IRS Ruling Creates Opportunities for Tax Savings by Companies With Substantial Real Estate Assets

Katten Muchin Law Firm

On July 29, Windstream announced that it plans to spin off certain telecommunications network assets into an independent, publicly traded real estate investment trust (REIT). Windstream made the announcement after it obtained a favorable private letter ruling from the Internal Revenue Service (IRS) regarding the tax-free nature of the spin-off and the qualification of the spun-off entity’s assets as real property for REIT purposes.

Under the transaction, Windstream will spin off its existing fiber and copper network, real estate, and other fixed assets into a publicly traded, independent REIT. The REIT’s primary activity will be to lease the use of the assets back to Windstream through a long-term “triple net” exclusive lease. Windstream shareholders will retain their existing shares and receive shares in the REIT commensurate with their Windstream ownership. The transaction is intended to effectively enable Windstream to deduct, for federal income tax purposes, the amount of rent paid to the REIT without a corresponding corporate level income tax inclusion in income by the REIT—estimated to generate up to a $650 million annual overall reduction in taxable income between Windstream and the REIT.

Particularly notable about this transaction is that the private letter ruling obtained by Windstream is seemingly an indication by the IRS that it will respect the tax-free transaction of a spin-off even when coupled with an election for REIT status. The fact that the ruling recognized transmission infrastructure (e.g., wires and cable), in addition to the related real estate, as qualifying assets for REIT purposes is also a key development. The IRS issued proposed regulations in May that provided more specific guidance on what types of assets would be considered “real property” for purposes of meeting the requirements for making a REIT election, and Windstream’s private letter ruling is among the first to address the issue in light of the new regulations.

These developments mean that a REIT spin-off transaction might be available to many kinds of businesses. Companies (other than master limited partnerships) with similar assets, such as telecommunications, cables, fiber optics, and data centers, may be wise to explore opportunities to realize substantial tax savings through a similar transaction. However, there are several challenges that must be overcome to execute a successful REIT spin-off transaction.


EPA Clarifies Standards for Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) Assessments

Covington Burling Law Firm

In a move designed to provide greater certainty to those purchasing, selling, or evaluating industrial or commercial properties, the Environmental Protection Agency (EPA) recently proposed to remove any lingering effect of ASTM International’s E1527-05, a nine-year-old industry standard practice for evaluating potentially contaminated sites under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA).

As explained in detail in our February 24, 2014 E-Alert, “Amended All Appropriate Inquiries (AAI) Rule Offers New Due Diligence Standard, Focuses on Vapor Releases,” the EPA referenced and countenanced ASTM International’s updated framework, E1527-13, as an alternative due diligence standard to ASTM E1527-05.  Issued on June 16, 2014, the Proposed Rule would clarify Phase I Environmental Site Assessment (ESA) standards by replacing ASTM E1527-05 with ASTM E1527-13.  Yet these requirements still leave significant uncertainty in the absence of more detailed guidance about how to conduct vapor intrusion evaluations.

I.  Background

International standards organization ASTM International modeled E1527-05 on the EPA’s All Appropriate Inquiries (AAI) Rule in 2005.  The AAI Rule is a due diligence standard that allows buyers of potentially contaminated properties who conduct an investigation meeting the rule’s requirements to preserve certain defenses to federal cleanup liability under CERCLA when conducting Phase I ESAs.  See 40 C.F.R. § 312 (2013).  The ASTM E1527-05 framework was developed to provide guidance for such investigations, and instructed would-be purchasers to undertake all appropriate inquiries regarding the condition of a property before completing its sale.  Any buyer who conducted such inquiries in compliance with ASTM E1527-05 could then qualify for certain landowner liability protections under CERCLA, including the innocent landowner, bona fide prospective purchaser, and contiguous property owner defenses.

Last December, the EPA amended the AAI Rule to allow a purchaser to satisfy Phase I ESA requirements by following either ASTM E1527-05 or ASTM E1527-13.  See 78 Fed. Reg. 79319 (Dec. 30, 2013).  As explained in our February 24, 2014 E-Alert, the 2013 framework included new regulatory file review requirements, updated definitions of certain key terms, including “de minimis condition,” “release,” “Recognized Environmental Condition,” and “Historical Recognized Environmental Condition,” and expanded ASTM E1527-05’s definition of “migrate/migration” to include vapor migrations.

