someone based on his or her background check results is indeed job-related and consistent with business necessity. For a criminal conviction, the employer can prove this if it: (1) considers at least the nature of the crime, time since the criminal conduct occurred, and the nature of the job in question, and (2) gives an individual who may be excluded an opportunity to show why he or she should not be excluded.

Except in rare circumstances, disregard any information revealed about applicants’ or employees’ genetic information, which includes family medical history. Don’t ask medical questions unless you have objective evidence that the applicant or employee is unable to do the job or poses a safety risk because of the medical condition.


Discrimination based on race, color, national origin, sex, religion, disability, genetic information (including family medical history), and age (40 or older) is prohibited. Discrimination related to background checks can take different forms.

Treating job applicants with the same criminal records differently because of their race, color, religion, sex, national origin, or another protected characteristic is considered “disparate treatment discrimination.” For example, asking only people of a certain race about their financial histories or criminal records is evidence of discrimination.

Employers should also ensure that their policies do not significantly disadvantage people of a particular race, national origin, or another protected characteristic. This is known as “disparate impact discrimination.” For example, employers may not enforce a policy that excludes people with certain criminal records if the policy or practice significantly disadvantages individuals of a particular race.

Be prepared to make exceptions for problems revealed during a background check that were caused by a disability. For example, if you are inclined not to hire a person because of a problem caused by a disability, you should allow the person to demonstrate his or her ability to do the job, despite the negative background information, unless doing so would cause significant financial or operational difficulty to the company.

While laws prohibiting employment discrimination technically apply to private employers with 15 or more employees, it is recommended that companies of all sizes abide by them.


Employers must have written permission from job applicants and employees before getting background reports. This permission must be in writing and in a stand-alone document, not part of another document such as an employment application. If you want the authorization to allow you to get consumer reports throughout the person’s employment, make sure the document states this clearly.

Also, include a description of the nature and scope of the background investigation.

Before you reject a job applicant or employee based on results from a background check, you must provide all of the following:

  • a copy of A Summary of Your Rights Under the Fair Credit Reporting Act (available online or from the screening company);
  • a copy of the consumer report you relied on to make your decision, including the name, address, and phone number of the company that sold the report;
  • notice that the hiring decision was made by your company based on specific information in the report;
  • notice that he or she has a right to dispute the accuracy or completeness of the report;
  • notice that he or she can get an additional free report from the reporting company upon request within 60


Background check results and all other hiring records (regardless of whether the applicant was hired or not) must be retained for one year after the records were made or after a personnel action was taken, whichever comes later (record retention requirements may be longer in certain circumstances, such as for educational institutions and federal contractors). If the applicant or employee files a charge of discrimination, you must maintain the records until the case is concluded.

After the retention period has lapsed, you must securely dispose of the background check results report and any information you gathered from it. That can include burning, pulverizing, or shredding paper documents and disposing of electronic information so that it can’t be read or reconstructed.


In addition to adherence to these federal guidelines related to the use of consumer reports in employment decisions, you should also review the laws of your state and municipality regarding background reports or information. Currently, ten states limit employers’ use of credit information in employment decisions, and several states limit the use of criminal records.

Leader Legal Sensitivity: What They Can & Can’t Say or Do

I was assisting a manager, Jim, with an interview when he asked the job candidate, who was female, “if she had children or had plans to have them.” In Jim’s mind, he felt it was job-related to ask questions about children because he had experienced challenges with one of his former employees who was late and had absenteeism problems, in part, related to her not having arranged sufficient childcare for her young children. What this manager did not realize is he put the company at risk of being sued for discrimination in their hiring practices, potentially violating Title VII of the Civil Rights Act, and the Pregnancy Discrimination Act.

Why We Care What Supervisors Say & Do

What supervisors say and do is binding on the organization, as they are legal representatives of the business. Their statements and actions may end up costing the company millions in lawsuits, fines and attorney fees. The average lawsuit in 2010 was over $326,000 for discrimination-related complaints. Not only are there legal risks, but supervisor actions and statements have strong impacts on employee engagement, morale, productivity, quality, service, sales, and profitability.

When to Be Most Careful

Anytime supervisors are involved in employment decisions, care must be taken to ensure they operate within the law. Employment decisions include, but are not limited to such things as: interviewing, hiring, training, appraisals, corrective action, terminations, pay, promotions, performance management, or coaching.

