Arizona’s New Paid Sick Time Law Goes Into Effect July 1, 2017

Arizona voters recently approved Proposition 206, which will increase the minimum wage to $10 per hour, effective as of January 1, 2017, and provides all Arizona employees (other than employees of the federal or state government) paid sick time (PST) as of July 1, 2017.

This post summarizes the key issues that employers will need to address before July 1, 2017. We will be providing more information and will assist clients in drafting a compliant policy in the coming months, as we expect clarification on the notice requirements in rules that will be issued by the Industrial Commission of Arizona (ICA).

Employers will likely want to create a new PST policy, which they provide to employees before 7/1/2017, and which explains the employees’ rights to PST under the new Arizona statute.

Coordination with Other Policies

In most cases, employers will want to make their PST policy separate from any existing Paid Time Off (PTO) policy, even though the two policies will refer to each other. In addition, existing PTO policies may need to be refined to ensure they work as smoothly as possible with the new PST requirements.

Your PST policy will need to coordinate with your FMLA leave policies, as the two types of leave may overlap in some instances, but they are not synonymous. Employers should also consider coordinating their PST policy with any self funded short term disability policy, to ensure that they do not have to pay out twice for the same leave (once under the STD policy and once under the PST policy)

PTO Accrual

  • If you are an employer of fewer than 15 employees, employees must be allowed to accrue and use up to 24 hours of PST per year and if you are an employer of 15 employees or more, employees must be allowed to accrue and use up to 40 hours of PST per year (the time is accrued 1 hour for every 30 hours worked)
  • FLSA Exempt employees are presumed to work 40 hours per week; unless they actually work less than 40 hours per week in which case they can accrue PST based on actual hours worked.
  • Time taken for PST can also reduce available PTO (if your PTO policy so provides).

Employees can take PST for Four Broad Reasons:

  • Their own mental or physical illness, injury or health condition, need for diagnosis, treatment or care, or for preventive care
  • Care of a family member with the above
  • Absences necessary due to certain domestic violence, sexual violence, abuse or stalking
  • Certain business closures due to public health emergencies.

Optional Policy Provisions

In adopting a PST policy, employers will need to consider the following (we anticipate providing a checklist in the Spring of next year to help clients draft their policy to incorporate these choices):

  • Define a PST year: Your policy will need to define when the PST year begins. We generally recommend January 1, unless your company uses a different month for the beginning of the work year or your welfare benefits plan year.
  • Define the increments in which the employee can use the accrued PST: may be used in the smaller of either an hourly increment or the smallest increment that your payroll system uses to account for absences or use of other time.
  • Termination of Employment: Will you pay employees out for accrued PST upon separation of employment? Most employers will not pay it out.
  • Carryover of PST or payout unused accrued PST at the end of the year? Employers have the option to pay out unused PST at the end of each year, or to carry it over.
    • We recommend that most employers not payout the unused PST and instead allow the time to carryover each year. The employee will continue to accrue additional PST (up to 24 or 40 additional hours). However, the impact of this is limited because:
      • employees cannot use more than 24/40 hours of PST per year, regardless of how much PST they carry over and end up accruing in the new year, and
      • employers do not have to pay out PST upon termination of employment. The carry over therefore simply allows the employee to have the availability to use PST hours that were accrued and unused during the prior year – i.e. to use PST immediately in the subsequent year, as needed. The financial impact can be limited for most employers if their PTO policy is properly drafted to ensure this time is also deducted from an employee’s PTO bank.
  • Delay Availability of PST for New Hires (after 7/1/2017)? Newly hired employees will accrue PST once they commence employment, however employers may require that they wait until 90 calendar days after they commence employment before they can use any accrued PST.
  • Who in your organization will keep record of the PST? : Employers must keep records for 4 years.
  • Will you allow employees to borrow PST?: Most employers will not allow borrowing of PST. However, many will revise the PTO policies to allow borrowing of PTO, if it is used for PST reasons (thereby increasing the likelihood that you will in fact reduce the amount of PTO available by each hour of PST taken).
  • What Procedures will you Adopt for Requiring Notice before an Employee Takes PST (both foreseeable and non-foreseeable)? (and how will you coordinate that with your current policy for requesting PTO)?
    • If you require notice of the need to use PST, even where the need is not foreseeable, your policy must include the procedures for the employee to provided notice.
  • What circumstances will you require proof of the need for PST (other than a request)?
    • You may request “reasonable documentation” that earned PST is used for a proper purpose only where an employee seeks to use three or more consecutive work days of PST.
    • “Reasonable documentation” is defined as “documentation signed by a health care professional indicating that the earned paid sick time is necessary.”
    • Where three or more consecutive PST days are used in cases of domestic violence, sexual violence, abuse, or stalking, the statute provides alternative forms of reasonable documentation that may be requested, such as a police report, a protective order, or a signed statement from the employee or other individual (a list of which appears in the statute) affirming that the employee was a victim of such acts.
    • If you currently require a doctor’s note for any single-day absence you will need to change that practice.

