That Credit Union Blog


Impact of HIPAA on Credit Unions
July 31, 2007, 8:26 pm
Filed under: HIPAA, credit unions

The following is an article reprinted with permission from the Spring 2005 edition of The WWR Letter

Impact of HIPAA on Credit Unions

By: Raymond Moats, Esquire 

In response to the rising cost of health care and the unrestricted exchange of private health information between private companies, such as insurance companies and drug manufacturers, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HIPAA consists of two sections: health insurance reform and administrative simplification. Of the two sections, the administrative simplification section is more likely to have an impact on credit unions.

The health insurance reform provisions promote portability and continuity of health insurance coverage for workers and their families when they change or lose their jobs. The administrative simplification provisions regulate how health care providers, health plans and healthcare clearing houses (covered entities) protect the privacy of patient information as well as provide a national electronic standard for the exchange of health care transactions. The privacy rule provides that covered entities may not use or distribute an individual’s health information without the patient’s authorization, unless the release of information is permitted by an exception in the rule. The privacy regulations also cover businesses (business associates) that perform a function or activity on behalf of a covered entity. This may include third-party administrators, billing companies, lawyers and data processing firms.

There are two situations where the privacy requirements of HIPAA could affect a credit union. First, if the credit union provides bill processing services or Automated Clearing House (ACH) services to a covered entity, then the credit union is considered a business associate of the covered entity. As a business associate, the credit union is obligated to follow the requirements of HIPAA and maintain the privacy of the patient’s health information. Second, if the credit union provides a self-insured health group insurance or offers flexible spending accounts and employee assistance programs, the credit union may be considered a covered entity and again must comply with the HIPAA privacy rule.

In order for a credit union to provide services such as bill processing to a covered entity, the parties must enter into a contract in accordance with HIPAA. The covered entity may not disclose patient health information to a business associate unless the parties have signed a written contract that ensures the business associate will protect the information. The contract must specify the permitted and required uses and disclosures of information by the credit union.

Credit unions that contract with an insurance company or other third party administrator to administer their group health plan are typically exempt from the privacy rules. Also, medical information acquired through the employment process, such as test results, does not make the employer a covered entity. However, credit unions that have a self-insured health plan or a flexible spending plan with more than 50 participants are subject to the regulations under the HIPAA privacy rule.

In order to be HIPAA compliant, a credit union that is designated as a covered entity must appoint a privacy officer. The privacy officer will be responsible for developing and implementing privacy policies. The policies and procedures shall cover the process of taking complaints, sanctioning employees for violating the policies, and the steps involved to mitigate the inappropriate use or disclosure of information. The privacy officer will also appoint a contact person who is responsible for receiving complaints. The credit union will then be required to train all employees on these policies and procedures.

HIPAA creates burdensome requirements for credit unions that are considered business associates to a covered entity or that maintain a self-insured health group plan. Failure to comply with HIPAA could subject a credit union to civil and criminal penalties. In either situation, a credit union would be wise to review its policies with an attorney who is well-versed in the complexity of HIPAA.

Raymond Moats is an Associate in the Collection Services and Probate departments of the Grove City operations center.  He can be reached at (614) 801-2767 or rmoats@weltman.com.      



IRS Releases Final 409A Deferred Compensation Regulations- Time For Action
July 24, 2007, 8:53 pm
Filed under: 409A, IRS, deferred compensation

The following is a guest blog based on an Employment Law Update issued in June 2007 by the law firm of Nexsen Pruet Adams Kleemeier (NPAK). NPAK is a multi-specialty law firm headquartered in Columbia, South Carolina, with more than 170 attorneys and offices in Charlotte and Greensboro, NC and in Columbia, Charleston, Greenville, Hilton Head and Myrtle Beach, SC. The firm offers significant advantages to clients in terms of outstanding individual lawyers, a depth of talent, and extensive experience in many areas. If you have any questions about this post, please contact Suzanne Guitar Odom, an attorney with NPAK.

IRS Releases Final 409A Deferred Compensation Regulations- Time for Action

On April 20, 2007, the IRS issued final regulations interpreting the nonqualified deferred compensation requirements of Internal Revenue Code Section 409A. The 400 pages of regulations take effect on January 1, 2008. Employers should begin to plan for compliance by year-end because all plans and arrangements subject to Section 409A must be in full documentary and operational compliance by December 31, 2007.

Section 409A became effective on January 1, 2005, ushering in a new set of rules for the taxation of nonqualified deferred compensation plans. The new rules generally apply to any plan, program, or arrangement that defers compensation from one tax year to another, except for a qualified employer retirement plan (such as 401(k) plans), or a bona fide vacation leave, sick leave, compensatory time, disability pay or death benefit plan.

