DID YOU KNOW? An Insured Wedding May Lead to Happily Ever After

download (2).jpg

Valentine’s Day is just days away and many couples will get engaged. According to the wedding industry research company The Wedding Report, Inc., the average cost of a wedding ranges from a low of $15,518 in Mississippi to a high of $39,078 in Hawaii.  The average cost for our home states of Illinois, Texas, and Oklahoma were in the middle of the pack (2017 data):


With this much money, time and planning dedicated to a single day, wedding insurance should be considered to make sure the Big Day is remembered for all the right reasons. 

Your homeowner’s and personal umbrella policies will provide some coverage for liability and theft of gifts, but it may be more prudent to transfer the risk to a separate policy, especially if your venue is requiring an insurance certificate.

For a little over $500, a wedding insurance policy can provide up to $25,000 of coverage for cancellation or postponement of the ceremony and up to $1,000,000 of liability coverage, including liquor liability.  The policy includes the ceremony, reception, rehearsal and rehearsal dinner and offers separate limits of coverage for the following:

·       Defective, lost, or damaged professional photographs and video

·       Last-minute additional and unforeseen expenses

·       Damage to wedding gifts

·       Lost or damaged wedding attire for the bridal party

·       Lost deposits if a vendor goes out of business or fails to show up for your wedding

Other special events, such as a Bar/Bat Mitzvah, Quinceanera, or Anniversary can also be insured on a similar policy.

Have questions about event insurance? David Miller has answers. Miller, who writes the monthly, DID YOU KNOW? blog is The Plexus Groupe’s Vice President, Client Executive for Private Client Solutions. Miller can be reached by calling 846-307-6141.





Wildfire Victims Are Largely Under-Insured

iStock-wildfire_California_145995925 (500 x 334).jpg

California’s massive wildfires over the past year have highlighted that many residents were under-insured – and an insurance expert believes several factors are to blame.

According to the latest figures, nearly 80% of the homes affected by the wildfires were under-insured – of which 60% were severely under-insured. Over 60% of affected homeowners also said that they plan to sue their insurance agents and/or brokers for being under-insured.

Under-insurance, however, is not a new issue, nor is it exclusive to California’s wildfire-prone regions.

Richard Masters, operator of Richard Masters Insurance Services and insurance litigation expert witness, told Ventura County Star that several factors are to blame for an issue that continues to haunt homeowners.

These factors include:

  • Insurance buyers wrongly equate insurance limits to the selling price of their home.

  • Building code upgrades easily add to the cost of a home – as much as 35% to 50%.

  • Construction costs increase following a disaster; in California, building costs have increased by 30% to 35%.

  • Insurance company programs that estimate replacement costs are inaccurate “nine times out of 10.”

One of the more notable factors Masters believes is contributing to underinsurance is the fact that agents and brokers are very much engaged in a downward spiral race to “be competitive.” He explained that as an expert witness, he has been involved in several cases where the agent/broker admitted under oath that in order to stay competitive, they reduced the insurance limits to reduce the premium.

Masters also noted that he has seen some agents admitting they reduce the dwelling limit by the replacement cost extension since the insured would not be able to use it anyway – a fallacious claim, since the policy requires the client to be insured for 100% of the cost.

“When you talk to your clients, family, friends and neighbors, tell them they are most likely under-insured,” Masters advised. “Get them to stop thinking about replacing the old house and start thinking about rebuilding the home with new regulations, new materials, higher labor costs, costly architectural plans, required demolition and debris removal, contractors’ overhead and profit, etc.”

Content provided by Insurance Business Mag

Government Shutdown Effects National Flood Insurance Program

The partial government shutdown which began at midnight on December 21 has impacted the National Flood Insurance Program (NFIP) despite the re-authorization of the program.

Although the NFIP are unable to issue any policies during the shutdown, the department will honor the effective dates of renewals that come up during the shutdown once it has been lifted. The shutdown ended on January 26th, 2019.

At this point it is unclear how long the shutdown will last, but it is expected into 2019. While both the House and Senate rushed to extend the NFIP before authorization expired, the Federal Emergency Management Agency (FEMA) will issue official guidance that the NFIP will operate in a limited capacity during the shutdown. 

The guidance will state that no new policies can be issued, no changes can be made to existing policies, and renewal policies cannot be issued. However, the claims process will proceed to function normally. The procedures outlined in bulletin W-17069 will be the basis for the forthcoming guidance.

Last week, it was the intent of Congress for the NFIP to continue to operate as normal should there be a government shutdown. However, FEMA’s appropriation, which funds the selling and servicing of flood insurance policies, expired with the rest of the unfunded government agencies and programs on December 22, 2018 at 12:01 a.m.

During this lapse in appropriation, FEMA will be advising all NFIP insurers (Write Your Own companies and NFIP Direct) that they may not collect premiums for the issuance, renewal, or monetary endorsements of NFIP policies because doing so would cause the government to incur obligations without an appropriation, which is prohibited by federal statue found in the Anti-Deficiencies Act. The guidance will state that the short-term interruption of flood insurance sales do not rise to the level of necessary market impact to warrant an exception to the Anti-Deficiencies Act. However, should the shutdown continue for a substantial period, the NFIP could start issuing policies again if the agency believes there is a significant market impact.

DID YOU KNOW? Beating Black Ice Could Mean A Better Insurance Rate


Winter is officially here and the arctic air has arrived, making it dangerous to be outside, much less on the roads. Even though we like to think we’re accustomed to tough Midwestern winters, the fact is we all tend to forget to adapt our driving styles when the season arrives. 

Black ice can be one of the worst causes of auto accidents because it forms quickly and is very hard to see.  It isn’t actually black, but it appears that way because if forms without bubbles, allowing it to blend in with any surface it forms over.  It forms most commonly at night or in the early morning when temperatures are at their lowest, and it tends to form on parts of the road that do not get much sunshine, or on elevated roadways.   

But if it happens quickly, and it’s hard to see, what are some of the signs to look for? 

  • If you are driving and suddenly see cars swerve for no apparent reason, black ice is a likely cause. 

  • If you are driving and your steering starts to feel very “light”, you may be driving on black ice.  Even when you are driving in a straight line, you are constantly making small steering corrections and you should be able to feel your car respond.  If you make a steering correction and there is no corresponding response from the tires, you are probably driving on black ice. 

  • Black ice almost always forms in very smooth, very glossy sheets.  In the right lighting conditions, you will be able to distinguish this shiny patch of pavement from the normally flat and dull-black pavement.   

What can you do if you find yourself sliding on black ice? 

  • First, get yourself familiar with that feeling before you’re on a crowded highway.  Practice driving on ice in a safe surrounding.  Find a large, empty parking lot that is covered in ice or snow and drive faster than you normally might.  Hit the brakes hard to get familiar with the pulsing feeling of your anti-lock braking system.  Over-correct with the steering wheel to induce a slide and steer your way out of it.   

  • If you do hit black ice, you need to remain calm and avoid over-correcting.  If you’ve practiced this, you know how quickly your car will slide and spin if you make sudden movements with the steering or brakes.  The general rule is to do as little as possible and allow the car to pass over the ice.  Roll your foot off the gas, keep the steering wheel straight and don’t touch the brakes.  Also, hold the steering wheel loosely.  If you have a death grip on the steering wheel, you won’t allow for any wheel travel if you are driving on bumps or uneven pavement.   

  • If you can, gently head for areas of traction.  This may include textured ice, snow covered areas, or the rumble strips on the shoulder.   

OK, I’m skidding.  Now what? 

  • Black ice is often patchy, so hopefully your tires will soon find traction.  Keep in mind that once your tires find traction, your car will want to start heading in the direction of that traction.  This is another reason why you want to loosely hold the steering wheel, because it will jerk back when you hit dry pavement.   

  • Now’s the time to hit the brakes.  Most cars have ABS, so you will start to hear and feel that pulsing/vibrating sound.  Keep your foot on the brake and let the car find whatever deceleration is possible. 

  • Always steer your car in the direction you want it to go.  You may get the car out of a skid, but it could snap back and skid in the opposite direction.  If this happens, you are probably going to wind up in a spin.  At this point, try to steer the car into something that will cause a minimum amount of damage, like a snowbank or a field.  You may not have any choice in the matter, but you can at least try. 

  • Once you stop, stay calm and assess the situation.  Are you hurt?  Are your passengers ok?  Is the car driveable, and if so, can you slowly move it to a safe spot where it won’t get hit by other cars? 

Have questions about auto insurance after a black ice accident? David Miller has answers. Miller, who writes the monthly, DID YOU KNOW? blog is The Plexus Groupe’s Vice President, Client Executive for Private Client Solutions. Miller can be reached by calling 846-307-6141.


Balancing Fun and Frugality: Tips for Baby Boomers on Being Resourceful, Having Fun


Most of us admire the frugal friend or relative who always seems able to set aside money for unexpected expenses and fun vacations. Some people just have a knack for being resourceful when it comes to saving and spending money. If you’re a member of the Baby Boomer generation, don’t make the mistake of turning your life into a no-fun zone. The trick is to find a happy medium between saving and spending so you’re less likely to give up on it.  Remember, it is never too late to plan for tomorrow. Plexus Financial Services, LLC can guide you to your goals.