In addition to adopting a policy, and posting a required notice (a model of which the ICA will provide), employee pay statements must include or have enclosed a report of PST to include the following:

  • the amount of PST available;
  • the amount of PST taken to date; and
  • the dollar amount of PST paid year to date

We recommend clients wait until March/April of 2017 before drafting their PST policy and updating their PTO policies, because expected ICA rules will likely provide some guidance on the new law that may impact your policy choices. We anticipate providing clients a checklist in the Spring to select the features they would like in a PST, and to draft policies based on those choices. We expect we will be able to provide that service for a low flat fee. Look for details in the Spring.

ERISA Benefits Law Receives Recognition as a Top Tier Law firm in 2017 U.S. News – Best Lawyers® “Best Law Firms” Rankings

Just eight months after opening its doors as a niche ERISA and employee benefits law firm focused on providing the highest quality legal services at the most affordable rates anywhere, ERISA Benefits Law has been recognized as a top tier law firm in the 2017 U.S. News – Best Lawyers® “Best Law Firms” rankings. The firm received a Tier 1 metropolitan ranking in Tucson, Arizona in Employee Benefits (ERISA) Law.

The U.S. News – Best Lawyers “Best Law Firms” rankings are based on a rigorous evaluation process that includes the collection of client and lawyer evaluations, peer review from leading attorneys in their field, and review of additional information provided by law firms as part of the formal submission process.

IRS Announces 2017 COLA Adjusted Limits for Retirement Plans

The IRS has released Notice 2016-62 announcing cost‑of‑living adjustments affecting dollar limitations for pension plans and other retirement-related items for tax year 2017.

Highlights Affecting Plan Sponsors of Qualified Plans for 2017

  • The contribution limit for employees who participate in 401(k), 403(b), most 457 plans, and the federal government’s Thrift Savings Plan remains unchanged at $18,000.
  • The catch-up contribution limit for employees aged 50 and over who participate in 401(k), 403(b), most 457 plans, and the federal government’s Thrift Savings Plan remains unchanged at $6,000.
  • The limitation on the annual benefit under a defined benefit plan under Section 415(b)(1)(A) is increased from $210,000 to $215,000.
  • The limitation for defined contribution plans under Section 415(c)(1)(A) is increased in 2017 from $53,000 to $54,000.
  • The annual compensation limit under Sections 401(a)(17), 404(l), 408(k)(3)(C), and 408(k)(6)(D)(ii) is increased from $265,000 to $270,000.
  • The dollar limitation under Section 416(i)(1)(A)(i) concerning the definition of key employee in a top-heavy plan is increased from $170,000 to $175,000.
  • The limitation used in the definition of highly compensated employee under Section 414(q)(1)(B) remains unchanged at $120,000.
  • The dollar amount under Section 409(o)(1)(C)(ii) for determining the maximum account balance in an employee stock ownership plan subject to a 5‑year distribution period is increased from $1,070,000 to $1,080,000, while the dollar amount used to determine the lengthening of the 5‑year distribution period is increased from $210,000 to $215,000.
  • The compensation amount under Section 408(k)(2)(C) regarding simplified employee pensions (SEPs) remains unchanged at $600.
  • The limitation under Section 408(p)(2)(E) regarding SIMPLE retirement accounts remains unchanged at $12,500.