Nonqualified deferred compensation arrangements covered by Section 409A include:

· Nonqualified executive retirement plans (such as elective deferrals, Supplemental Executive Retirement Plans, and excess benefit plans)
· Post-retirement reimbursement arrangements and similar benefits
· Certain severance pay plans
· Certain stock option and other equity-based incentive awards (such as stock appreciation rights, restricted stock units, and phantom units)
· Certain other incentive compensation plans
· Some types of split dollar life insurance arrangements

Among the other types of employment-related arrangements that usually contain employer commitments governed by Section 409A are:

· Employment agreements
· Letters or other correspondence offering terms of employment
· Consulting agreements
· Change-of-control agreements
· Annual bonus programs
· Tax gross-up provisions
· Indemnification provisions
· Commission programs

A prudent employer should identify and inventory all plans and arrangements subject to Section 409A. By year-end, employers will need to review each plan or arrangement to determine what documents need to be amended and what administrative practices should be changed to be in full compliance.

There are a number of issues to be considered along the way, such as:

· How to preserve pre-409A “grandfathered benefits”?
· Do director pay plans (or pay plans relating to other contractors) need to be amended?
· Does a plan or arrangement qualify for a regulatory exception?
· How will required changes impact compliance with contractual obligations?
· Will contractual provisions in plans or arrangements affect the amendment process?
· How should changes be communicated to affected individuals?
· Will service provider agreements need to be amended?

If a nonqualified deferred compensation plan fails to comply with any of the new requirements, then compensation deferred under the plan will become includible in the participant’s gross income for the taxable year in which the failure occurs, and interest along with a 20 percent penalty tax will be imposed.

The compliance and amendment process will take thoughtful and thorough planning. Most plan amendments will require appropriate approvals by a Board of Directors or the Board’s Compensation Committee. Employers should develop an action plan and compliance timeline to be completed by year-end.



Negotiation and Vendor Contracts
July 16, 2007, 2:29 pm
Filed under: contracts, negotiation, vendors

The following is an article reprinted with permission from the Summer 2007 edition of Corporate Counsel

Negotiation and Vendor Contracts 

By: Robert Rutkowski, Esquire

Managers frequently negotiate with their vendors, employees, and even other competitors on a variety of issues.  It’s really a two-step process that includes the negotiation itself and the reduction of the deal to a written contract.

It’s important to understand basic negotiation theory before sitting down with the vendor.  Think carefully about what you really want and remember that money is often a means not an end.  Set an optimistic but justifiable target.  Be specific in your goals and become committed to them.  Write down your goals and share them with someone else so that you carry your goals with you into the negotiation.  Try to anticipate the arguments the other side will make in the negotiation process.  At the same time, anticipate the counter arguments the other side will make to your points. 

Try to build a working relationship across the table with the other negotiator.  Avoid reciprocity and relationship traps such as trusting too quickly or letting others make you feel guilty.  Be reliable, trustworthy and fair to those who are fair to you but when treated unfairly, let the other side know about it.  Always negotiate with the person who will make the ultimate decision, not an agent of that person.  If you can identify the other party’s interest, you will be that much further along in realizing your goals.

Identify your leverage early on.  Who has the most to lose from the deal?  For whom is time a factor?  If you improve your alternatives or make the other party’s alternatives worse, or gain control over something the other party needs, you will have leverage and can be tougher in making your case.

Find your own bargaining style, whether it be competitive, problem-solving, compromising, accommodating or a combination thereof.  Do not try to affect a style; do what comes naturally.  No matter what approach you take, it is important to keep your emotional distance.  Pause before making a concession and pause when the other side puts you under pressure.  Deal with discouragement by being patient and always stay in control during a meeting.

Active listening during the negotiation process is as important as your arguments themselves.  If you can avoid preconceptions and understand the perspective of the person negotiating with you, then you will be able to bring your issues to bear much more effectively.  Plan your questions for the other side in advance and ask them with a purpose.  Tailor the questions to your listener and keep the questions short and clear.  Do not interrupt the other negotiator when they are responding to your questions as they may give you valuable information. 

Avoid using threats in negotiation, raising your voice or omitting details.  Maintaining good eye contact, smiling and displaying an obvious interest in the discussion is far more effective.  You can, however, walk away from a deal that is not good for you.  Avoid committing to positions that restrict further movement in the negotiation.  Set your limits and stick to them.  Develop a specific alternative as a fallback if the negotiation fails.  People will try to put pressure on you by emphasizing the time element of the negotiation or encouraging you to split the difference when you have more to lose than they do. 

