Protect Your Most Important Asset: Your Data

In today’s digital business environment, your most valuable asset isn’t your inventory or even your people — it’s your data. From employee records to health insurance details, payroll figures to tax returns, the information your business handles is not only critical to your operations — it’s also a prime target for cyber threats and regulatory scrutiny.

As an employer, you are a data steward — and the responsibility to protect that data rests squarely on your shoulders.

What’s at risk?

  • Employee health plan details (PHI)
  • Payroll and compensation data
  • Social Security numbers
  • Financials, tax returns, and accounting records
  • HR files, onboarding docs, and termination info

This is confidential, sensitive, and regulated information — and in many cases, sharing it with vendors opens you up to liability unless proper safeguards are in place.

What is a Business Associate Agreement (BAA)?

A BAA is a legal document required under HIPAA when a Covered Entity (like your company) shares Protected Health Information (PHI) with a third party (called a Business Associate).

It outlines:

  • How that vendor can use your data
  • Security measures they must have
  • What happens in case of a breach

If your vendor handles PHI and you don’t have a BAA in place, your business could be liable for any mishandling, data breach, or HIPAA violation — even if it wasn’t your fault.

Who Needs to Sign a BAA With You?

Here’s a rule of thumb: If they touch your employees’ health or personal data, get a BAA. Start with the common vendors listed below.

Vendors That May Require a BAA:

[Image: BAA vendors]

*CPA firms may not require a BAA unless they are directly handling PHI or managing plan-related details.

What You Should Be Doing as a Business Owner or HR Leader

  1. Audit Your Vendor List
    Identify every third party with access to employee data or systems storing it.
  2. Request a BAA From Each Vendor
    Ask them: “Do you handle PHI or any health plan data? Do you have a BAA template or will you sign ours?”
  3. Review Your Privacy Practices
    • Are you encrypting emails with sensitive data?
    • Who on your team has access to employee health records?
    • How are files stored and backed up?
  4. Use Secure Channels
    Avoid sending PHI or personal data through unencrypted email or shared drives without permission controls.
  5. Train Your Staff
    Make sure your HR and benefits team knows what qualifies as sensitive information and how to protect it.

Final Thought: Protect Data Like It’s Money — Because It Is

Data breaches, regulatory fines, and lost trust can cost your business far more than just a headache. Think of your data as digital currency — and make sure you’re working with partners who take that as seriously as you do.

Can Employers Offer Employees Different Levels of Contribution?

Today we want to share a hack around discrimination in employer contribution to employee benefit plans. The question we often receive is: Can you give different employees different levels of employer contribution?

The short answer is “Yes you Can.”

It’s commonly thought that employers don’t have a lot of discretion in designing and delivering health care benefits for their employees. In reality, there are many ways employers can enhance the delivery of their benefits by defining classes of eligibility, which creates legal and non-discriminatory ways to enhance employee benefits by class.

Now while it is possible, there are some complexities to setting it up because it touches on some issues regarding employment law and may not be advisable depending on workplace culture. But in general, an employer can create classes of employees and define the contributions or the offering of benefits to these select classes of employees.

Non-discriminatory ways to define an employee’s class of eligibility:

Generally, employers have discretion when structuring their benefits plans and are able to make distinctions among employees and the benefits they’re offered. Plans may differ among employees only on “bona fide employment-based classifications.” A “bona fide employment-based classification” might include: full-time versus part-time employee status; different geographic location; membership in a collective bargaining unit; date of hire or length of service; or differing occupations. Each of these can be treated as a different group of similarly situated individuals and receive a different level of employer contribution. For example, it is perfectly fine to offer three weeks of vacation to exempt employees and two weeks to nonexempt employees, because the basis of the vacation benefit is their FLSA category and not any protected category.

The key is to make sure that benefits plan decisions are non-discriminatory, and that’s where we can help. We can make sure protected groups remain protected and design an employer contribution plan that delivers the best possible benefit while eliminating any unintentional discrimination that may result from these decisions.

