Employers who are classified as covered entities under HIPAA are required to report any 2018 breach of protected health information that affected fewer than 500 individuals (also known as a small breach) by March 1, 2019. This current breach notification requirement arises from amendments made to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act, as finalized in 2013. HIPAA defines a covered entity as either (1)  a group health plan, (2) a health care clearinghouse, or (3) a health care provider who electronically transmits any protected health information.  A covered entity may be an individual, an institution, or an organization.

Background

Under applicable rules, a breach is defined as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. Some exceptions apply, so that not all incidents will rise to the level of a breach. Still, an impermissible use or disclosure of protected health information is generally presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of several specified factors.

Notification Requirement

Upon the occurrence of a confirmed (or in some cases, suspected) breach, the affected individuals must be provided with detailed notification letters without unreasonable delay and no later than 60 days after the discovery of the breach. While the covered entity, most often, provides the required notifications, the final rules permit the delegation of reporting duties to a business associate.

A HIPAA breach also triggers an obligation to notify the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).

• When a breach affects 500 or more individuals, the reporting entity must notify OCR contemporaneously with the notification to individuals (and must also notify local media outlets).
• Where a breach affects fewer than 500 individuals (also known as a small breach), however, a reporting entity must maintain a log or other documentation of all breaches occurring during the year, and annually report all such breaches no later than 60 days after the end of that calendar year.

For a small breach occurring any time in 2018, the deadline to report that breach to OCR is March 1, 2019.

Small Breach Reporting Details

A reporting entity is not required to wait until the March 1 deadline to report a small breach. Small breaches may be reported as early as contemporaneously with the occurrence of the breach. Regardless of timing, all small breaches must be reported to OCR in the same manner. Specifically a reporting entity must report the breaches online through the OCR’s “Breach Portal.”

Note that even when a covered entity delegates the reporting function to a business associate, the covered entity retains ultimate legal responsibility for proper reporting. Accordingly, covered entities who delegate reporting may want to require proof of timely reporting.

Be aware that, while the reporting entity may report all small breaches on a single date, each separate breach incident will require a separate submission. Instead of simply uploading a log of breach incidents occurring in the prior year, the reporting entity must complete a six-section questionnaire to provide: (1) general information; (2) identification of the covered entity, business associate, and relevant contact information; (3) the nature of the breach; (4) a summary of related notices provided and actions taken; (5) an attestation, and; (6) a summary. Multiple fields must be completed within each of these six sections. The HIPAA status of a reporting party (as either a HIPAA covered entity or a business associate) must be indicated on the “Contact” tab of the online filing form.

The online reporting form also requires the reporting entity to indicate the level of pre-breach HIPAA compliance status, including whether or not HIPAA Privacy Rule safeguards and HIPAA Security Rule safeguards were in place.

Because filing the breach notice can be time-consuming, parties tasked with reporting 2018 small HIPAA breaches of unsecured protected health information are advised to gather and prepare the content to be reported before actually logging on to the OCR Breach Portal. Because any changes or updates to the submitted information must be entered as a separate entry, it is preferable to ensure that each submission is fully accurate. Moreover, because the content of Breach Notifications to OCR can form the basis for a future OCR investigation and enforcement action, it is advisable to have legal counsel review content prior to submission.

In addition to ensuring that 2018 breaches affecting fewer than 500 individuals are reported by March 1, covered entities and business associates should continue to ensure that HIPAA Policies and Procedures, as well as the applicable administrative, physical and technical safeguards are up to date and periodically reviewed.

On January 29, 2019, the Wisconsin Supreme Court ruled in favor of our client, Park Bank, in a case of first impression in Wisconsin. In Koss Corp. v. Park Bank, 2019 WI 7, Koss Corp. sued Park Bank alleging that Park Bank acted in bad faith under the Uniform Fiduciaries Act (“UFA”) in failing to detect an embezzlement being conducted by one of Koss’s employees, Sue Sachdeva. Ms. Sachdeva embezzled $34 million from Koss Corp. over a 12-year period. The embezzlement was the largest embezzlement in Wisconsin history, and the ninth largest embezzlement in U.S. history.

