Monday, June 26, 2017

Beard St. Clair Gaffney voted Best Law Firm

We are honored to be named Best Law Firm in the Post Register's annual reader's choice awards. We enjoy serving our clients with aggressive and creative legal solutions. Thank you for your votes!
Best Law Firm 2017
Staff at 2:31 PM
Tuesday, June 6, 2017

Does Ransomware make you WannaCry?

On May 12, 2017, a worldwide ransomware attack assaulted businesses and government entities in 150 countries, including Britain’s national health system, FedEx, Spain’s Telefónica, and the Russian Interior Ministry.  The virus dubbed “WannaCry” was designed to access servers through vulnerabilities in Microsoft Windows software.   Many users’ systems were infected by opening a seemingly harmless email.  This virus was different from others in that it had the ability to spread throughout computer systems without any type of user interaction. 

The main targets of the virus were users of Microsoft Windows who had not implemented a patch distributed by Microsoft in March and users still operating on the Windows XP platform since their systems were the most vulnerable.  The attack was slowed after a researcher identified a “kill switch” for the virus. The kill switch couldn’t help devices the virus already infected, but it bought time to patch systems that hadn’t yet been hit. However, most computer security experts do not believe it has been halted completely, and there is at least one new strain of the ransomware that is unaffected by the kill switch, which has been slowly spreading.

So far, Britain’s national health system has been the most impacted health care organization worldwide. Because of the virus, many British hospitals were forced to cancel critical surgeries and divert patients to other hospitals when they could not access patients’ medical records.  Although the attack has not been reported to be as prevalent on the U.S. healthcare systems, the U.S. Department of Health and Human Services (HHS) issued a report urging healthcare organizations to be cautious in their cybersecurity practices. 

Taking that advice, there are several lessons we can learn from the WannaCry attack. We suggest the following best practices to protect yourself from ransomware attacks through email:

    1. Ensure that your computer and antivirus software are up to date.  Be sure to regularly check for patches and updates to your operating system and install the patches and updates as they become available.  The same goes for your antivirus software.

    2. Regularly back up your data and test to see if the backups can be restored. Restorable backups can mean the difference between significant business disruption and simply restoring the data.

    3. Only open email messages from people you know and messages you are expecting to receive.

    4. Never click on links in emails if you weren’t expecting them.  

    5. Conduct regular security awareness training to remind your staff of the importance of good email hygiene. Phishing attacks with software downloads or links and attachments to malware are often the first sign that a ransomware event is looming.

    6. Before your practice has been attacked by ransomware, review and update your security incident response plan as well as your disaster recovery plans.

    7. Never Pay Ransom. Payment of ransom by one provider emboldens attackers and proliferates the attacks, placing other healthcare providers at risk.

If you were attacked, or know someone who was attacked, it is important to be aware of the HHS guidance on ransomware. HHS advises that when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (since unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate that there is a low probability that the PHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.

Keep in mind that policies and procedures implemented prior to a ransomware infiltration will dramatically affect the outcome of a ransomware attack.  As they say, an ounce of prevention is worth a pound of cure.

For questions, please contact:

Megan Hopfer | Attorney
2105 Coronado St | Idaho Falls, ID 83404

(208) 523-5171

This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Beard St. Clair Gaffney PA or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Beard St. Clair Gaffney PA. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Megan J. Hopfer at 12:21 PM
Health Care Law
Monday, May 22, 2017

Employment Law Workshop

Staff at 8:33 PM
Monday, May 22, 2017

Kent Gauchay Named Clark County Magistrate Judge

Congratulations to attorney Kent W. Gauchay for being selected as the next Clark County Magistrate Judge. 
Staff at 3:18 PM
Friday, April 7, 2017

Invasive Species

The 2017 Idaho Legislature has passed a bill authorizing additional funding to the Idaho Department of Agriculture to prevent invasive species from entering the state. Invasive species are harmful, non-native plants and animals that damage Idaho's ecosystems and environments.

