Another Party Enters ACA Enforcement and HIPAA Privacy and Security Enforcement Expands


OSHA Joins the ACA Enforcement Regime

Effective on and after October 13, 2016, employers need to watch their mail from the Occupational Safety and Health Administration (“OSHA”) for notices related to ACA retaliation claims under the new regulatory framework for the retaliation claims.  An individual can claim that there was an adverse employment action (discrimination up to and including termination) in retaliation for the individual’s claiming a right under Title I of the Affordable Care Act (“ACA”) or being a whistleblower complaining of a violation of Title I of the ACA. 

A complaint of a  violation of ACA Title I includes complaints regarding an employer’s health plan not complying with the mandated coverage requirements under the ACA (e.g., coverage of dependents to age 26, the new claim procedures, restrictions on limitations and cost sharing, or coverage of gender dysphoria for employers subject to ACA section 1557 or claims of discrimination against an employee for claiming an health care tax credit or cost sharing reductions for coverage the employee purchased on an ACA marketplace/exchange).  It also includes any retaliation or discrimination for an employee seeking an advance health care tax credit, a determination of eligibility for a health care tax credit from an ACA marketplace or exchange, or an individual seeking any of the cost sharing reductions available under the ACA by purchasing coverage on one of the ACA marketplaces or exchanges. 

Claims for an employer retaliating against an individual for exercising their rights under the ACA or for being a whistleblower on an alleged ACA violation can be made by current employees, former employees and applicants for employment. Employers may want to review their intake process to verify whether any questions in the intake process might raise any potential issues.

An employee only must reasonably believe that an activity, policy, practice or assigned task is in violation of any provision of Title I of the ACA to be protected by these new rules. It only must be a subjective good faith belief for the individual to be protected under the whistleblower and anti-retaliation provisions of the ACA.  The individual must be able to show that they engaged in a protected activity (e.g., filing a complaint about coverage provisions or applying to an ACA marketplace for a health care tax credit), that the employer knew of the protected activity, the employee suffered an adverse employment action and the circumstances of such adverse action are sufficient to raise an inference that the employee’s protected activity was a “contributing factor in the adverse action.

Since the notice of these claims are being sent out and administered by OSHA, employers need to be certain that the person handling OSHA claims watches for these and involves the benefits and other relevant legal team members in handling these claims promptly upon receipt. Employers will receive an initial notice, which will be followed by an OSHA investigation.  After the investigation concludes, OSHA will issue its written findings.  The employer must request an ALJ hearing at the DoL within 30 days of the issuance of the findings to dispute the findings and preliminary order or the findings and preliminary order become final and unreviewable. Further discussion of the procedures are below.

New ACA and OSHA Administered Retaliation Claims Do Not Preclude Other Avenues of Complaints Under Other Statutes Based on the Same Situation

The anti-retaliation whistleblower protection under the ACA was enacted as an amendment to the Fair Labor Standards Act and as such these claims carry with them not the traditional ERISA remedies for a violation, but also the remedies under the FLSA, such as back pay, tax implications related to the remedies, reinstatement, lost benefits, seniority, etc., to put the individual back in the same place they would have been in absent the retaliatory actions and compensatory damages. Employers also need to remember that the OSHA administered anti-retaliation rule does not replace or eliminate the ERISA 510 retaliation claim and that it may be possible for some claimants to pursue claims on the same facts under two different forums. This new retaliation claim mechanism does not displace any rights the individual may have to pursue a claim arising out of the same circumstance under a collective bargaining agreement or under any other statute.

Initial Procedures

An individual starts the process of making a claim by filing a complaint with the Secretary of Labor within 180 days of the alleged retaliation.  When the Secretary of Labor receives a complaint, it must provide written notice to the persons named in the complaint as the alleged violators of the substance of the complaint and their rights during the investigation. The Secretary of Labor must investigate any complaint received within 60 days of receipt, including affording both parties the opportunity to submit responses and meet with the investigator to present witness statements and conduct the investigation. OSHA determines if the individual has made a prima facie case regarding the retaliation.