Koss Corp. had some of its bank accounts at Park Bank, which Ms. Sachdeva used to embezzle $17 million from Koss Corp. by use of cashier’s checks she obtained from those accounts, which she used to pay her creditors for personal items such as jewelry, clothing and travel. Ms. Sachdeva was ultimately caught by an American Express employee, was criminally charged for her actions, and was sentenced to 11 years in prison.

After six years of litigation, the trial court granted Park Bank’s motion for summary judgment in 2016, ruling that the evidence did not support Koss Corp.’s claim that Park Bank acted in bad faith.

On December 12, 2017, the Wisconsin Court of Appeals affirmed that ruling.

On January 29, 2019, the Wisconsin Supreme Court affirmed the Wisconsin Court of Appeals’ decision in a 2-3-2 decision, with five Justices voting to affirm. The Court held that, to establish bad faith under the UFA, a bank must have acted dishonestly. The Court held that “[b]ad faith requires some evidence of bank dishonesty such as a bank willfully failing to further investigate compelling and obvious known facts that suggest fiduciary misconduct because of a deliberate desire to evade knowledge of fiduciary misconduct.” Decision at ¶ 55. In so ruling, the Court recognized several foundational principles that form the framework for analyzing a bank’s conduct when bad faith under the UFA is alleged:

First, bad faith is reviewed on a transaction by transaction basis, such that the facts known to each individual bank employee are not aggregated to form collective knowledge of the bank. Second, whether a bank acted in bad faith is determined at the time of the breach of fiduciary duty, not by looking back at transactions that occurred many months earlier.

             Third, bad faith is an intentional tort; negligence by a bank is insufficient to show bad faith. Fourth, considerations of bad faith require analyses of a bank’s actions to determine its subjective intent.

Id. at ¶¶ 52, 53.

In applying these foundational principles to the facts of the case, the Court held that “[w]hile discovery was extensive and conducted for years, no proof has been proffered from which a factfinder could find that any Park Bank transaction was not honestly done.” Id. at ¶ 71.

Our firm is proud to have represented Park Bank in this case, and pleased that all of the courts to have considered the matter — the trial court, the Wisconsin Court of Appeals, and the Wisconsin Supreme Court — all held that Park Bank has no liability to Koss Corp. in this matter.

Park Bank was represented by Dean Laing, Greg Lyons and Joe Newbold of our firm. Koss Corp. was represented by Michael Avenatti of California.

Newsletter Article Highlights:

• Even the Brightest Minds Can Suffer from Dementia
• Terms and Conditions: How Sellers Can Avoid Getting Injured in a “Battle of the Forms”
• The Need for Succession Planning
• Should I Use E-Verify or Not?
• How Much Should a Trustee Be Paid?

Pleased to Announce:

• OCHDL Attorneys Argue Three Cases Before WI Supreme Court
• Congratulations to Our Attorneys Listed in the 2018 Edition of Super Lawyers

Click the image below to read more.

Employers in Wisconsin may be closed this week due to the extremely cold temperatures that are predicted on Wednesday and Thursday. If an employer makes that decision, they may be wondering whether or not they need to pay their employees for the days they choose to be closed. For non-exempt employees, the answer is simple: employees must be paid only for time worked. Therefore, if the employer closes and the employee does not perform any work, the employee does not need to be paid. However, the answer is a bit more complicated for exempt employees.

Under the Fair Labor Standards Act (“FLSA”), an employee is considered exempt if they meet certain duties tests and receive compensation on a “salary basis.” The FLSA regulations provide that, for an exempt employee to be paid on a “salary basis,” the employee must receive his or her full salary for any week in which the employee performs any work without regard to the number of days or hours worked.  An employee will not be considered to be paid on a “salary basis” for any week if deductions are made from an employee’s salary for any absence occasioned by the employer or by the operating requirements of the business.  However, a deduction may be made when an exempt employee is absent from work for one or more full days for personal reasons, other than sickness or disability.

