Zoom Webinar, Wednesday, February 18, 2026 10 am – 12:15 pm

​Featuring Marilyn Monahan, Monahan Law Office

The course will cover

• A roundup of new federal developments impacting employee benefits, including status updates on new developments from the Departments of Treasury, Labor, and Health and Human Services relating to the design and implementation of health and welfare plans, including (as applicable) updates on the Employee Retirement Income Security Act of 1974 (ERISA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Consolidated Appropriations Act, 2021 (CAA), and related federal benefit laws and regulations
• Upcoming deadlines
• An update on ACA compliance, including section 4980H and the IRS Forms 1094/1095
• A summary of the bills recently passed by the California legislature which will impact benefits and the workplace

This program has been pre-approved for 2 Hours of HRCI General Credit toward aPHR®, aPHRi™, PHR®, PHRca®, SPHR®, GPHR®, PHRi™ and SPHRi™ recertification through HR Certification Institute® (HRCI®)

ABC Clients and Broker Co-Op Members No Charge. All others $49.

Register Now!

States Begin to Enact Workplace Violence Prevention Laws July 1, 2024

By:  Dorothy Cociu, RHU, REBC, GBA, RPA, LPRT
President, Advanced Benefit Consulting & Insurance Services, Inc.

It’s the middle of the afternoon and you’re having a really good day at work.  You turned in your report that resulted in high praise earlier, you closed a huge sale and you and your team just received a very loud, standing ovation at your staff meeting.  Everyone seems happy.  There are smiles all around; the atmosphere is positive and invigorating, and you’ve never been so happy in the workplace.  What more could you ask for?  Perhaps the answer to that question could be simply to feel safe.

Your company has grown significantly, and you can no longer have staff meetings in a training or conference room.  You are in the open in the warehouse, which is the only place large enough to gather the entire warehouse day shift, office/administration staff, sales and all other personnel.  As the applause begins to dissipate, there is a loud series of pop-pop-pop sounds followed by screams of terror, and everyone begins running, but no one knows where to run to.  Eyes are filled with horror and tears, and people are literally shoving and pushing others to get to an exit.  There are people lying on the floor being trampled, and there are large warehouse shelving units  and cabinets that are toppled over and inventory is crashing onto people before hitting the floor.

Everyone appears to be in shock, and no one knows what to do.  After a few seconds it begins to register that something really bad is happening.  Then you hear people screaming “Shooter” and then more shots are heard, closer this time.  You see people with splatters of something red on their clothing as they run by, and you realize that it must be blood.  You instinctively turn toward the direction they are running from and you see something that should only be seen in a movie, but instead, it’s right in front of you.  Four people are lying on the floor, injured or possibly worse.  Then you see the barrel of a very large gun coming from around the corner and out into the open toward you.  You watch in what appears to be slow motion and you see the gun being fired, and it’s aiming in your direction.  At that point, it all becomes a blur, as  you feel something hit your leg and your body begins to shake as the pain surges through you.  Before you black out, you see images of your family flash before your eyes….

Most of us think of our top two priorities in life as our family and our jobs.  Both should be safe and secure, and both should be filled with a healthy combination of joy, frustration and stress.  We all hope that the joy far outweighs the frustration and stress.  But what happens when somewhere we are all supposed to feel safe turns into a place of chaos and trauma, violence and disaster?

Workplace Violence & Workplace Violence Plans

What is Workplace Violence? As taken from California’s Cal-OSHA website, Per Labor Code section 6401.9, “workplace violence” is defined as any act of violence or threat of violence that occurs in a place of employment. This includes, but is not limited to, the following:

• The threat or use of physical force against an employee that results in, or has a high likelihood of resulting in, injury, psychological trauma, or stress, regardless of whether the employee sustains an injury.
• An incident involving a threat or use of a firearm or other dangerous weapon, including the use of common objects as weapons, regardless of whether the employee sustains an injury.
• The four types of workplace violence defined in Labor Code section 6401.9.

Why is all of this so important now?  As stated on the Cal-OSHA website, On September 30, 2023, California Senate Bill 553 (Cortese) was signed into law and California Labor Code section 6401.9 will be in effect and enforceable on July 1, 2024. Employers that fall within the scope of this law must establish, implement, and maintain an effective written Workplace Violence Prevention Plan that includes but is not limited to the following:

• Identifying who is responsible for implementing the plan
• Involving employees and their representatives
• Accepting and responding to reports of workplace violence and prohibit employee retaliation
• Communicating with employees regarding workplace violence matters
• Responding to actual and potential emergencies
• Developing and providing effective training
• Identifying, evaluating, and correcting workplace violence hazards
• Performing post incident response and investigations

Categories of Workplace Violence

Unfortunately, these scenarios, as well as overall violence in the workplace, have become far too common.  There are four categories of workplace violence, according to the National Institute for Occupational Safety and Health:  1) Criminal Intent; 2) Customer/Client; 3) Worker-on-Worker, and 4) Personal Relationship, which overwhelmingly targets women.

I was shocked when I read some of the statistics on workplace violence while researching for this article.  Assaults resulted in 57,610 injuries in the workplace in 2021-2022, according to the National Safety Council (NSC).  In 2022, 525 fatalities due to assault were reported, according to Injury Facts.  Every year, according to NSC, thousands of American workers report having been victims of workplace violence.  Certain industries, including health, service providers and education, are more prone to violence than others.  OSHA reports that taxi drivers, for example, are more than 20 times more likely to be murdered on the job than other workers.  The Centers for Disease Control and Prevention (CDC)’s National Institute for Occupational Safety and Health (NIOSH)  reports that in 2020, health care and social assistance workers had an incidence rate of 10.3 out of 10,000 full-time workers) for injuries resulting from assaults and violent acts by others.  The rate for nursing and personal care facility workers was 21.8.  According to the NSC, assault is the fifth leading cause of workplace deaths.

Active Shooter v Other Workplace Violence

The deadliest situations of course involve an active shorter.  The US Department of Homeland Security defines an active shooter as someone “actively engaged in killing or attempting to kill people in a confined and populated area.”

The US Bureau of Labor Statistics states that 20,050 workers in the private industry experienced trauma from nonfatal workplace violence in 2020, which required days away from work.  Of these victims who experienced trauma from workplace violence, 73% were female, 62% were aged 25 to 54, 76% worked in the healthcare and social assistance industry, and 22% required 31 or more days away from work to recover, and 22% involved 3 to 5 days away from work.  That same Bureau reports that 392 US workers were workplace homicide victims in 2020 that died from homicide.  Of those, 81% were men, 44% were aged 25 to 44, 28% were Black and 18% Hispanic.

According to The Economics Daily (TED) of the Bureau of Labor Statistics, the five occupational groups with the most workplace homicides in 2020 were sales and related (92), transportation and material moving (51), management (29), construction and extraction (20), and production (18).   Non-fatal workplace intentional injuries by another person that required at least one day away from work in 2020, included 18,690 in Service, 8,590 in Healthcare Practitioners  and Technical, 5,470 in Education instruction and libraries, 1,560 in transportation and material moving, and 1,360 in management, business or financial areas.

The statistics are overwhelming, but we care mostly about how it affects us, our workplace and our lives.

Cal-OSHA has posted this on their website:  “According to the latest data, in 2021, 57 working people died from acts of workplace violence in California. In the United States, an average of 1.3 million nonfatal violent crimes in the workplace occurred annually from 2015 to 2019. For further details see Indicators of Workplace Violence, 2019 (published 2022).”

I recently spoke with Michael Julian, CEO from ALIVE Active Shooter Survival Training Program, MPS Security and Protection and National Business Investigations, Inc. and Tony Clubb, Active Shooter Master Trainer from ALIVE Active Shooter Survival Training Program about workplace violence and active shooter situations.  Michael was a guest on my Benefits Executive Roundtable podcast this past season (S5 E16) and was very passionate about protecting workers from active shooter situations, and how common they have become, particularly when comparing to a decade ago, which mirror some of the statistics stated above.

“There are roughly 2 million victims of workplace violence annually in the United States Each year,” stated Michael. “According to Safety and Health Magazine ‘over the last six years of the study period, workplace violence-related deaths rose 11%, from 409 in 2014.’ In addition, we have seen a steady rise in the number of active shooter incidents over the last 20+ years. From 2000 through 2019, there were 333 active shooter incidents in the US. From 2020 through 2022, there have been 151.’”

Workplace violence can  happen in any city, any state, any type of workplace.  All you need is a disgruntled current or former employee or a family member of such, and extenuating circumstances which cause that person to take drastic measures.

California’s SB 553- Workplace Violence Prevention

California is leading the nation (no surprise there) with legislation (SB 553) set to go into effect on July 1, 2024, which includes massive requirements for workplace violence training, logging and other tedious requirements.  Although I’ll be discussing the upcoming California state legislation, the same circumstances may happen in whatever state you are in, regardless of whether or not you have state laws to help educate or prevent certain activities.

Workplace Violence Plans  and California’s SB 553

I asked Michael Julian how other states are responding to workplace violence in general and if they have or expect to have similar laws to CA’s SB 553 in the near future.

“There are currently no other states mandating such stringent workplace violence prevention laws as SB 553,” Michael replied, “but California is somewhat of a trend-setter in areas like this, so most states will begin to follow suit by implementing similar laws.”

So how comprehensive is SB 553?  I asked Michael about this and some of the requirements he felt employers aren’t and won’t be ready for by the July 1, 2024 deadline.  “SB 553 requires organizations to develop a Workplace Violence Prevention Plan, establish effective training, maintain a Violent Incident Log, investigate incidents, and retain records for specific lengths of time. I think the infrastructure the organization has in place will determine which component will cause an organization the most trouble. For example, a larger organization with HR resources in place may have the most trouble getting their staff the required training annually. The training must be interactive, and the employees need to be able to ask questions. On the other hand, a smaller organization may find it easier to give the training to their staff but may struggle with the more technical parts such as developing the WVPP with input from employees/bargaining units, completing the physical security audit and providing the active shooter training.”

Are most California employers ready to implement SB 553?  “I think organizations that have a fully staffed HR department or have an HR firm providing consultation, are probably moving in the right direction. However, it appears that many businesses that do not have these resources currently in place are unaware of the requirements this legislation mandates,” stated Michael. 

I also asked our Benefits Attorney, Marilyn Monahan, the same.  “I suspect many employers are not prepared. Cal-OSHA is working to get the word out, and so are many law firms, HR consultants, and other service providers. And we do know that many employers have gotten the message and are starting to work on implementation.  However, the law is sweeping in its application, and I would not be surprised if many employers—especially those who do not have a lot of resources available to them—are unaware or unprepared for implementation.”

Implementation is always the key to law enactment and enforcement.  This law is wide-reaching and will require a tremendous amount of management and Human Resources labor hours to understand and implement.

“This new law will add a massive amount of new work to many HR departments that are already overtaxed, especially if they try to create and implement what is necessary to fulfill these new requirements themselves,” stated Tony Clubb.  “They will have three choices; completely create everything from scratch themselves, obtain a package of templated documents and the training presentation to complete and deliver themselves, or hire an outside consultant to do all the work for them, which could be quite expensive.”

Marilyn Monahan was concerned about the complexities of the law and made these comments:  “Employers need a written workplace policy, and there are numerous steps involved in putting the policy together.  For example, they have to develop procedures to obtain the active involvement of employees and authorized employee representatives in developing and implementing the policy.  Once the policy is written, they have to implement it.  An important part of implementation is mandatory training.  To start the process, Cal-OSHA has issued a model policy.  While the model policy is a helpful starting point, it must be tailored to address the specific circumstances of the employer’s workplace—and for employers with multiple facilities, that means multiple policies or procedures. The law also includes detailed record-keeping requirements.”

The Cal-OSHA Model policy and related documents can be found at:  https://www.dir.ca.gov/dosh/Workplace-Violence.html.

What Employers Must Know; Even Those Who Don’t Believe it Could Happen to Them

In my recent podcast interview with Michael Julian (Benefits Executive Roundtable, S5 E16) we talked in detail about workplace violence, active shooter situations and the reality of today’s world, as well as the inability or unwillingness of some employers to actually perceive that events like active shooters could happen in their workplace.  I asked Michael in the podcast, and again recently for this article, if he thinks most employers are equipped to handle an active shooter situation.