The following are other risky areas where supervisors need to handle things correctly:

  • Job Classifications: If supervisors are involved in determining if someone is exempt or non-exempt from the Fair Labor Standards Act (FLSA) or in determining independent contractors, care must be taken to ensure they follow the correct processes/laws.
  • Work Hours Tracking/Handling: Often leaders are involved in determining what work time is tracked and reported. They further influence if overtime hours are tracked and reported correctly. For example, if supervisors allow someone to work off the clock, with or without permission, they create risk of violating the
  • Leave of Absence/Family Leave/Disability Request Handling: Supervisors are the first line of defense, as they are where employees go to request time off or ask for reasonable accommodations related to medical challenges. Leaders must make sure they are not violating the Family and Medical Leave Act, workers’ compensation laws, or the Americans with Disabilities
  • Response to Complaints: How leaders respond to employee complaints creates or eliminates risk for the company. For example, here’s a risky situation: an employee tells her supervisor, “Joe keeps asking me out and putting his arm on my shoulder.” The supervisor responds by saying, “That is just the way Joe is, go back to work and don’t worry about it.” Attorneys love it when leaders react this way. Take all complaints seriously and involve professionals and senior leaders in these
  • Retaliation: How the leader treats and responds to employees who blow the whistle on legal violations, complain of harassment, or in some other way exercise a legal right can create the risk of a retaliation lawsuit. Most discrimination lawsuits nowadays include retaliation as part of the claim. Care must be taken not to treat employees differently or violate their rights after a complaint.

What Leaders Can’t Say or Do

Leaders are sure to get themselves and their company in trouble by making comments about any of the following topics or in some way implying they are included in employment decisions:

  • Age, religion, national origin, gender, skin color, pregnancy, race, or sexual preference
  • Health, or someone’s disability
  • Statements that imply bias or prejudice
  • Promises, express or implied, of permanent employment
  • Statements or actions that imply retaliation
  • Inconsistent statements about, or treatment of, employees

The following are risky leader behaviors:

  • Being unfair or inconsistent with employees
  • Making promises that are contrary to policy
  • Taking corrective action when someone is out on medical leave or disability
  • Not responding correctly to requests for medical leave or disability accommodations
  • Not acting immediately upon complaints
  • Not documenting coaching, corrective actions or discharges
  • Asking different interview questions from candidates for the same position
  • Making decisions using non-job-related information
  • Being biased or prejudiced
  • Being dishonest
  • Inflating appraisals or performance feedback
  • Ignoring nonverbal signs they see in employees or not resolving conflict
  • Discharging someone on the spot
  • Allowing harassing behaviors
  • Speaking badly of others
  • Being negative or not supporting senior management
  • Being “one of the gang” or trying to be liked
  • Being harsh or disrespectful (attacking)

How to Keep Leader Statements/Actions Legal

Leaders are generally pretty safe if they keep all employment-related decisions and statements job-related. Certainly they should avoid the risky statements and actions covered in this article. In addition, leaders should be trained and have clear guidelines.

Leader Training

Not only should leaders be trained in what they can and cannot say in a work environment, they should be trained in these key areas:

  • Employment laws that apply to them
  • Interviewing, selection, and hiring
  • New hire orientation
  • Handling corrective actions
  • Documentation
  • Conducting appraisals
  • Performance management and coaching
  • Conducting discharges
  • Responding to complaints
  • Resolving conflict
  • Employee relations, engagement, and reinforcement

Leader Guidelines – Handbook

Organizations go to great lengths to make sure they have clear policy guidelines for employees, but fall short when it comes to defining leader policies and procedures related to the above training topics. We recommend creating a leader handbook defining policies and procedures for the above training items.

Organizations cannot afford to assume leaders are skilled in employment related decisions and overall handling of people practices. They really are the true HR managers in organizations as they are more and more involved in key employment decisions/actions.

What leaders say and do creates legal risk or creates a positive, productive work environment. Invest in your leaders, making sure they are trained and skilled in working with your employees.

Creating Legally Compliant Employment Practices

We read about multi-million dollar lawsuits almost daily where organizations are sued or fined for wrongful termination, discrimination, not properly handling a claim of harassment or many other law violations. The list of possible offences is large, with numerous complex laws, rules and regulations that seem to be constantly changing.

Which Laws Apply to Me?

The laws and regulations that apply to each organization are based primarily on three things:

  • The number of employees
  • The states in which you conduct business
  • Whether or not you conduct business with the government

Even organizations with one employee must comply with over 13 federal laws and almost as many state laws and regulations. When companies reach 15 employees, they must comply with Title VII of the Civil Rights Act, the Pregnancy Discrimination Act and the Americans with Disabilities Act. At 20 employees, the Age Discrimination in Employment Act (ADEA) and the Consolidated Omnibus Budget Reconciliation Act (COBRA) apply. At 50 employees, the Family & Medical Leave Act comes into play, and at 100 employees the remaining requirements are added, such as EEO-1 reporting and the Worker Adjustment & Retraining Notification Act (WARN).