II.  Proposed Rule

The EPA amended the AAI Rule through direct final rulemaking, an approach whereby an agency publishes a rule and a notice of proposed rulemaking simultaneously because it expects that the rule will prove non-controversial.  But the move nonetheless introduced confusion because in endorsing both ASTM E1527-05 and ASTM E1527-13, it recognized two distinct standards.

Responding to that criticism, the EPA has now proposed to replace ASTM E1527-05 with ASTM E1527-13 for purposes of the AAI rule so as “to reduce any confusion associated with the regulatory reference to a historical standard” and “promote the use of the standard currently recognized by ASTM International as the consensus-based, good customary business standard.”  Amendment to Standards and Practices for All Appropriate Inquiries, 79 Fed. Reg. 34480 (proposed June 16, 2014) (to be codified at 40 C.F.R. 312), at 11.  Besides removing all references to ASTM E1527-05, the Proposed Rule would not alter the substance of the AAI Rule.

III.  Implications

ASTM E1527-13 incorporates new language about the need to evaluate soil vapor risk when conducting Phase I ESAs.  Soil vapor intrusion is of particular focus with respect to TCE and other volatile organic compounds, but can also involve other contaminants.  The EPA has suggested, however, that a vapor intrusion evaluation may already have been required under ASTM E1527-05.  In its preamble to the rule offering ASTM E1527-13 as a new due diligence standard, the agency stated that, “in its view, vapor migration has always been a relevant potential source of release or threatened release that, depending on site-specific conditions, may warrant identification when conducting all appropriate inquiries.”  78 Fed. Reg. 79319 (Dec. 30, 2013).  It is unclear, however, whether the EPA intended this statement to reflect near contemporary Phase I ESAs (conducted after ASTM E1527-13 was developed) or instead intended to suggest that the obligation has always existed.  Consequently, there may be future disputes as to whether a Phase I ESA not describing an evaluation of soil vapor intrusion actually satisfied the AAI Rule.

ASTM E1527-13 leaves open a number of key questions about vapor intrusion evaluations.  Neither ASTM E1527-13 nor the AAI Rule describes, for example, what levels in soil gas or groundwater should lead to concern or what levels would require mitigation.  The EPA and various states are developing guidance in this area to further clarify acceptable levels, how evaluations are to be conducted, whether one can evaluate risk based upon groundwater conditions alone, whether an evaluation must consider multiple lines of evidence, what vapor levels would be deemed acceptable in a residential setting, and what actions are required to mitigate risk.[1]

IV.  Conclusion

Consultants have already been transitioning toward the ASTM E1527-13 standard.  Should the Proposed Rule be adopted, ASTM E1527-05 will still satisfy the AAI Rule for properties acquired between November 1, 2005 and the effective date of the new action.  The EPA also anticipates providing for a delayed effective date of one year following any final action, to give those still using the previous framework time to complete ongoing investigations and become familiar with the updated standard.

However, it is important to recognize that the EPA may claim that an evaluation of soil vapor, where otherwise appropriate, is a requirement under ASTM E1527-05 and not only ASTM E1527-13.  It is therefore essential that potentially affected individuals keep current on EPA developments with respect to the evaluation of soil vapor intrusion, and obtain sound and up-to-date advice from environmental professionals.


[1]  See http://www.epa.gov/oswer/vaporintrusion/index.html.


Department of State Releases September 2014 Visa Bulletin

Morgan Lewis

The bulletin shows continued forward movement in the EB-2 India category while the cutoff dates in most other employment-based categories remain unchanged.

The U.S. Department of State (DOS) has released its September 2014 Visa Bulletin. The Visa Bulletin sets out per-country priority date cutoffs that regulate the flow of adjustment of status (AOS) and consular immigrant visa applications. Foreign nationals may file applications to adjust their statuses to that of permanent residents or to obtain approval of immigrant visas at a U.S. embassy or consulate abroad, provided that their priority dates are prior to the respective cutoff dates specified by the DOS.