“No,” said Michael, absolutely.  “A small percentage of employers have implemented proper physical security apparatus to harden themselves as a target or provided adequate active shooter response/survival training. Per statistics published on Zippia.com, ‘Although 62% of companies view an active shooter as a top threat, as many as 79% of businesses report feeling unprepared for an active shooter, meanwhile, 61% of these companies do not run any proactive active shooter preparedness drills or training for their employees.’” 

If the unthinkable happens, there are things an employer should know to do immediately after an Active Shooter is known to be on the premises.  I asked Tony Clubb to walk us through those first critical steps.

“Previous to any type of catastrophic violent event, all employees should be trained on the appropriate way to respond to such an event,” stated Tony. “Employers and employees should follow these steps upon learning of the presence of an active shooter:

• ASSESS the situation to determine which of the following next steps are appropriate and call 911 immediately.
• If possible, LEAVE the danger zone as quickly and safely as possible, notifying others of the danger.
• If leaving is not possible, attempt to IMPEDE the killer’s ability to get to you by creating time and space.
• If no other option is available, commit to VIOLENCE against the killer to neutralize the threat.
• When you believe the threat is over, EXPOSE your position carefully. There may still be a threat, and law enforcement will not know who the threat is so they may treat you as one.”

Can the risk of an active shooter be minimized or prevented?  Are there steps that can be taken to decrease your risk of an active shooter?  I asked Michael what he thought the five best things an employer can do to minimize the risk of an active shooter, if that’s at all possible.  Michael didn’t even hesitate or have to think about it when I asked.  “An employer must…

• Provide effective training to staff on how to prepare for and respond to an incident.
• Ensure your site is hardened by making it difficult for someone to gain unauthorized access and setting up safe rooms where staff can shelter in place.
• Ensure resources are available for staff that are struggling, ensure they know how to utilize them, and ensure they know how to refer people to them.
• Establish an effective reporting system that allows staff to remain anonymous if they choose.
• Develop a timely process to investigate reports of workplace violence or concerns for workplace violence.”

None of that sounds easy and it all sounds very time-consuming and stressful for the employer; particularly their HR Department.  Does SB 553 apply to all employers or are there employers who are exempt from the law?  Marilyn Monahan advised “Exempt employers include:  health care facilities that are in compliance with an existing mandate that they have a workplace violence policy in place; employees teleworking from a location of the employee’s choice, which is not under the control of the employer; and places of employment where there are less than 10 employees working at the place at any given time and that are not accessible to the public, if the places are in compliance with existing rules on Injury and Illness Prevention Programs.”

Michael Julian and Marilyn Monahan provided me with a list of the types of exempted employers for SB 553 requirements:

• Health care facilities, service categories, and operations covered by Section 3342 of Title 8 of the California Code of Regulations.
• Employers that comply with Section 3342 of Title 8 of the California Code of Regulations.
• Facilities operated by the Department of Corrections and Rehabilitation, if the facilities are in compliant with Section 3203 of Title 8 of the California Code of Regulations.
• Employers that are law enforcement agencies that are a “department or participating department,” as defined in Section 1001 of Title 11 of the California Code of Regulations and that have received confirmation of compliance with the Commission on Peace Officer Standards and Training (POST) Program from the POST Executive Director in accordance with Section 1010 of Title 11 of the California Code of Regulations. However, an employer shall be exempt pursuant to this subparagraph only if all facilities operated by the agency are in compliance with Section 3203 of Title 8 of the California Code of Regulations.
• Employees teleworking from a location of the employee’s choice, which is not under the control of the employer.
• Places of employment where there are less than 10 employees working at the place at any given time and that are not accessible to the public, if the places are in compliance with Section 3203 of Title 8 of the California Code of Regulations.

Workplace Violence Prevention Implementation, Training & Resources

Whether the employer is in California and must meet the SB 553 requirements or is located in another state, most of the things discussed in this article would be relevant (other than those specific requirements of SB 553) to any employer, anywhere.  Whether you’re in California or not, but want to address the possibility of workplace violence and create a plan on what to do if the unthinkable happens, human resources departments, which are already spread too thin, probably aren’t going to be able to do this on their own.  Nor would their executives want them to.  These are complex issues and preparation is exhaustive.  If you have to or want to implement a workplace violence prevention program, an easy place to start is at the Cal-OSHA website, where they have posted Fact Sheets and have created model prevention plan samples, depending on industry.  You can find these at:  https://www.dir.ca.gov/dosh/Workplace-Violence.html

However, it’s important to keep in mind, these are just models.  I asked Marilyn if she had words of caution or advice for employers when using the government-provided models.  “The guidance and the models are a good starting point, but more work will have to be done. Employers may need to work with outside counsel, an HR consultant, or a workplace safety consultant in order to put an effective and compliant policy in place.”

I also asked if Marilyn would have any recommendations for employers when determining whether to try to do the implementations themselves in-house or hire outside experts.  Marilyn recommended:  “As is the case with any service provider, compare experience, references, and cost to ensure the employer is retaining the services of a competent and effective partner in this process.”

I also asked Tony what they would recommend.  “If an employer has adequate resources in-house, they should use them,” stated Tony. “If not, for something as serious as workplace violence prevention, we recommend using consultants with the appropriate expertise and experience to address this issue.”

The Aftermath

The actual event is only the beginning for some.  Often it involves ongoing medical care and therapy, grief counseling, treatment/counseling for post traumatic stress or depression or survivor guilt syndrome, just to name a few.

… You open your eyes and realize everything is a bit blurry.  You feel groggy and heavily medicated.  Then you begin to realize that you’re in a hospital.  Why am I here, you ask yourself?  Then you begin to recall.  Work, people running, scared, gun, pain and then… nothing.  You passed out from the pain and blood loss from a gunshot wound to the leg.  You look down and are relieved to see that your limbs seem to be in tact, but your leg is heavily wrapped with something and is elevated.  You can’t quite process it yet. 

The nurse, who had been doing work on a monitor by the cabinet a few feet from you, now turns to you and speaks.  “You’re awake,” she states.  “It’s ok.  There was an incident, you were hurt, but you’re better now.  You had surgery.”  She goes on to explain that you were shot in the leg, and although you lost a lot of blood, they were able to surgically repair your leg, but you should be prepared for some long-term therapy and a somewhat long road to recovery.

“My family,” you reply in a soft and raspy voice you don’t recognize.  “Are they ok?  Do they know?  Are they afraid?  I have to talk to them!”

“It’s ok,” says the nurse calmingly.  “They are here.  That’s a big-hearted bunch out there.  You’ve got family, friends and co-workers out there, all worried about you.  I’ll go out and let them know you’re awake and talking, and soon I can let them in to see you, two at a time.”

“Wait,” you ask, “the others?  Is everyone ok?  I saw… I saw blood, and a gun, and a shooter… Did everyone make it?  Is everyone ok?  What happened?”

The nurse’s face suddenly looks sad.  “You were one of the lucky ones.  You were shot in the leg… Others weren’t so lucky.  I’m afraid there were some casualties, and a lot more injuries.  We’ll fill you in later, after you’ve been able to see some family.  Sound good?  I’ll be right back.”

As soon as the nurse leaves the room, it all begins to come back to you, and you start to feel overwhelmed, frightened, and very sad.  But you’re full of questions and simply overwhelmed.  Who died?  Who is also injured?  Who was the shooter, and why did he do this?  Just as you start to cry, the smiling faces of your wife and your daughter run into the room to greet you.  You fight back the tears, and open your arms for them…

Three months later, you still aren’t back to work, as the intense physical therapy for your leg injury continues.  You tried working remotely from home, but you just can’t seem to concentrate.  You have also been seeing a therapist about your post-traumatic stress disorder and your survivor’s guilt, which developed after you discovered nine people died that day, and three were your friends.  17 others were injured, and 11 still haven’t returned to work.  Your company offered an employee assistance program and brought in special counselors, but it just hasn’t been the same. …

The violent event may be over, but the recovery will take much more than surgery to heal.  The emotional part of workplace violence will be with you for the rest of your life, and it’s after the event, that’s where the real work begins.

Employers may want to consider, both inside California where required and out,  if they’ve done enough to prevent this type of thing from happening, and how they should prepare and train their employees.  Maybe some prevention steps could decrease the likelihood, and if it does happen, decrease the number of casualties and injuries.  We all want to feel safe at our jobs.

##

Author’s Note:  I’d like to thank Marilyn Monahan, Monahan Law Office, Michael Julian and Tony Clubb from ALIVE Active Shooter Survival Training Program, MPS Security and Protection and National Business Investigations, Inc. for their assistance with this article.  Marilyn can be reached at:  marilyn@monahanlawoffice.com.  Michael can be reached at:  mjulian@investigations-nbi.com, or Michael Julian, CPI PPS CSP, CEO, at 866-624-8050 x26, and Tony Clubb can be reached at:   tclubb@aliveactiveshooter.com.   Michael and Tony offer A.L.I.V.E. Active Shooter Survival Training Program at:  www.ActiveShooterSurvivalTraining.com

Reference Sources: 

Cal OSHA website and California Department of Industrial Relations Division of Occupational Safety & Health, Fact Sheet, Workplace Violence Prevention in General Industry (Non-Health Care Settings)- Information for Employees; California Department of Industrial Relations Division of Occupational Safety & Health, Fact Sheet, Workplace Violence Prevention in General Industry (Non-Health Care Settings)- Information for Employers; Cal-OSHA’s Workplace Prevention Model Plan, available at:  https://www.dir.ca.gov/dosh/Workplace-Violence/General-Industry.html.  Other reference Sources Mentioned in this Article:  https://www.nsc.org/workplace/safety-topics/workplace-violence#:~:text=Every%20year%2C%20thousands%20of%20American,according%20to%20Injury%20Facts%C2%AE. https://www.cdc.gov/niosh/topics/violence/fastfacts.html

TED:  The Economics Daily, US Bureau of Labor Statistics, Workplace Violence:  Homicides and nonfatal Intentional Injuries by Another Person in 2020, November 21, 2022

US Centers for Disease Control and Prevention, National Institute for Occupational Safety and Health (NIOSH) website

NSC Injury Facts, Assault at Work Federal Agencies Release Joint Study on Workplace Violence, July 21, 2022, Bureau of Justice Statistics, Department of Justice, Fast Facts 

In Part One of a 2-Part Series, in honor of Cybersecurity Awareness Month, Host Dorothy Cociu discusses the US Department of Labor/EBSA Cybersecurity Guidance with an expert panel, including Marilyn Monahan, ESQ of Monahan Law Office, Ted Flittner and Ted Mayeshiba, Principals of Aditi Group, ABC’s partner IT, Cybersecurity and Technology firm. In part one, we discuss the background of the cybersecurity guidance, what’s included in the Guidance, who has to comply, recent court cases setting precedents, Tips for Hiring a Service Provider with strong cybersecurity practices and the role of fiduciaries in this function, including selection and monitoring. We also discuss the importance of cyber liability insurance and what you need to do to get it, and the importance of contract terms with service providers. Join us for Part One of this important and informational podcast!

Show Notes

Download Show Notes (PDF)

Advanced Benefit Consulting offers its Cybersecurity Program Guide for Plan Fiduciaries and Plan Sponsors on a retail basis (this is complementary for health benefits broker clients, along with assistance completing the Cybersecurity Program documentation).  If you’d like to order our Cybersecurity Program Guide, including the ABC Cybersecurity Service Provider Questionnaire and Vendor Comparison Chart, click here.  If you’d like to order just our ABC Cybersecurity Service Provider Questionnaire and Comparison Chart, click here.

Published in HR Tech Outlook, June 2023.

By:  Dorothy Cociu, RHU, REBC, GBA, RPA, President, Advanced Benefit Consulting & Insurance Services, Inc.