Idaho's Invasive Species Act of 2008 prohibits any person from importing, transporting, or introducing invasive species into the state without a permit. The Department of Agriculture may conduct inspections on public or private property, and may establish check stations at points of entry in the state to inspect for invasive species. Idaho regularly checks boats entering the state for quagga mussels and zebra mussels, which have the potential to cause devastating harm to hydropower and agricultural facilities.

To help pay for check stations, Idaho law requires all motorized watercraft and any non-motorized vessel (canoe, kayak, raft, drift boat, etc.) to purchase and display an invasive species sticker.

Invasive species can be very destructive, and could destroy the natural beauty of the state if not controlled. Species such as mussels, gypsy moths, yellow star thistle, cereal leaf beetles, nematodes, and white pine blister rust have the ability to threaten our crops, and interfere with recreation on our public lands and waters.

To help, you should learn how to identify and report suspected invasive species. Reports of potential invasive species can be made to Idaho's Invasive Species Hotline at 1-877-336-8676.

Do your part to help prevent invasive species from taking hold in Idaho.

Lance J. Schuster at 2:28 PM
Thursday, March 16, 2017

Do you know how to handle a HIPAA breach?

In the ever-growing world of electronic health records, cloud-based storage, and IT hacks, it is of the utmost importance to know how to handle a breach of protected health information (PHI).

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with requirements to protect the privacy and security of health information. Health plans, such as health insurance companies or government programs such as Medicare and Medicaid qualify as covered entities.  Health care providers, such as doctors, clinics, dentists, chiropractors, and pharmacists also qualify as covered entities if they electronically submit claims or other information to carry out financial or administrative activities related to health care.

For any breach affecting more than 500 individuals, a covered entity, such as a doctor’s office, must investigate and report the breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If it fails to do so, it may be subject to HIPAA fines. The Office for Civil Rights just settled its first case of the year against Presence Health, one of the largest integrated health systems in Illinois, for ‘unreasonable delay’ in reporting a HIPAA breach. The report was 45 days late. The fine was $475,000.

The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline.

We can learn a valuable lesson from Presence Health’s blunder: covered entities must take the reporting deadlines seriously. For notification to affected individuals, the breach must be reported without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If the breach involves 500 or more individuals, the covered entity must notify HHS at the time it notifies affected individuals. If the breach involves fewer than 500 individuals, the covered entity may wait to notify HHS until no later than 60 days after the end of the calendar year. If the breach involves more than 500 residents in one state, the covered entity must notify local media at the time it notifies affected individuals.  One important clarification for covered entities: the 60-day time period begins to run from the time that any member of the covered entity’s workforce (other than the person committing the breach) knew or by exercising reasonable diligence should have known that the breach occurred.

In addition, while we’re on the topic, please allow us to remind you about a few best practices to avoid HIPAA blunders:

      1. Update Your Policies. Covered entities should adopt, implement, revise, and update their policies and procedures providing for the timely and adequate notification of a breach to HHS, individuals and the media. To avoid internal miscommunication, covered entities should ensure that such policies and procedures explicitly define employee roles and responsibilities with respect to who 1) completes risk assessments of potential breaches, 2) receives and acts upon reports related to potential breaches, 3) prepares and sends notifications to individuals, HHS and the media without unreasonable delays and within the Rule’s prescribed timeframes, and 4) updates policies and procedures on an at-least annual basis.

      2. Train Your Employees. Make it a priority to provide annual and ongoing training based on your updated policies and procedures. It is best to provide training to all current and new workforce members on an at-least annual basis. Such trainings should be comprehensive and include information about what constitutes a breach, the importance of quickly reporting and acting upon reports of potential breaches, and identify the key people to whom such reports should be made.

      3. Incentivize Employee Compliance. Impose sanctions on workforce members (e.g., retrain, compensation/bonus impact and/or termination) that fail to adhere to HIPAA-related policies and procedures to ensure that employees are properly incentivized to comply. Accordingly, be sure that you do not merely have policies and procedures in place, but that you impose sanctions on staff members who fail to comply.