So, can an employer deduct the day’s wage from an exempt employee’s salary when the employer closes its business due to inclement weather (e.g., extreme cold)?  The short answer is no.  It is the U.S. Department of Labor’s (“DOL”) position that an employer must pay an exempt employee his or her full salary for any week in which work was performed if the employer closes its operations due to a weather-related emergency or other emergency, such as a power outage.  The DOL’s position is based, in part, on the FLSA’s regulation that provides that deductions may not be made for time when work is not available.  When it is the employer’s decision to close its business because of an emergency, including severe weather, the DOL presumes that employees remain ready, willing, and able to work.  Under such circumstances, deductions may not be made from an exempt employee’s salary when work is not available.  If deductions are made under such circumstances, the employer risks losing the exemption, thus subjecting it to potential overtime liability. If the employer’s operation are closed for a full workweek, no salary must be paid.

Employers are permitted to require that employees utilize their available paid time off during an employer-mandated office closure, whether for a full day or a partial day. However, if the employer does not provide paid time off or if the employee does not have available paid time off, the employer may not deduct from the employee’s salary for the closure. The employer may not require that the employee have a negative leave balance or make an already negative leave balance more negative as the result of requiring the employee to take paid time off for an office closure.

On the other hand, when an emergency causes an employee to choose not to report to work for the day, even though the employer remains open for business, the DOL treats such an absence as an absence for personal reasons.  Consequently, an employer that remains open for business during inclement weather may lawfully deduct one full day’s wages from an exempt employee’s salary if that person does not report for work for the day due to adverse weather conditions or otherwise require the employee to utilize paid time off.  Such a deduction will not violate the “salary basis” rule or otherwise affect the employee’s exempt status.  If, however, the employee works only a partial day because of weather-related issues, the employer may not make deductions from the employee’s salary for the lost time because an exempt employee must receive a full day’s pay for the partial day worked in order for the employer to meet the “salary basis” rule.

(This is second of our 11-part series of articles based on our book The Art, Science and Law of Business Succession Planning. Complimentary copies are available to the clients and friends of the firm.)

“Why do I need succession planning?”

“Can’t I just hand my business over to my children?”

“Why can’t I just leave the business to someone in my will?”

As a law firm focused on helping business owners plan for the succession of their businesses, we hear these questions, and others like them, all the time. We understand. After spending decades dealing with all the details of a successful family business, the last thing many business owners want to do is handle more details. When the time comes, they wish they could just wave a wand, instantly transfer their company to someone else, and not think about it anymore.

Unfortunately, that’s not how it works. Until you’ve actually completed the transfer of your business to someone else, the details of the exchange are yours to deal with— and if you don’t spell out the transition clearly, you leave the door open for unexpected results.

Think of it this way: You’ve put years into building this business. You’ve invested time, money, blood, sweat and tears, and that investment is now paying off. Your business provides well for your family, and you want it to continue doing so for many years to come, long after you retire, long after you pass away. For this to happen, at some point you must give control of the business to a successor, whether a family member or an outsider.

The only way to do this safely is through succession planning. Isn’t your investment worth protecting through the vulnerabilities of succession, even if it means a few more details along the way?

Succession Planning Is a Process, Not an Event

Many people think of transferring a business as a one-and-done event. In reality, effective succession planning begins years before the transfer actually occurs (hence the “planning” part). Once the plan is in place, as your life and business evolve, you may need to make updates and changes to the plan, until the time comes to pass the business to your successor.

Challenges Involved with Succession Planning

Succession planning can be challenging; there are often a few difficulties along the way. That is why we advise business owners to begin thinking about, and planning for, succession as early as possible. There are two basic reasons why succession planning can be difficult:

1. You must attempt to predict future events with as much accuracy as possible. Of course, none of us can know the future; we can only predict it. Succession planning requires you to predict you’ll be ready to retire at a given age, for example, and your successor will be prepared to take over management or ownership of the business when you’re ready to transfer it. You’ll also need to anticipate as many variables as possible. What happens in the event of a health crisis, a natural disaster or a financial hit? What happens if your appointed successor dies? What happens if a successor divorces and remarries? A good succession plan forecasts one outcome, but it remains flexible to account for other possible outcomes, as well. Developing a succession plan that achieves this balance requires careful forethought and attention to detail.
2. In a family owned business, you must account for emotions and attitudes, not just facts and figures. Everyone associated with the business will present some sort of emotional variable, and every decision you make concerning your business may touch on those emotions. You must take into account the emotions of close and extended family members, as well as the emotions of your employees and associates who must work under new management or owners. Even your own emotions will come into play as you weigh these decisions.