Ask and you shall receive?  Well, although that does not happen as frequently as we’d like, sometimes we are surprised, and it does.  In the spring (April) of 2021, the US Department of Labor (DOL) released a much needed (although maybe not wanted by some) guidance package on cybersecurity for plan sponsors and plan fiduciaries.  This release didn’t get as much press or attention as some releases; perhaps because COVID was still very much a part of our everyday lives at that time.  One thing COVID did was bring out more and more bad actors involved with ransomware, malware and other cyber and online threats, perhaps in part because more and more people were working remotely, and where there are remote employees, there is a greater chance of risk and exposure to cyber- attacks. In some cases, examples made national and worldwide news, and affected many of our daily lives.  But attacks can and do happen in our offices as well.  Keep in mind, where there is data, there is risk of someone gaining access to that data.

Most of us remember the Colonial Pipeline ransomware event in May, 2021.  This seemed to be the first of many cyber attacks hitting us that year, but this one really hit home to many.  As you’ll recall, the Colonial attack is the largest publicly disclosed cyber-attack against critical infrastructure in the United States, attacking the company’s IT systems and causing fuel shortages for weeks in the eastern United States.  We found out later in news reports that the attack was due to a leaked password, an inactive VPN account and a lack of multifactor authentication.  You may also recall that Colonial paid a ransom of millions of dollars to get their systems back up and running.  Lucky for them, much of those funds were actually recovered through the tracing of cryptocurrency.  Still, the breach could have been avoided if Colonial had used basic cybersecurity practices that experts have been preaching for years.  Could have, would have, should have been avoided…  Yet, these cyber criminals continue to do their damage and far too many companies have been subject to similar circumstances.  No one wants to face that moment of shear panic when your systems won’t come up, or when they do, and you get a strange and frightening  video or screen-shot of someone telling you they now have your data and you must pay to get it back.

The DOL Cybersecurity Guidance was primarily aimed at protecting retirement plans, due to their high financial values and the financial security of so many individuals and families, but the DOL wrote the guidance in such a way to apply to all ERISA Plans, including health and welfare plans, because all benefit plans have valuable information (and assets) that cyber criminals want to have their hands on.  This has become evident based on the high number of breaches in the health care and health insurance industry in recent years.  Remember Anthem, Primera Blue Cross, UCLA Medical Center, New York Presbyterian/Columba Medical Center, Children’s Medical Center of Dallas and so many more.  ERISA plans not only have financial assets, but personal information that criminals want to exploit.  The bottom line is that the DOL has made it clear that plan sponsors and plan fiduciaries have a responsibility and duty to protect the plan and participants, and therefore have a duty to mitigate cybersecurity risk. 

ERISA and Plan Fiduciary Overview and Background

Before I get into the guidance and how it affects employer plan sponsors and plan fiduciaries, I want to provide a brief background that should help you understand the significance of the role of plan sponsors and their plan fiduciaries in employee benefits.

The Employee Retirement Income Security Act of 1974 (ERISA) includes reporting and disclosure requirements enforced by the Department of Labor (DOL), Employee Benefits Security Administration (EBSA).  ERISA is a federal law that regulates employer-sponsored (a) pension plans and (b) employee welfare benefit plans—whether fully insured or self-funded.

Welfare benefit plans include medical, dental, vision, health FSAs, HRA, LTD, STD, life, AD&D, pre-paid legal, some EAPs and some wellness programs.

Federal oversight is needed to protect benefit programs.  So what government entities are involved, who audits what, and what areas are subject to review?  ERISA Reporting, Disclosure, and Fiduciary (operational) requirements, and now Cybersecurity, is enforced by the US Department of Labor.  The IRS, Department of Health & Human Services (HHS) and DOL oversee the Affordable Care Act.  HIPAA Privacy and Data Security are enforced by HHS and OCR (Office of Civil Rights – which operates under HHS).  Cafeteria Plans and Nondiscrimination Testing fall under the IRS.  Wellness programs are the responsibility of the DOL and IRS, and Mental Health Parity, Voluntary Benefits and Claims Procedures overseen by the DOL.

So, what is a Fiduciary and why is it so important?  First off, all ERISA-covered benefit plans are required to have fiduciaries.  There are various fiduciary roles under ERISA (both named and functional), including the requirement for each plan to have at least one named fiduciary that must be identified in the plan document  (ERISA § 402). The fiduciary is the Plan Administrator (ERISA § 3(16)).  A fiduciary has discretionary authority or control over plan management (ERISA § 3(21)), and a fiduciary is someone who provides investment advice for compensation.  Mostly, it’s important to note that Fiduciary status is based on the functions performed for the plan, not just a person’s title.  One thing I always say when discussing the role of fiduciaries, either with an employer client or when teaching a class, is that If it looks like a duck, walks like a duck, acts like a duck, it’s a duck!  Therefore, if you are performing any of these tasks, whether or not you’ve been given the title, you are, indeed, a fiduciary.

There are four main fiduciary duties under ERISA: 1) the Duty of undivided loyalty to plan participants and beneficiaries (exclusive benefit rule), including acting for the sole purpose of providing benefits to plan participants, which includes the requirement that you must only pay reasonable plan expenses; 2) Duty of prudence (Prudent Man/Person Standard of Care).  ERISA requires that plan fiduciaries must act with the care, skill, prudence, and diligence under the circumstances then prevailing, that any prudent person acting in a like capacity and familiar with such matters would use.  What has now been added to these duties is an obligation to ensure “proper mitigation of cybersecurity risks.”  3) Duty to diversify assets of the plan; 4) Duty to administer the plan in conformity with governing documents.  The DOL understands and encourages plan fiduciaries to get help if and when they need it from experts.

Why Cybersecurity Compliance Matters

For an employer sponsoring an ERISA benefit plan, cybersecurity compliance matters because It’s the legal standard, it is part of the Plan Administrator’s fiduciary responsibility, it’s an employer obligation – not an insurer or broker obligation, it’s needed and expected to fix problems, be ready to respond to participant inquiries or complaints, as well as be ready in the event of a lawsuit.  In addition, compliance matters so that you’re prepared in the event of a DOL, IRS, or HHS/OCR audit, prepared in the event of a merger, or wish to be a hero to the CEO/CFO, and if self-funded, it is required to be complaint with stop loss requirements, to name a few reasons.

Real-World Applications of Cybersecurity Compliance

As I said previously, the DOL released their Cybersecurity Guidance in April, 2021 for plan fiduciaries, plan sponsors, recordkeepers and plan participants.  Why have they released them?

Without sufficient protections, “participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.”  In addition, “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

I asked Marilyn Monahan, our Benefits Attorney, if she thinks plan sponsors and plan fiduciaries should be taking this seriously and if so, why? “By issuing this summary of ‘best practices,’ the DOL has announced that this is an area of concern and focus. Further, in the introductory paragraph of the guidance, the DOL clearly ties these best practices to existing ERISA fiduciary standards:  ‘Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.’ Responsible plan fiduciaries would be well advised to take note.”

I asked our technology/IT and cybersecurity partners, Ted Flittner and Ted Mayeshiba of Aditi Group, if they thought plan sponsors and plan fiduciaries should be taking this cybersecurity guidance seriously, and if so, why.

“Dorothy, I have money in a plan.  If it goes missing, you can bet I’m coming after my money,” stated Ted Mayeshiba, Principal.  “Plan fiduciaries are named that [fiduciaries] because there is a responsibility to safeguard MY MONEY.  There are too many horror stories which relate fiduciaries having individual accounts under their control  hacked and money stolen.  Now, with these guidelines, the legal standard of “duty of prudence” have been clarified.  Meaning, if you don’t follow these guidelines, you are more likely to be on the losing end of a judgement.”

His partner Ted Flittner continued: “This is the DOL’s way of making Cybersecurity an official, formal and now expected part of doing business in employer/employee related areas.  Not following guidance is asking for investigation, judgement against you and penalties. But aside from the “legal” or DOL impact, the guidance offered is just plain SMART and good for everyone.”

For another opinion, I spoke with Adriana Mendieta, an industry friend and fellow cybersecurity business associate, who is a database manager for Colonial Life and also specializes in cyber liability insurance coverage.  “Plan sponsors and plan fiduciaries should indeed give serious consideration to the Department of Labor’s requirement for Cybersecurity Policies and Programs,” stated Adriana. “Cyber threats pose a substantial risk to ERISA plans, and it is crucial for sponsors to prioritize the protection of assets, compliance, and safeguards. In my role, I strongly believe that cyber insurance plays a vital role in ensuring the cybersecurity of the plan.”

The guidance “complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”

I asked our Benefits Attorney, Marilyn Monahan, if she agreed with me that the release of such guidance means that they are putting a much higher emphasis on cybersecurity in benefit plans.  “Yes,” Marilyn replied. “In fact, it is clear that cybersecurity is a priority not only with the DOL, but also with other federal agencies and at the state level as well. (The California Consumer Privacy Act of 2018 (CCPA)—as modified by the California Privacy Rights Act (CPRA)—is an example of the increasing interest in cybersecurity at the state level.) While this interest can seem to create significant challenges for employers and producers as they work to understand how multiple—and potentially overlapping—standards apply to them and their benefit plans, taken together they do also send a clear message that cybersecurity is a priority to regulators and must be to employers as well.”

The DOL/EBSA Guidance divides the Guidance into three sections, which I will divide by topic for readers.  I asked Marilyn to give me her thoughts on why it is important that you, as a plan sponsor or plan fiduciary, to create a complete  Cybersecurity Program now.  “The guidance was issued in 2021—a couple of years ago,”  Marilyn stated.  “The COVID-19 National Emergency and PHE are now over. With things getting back to ‘normal,” this is a good time for employers to turn their attention to all aspects of compliance, including cybersecurity.”

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

In the first of the 3-part guidance, the DOL focuses on tips for hiring service providers with strong cybersecurity practices.  Business owners have a fiduciary responsibility under ERISA to prudently select and monitor service providers.  The guidance makes it clear that each plan sponsor must have a process in place for selecting your service providers.  One question you need to ask them is if their “process” is completely documented? This should be made a part of your RFP process.  Then you need to find out from the service provider how they monitor their electronic files and data and be sure that every step is completely documented.  Plan sponsors/fiduciaries should monitor not only new service providers, but current providers as well.

The service provider or providers should have in place a recognized standard of information security and outside monitoring procedure.  Do they have a documented standard of information security that tracks the who, how, why, when for everything they have in their possession?  Lastly, you should ask who is overseeing the process? Each service provider should assign an individual or team to oversee the process, and the employer/plan sponsor/fiduciary should be asking for details on this procedure (or procedures).

Another step in hiring a service provider with strong cybersecurity practice, according to the DOL Guidance, is to be sure they have in place a vendor/service provider validation of practices, so that you can see their track record, their past security breaches and how they mitigated those breaches.  Is there public information regarding security incidents or breaches, other litigation and/or legal proceedings related to the vendor’s services? You want to be sure to ask them what their internal process is for all of these items, and perhaps do some google and other types of public searches as well, and not rely entirely on what the vendor tells you.  My motto for this is trust, but verify!

Other things you can do as a plan sponsor/fiduciary is to check the HHS “Wall of Shame” for Large Breaches (those covered under HIPAA Privacy & Security rules are required to report their breaches to HHS/OCR; those with over 500 affected by the breach are posted on their “Wall of Shame” – a term that the industry coined for the website pages on breaches), google newspapers that monitor breaches, and check newspaper articles to see if their name comes up related to breaches that may have been smaller than those posted on Wall of Shame.  In addition, you can ask for client references and ask questions about whether they know of any security breaches.  What happened?  How was it documented and reported?  How did the service provider respond overall?  How was it mitigated?

We all know that things can happen, no matter how secure you may think you are.  After all, we’re all dealing with the “weakest link,” which is human beings; our employees.  That’s why it’s important to have insurance policies in place to cover losses.  Therefore, the Guidance asks if you’re verifying if the service provider has cyber liability insurance.  In order to be approved for cyber liability coverage, you must have written procedures in place, so having it tells you a lot.  You may want to ask them for a copy of their cyber liability policy… If you have that, you can check to see what their policy covers.  Will it cover losses caused by cybersecurity and identity theft breaches (including breaches caused by their own internal threats, such as misconduct by the service provider’s own employees or contracted vendors, and breaches caused by outside threats, such as a third party hijacking a plan participant’s account)?

