September 2009

E-Verify Mandatory for Federal Contractors in September

Any employer that enters into a contract to do business with the federal government on or after September 8 will need to use the Department of Homeland Security's (DHS) E-Verify system. 

E-Verify is an online system that verifies the match of an employee's name and social security number, and verifies the employee's eligibility to work in the United States.   

APA's Immigration subcommittee continues to raise issues with Congress and DHS about problems employers may face when complying with a mandatory E-Verify system.  

"If a contractor becomes mandated to use E-Verify, it will have to use it for any new employees hired on or after the date of the contract, and for any employees (old or new) that work on the project covered by the contract," said Scott Mezistrano, CPP, APA's Senior Manager of Government Relations. "The difficulty that arises is that a long-time employee, even if completely legal and authorized to work in the United States, may not be able to pass an E-Verify screening on the basis of the information contained in the Form I-9 the employer has on file for them."  

To use E-Verify, an employer must enter information about the employee's identity and work authorization documents. E-Verify will accept only those documents allowed under the current I-9. However, a long-time employee may have gone through the I-9 process with a document that is not on the current I-9's list of acceptable documents. Or it may be a document on that list, but the document may have expired.   

For example, if an employee hired 10 years ago showed their driver's license as proof of identity, certainly by now the license shown at hire has expired. Employers are not required to track the expiration of driver’s licenses and re-verify such employees. But if that 10-year employee is working on a federal contract project, their data won't be acceptable to the E-Verify system.   

The Immigration subcommittee of APA's Government Affairs Task Force has raised this issue to DHS personnel in attendance at recent subcommittee meetings, asking how an employer should handle this situation. Could these employees be required to complete a new Form I-9?  

This problem could be bigger than you might think. Recently, Form I-9 was updated. One change was that the choice of citizen status increased from three options to four. Specifically, the choice of "citizen or national of the United States" was split into two options--"citizen" and "non citizen national." So, any Form I-9 on which the "citizen or national" box was checked will not be able to be entered into the current E-Verify system because the employer would have to choose between "citizen" or "national."

USCIS Updates Expiration Date on Form I-9. U.S. Citizenship and Immigration Services has released a new version of Form I-9, Employment Eligibility Verification, with an expiration date of "08-31-12," a revision date of "08-07-09," and no other changes.

The new form has been posted on the LAI website – click here. 

EEO-1 Survey Deadline is September 30, 2009.  Need help with this?  Call us at 770.248.0401 today for our expert assistance.

CDC Guidance for Businesses and Employers To Plan and Respond to the 2009–2010 Influenza Season

Keep Sick Workers Home 
One of the best way to reduce the spread of influenza is to keep sick people away from well people. However, in the fall and winter, it will not be possible to quickly determine if workers who are ill have 2009 H1N1, seasonal influenza, or any number of other different conditions based on symptoms alone. Local and state health department surveillance information can be helpful to know when influenza is circulating in the community, although the availability, timeliness, and amount of local information on when influenza is circulating may vary substantially from community to community.

Workers who have symptoms of influenza-like illness are recommended to stay home and not come to work until at least 24 hours after their fever has resolved. Regardless of the size of the business or the function or services that you provide, all employers should plan now to allow and encourage sick workers to stay home without fear of losing their jobs. CDC recommends this strategy for all levels of severity. Employers should plan now for how they will operate if there is significant absenteeism from sick workers. However, employers should know that some persons with influenza, including those ill with 2009 H1N1, do not have fever.  Therefore, it will not be possible to exclude everyone who is ill with influenza from the workplace.

Here at LAI, we are highly experienced in contingency planning. Call us today at 770.248.0401 to learn how to prepare for absenteeism and gain more insight by signing up for our upcoming webinar on contingency planning.

Avoid Shortcuts to Big Fines - Careful with Classification

Contractor vs. Employee
Given the present state of the economy, employers are becoming more creative in cutting costs. One way a company may choose to save money is to classify current workers or new hires as independent contractors rather than employees, but misclassifying employees—even unintentionally—can prove to be extremely expensive for employers, opening them up to administrative fines and penalties as well as costly private lawsuits, according to Michael Schmidt, an attorney in Cozen O’Connor’s New York office.

In addition, the way the factors used to distinguish between employees and independent contractors have been historically applied by the agencies and courts have left employers without clear guidance to help them determine if they are classifying properly, noted Schmidt, who is also an adjunct professor of law at Touro Law School in Central Islip, N.Y.

Below are a few of the following dangers of misclassification:

If an employer is not withholding taxes because it is treating employees as independent contractors, the Internal Revenue Service and state tax agencies may come calling.

If the employer is not making workers’ compensation or unemployment insurance contributions for the misclassified individuals, state agencies “will have revenue concerns,” and, in the case of an injury, an employer may not have necessary workers’ compensation coverage.

