CalNonprofits Insurance Services

COVID-19 and Risk Management

Print Friendly, PDF & Email

The laws in California have been changing at a rapid pace since the first stay at home orders were announced in March of 2020.  There are new compliance requirements related to COVID-19 due to several pieces of legislation that have been signed into law.  Your risk management plan needs to be comprehensive enough to meet the tests we have encountered in the past 12 months, and flexible enough to meet an uncertain future. If you have employees working from home, you need to include those new risks in your plan – both physical and cyber-related. 

New Legislation 

The Governor’s Stay-At-Home orders starting on March19th of 2020 put into place some temporary actions that have since been codified by legislation such as SB 1159 and AB 685.

The Families First Coronavirus Response Act (FFCRA) is federal legislation that included paid sick leave for covered employers.  This is important because some of the state legislation references the FFCRA benefits. Generally, FFCRA requires that employers provide up to 2 weeks of paid sick leave (at full pay) if the employee is quarantined and/or experiencing COVID-19 symptoms.  It also provides 2 weeks of paid sick leave (at 2/3 pay) for several other reasons including to care for someone else that must quarantine or to care for a child while school is closed. FFCRA also provides up to 10 weeks of extended paid (at 2/3 pay) family leave to care for a child whose school or childcare provider is closed for reasons related to COVID-19.  Organizations with fewer than 50 employees may qualify for an exemption. All covered employers are required to include a notice with their regular labor law postings.  If your employees are working in a virtual environment – you can post electronically or send to each one. The FFCRA paid leave requirements expired on 12/31/2020.  

SB 1159 and AB 685 codified parts of previous COVID-19 related executive orders and added new reporting requirements for employers, they were signed into law in September 2020.  

AB 685 was enacted to protect workers and the public from exposure to the COVID-19 virus. The new reporting and notification requirements for employers went into effect on September 17, 2020. Beginning January 1, 2021, AB 685 gives authority to Cal/OSHA to shut down an entire worksite due to COVID-19 exposure and to issue citations more quickly. Employers are also required to have a written COVID-19 Prevention Program in place. Nonprofit employers would be wise to keep on top of the Cal/OSHA changes related to AB 685 and incorporate them into the organization’s business continuity plan.  

AB 685 Employer Notification Requirements 

The employer notification requirement mandates employers to notify employees of:  

  • Potential exposure to COVID-19 – if an employee at a worksite tests positive, you must notify all employees that were at the same worksite within the infectious period - within 1 day of learning of the positive test result. 
  •  COVID-19 related benefits and protections to affected employees. 
  • The disinfection and safety standards that will be implemented by the employer upon potential exposure to COVID-19 at the worksite.  

Employers must also provide notification to local public health agency with 48 hours of an “outbreak” including names, number, occupation and worksite location of individuals related to the “outbreak”.  

For AB 685, an “outbreak” is defined by the California Department of Public Health as three or more laboratory confirmed cases of COVID-19 within a two-week period. If two employees who live together contract COVID-19 within a two-week period, and it is laboratory confirmed, this would count as 1 case. 

Having a written COVID-19 Safety and Prevention Plan in place is the best practice and is mandated by this legislation. This could include but not limited to disinfection and safety standards and can be part of your Injury and Illness Protection plan. The notification requirements apply to all employer worksites. All employees and employers of any subcontracted employees who were at the worksite where potential exposure occurred must be notified within one business day.   

AB 685 gives the California Division of Occupational Safety and Health (Cal/OSHA) three types of authority: 
  • Authority to issue an Order Prohibiting Use (OPU) to protect workers from an imminent hazard related to COVID-19 exposure.    
  • Authority to Cite or fine employers for serious violations related to COVID-19 without notice. Previously, a 15-day notice was required.  
  • Authority to cite or fine employers who do not follow AB 685 required notifications to employees  

The purpose of the OPU is to remove workers from the risk of exposure until the hazard can be addressed. This could be the closure of the entire worksite. This authority is in force until January 1, 2023.  Your Business Continuity Plan should include this scenario. A written COVID-19 Safety and Prevention Plan will help to minimize potential citations or fines given under Cal/OSHA’s new authorities.   

All public and private employers are required to follow the new AB 685 regulations. Health facilities and employers who provide direct care or testing to individuals for COVID-19 infection are excepted as they already have more stringent requirements. 

SB 1159 Workers’ Compensation Reporting Requirements 

SB 1159 Rebuttable Presumption 

SB 1159 created a “rebuttable presumption” starting July 6th  for first responders and frontline healthcare workers. For all other employers with five (5) or more employees, there is a rebuttable presumption following an “outbreak”.  This means that if an employee contracts COVID-19 and fits the presumptions, it will be assumed they contracted the illness on the job, the employer can rebut the presumption if they have evidence that shows otherwise. 

Under SB 1159 an “outbreak” is defined as: 

  1. For employers with less than 100 employees – 4 employees at a particular worksite test positive within a 14-day period 
  1. For employers with 100 or more employees – 4% of employees at a particular worksite test positive within a 14-day period. 
  1. The County or State Health Department, CalOSHA or school superintendent shuts down a worksite due to risk of infection from COVID-19.  

Note: Employees working from home (unless performing home health care in their own home) and not at the employer’s place of business are excluded. Employees visiting client homes for work may be covered – this area was not specifically addressed in the law.  

Additional Reporting Requirements Due to SB 1159 

If an employee has a positive COVID-19 test and they have been to any of your worksites within the previous 14 days, report it to your Work Comp carrier within 3 days of notification. Most carriers have set up online reporting lines for this purpose.  You will need to know the following information for the report – 

  • Date test sample was taken 
  • Date results were reported to employer 
  • Location of all worksites visited by employee in previous 14 days 
  • Maximum number of employees at each of those worksites within the previous 45 days 
  • Note – you do not report the employee name or any identifying information 

If you have an “outbreak” or suspect you might have an “outbreak” – provide the employee(s) with a DWC-1 form and submit to your Workers’ Compensation insurance carrier. 

It is important to note that if an employee is eligible for paid sick leave benefits such as under FFCRA or SB 1687, those must be exhausted before Workers’ Compensation benefits would begin. 

Failure to report can result in a penalties of up to $10,000.  Therefore, nonprofit employers should become familiar with the required forms and timeframes for filing claims. We recommend that your nonprofit incorporate these new requirements into their business continuity plan and document internal processes. This helps minimize risk of disruption to the organization should an outbreak occur.  

Work From Home Risks

And if all that was not enough, working from home increases the risks to the organization, especially around cybersecurity. The abrupt and sudden change to a remote workforce because of the  pandemic created lasting impacts on nonprofits of all sizes. Within a few days’ time, companies and employees had to make an immediate transition to doing their jobs from home. 

Teams without any remote working experience had to pivot and quickly adapt to their new situation. For many companies, there was not enough time to address the new security vulnerabilities due to this rapid shift. Using personal devices for work, accessing the internet through home networks, conducting meetings via videoconferencing software, and accessing company and customer data from home are all inherently risky from a cybersecurity standpoint. 

Now that it appears that the shift to remote work may be a permanent situation, even on a part-time basis, companies will need to establish more substantial security solutions for their remote teams. Global research leader Gartner recently noted that securing the remote workforce “has now become the single greatest existential imperative for all organizations in the wake of COVID-19.” 

Criminals Quickly Seized on Cyber Vulnerabilities 

Cybersecurity best practices for employees who are working from home should focus on key areas such as: devices, internet connections, storing and transferring data, and videoconferencing as these create vulnerabilities. 

  • Device security: Device, or endpoint, security involves setting security protocols. This includes laptops, desktops, tablets, smartphones, or other devices that connect to the internet and store or transfer data. 
  • Internet connections: many cyber-attacks and hacking incidents are related to the use of insecure public Wi-Fi. 
  • Videoconferencing: Widespread reports of security breaches tied to videoconferencing applications such as Zoom and Cisco WebEx. Hackers accessed confidential meetings and information communicated or transferred in remote meetings. 
  • Storing and transferring data: Data can be compromised when transferred via insecure channels such as messaging apps or unsecure networks

Now that it appears that the shift to remote work may be a permanent situation, even on a part-time basis, nonprofits will need to establish more substantial security solutions for their remote teams. Work with your IT vendors or departments to secure your organization’s data and systems. Sample policies are available through your account representative


Become a Risk Management Superhero

Cal/OSHA Model Programs: COVID-19 Prevention Program

Employee Rights Paid Sick Leave and Expanded Family and Medical Leave Under the Families First Coronavirus Response Act

No Business Continuity Plan? Take These 4 Steps

State of California—Health and Human Services Agency
California Department of Public Health: AB685 New Reporting Requirements

State of California Department of Industrial Relations: Workers’ Compensation Presumption (SB 1159) Frequently Asked Questions

About the Author

  • Colleen has over 20 years of experience crafting insurance programs for nonprofits, she is an insurance geek and actually enjoys reading insurance policies and forms. If she isn’t working, you can find her scuba diving in exotic locations or cooking up delicious meals for her family (husband, 4 children, 3 grandbabies, and Abby the incredible McNab).

Leave a Reply

Your email address will not be published.