The Guidance also suggests that you have contract terms that actually require certain cybersecurity standards.  A plan fiduciary should review their agreements and see if they have added cybersecurity standards to your vendor agreements.  If not, that is something you want to add to them, sooner rather than later.

Process for Comparing and Selecting a Service Provider

So how do you do all of this, and how can you do it consistently, with the same process for all vendors?  I highly suggest that you have in place a standardized questionnaire that you ask all current and all potential new vendors to complete and provide to you, so that you can verify and compare vendors properly.

The first step is to look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate their cybersecurity practices.  You can do this with annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.

Next, you want to know how the service provider validates its practices, and what levels of security standards it has met and implemented.  In doing this, you should be sure you have contract provisions that allow you the right to review audit results demonstrating compliance with the standard.  You may want to verify that the contract requires ongoing compliance with cybersecurity and information security standards and watch for and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.  You should have a consultant or attorney review the contract to see if it has or you can add appropriate terms to enhance cybersecurity protection for the Plan and its participants, including information security reporting, clear provisions on the use and sharing of information and confidentiality of information. Does it meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse?  Does the contract require that they notify you about cybersecurity breaches, and if so, when/how quickly?  You will also want provisions to assure that the service provider will ensure their cooperation with investigations and responsibly address the cause of the breach, and how they mitigate such breaches.

Additional contract terms of a Service Provider to look for includes looking to see if they require ongoing cybersecurity and information security standards and compliance.  Do their contracts limit the service provider’s responsibility for IT security breaches?  That could be a reg flag and prompt to check into it further.  You should consider including terms that would enhance cybersecurity protection for the Plan and its participants, including (but not limited to): Information Security Reporting – annually obtaining third-party audits to determine compliance with IT P&Ps; Clear Provisions on the  Use and Sharing of Information & Confidentiality – spell out service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect the confidential information against unauthorized access, loss, disclosure, modification, or misuse.

While you are looking at contracts, you should Include terms that would enhance cybersecurity protection for the Plan and its participants, including (but not limited to): Notification of Cybersecurity Breaches – identify how quickly you would be notified of any cyber incident or data breach, and ensure the service provider’s cooperation to investigate and reasonably address the cause of the breach; Compliance with Records Retention & Destruction, Privacy & Information Security Laws – specify the service provider’s obligations to meet all applicable federal, state and local laws, rules, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality or security of participants’ personal information; Insurance – you as a Plan Sponsor or Fiduciary may want to require insurance coverage such as professional liability, E&O, cyber liability, and privacy breach insurance, and/or fidelity bond/blanket crime coverage.  Be sure you understand the terms and limits of each before relying on these as protection from loss.

Cyber insurance in today’s world is critical for most, if not all, service providers.  “One vital aspect of a well-rounded cybersecurity plan is being prepared for every possible scenario,” stated Adriana. “Cyber insurance can play a crucial role in reducing the financial impact of a cyber incident. It offers coverage for various expenses, such as legal and forensic services, breach notification, credit monitoring, public relations, and potential regulatory fines. By obtaining cyber insurance, plan sponsors and fiduciaries can transfer some of the financial risks associated with cyber incidents to an insurance provider, providing an additional layer of protection for plan assets. Furthermore, cyber insurance can provide additional benefits beyond financial protection. Many insurance providers offer proactive risk management services and resources to policyholders, such as cybersecurity training, vulnerability assessments, and incident response support. These services can assist organizations in strengthening their cybersecurity posture and enhancing their overall resilience against cyber threats. However, it is important to acknowledge that cyber insurance should not be viewed as a substitute for a comprehensive cybersecurity plan. It is merely a component of a broader strategy that encompasses preventive measures, employee education, regular system updates, and ongoing monitoring. Having a formal cybersecurity plan in place provides a structured approach to safeguarding critical assets and minimize the potential impact of cyber incidents, including the role of insurance.”

The guidance states that when you contract with a service provider that the plan sponsor/fiduciary makes sure that the contract requires ongoing compliance with cybersecurity and information security standard, and be aware of provisions limiting the service provider’s responsibility for IT security breaches.  I asked Marilyn, as an attorney, what kind of provisions she would recommend be included in vendor contracts related to these requirements?  “If the draft agreement comes from the service provider, do not take the contract terms for granted. Be certain that the contract addresses the issues that are most important to you, and provides you with assurances that security compliance will satisfy designated industry standards, not only as of the date the contract was signed, but on an on-going basis. The DOL’s guidance provides some terms to consider.”  Again, trust, but verify!

A standardized questionnaire should allow you to compare each service provider based on how they answered their questionnaire.  With this, you can then have a committee meeting or meetings to compare and evaluate the submitted questionnaire, document the positives and negatives of each, and place a value or score on each for comparison purposes.  After discussions and evaluations, you should make your service provider selection based on the final “value” or “score” of each to justify why this selection was made.

If a service provider refuses to complete your questionnaire, consider that there is likely a reason for them not to complete it… Quite likely, they are not doing everything that they should be doing to protect client (your) data, and therefore, you may not want to use them.  If it’s an in-place vendor, you should definitely be looking at replacement vendors and a safe and efficient transition method to move the data from your old to your new service provider.

Why is it important to hire service providers with strong cybersecurity practices?  “For two key reasons,”  stated Monahan. “First, because choosing the right service provider is a fiduciary function. (This point was also emphasized by the new CAA compensation disclosure rules.) Second, because loose cybersecurity practices by a service provider create vulnerabilities, and vulnerabilities could result in a breach that could harm the employer and plan participants.”

To make this process easier for our clients, ABC has developed a sample questionnaire and chart for comparison for our clients to assist them in their selection of service providers, and to be sure the employer client is fully documenting their cybersecurity program based on the DOL guidance. 

“A checklist or questionnaire would be a great idea,” commented Mayeshiba, when I informed Aditi of ABC’s intention to create tools for compliance with the Guidance.  “It will give the uninitiated a baseline to begin asking the right questions of their IT staff.  Every company is different.  Every company does things differently.  A checklist or questionnaire will help get everyone on the same page to tackle a tricky problem.  One size does not fit all.”

Service Provider Monitoring

The DOL Guidance also requires plan sponsors/fiduciaries to create a cybersecurity service provider monitoring process.  Questions to ask yourself include:  a) what categories are you monitoring?, b) how often are you monitoring?, c) who is assigned to monitor?, d) do you have a documented process for all of this?

As a Plan Sponsor/Fiduciary, what will you do when you see insufficiencies or failures to perform?  What is your process in reporting this to the service provider and getting resolution or improvements?  Have you looked for who, what, when, and how?  Again, you should have all of these processes in place, and the ability to make corrections and changes as needed.

The Guidance makes it clear that you as a plan sponsor/plan fiduciary have an obligation to be sure that your vendor/servicer providers are using a recognized standard of information security and one or more outside third party auditors to review and validate cybersecurity.

As a plan sponsor/fiduciary, your confidence in a service provider increases if the security of its systems and practices are backed by annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.  Therefore, you will want to verify if the service provider has annual audits and who the outside auditor is; then, be sure that you follow normal credentialling/fact checking/due diligence to be sure they are reputable and use NIST (National Institute of Standards and Technology and other security standards.

Other overall tips for Hiring a Service Provider with strong Cybersecurity Practices include of course, checking references, getting a consultant Seal of Approval, and using Legal Counsel when appropriate.  We also suggest that you keep your eyes open and don’t hire service providers only based on friendship, family relations, golf or sports buddies; you need to hire experts if you want to prove you have taken the guidance and your fiduciary roles seriously. 

Cybersecurity Program Best Practices

A Formal, Well-Documented Cybersecurity Program

The Guidance calls for a formal, well documented cybersecurity program.  According to the DOL, a sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity or availability of stored nonpublic information.  Under the program, the organization fully implements well-documented information security policies, procedures, guidelines and standards to protect the security of the IT infrastructure and data stored on the system.

A “prudently designed” program will protect the infrastructure, information systems and information in the systems from “unauthorized access, use, or other malicious acts by enabling the organization to identify the risks to assets, information and systems; protect each of the necessary assets, data and systems; detect and respond to cybersecurity threats; recover from the event, should one occur; disclose the event as appropriate; restore normal operations and services and quickly and efficiently as possible.”

Why is this formal program so important in protecting plan assets and overall ERISA compliance?  “There are several good reasons for having a written program,” stated Marilyn.  “One of those reasons is that the drafting process, on its own, is an important tool that can be used to identify and address both cybersecurity vulnerabilities and corresponding solutions. In addition, a written standard gives you a starting point for compliance, as well as a reference point for on-going risk analysis and upgrades. Finally, if you are audited, a well-written and well-thought-out program will provide proof of your commitment to cybersecurity.”

Should plan sponsors and plan fiduciaries be taking this seriously and if so, why? “By issuing this summary of ‘best practices,’ the DOL has announced that this is an area of concern and focus,” stated Marilyn. “Further, in the introductory paragraph of the guidance, the DOL clearly ties these best practices to existing ERISA fiduciary standards:  ‘Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.’ Responsible plan fiduciaries would be well advised to take note.”

Interestingly and consistently, the DOL’s guidance on cybersecurity best practices mirror what ABC and Aditi Group (our Technology/IT/Cybersecurity partners) have been preaching since HITECH was enacted in 2009, and HIPAA related final regulations which were released in 2013 (with of course updates based on current threats, etc.).

A formal, well-documented cybersecurity program should establish strong security policies, procedures, guidelines and standards that meet the following criteria:

• Approval by senior leadership
• Review at least annually with updates as needed
• Terms are effectively explained to users
• Review by an independent third-party auditor who confirms compliance
• Documentation of the particular framework(s) used to assess the security of its systems and practices.

Again, consistent with the educational materials and trainings of ABC and Aditi Group, the DOL’s best practices guidance states that you should have formal and effective policies and procedures in place that govern things like data governance and classification; access controls and identity management; business continuity and disaster recovery; configuration management; asset management; risk assessment; data disposal; incident response; systems operations; vulnerability and patch management; system, application  and network security and monitoring; systems and application development and performance; physical security and environmental controls; data privacy; vendor and third party service provider management; consistent use of multi-factor authentication; cybersecurity awareness training, which is given to all personnel at least annually; encryption to protect all sensitive information being transmitted and at rest.

“It’s important to note that cybersecurity is a complex and ever-changing field,” stated Adriana. “Striking the right balance between regulation and innovation is crucial. Overly burdensome regulations could stifle innovation and impose significant costs on businesses, particularly small and medium-sized enterprises. Any government efforts to enhance cybersecurity requirements should be carefully crafted, taking much into consideration. It may be beneficial for the government to reassess and potentially enhance their requirements should be done thoughtfully, in collaboration with industry experts, and with a clear understanding of the potential impact on businesses and the overall digital ecosystem. Cyber Insurance providing financial backing should also be considered as a part of the solution.”

I asked Aditi Group Principals how important it is to have Senior Leadership involved with the cybersecurity program and why? “The company is at risk,” replied Mayeshiba.  “Addressing that risk must be made by Senior Leadership.  Assigning ultimate responsibility for the various cybersecurity functions must be made so that the POSITION, not the person, is the RIGHT person to take action.”

“We also know that actions speak louder than words,” commented Flittner.  “When we see people at the top involved, we know it’s important.”

This sentiment was echoed by Adriana Mendieta, cyber liability insurance expert.  “Having Senior Leadership engaged in the cybersecurity program is crucial. Leadership sets the tone, allocates resources, makes decisions and are key in incident response and compliance + legal considerations.”

Prudent Annual Risk Assessments

Again, 100% consistent with what ABC and Aditi Group have been training on since 2009, risk assessments are necessary and of the utmost importance.  In a risk assessment, you can identify, estimate, and prioritize information system risks.  IT and cyber risks are constantly changing, and your risk assessment schedule should reflect that.  If you want to be safe, you must constantly adapt to new threats and know how to mitigate them.  Waiting only puts your firm and your assets, including your data, at greater risk.

Why is this documentation and annual risk assessment so important?  “When you’re standing in front of a judge, they want to see evidence that you’ve at least made a good faith effort to comply.  This is your vehicle,” stated Mayeshiba.