Once an individual makes a prima facie case showing the individual’s protected activity was a contributing factor in the employer’s alleged adverse action, the burden of proof shifts to the employer to show through clear and convincing evidence that the employer would have taken the same adverse action in the absence of the protected activity. After completion of the investigation the Secretary of Labor will issue written findings and if it finds that there is reasonable cause to believe that retaliation has occurred, the employer (or other alleged violator) will be notified of the finding along with a preliminary order to take corrective action, which can include reinstatement, back pay, restoration of terms, conditions and privileges of employment, and compensatory damages as well as all costs and expenses incurred by the individual in bringing the complaint.  The employer has 30 days after notification of the Secretary’s findings to request a hearing before an ALJ (administrative law judge at the DoL). If the hearing is not requested within 30 days, the preliminary order becomes final and is not subject to judicial review.  If the hearing is requested in a timely manner, the dispute then moves to a hearing before the ALJ. There are additional procedures and requirements once one enters the hearing phase.

Federal Trade Commission and HIPAA Privacy and Security

Apparently, benefit plans have caught the interest of yet another federal regulator. The Federal Trade Commission posted on its website a word of caution to business associates and covered entities that the HIPAA Privacy and Security regulations should not be the only rules that covered entities (health plans and health care providers and health care clearinghouses) and their business associates should be concerned about. The Federal Trade Commission asserts that the Federal Trade Commission Act also applies to HIPAA Authorizations for disclosure.  The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. They interpret this to meant that companies must not mislead consumers about what Is happening with their health information.

Health plan sponsors should review their HIPAA Privacy Notices, and authorization forms and contrast these with the service provider agreements and business associate agreements with the service providers to verify that the service providers to the health plan are not using the health plan data (the protected health information) in any manner that has not been disclosed to the plan participants in the privacy notice.  In today’s cyber world, data is mined and it is important to be certain that a health plan’s vendors are not mining data information from the health plan data that has not been de-identified or that is being done in a manner that the employer is not aware of or has not addressed in its agreements with the plan vendors.

OCR Continues to Issue Resolution Agreements

HIPAA Privacy and Security enforcement is thriving.  The Office for Civil Rights recently issued a settlement related to failure to manage security risks at a health care provider which permitted electronic PHI to be accessible through search engines resulting in a penalty of $2,140,00 and a substantial correction plan, including an enterprise –wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems and applications controlled, administered or owned by the entity, its workforce members and affiliated staff that contains, stores, transmits or receives electronic PHI.  This included a complete inventory of all devices and all applications touching ePHI. The OCR then has the opportunity to comment and make recommendations for a revised risk analysis. Risk management plans are required to be prepared for OCR review and recommendations as well as policies and procedures, training and establishing certain events that must be reported to the OCR as they occur and in an annual report.

Security of ePHI is very clearly a serious matter for the OCR.  The settlement agreements give us a glimpse at not only the penalties by the ongoing expectations and additional requirements that may be imposed when a covered entity or business associate has an issue and an investigation does not find “full compliance” in the eyes of the OCR in the covered entity’s or business associate’s current procedures. Has your plan completed a review of its HIPAA Security compliance with the administrative, technical and physical requirements recently?  Do your policies and procedures for security match your operations? Have you talked with your IT department lately?


Greta Cowart

Nancy Furney

Lori Oliphant

Disclaimer: Content contained within this news alert provides information on general legal issues and is not intended to provide advice on any specific legal matter or factual situation. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel.

Media Contact

Stephen Hastings
Director of Communications & Media Relations  
713.650.2485 Direct
832.343.4228 Mobile

Search Tips:

You may use the wildcard symbol (*) as a root expander.  A search for "anti*" will find not only "anti", but also "anti-trust", "antique", etc.

Entering two terms together in a search field will behave as though an "OR" is being used.  For example, entering "Antique Motorcars" as a Client Name search will find results with either word in the Client Name.


AND and OR may be used in a search.  Note: they must be capitalized, e.g., "Project AND Finance." 

The + and - sign operators may be used.  The + sign indicates that the term immediately following is required, while the - sign indicates to omit results that contain that term. E.g., "+real -estate" says results must have "real" but not "estate".

To perform an exact phrase search, surround your search phrase with quotation marks.  For example, "Project Finance".

Searches are not case sensitive.

back to top