Succession Planning Involves Multiple Layers

For most business owners, ”succession” involves more than just handing the reins to someone else. You’ll need to address questions of ownership and management of the company, both of which may occur at different times:
Ownership succession planning usually intertwines with your estate planning, because your business is part of your estate.

Management succession planning addresses who will run the company when you step down–whether it’s a family member, a key employee or someone else.

You can see how quickly succession can become complicated and convoluted. A well-constructed plan can avert many of these complications before they derail the process and give you peace of mind, knowing you have “the bases covered”.

O’Neil, Cannon, Hollman, DeJong and Laing S.C. has received notification from Martindale-Hubbell that Attorney Kelly M. Spott has received a Martindale-Hubbell® Peer Review Rating^TM.

Kelly was given an “AV” rating from her peers–the highest rating–which means that she was deemed to have very high professional ethics and preeminent legal ability. Only lawyers with the highest ethical standards and professional ability receive a Martindale-Hubbell Peer Review Rating of AV.

Martindale-Hubbell conducts secure online Peer Review Ratings surveys of lawyers across multiple jurisdictions and geographic locations, in similar areas of practice as the lawyer being rated. Reviewers are instructed to assess their colleagues’ general ethical standards and legal ability in a specific area of practice.

The Martindale-Hubbell® Peer Review Ratings™ help buyers of legal services identify, evaluate and select the most appropriate lawyer for a specific task at hand. The confidentiality, objectivity and complete independence of the ratings process are what have made the program a unique and credible evaluation tool for members of the legal profession. The legal community values the accuracy of lawyer peer review ratings because they are determined by their peers – the people who are best suited to assess the legal ability and professional ethics of their colleague.

Grant Killoran and Christa Wittenberg of O’Neil, Cannon, Hollman, DeJong and Laing’s Litigation Practice Group recently presented at the State Bar of Wisconsin’s “Annual Constitutional Law Symposium 2018” in Pewaukee, Wisconsin.

Attorney Killoran was the Chair of the Symposium and authored an article and presented at the seminar on “The Current State of the Second Amendment.” Attorney Wittenberg authored an article and presented at the seminar on “Freedom from Litigation: Personal Jurisdiction and Sovereign Immunity.”

Attorneys Killoran and Wittenberg presented along with attorneys and professors from around Wisconsin and the country on various constitutional topics and issues.

Grant is a shareholder with the law firm and is the Chair of its Litigation Practice Group. He has significant and diverse trial experience representing clients in Wisconsin State and Federal Courts, and courts around the country, focusing on complex business, health care and employment law disputes. Grant also devotes a portion of his practice to arts and entertainment law, with an emphasis on the music industry.

Christa is a member of the Litigation Practice Group. She assists businesses and individuals with prosecuting and defending a variety of civil litigation matters, including complex contract disputes, trademark and copyright claims, inheritance disputes, class actions, personal injury cases, and fraud and conspiracy claims. As a former federal district court law clerk, Christa is intimately familiar with litigation and procedures in federal court. She has also litigated matters in state court, as well as resolved cases through mediation prior to litigation. Christa is well-versed in a wide range of legal issues, and especially enjoys litigating cases with disputes involving personal and subject-matter jurisdiction, testamentary capacity and undue influence, constitutional law, debt collection laws, contract formation and enforcement, and procedural and evidentiary rules.

Arbitration is a common form of alternative dispute resolution (ADR) used frequently and effectively in business settings. In arbitration, the parties have flexibility to choose decision-makers, jurisdiction, and many procedural rules, but they limit themselves in terms of discovery and some courtroom protections.

While most courts will enforce arbitration clauses in contracts, such clauses should be sufficiently clear and precise. When considering arbitration and contractual arbitration provisions:

1. Treat arbitration clauses as key business terms.

The arbitration clause contains the details of how you will settle any dispute that arises. Review it as carefully as you would any other business term, like delivery or payment details.