Flittner commented:  “Remember the mantra: If it’s not in writing, it didn’t happen. Assessments, action plans, and notes along the way become the evidence that a program IS real.  Investigators look for these documents right off the bat.  Every business changes and technology evolves so quickly year after year that what we thought was “safe” last year may not be now.  Risk assessment MUST be a repeated action or risk will grow and grow over time.

So what does a Prudent Annual Risk Assessment accomplish?  “The environment is constantly changing,” stated Mayeshiba.  “Cybercriminals are improving their techniques, software and attacks.  As we know more, we need to assess differently.  It’s ‘whack-a-mole.’”

“Documentation and annual risk assessments are critical components of a proactive cybersecurity approach,” stated Adriana. “They help organizations identify and mitigate risks, ensure compliance with regulations, enable effective incident response, and enhance the prospects of obtaining adequate cyber insurance coverage.”

Adriana continued,” Prudent Annual Risk Assessment is a vital tool in the world of cyber, particularly when it comes to qualifying for cyber insurance. It enables organizations to identify, quantify, and mitigate risks, and are prepared or not to respond to any cyber incidents.”

A Reliable Annual Third-Party Audit of Security Controls

It’s vitally important that you have an independent auditor assess an organization’s security controls which provides a clear, unbiased report of existing risks, vulnerabilities and weaknesses.  As I always say in training, an in-house IT Team should NEVER evaluate its own in-house security.  It’s like putting a proverbial chicken in charge of watching the hen house… or in more corporate terms, an IT Team is stressed enough.  If they know that an outside audit could result in them having to do more work, or modify or change what they spent months or longer putting in place, they tend to be a bit  protective of their work, and time and energy put into it.  Therefore, in their eyes, and in reports to senior management, they are less likely to report their own weaknesses.  Sometimes it takes an outside auditor to put the spark under them to make them tighten things up to be more secure.

“Involving an independent third-party in reviewing a cyber program and policies brings objectivity, expertise, credibility, compliance verification, and risk mitigation to the process. Their involvement strengthens the overall effectiveness of the program, instills confidence and helps organizations stay resilient,” commented Adriana.

The Best Practices guidance states that the program and policies should be reviewed by an independent third- party auditor who can confirm compliance.  I asked Aditi Group why is this third party so important, and is this something that Aditi Group does for employer plan sponsors?

Flittner responded:  “The outside viewer can spot things that insiders look past or forget about.  And insiders often just assume something has to be a certain way – “it’s always been this way.”  And impartiality allows an outside viewer to highlight and include things that may be too sensitive or political hot potatoes.

“Yes, we have done these audits,” confirmed Mayeshiba.  “Sometimes, the company comes to us and says, ‘we’ve done our best, can you please review our situation and documentation?’  We have also started from scratch with companies that have nothing in place and want us to build something for them.”   So there is help out there, if you need it.

Clearly Defined and Assigned Information Security Roles and Responsibilities

The DOL Guidance clearly states that for a cybersecurity program to be effective, it must be managed at the senior executive (fiduciary) level and be executed by qualified personnel.  The Guidance calls for the Chief Information Security Officer (CISO) to establish and maintain the vision, strategy, and operation of the cybersecurity program which is performed by qualified personnel who should have sufficient experience and the necessary certifications; the program should be subject to initial and periodic background checks (because, let’s face it, things happen since people were  hired); the program should include regular updates and training to address current cybersecurity risks; the program should reflect current knowledge of changing cybersecurity threats and countermeasures.

Strong Access Control Procedures

Access control, says ABC, Aditi Group and the DOL, is a method guaranteeing that users are who they say they are and that they have the appropriate access to the systems and data.  This includes two main components:  authentication and authorization.  The Guidance provides best security practices for access control, which again, is consistent with those provided by ABC and Aditi Group.  They include access to systems limited to authorized users, process, devices, activities and transactions; access privileges, which are reviewed at least quarterly; a requirement for complex and unique passwords; multi-factor authentication; P&Ps and controls to monitor activity and detect unauthorized access, use of or tampering with nonpublic information; procedures that ensure sensitive data about a participant or beneficiary in the service provider’s records matches the information that the plan maintains; confirmation of identity of the authorized recipient of any funds.

Assets or Data Stored in a Cloud or Managed by a Third-Party Service Provider Subject to Appropriate Security Reviews and Independent Security Assessments

Cloud computing always has dangers and challenges.  A cloud means that a third-party is storing the data.  Organizations must understand the security posture of the cloud service provider in order to make sound decisions on their services.  Best practices include requiring a risk assessment of third-party service providers; defining minimum cybersecurity practices; periodically assessing third party providers based on potential risks; and ensuring that guidelines and contractual provisions protect all parties.  Be sure to have a HIPAA Business Associates Agreement in place with your cloud providers if there is any HIPAA or related information stored there.

Why is it best to have a third-party cloud provider reviewed and have independent security assessments?  “The “Cloud” is too easily out of sight and out of mind,” commented Flittner.  “It’s too easy to ignore risks that can be understood and addressed.  Sometimes an assessment leads us to make big changes.  And change can mean more work for someone for a time.  It’s easier to not look and pretend that it’s all ok…”

Mayeshiba commented:  “Cloud computing has become very powerful and ubiquitous in the business.  Everywhere your data resides, every link from your business to that data, is at risk.  Do you have an agreement in place with your cloud provider that insures your data from breach?  Probably not.  No one can realistically take that bet, because you (the user) may well be culpable for the data breach on their cloud system.  So could others in the supply chain.  Yes, a security assessment should be done on all ‘third party vendors’ including cloud providers.”

“When an organization entrusts its data to a cloud provider or a third-party service, it essentially transfers some level of control and responsibility for the security of that data,” Adriana commented. “Then it becomes essential to thoroughly review and assess the security measures implemented by these providers to the same accountability of other 3^rd party providers.”

Cybersecurity Awareness Training Conducted At Least Annually

As we’ve been saying at ABC and Aditi for over a decade, the weakest link of any organization’s cybersecurity is their own employees.  How well or how little you train them will determine your fate in most cases.  It’s imperative that you train your employees at all levels of the risks, what to look for, and what to do and not to do (such as clicking on links that may result in malware, ransomware or other cyber threats entering your systems).  I’m happy that finally the federal government has put a priority on training and is stating that it should be done at least annually.  Without prior guidance, some firms went years before re-training their staff.

Secure System Development Life Cycle Program

The DOL’s Guidance recommends a secure SDLC process that ensures that security assurance activities such as penetration testing, code review, and architectural analysis are an integral part of the system development effort.   This includes such protections as configuring system alerts to trigger when an individual’s account information has been changed; requiring additional validation for distributions; requiring additional validation if personal information has been changed prior to a request for a distribution from an account; periodic reviews and updates; a vulnerability management plan; and annual penetration tests.

Business Resiliency Program Which Effectively Addresses Business Continuity, Disaster Recovery and Incident Response

Business resiliency is the ability to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and data.  You should, at minimum, have in place a Business Continuity Plan, a Disaster Recovery Plan, and an Incident Response Plan.

I asked Aditi Group how high of a priority should business continuity, disaster recovery and incident response be to plan sponsors/plan fiduciaries?  “The greatest chance for a criminal to get into your system is when you aren’t looking,” replied Mayeshiba.  “You’re too busy with an earthquake, storm, flooding, etc.  A plan for everyone to lock down the data when an exogenous event occurs is critical.”

“Given the potential financial and reputational impact of cyber incidents, the Business Resiliency Program should be treated as a high priority by plan sponsors and fiduciaries,” informed Adriana. “Investing in proactive measures, including cyber insurance, demonstrates a commitment to protecting the organization, its stakeholders, and the beneficiaries of the plan. It also helps fulfill their fiduciary duty to act in the best interest of the plan participants and beneficiaries by safeguarding their data and assets.”

Encryption of Sensitive Data Stored and in Transit

It’s no secret that the best way to protect non-public information is to encrypt it.  Organizations should implement current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit.

Strong Technical Controls Implementing Best Security Practices

Technical security solutions are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.  Best practices for technical security, again, consistent with ABC/Aditi recommendations, include:  Keeping your hardware, software and firmware models and versions up to date; using reputable vendor-supported firewalls, intrusion detection and prevention tools or appliances; using current and regularly updated antivirus software; implementing routine patch management (preferably automated); implementing network segregation; using system hardening; and having routine data backup (preferably automated).

Responsiveness to Cybersecurity Incidents or Breaches

It’s usually not if, but when a cybersecurity breach or incident occurs, and when it does, you should be taking appropriate actions to protect the plan and it’s participants, including: informing law enforcement; notifying the appropriate insurer; investigating the incident; giving affected plans and participants the information necessary to prevent or reduce injury; honoring any contractual or legal obligations with respect to the breach, including complying with notification requirements; fixing the problems that caused the breach to prevent its recurrence.

Online Security Tips

The third of the three DOL Guidances provided online security tips, which are 100% consistent with our current training tips provided by ABC and Aditi Group.  The guidance states that you can reduce the risk of fraud and loss to your retirement account (or other plans), if you follow their (and our) online security tips, including registering, setting up and routinely monitoring your online account, using strong and unique passwords, using multi-factor authentication, keeping personal contact information current, closing or deleting unused accounts, being wary of free wifi, being aware and taking efforts to eliminate or reduce phishing attacks, using antivirus software and keep apps and software current, and knowing how to report identity theft and cybersecurity incidents.

Of course, phishing attacks are aimed to trick you into sharing your passwords, account numbers, and sensitive information, which allow the “bad actors” to gain access to your accounts.  You should always be aware of these, and train your staff to be wary of messages that may look like it comes from a trusted organization, to lure you into clicking on a dangerous link or passing along confidential information.  Warning signs include a text message or email that you didn’t expect or that comes from a person or service you don’t know or use; spelling errors or poor grammar; mismatched links (a link that sends you to an unexpected address; watch for those by hovering your mouse over the link without clicking on it, so that your browser displays the actual destination); shortened or odd links or addresses; an email request for your account number or personal information; offers or messages that seem too good to be true, express great urgency, or are aggressive and perhaps scary; strange or mismatched sender addresses; or anything else that makes you feel uneasy.

We always suggest that you check with your IT department or your Security Officer if something doesn’t look or feel right, and always be cautious, and DON’T CLICK unless you are 100% sure that the email is legitimate.

I asked Aditi if there were additional tips/suggestions for online safety they’d like to share, in addition to what is stated in the guidance.  “The tips are all good ones,” stated Flittner.  “But there are other factors to remember, such as the security of the device they are using.  Is it shared with others?  Is it up to date with security patches and releases?  Is it still supported? Think Microsoft Windows 7, not end of life for software updates.  Does it have other vulnerable software on it that hackers can exploit (think multiplayer games for example)?  Be aware of who may be looking over your shoulder when you are online as well.  Keep it to yourself. Don’t look for anti-virus alone to catch all malware that you might innocently download or flaws that hackers may exploit.  Reduce risks in ALL areas”.

Overall Policies and Procedures for Cybersecurity and Their Importance

All three sets of guidance are very helpful and much-needed.  I for one have been saying (and writing) for years that we needed more federal action and guidance on privacy and security.  Knowing that the DOL/EBSA has made it clear that plan sponsors and fiduciaries need to pay more attention to cybersecurity, and adding this to DOL audits, should hopefully increase overall awareness and prioritize cybersecurity as you prioritize protecting your other assets.  It does make me feel good that the DOL has affirmed everything we’ve been teaching for so many years in our electronic security training.  I asked Aditi if they feel it’s about time that the government stepped up their requirements for cybersecurity.

“Absolutely,” replied Flittner.  “Can we get an AMEN?!”

“Plan sponsors and plan fiduciaries should indeed give serious consideration to the Department of Labor’s requirement for Cybersecurity Policies and Programs,” stated Adriana. “Cyber threats pose a substantial risk to ERISA plans, and it is crucial for sponsors to prioritize the protection of assets, compliance, and safeguards.”

I asked Marilyn Monahan, on a scale of 1-10, 10 being of highest importance how she would rank the importance of Cybersecurity. “How can a compliance lawyer pick a favorite? Isn’t that like asking a parent to choose a favorite child? Let’s just say the time is right to make this a priority.”