What Does the September 2014 Visa Bulletin Say?

After several months of significant movement in both directions, the September Visa Bulletin shows no movement in any of the employment-based categories other than continued forward movement in the EB-2 India and EB-3 Philippines categories. Such continued forward movement in the EB-2 India category cannot be guaranteed; once significant demand in this category occurs, the cutoff date is likely to once again retrogress.

The cutoff date for F2A applicants from all countries will advance significantly in September.

EB-1: All EB-1 categories will remain current.

EB-2: The cutoff date of January 22, 2009 for applicants in the EB-2 category chargeable to India will advance by slightly more than three months to May 1, 2009. The cutoff date of October 8, 2009 for applicants in the EB-2 category chargeable to China will remain unchanged. The EB-2 category for all other countries will remain current.

EB-3: The cutoff date of November 8, 2003 for applicants in the EB-3 category chargeable to India will remain unchanged. The cutoff date of November 1, 2008 for applicants in the EB-3 category chargeable to China will also remain unchanged. The cutoff date of June 1, 2010 for applicants in the EB-3 category chargeable to the Philippines will advance by 10 months to April 1, 2011. The cutoff date of April 1, 2011 for applicants chargeable to Mexico and the Rest of the World will remain unchanged.

The relevant priority date cutoffs for foreign nationals in the EB-3 category are as follows:

China: November 1, 2008 (no movement)
India: November 8, 2003 (no movement)
Mexico: April 1, 2011 (no movement)
Philippines: April 1, 2011 (forward movement of 10 months)
Rest of the World: April 1, 2011 (no movement)

Developments Affecting the EB-2 Employment-Based Category

Mexico, the Philippines, and the Rest of the World

The EB-2 category for applicants chargeable to all countries other than China and India has been current since November 2012. The September Visa Bulletin indicates no change to these categories. This means that applicants in the EB-2 category chargeable to all countries other than China and India may continue to file AOS applications or have applications approved through September 2014.

China

The August Visa Bulletin indicated a cutoff date of October 8, 2009 for EB-2 applicants chargeable to China. The September Visa Bulletin indicates no change to this cutoff date. This means that applicants in the EB-2 category chargeable to China with a priority date prior to October 8, 2009 may file AOS applications or have applications approved in September 2014.

India

The August Visa Bulletin indicated a cutoff date of January 22, 2009 for EB-2 applicants chargeable to India. The September Visa Bulletin indicates a cutoff date of May 1, 2009, reflecting forward movement of 99 days. This means that applicants in the EB-2 category chargeable to India with a priority date prior to May 1, 2009 may file AOS applications or have applications approved in September 2014.

The September Visa Bulletin notes that the use of potentially “otherwise unused” employment-based visa numbers prescribed by section 202(a)(5) of the Immigration and Nationality Act has allowed the cutoff date in the EB-2 India category to advance rapidly in recent months. The Visa Bulletin warns that continued forward movement of this cutoff date in upcoming months cannot be guaranteed, and no assumptions should be made until the dates are formally announced. Once there is a significant increase in demand in this category, it will be necessary to retrogress the cutoff date, possibly as early as November, to hold numbers within the fiscal year 2015 annual limit. 

Developments Affecting the EB-3 Employment-Based Category

China

The August Visa Bulletin indicated a cutoff date of November 1, 2008 for EB-3 applicants chargeable to China. The September Visa Bulletin indicates no change to this cutoff date. This means that only applicants in the EB-3 category chargeable to China with a priority date prior to November 1, 2008 may file AOS applications or have applications approved in September 2014.

India

The August Visa Bulletin indicated a cutoff date of November 8, 2003 for EB-3 applicants chargeable to India. The September Visa Bulletin indicates no change to this cutoff date. This means that only EB-3 applicants chargeable to India with a priority date prior to November 8, 2003 may file AOS applications or have applications approved in September 2014.

Rest of the World

The August Visa Bulletin indicated a cutoff date of April 1, 2011 for EB-3 applicants chargeable to the Rest of the World. The September Visa Bulletin indicates no change to this cutoff date. This means that only applicants in the EB-3 category chargeable to the Rest of the World with a priority date prior to April 1, 2011 may file AOS applications or have applications approved in September 2014.