2. Use the contractual negotiation process to design a mutually-agreeable arbitration clause.

During contract negotiation, most business parties are cooperating well together and are pursuing a shared interest in creating a contract that benefits them both. This atmosphere lends itself well to creating an arbitration clause that will meet the parties’ respective needs if a dispute arises later.

3. Attend to the details.

Although negotiation is a good time to address arbitration decisions, remember that cooperation between the parties in negotiating their contract is not necessary a sign that this corporation will continue. Any details regarding arbitration not agreed upon at the outset of the deal may be more difficult to negotiate after the arbitration provision is part of a signed agreement and the parties face a dispute and feel less inclined to cooperate.

4. Focus on the type of arbitration that is appropriate for the transaction.

The type of arbitration that is most familiar to you may not be the best choice for every transaction or situation. Consider your business goals each time the question of arbitration is discussed. For instance, will the circumstances of a future dispute lend itself well to binding arbitration, or does non-binding arbitration provide more or better “bargaining power” to discuss a settlement of the dispute?

If you have any question, please contact Grant Killoran at grant.killoran@wilaw.com or 414-276-5000.

In the spirit of the holiday season, the attorneys and staff at O’Neil Cannon recently collected items to be donated to The Women’s Center in Waukesha. The mission of the Women’s Center is to “provide safety, shelter, and support to empower all impacted by domestic abuse, sexual violence, child abuse, and trafficking.”

The services offered by The Women’s Center include emergency shelter for abused families, transitional living, counseling, child abuse prevention programming, legal advocacy and employment counseling. It also provides Hispanic outreach, community education programs, information and referral services, and a 24-hour hotline. If you are interested in donating or learning more about this amazing community organization, you can visit here to find more information.

Best wishes for the holiday season.

The holidays are upon us, and that means holiday parties. While holiday parties are a good time to reflect on the year and gather employees to boost morale and camaraderie, they also have potential employment law pitfalls that employers should plan to avoid. If throwing a company-sponsored holiday party, employers should keep the following in mind:

1. Prevent Sexual Harassment. Although the #MeToo movement has not changed the legal requirements related to sexual harassment, it has certainly brought such issues to the top of employer’s minds, and it should stay there during the holiday season and any holiday parties. Ensure that your employees are aware of your anti-harassment policy and that they understand that harassment involving any employee at any time, including at a holiday party, will not be tolerated. Remind your employees that, while they are encouraged to have a good time at the holiday party, it is a company-sponsored event where all of the policies and rules of the company apply. If you become aware of inappropriate conduct that occurs at the holiday party, you should deal with it appropriately. Additionally, if you receive complaints about activities related to the holiday party, you must document the incident and do a proper investigation to deal with those issues.
2. Reduce the Risk of Alcohol-Related Incidents. Employers may be subject to liability for injuries caused by employees who consume alcohol at employer-sponsored events. To avoid potential liability, employers should promote responsible drinking and monitor alcohol consumption appropriately. Employers may want to consider hosting their holiday parties at a restaurant or other off-site location where alcohol is served by professional bartenders who know how to recognize and respond to guests who are visibly intoxicated.
3. Minimize the Risk of Workers’ Compensation Liability. Workers’ compensation benefits may be available to employees who suffer a work-related injury or illness. To avoid this liability at a company-sponsored holiday party, the employer should make it clear that there is no business purpose to the event, that attendance is completely voluntary, and that they are not being compensated for their attendance at the event. Illnesses caused by contaminants found in food or beverages may create legal exposure if the providers are not properly licensed, so companies should use licensed third-parties who have their own insurance coverage to provide food and beverages.
4. Prevent Wage and Hour Claims. Non-exempt employees must be paid for all work-related events that they are required to attend. Therefore, to ensure that the time spent at a holiday party is not considered compensable under state or federal wage and hour law, employers should make it clear that attendance is completely voluntary, hold the party outside of normal working hours, and ensure that no work is performed during the party and that employees are not under the impression that they are performing work.