The bottom line is, had Colonial Pipeline, Anthem, a myriad of health insurance companies and providers and many others practiced what this guidance is asking plan sponsor and plan fiduciaries to do, their breaches and ransom situations may not have happened, or may have been mitigated sooner and been less costly.  So, learn from those who didn’t practice the policies and procedures and awareness of the importance of cybersecurity in the past, and hopefully, your data will be protected.  ##

About the Author: Dorothy Cociu is the President of Advanced Benefit Consulting, which was honored by HR Tech Outlook in 2023 for Top Employee Benefits Solutions Provider and in 2022 for Top Employee Benefits Service Company.  Dorothy is a proud member of the Professionals in Human Resources Association (PIHRA), Self-Insurance Institute of America, National Association of Benefits & Insurance Professionals, California Association of Health Insurance Professionals (CAHIP), and current VP of Communications for CAHIP-Orange County, CA. 

Author’s Note:  I’d like to thank Marilyn Monahan, Aditi Group and Adriana Mendieta for their assistance with this article.  Marilyn can be reached at Marilyn@monahanlawoffice.com, Ted Flittner can be reached at ted.flittner@aditigroup.com, Ted Mayeshiba at ted.mayeshiba@aditigroup.com, and Adriana Mendieta at adriana@mendieta.net. The author can be reached at (714) 693-9754 x 3, or toll free at 866 658-3835, or by email at dmcociu@advancedbenefitconsulting.com.  Be sure to listen to ABC’s informative benefits and compliance podcast, the Benefits Executive Roundtable, to stay up to date.  It can be found on all major podcast platforms, and ABC begins Season 5 in the fall, 2023. 

June 20, 2023

This is a 2 hour program, with additional time allocated for webinar participant questions. 

10:00-12:00 program, 12:00-12:15 Q&A

2 Hours of HRCI General Credit Available
2 Hours of CA Agent CE Credit Available

Business Management (Life & Health licenses) Course Number 389268 or Property & Casualty Course Number 389267.

“The use of this official seal confirms that this Activity has met
HR Certification Institute’s® (HRCI®)  criteria for recertification credit pre-approval.”

Zoom Livestream Webinar

Featuring
Host: Dorothy Cociu, President, Advanced Benefit Consulting.
Speaker panelists: Marilyn Monahan, ESQ, Monahan Law Office, Ted Mayeshiba, Principal, Aditi Group, Ted Flittner, Principal, Aditi Group

Learning Objectives:

• To understand the requirements specified in the DOL cybersecurity guidance package
• To understand the Plan Sponsor and Plan Fiduciary Responsibilities regarding Cybersecurity
• To help the HR professional create internal Cybersecurity Best Practices and implement a comprehensive Cybersecurity program
• To understand the HR professional’s role in implementing a formal, documented cybersecurity program
• To understand the HR professional’s role by assisting in creating real-world procedures, establishing steps to identify and address risks
• To understand and clearly define and assign roles to individuals responsible for each aspect of the cybersecurity risk management
• To understand the need for strong access control procedures to protect confidential data
• To understand the complexity and need for the IT Department’s co-operation with Human Resources to implement cybersecurity best practices

Guest Speaker Bios

Marilyn Monahan, ESQ, Monahan Law Office
Marilyn A. Monahan is the owner of the Monahan Law Office in San Marcos.  Marilyn focuses her law practice on advising employers and consultants on compliance with employee benefit and insurance laws, including ACA, ERISA, HIPAA, and COBRA.  Her volunteer activities include serving as Secretary of the Employee Benefit Planning Association (EBPA).  Marilyn has also served on the Board of Directors of the Professionals in Human Resources Association (PIHRA) (2008-2018).  She has represented Advanced Benefit Consulting since its inception in 1995.

Ted Mayeshiba, Principal of Aditi Group, has over thirty years of management experience in operations engineering and management from various industries from automotive to satellite to biopharmaceutical and clinical medical practices. He has proven that he can direct and launch new initiatives which transform operations, improve productivity, reduce cycle time or improve decision making capabilities within highly technical, competitive and legacy entrenched organizations. His latest efforts involve the successful transformation of a Lean Health Care Academy, built upon the successful Lean Academy for Operations under the auspices of the Lean Advancement Initiative based out of MIT. As West Coast Director of LAI EdNet based at USC, Ted plans and executes Operational Academies to improve outcomes for various groups both in manufacturing, engineering and now, health care.  He is a Fellow with the Institute of Industrial Engineers.

Ted Flittner, Principal of Aditi Group, has broad experience with increasing the value of all types of processes by providing clients with sustainable and continued improvements. His philosophy is that any process can be improved upon, and that every process can be profitable, rewarding, and stress-free. Ted enjoys coaching groups of all sizes to reach higher performance and to develop confidence to broaden their horizons.

Ms Cociu bio available here

Host Dorothy Cociu discusses with Marilyn Monahan of Monahan Law Office all of the Employer Requirements for the Transparency in Coverage Machine Readable Files Disclosures and CAA Pharmacy Benefits Reporting Requirements for employers and their vendors. Whether you are fully insured or self-funded, there are a myriad of new requirements that have employers, third party administrators, pharmacy benefits managers and others scrambling to understand and implement. What’s required and who needs to perform these tasks, and what are the due dates? Do you have the proper contracts in place? We will dive into the details!

No Surprises Act Final Rules and DaVita v. Marietta SCOTUS update from SIIA’s Ryan Work & Chris Condeluci

https://advancedbenefitconsulting.com/s4e4-no-surprises-act-final-rules-and-davita-v-marietta-scotus-update

Host Dorothy Cociu interviews Ryan Work, Senior VP Government Relations and Chris Condeluci, Esquire, Washington Counsel for the Self Insurance Institute of America (SIIA), on the No Surprises Act Final Rules and how they impact health plans, including updates on the Federal Independent Dispute Resolution (IDR) Process, which finally opened in April, 2022. How was the Federal Portal’s operations in its first quarter? We’ll give you the inside scoop and first quarter result summary. In addition, Chris and Ryan give us an update on how the DaVita v. Marrietta SCOTUS decision impacts self-funded health plans. This ruling was considered a huge victory for the self-insured industry! Ryan and Chris give us their insight from inside the heart of the self-insured industry!

Show Notes

• Supreme Summer Article

A Detailed Look Into This Summer’s Supreme Court Decisions that Affect Employer Health Benefits and Plan Decisions

(SCOTUS Cases Dobbs v. Jackson Women’s Health, Marietta Memorial Hospital Employee Health Plan v. DaVita, Inc.)

By:  Dorothy M. Cociu, RHU, REBC, GBA, RPA, President, Advanced Benefit Consulting & Insurance Services, Inc

Published in America’s Benefit Specialists

As if all of this wasn’t enough, there has been a lot in the news causing discord and overall political controversy across the nation.  On June 24, 2022, although there had been rumors of it for weeks in the news after a leaked draft of the decision, the U.S. Supreme Court upheld Mississippi restrictions on abortions, in the Dobbs v. Jackson Women’s Health Organization decision.  As I’m sure all of you know by now, the Dobbs case overturned the Roe v. Wade and Planned Parenthood of Southeastern Pennsylvania v. Casey decisions from 1973 and 1992, respectively, which pre-empted state restrictions on abortion, and determined that access to pregnancy terminations/abortions is not a constitutionally protected right.

In another case that was decided this summer, which was announced just prior to the Dobbs decision, but was quickly overshadowed in the news and therefore in the minds of many, the U.S. Supreme Court decision on June 21, 2022 found in favor of an employer’s health plan (Marietta) in a 7-2 opinion, which stated that the Marietta Hospital Employee Health Benefit Plan did not violate the Medicare Secondary Payer Act (MSPA) in limiting dialysis payments to DaVita dialysis centers.  This was a huge victory for the self-insurance industry, as well as ERISA protections.

Where Dobbs caused stress and anxiety, Marietta v. Davita should have been cause for celebration for many health plans, but again, many are not even aware of this because the spotlight turned almost immediately to the Dobbs decision.  I will attempt to provide information on both cases.

Dobbs v. Jackson Women’s Health Organization

Before we dive into the Dobbs case, I think it’s important that we look back briefly in history on cases involving federal reproductive rights.

Historical Cases Related to Federal Reproductive Rights & How They Relate to Dobbs v. Jackson Women’s Health Organization

In the first case, Griswold v. Connecticut, way back in 1965, the Supreme Court ruled that a state’s ban on the use of contraceptives violated the right to marital privacy. The case concerned a Connecticut law that criminalized the encouragement or use of birth control.  The court determined that the Constitution does not explicitly protect a general right to privacy, the various guarantees within the Bill of Rights create what they call penumbras, or zones, that establish a right to privacy.  Put together, the First, Third, Fourth, and Ninth Amendments create the right to privacy in marital relations.  The Connecticut statute they said conflicted with the exercise of this right and was therefore held null and void.

This was followed by Roe v. Wade in 1973, which found that the Constitution of the United States conferred the right to have an abortion.  According to Wikepedia, “On January 22, 1973, the Supreme Court issued a 7–2 decision holding that the Due Process Clause of the Fourteenth Amendment to the United States Constitution provides a fundamental “right to privacy”, which protects a pregnant woman’s right to an abortion. The Court also held that the right to abortion is not absolute and must be balanced against the government’s interests in protecting women’s health and prenatal life. The Court resolved these competing interests by announcing a pregnancy trimester timetable to govern all abortion regulations in the United States. The Court also classified the right to abortion as “fundamental,” which required courts to evaluate challenged abortion laws under the “strict scrutiny” standard, the most stringent level of judicial review in the United States.”

In 1992, a third federal reproductive rights case, Casey v. Planned Parenthood, the Court upheld the right to have an abortion as established by the “essential holding” of Roe v. Wade (1973) and issued as its “key judgment” the imposition of the undue burden standard when evaluating state-imposed restrictions on that right.  Wikepedia summarizes that the Court overturned the Roe trimester framework in favor of a viability analysis, thereby allowing states to implement abortion restrictions that apply during the first trimester of pregnancy. In its “key judgment,” the Court overturned Roe‘s strict scrutiny standard of review of a state’s abortion restrictions with the undue burden standard, under which abortion restrictions would be unconstitutional when they were enacted for “the purpose or effect of placing a substantial obstacle in the path of a woman seeking an abortion of a nonviable fetus.” Applying this new standard of review, the Court upheld four provisions of the Pennsylvania law, but invalidated the requirement of spousal notification. Four justices wrote or joined opinions arguing that Roe v. Wade should have been struck down, while two justices wrote opinions favoring the preservation of the higher standard of review for abortion restrictions.

Today, we have a new law of the land; the Dobbs v. Jackson Women’s Health decision, where the Court upheld the Mississippi law (Mississippi Gestational Act) in a 6-3 decision, stating that “except in a medical emergency or in the case of a severe fetal abnormality,” abortions are prohibited, “if the probable gestational age of the unborn human being has been determined to be greater than 15 weeks.”  That same case overturned Roe v. Wade 5-4.

So what does this mean?  I asked my benefits and insurance attorney, Marilyn Monahan, of Monahan Law Office, to explain:  “The Dobbs case overturned Roe v. Wade and Casey v. Planned Parenthood, returning the the issue of whether a woman has a right to an abortion to the states.  So rather than relying on a federal standard–a federal right to abortion established by Roe—it is now up to each state to determine whether the women in that state are entitled to get an abortion, and under what circumstances.”

In the Dobbs case, Justice Samuel Alito, Jr. stated that “We hold that Roe and Casey must be overruled.  The Constitution makes no reference to abortion, and no such right is implicitly protected by any constitutional provision, including the one which the defenders of Roe and Case now chiefly rely- the Due Process Clause of the 14^th Amendment.”

The end result:  No more federal protections on abortions. 

So where do we go from here, and what is the current state of the nation after this ruling?  Obviously, this case resulted in high levels of emotion and debate.