With the current challenges in recruiting and retaining employees, it’s a perfect time to revisit how you deliver and what you deliver, and to make sure your benefit packages are competitive in helping you attract, retain, and reward the A players who move your business forward. Need help creating classes of employees and defining contributions? Let’s talk: shoot us an email at marketing@corpstrat.com

Why Every Employer Needs an ERISA Wrap Document

Heading into audit season, a simple and cost-effective way to ensure your documents are prepared correctly is having an ERISA Wrap Document. Including a wrap document means that if anything is missing from your insurance policy or coverage certificate, this one document supplements the information necessary to comply with ERISA. It’s a bit like playing defense: nothing flashy, but when you need it, you’re glad you’re covered. Plus, at less than $500 a year, it’s the easiest way to save yourself a ton of headaches.

What is ERISA?

  • The Employee Retirement Income Security Act (ERISA) is intended to protect employees who are counting on retirement benefits or pensions promised by their employer.
  • ERISA sets guidelines and rules for how employee retirement funds must be managed; it puts strict guidelines in place for when and how employees can earn a non-forfeitable interest in promised pension benefits.
  • Every employer who maintains a health and retirement plan is subject to ERISA and must have a separate written plan document.

What is an ERISA Wrap Document?

  • It’s a relatively simple written document that “wraps” around the insurance policy, coverage certificate, or plan booklet.
  • It describes the participants’ rights, benefits, and obligations within their plans as well as the plan’s terms and conditions.
  • By using a wrap document, an employer can satisfy the ERISA Summary Plan Description (SPD) requirement with this one document for all the health and welfare benefits offered.

What doesn’t count as an ERISA Wrap Document:

  • Summary Plan Descriptions (SPD)
  • Certificate of Coverage
  • Summary of Benefits
  • Copy of the Master Contract

Why Do I Need An ERISA Wrap Document?

  • Using a wrap document is an easy, cost-effective way for employers to show auditors that they’re in compliance with ERISA and other laws affecting the employee benefits they offer.
  • The penalties for not having one are very steep.
  • Without one, the company is left vulnerable to costly lawsuits.

If you don’t have an ERISA Wrap Document or your company’s ERISA Wrap Document is outdated, schedule a call with us now. We can help.

Learning with CorpStrat: Free Courses for Clients

We understand there are many businesses struggling during this very challenging time.

With most people working remotely now, it is easy for employees to feel disconnected from the rest of their team while managing stress and learning to adapt each day. While we have all been adjusting to remote work, some have also been juggling their other roles as parents, teachers, and employees.

As part of our 21st Century HR Solution that uses technology to simplify and streamline HR procedures, we are offering CorpStrat Learning: a platform for employees to come together to connect and collaborate, which allows companies to assign, track, and educate their staff and managers on a host of subjects.

Our CorpStrat Learning tool is for clients to empower employees during these times when everything can start to feel rather bleak.

Here are the 5 courses we have identified as the most purposeful and helpful during this time:

  1. Coronavirus Preparedness for Managers and Employees
    This course informs managers and employees of simple steps they can take to stay healthy and prevent the spread of Coronavirus (COVID-19). (Recommended for: Managers and Employees)
  2. Crisis Management and Emergency Response Planning
    This course teaches managers how to safeguard their employees and the reputation of their organization with advance planning and swift, effective actions during a crisis or emergency situation. (Recommended for: Managers)
  3. Handling Stress
    In this course, managers and their team will learn effective techniques for managing their stress levels, allowing them not only to improve their overall sense of well-being but also to work more productively. (Recommended for: Managers and Staff)
  4. Working Remotely
    Whether your business has always been remote, or this is the new normal for you given the circumstances around COVID-19, our “Working Remotely” course offers managers and their team strategies on how to be an effective, remote employee. (Recommended for: Managers and Staff)
  5. Managing Remote Teams
    As we touched on earlier when it comes to working remotely, feeling connected and touching base frequently is important to keep your team productive and engaged. Not to be confused with our “Working Remotely” course, this course focuses on providing managers guidance on how to strengthen their team’s synergy during times of remote work. (Recommended for: Managers)

We know times are tough, so CorpStrat is proud to offer this platform for FREE to our existing agency clients. Contact us now to enroll and roll out these courses.