The final goal in closing the deal is to get an enforceable contract.  The contract should identify, among other things, what you’re getting, what you’re paying for, that which you are purchasing, how long the contract will be in effect and who the parties are to the contract.  Along with the contract, however, you want to gain commitment from the other side that they will do everything that they have said they will do.  Publicly announce your deal if it is newsworthy.  Have a closing where there is a simultaneous exchange. 

Negotiation is a situation where the person with the most information gets the best deal.  Preparation for a negotiation is work and you must allow time for interviewing, fact-finding and strategic thinking.  By treating the negotiation process seriously, you will become an effective dealmaker. 

After you have made your deal, the vendor may present you with a written contract.  There are many other important issues involved in reviewing such a contract.  As a rule of thumb, you want to avoid contracts where the vendor can change terms unilaterally, change fees without your consent and completely and utterly disclaim liability.  Another red flag is when a contract references a document you don’t have or a third party document that you haven’t reviewed.  Of course, price is an issue.  Yet, getting the most favorable pricing is only the beginning.  You will want to be familiar with the pricing structures of at least three vendors in the particular market. 

Along with price come vendor performance standards.  These need to be spelled out.  Often this is done in the form of an addendum or an exhibit to the contract.  These could include the amount of time a particular system is available or the functionality of a product.  There need to be real teeth attached to these.  Having standards where there is no penalty to the vendor for violating them accomplishes nothing.  Penalties can come in the form of per day credits, fines or other reductions in the amount of remuneration the vendor receives.  Other penalties may include your right to terminate the contract without penalty to you.

Termination itself can be tricky.  Often, a vendor will ask for a fee to terminate a contract early.  Depending on the size of the contract itself, this fee can be sizable.  You, on the other hand, need as much flexibility as possible to pursue other options.

Warranties are the representations that the vendor makes with respect to the goods or services being sold.  While some disclaimer of warranties might be granted, it’s wise to pay attention to exactly what the vendor is seeking to avoid.  You need to insist that a product or service that you’re getting works when you get it.  If it doesn’t, you need recourse.  Warranties may establish your right to recourse (other factors are involved as well).  And if things really go wrong, you need to be able to sue the vendor.  The vendor of course wants to avoid this.

One of the most important provisions, and one that merits close scrutiny, is the provision limiting liability.   Typically, a vendor will seek to limit its liability for the products and/or services it offers.  A common provision of this type disclaims special, indirect, incidental or consequential damages.  Very aggressive contracts will also seek to limit direct or actual damages as well.  That is not acceptable on its face; there must be liability for direct or actual damages caused by the vendor. 

Nor should damages based on the vendor’s negligence or misconduct be eliminated or limited.  A common modification is to use “gross” negligence and “willful” misconduct as a higher standard, but some level of responsibility for this issue needs to remain in the contract.

These damages can be limited by clauses that cap overall liability.  The contract will contain a clause, for example, stating that liability is limited to the amount paid under the contract three months prior to the claim.  This can be an astoundingly small amount in the face of a serious breach of a large commercial agreement.  Certainly, one can argue that such a provision is unenforceable or unconscionable, but why not try to eliminate it before the contract is signed?  A compromise to this would be to raise the limit to three times the amount paid for the life of the contract.

More insidious yet is the effect of the damages limitation provision on other important provisions of the contract.  Typically, a fair contract will have a mutual indemnity provision.  If one party is sued by a third party because of something that the other party did, the innocent party should be indemnified.  The provisions may appear generous, but if there is a liability cap, the vendor can argue later that its duty to indemnify is also limited by that cap.  The generous indemnity provision is then effectively destroyed.  The indemnification provisions need to be outside any cap on liability or damages.

Nowadays, intellectual property litigation is more common than ever.  Perhaps the largest action in this regard pending today is the SCO v. IBM litigation.  SCO sued IBM for approximately $5 billion over ownership of the Linux operating system.  This suit has implications for every business that uses Linux.  A business that thinks it has the legal right to use the software may not after all.  This is why it is important to have an unfettered right of indemnity back to the vendor in the event of a third party challenge to that vendor’s intellectual property.

Some final considerations include privacy, venue, choice of law and a host of other miscellaneous issues.  Financial institutions require very specific language in their contracts concerning privacy.  Depending on your business, perhaps you need less, but it still needs to be in the contract along with a confidentiality provision.  These are not necessarily the same thing.  Venue describes where lawsuits must be brought under the contract if there’s a dispute.  Make it in the court closest to you.  Avoid arbitration clauses, as there’s no real right of appeal in arbitration.  If nothing else, make it non-binding.  Choice of law concerns which state’s law applies to the contract.  It’s a matter of debate as to which state has the best contract law.  People often just choose the state where they are located or that they know the best.