Take Care of Your Business First

Being frugal and saving money won’t get you far if you’re unprepared to handle an important expense like health insurance. If you can, continue on your employer’s health care plan post-employment. If you lack coverage, make sure to sign up for Medicare — there’s plenty of information online to guide you through the process of finding a plan that covers ancillary healthcare expenses such as dental, vision, hearing, and prescription medications.

Another good way to cut expenses is to discontinue a life insurance policy if it’s no longer necessary. If your life circumstances permit - if your children are grown and on their own or if you have sufficient income to cover your needs - you really don’t need a life insurance policy anymore and can better use that money in other ways. 

Email Lists

Go ahead and enjoy your favorite restaurant or retail stores; just make sure you sign up for their email lists. You’ll earn coupons, receive free offers, and get a jump on other promotions as they come up, which are great ways to save money. If you want to really get organized about it, set up a separate email address for all those coupons and offers so you don’t clog up your primary email address and risk losing track of emails that can save you money.

Don’t Forget the Library

Remember how much fun it was to visit the library when you were a kid? All those books and movies, and all you needed was that magic little card that doesn’t cost a cent. You can relive those happy visits and save money by borrowing great books and movies you love whenever you want. If you have kids, introduce them to story hour, which is a wonderful source of free entertainment that public libraries still offer their patrons.

Make Credit Cards Work for You

Credit card reward points are a great way to save for a family vacation, especially if setting money aside in a vacation fund is a problem. Use low-limit cards to pay bills and buy groceries and start racking up points. If you’re handy at managing credit cards, you can finance a nice vacation — just make sure you’re able to keep paying off those cards. Remember, racking up a bunch of credit card debt is the opposite of what you’re trying to do here, so be careful about this option if you’re not so good at managing money.

Parks Are Free

If you live in a community with a good parks system, you’ve got a terrific source of free entertainment anytime you want, especially if you live in an area that’s not conducive to walking or jogging. Many parks have tennis or soccer leagues you can join for free or at a minimal cost, so why not enjoy a little friendly competition while getting some exercise and fresh air?

Used Sports Equipment

If you’re an avid golfer, you know that the game can be quite expensive. In fact, golf clubs are among the most expensive sports equipment on the market. You can save hundreds of dollars by opting for used clubs at a second-hand sports store (such as Play It Again Sports). And who knows: You might finally come across the putter of your dreams.

Living frugally doesn’t mean you have to cope with boredom. If you can’t find ways to have fun, scrimping and saving may quickly seem a pointless waste of time. Stick with your plan and be sure to combine resourcefulness and entertainment. You’ve earned it!

Written by Jim McKinley

Money With Jim



9 ACA Employer Mandate FAQs for Employers and their Brokers

The Affordable Care Act (ACA) is still in effect, despite efforts to dismantle it. This means its employer mandate is still in effect, and something employers and brokers can’t ignore. Plexus Technology Services, which delivers innovative technology reporting solutions to companies needing to report ACA information to the government, provides 9 ACA FAQs (frequently asked questions) about the employer mandate for employers and their brokers.


What is the ACA employer mandate?

Employers with 50 of more full-time employees must offer those workers and dependents the chance to enroll in minimum essential coverage under an employer-sponsored plan.


What is “full-time” under health care reform?

Working at least 30 hours per week or 130 hours in a calendar month. A special rule covers “seasonal workers” and others not continuously employed.

What is the look-back method for counting full-time employees?

Count the number of full-time employees during each calendar month and divide by 12.

What is an offer of health coverage?

Employees with 50 or more employees must offer coverage during a plan year. Employees must pay their share within 30 days of due date.

When is employer coverage considered unaffordable?

If the employee’s required contribution for self-only coverage exceeds 9.69 percent of their household income for the taxable year.

How are wellness programs treated?

If a wellness program provides medical benefits, it will likely be treated as a group health plan, subject to non-discrimination requirements.

How are stand-alone wellness programs treated?

If they don’t pay for medical benefits, they are not treated as group health plans.

Who handles the Summary of Benefits and Coverage?

The insurer prepares the SBC, and the plan sponsor distributes it. A self-funded plan prepares its own SBC.

What are the two employer mandate penalties?

No Minimum Essential Coverage: $2,260 per full-time employee.

Inadequate Health Plan: $3,390 per full-time employee.

Have questions regarding these ACA mandates and filing? Contact a Plexus Technology Services associate in Deer Park, Illinois at 847-307-6100, Chicago at 312-606-4800, Dallas at 972-770-5010 or Oklahoma City at 405-840-3033. We’re here to help and we’re happy to help.

Content provided by New Equipment Digest.



The Plexus Groupe’s Property and Casualty November Newsletter shares the Top 10 OSHA violations in 2018:

10. Personal Protective and Lifesaving Equipment – Eye and Face Protection

This is the first appearance of this construction standard on the list.

Standard: 1926.95
Number of Violations: 1, 536

9. Machine Guarding

Inspectors cited machine shops and manufacturers for point of operation and for guards that were not attached to machines.

Standard: 1910.212
Number of Violations: 1,972

8. Fall Protection – Training Requirements

Employers lacked competent persons to provide training as well as no written certifications that the training occurred.

Standard: 1926.503
Number of Violations: 1,982

7. Powered Industrial Trucks part 2

OSHA inspectors found forklift drivers who were not certified. In addition, employers failed to recertify drivers every three years.

Standard: 1910.178
Number of Violations: 2,294

6. Ladders

Ladder use continues to be a problem in the construction industry. Inspectors found broken steps, use of top steps and ladders not being used as intended.

Standard: 1926.1053
Number of Violations: 2,812

5. Lockout/Tagout

A general industry standard, employers did not implement an energy control program or training.

Standard: 1910.147
Number of Violations: 2,944

4. Respiratory Protection

Fit testing, medical evaluations and respiratory programs were non-existent for employers who received this violation.

Standard: 1910.200
Number of Violations: 3,118

3. Scaffolds – General Requirements

Scaffolds were not properly decked, leaving holes where a worker potentially could fall through.

Standard: 1926.451
Number of Violations: 3,336

2. Hazard Communication

Failure to train and not maintaining data sheets led to this violation for many auto repair shops as well as hotels.

Standard: 1910.200
Number of Violations: 4,552

1. Fall Protection – General Requirements

Topping the list once again is fall protection. Roofing contractors failed to provide PPE.

Standard: 1926.501
Number of Violations: 7,270

If you have questions about this newsletter or any of the OSHA safety violations identified, contact an insurance expert at The Plexus Groupe at 847-307-6100.

DID YOU KNOW? Driving For Dollars Can Be Costly


As a consumer, I love the idea of Uber or Lyft. When my family and I were on vacation overseas this summer, it was very convenient to secure a pre-arranged trip and feel confident that we wouldn’t be taken advantage of as tourists.

As an insurance professional, I’m less than thrilled with the idea of Uber. Just before my son left for college, I overheard him talking to a friend.  “Yeah, I wish I could drive for Uber, but my car is too old.”  I mentally patted myself on the back for providing him with a not-so-pretty, but well-maintained '98 Buick Century.

From an auto insurance standpoint, the problem with Uber is coverage for an accident while the driver is “on the clock." Most, if not all, personal auto insurance policies exclude liability coverage, medical coverage, uninsured/underinsured motorist coverage and physical damage coverage when a personal vehicle is used for a fee.  Examples of this exclusion include the following from well-known insurance companies:

Policy Example 1

Vehicles used for a fee. We do not cover any person for damages arising out of the ownership, maintenance, or operation use of a vehicle while it is being used as a public or livery conveyance, including while it is being used for ride sharing in connection with a ride sharing program, for a fee.

“Ride sharing” means the use of any vehicle in connection with a ride sharing program during any time period the driver is logged into an online-enabled ridesharing application or digital network as a driver, when the driver accepts a requested ride, is en route to pick up a passenger, or is transporting a passenger until the passenger departs the vehicle.

Policy Example 2


The following sections of your Personal Auto Policy contain an exclusion which states coverage does not apply when “your covered auto” or a “nonowned auto” is being used as a public livery or conveyance:

Part A – Liability Coverage

Part B – Medical Payments Coverage

Part C – Uninsured/Underinsured Motorists Coverage; and

Part D – Coverage for Damage to Your Auto

The exclusions are clarified to specifically indicate no coverage exists when there is utilization of an online-enabled application, digital network or other form of communication used to connect passengers with drivers using vehicles for the purpose of providing prearranged transportation services for compensation.

Note that these exclusions are written to be as airtight as possible. In example 1, the exclusion applies when you are “en route to pick up a passenger” and “until the passenger departs the vehicle."  Uber provides their own insurance, but the app must be on, even when the driver is waiting for a ride request.  In addition, what constitutes “departing” a vehicle?  What if the passenger gets out of the vehicle, realizes she left her purse in the back seat, and is injured as she gets back in the car to retrieve her purse? Has she “departed” the vehicle?

In Example 2, the company reminds you that there is no coverage and then clarifies the exclusion with a separate Notice to Policyholders. Note that this exclusion even mentions transportation services for “compensation”.  It does not limit the exclusion to money.