P.S. (If you have more “downtime” and want to get ahead of the compliance curve, CorpStrat also offers a full set of California compliance training courses. As a reminder, California law requires employers of 5 or more employees to provide Sexual Harassment Prevention Training. Although the current stay-at-home order may give us all a sense of comfort on this issue, it is important to ensure this is completed before January 1, 2021.)

Ready to feel empowered to tackle working remotely?
Email us at Learning@CorpStrat.com to get started.

CCPA and Its Effect on the Employment Relationship

Since January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) has officially been in effect. In short, the CCPA imposes new privacy obligations on businesses that collect personal information of California consumers. But it doesn’t just stop at consumers. With the recent Attorney General-issued revisions, the CCPA applies to the employment relationship as well, including information related to employee benefit plans.

Here is a breakdown of how the CCPA affects the employment relationship.

CCPA and Employees

Under the CCPA, the definition of “consumer” is very broad: any natural person who is a California resident is a “consumer.” This broad definition therefore extends to employees who reside in California, regardless of the fact that their relationship with the business is as an employee rather than as a consumer.

Since the definition of “consumer” is very broad, so is the definition of “personal information.” However, the recent revisions by the Attorney General brought some clarity about what constitutes “personal information”: employment-related information is considered “personal information” under the CCPA. There is no exemption for employment-related personal information stored and maintained by an employer.

As such, similar to consumer information, the CCPA requires employees and applicants to be notified that their personal information is being collected.

Other noteworthy revisions from the Attorney General include:

  • An employer is not required to provide a link to an online privacy policy to employees and applicants as a method of notice; they can be notified through a paper form or via email.
  • An employer is allowed to provide a link to an online privacy policy tailored to employee and applicant data, rather than the general online privacy policy which deals with consumers as a whole.

Employment-related Information Under CCPA

The following common types of “employment-related” data are considered “personal information” (and protected) for purposes of the CCPA:

  • New hire/on-boarding paperwork, including resumes, employee applications (including Social Security Number, drivers’ license, mailing address), background checks, IRS Forms W-4 (withholding), etc.
  • Payroll information, including employee bank account numbers for direct deposit.
  • Credit card information provided in connection with expense reports.
  • Random drug testing paperwork and results.
  • Documentation of various types of leave, such as sick leave, vacation, paid time off, etc.
  • Employee benefit plans (to the extent not exempt from the CCPA).
  • Employee’s online activity on a work computer/system, such as browsing history and search history.

Data from Employee Benefit Plans

Data from employee benefits plans are covered—and protected—under the CCPA. Employee benefit plans collect and use personal information since plans require various types of personal information, such as name, address, Social Security Number, and insurance policy information.

However, certain benefit plans may have different compliance obligations under the CCPA, especially if they are HIPAA-covered or ERISA-covered. Specifically, the compliance obligations of certain benefit plans may be: (1) limited by the CCPA’s HIPAA exemption; and (2) potentially preempted by ERISA.

HIPAA Exemption

The CCPA does not apply to “protected health information” (PHI) of a group health plan that is subject to HIPAA or to other personal information protected in the same fashion as PHI. Employer-sponsored HIPAA-covered benefit plans typically include a major medical plan, dental, vision, health flexible spending account, and certain wellness or employee assistance programs. One thing to note is that some information collected by a benefit plan may be personal information under the CCPA, but not PHI under HIPAA, and there may be compliance obligations concerning that information.

ERISA Preemption

The CCPA does not specifically address how it applies to benefit plans not covered by HIPAA. For plans that are subject to the Employee Retirement Income Security Act of 1974 (“ERISA”), there is a possibility that the CCPA could be preempted, or prevented, by ERISA. As such, ERISA-covered benefit plans that are not HIPAA-covered (such as 401(k) plans, long term disability, and AD&D) may be able to successfully argue that personal information collected and used is not subject to the requirements of the CCPA.

The Bottom Line

When dealing with the CCPA regarding employment, an employer should apply the same steps they apply to “personal information” from customers and other consumers to employee data and employee benefit plan data (that may be subject to the CCPA).

Reach out to CorpStrat to learn how we design and manage (compliant) employee benefits at competitive rates so your company can attract, reward, and retain your employees.