The IRS previously Updated Health Savings Account limits for 2017. See our post here.

The following chart summarizes various significant benefit Plan limits for 2015 through 2017:

Type of Limitation 2017 2016 2015
415 Defined Benefit Plans $215,000 $210,000 $210,000
415 Defined Contribution Plans $54,000 $53,000 $53,000
401(k) Elective Deferrals, 457(b) and 457(c)(1) $18,000 $18,000 $18,000
401(k) Catch-Up Deferrals $6,000 $6,000 $6,000
SIMPLE Employee Deferrals $12,500 $12,500 $12,500
SIMPLE Catch-Up Deferrals $3,000 $3,000 $3,000
Annual Compensation Limit $270,000 $265,000 $265,000
SEP Minimum Compensation $600 $600 $600
SEP Annual Compensation Limit $270,000 $265,000 $265,000
Highly Compensated $120,000 $120,000 $120,000
Key Employee (Officer) $175,000 $170,000 $170,000
Income Subject To Social Security Tax (FICA) $127,200 $118,500 $118,500
Social Security (FICA) Tax For ER & EE (each pays) 6.20% 6.20% 6.20%
Social Security (Med. HI) Tax For ERs & EEs (each pays) 1.45% 1.45% 1.45%
SECA (FICA Portion) for Self-Employed 12.40% 12.40% 12.40%
SECA (Med. HI Portion) For Self-Employed 2.9% 2.9% 2.90%
IRA Contribution $5,500 $5,500 $5,500
IRA catch-up Contribution $1,000 $1,000 $1,000
HSA Max Single/Family $3,400/6,750 $3,350/6,750 $3,350/6,650
HSA Catchup $1,000 $1,000 $1,000
HSA Min. Annual Deductible Single/Family $1,300/2,600 $1,300/2,600 $1,300/2,600

OSHA Issues Final Rules for Handling ACA Retaliation Claims

The Department of Labor’s Occupational Safety and Health Administration has published a final rule establishing procedures, time frames and burdens of proof for handling whistleblower complaints under the Affordable Care Act (ACA).

The ACA amended Section 18C of the Fair Labor Standards Act to protect employees from retaliation for receiving federal financial assistance when they purchase health insurance through an Exchange. It also protects employees from retaliation for raising concerns regarding conduct that they believe violates the consumer protections and health insurance reforms found in Title I of the ACA.

This rule establishes procedures and time frames for hearings before Department of Labor administrative law judges in ACA retaliation cases; review of those decisions by the Department of Labor Administrative Review Board; and judicial review of final decisions. Significant provisions in the final rule, and implications for employers include:

  • As with other retaliation claims, the complainant need not prove that the initial complaint, which they allege triggered the retaliation, pertained to an actual violation of law. They only need to show that they had a good faith belief that they were complaining about a violation of law.
  • To establish a prima facie case of retaliation for receiving a subsidy or premium assistance through an Exchange, an employee merely needs to show that an adverse action took place shortly after the protected activity.
  • This will be a very easy burden to meet where the employer has knowledge that the employee was receiving a subsidy or premium assistance. For example:
    • an employee might ask the employer about the coverage available through his employment, for the purpose of applying for a subsidy through the Exchange.
    • in addition, under the ACA, when an exchange provides a premium subsidy it is supposed to notify the employer. This will provide the employer specific notice that the employee has requested or is receiving a subsidy.
    • the employer’s knowledge of the above could prove fatal to the employer’s defense of a retaliation claim, unless the employer scrupulously segregates such knowledge from those making employment decisions.
  • Once a claimant establishes a prima facie case, the burden shifts to the employer to establish by clear and convincing evidence that it would have taken the adverse action even if the protected activity had not occurred. This is a very high standard.