But what if you have your heart set on becoming an Uber driver? You have the time and you want to earn some extra cash.  Can you get coverage?

As with most insurance questions, the answer is “it depends”.

It depends on the insurance company that covers your car and it depends on the coverage that is offered. It is important to remember that your insurance policy is a contract between you and the insurance company.  The insurance company spends millions of dollars per year employing attorneys to write the contract language and get that language approved by Department of Insurance (DOI) offices in every state in which they do business.  Think of the contract language as a wall.  Inside the wall is the coverage you want.  Outside the wall is everything the insurance company does not want to pay for and every word in the contract is a brick in that wall.

One well-known insurance company offers an extra-cost endorsement to provide coverage while your vehicle is being used to provide rides for a fee. The endorsement is almost two pages long, contains approximately 1,000 words, and is entitled LIMITED RIDE SHARING COVERAGE.  Note that the endorsement includes the word “limited”.  That’s because the insurance company is taking great pains to limit the amount of coverage they are going to provide when you start your side hustle with Uber.

So, before you hit the “I accept” button on the Uber application, consider the costs against the benefits. You may have considered the loss of free time, the wear and tear on your car, and the possibility of dangerous passengers, but you also need to consider the insurance implications and how your policy may or may not respond.  Talk to your agent and make sure you understand the financial risks involved.

Have questions about insurance coverage while driving for a ride-share company? David Miller has answers. Miller, who writes the monthly, DID YOU KNOW? blog is The Plexus Groupe’s Vice President, Client Executive for Private Client Solutions. He can be reached by calling 846-307-6141.



A new study from Deloitte Health Solutions describes the U.S. health system as a kind of “Wild West,” and says benefits users and consumers fit into four general categories in that framing.

This Employee Benefits Newsletter from The Plexus Groupe delves into a recent study that surveyed 4,530 U.S. benefits users and consumers to assess their attitudes, behaviors, and preferences when making decisions about health care and health insurance. In their frontier scenario, the Deloitte researchers said consumers can be placed in the following categories:

·       Trailblazers—tech savvy, self-directed, engaged in wellness, willing to share data.

·       Prospectors—who rely on recommendations from friends/family, use providers as trusted advisors, willing to use technology.

·       Homesteaders—reserved, cautious traditionalists.

·       Bystanders—complacent, tech-reluctant, resistant to change, unengaged.

According to the report, Trailblazers make up 16 percent of consumers. These tend to be younger, higher-income consumers. They tend to be in excellent health, and the group contained more men than women. These are consumers who are most likely to look up report cards or scorecards on doctors, hospitals, and health insurance companies. They are also the most likely to change doctors if they are dissatisfied with their communication style.

The Prospectors is the second-youngest group and made up 30 percent of respondents. This group is also the second-highest income group and consisted of equal percentages of men and women. They are more open to technology such as wearable devices and virtual office visits. They are the second-most likely group to look up quality ratings for providers and plans, and rely on word of mouth or recommendations of former providers when choosing a new provider.

The Bystanders make up 14 percent of respondents, and are the oldest and poorest segment in the survey. This group is made up of more women than men, and are the most likely to be in poor health. The Bystander group is least likely to share health information with a doctor, least likely to follow a healthy diet or exercise according to recommendations, and most likely to choose a doctor based on out-of-pocket costs and convenience.

The largest group in the survey was Homesteaders, at 40 percent of respondents. This is the second-oldest group, second-lowest income group, and consists of more women than men. This group is less open to technology and close to average when it comes to following recommendations about health diet and exercise. This group is also more interested in convenience than out-of-pocket costs when choosing a provider, and less likely to change providers, even if they are dissatisfied with the provider’s communication style.

The Deloitte report suggested a range of strategies for reaching consumers, based on where they fell in these categories. For example, they recommend offering virtual office visits and encouraging the use of wearable devices or phone apps for the Trailblazer and Prospector groups. On the other hand, the report recommends a less-high tech, more high-touch approach for the Homesteaders and Bystanders. Using case managers, wellness coaches, or engaging caregivers and family members will yield better results with these groups, the report says.

“Every consumer makes decisions differently—whether deciding on which movie to watch, what type of car to buy, or where to stay or eat during a vacation. Consumers also have different approaches to determining which health plan offers the most appropriate coverage, when and where to seek care at a hospital, how to choose a doctor, and whether a pharmaceutical product or medical device offers value,” the report says. “Organizations can use data beyond just demographics to identify which segment their population or consumers fall into—and thus better target, attract, and retain consumers.”

If you have concerns about how best to approach your employee base, contact a client service team representative from The Plexus Groupe in Deer Park, Illinois at 847-307-6100, Chicago at 312-606-4800, Dallas at 972-770-5010 or Oklahoma City at 405-840-3033.

We’re here to help and we’re happy to help.

Content provided by BenefitsPro.



Insurance For Mass Shootings On The Rise

With the rise in mass shootings at schools, churches, concert venues, movie theaters, and even yoga studios, the need for insurance for mass shootings increases.

A terror attack or mass shooting can plunge organizations into a disorienting world of trauma, grief, media scrutiny and litigation threats. This newsletter from The Plexus Groupe’s Property & Casualty practice delves into how to protect your assets when an attack occurs to allow healing to begin.

When an attack occurs, the leaders of private companies and government entities alike feel driven to deliver a caring, supportive response to the victims and survivors. At the same time, they are staring down expenses that can spiral into millions of dollars.

A specialized kind of named-perils insurance is helping risk managers deliver the response organizations need. Indeed, select insurers are seeing strong demand for active shooter policies, which came to the marketplace within the past few years amid rising anxieties from a seemingly endless stream of violent attacks.

These policies represent more than an extra budget line item—they provide resources that help people recover from trauma. Understanding the basics of violence-response policies can help risk managers better serve their companies and stakeholders.

The Rise of Active Shooter Policies

Organizations such as the FBI and the Gun Violence Archive have documented a rise in mass shootings in the United States in recent years. In the immediate aftermath of these attacks, employers, school districts and other targets faced a similar challenge. While enduring the painful process of recovery, they were also scanning their existing insurance policies and discovering that they lacked the appropriate coverage. As a result, they often had to bear the full brunt of the recovery-related expenses on their own.

This gap between available coverage and marketplace demand provided an opportunity for insurance program developers who applied traditional named-perils coverage to new categories of risk. Over the years, named-perils policies had emerged to protect against storm risk, employment practices liability, cyber events and sexual misconduct. Today, named-perils policies help organizations manage the risks of mass shootings, terror attacks, kidnapping/ransom, and workplace violence.

Initially, coverage for active shooter and other mass violence incidents came in response to requests from larger school systems, health care companies, and the organizers of high-profile events like parades and festivals. Now, small-business owners, daycare centers, churches, car dealerships, and other local organizations have started seeing the value of these policies as well.

What Policies Can Cover

While general liability coverage applies to an expansive range of risks, it also has its limitations. By contrast, named-perils policies for mass violence explicitly state what they do cover. Of course, coverages have limits, but they address common expenses and scenarios that many general liability policies do not. Active shooter coverages can include:

Crisis management. Insurers can partner with expert teams trained to help insureds deal with media, reassure families, confer with top executives, and help the organization show the public it is handling the crisis with competence and compassion. Without expert guidance, it is possible that an organization’s suboptimal response to a crisis can create an entirely new crisis in its own right. The branding and public perception of an institution after an active shooter event can be difficult to recover from.

Victim counseling, medical, disability, funeral expenses and death benefits. Policies help organization leaders answer the question of who will help the victims by providing a supportive response to the trauma their employees and patrons experience.

Off-site/international terror attacks. Coverages can apply to workers traveling worldwide.

Loss of revenue/extra expenses. Policy provisions help commercial businesses recover income lost when police investigations bring commerce to a halt.

Loss of attraction. When a mass attack stigmatizes a neighborhood or business district, insurance can help companies fill some of the revenue gaps. This applies even if the incident did not occur at the insured’s own business.

Property cost. Many organizations have experienced millions of dollars’ worth of property expenses from an attack due to the cost of structural security upgrades along with building closure, relocation or teardown.

Litigation. Policies can cover an expansive range of legal costs related to “duty of care” that might not be available under general liability insurance. According to Dr. Christina Marinakis, director of jury research at Litigation Insights, this is important because organizations today are being held to a higher standard of accountability than in the past  when it comes to providing public safety measures.

Prevention. Insurers can work with policyholders to figure out how to identify troubled individuals and intervene before it is too late.

Examining the Exclusions

Many active shooter/workplace violence policies contain exclusions that could prove costly in the aftermath of an incident. The following are some of the most common exclusions:

Employees. Coverage may only include guests or visitors and not  employees of the insured. Due to the nature of these events, insured persons should include employees, volunteers, students, guests and patrons.

Casualty thresholds. Some policies have a body deductible and coverage applies only after a certain number of people (usually three or four) have been injured or killed. Most active shooter/ workplace violence events involve less than three individuals, however, so it is important to ensure that your policy covers these incidents as well.

