Elliott Lawson & Minor, P.C. | October-December, 2003

DOES YOUR BUSINESS NEED "BUSINESS ASSOCIATE AGREEMENTS" UNDER THE NEW HIPAA REQUIREMENTS?

By now, nearly every business owner-indeed every adult-in America has heard that Congress has passed stringent laws relating to the privacy of medical records. The Department of Health and Human Services has passed regulations implementing those laws, and together with the statutes, these are known as the "HIPAA" requirements. HIPAA-the Health Insurance Portability and Accountability Act of 1996-serves several purposes, but the provisions that have attracted the most attention of late are the regulations, which went into effect in April, 2003, requiring "covered entities" to protect "individually identifiable health information."

HIPAA defines "covered entities" as health plans, health care clearinghouses, and health care providers who transmit health information in electronic form, and "individually identifiable health information," or "protected health information" ("PHI") as A subset of health information, including demographic information collected from an individual, [that] (1) is created or received by a health care provider, health plan, employer or health care clearinghouse and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. § 164.501.

Many business owners and managers assume that, because their businesses don't provide medical services, or aren't "covered entities," the new HIPAA requirements couldn't possibly apply to them. However, nothing could be further from the truth. HIPAA requires covered entities to protect the PHI they disclose to their business associates. The question that business owners and managers should ask themselves is "Are we a business associate of a covered entity?" In other words, "Do we have access to any protected health information?" If your business provides services to physician's offices, clinics, health insurance carriers or administrators, hospitals, pharmacies, or the like, the answer may be "Yes, we are a business associate of a covered entity." If so, your business needs to enter into a business associate agreement with that covered entity.

The HIPAA regulations make clear that not all access to PHI of a covered entity requires a business associate agreement. If the access is only incidental, and not routine, no agreement is required. For example, a janitorial service company that cleans a physician's office after-hours is not required to have a business associate agreement with that physician. If, however, part of that company's regular duties is to routinely shred and dispose of patient records, a business associate agreement is required. A company that sells computer software designed to process insurance claims is not required to have business associate agreements with their purchasers, because there is no on-going relationship through which the software company would gain PHI. However, a company that uses its software to process patients' records or insurance claims would need business associate agreements with its clients.

The HIPAA regulations clearly delineate the elements that must be included in business associate agreements. Title 45, Section 164.504 of the Current Federal Regulations (45 C.F.R. § 164.504) identify the required provisions. Among these, are promises not to use or disclose the PHI, to return or destroy the PHI once the job is complete, and to institute safeguards against unintentional disclosure of PHI. You should consult the C.F.R. for a full listing of requirements.

Many attorneys report, however, that some of the business associate agreements that large covered entities are asking their associates to sign extend far beyond the minimum requirements of the regulations, and expose those companies to considerable additional liability. If a covered entity presents you with a business associate agreement, you should have it reviewed by an attorney familiar with the HIPAA requirements to make sure that your business is not accepting liability that is not required by HIPAA.

To learn more about HIPAA business associate agreements, see 45 C.F.R. § 164.500 et seq., check out the Department of Health and Human Services' HIPAA website at http://www.hhs.gov/ocr/hipaa/, or consult your attorney.

Whether federal anti-discrimination statutes apply to an employer depends upon its employee complement or number of employees. This is so because “Congress decided to spare very small firms from the potentially crushing expense of mastering the intricacies of the antidiscrimination laws, establishing procedures to assure compliance, and defending against suits when efforts at compliance fail.” Clackamas Gastroenterology Associates, P.C. v. Wells, 123 S. Ct. 1673, 1678-79 (2003) (citations omitted). For example, the Americans with Disabilities Act (“ADA”) only covers employers with “15 or more employees for each working day in each of 20 or more calendar weeks in the current or preceding calendar year.” 42 U.S.C. § 12111(5). Similarly, Title VII of the Civil Rights Act of 1964, which prohibits discrimination in employment on the basis of race, color, sex, national origin, or religion, also only covers employers with 15 or more employees. 42 U.S.C. § 2000e(b). The Age Discrimination in Employment Act (“ADEA”) applies to employers with 20 or more employees.[1] Therefore, whether an individual is classified as an “employee” can impact your business’ potential liability under the federal anti-discrimination statutes.

Unfortunately, these statutes do not meaningfully define the term “employee.” As a result, confusion has arisen as to whether certain upper-level individuals in various business organizations, such as partners, directors, and shareholders, should be counted as “employees” under federal anti-discrimination statutes. The Supreme Court of the United States recently addressed this issue in Clackamas Gastroenterology Associates, P.C. v. Wells, 123 S. Ct. 1673 (2003). The issue in that case was “whether four physicians actively engaged in medical practice as shareholders and directors of a professional corporation should be counted as ‘employees’” for purposes of determining whether the medical clinic could be sued by a former bookkeeper under the ADA. Id. at 1676. If the physicians were counted as employees, then the clinic met the minimum requirement of 15 employees for application of the employment discrimination provisions of the ADA.

The medical clinic argued that the shareholder-directors were akin to partners in a partnership, and that such individuals are employers, not employees. In discounting the substantive usefulness of the title “partner,” the Supreme Court held that “[t]he question whether a shareholder-director is an employee, however, cannot be answered by asking whether the shareholder-director appears to be the functional equivalent of a partner. Today there are partnerships that include hundreds of members, some of whom may well qualify as ‘employees’ because control is concentrated in a small number of managing partners.” Id. at 1678. Furthermore, “an employer may not evade the strictures of Title VII simply by labeling its employees as ‘partners.’” Id. (quoting Hishon v. King & Spalding, 467 U.S. 69, 80 (1984)).

