FDA Names First Acting Director of Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) named University of Michigan Associate Professor Kevin Fu Acting Director of Medical Device Security in its Center for Devices and Radiological Health. This is a newly created 12-month post in which Fu will “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” You can learn more here.

Updated Guidance for Healthcare Personnel Returning To Work Post-Vaccination

As more healthcare employees receive their COVID-19 vaccinations, questions about when vaccinated healthcare employees can return to work if experiencing COVID-19 symptoms continue to arise.  Coupled with ongoing staffing shortages in the industry, the need for employees to return to work when safe to do so is a pressing concern for many healthcare employers.

To help, the U.S. Centers for Disease Control and Prevention (CDC) issued updated guidance on strategies for evaluating and managing post-vaccination signs and symptoms, which may be challenging to distinguish from the signs and symptoms of COVID-19 or other infectious diseases.  Vaccinated or not, healthcare employees must continue to abide by current infection control measures, but this updated guidance provides clarity on returning vaccinated employees to work even when they may be experiencing both COVID-19 vaccination-related and COVID-19 symptoms.

The CDC’s updated guidance recommends the following return to work strategies for healthcare personnel who experience post-vaccination systemic signs and symptoms:

  • If vaccinated within the last three days, a vaccinated employee experiencing symptoms following the vaccination common to the vaccination and COVID-19 (g., fever, fatigue, headache, chills, muscle and joint pain) who are not known to have unprotected exposure in the previous 14 days, may return to work without testing if they feel well enough to do so. More on fevers below.  If symptoms are not improving or persist for more than two days, the vaccinated employee should be excluded from the workplace and viral testing for COVID-19 should be considered.
  • If the vaccinated employee develops symptoms only related to COVID-19 and not vaccination (g., cough, shortness of breath, rhinorrhea, sore throat and loss of taste or smell), the employee should be excluded from the workplace and the CDC’s general criteria on returning to work for healthcare personnel should be followed.
  • Vaccinated employees with fevers should ideally be excluded from the workplace pending further evaluation. In the case of current or anticipated critical staffing shortages, vaccinated employees with fever and systemic signs and symptoms limited only to those observed following vaccination could be considered for work if they feel well enough and are willing.  In such case, the vaccinated employees should be re-evaluated, and viral testing for COVID-19 should be considered, if the fever does not resolve within two days.
  • If a vaccinated healthcare personnel is symptomatic and had unprotected exposure to COVID-19 in the past 14 days, they should be excluded from the workplace, evaluated for COVID-19 and CDC guidance should be followed.

Under recent CDC guidance, vaccinated healthcare personnel with an exposure to someone with suspected or confirmed COVID-19 may return to work if they meet all of the following criteria:

  • Are fully vaccinated (i.e., more than two weeks following receipt of the second dose in a 2-dose series, or more than two weeks following receipt of one dose of a single-dose vaccine).
  • Are within 3 months following receipt of the last dose in the series.
  • Have remained asymptomatic since the current COVID-19 exposure.

The CDC reminds healthcare employers to:

  • Educate employees about the potential for short-term systemic signs and symptoms post-vaccination to assist in identifying symptoms that may be vaccination related versus those that are not.
  • Create mechanisms for timely assessments of vaccinated employees to distinguish between circumstances warranting exclusion from work from situations where providers can safely return.
  • Consider nonpunitive sick leave options to encourage reporting of symptoms.

This guidance may evolve as we continue to learn more about the effects of vaccination, but is a helpful tool for healthcare employers looking to ensure adequate staffing coverage while confirming an employee’s return to work is done in a safe manner.  Jackson Lewis continues to monitor the unique issues affecting healthcare employers in a post-vaccinated world.  Please reach out to the Jackson Lewis attorney with whom you regularly work, or any member of our COVID-19 team to learn more.

*This post was updated 2/12/2021 to include CDC guidance issued 2/10/2021, after the initial post publication.