State Immediate Actions on Abortion Following Dobbs v. Jackson

Amidst the media frenzy, frantic women’s rights movements and shouting matches across the nation, we have had numerous state actions on both sides.  Surprisingly to some, the state of Kansas, a red state, voted on an August 2, 2022 ballot measure the “Kansas No State Constitutional Right to Abortion and Legislative Power to Regulate Abortion Amendment.”   Simply stated, a “yes” vote supported amending the Kansas Constitution to state that nothing in the state constitution creates a right to abortion or requires government funding for abortion, and states that the legislature has the authority to pass laws regarding abortion.  A “no” vote opposed amending the Kansas Constitution, thereby maintaining the legal precedent established in a prior case, Hodes & Nauser v. Schmidt in 2019 that the Kansas Bill of Rights provides a right to abortion.  In a 59% majority, the NO votes won, maintaining the right to an abortion.  This case also took over the news cycle for at least two weeks.

Other states with similar measures on the ballot in upcoming elections include California, Kentucky, Montana and Vermont.

State Access to Abortions

The status of state abortion access has never been more in the forefront.  In a recent study by Kaiser Family Foundation, as of August 17, 2022 (this is changing frequently), abortion is banned in 9 states, status of the pre-Roe ban is unclear in 2 states, abortions are banned/restricted but not yet implemented in 2 states, abortion bans are temporarily blocked, with abortions legal in 4 states, and various other statistics.  California is one of 24 states (as of this writing) and DC that have abortions widely available.  This map can be found at:  https://www.kff.org/womens-health-policy/dashboard/abortion-in-the-u-s-dashboard/.

KFF also produced an interactive map showing each state’s policies on abortion, which is available at:  https://www.kff.org/womens-health-policy/issue-brief/interactive-how-state-policies-shape-access-to-abortion-coverage/ .

Certain states have enacted or are considering enacting laws that greatly restrict or completely ban abortion access for women.  Other states have enacted (or are considering) laws that would make it a civil or criminal violation to “aid and abet” or otherwise assist an individual in accessing abortions.  Currently, these include Texas and Oklahoma.  Missouri is considering expanding prohibitions on abortions on state residents performed outside of the state’s borders.  Texas is threatening to limit companies from doing business in their state based on covering, supporting, or permitting access to abortions.

I asked Marilyn Monahan about the current landscape in the states.  “Some of the issues of most concern center on the civil and criminal penalties that some states are imposing.   Various states, such as Texas, have passed or are looking into imposing civil  penalties that could be levied on those who assist a woman who obtains an abortion. In other circumstances, criminal penalties could be imposed for performing an abortion, or assisting someone who obtains an abortion, when the procedure is illegal in the state.  Two factors that complicate the situation are that the laws vary from state-to-state and that they are constantly changing. Whether and when these penalties might be imposed are some of the most critical open issues we are facing right now. Women seeking medical care, their families, providers, and health plans are among those who are attempting to understand and comply with the new standards that are being put in place. While many people are analyzing these issues, we don’t have definitive answers with regard to a number of these questions yet.”

Employer Health Plans and Dealing with Abortion

Many employers are now scrambling to make plan changes that allow for access to abortions since the Dobbs v. Jackson decision, due to employee pressure or their management’s stance on the issue.  Many large employers have recently made public statements that of course hit the news cycles, about providing access to abortions to their employees who may reside in a state where the state law does not allow for abortions, including Amazon, Apple, Citigroup, Disney, Microsoft and others.

What can employers do?  Much of that depends on whether the employer’s health plan is fully-insured or self-funded.  Options being considered include a) amending existing plans to enhance or expand travel and out-of-area and expanding prescription drug benefits to cover pharmaceutical abortion options, b) offering a travel benefit by means of a secondary health plan, c) providing a medical travel reimbursement benefit through a non-traditional type of health program, d) making travel and lodging expenses reimbursable through a Health Savings Account (HSA) or Health Care Flexible Spending Account (FSA), e) establishing a separate, stand-alone travel expense reimbursement program, f) including travel expenses in an existing taxable reimbursement program.

It’s important to note that travel can be a valid medical expense under certain plans.  Section 213-D of the IRS code allows for travel expenses, but there are limits.  There are other issues that will need to be discussed, however.  Will there be a Mental Health Parity issue if the medical/surgical benefit for abortion does not match the mental health benefits?  Is Aiding and Abetting a concern, or should it be?

The Dobbs v. Jackson case will impact covered services in health plans within certain states most definitely, particularly when they have significant restrictions in place on abortion.  Some states will attempt to block patients and health plan beneficiaries from traveling across state lines for abortions.   Others may restrict patients or health plan beneficiaries from receiving abortion-producing drugs through mail order or telehealth services.  ERISA self-funded plans will likely have the most flexibility, and will likely argue that ERISA pre-emptions will protect them; at least in non-criminal cases.  We’ll discuss potential criminal issues below.

I asked Marilyn Monahan about the ERISA argument regarding pre-emption in the states and whether that would apply in these types of state abortion issues.  “If the travel costs are part of an ERISA plan, an argument could be made that ERISA pre-empts any criminal or civil penalties that might apply under state law. That is one of the arguments that has been presented but, so far as I know, it hasn’t been explicitly tested yet.”

It’s important to note that fully insured health plans are of course subject to state laws.  Some states that do not provide for abortion coverage allow for certain abortion riders.

Let’s talk first about amending existing medical plans to enhance travel and out-of-area benefits and prescription benefits.  If self-funded, plans may be able to expand travel benefits to include travel to out-of-state providers, including network providers, in other states where abortions are legal.  Before making drastic changes immediately, I’d suggest (I’m not an attorney, but I’m sure attorneys would likely agree with me on at least this) that the plan sponsor first discuss in detail with their brokers/consultants, third party administrators and benefits attorney.  The benefits attorney may also suggest consultation with one or more other attorneys to be sure the plan’s ducks are in a proverbial row.  Does the plan already cover travel for benefits and if so, what are the current restrictions?  Does the plan even cover abortions now, and if so, does it allow for surgical abortions, pharmaceutical abortions (i.e. the morning after pill) or both?  Do the states that plan participants would be likely to travel to or from contain laws such as criminal penalties against aiding and abetting or other criminal laws that could get pulled into this?  Does the plan currently cover pharmaceutical abortions in your drug plan?  What about your telehealth plan?

“If you are adding travel benefits to your plan, you want to make certain that the travel benefits are structured to comply with any limitation contained within Section 213(d) of the Internal Revenue Code, as well as any other rules or limitations that might apply,” stated Marilyn.  “For example, if you’re reimbursing milage, there is a specific standard reimbursement rate for medical purposes, which is different from the business reimbursement rate that the IRS announces every year.  Also, there are limitations on reimbursements for lodging. While you can reimburse lodging expenses, the Code imposes certain limitations on the terms and conditions under which you can do so, as well as a limit on the total amount you can reimburse. You generally can’t reimburse meals, unless they are part of in-patient care.”

Fully insured plans are of course limited to the insurance carrier provisions and state laws, so the plan sponsor’s choices may be more limited.

Does it make sense to look at a travel benefit through a separate health plan, or a medical travel reimbursement?  Can it be added to existing or newly added EAP programs, telehealth programs, HRA or FSA plans?  Again, consultation with the broker consultant, TPA and one or more attorneys is recommended because of issues or potential issues with a variety of laws, including the ACA, COBRA, HIPAA Privacy & Security, etc.  Many of these arrangements are considered group health plans, so ERISA and these various other federal laws may be applicable.

I recently discussed this with Jeff Strong, Vice President of Sales, Sterling Administrators.  “As an HSA, FSA & HRA administrator, we have seen a lot questions and inquires into the travel for abortion due to the system change and now it being legal in some states and not in others,” commented Jeff.  “Right now it is a bit of a moving ball; it reminds me a lot of the early days of the ACA with continual change.  Dorothy had talked about all the tools that are defined and out there through IRS section 213 and blanketed by IRS Revenue Ruling 73-201.  One thing we recommend to keep in mind is the definition of abortion being legal in that state.  Where the challenge resides is in the definition of ‘legal’ in the state.  Is the legal state the one where the medical care is, or if the employee is in a state that abortion is not legal and the company is situs in that state would it make it not legal to reimburse for claims and expense for travel to a legal state?   If one gets drugs for abortion is it where they get the drugs, or where the drugs start to work?  Then finally, how much enforcement will there be with this?   Employers with a strong legal arm will find they are busy as things continue to change and there is not a clean line of sight at this time.”

Would the employer benefit from an outside stand-alone plan for travel expenses?  In all travel plans, you need to look at reasonable expenses for each expense, including mileage rates, lodging rates, whether it would be tax-free or taxable, etc.  A broader travel plan may be wise.

“It could be advantageous to make your travel reimbursement policy broader than just applying it to abortion services,” stated Marilyn.  “You need to look at the big picture and consider whether you should extend travel benefits to other covered items and services, such as centers of excellence, transplant centers, and the like.  When designing these benefits, remember that one size does not fit all.”  As Marilyn and I discussed in a recent podcast (Benefits Executive Roundtable, Season 4, episodes 1 and 2), employers should not be rushing to make decisions.  Take a deep dive with your broker consultant and related vendors (including your attorney) and consider all of your options.

California State Laws Related to Abortions

As of now, California state law requires that all private insurance plans cover abortion coverage, including full-insured group health plans, ACA Marketplace plans and in all Medi-Cal plans.  Self-funded  health plans in California are of course subject to federal ERISA laws, and are pre-empted from state mandates (more to come on how far that pre-emption will go related to abortion issues).

Primary Legal & Possible Criminal Issues

I will attempt to frame some of the most important legal issues today related to abortions and crossing state lines to get them.

In a nut-shell, federal laws in place include of course ERISA (and the pre-emption issues that go with that), as well as the Pregnancy Discrimination Act issues, which was passed in the 1970s and requires plans to cover abortions if the life of the mother is at risk. There are of course restrictions on travel benefits, no matter how and in what type of plan they are included in.

Let’s talk more about the potential for other legal issues, including possible criminal issues, which I mentioned briefly above. Some states have and more will be adding criminal liabilities for people who assist someone in getting abortions.  Some have existing and others are considering adding aiding and abetting laws related to abortions.

In a state such as Texas, could an Uber or Lift or taxi driver be held liable for driving a patient across one or more state lines to receive an abortion?  It’s certainly possible with current aiding and abetting laws.  What if it’s your spouse, your sister, your daughter, your cousin, or a close friend that you’ve had discussions with about whether to get an abortion?  What about a health benefit broker/consultant and/or their benefits attorney discussing the pros and cons of health plan provisions that could potentially circumvent state laws disallowing abortions and finding ways to get the abortion covered under the health plan? Does that broker/consultant or attorney, simply providing information on what states allow and do not allow certain types of abortions have liability?  Would a plan’s Third-Party Administrator have liability if they discussed certain scenarios with the plan sponsor or covered plan beneficiaries?  Would there be TPA or PBM liabilities for shipping or delivering abortion pharmaceutical drugs?  Again, I referred to Marilyn for her opinion.

“I’m not a criminal lawyer, but I do understand that the potential for criminal liability is one of the areas, for example, that doctors are worried about.  This could also potentially be an issue for health plans, if states that outlaw abortion view payment for abortion services to constitute aiding and abetting a criminal act. For example, could a state deem a health plan to have aided and abetted a criminal act if the health plan pays the expenses for a woman to travel from a state that outlaws abortion to one that permits abortions? These issues could also arise in the case of a medical abortion.  We don’t really have definitive answers to these questions.”

Biden Administration Guidance & Executive Orders to Protect Access to Abortion & Contraception

Just two weeks after SCOTUS’ decision in the Dobbs v. Jackson case, President Biden signed an executive order to protect a woman’s access to reproductive health care services.  The only way to truly secure that right, of course, would be to restore Roe v. Wade, but the Biden Administration says it’s committed to defending reproductive rights and protecting access to a safe and legal abortion.

The executive order contains a 5-point action plan in response to the Dobbs v. Jackson case.  These steps include safeguarding access to reproductive health care services, including abortion and contraception, by directing Secretary of Health & Human Services’ Xavier Becerra, to report to him within 30 days on efforts to protect access to medication abortion, ensure all patients have access to the full rights and protection of emergency medical care, expend access to a full range of reproductive health services, including family planning services and providers, including access to emergency contraception and long-acting reversible contraception like IUDs.  As these are preventive services, they should be covered with no co-pay under the ACA for non-grandfathered plans.  Given the current state of the divided houses in Congress on this issue, I’m not convinced anything will happen on this any time soon, but they have promised something will be forthcoming in the way of regulations or guidance.  How far the guidance will go and what precise guidance will be issued is unknown. We’ll have to wait to see what HHS develops.