Vehicles. Vehicle attacks are becoming more common. Certain policies might rule out damage caused by a vehicle, such as an incident involving a vehicle ramming into a crowd of people.

Weapons. Coverage can be confined to firearms or bladed weapons and might not cover improvised explosives or ordinary items used for violent purposes, which, as the Boston Marathon bombing demonstrated, can be just as harmful.

While these exclusions are rare, with the evolution of coverage forms, policies still need to be reviewed carefully. More robust policies are available that cover all these risk scenarios to provide the proper coverage.

The Cost of Recovery

Lone-wolf violent attacks have garnered a significant amount of private and government attention and resources to provide vital attack analysis. For example, earlier this year, the U.S. Secret Service’s National Threat Assessment Center released its analysis of various mass attacks that occurred in 2017 in an effort to uncover clues that could assist in developing effective prevention measures.

These incidents are among the most significant financial exposures an organization can face. For example, the actions of the single assailant in the 2007 Virginia Tech shooting produced an estimated $48.2 million in litigation and recovery costs. And it cost $50 million to build a new Sandy Hook Elementary School in response to the 2012 attack.

In Florida, Broward County spent $1.2 million after a 2017 lone-wolf shooting at Fort Lauderdale-Hollywood International Airport. The Sun Sentinel reported the county’s spending included $562,000 to reunite travelers with their luggage, $270,000 to replace carpets and tiles at the shooting site and $314,700 for an assessment of the county’s handling of the crisis.

The combination of litigation costs and direct recovery expenses can financially devastate smaller organizations. Larger entities like corporations and universities may have more resources, but they still must reallocate funds toward recovery and away from other critical needs.

Thus, risk managers need to carefully assess their organization’s ability to withstand a violent attack and help the victims heal from the damage in order to determine if active shooter and workplace violence insurance is worth exploring in order to help mitigate these risks.

If you have questions about this newsletter or mass shooting insurance, contact an insurance expert at The Plexus Groupe at 847-307-6100.

Content provided by Risk Management Magazine.



The Plexus Groupe’s Employee Benefits September 2018 Newsletter provides this toolkit intended to help employers that sponsor group health plans understand their compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA). It also provides sample resources to help employers comply with HIPAA’s documentation requirements for their group health plans.

HIPAA is a broad federal law that includes rules for protecting the privacy and security of certain health information, which is called protected health information (PHI). HIPAA also includes notification requirements following a breach of PHI. This toolkit discusses the following rules, which are collectively referred to as the HIPAA Rules.

While employers are not directly regulated by the HIPAA Rules, most employer-sponsored group health plans are subject to the HIPAA Rules’ requirements to some degree. This means that employers that sponsor group health plans for their employees will usually have compliance obligations under the HIPAA Rules with respect to their group health plans.


To assess how the HIPAA Rules may apply to an employer-sponsored group health plan, employers should review their group health plans and their access to PHI. The following flowchart depicts these steps:


An employer is generally not subject to the HIPAA Rules when it performs employment-related functions, such as administering employee leaves of absence or fitness-for-duty requirements. However, the HIPAA Rules indirectly regulate employers in their role as health plan sponsors. When an employer receives PHI from its group health plan for plan administrative functions, the employer must agree to comply with certain requirements of the HIPAA Rules.

Employers should assess their group health plans to determine if the HIPAA Rules apply and, if so, to what extent. A HIPAA assessment flowchart is provided as part of this toolkit to help employers with this process. Also, key concepts and action items are explained throughout this toolkit. After performing a HIPAA assessment, employers should refer to the HIPAA checklist below that is applicable to them.

Covered Entities

Health Plans

In general, any individual or group plan that provides or pays the cost of health care is a covered entity subject to the HIPAA Rules. Health insurance issuers are also considered health plans subject to the HIPAA Rules.

There is a special exemption for certain small, self-funded health plans. Under this exemption, a self-funded health plan with fewer than 50 eligible employees that is administered by the employer that sponsors the plan is exempt from the HIPAA Rules. This exemption may apply to group medical plans, health reimbursement arrangements (HRAs) or health flexible spending accounts (FSAs) that satisfy the requirements for the exemption.

Health Care Clearinghouse

A health care clearinghouse is a public or private entity that processes another entity’s health care transactions from a standard format to a nonstandard format (or vice versa). In many cases, health care clearinghouses will receive individually identifiable health information when they provide services to a health plan or health care provider as a business associate. Health care clearinghouses may include, for example, repricing companies, value-added networks, billing services or community health management information systems.

Health Care Providers

Every health care provider, regardless of size, that electronically transmits any health information in connection with a HIPAA-covered transaction is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests and other transactions for which HHS has established standards under HIPAA. Covered health care providers may include, for example, chiropractors, medical clinics, dentists, doctors, nursing homes, pharmacies and hospitals.

Business Associates

A business associate is a person or organization (other than an employee of a covered entity) that performs certain functions on behalf of, or provides certain services to, a covered entity that involves access to PHI.

Examples of Business Associates:

·      Third-party administrators (TPAs)

·      Pharmacy benefit managers (PBMs)

·      Attorneys or auditors who use PHI in performing their services

·      Health plan consultants or brokers

In general, a business associate means a third party (including a subcontractor) that:

  • Creates, receives, maintains or transmits PHI on behalf of the covered entity for a HIPAA-regulated activity or function, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing; or

  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for the covered entity where the provision of the service involves the disclosure of PHI from the covered entity (or from another business associate of the covered entity) to the service provider.

If a covered entity uses a business associate, there must be a written agreement between the parties, called a business associate agreement, that requires the business associate to comply with certain requirements under the HIPAA Rules. A sample business associate agreement is provided in this toolkit.

What Information is Protected?


The HIPAA Rules protect individually identifiable health information, called PHI, that is held or transmitted by a covered entity or its business associate. PHI includes information that relates to any of the following:

  • The past, present, or future physical or mental health or condition;

  • The provision of health care to an individual; or

  • The past, present or future payment for the provision of health care to the individual.

The HIPAA Privacy Rule applies to PHI in any form or media—written, verbal, electronic or in any other medium. The Security Rule’s requirements, however, only apply to ePHI.

PHI does not include employment records held by an employer. These records may include, for example, files or records related to occupational injury, disability insurance eligibility, leave requests, drug screenings, workplace medical surveillance and fitness-for-duty tests. Other laws, such as the federal Americans with Disabilities Act or state privacy laws, may impose confidentiality or privacy requirements on the information.

De-identified Health Information

De-identified health information is not governed by the HIPAA Rules because it is no longer individually identifiable. Covered entities may freely use and disclose de-identified information without taking into account the HIPAA Rules. There are two different methods that may be used to de-identify health information.

Statistical Method

Under the statistical method, a person with appropriate knowledge and experience applying generally applicable statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify the subject of the information. The covered entity must document the analysis and results that justify the determination.

Safe Harbor Method

Under the safe harbor method, information is presumed to be de-identified if a covered entity:

  • Has no actual knowledge that the information could be used to identify the subject of the information (alone or in combination with other information); and

  • Removes 18 specific identifiers from the information. The 18 identifiers that must be removed are:

  • Names;

    1. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of Census, (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000;

    2. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age;

    3. Telephone numbers;

    4. Fax numbers;

    5. Email addresses;

    6. Social Security numbers;

    7. Medical record numbers;

    8. Health plan beneficiary numbers;

    9. Account numbers;

    10. Certificate/license numbers;

    11. Vehicle identifiers and serial numbers, including license plate numbers;

    12. Device identifiers and serial numbers;

    13. Web URLs;

    14. IP addresses;

    15. Biometric identifiers, including finger and voice prints;

    16. Full-face photographic images and any comparable images; and

    17. Any other unique identifying number, characteristic or code.


The HIPAA Privacy Rule requires covered entities to comply with national standards for the protection of PHI. The Privacy Rule includes the following three main protections for PHI:

Minimum Necessary Rule

In general, when a covered entity uses, discloses or requests PHI, it must limit its use, disclosure or request to the minimum necessary amount of information to accomplish the intended purpose.

Employers that sponsor group health plans are also subject to these use and disclosure rules if they have access to PHI.

Required Disclosures

A covered entity must disclose PHI in only two situations:

  • To individuals (or their personal representatives) when they request access to their PHI in a designated record set or when they request an accounting of disclosures of their PHI; and

  • To HHS when it is investigating the covered entity’s compliance with the HIPAA Rules.

Permitted Disclosures

A covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorization, in certain situations, including the following:

  • To the individual – A covered entity may disclose PHI to the individual who is the subject of the information.

  • Public policy purposes – A covered entity may use or disclose PHI for specific public policy purposes, such as uses and disclosures that are required by law; for public health activities; about victims of abuse, neglect or domestic violence; for health care oversight activities; for judicial or administrative proceedings; for law enforcement purposes; necessary to avert a serious threat to health or safety; and for work-related injuries or illnesses.

  • Treatment, payment and health care operations – A covered entity may use and disclose PHI for:

    • Its own treatment, payment and health care operations activities;

    • The treatment activities of any health care provider;

    • The payment activities of another covered entity or any health care provider; or

    • The health care operations of another covered entity if both covered entities has (or had) a relationship with the individual, the PHI pertains to the relationship and the disclosure involves quality or competency assessment activities or fraud and abuse detection and compliance activities.