Instead of basing employment status on an individual’s title, the Supreme Court followed the guidance of the Equal Employment Opportunity Commission (“EEOC”) and looked to common law factors defining the master-servant relationship. Those factors focus on the master’s control over the servant. The Court concluded that “the common-law element of control is the principal guidepost that should be followed” in distinguishing between employers and employees for purposes of the anti-discrimination statutes. Id. at 1679.

“According to the EEOC’s view, if the shareholders-directors operate independently and manage the business, they are proprietors and not employees; if they are subject to the firm’s control, they are employees.” Id. (citations omitted). The Court also agreed with the EEOC that each of the following six factors is relevant to the inquiry of whether a shareholder-director is an employee:

Id. at 1680 (citing EEOC Compliance Manual § 605:0009). The Supreme Court noted, however, that no one factor is decisive and that the answer depends upon all of the incidents of the relationship. Id. at 1681. For example, “the mere existence of a document styled ‘employment agreement’ [should not] lead inexorably to the conclusion that either party is an employee.” Id. at 1680.

So what does this mean for small businesses? Not all individuals within an organization are counted as “employees” for purposes of the federal anti-discrimination statutes. Those individuals that exercise control over the organization, and the people in it, may not be considered “employees.” Any organization should carefully document the control exercised by any owner, or individual exercising control over the organization, because such documentation may prove critical in defense of a federal discrimination or harassment case.

[1] An employer may be covered by state anti-discrimination statutes that frequently require fewer employees.

PROPOSED CHANGES TO THE TESTS FOR DETERMINING “EXEMPT” EMPLOYEES UNDER FLSA

In the spring of 2003, the Department of Labor proposed changes to the “tests” used by employers to determine which employees are “exempt” from the Fair Labor Standards Act (“FLSA”) overtime pay requirements. The current rules have been in place for nearly five decades, and few can argue that they aren’t outdated. However, the Department of Labor probably did not foresee the political squabble that resulted from the proposed rule changes. A Democratic Congress initially opposed the changes, but now a Republican-led Congress is favoring them. Accordingly, the proposed rules are expected to go into effect sometime in early 2004.

An unchanged element is the requirement that an exempt employee be paid on a “salary basis,” with a predetermined rate of pay that is not subject to reduction due to variations in quantity or quality of work. The changes in the rules will primarily affect those employees earning between $22,101 and $65,000 annually. Currently, FLSA only “guarantees” that those employees earning less than $8,060 annually be paid overtime, regardless of their job descriptions or duties; the proposed rules would raise this bar and “guarantee” that overtime be paid only to those earning less than $22,100 annually.

Under the current “short test,”[1] an employee who earns at least $250 per week ($13,000 annually) may be classified as “exempt” if he or she meets one of three primary classifications: executive/managerial exemption, administrative exemption, or professional exemption. Under the executive/managerial exemption, if the employee’s primary duty is to manage a business enterprise, or a subdivision or department thereof, and the employee regularly directs the work of two or more other employees, he or she is considered an executive or managerial employee, and is therefore exempt from the overtime requirements of FLSA. An employee who performs “office” or non-manual work related to the management policies or general business operations of the employer and is required to exercise discretion and independent judgment in the course of his or her work is exempt as an administrative employee. An employee who performs work in a field requiring advanced knowledge or study, artistic or original work of a creative nature, or certain computer system jobs, and whose work requires the consistent exercise of discretion and judgment by the employee, is exempt as a professional employee.

The proposed rules are somewhat different. To qualify as exempt, an employee must earn at least $425 per week ($22,100 annually) and qualify for one of the following three classifications: executive employee, administrative employee, or professional employee. Under the proposed rules, an employee is exempt as an executive employee if he or she (1) manages the enterprise, or a department or subdivision thereof (this is the same as in the current rules), (2) customarily and regularly directs the work of two or more other employees (again, the same as the current rules), and (3) has the authority to hire/fire other employees or have particular weight given to his or her suggestions and recommendations about the hiring, firing, advancement, etc. of other employees (this aspect of the test is new).

An employee would be exempt as an administrative employee if he or she performs office or non-manual work related to the management or general business operations of the employer (this is the same as the current test, but the new rules provide examples of this, including tax, accounting, personnel management, human resources, or public relations) and if he or she holds a “position of responsibility” with the employer. The “position of responsibility” requirement is new with the proposed rules, and can be met by an employee who performs “work of substantial importance,” such as formulating or interpreting management policies, making or recommending decisions with substantial impact on business operations or finances, analyzing and recommending changes to operating practices, arbitrating disputes, or resolving grievances. Alternatively, the employee could meet the “position of responsibility” requirement by employing a high level of skill or training.

Finally, the professional employee exemption is changed by the omission of the requirement that the employee exercise discretion and independent judgment. Instead, the professional exemption focuses on the education and training or experience of the employee. An individual is a professional if he or she employs “advanced knowledge” in a field or science or learning that is customarily acquired by a prolonged course of specialized intellectual instruction, or by an equivalent combination of intellectual instructions and work experience. Also, certain computer system employees (such as systems analysts, programmers, or software engineers) and creative professionals qualify for a professional exemption.

The proposed rules also add a second test for “highly compensated employees,” and provide that any employee earning over $65,000 annually who does non-manual work and has an identifiable executive, administrative or professional function (i.e., meets one or more of the criteria for that exemption, but is not required to meet all those criteria) is also exempt from the overtime requirements of FLSA.

Business owners and managers should keep in mind that the proposed rules still have not received final approval and are not yet in effect. For advice, contact your attorney, read the proposed rules at 68 Fed. Reg. 15,559 (Mar. 31, 2003), or visit the Department of Labor’s website at www.dol.gov.

[1] There is also a “long test” under the current rules, but it is functionally obsolete as it applies to employees earning less than $8,060 annually for full-time work.