Marietta Memorial Hospital Employee Health Plan v. DaVita, Inc.

The first of the two SCOTUS decisions, which again was overshadowed by the Dobbs case, was the Marietta Memorial Hospital Employee Health Plan v. DaVita, Inc.

This case, which mentioned above, hit the news on June 21, 2022, and found in favor of an employer’s health plan (Marietta) in a 7-2 opinion.  In this case, which stated that the Marietta Hospital Employee Health Benefit Plan did not violate the Medicare Secondary Payer Act (MSPA) in limiting dialysis payments to DaVita dialysis centers, was a big win for self-funded health plans.

Brief History/Background of DaVita cases 

DaVita v. Marrietta Hospital was one of three federal appeals court cases by DaVita, challenging plan sponsor’s authority to carve out benefits for high-cost treatments under the Medicare Secondary Payor Act (MSPA).  In 2020, two out of three judges announced a new interpretation of the MSPA, which turns it into an antidiscrimination law that prohibits plans from taking financial risks into account in designing benefits for members who have end-stage renal disease (ESRD).  The plan and administrator asked the full court to reverse that decision.  The Self-Insurance Institute of America (SIIA) joined other industry stake-holders in co-sponsoring an amicus brief in support of a petition for reconsideration in DaVita v. Marrietta Hospital.

Marietta Hospital is an opinion from the federal Sixth Circuit that was a dramatic departure from precedent and long-established deference to plan sponsors in plan design, according to SIIA.  The other two cases related to these issues were DaVita v. Amy’s Kitchen and DaVita v. Virgina Mason, both in the Ninth Circuit.  Marietta hospital was not biding on them.

The MSPA has always been interpreted as the statute defining the basics of coordination of benefits with Medicare for plan members that are entitled to dual plan/Medicare coverage for any reason.  Dialysis companies have for some time promoted a competing theory that what Congress really intended was for the MSPA to prohibit plans from discriminating against members who have end stage renal disease.  (Incidentally, from my own personal experience in seeing self-funded health benefit claims over the years, DaVita is widely known in the industry as a primary over-charging chain of dialysis centers, with prices far exceeding usual, customary and reasonable rates.  With the increase in self-funded plans moving to some sort of reference-based pricing, which uses a percentage over Medicare rates for claim payment, such as 130-175% of Medicare rates, we’ve seen the charges of DaVita escalate even more.  If comparing to Medicare rates, I’ve seen DaVita’s bills exceed 1,000% of Medicare, and even as high as 2,000% of Medicare rates).    DaVita’s alternate theory that it was promoting was that for members who have ESRD, by paying dialysis benefits differently from the way other benefits are paid, such plans were discriminating against dialysis claim payments.  To date, no court or regulatory agency had ever interpreted the MSPA that way.  SIIA then co-sponsored amicus briefs in all of the cases above in support of the self-funded group health plans.  The goal of the DaVita theory was to increase dialysis provider revenues by preventing plans from implementing any kind of cost containment provisions.  The worst part of it was that over the years, dialysis costs have seen severe inflation, and only two providers (DaVita is one of the 2) controls nearly 90% of dialysis facilities (i.e. a major near-monopoly).  The dialysis charges have traditionally been so high that even PPO discounts can’t offer plans much relief.  Self-funded health plans therefore adopted cost containment strategies, including network carve-outs and Medicare-rate based pricing (RBP).  DaVita sued health plans using this method arguing that any dialysis cost containment strategy violates the MSPA.

In the 2020 opinion in the Marietta case, 2 of 3 judges accepted the theory of DaVita and held that the MSPA is an antidiscrimination statute that prohibits sponsors from carving dialysis out of the network and requires dialysis benefits to be paid at the “same” rate as other benefits. Under that opinion, plan sponsors could not take financial risks into account in dialysis benefits.  If a plan treated dialysis differently from other benefits, for any reason, the courts are to order the sponsor to re-write the plan.

The 2020 opinion also allowed dialysis providers to sue plans directly if a member should terminate plan coverage before the end of the coordination period. The prior opinion assumed that the plan’s failure to comply “forced” the member to “switch” to Medicare.  The opinion basically let a provider sue for twice the amount of anything Medicare paid for any service the plan would have covered, not just the dialysis, after the member terminated plan coverage.

SIIA and other stakeholder’s view of the 2020 opinion was a serious break from all precedents not only on the MSPA, but from established ERISA laws and principals deferring to plan sponsors in benefits design.  SIIA feared that while the case officially limited to members with ESRD and dialysis, since the MSPA also applied to members eligible for Medicare due to age or disability, it could open the door to suits for preferential benefits for almost all serious medical conditions.  SIIA and other stakeholders felt that this opinion did not consider any of those factors, and suffered from a number of basic legal flaws.

DaVita V. Marietta Hospital, June  21, 2022 Decision

Much to the relief of the Self-Insurance Industry, as well as self-funded plan sponsors and the ERISA world in general, the Supreme Court, in a 7-2 decision, found in favor of arguments put forward by SIIA and other industry participants in the DaVita v. Marietta Hospital plan case, finding that the Marietta Hospital Employee Health Benefit Plan did NOT violate the Medicare Secondary Payor Act (MSPA) in limiting dialysis payments to DaVita, because it provides the same benefits, including the same outpatient dialysis benefits, to individuals with and without end-stage renal disease.  The Court upheld that group health plans like Marietta’s can utilize cost-control designs under the MSPA so long as the plans offer the same terms of coverage for outpatient dialysis to all of its participants.

I asked Marilyn Monahan to summarize the case for us: “Under the Medicare Secondary Payer Rules, one of the things a plan cannot do when structuring and designing its benefits is “take into account” that someone is eligible for or entitled to Medicare, whether the person is on Medicare due to age, disability, or ESRD.  In short, when structuring benefits, the plan cannot do so in a way that would treat someone who is on Medicare differently from someone is not on Medicare.  Under the facts of the Marrietta case, Marietta was a self-funded health plan and DaVita argued that the Murietta health plan set very low reimbursement rates for dialysis services, and DaVita argued that this was a violation of the Medicare Secondary Payer rules.  The Supreme Court determined that it wasn’t.”

This case, again one of 3 federal appeal cases by DaVita, challenged the authority of plan sponsors to carve out benefits for high cost treatments under the MSPA.  The court’s decision can be found at:  https://www.supremecourt.gov/opinions/21pdf/20-1641_3314.pdf.

The June 21, 2022 decision by the Supreme Court ensures that self-funded plan designs can continue to appropriately manage and pay for dialysis treatment for patients, without unnecessary payment increases to dialysis providers.

I asked Ryan Work, Senior Vice President, Government Relations of the Self-Insurance Institute of America (SIIA), what the Davita case does for the self-insured industry.  “The Supreme Court decision in the DaVita case ensures that self-insured plan designs can continue to appropriately manage and pay for dialysis treatment for patients, without unnecessary payment increases to dialysis providers. SIIA is pleased that the ruling confirmed the ability of health plans to provide common-sense cost containment measures when it comes to high-cost services such as dialysis for those patients that need it the most. Nothing about this decision impacts the quality and care of patients, rather it allows plans to better serve all patients and continue to provide quality, affordable benefits.”

The coordination of benefits issue with Medicare Secondary Payer rules has always been a sticking point with many self-funded health plans.  “It is clear that the MSPA outlines coordination of benefits with Medicare for plan members entitled to dual plan/Medicare coverage for any reason,” stated Ryan. “For some time, dialysis companies have promoted an idea that Congress intended the MSPA to restrict group health plans from setting reimbursement rates for dialysis services at anything other than an unspecified ‘most favored nation’ rate, which simply drives up costs unnecessarily.”

So, what is the bottom line for the Murietta v. DaVita decision for self-funded health plans?  Marilyn Monahan stated: “Here is the bottom line:  As a result of the DaVita case, self-funded health plans now have more flexibility in how they set rates for dialysis reimbursement.”

Ryan Work and SIIA were obviously very pleased with the outcome.  “Under DaVita’s interpretation of the MSPA, self-insured plans, which generally have great flexibility in determining healthcare coverage, would have to sacrifice coverage of other medical services to pay for dialysis services at a rate hundreds of times that of Medicare. These substantial cost increases would not benefit individuals with end-stage renal disease, who would continue to receive the same services. Nor would it save Medicare money. Rather, it would financially benefit dialysis providers.”

Ryan continued: “With only two dialysis providers controlling nearly 90% of dialysis facilities, it is becoming increasingly necessary that self-insured health plans have the ability to appropriately control dialysis cost, which have risen exponentially against inflation,” stated Ryan. “Put simply, plans adopting cost containment strategies such as network carve-outs and Medicare-rate based pricing, should not be in violation of the MSPA”.

Conclusion

The summer is coming to end, but the stress of 2022 is not over.  We’re still dealing with inflation, high gas prices, high interest rates, increasing rent and mortgage costs, the overall cost of goods and services increasing, often beyond family budgets.  Many people I know that were retired have gone back to work, at least part-time, just to survive.  As we tighten our purse strings or wallets and re-examine our spending and savings habits, we should pay close attention to what’s happening around us; both in the news and in our communities.  We may discover that by paying closer attention to details, we may yet find at least a glimmering light at the end of the tunnel.

With the Dobbs v. Jackson case still hovering over us, we have a lot of unanswered questions, and only time and many court and other decisions will determine the fate of many unanswered questions.  Employers should not be rushing to make any quick decisions on health plan changes regarding abortion coverage just yet.  Take some time, breathe, and have some conversations with trusted brokers, consultants and attorneys, and see what the states and the Biden Administration bring to the table in the next few months.

The DaVita case, however, should be a relief to many in the self-insured industry, and plan sponsors should be in a much better mood after this decision.  On a personal note, and on behalf of my own self-insured clients, I am relieved that at least some of the high pricing of dialysis centers who have historically overcharged health plans have been curtailed from at least some of these practices.

As for self-funded health plans and other ERISA plans, you may be able to take a look at your plan benefits to see what cost containment provisions you can add for high-cost benefits, and seek the advice of reputable consultants and experts like ABC!

##

Disclaimer:  This article is not intended to provide legal advice of any kind.  We always recommend that you seek the advice of legal counsel before finalizing plan decisions.

Author’s Note:  I’d like to thank Marilyn Monahan, Jeff Strong and Ryan Work for their assistance with this article.  They can be reached at marilyn@monahanlawoffice.com, jeff.strong@sterlingadministration.com and rwork@siia.org.  I can be reached at (714) 693-9754 x 3, or by email at dmcociu@advancedbenefitconsulting.com.

Sources:  Dobbs v. Jackson Women’s Health Ruling; Kaiser Family Foundation resources sited in this article; Roe v Wade Overturned By Allen Smith, JD, June 24, 2022, SHRM Resources and Tools; NAHU Compliance Corner Webinar, The Impact of Dobbs v. Jackson Women’s Health Organization, Jennifer Berman, MZQ Consulting and Jesse Hansen, One-Digital, Senior Benefits Attorney, August 16, 2022; Podcast Interview with Marilyn Monahan, Monahan Law Office, Benefits Executive Roundtable, Season 4, Episodes 1 and 2; Wikipedia; SIIA Regulatory Update, June 22, 2022, SIIA Legal Alert – Supreme Court Dialysis Decision; SIIA Legal Defense Update, November 6, 2022; Supreme Court Decision, June 21, 2022.

https://advancedbenefitconsulting.com/s2e4-legal-update-part-2-federal-and-state-legal-updates

Host Dorothy Cociu interviews once again attorney Marilyn Monahan of Monahan Law office. In part 2, we will start with an update from Part 1, where we discuss the newly signed California law AB 1867, which expands paid sick leave similar to FFCRA for California employers with 500 or more employees, then we discuss several California state and federal legal updates, including AB-5, the independent contractor’s law in California, recent changes to the ACA, new federal forms that were released, Grandfathered Plans proposed rule changes, California Paid Leave Programs, and Harassment training requirements in California.