Authorized Disclosures

A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. In general, a health plan may not condition payment, enrollment or benefits eligibility on an individual granting an authorization, except in limited circumstances.

An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. The following information must be contained—in plain language—in HIPAA authorizations:

  • A description of the information to be used or disclosed;

  • The name or other specific identification of the person who is authorized to release the PHI;

  • The name or other specific identification of the person who is authorized to receive the PHI;

  • A description of the purpose of the requested use or disclosure (for example, at the request of the individual);

  • An expiration date or event;

  • A statement that the individual has a right to revoke an authorization in writing and an explanation of the procedures for revocation;

  • An explanation of the covered entity’s ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the receipt of an authorization;

  • A statement that informs the individual that the information used or disclosed pursuant to the authorization is subject to re-disclosure by the recipient and may no longer be protected by the HIPAA Privacy Rule; and

  • The individual’s signature and date of signature.

Reminder – An employer that is hands-on PHI (that is, it has access to PHI from the issuer for plan administration functions) takes on significant compliance responsibilities under the HIPAA Rules with respect to that PHI.

Other Disclosures

Disclosures to Plan Sponsors

A group health plan (and the health insurance issuer for a fully insured plan) may disclose the following PHI to the employer sponsoring the plan:

  • Plan enrollment or disenrollment information;

  • If requested by the plan sponsor, summary health information for the plan sponsor to use to obtain premium bids for providing health insurance coverage through the group health plan, or to modify, amend or terminate the group health plan; and

  • PHI of the group health plan’s enrollees for the plan sponsor to perform plan administration functions.If a plan sponsor has access to PHI other than summary health information and enrollment and disenrollment information, the plan must receive certification from the plan sponsor that the group health plan document has been amended to impose restrictions on the plan sponsor’s use and disclosure of the PHI. These restrictions must include the representation that the plan sponsor will not use or disclose the PHI for any employment-related action or decision or in connection with any other benefit plan.

Enforcement Example: No Business Associate Agreement

In April 2017, HHS entered into a HIPAA settlement with a small health care provider following an investigation of a business associate. Neither the health care provider nor the business associate could produce a signed business associate agreement. Based on this HIPAA violation, the health care provider agreed to pay HHS $31,000 to settle the investigation.

Disclosures to Business Associates

The HIPAA Rules allow a covered entity to share PHI with a business associate if the covered entity receives satisfactory assurances from the business associate—through a business associate agreement—that it will appropriately handle and safeguard PHI. A business associate may use or disclose PHI only as permitted or required by its business associate agreement or as required by law. In general, a business associate is prohibited from using or disclosing PHI in a manner that would violate the HIPAA Privacy Rule if done by the covered entity.

The business associate agreement must establish the permitted and required uses and disclosures of PHI by the business associate. The business associate agreement must also require the business associate to:

  • Not use or further disclose the PHI other than as permitted or required by the contract or as required by law;

  • Use appropriate safeguards to prevent improper use or disclosure of the PHI;

  • Report to the covered entity any known use or disclosure of PHI not permitted by the contract or any breach of unsecured PHI;

  • Ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions that apply to the business associate;

  • Make PHI available, including for amendment, to individuals as required by the HIPAA Rules;

  • Maintain an accounting of disclosures, made during the last six years, and make the accounting available upon request; and

  • Make its internal practices, books and records relating to use and disclosure of PHI available to HHS.

The business associate contract must also allow the covered entity to terminate the contract in the event of a material breach. At termination, the business associate must be required to destroy or return all PHI, if feasible, or extend the limitations on use and disclosure beyond termination of the contract.

Individual rights

Notice of Privacy Practices

The HIPAA Privacy Rule requires covered entities to provide a Notice of Privacy Practices to each individual who is the subject of PHI. The Privacy Notice for a health plan must be written in plain language and must:

  • Explain how the health plan may use and disclose an individual’s PHI;

  • Describe the individual’s rights with respect to his or her PHI; and

  • Summarize the health plan’s legal duties with respect to the PHI.

There are a number of specific provisions that must be incorporated into the Privacy Notice, such as details regarding how individuals may exercise their rights with respect to PHI. A typical Privacy Notice is multiple pages long due to the numerous content requirements.

The Privacy Notice requirements for a health plan vary depending on whether the plan is self-insured or fully insured, and, if the plan is fully insured, whether the plan sponsor has access to PHI for plan administration purposes. A self-insured plan must always issue its own Privacy Notice, while a fully insured plan is only required to maintain its own Privacy Notice if the employer has access to PHI for plan administration functions.

Delivery Requirements

At least once every three years, self-insured health plans must provide the Privacy Notice, or notify participants that the notice is available with instructions for how to obtain a copy. In addition, self-insured health plans must provide the Privacy Notice in the following circumstances:

  • To new enrollees at the time of enrollment;

  • Within 60 days of a material change to the notice; and

  • Any time upon a participant’s request.

If a health plan sends out a revised notice (for example, following a material change to the notice), it will reset the three-year notice requirement.

A health plan must provide the Privacy Notice to individuals covered by the plan. If the health plan provides the Privacy Notice to a covered employee, the plan is not required to provide a separate notice for dependents (for example, a spouse or child) covered through the employee.

The Privacy Notice must be actually delivered to participants. Merely posting the Privacy Notice on a website or on a bulletin board in the workplace is not sufficient. The Privacy Notice may be provided electronically via email to participants who have agreed to receive an electronic notice. The health plan must provide a participant with a paper copy of the Privacy Notice if it discovers that the electronic delivery has failed.

In general, the Privacy Notice may be provided with other plan documents. It does not need to be provided as a stand-alone document. For example, a health plan could provide the Privacy Notice with the plan’s enrollment materials or with the summary plan description (SPD). However, the Privacy Notice may not be combined in the same document as a HIPAA authorization.

If a health plan maintains a website about the plan’s services or benefits, the Privacy Notice must be posted on the website and must be electronically available through the website.

Model Privacy Notices

HHS has developed model Privacy Notices that health plans may customize and use. There are three designs for the model Privacy Notice for health plans—a booklet version, a full-page version and a layered version. Every design has the same language, although the layered notice includes an additional first page that summarizes key privacy rights, choices, uses and disclosures.

Each design is in a fillable Adobe PDF format and has some areas that can be customized for each health plan. More information on customizing the notice and best practices is available in the Health Plan Instructions and Questions and Instructions for using the Model Notices. For additional flexibility, HHS also maintains a text-only version of the model Privacy Notice


The HIPAA Security Rule establishes national standards for securing individuals’ ePHI. These standards require covered entities to analyze the risks and vulnerabilities of the confidentiality, integrity and availability of their ePHI. The risk assessment process helps covered entities implement reasonable and appropriate administrative, physical and technical safeguards to protect their ePHI.

Impact on Health Plans

In general, sponsors of self-insured and fully insured group health plans should conduct risk assessments and implement appropriate safeguards to protect their ePHI. Unlike the Privacy Rule, the Security Rule does not contain a special exception for fully insured plans that do not have access to PHI for plan administration purposes. However, fully insured health plans that do not handle ePHI will have fewer obligations under the Security Rule due to their hands-off approach to PHI.

Electronic phi

The Security Rule only applies to ePHI—it does not apply to PHI that is in paper or written form, and it does not apply to electronic personal information that is not PHI.

Electronic PHI is PHI that is transmitted by, or maintained in, electronic media. This includes PHI in computers, devices that are used with computers (such as disks and drives), and smartphones. It also includes PHI that is sent via email or in any manner using the internet.

The Security Rule’s requirements apply even when the ePHI is located on a device that is not owned by the covered entity (for example, an employee’s smartphone) or is accessed outside of the covered entity’s physical location (for example, on a home computer or on a laptop outside of work). HHS has cautioned that covered entities should be extremely careful about allowing off-site use of, or access to, ePHI due to security risks involved.

Security requirements

The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Each covered entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity’s business, as well as its size, complexity and resources. Specifically, a covered entity must:

  • Ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits;

  • Identify and protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI;

  • Protect against reasonably anticipated use or disclosure of ePHI that is not permitted or required under the HIPAA Privacy Rule; and

  • Ensure its workforce complies with the procedures implemented to comply with the HIPAA Security Rule.

    Risk Assessment

    According to HHS, performing a risk assessment is a crucial first step to comply with the Security Rule. A risk assessment helps an organization establish appropriate administrative, physical and technical safeguards for its ePHI. It directs what reasonable steps a covered entity or business associate should take to protect the ePHI it creates, transmits, receives or maintains.

    There are numerous methods of performing a risk assessment, and there is no single method or best practice that guarantees compliance with the Security Rule. However, most risk analysis processes have common steps. The following are examples of common risk analysis steps:

    Also, to better understand the risk analysis and management processes, covered entities should be familiar with the following terms:

    • Vulnerability means a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of security policy.

    • Risk means the net impact considering the probability that a particular threat will exercise a particular vulnerability and the resulting impact if this should occur.