CDC Issues Post Vaccine-Considerations for Healthcare Personnel

As employers in healthcare settings prepare to administer the vaccine to healthcare personnel, they are likely grappling with new practical considerations.  Undoubtedly, one of the most widespread challenges is how to manage employees with potential post-vaccination systemic signs and symptoms (“signs and symptoms”), without unnecessarily imposing work restrictions to the detriment of patient care demands.  Towards these ends, the CDC has issued a series of considerations healthcare employers should review as they develop policies to balance these competing concerns.  Below is an overview:

  1. Vaccinate HCP preceding 1-2 days off from work.
  2. Stagger both doses of the vaccine. Don’t vaccinate an entire department or unit at the same time.
  3. Educate HCP about potential signs and symptoms and options to mitigate them.
  4. Assess HCP exhibiting signs and symptoms consistent with the CDC’s recommended approaches.
  5. Encourage HCP to report signs and symptoms by offering non-punitive paid leave.

For assistance drafting your institution’s COVID-19 vaccination policy generally, or specifically addressing HCP with signs and symptoms, please contact Sarah Skubas, Mary McCudden, or the Jackson Lewis attorney with whom you usually work.

Year-End Considerations and Resources For Healthcare Employers

Surging COVID-19 cases, COVID-19 vaccination considerations and post-election impacts are just a few of the many evolving issues facing healthcare employers as we head into the end of 2020. If you missed our recent Healthcare Industry Key Trends webinar, please consider watching as our Jackson Lewis colleagues touch on many of these issues and more. Also, our colleague’s recent post on COVID-19 vaccination considerations is a helpful tool as healthcare employers will likely be the first to navigate employee COVID-19 vaccinations as we near the end of 2020.

Additionally, COVID-19 fatigue is a real concern facing many healthcare employers. More than ever, employees are balancing work and personal demands with limited time and increased stress. Merely providing an Employee Assistance Program (EAP) referral is not enough. There are several resources for healthcare employers to consider as they navigate employee fatigue, including:

As we head into the end of 2020, now is a good time for healthcare employers to review these top issues facing the industry, including COVID-19 fatigue and vaccination considerations. Reach out to your Jackson Lewis attorney, who can provide additional best practices and resources as the healthcare industry navigates these developments together.

Families First Coronavirus Response Act’s 80 Hours of Emergency Paid Sick Leave is ‘One Time Use’

As the COVID-19 pandemic continues, employees who took leave earlier in the year may be requesting additional COVID-19-related leave. Employers covered by the Families First Coronavirus Response Act (FFCRA) are again seeking guidance in determining which employees qualify for the emergency sick leave and family leave portions of the FFCRA. In September 2020, the federal Department of Labor (DOL) issued revised regulations that limited the scope of the “health care provider” exemption of the FFCRA, so many healthcare employers must revisit their position on employee eligibility for FFCRA leave.

In particular, employers being asked to provide Paid Sick Leave (PSL) under the FFCRA should determine whether the employee in question has already taken their 80 hours of PSL – whether working for the employer OR whether the employee in question was working for another entity at the time of that paid leave. Most employers realize that employees to whom they granted 80 hours of PSL last spring or during the summer of 2020 are not entitled to a second allowance of PSL now. However, many do not realize that employees who took 80 hours of PSL while working for a previous employer have exhausted their PSL entitlement as well.

The DOL’s regulations provide under 29 C.F.R. Sec. 826.160(f) – titled “One time use” – that “Any person is limited to a total of 80 hours of Paid Sick Leave. An Employee who has taken all such leave and then changes Employers is not entitled to additional Paid Sick Leave from his or her new Employer.” Employers can and should ask employees hired over the past several months whether they have already taken their PSL with a previous employer, before granting PSL.

Of course, providing unnecessary PSL to an employee beyond their maximum entitlement under the FFCRA also will have tax credit implications.

Please contact a Jackson Lewis attorney with any questions.


To Vaccinate Or Not To Vaccinate… That Is The Question

Requiring flu vaccines is nothing new for healthcare employers. However, in light of COVID-19, there is a renewed emphasis and discussion concerning flu vaccines in the workplace.  Healthcare employers are unique because often state or municipal laws regulate when a healthcare employer must require flu vaccinations, permissible exceptions and documentation requirements.  These regulatory obligations are in addition to other considerations under disability or religious discrimination laws.  Check out our colleagues’ recent blog post for more information.