In short, contract negotiation can be quite challenging, but being forewarned is being forearmed.  Stay away from vendors carving out unilateral powers for themselves.  Make these provisions mutual or eliminate them.  Any limitations on liability that are agreed to must be given special attention.  If a vendor is unwilling to negotiate on these points, consider walking away from the contract.  Understanding the contract you sign in advance can help you avoid unpleasant surprises later.

Robert Rutkowski is a Partner in the Brooklyn Heights operations center of Weltman, Weinberg & Reis Co., L.P.A. He is responsible for managing the firm’s Credit Union department and Corporate & Financial Services Practice Group. He can be reached at (216) 739-5004 or rrutkowski@weltman.com.



Making Data Security a Priority
July 10, 2007, 7:42 pm
Filed under: credit unions, data security, security response program

The following is an article reprinted with permission from the Spring 2006 edition of The WWR Letter

Making Data Security a Priority

By: Robert Rutkowski, Esquire 

The last few years have not been great ones for keeping data secure. Several major corporations reported security breaches where records were lost or stolen. Tapes were lost, paper lists never arrived at their intended destinations and laptops fell into the hands of people with bad intentions. It is as though we need an entirely new way of looking at the storage and transportation of data.

The NCUA gives some instruction on data security in its Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Federally insured credit unions must now follow certain requirements when member information is at risk. Essentially, credit unions must make an assessment of the situation, notify regulatory and law enforcement agencies, contain and control the situation, take corrective action, notify members and revise their vendor contracts (to require vendors to inform credit unions of data breaches).

The NCUA regulation is helpful in that it creates a minimum standard to follow. However, a credit union should not stop there. This entire problem is one of data security. Currently, the best way to send data is to encrypt it and send it electronically. We need to stop thinking of data as something that can be entrusted lightly with a courier. Instead, we should think of sending data the same way we think of sending money and treat it with the same level of security. Avoiding the loss or theft of data in the first instance is the most effective way to deal with the problem.

The consequences of a data breach or loss of data can be catastrophic to a credit union. Under the requirements of a security response program, notice to members should be given if “substantial harm or inconvenience could result to members from unauthorized access.” In the instance of a large-scale data compromise, such a notice could cause a run on the credit union. 

State governments are noticing this problem as well. Many states have new identity theft laws that allow the freezing of consumer reports or placing of fraud alerts beyond what is offered under FACTA.  Ultimately, however, legislation is not going to solve the problem. Data must be treated differently and more securely. It must be encrypted and transmitted by the most secure method possible. Credit unions definitely need a policy in place to comply with the law, but to protect the credit union to the fullest extent, it is important to move away from storing and transporting data in vulnerable ways. Credit unions have lots of experience in handling money securely. Data now needs to be approached in the same way.

Robert Rutkowski is the Managing Partner of WWR’s Credit Union department and Corporate & Financial Services practice group. Located in the Brooklyn Heights operations center, he can be reached at (216) 739-5004 or rrutkowski@weltman.com.



In praise of credit union leagues.
July 6, 2007, 12:45 pm
Filed under: credit unions

In working with credit unions, part of what I do is give seminars.  This takes me across the country and I get to work with a lot of credit union leagues.  In fact, the majority of the seminars I do are sponsored by the various leagues throughout the country.  I have to say, without fail, that I have had a positive experience in working with credit union leagues.

Most recently, I worked with the Maryland/DC Credit Union Association on two back-to-back all day presentations.  For me, these types of seminars are the hardest as they involve six hours of teaching.  My mom would probably laugh at that as she taught high school, so she did that every day, nine months a year, for 30 years.  The people in MD and DC are very professional, well organized and friendly.  That helps a great deal.

It also typifies my experience from California to Arizona to Utah to New Mexico to Illinois to Indiana to Michigan to Pennsylvania to New Jersey and of course Ohio and all of the leagues I’ve worked with.  The league system is definitely an expression of the credit union movement.  It’s a system of people who believe in the movement and who share the same honest, down to earth values that you find at credit unions themselves.  It’s not just seminars.  I’m sure if I needed a resource to find out what credit unions were doing on a particular issue in California, I could call someone at the league and find out. 

While I’m on the vendor side of things, I recognize the value that leagues give to credit unions.  From coordinating an extremely effective Political Action Committee to operational help and guidance, leagues are there for credit unions.  From state to state, the leagues offer products and services too varied to list.  Some leagues work with vendors directly, others offer CUSOs.  In all cases, the leagues offer value to their member credit unions.

At the same time, in an environment of credit union consolidation, leagues, too, are having to look at budgets and do business differently.  It’s still business after all.  However, I believe in the league system.  It has worked for credit unions for decades.  Sure, leagues will follow credit unions in evolving as markets change.  In terms of core value, however, leagues have never been more important.