Developments Affecting the F2A Family-Sponsored Category

The August Visa Bulletin indicated a cutoff date of March 15, 2011 for F2A applicants from Mexico. The September Visa Bulletin indicates a cutoff date of April 22, 2012, reflecting forward movement of 404 days. This means that applicants from Mexico with a priority date prior to April 22, 2012 will be able to file AOS applications or have applications approved in September 2014.

The August Visa Bulletin indicated a cutoff date of May 1, 2012 for F2A applicants from all other countries. The September Visa Bulletin indicates a cutoff date of January 1, 2013, reflecting forward movement of 245 days. This means that worldwide, F2A applicants with a priority date prior to January 1, 2013 will be able to file AOS applications or have applications approved in September 2014.

How This Affects You

Priority date cutoffs are assessed on a monthly basis by the DOS, based on anticipated demand. Cutoff dates can move forward or backward or remain static. Employers and employees should take the immigrant visa backlogs into account in their long-term planning and take measures to mitigate their effects. To see the September 2014 Visa Bulletin in its entirety, please visit the DOS website.


SEC Brings Fraud Charges Against Oil and Gas Company and Its CEO

Katten Muchin Law Firm

On August 4, the Securities and Exchange Commission instituted cease-and-desist proceedings against Houston American Energy Corp., an oil and gas exploration and production company, and John F. Terwilliger, its CEO, for making fraudulent claims about the company’s oil reserves. According to the SEC, during late 2009 and early 2010, Houston American raised approximately $13 million in a public offering and saw its stock price increase from less than $5 to more than $20 per share after fraudulently claiming that a Colombian exploration concession, in which Houston American owned a fractional interest, held between one billion and four billion barrels of oil reserves that would be worth the equivalent of $100 per share to investors. The SEC alleged that those estimates lacked any reasonable basis and were falsely attributed to the concession’s operator, who actually had much lower estimates. The SEC order charged Houston American and Mr. Terwilliger with violations of Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act); Rule 10b-5, Section 20(b) of the Exchange Act; and Section 17(a) of the Securities Act of 1933. The SEC seeks a civil penalty and disgorgement from Houston American, and to prohibit Mr. Terwilliger from acting as an officer and director of the company.

Matter of Houston American Energy Corp. et al, Admin. Proceeding No. 3-16000 (Aug. 4, 2014).


NLRB General Counsel Authorizes Complaints Asserting Franchisor Can Be Jointly Liable With Its Franchisees

Schiff Hardin Law Firm

Earlier this week, the General Counsel of the National Labor Relations Board (NLRB), Richard F. Griffin, authorized the issuance of multiple complaints which include allegations that a franchisor, McDonald’s, USA, LLC, could be liable as a joint employer with its franchisees for violations of the National Labor Relations Act (NLRA). The text of the General Counsel’s authorization is available here.

Since 2012, McDonald’s, USA, LLC and its franchisees have been named in 181 unfair labor practice charges filed with the NLRB. In a memorandum issued to the Regional Directors, the General Counsel noted that 43 of those charges were found to have merit, while the remaining charges either were found to have no merit or are pending further investigation. The General Counsel’s action authorizes the regions in which the charges were filed to issue administrative complaints naming McDonald’s USA, LLC and its franchisees as respondents if the parties are unable to reach settlement in the 43 cases that have been found to have merit.

The authorization comes on the heels of an amicus brief filed by the General Counsel in June in Browning-Ferris Industries of California, Inc., urging the Board to adopt a new standard for determining joint-employer status. Under the current standard, the NLRB analyzes whether alleged joint employers share the ability to control or co-determine the essential terms and conditions of employment. TLI, Inc., 271 NLRB 798 (1984). Essential terms and conditions of employment include hiring, firing, discipline, supervision and direction of employees. Laerco Transportation, 269 NLRB 324 (1984). The putative joint employers’ control over these employment matters must be direct and immediate.