    • Threat means the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Threats may be grouped into the following categories:

      • Natural threats, such as floods, earthquakes, tornadoes and landslides;

      • Human threats, including intentional (for example, network and computer-based attacks, malicious software upload and unauthorized access) and unintentional (for example, inadvertent data entry or deletion) actions; and

      • Environmental threats, such as power failures, pollution, chemicals and liquid leakage.

    Security Standards

    The security standards are divided into the following three categories:

    Enforcement Example: In January 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement with an insurance company regarding an impermissible disclosure of ePHI. The disclosure involved a USB data storage device containing ePHI that was stolen from the company’s IT department, where the device was left without safeguards overnight. Pursuant to the settlement, the insurance company paid $2.2 million and implemented a corrective action plan.

    The standards and implementation specifications for each type of safeguard are listed in the Security Standards Matrix below. The Security Rule allows covered entities some flexibility in determining how to implement the standards and implementation specifications, including choosing which technology it will employ in order to achieve the required security standards. In deciding how to implement security measures, a covered entity is permitted to take into account:

    • Its size, complexity and capabilities;

    • Its technical infrastructure, hardware and software security capabilities;

    • The costs of security measures; and

    • The probability and criticality of potential risks to health information.

    However, HHS has stated that cost alone is not a justification for failing to implement a procedure.

    In an effort to provide covered entities with additional flexibility, the Security Rule categorizes implementation specifications as “required” or “addressable.” The “required” implementation specifications must be implemented.

    The “addressable” designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.

    Policies and Procedures

    Covered entities are required to implement reasonable and appropriate policies and procedures to comply with the Security Rule’s standards and implementation specifications. These policies and procedures must be documented in written form, which may be electronic. In addition, a covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. Documentation supporting its security policies must be retained for at least six years from the date of its creation or the date when it was last in effect, whichever is later.


    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) amended HIPAA to add breach notification requirements for unsecured PHI. The HITECH Act, and its underlying HIPAA breach notification rules, require covered entities to notify affected individuals following the discovery of a breach of unsecured PHI. Notification must also be provided to HHS and, in some cases, to the media.

    Unsecured PHI

    The breach notification requirements only apply to unsecured PHI. PHI is unsecured if it is not rendered unusable, unreadable or indecipherable to unauthorized individuals by a methodology specified by HHS. HHS has specified encryption and destruction as the methodologies for securing PHI.

    breach of unsecured phi

    The HIPAA Rules define a “breach” as the unauthorized acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the information. There are three exceptions to this definition.

    1. Disclosures where the recipient of the information would not reasonably have been able to retain the information;

    2. Certain unintentional acquisition, access, or use of information by employees or others acting under the authority of a covered entity or business associate; and

    3. Certain inadvertent disclosures among people similarly authorized to access PHI at a business associate or covered entity.An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through a risk assessment that there is a low probability that the PHI has been compromised (or one of the three exceptions to the definition of breach applies). The risk assessment must, at a minimum, take into account these factors:

      • The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification;

      • The unauthorized person who used the PHI or to whom the disclosure was made;

      • Whether the PHI was actually acquired or viewed; and

      • The extent to which the risk to the PHI has been mitigated.

      If an evaluation of the factors fails to demonstrate that there is a low probability that PHI has been compromised, breach notification is required.

      Breach Notification

      Notice to Individuals

      If a covered entity discovers that it has experienced a breach of unsecured PHI, it must notify each individual whose unsecured PHI has been (or is reasonably believed by the covered entity to have been) accessed, acquired, used or disclosed as a result of the breach. The notice must be provided without unreasonable delay and in no case later than 60 calendar days after the breach is discovered.

      Enforcement Example: In January 2017, OCR announced a HIPAA settlement with a health care provider based on the untimely reporting of a breach of unsecured PHI. After receiving a breach notification report from the health care provider, OCR investigated and found that the provider failed to notify affected patients, media outlets and OCR within 60 days of the discovery. Pursuant to the settlement, the provider paid $475,000 to OCR and implemented a corrective action plan,

      The notice must be written in plain language and must contain the following information:

      • A brief description of what happened, including the dates the breach occurred and was discovered, if known;

      • A description of the types of unsecured PHI that were involved, such as names, Social Security numbers or other types of information;

      • Any steps individuals should take to protect themselves from potential harm resulting from the breach;

      • A brief description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals and protect against any further breaches; and

      • Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, website or postal address.

      In general, notice must be provided in writing, by first-class mail to the individual’s last known address. Notice can be sent electronically if the individual has agreed to electronic notice. In a case that requires urgency because of possible imminent misuse of unsecured PHI, the covered entity may provide notice by telephone or other means.

      Notice to HHS

      Covered entities must notify HHS of a breach of unsecured PHI. However, the notification required depends on the size of the group affected.

      Breaches involving fewer than 500 individualsThe covered entity must maintain a log or other documentation of the breaches. Within 60 days after the end of each calendar year, the covered entity must notify HHS of the breaches that occurred during the year.Breaches involving 500 or more individualsThe notice must be provided at the same time as the notice to the individuals and in the manner specified on the HHS website.

      Notice to the Media

      If the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets that serve that area. The notice must include the same information as a notice to an individual. It must be provided without unreasonable delay and no later than 60 calendar days after the breach is discovered.

      Business Associate Role

      If a business associate discovers a breach of unsecured PHI, it must notify the covered entity of the breach. Notification must be provided without unreasonable delay and no later than 60 calendar days after the breach is discovered. The notice must include, to the extent possible, the identification of each individual whose unsecured PHI has been affected. The business associate must also give the covered entity any information necessary to notify the individual of the breach.


      Covered entities must incorporate compliance with the breach notification requirements into their HIPAA privacy policies and procedures. Covered entities and business associates have the burden of demonstrating that all notifications were provided or that an impermissible use or disclosure did not constitute a breach, and must maintain documentation to meet the burden of proof.


      HHS’ OCR is responsible for enforcing the HIPAA Privacy and Security Rules. OCR investigates complaints that individuals file, conducts compliance reviews, and performs education and outreach to encourage compliance. OCR also works with the Department of Justice regarding possible criminal violations of HIPAA.

      Enforcement Data

      As of July 31, 2018, OCR has received over 186,453 HIPAA complaints and has initiated over 905 compliance reviews. OCR has resolved 96 percent of these cases (178,834). In many cases involving HIPAA violations, OCR worked with the entities involved to apply corrective measures instead of imposing penalties. However, to date, OCR has settled or imposed a civil money penalty in 55 of these cases, resulting in a total dollar amount of $78,829,182. More information regarding HIPAA enforcement is available through OCR’s website.

      Most of OCR’s investigations are trigged by individuals’ complaints regarding HIPAA violations or a covered entity’s breach notification reports. OCR has investigated many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices.

      OCR’s most investigated compliance issues (in order of frequency):·         Impermissible uses and disclosures of PHI;

      ·         Lack of safeguards on PHI;

      ·         Lack of patient access to PHI;

      ·         Uses or disclosures of more than the minimum necessary PHI; and

      ·         Lack of administrative safeguards to protect ePHI.

      HIPAA Audits

      OCR has audited covered entities and business associates to ensure their compliance with the HIPAA Rules. According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a review to investigate.


  • In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by covered entities to comply with HIPAA’s requirements.

  • In March 2016, OCR launched the second phase of its HIPAA audit program. This second phase of HIPAA audits included covered entities and their business associates.

  • Next, OCR is expected to release its findings regarding the second phase of its audit program. It is not clear at this point whether OCR will continue its HIPAA audit program in the future. However, OCR has indicated that it will continue to investigate covered entities of all sizes and types when it becomes aware of possible compliance failures.

    Civil Penalties

    OCR has the authority to assess civil penalties for violations of the HIPAA Privacy or Security Rules. The amount of the penalty depends on the type of violation involved. These penalties may not apply if the violation is corrected within 30 days of the date the person knew, or should have known, of the violation. HHS is also required to assess penalties for violations involving willful neglect and to formally investigate complaints of such violations.

    These civil penalty amounts are subject to annual inflation-related increases. The penalty amounts that apply to civil penalties that are assessed on or after Feb. 3, 2017, and relate to violations occurring after Nov. 2, 2015, are as follows:

    Criminal Penalties

    Criminal penalties may be assessed for violations of the HIPAA Privacy and Security Rules. These penalties are $50,000 and one year in prison for knowing violations, $100,000 and five years in prison for violations committed under false pretenses, and $250,000 and 10 years in prison for offenses committed for commercial or personal gain.