If individuals are not treated as employees, they may be losing benefits and protections to which they are entitled under state law.

Recently enacted state laws impose penalties on certain employers for misclassifying workers.

And possibly the biggest ramification, if workers are incorrectly being treated as independent contractors, they are missing out on the protections of the federal Fair Labor Standards Act and state laws as to minimum wage and overtime, possibly leading to class litigation that could potentially cost the employer huge sums.

Recent State Actions

Under the Massachusetts independent contractor statute, enacted in 2005, but not really interpreted by the state courts until this year, a worker will be considered an employee unless the employer can show that all three prongs of the independent contractor test have been satisfied:

The individual is free from control and direction in connection with the performance of the service, both under his contract for the performance of service and in fact.

The service is performed outside the usual course of business of the employer.

The individual is customarily engaged in an independently established trade, occupation, profession or business of the same nature as that involved in the service performed.

Applying this test, a state trial judge recently certified a class of exotic dancers whose employer improperly classified them as independent contractors (Chaves v. King Arthur's Lounge (No. 07-2505 (July 31, 2009)).

Maryland’s recently enacted Workplace Fraud Act of 2009, goes into effect Oct. 1. Applying only to the landscaping and construction industries, the law “has onerous penalties” for misclassification, Connolly said (penalties of up to $5,000 per misclassified employee as well as restitution paid to the employees themselves).

In addition to establishing standards for determining whether an employer-employee relationship exists, similar to those under the Massachusetts law, the law gives Maryland’s Commissioner of Labor and Industry broad powers. If misclassification is found, the commissioner will notify the state comptroller, the Office of Unemployment Insurance, the Insurance Administration, and the Workers’ Compensation Commission. “The Maryland act is particularly disconcerting,” Connolly said. “It is not just one entity that comes after you. If one agency finds an impropriety, a number of agencies might come after you to see if you comply with their standards.”

A new law in Colorado went into effect June 2, 2009.  It subjects Colorado employers that misclassify employees as independent contractors to fines of up to $5,000 for a first offense and $25,000 for a second or subsequent offense per misclassified worker.

Avoiding Classification Errors 

In order to avoid classification errors, the first step, Schmidt said, is for employers to try to get a better understanding of the criteria used to distinguish employees from independent contractors. All of the different tests basically come down to three major factors, he said:

1. The degree of behavioral control the employer has over the worker.
2. The degree of financial control the employer has.
3. The parties’ own views and their treatment of the work relationship.

Connolly also offered some guidelines to help employers distinguish employees from independent contractors. First, he said, if the individual is working on his or her own (without a formal business entity in place), assume he or she is an employee. Second, give serious consideration to the question of whether what the contractor is doing is an integral part of your business.

Third, ask whether you are hiring this person for a discrete project. Is he or she more like a plumber, who shows up for an isolated problem, tells you when he or she will be there and has his or her own tools; or more like a nanny, who shows up when requested, keeps the hours you set and follows your instructions. The plumber is likely to be a contractor; the nanny an employee.

Finally, ask whether the individual is working substantially full-time for your company. If so, employee status is more likely, Connolly noted.

Do not rely on job descriptions or position statements, but investigate and look at the day-to-day functions being carried on by individuals to see if those individuals really are independent contractors or if they should be classified as employees. The company should document its conclusions, setting out the criteria relied on and the reasons why the individuals were classified as independent contractors rather than employees.  

In almost all cases, the employer should consider using third-party help. Use an outside leasing organization for workers, rather than hiring or reclassifying employees as independent contractors, to minimize your risk,” he suggested.

Use LAI to review and assist in clasifying employees. We can also lease workers back to further minimize your risk. Call 770.248.0401 for more information.

Because the potential exposure and risk of misclassification is really significant for companies, Schmidt said, “They should take a strong look at how they are classifying and who they are classifying instead of waiting to get a knock on the door.” Further, according to Connolly, “I think that it is really important for HR to get a handle on the independent contractors that their companies are engaging. At the end of the day, HR is probably in the best position to identify that there may be a problem,” he concluded. 

Joanne Deschenaux is SHRM’s senior legal editor.

New HIPAA Regulations Effective September 23

On September 23, 2009, the new HIPAA regulations issued by The U.S. Department of Health and Human Services (HHS) requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached will become effective.

Employers must establish guidelines on how PHI will be handled. A privacy officer must be selected to ensure that all HIPAA regulations are being properly met.

There are some records that are not covered by the HIPAA guidelines. They are workers’ compensation records, family medical leave records, sick leave doctor notes, fitness-for-duty notices, and occupational safety and health records.

The rule requires health care providers and other HIPAA-covered entities to promptly notify affected individuals following breaches, as well as to notify the HHS secretary and the media for breaches involving 500 or more individuals. Breaches affecting fewer individuals are to be reported to the HHS secretary annually. 
 
The Federal Trade Commission (FTC) on Aug. 17, 2009, issued companion breach notification regulations that apply to vendors of health records and certain others, including third-party service providers, not covered by HIPAA. 
 
“Pretty much anyone in the IT world is a third-party service provider,” according to Jon Neiditz, an attorney and the information management practice leader at Nelson Mullins in Atlanta, in an Aug. 19 webcast. “Health insurance brokers in almost all cases are business associates,” he added. “If you have a wellness program” and access to personal health records for employees, “you may have to deal with” the federal breach notification rules, he said. Neiditz noted that “not all HR breaches would be covered, but many would be.”

"The privacy and security rules are interdependent; you can't have privacy without security," says Peter N. Cizik, managing director of the consulting firm HIPAA Solutions Rx in Beaverton, Ore. "Just as compliance with the privacy rules might mean that when you file hard copies, your filing cabinets should be locked or otherwise protected, so the new electronic security rules could require that your computers be password protected," he says.

An area of particular concern is e-mail. "If HR staff are e-mailing employee health plan information, that could be considered e-PHI," Cizik says. "HR needs to ensure that the e-mail is in some kind of secure form. Attaching an unprotected spreadsheet to an e-mail doesn't work anymore."

Fully Insured or Self-Funded

If your organization is fully insured under a group plan with an external insurance provider, your compliance burden will be lighter, but you are still responsible for securing e-PHI. "Employers that sponsor health plans need to make sure those plans are going to be in compliance," says Susan Imming, an administration and technology consultant in the Denver office of The Segal Company, a benefits consultancy. "For fully insured plans, you still have in-house administrators dealing with the insurer," she says. "If they are transmitting information electronically, they would have to comply with the security rules."

For self-funded plans, including health-related flexible spending accounts (FSAs), the burden is heavier. Even if the FSA is managed by a third-party administrator (TPA), says Cizik, "you can get access to that data, so you have to put a compliance infrastructure around yourself in terms of policies and procedures."

"If you've hired another company to administer your flex plan, there is going to be electronic data flowing back and forth, and most likely, that's going to involve e-PHI," says Imming. "Most employers have flex plans and do enrollment, so right there, those are areas in which they should take a look and see how this will affect them." And remember, she points out, "it's not only information that's transmitted. It's also information stored on your computers' hard drives."

Gray Areas

More so than under the HIPAA privacy rules, there is a heavy IT component to the electronic security standards involving encryption, disaster recovery, firewalls and other safeguards. All of the new administrative, technical and physical safeguards fall into one of two categories: addressable specifications or required specifications. With addressable specifications, "the government gives you the flexibility to determine what it would take to meet the letter of the rule, and you may conclude that you don't need to do anything," Cizik says. Required specifications provide you with far less leeway. Some examples of each:

Administrative safeguards:

o Disaster recovery plan required specification

o Log-in monitoring addressable specification

Technical safeguards:

o Access controls/unique user identification required specification

o Access controls/encryption and decryption addressable specification

Physical Safeguards:

o Workstation security required specification

o Facility security plan addressable specification

Again, for sponsors of fully funded insurance plans, this may mostly be a matter of ensuring that your external health care provider is in compliance with the new standards. However, employers are still responsible for securing any e-PHI their in-house staff may see, and for safeguarding e-PHI related to self-funded plans administered by the employer or a TPA.

Establishing Electronic Security Safeguards

Fortunately, the security rules are in many regards consistent with most standard corporate security guidelines, so "chances are this is not going to require a huge change from what most companies are already doing," Cizik says.

"Employers should look at their current security procedures and then stack up what they're doing against what they'll need to do under the security rules," Imming says. Whether you decide your safeguards are already adequate or need beefing up, be prepared to document that you performed a risk analysis, Cizik says, because "if you're audited by the government, it's the first document they are going to ask for."

Once risk vulnerabilities are identified, they can be addressed -- for example, by adding encryption and electronic signatures to e-mail transmission. According to Uday O. Ali Pabrai, a consultant and security expert at the HIPAA Academy, a consulting and training organization in Warrenville, Ill., putting an electronic security program in place typically includes these steps:

1. Assign security responsibility by formally designating the person who will be responsible for compliance.
2. Conduct a risk analysis and develop security strategy, policies and procedures.
3. Secure third parties and make modifications or addendums to contracts for business associates used to comply with the HIPAA privacy regulations as necessary for the security regulations.
4. Train employees; remember that people potentially can be the weakest link in your security chain.
5. Evaluate your procedures and make sure you are in compliance with the regulations.

Call LAI at 770.248.0401 and ensure your compliance today.