In the amicus brief, the General Counsel argued that the Board’s current standard for determining joint-employer status is significantly narrower than the traditional standard and ignores Congress’s intent that the term “employer” be construed broadly. Griffin urged the Board to adopt a new standard that accounts for the totality of the circumstances, including how putative joint employers structure their commercial dealings. Under the proposed test, joint-employer status would exist if one of the entities wields sufficient influence over the working conditions of the other entity’s employees such that meaningful bargaining could not occur in its absence.

The NLRB has not yet decided whether to adopt the General Counsel’s proposed standard, and the Browning-Ferris case is currently pending before the Board.

Implications and Recommendations

Although the General Counsel’s action has sparked a flurry of debate over the proper test for determining joint-employer status, it remains unclear whether the NLRB will accept his position. If the NLRB decides to adopt a new joint-employer standard, it would likely expand the number of entities found to be joint employers and thus potentially liable for alleged unfair labor practices, and could have ramifications under other employment laws as well, including wage and hour and discrimination cases.


E-Verify Update and Improvements

Poyner Spruill Law firm

E-Verify has been operational since 1997 as part of a Basic Pilot Program to help employers verify electronically that a newly hired employee is authorized to work in the US.  A number of states have made use of E-Verify mandatory, including North Carolina, which requires employers with 25 employees to have been enrolled in E-Verify by July 1, 2013.

Update

Currently there are over 530,000 employers nationwide enrolled in E-Verify.  Statistically, the program has grown rapidly as has its accuracy, having verified close to 24 million cases.  Of those, 98.81% have been confirmed as employment authorized.  The US Citizenship and Immigration Services (USCIS) graphic below provides E-Verify’s latest statistics:

The Monitoring and Compliance Branch (M&C Branch) was created by the USCIS in 2009 to ensure E-Verify is being used properly.  Its main function is to monitor and guide E-Verify participants by phone, email, desk reviews and site visits.  This unit does not fine employers, but does refer cases of suspected misuse, abuse or fraud to Immigration and Customs Enforcement (ICE) and the Department of Justice’s Office of Special Counsel for Immigration-Related Unfair Employment Practices (OSC).  There has been an uptick in complaints to the OSC resulting in some sizeable settlements.  All settlement agreements described on the OSC website have one thing in common: all employers participated in E-Verify and the OSC became involved, for the most part, by the USCIS referring the employer to OSC.  Thus, it is noteworthy that participation in E-Verify alone does not protect an employer from enforcement action and penalties.

Recent Improvements to E-Verify System

E-Verify has announced some needed improvements to its system to assist employers, who, by using them, will hopefully not attract M&C Branch attention:

  • Duplicate Case alert now notifies the employer if a social security number matches any other social security number entered for an existing case within the past 30 days.
  • The user’s name no longer auto-fills: it must now be completed each time to ensure accuracy, providing a prompt to validate or update email and phone number whenever the user’s password expires, which is every 90 days.
  • An employee whose information is entered in E-Verify resulting in a tentative nonconfirmation will receive email notification if they provide their email address on the Form I-9.
  • There is a new photo tool that will display any photo on record with E-Verify, enabling the user to compare it to the photo ID being presented.
  • E-Verify now verifies a driver’s license as to authenticity by matching the data entered by the user against participating state motor vehicle department records. Currently, North Carolina does not participate in this so-called RIDE system.
  • If E-Verify detects fraudulent use of a social security number, it prevents that number from being used more than once.
  • Notices generated by E-Verify are now available in 18 languages.
  • There are monthly webinars in Spanish for employers.
  • E-Verify screens for typographical errors and requires employers to correct them.
  • The Further Action Notice that is generated after a Tentative Nonconfirmation from the Department of Homeland Security includes instructions on how to correct immigration records after resolving the Tentative Nonconfirmation on E-Verify.
  • Updated Further Action Notices are also no longer pre-populated, but are easy to complete.
  • Customer support has been improved and includes an “E-Verify Listens” link that can be accessed by the E-Verify user while in the E-Verify system to assist with E-Verify completion.

While the system is not perfect, it is increasingly pervasive and increasingly “user friendly.”  Further, employers have a strong incentive to use E-Verify properly to avoid settlements generated by enforcement actions that appear to be directly linked to E-Verify misuse, abuse and fraud.