More…

The Final Rule

OSHA’s Affordable Care Act fact sheet provides more information regarding who is covered under the ACA’s whistleblower protections, protected activity, types of retaliation, and the process for filing a complaint.

PBGC Expands Missing Participant Program to Defined Contribution Plans

The Pension Benefit Guaranty Corporation (PBGC) has issued a Proposed Rule that would redesign its existing missing participants program for single employer Defined Benefit (DB) plans and to adopt three new missing participants programs that will cover most Defined Contribution (DC) plans, as well as multiemployer DB plans and professional service employer DB plans. All four programs would follow the same basic design. Among the most prominent changes to the existing program would be:

• Provision for fees to be charged for plans to participate in the missing participants program.

• A requirement to treat as ‘‘missing’’ non-responsive distributees with de minimis benefits subject to mandatory cash-out under the plan’s terms.

• More robust requirements for diligent searches, using sponsor and related plan records, free web-search methods, and (subject to waiver) commercial locator services (which would be clearly defined).

• Fewer benefit categories and fewer sets of actuarial assumptions for determining the amount to transfer to PBGC.

• Changes in the rules for paying benefits to missing participants and their beneficiaries.

An important part of all of the missing participants programs will be a new unified pension search database. This database would include information about missing participants and their benefits and a directory through which members of the public could easily query the database (using a choice of fields) to determine whether it contained information about benefits being held for them. PBGC anticipates that its new pension search database will provide a comprehensive, nationwide, authoritative, reliable, easy to use source of information about missing participants and the benefits being held for them.

‘‘Missing’’ would be defined more specifically than in the current regulation. As explained below, a distributee would be missing if—

(1) For a DB plan, the plan did not know where the distributee was (e.g., a notice from the plan was returned as undeliverable), unless the distributee’s benefit was subject to mandatory ‘‘cashout’’ under the terms of the plan, or

(2) For a DC plan, or a distributee whose benefit was subject to a mandatory cash-out under the terms of a DB plan, the distributee failed to elect a form or manner of distribution.

For DC plans, PBGC proposes to specify simply that a diligent search is one conducted in accordance with DOL guidance, the most recent of which was issued on August 14, 2014 by the Employee Benefits Security Administration (EBSA) in Field Assistance Bulletin No. 2014–01 regarding Fiduciary Duties And Missing Participants In Terminated Defined Contribution Plans (the FAB). The FAB provides guidance about required search steps and options for dealing with the benefits of missing participants in terminated DC plans.

PBGC is proposing to charge a one-time $35 fee per missing distributee, payable when benefit transfer amounts are paid to PBGC, without any obligation to pay PBGC continuing ‘‘maintenance’’ fees or a distribution fee. There would be no charge for amounts transferred to PBGC of $250 or less. There would be no charge for plans that only send information about missing participant benefits to PBGC.

More…

Overview of Proposed Expanded Missing Participants Program

Proposed Expanded Missing Participants Program FAQs

Read the Proposed Rule

IRS Updates EPCRS Retirement Plan Correction Procedures

The IRS released Revenue Procedure 2016-51 on September 29, 2016, updating its prior Employee Plans Compliance Resolutions System (EPCRS) correction guidance. Significant changes made to the EPCRS system include:

  • Plan sponsors applying under EPCRS to correct a plan document failure will not longer be permitted to include an application for a favorable determination letter with their EPCRS application. This change is to coordinate EPCRS with the recently announced changes to the IRS determination letter program.
  • Similarly, individually designed plans using the Self-Correction Program (SCP) to correct significant failures will no longer need to have a current favorable determination letter (since the IRS will no longer issue periodically updated determination letters). Individually designed plans will simply need a favorable determination letter.
  • Fees associated with the Voluntary Correction Program (VCP) will now be considered user fees and therefore will no longer be set forth in the EPCRS revenue procedure. For VCP submissions made:
    • in 2016, refer to Rev. Proc. 2016-8 and Rev. Proc. 2013-12 to determine the applicable user fee.
    • after 2016, refer to the annual Employee Plans user fees revenue procedure to determine VCP user fees for that year.
  • The IRS is changing its approach to determining Audit CAP sanctions. A reasonable sanction will no longer be a negotiated percentage of the maximum payment amount (MPA). Instead, it will be based on all of the facts and circumstances, but will generally not be less than the user fee for a VCP application. The MPA is one of the factors they will consider. Others include:
    • the type of failure;
    • the number and type of employees affected;
    • the steps the plan sponsor took to prevent the error and identify it; and
    • the extent to which the error has been corrected before discovery.
  • The IRS will no longer refund half the paid user fee if there is disagreement over correction in Anonymous Submissions.

    The new revenue procedure is effective January 1, 2017. Unlike with prior EPCRS updates, plan sponsors may not elect to voluntarily apply the updated provisions before January 1, 2017.

A Retirement Plan Established by a Church-Affiliated Organization is not an ERISA-Exempt Church Plan (at least in the 9th, 3rd and 7th Circuits)

The 9th Circuit Court of Appeals recently held that, to qualify for the church plan exception to the requirements of the Employee Retirement Income Security Act (ERISA), a church plan (i) must be established by a church or by a convention or association of churches and (ii) must be maintained either by a church or by a church-controlled or church-affiliated organization whose principal purpose or function is to provide benefits to church employees.

The specific holding in in Rollins v. Dignity Health, 2016 WL 3997259 (9th Cir. 2016) was that Dignity Health’s pension plan was subject to the requirements of ERISA and did not qualify for ERISA’s church-plan exemption because it was not originally established by a church, even if it was maintained by a “principal purpose” organization. The 3rd and 7th circuits have reached the same conclusion when confronted with this question. See Kaplan v. Saint Peter’s Healthcare Sys., 810 F.3d 175, 180–81 (3d Cir. 2015); Stapleton v. Advocate Health Care Network, 817 F.3d 517, 523–27 (7th Cir. 2016).

Background

  • 29 U.S.C. § 1003(b)(2) provides that a church plan is exempt from ERISA.
  • 29 U.S.C. § 1002(33)(A) provides that in order to qualify for the church-plan exemption, a plan must be both established and maintained by a church.
  • 29 U.S.C. § 1002(33)(C)(i) provides that a plan established and maintained by a church “includes” a plan maintained by a principal-purpose organization.

The 9th Circuit reasoned that “there are two possible readings of subparagraph (C)(i). First, the subparagraph can be read to mean that a plan need only be maintained by a principal-purpose organization to qualify for the church-plan exemption. Under this reading, a plan maintained by a principal-purpose organization qualifies for the church-plan exemption even if it was established by an organization other than a church. Second, the subparagraph can be read to mean merely that maintenance by a principal purpose organization is the equivalent, for purposes of the exemption, of maintenance by a church. Under this reading, the exemption continues to require that the plan be established by a church.”

The 9th Circuit then held that “the more natural reading of subparagraph (C)(i) is that the phrase preceded by the word “includes” serves only to broaden the definition of organizations that may maintain a church plan. The phrase does not eliminate the requirement that a church plan must be established by a church.”

More

Rollins v. Dignity Health, 2016 WL 3997259 (9th Cir. 2016)

Kaplan v. Saint Peter’s Healthcare Sys., 810 F.3d 175, 180–81 (3d Cir. 2015)

Stapleton v. Advocate Health Care Network, 817 F.3d 517, 523–27 (7th Cir. 2016)

IRS Releases 2016-2017 Priority Guidance Plan

The IRS has published its 2016–2017 Priority Guidance Plan containing 281 projects that are priorities for allocation of its resources during the twelve-month period from July 2016 to June 2017.