Healthcare employers should review their current vaccination policies and practices to ensure state and local vaccination compliance, as well as compliance with CDC guidance and discrimination laws.  Healthcare employers should also consider attending our upcoming healthcare webinar scheduled for 12PM EST on December 3rd where we will discuss important developments on vaccinations and other issues facing healthcare employers.  Individuals can register here.

Federal Agencies Issue Joint Alert on Imminent Cybercrime Threat to Healthcare Providers

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory stating they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

The advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain. The advisory provides technical details on the threat from Ryuk ransomware and new Trickbot malware modules named Anchor. The anticipated threat posed by this malware and ransomware is using encryption to interfere with a hospital’s access to its systems and ability to provide care and holding a decryption key for ransom.

In addition to the technical details, the advisory identifies steps hospitals and healthcare providers should take to protect themselves from this cybercrime threat. Those steps include maintaining an up-to-date business continuity plan and other best practices.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to local administration being disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication (MFA) where possible.
  • Disable unused remote access or Remote Desktop Protocol (RDP) ports and monitor remote access or RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege necessary in mind.
  • Audit logs to ensure new accounts are legitimate.

Ransomware Best Practices

  • CISA, FBI, and HHS do not recommend paying ransoms.
  • Regularly back up data, air gap, and password-protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats (such as ransomware and phishing scams) and how they are delivered.
  • Provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.

The advisory notes that addressing the risks posed by malware and ransomware attacks will be particularly challenging for hospitals and healthcare providers during the COVID-19 pandemic. If you have questions about this advisory or how best to assess and manage the risks identified in the advisory, please contact a Jackson Lewis attorney.

Hacked Healthcare Provider Refuses to Pay Ransom, Attackers Target Psychotherapy Patients

Healthcare providers continue to be targeted by ransomware attackers. According to reports, a healthcare provider in Finland was hacked and the attackers demanded 40 bitcoins (or about $525,000) on the threat of public disclosure of patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies of the potential sanctions risk for facilitating ransomware payments. The 22-location psychotherapy provider, Vastaamo, refused to pay the ransom. When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. You can learn more about this attack here.

Hospital Granted Summary Judgment on Surgeon’s Discrimination Claims

The hospital did not discriminate against a 73-year-old surgeon on the basis of his age or perceived disability or breach his contract when it required him to undergo neuropsychological and physical exams and have a proctor when conducting lower bowel surgeries following the death of one of his patients, a federal district court has found, granting the hospital summary judgment. Morris v. Mary Rutan Hosp., No. 2:18-cv-00543 (S.D. Ohio Oct. 7, 2020). This decision provides helpful analysis for hospitals considering remedial action for physicians following poor medical outcomes.

Dr. Larry Morris had worked for several years at the Hospital when one of his patients died shortly after being discharged following a colon surgery he performed. The Hospital then engaged three independent general surgeons to review the case. Based on the results of the review, the Hospital required the following of Morris:

  1. Submit to neuropsychological and physical exams and share the results with the Hospital;
  2. Take a course on medical record documentation;
  3. Not perform surgeries until the first two requirements are completed;
  4. Not perform any more lower bowel surgeries or agree to have at least 10 of those surgeries proctored by another surgeon; and
  5. Undergo a six-month Focused Professional Practice Evaluation.

After Morris refused to comply with these requirements, his employment with the Hospital ended. Morris filed suit in federal district court, alleging that the Hospital discriminated against him on the basis of his age and perceived disability and breached his contract, among other claims. The court granted the Hospital’s motion for summary judgment on all these counts.

The court found no age discrimination because the “mere imposition of the additional requirements as a condition of Plaintiff’s employment does not constitute an adverse employment action.” It further found that “even if the conditions imposed on [Plaintiff] were intolerable and difficult to operate under, he has not offered any evidence to show that the requirements were imposed due to his age.” The court also found that the Hospital articulated a legitimate nondiscriminatory reason for the requirements imposed following the review by the independent surgeons. Morris failed to establish this reason was a pretext for age discrimination because he did not point to any evidence demonstrating the Hospital did not honestly believe its reason for imposing these requirements or did not honestly have concerns about his abilities.