    Amount of Penalties – Important Factors

    The Enforcement Rule provides some guidance on the actions that constitute a single violation, but gives HHS the authority to determine the number of violations based on the nature of the covered entity’s obligation to act or not act under the provision that is violated. Where a violation is continuing, a separate violation occurs each day that the covered entity is in violation of the requirements. Also, HHS must consider certain aggravating or mitigating factors when imposing civil penalties. These factors include the following:

    • The nature and extent of the violation, including (but not limited to) the number of individuals affected and the time period during which the violation occurred;

    • The nature and extent of the harm resulting from the violation, including whether the violation resulted in physical harm, financial harm, harm to an individual’s reputation or hindered an individual’s ability to obtain health care;

    • The history of prior compliance with HIPAA’s administrative simplification requirements, including whether the current violation is the same or similar to previous instances of noncompliance, whether and to what extent the covered entity has attempt to correct prior instances of noncompliance, how the covered entity has responded to technical compliance assistance from OCR and how the covered entity has responded to prior complaints;

    • The financial condition and size of the covered entity; and

    • Any other matters as justice may require.Civil money penalties may not be imposed if HHS determines that the violation was not due to willful neglect and it is corrected within a time frame specified by HHS (that is, within 30 days). Willful neglect is defined as a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provisions. HHS has discretion to expand the 30-day time period depending on the nature and extent of the covered entity’s compliance failure.For violations due to reasonable cause and not to willful neglect that are not corrected in a timely manner, HHS may waive civil money penalties, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation. In addition, HHS must initiate civil money penalty actions within six years from the date the alleged violation occurred.


Have questions regarding HIPAA Compliance, this newsletter, or any other employee benefits matters? Contact a client service team representative from The Plexus Groupe in Deer Park, Illinois at 847-307-6100, Chicago at 312-606-4800, Dallas at 972-770-5010 or Oklahoma City at 405-840-3033.We’re here to help and we’re happy to help.

Content provided by Zywave.



15 Emerging Risks Worth Watching — That Aren’t Cyber

Insurance experts have identified the most important emerging risk for the property and casualty insurance industry as cyber in one form or another.

But what about other emerging risks? They identified 15 risk trends. They are:

Directors and Officers Privacy – Many companies are capturing vast amounts of client and customer information — and must to comply with GDPR. Think how much your airline, pharmacy and even your electric company know about you. Often this information is then used to better define their marketing and pricing efforts. If mishandled, this information could lead to bad publicity, a corporate crisis, and significant D&O litigation.

Government Actions – Government imposition of retroactive liability or limits on the ability of the market place to price risk can threaten marketplace stability. Industry security is also impacted by the effectiveness of government security policies preventing cyber warfare terrorist attacks, the next asbestos, superfund or next 9/11 solvency threat. There is a technology race that is driving massive insurer investment in IT and changing business strategies and platforms to meet escalating consumer expectations.

Sandbox Trap – Regulation of insurance. Traditional carriers are pushing for laxation of rules and momentum exists for creating regulatory sandboxes for new companies and distributors. Reasonable but strong regulation protects companies often against themselves, and it protects consumers from companies that might find ways around quality capitalization, disclosure, and quality coverages.

Tax Accounting – The Tax Cuts and Jobs Act took effect on Jan. 1, 2018 and has an immediate impact on accounting professionals because of the large overall on the U.S. Internal Revenue Code. The result is that it is has produced two primary risks for an increase in claims: advisory-related risks associated with fully educating clients and managing client expectations.

Regulation Fragmentation – Regulatory fragmentation from state to state in the area of data and cyber security. There are many differences between EU’s General Data Protection Regulations (GDPR) and emerging U.S. state regulations and controllers of that data in each system must demonstrate technology, process and organizational compliance.

Policy Deficiencies – Increasing deficiencies in insurance policies, especially personal lines, mixed in with dominant industry advertising leads consumers to believe that their only difference between insurance companies is the price of their policies. Compounding that is the emergency of insurtechs that tout they can place your insurance in seconds by asking only a few — or even one — questions.

Irrelevant Policies – Whether insurers will be able to adapt quickly and effectively to dramatic societal changes threatening to breach traditional policy boundaries and lines of business is vital to the future of insurance. To remain relevant for buyers operating in the sharing virtual and gig economies, carriers will need to adapt policy language to account for the blurring of lines between commercial and personal use of property and times as well as among individual product lines.

Fundamental Auto – The fundamental changes to auto and the auto business in the next decade will provide opportunities and threats to the auto insurance business. Driverless cars, ride sharing, and technology will all change the way auto insurance policies are written and priced in years to come.

Unprotected Assets – Digital assets already have more value than physical ones. Cyber liability insurance is answering one part of the expanded needs but falls short of protecting digital assets. The higher the digital assets relevancy, the bigger and more articulated the need to protect it.

Risky Playgrounds –  Children’s playground, with features including spiked nails and steep drops have been gaining popularity around the globe in part because educator’s are claiming that purposeful risky play promotes resilience and builds self-reliant young people. Playgrounds now feature access to saws, knives, loose bricks and two-by-fours and fire — and endless insurance complications.

Dockless Scooters – Electric scooters are popping up in urban areas across the country. Companies like Bird, Lime, Spin and others have flooded the sidewalks with a policy of ask for forgiveness, not permission in cities like Boston, San Francisco and Chicago. Users pay with a credit card and don’t have to return the scooters to a designated location, causing scooters to be abandoned throughout the cities. Cities are balking and injury claims are growing. If a pedestrian is hit by a person on a scooter, there often is no insurance company to sue.

Driving Deliveries – The rising demand of fast and free delivery of retail goods needs monitoring.  Consumers want expecting faster deliveries and more accurate delivery times but are not willing to pay the price, which causes more driving jobs in a gig economy whose drivers often use private cars to fulfill deliveries. Health risks like back pain from lifting and long hours at the wheel also complicate the situation.

Compliance Witnesses – Failure to address compliance misconduct and safety issues affects retention, productivity and morale. Employees who witness misconduct are twice as likely to leave an organization and 29 percent of employees observed at least one compliance violation at work in 2016 and 2017. To decrease safety mishaps, cut insurance claims costs and retain a happy staff, a company must comply to all safety standards.

Coastal Communities and Property Values – The threat of rising seas is undermining property values in coastal communities. Homes with exposure to the sea sold for 6.6 percent less than unexposed homes. Researchers found that properties at higher elevation were appreciating faster than properties at lower elevation. Accelerating sea level could put more than $1 trillion in property at risk by the end of the century.

Smart Contracts – Smart contracting based on digital ledger or blockchain technology holds great promise fro the insurance industry, it isn’t without risks, The benefits of blockchain – immutablity, transparency and decentralization also present concomitant risks. If an insurer inadvertently discloses protections over the blockchain, there is no control-al-delete button enabling a do-over. Remedial efforts will be hampered by the disclosure and its widespread distribution.

If you have questions about this newsletter or any of the emerging risks identified, contact an insurance expert at The Plexus Groupe at 847-307-6100.

Content provided in part by Insurance Journal.

House Method article features The Plexus Groupe’s Personal Lines Insurance Expert David Miller


David Miller, Vice President, Client Executive for Private Client Solutions, was quoted this week in a blog about owning and caring for upscale homes called House Method. The article is about 16 items usually not covered in a homeowner’s insurance policy. 

This is Miller’s second time this month that he has been cited in a national publication. Last week, he was featured in a Consumer Reports article.

The Plexus Groupe is stocked with experts just like Miller who work in various practice areas like employee benefits and property and casualty to technology solutions and mergers and acquisitions. Contact a strategic insurance expert in Deer Park, Illinois at 847-307-6100, Chicago at 312-606-4800, Dallas at 972-770-5010 or Oklahoma City at 405-840-3033.

The Plexus Groupe Hires Kari Fredrick as Vice President of HR


The Plexus Groupe, an innovative, client-focused insurance brokerage and risk management consulting firm, has hired Kari Fredrick as Vice President of Human Resources.

Fredrick brings a wealth of knowledge and experience in human resources, said Matthew McKenna, Chief Financial Officer of The Plexus Groupe.

“Kari’s expertise is in developing and implementing strategic human resource initiatives that will ultimately help make our already thriving company the best workplace possible for our associates,” McKenna said.

Fredrick earned a bachelor’s degree from the University of Wisconsin-La Crosse, and a master’s degree from Roosevelt University in human resources management. She then attended Argosy University to earn a doctorate degree in business administration and holds the SHRM Senior Certified Professional credentials for HR.

Fredrick spent the last 14 years working in the manufacturing industry and now looks forward to showcasing her skills in the insurance industry with The Plexus Groupe.

“It is an honor to join the Plexus team,” Fredrick said. “I am excited to visit each office and become part of the culture of this great company.”

The Plexus Groupe offers innovative solutions in employee benefits, property and casualty, corporate retirement plans, personal lines insurance, human resources administration/consulting, benefits technology services, and mergers and acquisitions. Additionally, the Plexus Global Network gives clients access to insurance placement in 130 countries around the world. Plexus is headquartered in Deer Park, Ill., with additional locations in Chicago, Dallas, and Oklahoma City.

For more information on strategic insurance solutions, please contact the firm at 847-307-6100 and ask to speak to a client executive. The firm can also be reached via the Web at www.PlexusGroupe.com.

VP David Miller Cited in Consumer Reports Article


The Plexus Groupe's Vice President, Client Executive, and in-house personal lines expert David Miller, was cited this week in an article published in Consumer Reports. The article is about rental car insurance and Miller's insight explains how some rental car companies aggressively upsell what may be unnecessary additional coverage. To read the article, click here.

Have questions about this article or personal lines insurance? The Plexus Groupe has answers. Miller leads Private Client Solutions at The Plexus Groupe and can be reached at 846-307-6141.

