CalNonprofits Insurance Services

The laws in California have been changing at a rapid pace since the first stay-at-home orders were announced in March of 2020. There are new compliance requirements related to COVID-19 due to several pieces of legislation that have been signed into law. Your risk management plan needs to be comprehensive enough to meet the tests we have encountered in the past 12 months, and flexible enough to meet an uncertain future. If you have employees working from home, you need to include those new risks in your plan – both physical and cyber-related.

New Legislation 

The Governor’s Stay-At-Home orders starting on March 19th of 2020 put into place some temporary actions that have since been codified by legislation such as SB 1159 and AB 685.

The Families First Coronavirus Response Act (FFCRA) is federal legislation that included paid sick leave for covered employers. This is important because some of the state legislation references the FFCRA benefits. Generally, FFCRA requires that employers provide up to 2 weeks of paid sick leave (at full pay) if the employee is quarantined and/or experiencing COVID-19 symptoms. It also provides 2 weeks of paid sick leave (at 2/3 pay) for several other reasons, including to care for someone else who must quarantine or to care for a child while school is closed. FFCRA also provides up to 10 weeks of extended paid family leave (at 2/3 pay) to care for a child whose school or childcare provider is closed for reasons related to COVID-19. Organizations with fewer than 50 employees may qualify for an exemption. All covered employers are required to include a notice with their regular labor law postings. If your employees are working in a virtual environment, you can post the notice electronically or send it to each employee. The FFCRA paid leave requirements expired on 12/31/2020.

SB 1159 and AB 685 codified parts of previous COVID-19 related executive orders and added new reporting requirements for employers. They were signed into law in September 2020.

AB 685 was enacted to protect workers and the public from exposure to the COVID-19 virus. The new reporting and notification requirements for employers went into effect on September 17, 2020. Beginning January 1, 2021, AB 685 gives authority to Cal/OSHA to shut down an entire worksite due to COVID-19 exposure and to issue citations more quickly. Employers are also required to have a written COVID-19 Prevention Program in place. Nonprofit employers would be wise to keep on top of the Cal/OSHA changes related to AB 685 and incorporate them into the organization’s business continuity plan.  

AB 685 Employer Notification Requirements 

The employer notification requirement mandates employers to notify employees of:  

  • Potential exposure to COVID-19 – if an employee at a worksite tests positive, you must notify all employees who were at the same worksite within the infectious period, within 1 day of learning of the positive test result.
  • COVID-19 related benefits and protections available to affected employees.
  • The disinfection and safety standards that will be implemented by the employer upon potential exposure to COVID-19 at the worksite.

Employers must also provide notification to the local public health agency within 48 hours of an “outbreak”, including names, number, occupation and worksite location of individuals related to the “outbreak”.

For AB 685, an “outbreak” is defined by the California Department of Public Health as three or more laboratory confirmed cases of COVID-19 within a two-week period. If two employees who live together contract COVID-19 within a two-week period, and it is laboratory confirmed, this would count as 1 case. 

Having a written COVID-19 Safety and Prevention Plan in place is the best practice and is mandated by this legislation. This could include, but is not limited to, disinfection and safety standards, and it can be part of your Injury and Illness Protection plan. The notification requirements apply to all employer worksites. All employees and employers of any subcontracted employees who were at the worksite where potential exposure occurred must be notified within one business day.

AB 685 gives the California Division of Occupational Safety and Health (Cal/OSHA) three types of authority: 
  • Authority to issue an Order Prohibiting Use (OPU) to protect workers from an imminent hazard related to COVID-19 exposure.
  • Authority to cite or fine employers for serious violations related to COVID-19 without notice. Previously, a 15-day notice was required.
  • Authority to cite or fine employers who do not follow AB 685 required notifications to employees.

The purpose of the OPU is to remove workers from the risk of exposure until the hazard can be addressed. This could be the closure of the entire worksite. This authority is in force until January 1, 2023.  Your Business Continuity Plan should include this scenario. A written COVID-19 Safety and Prevention Plan will help to minimize potential citations or fines given under Cal/OSHA’s new authorities.   

All public and private employers are required to follow the new AB 685 regulations. Health facilities and employers who provide direct care or testing to individuals for COVID-19 infection are excepted as they already have more stringent requirements. 

SB 1159 Workers’ Compensation Reporting Requirements 

SB 1159 Rebuttable Presumption 

SB 1159 created a “rebuttable presumption” starting July 6th for first responders and frontline healthcare workers. For all other employers with five (5) or more employees, there is a rebuttable presumption following an “outbreak”. This means that if an employee contracts COVID-19 and fits the presumptions, it will be assumed they contracted the illness on the job; the employer can rebut the presumption if they have evidence that shows otherwise.

Under SB 1159 an “outbreak” is defined as: 

  1. For employers with fewer than 100 employees – 4 employees at a particular worksite test positive within a 14-day period.
  2. For employers with 100 or more employees – 4% of employees at a particular worksite test positive within a 14-day period.
  3. The County or State Health Department, CalOSHA or school superintendent shuts down a worksite due to risk of infection from COVID-19.

Note: Employees working from home (unless performing home health care in their own home) and not at the employer’s place of business are excluded. Employees visiting client homes for work may be covered – this area was not specifically addressed in the law.  

Additional Reporting Requirements Due to SB 1159 

If an employee has a positive COVID-19 test and they have been to any of your worksites within the previous 14 days, report it to your Work Comp carrier within 3 days of notification. Most carriers have set up online reporting lines for this purpose.  You will need to know the following information for the report – 

  • Date test sample was taken 
  • Date results were reported to employer 
  • Location of all worksites visited by employee in previous 14 days 
  • Maximum number of employees at each of those worksites within the previous 45 days 
  • Note – you do not report the employee name or any identifying information 

If you have an “outbreak” or suspect you might have an “outbreak” – provide the employee(s) with a DWC-1 form and submit to your Workers’ Compensation insurance carrier. 

It is important to note that if an employee is eligible for paid sick leave benefits such as under FFCRA or SB 1687, those must be exhausted before Workers’ Compensation benefits would begin. 

Failure to report can result in penalties of up to $10,000. Therefore, nonprofit employers should become familiar with the required forms and timeframes for filing claims. We recommend that your nonprofit incorporate these new requirements into its business continuity plan and document internal processes. This helps minimize risk of disruption to the organization should an outbreak occur.

Work From Home Risks

And if all that was not enough, working from home increases the risks to the organization, especially around cybersecurity. The abrupt change to a remote workforce because of the pandemic created lasting impacts on nonprofits of all sizes. Within a few days’ time, companies and employees had to make an immediate transition to doing their jobs from home.

Teams without any remote working experience had to pivot and quickly adapt to their new situation. For many companies, there was not enough time to address the new security vulnerabilities due to this rapid shift. Using personal devices for work, accessing the internet through home networks, conducting meetings via videoconferencing software, and accessing company and customer data from home are all inherently risky from a cybersecurity standpoint. 

Now that it appears that the shift to remote work may be a permanent situation, even on a part-time basis, companies will need to establish more substantial security solutions for their remote teams. Global research leader Gartner recently noted that securing the remote workforce “has now become the single greatest existential imperative for all organizations in the wake of COVID-19.” 

Criminals Quickly Seized on Cyber Vulnerabilities 

Cybersecurity best practices for employees who are working from home should focus on key areas such as devices, internet connections, storing and transferring data, and videoconferencing, as these create vulnerabilities.

  • Device security: Device, or endpoint, security involves setting security protocols for every device that connects to the internet and stores or transfers data. This includes laptops, desktops, tablets, smartphones, and other such devices.
  • Internet connections: Many cyber-attacks and hacking incidents are related to the use of insecure public Wi-Fi.
  • Videoconferencing: There have been widespread reports of security breaches tied to videoconferencing applications such as Zoom and Cisco WebEx. Hackers accessed confidential meetings and information communicated or transferred in remote meetings.
  • Storing and transferring data: Data can be compromised when transferred via insecure channels such as messaging apps or unsecured networks.

Now that it appears that the shift to remote work may be a permanent situation, even on a part-time basis, nonprofits will need to establish more substantial security solutions for their remote teams. Work with your IT vendors or departments to secure your organization’s data and systems. Sample policies are available through your account representative.


Become a Risk Management Superhero

Cal/OSHA Model Programs: COVID-19 Prevention Program

Employee Rights Paid Sick Leave and Expanded Family and Medical Leave Under the Families First Coronavirus Response Act

No Business Continuity Plan? Take These 4 Steps

State of California—Health and Human Services Agency
California Department of Public Health: AB685 New Reporting Requirements

State of California Department of Industrial Relations: Workers’ Compensation Presumption (SB 1159) Frequently Asked Questions

Risk is the chance of loss. A severe loss to your organization can cause injuries to people, damage to property, and damage to reputation. This can result in substantial business interruption and monetary loss. Sometimes people think of gambling when they think of risk. However, with gambling there is the chance of gain as well as loss. Risk management is the process of identifying and handling the risks faced by your organization. By actively engaging in this process you can become a Risk Management Superhero for your nonprofit!

You should care about risk management because it can ensure the safety of your staff and the people you serve as well as the sustainability and reputation of your organization. It would be terrible to permanently close some or all of your operations because there was no plan in place for dealing with risks we all face. The risk management plan gives staff a blueprint for handling the risks and “bakes in” the idea of risk management for the entire team. Risk management should be connected to your mission. By managing risks appropriately, you can make sure your organization survives to continue your mission and the valuable services you provide.

Risk Management Process

There are 5 steps to the risk management process –  

  • Identify risks.  There are many ways to go about identifying the risks your operations and organization face.  Use as many brains as possible – everyone has a different point of view and may find additional risks.  Checklists and other tools can help in the identification process. Review contracts for risks the organization has accepted. 
  • Analyze and rank risks. Analyze the identified risks for impact severity and potential frequency.  Each identified risk should be analyzed and assessed for impact and prioritized. 
  • Evaluate options for handling each risk based on the potential severity and frequency. The major methods for handling risks include:
    • Avoid – eliminate or stop the activity (high impact/cost, low reward).
    • Reduce – take steps to minimize the risk such as safety equipment, modifications to processes. 
    • Transfer/Share – Transfer the risk to another party – this is usually done via a contract.  Insurance is a contract and one that transfers risks from the organization to the insurance company.   
    • Retain – do nothing – you accept the risk (low impact, low potential cost) – make a plan to pay for the risks you retain! 
  • Implement Plan – Implement the controls identified above, purchase insurance, enter into contracts, implement safety controls, and train staff.  
  • Review and Evaluate – Risk management is a continuous process and must be reviewed, evaluated, and adjusted for effectiveness periodically. Each new program should be taken through the risk management process.  

Business Continuity Plan

A Business Continuity Plan (BCP) is the documented risk management plan for ensuring the continuance of operations in the event of a disaster. The plan should document the steps that individuals need to take depending on the type of disaster and shutdown. The process to create the BCP is similar to the larger risk management plan –

  • Identify the types of interruption or shut down 
  • Analyze the functions and how you can recover
  • Explore strategies for handling and examine gaps in capabilities 
  • Develop the Plan 
  • Test and review periodically – since the plan is for future shutdowns it should be tested periodically and reviewed for changes. 


Most of our carriers have risk management resources available that are specific to nonprofits.  In addition, we are an affiliate of the Nonprofit Risk Management Center.  We offer their discounted online Risk Management Planning Tool that will walk you through the steps of creating a risk management plan for your organization. CalNonprofits Insurance Services is providing sponsored registration for the upcoming 2020 Virtual Risk Summit so that our clients can attend at no cost to them. Contact us today to assist with building your risk management plan!   


CalNonprofits Insurance Services Risk Management

Managing Risk for a Successful Nonprofit Organization

No Business Continuity Plan? Take These 4 Steps

Vector image by VectorStock / vectorstock

Our new insurance programs exclusively for CAM members provide protection for your mission with coverage tailored for the risks unique to museums. We are at the California Association of Museums Conference – CAM2020, March 5 – 6, where we will have information about these exclusive programs. Stop by our exhibitor booth if you are attending the conference!

Regular vision exams from an eye doctor are an excellent wellness strategy! In fact, regular eye exams can lead to early detection of many preventable diseases. The retina is the only place in the body where the doctor can view your blood vessels directly. This allows for early detection of a multitude of diseases including cancer, high blood pressure, glaucoma, and diabetes. Did you know concussions can be detected through an eye exam?

Benefits of Offering a Group Vision Plan

Offering a group vision plan is inexpensive and encourages regular eye exams even for those that have 20/20 vision. The average person is 4 times more likely to get an eye exam than to get an annual physical. According to EyeMed, health issues may cost employers an average of $1,685 per employee each year. Early detection of serious conditions may be a key factor in reducing these costs for nonprofit employers.

Retinal Imaging

Retinal imaging is a relatively new technique for examining eye health. More importantly, it is being used for early detection of diseases. In addition, it is a way to detect changes over time to your eyes and their health. Our exclusive VSP vision plans in the Nonprofit Benefits Trust cover retinal imaging at a low $20 copay. Many other vision plans may include this benefit as well.

Blue Light Exposure

Blue light exposure is another serious issue for our eye health because it causes strain and damage to the eyes. Viewing screens, LED lighting, and the sun are all sources of blue light. As a result, many eye experts recommend blue light blocking glasses even if you do not require vision correction. We should also protect our children’s eyes now before all the screen time damages their vision. Our exclusive Nonprofit Benefits Trust plans offer blue light blockers at a highly discounted rate.

Consider Vision Insurance

For these reasons, we encourage you to consider Vision Insurance as part of your employee benefits package. Communicate to employees the importance of vision benefits and annual exams as part of a wellness program. Vision insurance can be offered as an employer paid group plan or as a voluntary plan where employees pay premiums. We can help you educate your employees on eye health and craft a vision insurance plan to suit your budget.   Contact us at 888-427-5224 or

By Colleen Lazanich


Concussion Detection –

Healthy Heart – Healthy Eyes – article on vsp.com

Blue Light Infographic by VSP

EyeMed Healthy Eyes Brochure

EyeMed Vision from a Better Angle whitepaper