Significant employee benefits issues prioritized for guidance in the next year include:

  • Additional guidance on the determination letter program, including changes to the pre-approved plan program.
  • Updates to the Employee Plans Compliance Resolution System (EPCRS) to reflect changes in the determination letter program and to provide additional guidance with regard to corrections.
  • Final regulations on income inclusion under §409A.
  • Guidance to update prior §409A guidance on self-correction procedures.
  • Final regulations under §457(f) on ineligible plans.
  • Guidance on issues under §4980H (the Employer Mandate).
  • Regulations under §4980I regarding the excise tax on high cost employer-provided coverage (the Cadillac Tax)
  • Regulations updating the rules applicable to ESOPs.
  • Regulations under §401(a)(9) on the use of lump sum payments to replace lifetime income being received by retirees under defined benefit pension plans.
  • Guidance regarding substantiation of hardship distributions.
  • Guidance on the §403(b) remedial amendment period.

Notably absent is any mention of guidance on the nondiscrimination rules applicable to fully-insured medical plans, which were included in the Affordable Care Act. The Treasury Department and the IRS, as well as the Departments of Labor and Health and Human Services (collectively, the Departments), previously determined in Notice 2011-1 that compliance with the nondiscrimination provisions will not be required (and thus, any
sanctions for failure to comply do not apply) until after regulations or other administrative guidance of general applicability has been issued. Therefore, for the foreseeable future fully insured plans can continue to discriminate in favor of highly compensated individuals in ways the self-insured plans cannot under Code Section 105(h).

IRS 2016–2017 Priority Guidance Plan

Attorney Erwin Kratz Named to the Best Lawyers in America© 2017

ERISA Benefits Law attorney Erwin Kratz was recently selected by his peers for inclusion in The Best Lawyers in America© 2017 in the practice area of Employee Benefits (ERISA) Law. Mr. Kratz has been continuously listed on The Best Lawyers in America list since 2010.

Since it was first published in 1983, Best Lawyers® has become universally regarded as the definitive guide to legal excellence. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation. Lawyers are not required or allowed to pay a fee to be listed; therefore inclusion in Best Lawyers is considered a singular honor. Corporate Counsel magazine has called Best Lawyers “the most respected referral list of attorneys in practice.”

HHS Announces Two More Significant HIPAA Privacy and Security Settlements

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has announced two more significant settlements in cases of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). These settlements highlight the need for HIPAA covered entities and their business associates to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of their ePHI;
  • Implement policies and procedures and facility access controls to limit physical access to their electronic information systems;
  • Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • Assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI;
  • Reasonably safeguard laptops with unencrypted ePHI (or better yet, secure all ePHI);
  • Implement policies and procedures to prevent, detect, contain, and correct security violations; and
  • Obtain satisfactory assurances in the form of a written business associate contract from their business associates that they will appropriately safeguard all ePHI in their possession.

In addition, if it has been more than a few years since you conducted a security and privacy assessment and adopted privacy and security policies and procedures under HIPAA, you should be working on updating that assessment and the resulting policies and procedures. As in many areas, making a good faith effort at compliance is half the job.

Details

In the first case, Advocate Health Care Network (Advocate) agreed to a settlement with OCR for multiple potential HIPAA violations involving ePHI pursuant to which Advocate agreed to pay a $5.55 million settlement and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Read the Advocate Health Care Network resolution agreement and corrective action plan.

In the second case, the University of Mississippi Medical Center (UMMC) agreed to settle multiple alleged violations of HIPAA. OCR’s investigation of UMMC was triggered by a breach of unsecured ePHI affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a resolution amount of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules. On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. Further, OCR’s investigation revealed that UMMC failed to:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

University of Mississippi is the state’s sole public academic health science center with education and research functions. In addition it provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the state. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

Read the University of Mississippi resolution agreement and corrective action plan.