      4. Prepare and Practice Your Game Plan. Once you learn of a breach, the clock starts ticking so it’s best to be ready to spring into action as quickly as possible. The notification process requires multiple tasks, such as investigating the breach, analyzing any changes to the regulatory requirements, tracking down affected individuals’ names and addresses, communicating and coordinating with the relevant decision-makers, setting up call centers to answer data subjects’ questions, and preparing and mailing notifications.  Therefore, best practices are to have an incident response plan ready; a battle plan if you will. Put in place, and  practice as much as possible, your coordination and communication strategies related to the discovery and reporting of breaches. Such exercises are an important way for you to ensure that you have defined timetables, coordinated team members, and an overall awareness of compliance requirements.


For questions, please contact:

Megan Hopfer | Attorney
2105 Coronado St | Idaho Falls, ID 83404
(208) 523-5171


Megan J. Hopfer at 1:23 PM
Health Care Law
Friday, March 3, 2017

Be Sure to Know Your Rights to Water Your Stock

The water right rule in Idaho, both before and since the adoption of the Idaho Constitution, is that the first in time is the first in right. 

The constitutional method of appropriation generally requires an actual diversion of water in order to obtain a water right.  However, no diversion from a natural watercourse or diversion device is needed to establish a valid appropriative water right for stock watering.           

For example, a stock watering right may have been established in watercourses on federal lands simply by applying the water to the beneficial use of watering cattle.  Even if a cattleman did not understand, or intend to create a water right, a water right might be established simply by watering livestock in the springs, creeks and rivers on the range that cattle use for forage. 

While many cattlemen in Idaho may presume to have stock watering rights, it is important to establish and protect those rights with the Idaho Department of Water Resources.

The federal government has attempted to claim stockwater rights on federal lands even though it does not own or graze cattle on those lands.  Idaho Courts have denied those attempts. 

In addition, the Idaho legislature is currently considering a bill which would prohibit the federal government from obtaining stock watering rights in the springs, streams and rivers on federal land unless the federal land owner owns livestock and puts the water to beneficial use. 

If an agency of the federal government does obtain a stock watering right, that water right could not be utilized for any purpose other than the watering of livestock. 

Know the law of the land.

Lance J. Schuster at 2:08 PM
Friday, March 3, 2017

Join us for March Madness Fun

BSG March Madness
Staff at 10:24 AM
Thursday, February 9, 2017

Business Seminar for Healthcare Professionals

Staff at 4:38 PM
Friday, February 3, 2017

Overtime Pay and Minimum Wage

On December 8, 2016, two dairy workers in southern Washington state sued their employer for overtime pay. The class action lawsuit is challenging a long-time part of federal labor laws that exempts agricultural employees from overtime pay requirements.

This suit is the latest in a line of cases across the country. Agricultural workers are using the courts to break down laws that treat them differently from employees in other industries. Farmworkers have sued for the right to unionize, the right to workers’ compensation, and the right to a minimum wage.

Groups advocating for change claim that the law needs to change to account for industrialized large-scale farm operations of the modern era.

Idaho follows federal law with regard to overtime pay. Most employees have a right to “time-and-a-half” for hours worked in excess of forty per week. All employees employed in agriculture are exempt from this requirement. The exemption applies to any employee engaged in growing and harvesting crops, raising livestock, dairying, etc.

However, the exemption does not apply to employees who merely work on agricultural products, if such work is performed off the farm and by employees not employed by the farmer (e.g. produce or meat processing operations).

Idaho’s laws regarding minimum wage similarly mirror federal law. Employers in Idaho do not need to pay minimum wage to their immediate family members or employees principally engaged in the range production of livestock. Also exempt are harvest laborers traditionally paid on a piece-rate basis, as long as they do not live on site at the farm and only worked in agriculture for thirteen weeks or less the previous year. Harvest laborers under age sixteen are also exempt if they are employed on the same farm as a parent or guardian and are paid at the same rate as the adults.

The agricultural industry in the U.S. has changed dramatically in the last eighty years.  The law will continue to change with it.

Lance J. Schuster at 2:02 PM