State Laws

Each state can establish its own laws and regulations covering all employment practices, as long as they at least meet federal requirements. You will typically find differences in practice details for such things as breaks, final paychecks, and other employment practices.

Government Business

The size of the government contract and the number of employees determine whether or not you must comply with such laws and requirements as affirmative action or VETS 100 reporting. Generally, anyone with 50 or more employees and annual government contracts/business in excess of $50,000 will need to have an affirmative action plan and comply with other federal contractor laws, rules and regulations.

Where Do Laws Come From?

The laws come from the Constitution (State and Federal), Statutes (laws passed by legislatures), Common Law (prior court decisions), Administrative Regulations/Rulings and Court Orders.

Law Enforcers

The following organizations are stepping up their enforcement efforts: the IRS, Department of Labor, OSHA, OFCCP, INS, EEOC, National Labor Relations Board, Social Security Administration, and the federal and state courts.

How Do I Comply?

The following are suggestions to help you create legally compliant employment practices and overall work environment:

1) Know Which Laws Apply – Someone needs to be aware of the laws, rules and regulations that apply to your organization, keep up on changes, and actively implement the steps needed to ensure compliance.

2) Align Practices to Comply – Once familiar with the laws that apply, evaluate current practices and make needed changes to follow the requirements.

3) Establish & Follow Consistent Practices, Procedures and Guidelines – One of the best techniques to drive and communicate consistency is to create good employment practices in an employee handbook. Equally important is to provide leaders with guidelines on how to handle important employment practices for things like hiring, interviewing, orientations, training, performance management, appraisals, layoffs, corrective actions, pay, terminations and discharges. This can be accomplished in a leader handbook or training program.

4) Train Supervisors – What supervisors say and do will either help or hinder your legal compliance and best practices. Supervisor actions are one of an organization’s greatest liabilities, if they violate employee

Leaders should be trained in the employment laws that apply to them, employment practices (described in 3 above), how to monitor risky situations and how to respond to employee complaints.

5) Base Employment Decisions on Job-Related Factors – Every employment decision related to hiring, appraisal, corrective action, training, discharges, pay, etc. must be based solely on job-related reasons/information. Any implication that decisions are based on sex, age, national origin, religion, color or another protected category is a recipe for a lawsuit and a hefty fine.

6) Keep Good Documentation – Organizations and leaders who clearly document employment decisions and actions are best prepared to defend employment practices and to make informed decisions. Keep files on each employee recording key performance measures and feedback (constructive & praise). Individuals involved in hiring, pay, disciplinary action and termination decisions should also document the information needed to demonstrate that decisions were job-related and supported by facts, not

7) Establish a Grievance and Complaint Process – If employees have a place to complain and are given fair consideration, the need to seek outside assistance from attorneys or compliance organizations is lessened. Equally important to having a process is making sure that all complaints are taken seriously, investigated and acted upon.

8) Monitor the Work Environment – Organizations and leaders need to monitor the work environment and keep in touch with employees so they are aware when unsafe or legally risky practices are taking place (e.g. harassment). Once aware of risky practices, supervisors need to take the necessary steps to eliminate them. Maintain a safe workplace, free of hostility, by communicating expectations, training employees and monitoring to ensure compliance.

9) Seriously Evaluate Disciplinary Actions/Discharges – Perhaps the two riskiest employment practices are corrective actions and discharges. These are the times when tempers can flare and individuals can say and do things that escalate to possible legal actions. It is a good practice not to allow anyone to fire on the spot. All employment violations and performance issues should be thoroughly reviewed before action is taken, never in anger or spite. Get all sides of the story, know the laws that apply and make an informed decision.

10) Be Respectful, Fair, Honest and Kind – As obvious as it may seem, it is when a company neglects to be respectful, fair, honest and kind that employees complain to outside agencies, seek attorneys or

11) Review Current Practices With an Outside Professional – It is good business practice to utilize an outside organization, like HR Service, to review current practices, identify risks and help make needed

12) Align Yourself with Experts – There are so many possible areas where things can go wrong that it is imperative to either have an expert on-site or align yourself with someone who can assist with challenging employee issues, risks and compliance

13) Do the Right Thing – If you think about it, most of the laws, rules and regulations are not only required, but are good practices that treat people with respect and dignity. Eliminate bias, discrimination and prejudice from your workplace and promote a positive work environment that rewards performance and results, not color of skin, age or gender.