SEC Commissioner Highlights Need for Cyber-Risk Management in Speech at New York Stock Exchange

Proskauer Law firm

Cyber risks are increasingly common for businesses of all kinds.  In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

Commissioner Aguilar, in the speech delivered as part of the Cyber Risks and the Boardroom Conference hosted by the New York Stock Exchange’s Governance Services department on June 10, 2014, emphasized the responsibility of corporate directors to consider and address the risk of cyber-attacks.  The commissioner focused heavily on the obligation of companies to implement cybersecurity measures to prevent attacks.  He lauded companies for establishing board committees dedicated to risk management, noting that since 2008, the number of corporations with board-level risk committees responsible for security and privacy risks had increased from 8% to 48%.  Commissioner Aguilar nevertheless lamented what he referred to as the “gap” between the magnitude of cyber-risk exposure faced by companies today and the steps companies are currently taking to address those risks.  The commissioner referred companies to a federal framework for improving cybersecurity published earlier this year by the National Institute of Standards and Technology, which he noted may become a “baseline of best practices” to be used for legal, regulatory, or insurance purposes in assessing a company’s approach to cybersecurity.

Cyber-attack prevention is only half the battle, however.  Commissioner Aguilar cautioned that, despite their efforts to prevent a cyber-attack, companies must prepare “for the inevitable cyber-attack and the resulting fallout.”  An important part of any company’s cyber-risk management strategy is ensuring the company has adequate insurance coverage to respond to the costs of such an attack, including litigation and business disruption costs.

The insurance industry has responded to the increasing threat of cyber-attacks, such as data breaches, by issuing specific cyber insurance policies, while attempting to exclude coverage of these risks from their standard CGL policies.  Commissioner Aguilar observed that the U.S. Department of Commerce has suggested that companies include cyber insurance as part of their cyber-risk management plan, but that many companies still choose to forgo this coverage.  While businesses without cyber insurance may have coverage under existing policies, insurers have relentlessly fought to cabin their responsibility for claims arising out of cyber-attacks.  Additionally, Commissioner Aguilar’s speech emphasizes that cyber-risk management is a board-level obligation, which may subject directors and officers of companies to the threat of litigation after a cyber-attack, underscoring the importance of adequate D&O coverage.

The Commissioner’s speech offers yet another reminder that companies should seek professional advice in determining whether they are adequately covered for losses and D&O liability arising out of a cyber-attack, both in prospectively evaluating insurance needs and in reacting to a cyber-attack when the risk materializes.

Read Commissioner Aguilar’s full speech here.


Financial Crimes Enforcement Network (FinCEN) Proposes Anti-Money Laundering Rules

Vedder Price Law Firm

On July 23, 2014, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking that would amend existing Bank Secrecy Act regulations with respect to customer due diligence (CDD) requirements for certain covered financial institutions, including mutual funds, brokers or dealers in securities and futures commission merchants and introducing brokers in commodities. The proposed rules would formalize certain CDD requirements and also require that covered financial institutions “identify and verify the beneficial owners of legal entity customers.” FinCEN’s proposal includes a standard certification form that covered financial institutions would be required to use for documenting the beneficial ownership of their legal entity customers. An individual may qualify as a “beneficial owner” of a legal entity customer if the individual either (1) owns 25% or more of the equity interests of the entity, or (2) has significant management responsibilities within the entity. As proposed, covered financial institutions would be exempted from identifying the beneficial owners of an intermediary’s underlying clients if the covered financial institution has no customer identification program obligation with respect to those underlying clients.

Comments on the Notice of Proposed Rulemaking are due by October 3, 2014.


Firewall on the Hill: The Cybersecurity Information Sharing Act

Morgan Lewis

U.S. Treasury Secretary Jack Lew is urging Congress to pass legislation to bolster the country’s cyber defenses. The proposed bill—the Cybersecurity Information Sharing Act of 2014 (CISA)—may unleash a brute-force attack in the cyber war, but opposition based on privacy and civil liberties concerns could stop the bill dead in its tracks.