Similarly, the court found no disability discrimination because Morris’s failure to submit to the examinations, in and of itself, entitled the Hospital to summary judgment; and that even if this did not bar Morris from bringing the disability discrimination claim, the court found the requirements imposed by the Hospital were job-related and consistent with business necessity.

Finally, the court granted the Hospital summary judgment on the breach of contract claim because the contract provided for general oversight and the imposition of additional requirements by the Hospital, including by committees contributing to its management and oversight; and because the conditions the Hospital imposed did not terminate Morris’s ability to practice.

The decision demonstrates that so long as hospitals exercise due diligence, they can take remedial measures to ensure patient safety in ways that are consistent with anti-discrimination laws and their contractual obligations.

Please contact a Jackson Lewis attorney with any questions.

DOL Strikes Back: Redefines Health Care Provider Exception to FFCRA

Last month a New York federal court left health care providers in a lurch, when it vacated the Department of Labor’s definition of who could be exempted as a health care provider from the FFCRA leave obligations. Thankfully, the DOL has stepped back in to provide further clarity on this issue, providing revisions and clarifications to its FFCRA Temporary Rule. For more information about the revisions, click here.

The FFCRA which requires certain employers to provide paid sick leave and expanded FMLA to its employees provides an exception for health care providers. Under the revised rule, the DOL explains that the health care providers that an employer can elect not to cover under the FFCRA include:

  1. Doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which the doctor practices;
  2. Podiatrists, dentists, clinical psychologists, optometrists, and chiropractors authorized to practice in the State and performing within the scope of their practice as defined under State law;
  3. Nurse practitioners, nurse-midwives, clinical social workers and physician assistants who are authorized to practice under State law and who are performing within the scope of their practice as defined under State law;
  4. Christian Science Practitioners listed with the First Church of Christ, Scientist in Boston, Massachusetts;
  5. Any other employee who is capable of providing health care services, meaning he or she is employed to provide:

● diagnostic services (taking or processing samples, performing or assisting in the performance of x-rays or other diagnostic tests or procedures, and interpreting test or procedure results);

● preventive services (screenings, check-ups, and counseling to prevent illnesses, disease, or other health problems);

● treatment services (performing surgery or other invasive or physical interventions, prescribing medication, providing or administering prescribed medication, physical therapy, and providing or assisting in breathing treatments); or

● other services that are integrated with and necessary to the provision of patient care and, if not provided, would adversely impact patient care (bathing, dressing, hand feeding, taking vital signs, setting up medical equipment for procedures, and transporting patients and samples).

The revised rule further explains that the types of employees falling under this last category include only:

A.  Nurses, nurse assistants, medical technicians, and any other persons who directly provide services described in 5 above;

B.  Employees providing services described in 5 above under the supervision, order, or direction of, or providing direct   assistance to, a person described in numbers 1-4 above or A above; and

C.  Employees who are otherwise integrated into and necessary to the provision of health care services, such as laboratory technicians who process test results necessary to diagnoses and treatment.

The DOL further clarified that employees who do not provide health care services as described above are not health care providers even if their services could affect the provision of health care services, such as IT professionals, building maintenance staff, human resources personnel, cooks, food services workers, records managers, consultants, and billers.

The revised Rule recognizes that individuals who fall under this health care provider exemption may work, among other places, at a doctor’s office, hospital, health care center, clinic, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar permanent or temporary institution, facility, location, or site where medical services are provided. But the DOL explained that an employee does not need to work at one of these facilities to be a health care provider, and working at one of these facilities does not necessarily mean an employee is a health care provider.

The DOL’s revised Rule provides welcome relief and clarity to employers. Although it is not immune to further legal challenge, the DOL appears to have addressed the issues raised by the New York court. Employers are nonetheless wise to seek legal counsel with respect to how the various FFCRA requirements might apply in an individual circumstance.

Contact your Jackson Lewis attorney for assistance in developing an approach that helps minimize the risk for your organization.