DID YOU KNOW? Storage Facility Insurance May Not Be Needed


About 10 percent of all American households have a storage unit in one of the 52,000 storage facilities across the country offering 2.3 billion square feet of space to rent and grapple with whether they need storage facility insurance.

If you are someone with too many things and not enough space, you may be wondering if you need the insurance offered at the storage facility.

As with most insurance questions, the answer starts with "it depends."

Most home insurance policies cover the home itself and provides coverage for  your personal property -- your clothes, furniture, home electronics, bedding, etc. But does that coverage still apply when your personal property is not physically located in your home?

Most policies provide worldwide coverage for your personal property, with some limitations. The limitations apply when some of the personal property is "usually located" in another residence that is not insured with the same insurance company. For example, suppose your own a home, but also rent a vacation home for 3 months every summer. Your homeowner’s insurance policy indicates a personal property limit of $250,000. The amount of personal property that you bring with you to the rental home would be limited to no more than 10% of the personal property limit on your home policy ($25,000).

With most companies, this 10% limitation on personal property does NOT apply to storage facilities, but it would be prudent to confirm in writing with your agent. Also, many storage facilities only let you waive their insurance if you can prove that your homeowners/renter's policy will cover your items stored on their property.

Here’s how one company insures off-premises personal property, or storage facility insurance:

“If the covered loss takes place at a residence you own or live at that does not have contents coverage listed in this policy or any other policy issued by us, we will pay up to 10% of the contents coverage in this policy.”

The key words/phrases in this sentence are “residence” and “live at." The limitation only applies to a “residence” or somewhere in which you would “live at."  A storage facility is not a residence (or it least they are not intended to be a residence) so the limitation would NOT apply. This is good news because it means you don’t have to buy the insurance offered by the storage facility, which is usually very expensive and very restrictive in its coverage.

Keep in mind that if there is a loss to your personal property in storage, coverage would apply as if it happened at your home. This means your homeowner’s deductible would apply, along with all of the policy exclusions.  So if your homeowner’s policy excludes losses due to flood, a flood loss at the storage facility would also be excluded. Conversely, you may actually pick up coverage from your home insurance policy that might otherwise be excluded. Let’s say that you rent a storage unit in Florida, but the insurance on your primary residence is for your home in Illinois. If you bought coverage from the Florida storage facility, losses due to hurricane would very likely be excluded, but if your Illinois policy did not exclude losses due to hurricane, coverage would apply to the property in storage in Florida.

Have questions about storage facility insurance? David Miller has answers. Miller, who writes the monthly, DID YOU KNOW? blog is The Plexus Groupe’s Vice President, Client Executive for Private Client Solutions. Miller can be reached by calling 846-307-6141.

The Plexus Groupe Earns Bronze Workplace Health Achievement From The American Hearth Association


The Plexus Groupe earned a 2018 Bronze Workplace Health Achievement award from the American Heart Association for its comprehensive wellness program.

The American Heart Association’s Workplace Health Achievement measures the comprehensiveness and quality of a company’s workplace health program, and the overall heart health of its employees.

The program takes into account seven organizational best practices: leadership, reporting outcomes, programs, policies and environment, partnerships, engagement and communications.

The Plexus Groupe offers a comprehensive wellness program that includes a walking challenges, fruit and vegetables served daily and preventive care and screenings among other initiatives.

11 Tips to Prepare for High Winds During Hurricane Season


As Hurricane Florence approaches the southeastern coastline, now is the time to firm up your hurricane preparedness plan and take action.

The Plexus Groupe's Property & Casualty practice offer 11 hurricane safety tips to prepare for high winds to ensure that damage and losses are kept at a minimal and a hurricane doesn't cripple your business:

1. Develop a written windstorm emergency plan

Your emergency plan should include assigned organization roles and responsibilities with training provided at least annually.

Designate one person to monitor the status and location of the windstorm. Assemble emergency supplies and equipment (plastic tarps, mops, squeegees, emergency lighting, battery operated radio, tape for windows, lumber and nails) in a safe location for easy retrieval.

Maintain a list of key vendors, contractors and salvage services. Also, keep a business continuity plan (reviewed and updated regularly) for restoring operations after the event.

2. Inspect and repair roof

Inspect roof for problems with loose roof covering, loose flashing, edging strips and accessories, blocked or loose drains, gutters or downspouts, as well as inadequately secured equipment, signs, stacks, roof ventilators and repair or secure as needed.

Anchor large equipment, such as cranes and draglines, in accordance with manufacturer’s guidelines.

3. Secure the outside of your property

Fasten down loose outdoor equipment, machinery, stock and other debris, or move it indoors.

Outdoor structures, such as trailers, should be properly anchored. Secure storage of flammable liquid containers or move them to a sheltered area (never into main facility areas).

Identify and consider removing any large trees or limbs that could fall and damage buildings, outdoor equipment, power lines, etc.

4. Protect windows and doors

Protect windows and doors by attaching pre-fitted windstorm shutters or plywood. Repair weak latches and hardware on doors and windows, and install steel bars in pre-installed metal brackets on the inside of exterior roll-up doors.

5. Fill fuel tanks

Make sure fuel tanks for generators, fire pumps, as well as company-owned vehicles are filled up. Also, fill above-ground tanks to capacity with product or water to prevent wind damage. 

6. Clean drains and catch basins

Debris washed into storm drains can travel through pipes and get into lakes, rivers, streams and the ocean. Litter and leaves can also clog drains causing backups, which could result in flooding.

7. Protect computers, stock and machinery and equipment

All of these things can be damaged by water. Protect them with plastic tarps or waterproof covers. Backup all important computer data and store in a safe location.

8. Take note of what chemicals you have stored

Isolate, neutralize or remove from the site any chemicals that can react violently with each other. Certain combined chemicals can produce potentially toxic vapors that can be very dangerous, even deadly. Others may react violently to cause chemical burns.

9. Prepare for flooding

Relocate important equipment, stock and records to higher elevations not subject to flooding.

Cover equipment and stock that cannot be relocated with plastic tarps or store on pallets. Install back-flow prevention devices in sewer and drain lines to prevent floodwater from backing up into buildings.

Place sandbags at vulnerable building openings and around critical outdoor equipment subject to flooding. If there is imminent danger of flooding, shut off the building’s electrical power. Note: Power to electric motor-driven fire pumps should remain in service.

10. Be prepared to shut down operations

Shut off processes and equipment following your own established procedures. Shut off all flammable and combustible liquid and gas lines at their source to prevent discharge from broken piping. Enforce “no smoking” and “no cutting or welding” rules. Protect or shut off other possible flame sources.

11. Check your insurance policy

Consider things such as the type of coverage, as well as your level of coverage, and ensure that your insurance policy provides coverage for the types of events specific to your location.

These may include: flash floods, storm water runoff, landslips (or landslides) and damage to properties by trees. Discuss this with your insurance agent prior to the storm.

Content provided by Property & Casualty 360.

The Plexus Groupe Intern Selected as The Council Foundation Scholarship Recipient


Kyle Vitale, a student at Illinois State University and a summer intern at The Plexus Groupe, has been selected as a recipient of a $5,000 academic scholarship for the 2018-19 year academic year, as announced today by The Council Foundation.

“The Plexus Groupe is very proud of Kyle for being selected for this prestigious scholarship,” said Brian Griffin, President of The Plexus Groupe. “This honor is a testament to the caliber of scholars who participate in our internship program, which helps The Plexus Groupe to develop future industry talent.”

The Council Foundation’s mission is to bring fresh, diverse talent into the brokerage sector by way of internships with member firms of The Council of Insurance Agents & Brokers. In awarding the scholarships, an independent selection committee looks for candidates who have the potential to excel as leaders and contributors in the commercial insurance brokerage business sector.

Vitale is one of 75 college students across the country who received a Council Foundation scholarship this year. Vitale said he learned of the scholarship opportunity during his first interview with The Plexus Groupe and thought of applying for it as an added perk to the company’s summer internship program.

“I was so excited to learn that I won,” said Vitale, 19. “I learned so much during my internship at The Plexus Groupe and know that knowledge will serve me well as I further continue in my career.”

Vitale, of Lombard, is currently taking online classes at ISU and one class in person at Illinois Central College while working at a fall internship position for a company in Peoria. The finance major plans to spend the scholarship money on college expenses in order graduate in the next two years. He hopes to have a career in finance.

The Council Foundation is a 501(c)(3) charitable educational organization instituted by the Washington, D.C.-based Council of Insurance Agents & Brokers. Part of the Foundation’s core mission is to secure the future of the commercial insurance brokerage business by attracting and developing tomorrow’s talent, like Vitale.

The Plexus Groupe is an innovative, client-focused insurance brokerage and risk management consulting firm offering innovative solutions in employee benefitsproperty and casualtycorporate retirement planspersonal lines insurancehuman resources administration/consultingtechnology services, and mergers and acquisitions. Additionally, the Plexus Global Network gives clients access to insurance placement in 130 countries around the world. The Plexus Groupe is headquartered in Deer Park, Ill., with additional locations in Chicago, Dallas, and Oklahoma City.