The CISA would enable companies to

  • share information with one another, including an antitrust exemption for the exchange or disclosure of a “cyber threat indicator,” which is broadly defined and includes information that indicates any attribute of a cybersecurity threat;
  • share information with the federal government, including the absence of any waiver of privilege or trade-secret protection and the retained ownership of the disclosed information;
  • launch countermeasures and monitor information systems under broad sets of circumstances, potentially expanding the information to be shared; and
  • monitor and share the information under an umbrella of protection from liability relating to the permitted activities, including a good-faith defense (absent gross negligence or willful misconduct) for activities not authorized by the CISA.

The CISA includes some protections for individuals. Namely, the U.S. Attorney General would develop governing guidelines to limit the law’s effect on privacy and civil liberties. Moreover, companies would be required to remove information that is known to be personal information (and not directly related to a cybersecurity threat) before sharing a cyber threat indicator.

In sum, companies could decide to share a wealth of information with one another and with the federal government if the CISA is passed, though the extent to which personal information is shared depends on the reach of any future guidelines. If an extensive information-sharing program materializes, and there is at least a perception that sensitive personal information is being shared, companies could feel pressure from customers and advocacy groups to disclose their CISA activities and policies in their privacy statements. Companies should stay informed about developments in cybersecurity legislation, but the potential fallout regarding privacy could substantially weaken or postpone any new system. For every cybersecurity legislative effort, there will be bold countermeasures.

Office for Civil Rights (OCR) to Begin Phase 2 of HIPAA Audit Program

McDermott Will Emery Law Firm

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase 1 Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards.  The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities.  OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates.  In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Phase 1 Audit Findings

OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:

  • There were no findings or observations for only 11% of the covered entities audited;
  • Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
  • The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;
  • Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
  • Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
  • Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.

The Phase 2 Audit Program

Selection of Phase 2 Audit Recipients

Unlike the Phase 1 Audit Program, which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  OCR has randomly selected a pool of 550–800 covered entities through the National Provider Identifier database and America’s Health Insurance Plans’ databases of health plans and health care clearinghouses.  OCR will issue a mandatory pre-audit screening survey to the pool of covered entities this summer.  The survey will address organization size measures, location, services and contact information.  Based on the responses, the agency will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits.  OCR intends to select a wide range of covered entities and will conduct the audits between October 2014 and June 2015.

OCR will notify and send data requests to the 350 selected covered entities this fall.  The data requests will ask the covered entities to identify and provide contact information for their business associates.  OCR will select the business associates that will participate in the Phase 2 Audits from this pool.

Audit Process

OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.  OCR will initiate the Phase 2 Audits of covered entities by sending the data requests this fall and then initiate the Phase 2 Audits of business associates in 2015.

Covered entities and business associates will have two weeks to respond to OCR’s audit request.  The data requests will specify the content, file names and other documentation requirements, and the auditors may contact the covered entities and business associates for clarifications or additional documentation.  OCR will only consider current documentation that is submitted on time.  Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review.

Unlike the Phase 1 Audits, OCR will conduct the Phase 2 Audits as desk reviews with an updated audit protocol and not on-site at the audited organization.  OCR will make the Phase 2 Audit protocol available on its website so that entities may use it for internal compliance assessments.

The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:  risk analysis and risk management; content and timeliness of breach notifications; notice of privacy practices; individual access; Privacy Standards’ reasonable safeguards requirement; training to policies and procedures; device and media controls; and transmission security.  OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and other areas identified by earlier Phase 2 Audits.  Phase 2 Audits of business associates will focus on risk analysis and risk management and breach reporting to covered entities.

OCR will present the organization with a draft audit report to allow management to comment before it is finalized.  OCR will then take into account management’s response and issue a final report.

What Should You Do to Prepare for the Phase 2 Audits?

Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

  • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment);
  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;
  • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests;
  • If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;
  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;
  • Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not only a website privacy notice;
  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;
  • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;
  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring your own device environment);
  • Confirm that all systems and software that transmit electronic PHI employ encryption technology or that the organization has documented the risk analysis supporting the decision not to employ encryption;
  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and
  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures).