To Vaccinate Or Not To Vaccinate… That Is The Question

Requiring flu vaccines is nothing new for healthcare employers. However, in light of COVID-19, there is a renewed emphasis and discussion concerning flu vaccines in the workplace.  Healthcare employers are unique because often state or municipal laws regulate when a healthcare employer must require flu vaccinations, permissible exceptions and documentation requirements.  These regulatory obligations are in addition to other considerations under disability or religious discrimination laws.  Check out our colleagues’ recent blog post for more information.

Healthcare employers should review their current vaccination policies and practices to ensure state and local vaccination compliance, as well as compliance with CDC guidance and discrimination laws.  Healthcare employers should also consider attending our upcoming healthcare webinar scheduled for 12PM EST on December 3rd where we will discuss important developments on vaccinations and other issues facing healthcare employers.  Individuals can register here.

Federal Agencies Issue Joint Alert on Imminent Cybercrime Threat to Healthcare Providers

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory stating they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

The advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain. The advisory provides technical details on the threat from Ryuk ransomware and new Trickbot malware modules named Anchor. The anticipated threat is that attackers will use this malware and ransomware to encrypt a hospital’s systems, interfering with its access to those systems and its ability to provide care, and then hold the decryption key for ransom.

In addition to the technical details, the advisory identifies steps hospitals and healthcare providers should take to protect themselves from this cybercrime threat. Those steps include maintaining an up-to-date business continuity plan and other best practices.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to local administration being disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication (MFA) where possible.
  • Disable unused remote access or Remote Desktop Protocol (RDP) ports and monitor remote access or RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege necessary in mind.
  • Audit logs to ensure new accounts are legitimate.

Ransomware Best Practices

  • CISA, FBI, and HHS do not recommend paying ransoms.
  • Regularly back up data, air gap, and password-protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats (such as ransomware and phishing scams) and how they are delivered.
  • Provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.

The advisory notes that addressing the risks posed by malware and ransomware attacks will be particularly challenging for hospitals and healthcare providers during the COVID-19 pandemic. If you have questions about this advisory or how best to assess and manage the risks identified in the advisory, please contact a Jackson Lewis attorney.

Hacked Healthcare Provider Refuses to Pay Ransom, Attackers Target Psychotherapy Patients

Healthcare providers continue to be targeted by ransomware attackers. According to reports, a healthcare provider in Finland was hacked and the attackers demanded 40 bitcoins (or about $525,000) under threat of public disclosure of patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies to the potential sanctions risk for facilitating ransomware payments. The 22-location psychotherapy provider, Vastaamo, refused to pay the ransom. When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. You can learn more about this attack here.

Hospital Granted Summary Judgment on Surgeon’s Discrimination Claims

The hospital did not discriminate against a 73-year-old surgeon on the basis of his age or perceived disability or breach his contract when it required him to undergo neuropsychological and physical exams and have a proctor when conducting lower bowel surgeries following the death of one of his patients, a federal district court has found, granting the hospital summary judgment. Morris v. Mary Rutan Hosp., No. 2:18-cv-00543 (S.D. Ohio Oct. 7, 2020). This decision provides helpful analysis for hospitals considering remedial action for physicians following poor medical outcomes.

Dr. Larry Morris had worked for several years at the Hospital when one of his patients died shortly after being discharged following a colon surgery he performed. The Hospital then engaged three independent general surgeons to review the case. Based on the results of the review, the Hospital required the following of Morris:

  1. Submit to neuropsychological and physical exams and share the results with the Hospital;
  2. Take a course on medical record documentation;
  3. Not perform surgeries until the first two requirements are completed;
  4. Not perform any more lower bowel surgeries or agree to have at least 10 of those surgeries proctored by another surgeon; and
  5. Undergo a six-month Focused Professional Practice Evaluation.

After Morris refused to comply with these requirements, his employment with the Hospital ended. Morris filed suit in federal district court, alleging that the Hospital discriminated against him on the basis of his age and perceived disability and breached his contract, among other claims. The court granted the Hospital’s motion for summary judgment on all these counts.

The court found no age discrimination because the “mere imposition of the additional requirements as a condition of Plaintiff’s employment does not constitute an adverse employment action.” It further found that “even if the conditions imposed on [Plaintiff] were intolerable and difficult to operate under, he has not offered any evidence to show that the requirements were imposed due to his age.” The court also found that the Hospital articulated a legitimate nondiscriminatory reason for the requirements imposed following the review by the independent surgeons. Morris failed to establish this reason was a pretext for age discrimination because he did not point to any evidence demonstrating the Hospital did not honestly believe its reason for imposing these requirements or did not honestly have concerns about his abilities.

Similarly, the court found no disability discrimination because Morris’s failure to submit to the examinations, in and of itself, entitled the Hospital to summary judgment. Even if this did not bar Morris from bringing the disability discrimination claim, the court found the requirements imposed by the Hospital were job-related and consistent with business necessity.

Finally, the court granted the Hospital summary judgment on the breach of contract claim because the contract provided for general oversight and the imposition of additional requirements by the Hospital, including by committees contributing to its management and oversight; and because the conditions the Hospital imposed did not terminate Morris’s ability to practice.

The decision demonstrates that so long as hospitals exercise due diligence, they can take remedial measures to ensure patient safety in ways that are consistent with anti-discrimination laws and their contractual obligations.

Please contact a Jackson Lewis attorney with any questions.

DOL Strikes Back: Redefines Health Care Provider Exception to FFCRA

Last month a New York federal court left health care providers in the lurch when it vacated the Department of Labor’s definition of who could be exempted as a health care provider from the FFCRA leave obligations. Thankfully, the DOL has stepped back in to provide further clarity on this issue, providing revisions and clarifications to its FFCRA Temporary Rule. For more information about the revisions, click here.

The FFCRA, which requires certain employers to provide paid sick leave and expanded FMLA to their employees, provides an exception for health care providers. Under the revised rule, the DOL explains that the health care providers that an employer can elect not to cover under the FFCRA include:

  1. Doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which the doctor practices;
  2. Podiatrists, dentists, clinical psychologists, optometrists, and chiropractors authorized to practice in the State and performing within the scope of their practice as defined under State law;
  3. Nurse practitioners, nurse-midwives, clinical social workers and physician assistants who are authorized to practice under State law and who are performing within the scope of their practice as defined under State law;
  4. Christian Science Practitioners listed with the First Church of Christ, Scientist in Boston, Massachusetts;
  5. Any other employee who is capable of providing health care services, meaning he or she is employed to provide:

     • diagnostic services (taking or processing samples, performing or assisting in the performance of x-rays or other diagnostic tests or procedures, and interpreting test or procedure results);
     • preventive services (screenings, check-ups, and counseling to prevent illnesses, disease, or other health problems);
     • treatment services (performing surgery or other invasive or physical interventions, prescribing medication, providing or administering prescribed medication, physical therapy, and providing or assisting in breathing treatments); or
     • other services that are integrated with and necessary to the provision of patient care and, if not provided, would adversely impact patient care (bathing, dressing, hand feeding, taking vital signs, setting up medical equipment for procedures, and transporting patients and samples).

The revised rule further explains that the types of employees falling under this last category include only:

A.  Nurses, nurse assistants, medical technicians, and any other persons who directly provide services described in 5 above;

B.  Employees providing services described in 5 above under the supervision, order, or direction of, or providing direct assistance to, a person described in numbers 1-4 above or A above; and

C.  Employees who are otherwise integrated into and necessary to the provision of health care services, such as laboratory technicians who process test results necessary to diagnoses and treatment.

The DOL further clarified that employees who do not provide health care services as described above are not health care providers even if their services could affect the provision of health care services, such as IT professionals, building maintenance staff, human resources personnel, cooks, food services workers, records managers, consultants, and billers.

The revised Rule recognizes that individuals who fall under this health care provider exemption may work, among other places, at a doctor’s office, hospital, health care center, clinic, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar permanent or temporary institution, facility, location, or site where medical services are provided. But the DOL explained that an employee does not need to work at one of these facilities to be a health care provider, and working at one of these facilities does not necessarily mean an employee is a health care provider.

The DOL’s revised Rule provides welcome relief and clarity to employers. Although it is not immune to further legal challenge, the DOL appears to have addressed the issues raised by the New York court. Employers are nonetheless wise to seek legal counsel with respect to how the various FFCRA requirements might apply in an individual circumstance.

Contact your Jackson Lewis attorney for assistance in developing an approach that helps minimize the risk for your organization.

Court Decision Restores Affordable Care Act’s Discrimination Protections for Transgender Patients

A New York court has restored anti-discrimination protections for transgender patients under the Affordable Care Act (ACA). Walker et al. v. Azar et al., No. 20-cv-2834 (E.D.N.Y. Aug. 17, 2020).

Section 1557 of the ACA extends Title IX of the Education Amendments of 1972’s prohibition against “sex discrimination” to covered entities in the healthcare setting. On June 12, 2020, the Department of Health and Human Services (HHS) issued a final rule that walked back broad prohibitions against transgender-based discrimination, among other changes, because HHS “disagree[d] … that Section 1557 or Title IX encompass gender identity discrimination within their prohibition on sex discrimination.” On August 17, 2020, a New York federal court issued an order that “stays the repeal of the 2016 definition of discrimination on the basis of sex.” In other words, this decision restores the definition contained in the previous Section 1557 regulations from 2016. Under that definition, sex is “an individual’s internal sense of gender, which may be male, female, neither, or a combination of male and female, and which may be different from an individual’s sex assigned at birth.” The 2016 Rule required covered entities: (1) to not discriminate on the basis of sex in providing access to health programs and activities; and (2) to “treat individuals consistent with their gender identity.” It prohibited “deny[ing] or limit[ing] health services that are ordinarily or exclusively available to individuals of one sex, to a transgender individual based on the fact that the individual’s sex assigned at birth, gender identity, or gender otherwise recorded is different from the one to which such health services are ordinarily or exclusively available.”

As noted in the court’s decision: “Timing, the saying goes, is everything.” The 2020 Rule expressly recognized that a U.S. Supreme Court decision involving whether Title VII of the Civil Rights Act protected transgender employees was forthcoming, but announced that HHS had decided not to wait for the decision when it issued the rule on June 12. Three days later, on June 15, 2020, the Supreme Court decided that Title VII protects transgender employees. The 2020 Rule was formally published in the Federal Register four days after that, on June 19, 2020, and was to take effect 60 days after publishing (on August 18, 2020). As a result of the Supreme Court decision, and the day before it was to take effect, the court held the 2020 Rule was contrary to law: “It is clear from the preamble to the 2020 Rules that a central reason for HHS’s action was a fundamental disagreement as to whether Title IX—and, by implication, § 1557—prohibited discrimination based on gender identity and sex stereotyping. HHS took a position on that issue, as it was entitled to do, but that position was effectively rejected by the Supreme Court.”

The court noted that the plaintiffs may be able to prove the 2020 Rule was “arbitrary and capricious” because HHS failed to consider the Supreme Court’s guidance. It noted HHS “had an (admittedly brief) opportunity to re-evaluate its proposed rules after the case was decided contrary to its expectations. Instead, it did nothing. The timing might even suggest to a cynic that the agency pushed ahead specifically to avoid having to address an adverse decision.”

The court’s injunction is preliminary, and HHS has not yet announced whether it will appeal this decision. We will continue to monitor and report further developments. Please contact a Jackson Lewis attorney with any questions.

EEOC Issues Guidance on Opioid Addiction in Employment

The U.S. Equal Employment Opportunity Commission recently issued two technical assistance documents addressing accommodation issues under the Americans with Disabilities Act for employees who use opioid medications or may be addicted to opioids. One of them provides guidance to health care providers on helping patients through the ADA interactive process with their employers. You can learn more about these EEOC guidance documents here.

Court Vacates Parts of FFCRA Regulations, Including Healthcare Provider Definition

Healthcare employers who believed they were entirely exempt from the FFCRA’s obligations, including providing certain paid leave, based on the Department of Labor’s March regulations should revisit their position in light of a recent ruling from a New York federal court. Many healthcare providers believed they were entirely exempt from the FFCRA because of the broad definition of healthcare provider in the Department of Labor’s regulations. Now, a New York federal district court has struck down this regulatory provision. You can read more about this important decision from our colleagues here. Healthcare providers with fewer than 500 employees are encouraged to contact their Jackson Lewis attorney for assistance to assess risks in light of this development.

Affordable Care Act No Longer Interpreted to Prohibit Discrimination Against Transgender Patients

Section 1557 of the Affordable Care Act (“ACA”) contains anti-discrimination provisions, which include prohibitions on sex discrimination, that apply to certain health care providers and insurers receiving federal funding. On June 13, 2020, the Department of Health and Human Services (“HHS”) published a final rule walking back protections for transgender patients, among other changes (“2020 Rule”).

The previous Section 1557 regulations, from 2016 (“2016 Rule”), defined sex as “an individual’s internal sense of gender, which may be male, female, neither, or a combination of male and female, and which may be different from an individual’s sex assigned at birth.” Based on that definition, the 2016 Rule (1) required covered entities not to discriminate on the basis of sex in providing access to health programs and activities; (2) required them to “treat individuals consistent with their gender identity”; and (3) prohibited “deny[ing] or limit[ing] health services that are ordinarily or exclusively available to individuals of one sex, to a transgender individual based on the fact that the individual’s sex assigned at birth, gender identity, or gender otherwise recorded is different from the one to which such health services are ordinarily or exclusively available.”

The 2020 Rule eliminated that definition and the above requirements. HHS stated that it

disagrees … that Section 1557 or Title IX encompass gender identity discrimination within their prohibition on sex discrimination…. The biological differences between men and women are not irrelevant to employment law and education, and they are in many ways even more relevant in the health setting…. The Department believes that, unlike stereotypes, reasonable distinctions on the basis of sex, as the biological binary of male and female, may, and often must, play a part in the decision making process – especially in the field of health services. A covered entity such as a healthcare provider is not impermissibly stereotyping biological males (notwithstanding their internal sense of gender) on the basis of sex if it uses pronouns such as “him”; limits access to lactation rooms and gynecological practices to female users and patients; or lists a male’s sex as “male” on medical forms. Similarly, a covered health care entity is not impermissibly stereotyping biological females (notwithstanding their internal sense of gender) on the basis of sex if it uses pronouns such as “her”; warns females that heart-attack symptoms are likely to be quite different than those a man may experience; advises women that certain medications tend to affect women differently than men; or lists a female’s sex as “female” on medical forms. Finally, it is not stereotyping for covered entities to have bathrooms or changing rooms designated by reference to sex, or to group patients in shared hospital rooms by sex. Such practices and actions are not rooted in stereotypes, but in real biological and physiological differences between the sexes. Moreover, none of these examples disadvantages one sex over another, and in fact the failure to take sex into account may in some cases have a disadvantageous effect…. Distinctions based on real differences between men and women do not turn into discrimination merely because an individual objects to those distinctions…. 
The Department will vigorously enforce Section 1557’s prohibition on sex-based discrimination, but that prohibition cannot be construed as a prohibition on reasonable sex-based distinctions in the health field…. Unprofessional conduct such as inappropriate jokes or questions, excessive precautions, or concealment of treatment options, may be covered under State medical malpractice, tort, or battery laws [but not Section 1557].

Finally, although noting that “[n]othing in this [2020] [R]ule prohibits a healthcare provider from offering or performing sex-reassignment treatments and surgeries, or an insurer from covering such treatments and procedures, either as a general matter or on a case-by-case basis,” (emphasis added), HHS states there is no legal requirement to do so under Section 1557.

The 2020 Rule noted that some comments had urged HHS to defer issuing this Final Rule until the Supreme Court decided a trio of cases and resolved whether Title VII’s sex-discrimination prohibition also prohibits discrimination based on transgender status. HHS explained it opted not to wait because the administration had taken the position in those cases that Title VII does not prohibit discrimination based on transgender status, Section 1557 encompasses Title IX’s sex-discrimination provisions (not Title VII), and there are unique medical issues related to “biological” sex implicated in ACA discrimination that would not matter in employment discrimination cases. On June 15, 2020, the Supreme Court decided that Title VII does protect transgender employees. In doing so, the Supreme Court rejected arguments similar to the HHS statements quoted above. However, because the Supreme Court’s decision interpreted Title VII and not Title IX, it is unclear what, if any, impact that decision will have on courts’ interpretation of the new HHS rule regarding transgender patients.

OCR’s Relaxed Enforcement of HIPAA During COVID-19 Paves The Way For Increase in Telehealth Services

As the COVID-19 pandemic continues to spread across the country, doctors, dentists, therapists and other healthcare providers have turned to telehealth use with their patients by way of videoconferencing applications such as Zoom, Skype and WebEx. The Office of Civil Rights and the Department of Health and Human Services (“OCR”) defines telehealth as “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.”

There are a number of privacy concerns healthcare providers should consider when utilizing telehealth technology. Generally, healthcare providers providing telehealth services are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, not every videoconferencing application is HIPAA-compliant. HIPAA requires that a healthcare provider who utilizes a vendor to transmit or maintain protected health information, or who utilizes a vendor who has routine access to protected health information (PHI), must have a Business Associate Agreement (BAA) with each vendor.

In light of COVID-19, the OCR recently relaxed its enforcement of HIPAA’s privacy and security rules and issued a notification stating that it will practice “enforcement discretion” regarding HIPAA’s privacy and security rules. The OCR will not impose penalties for noncompliance with HIPAA for healthcare providers’ “good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency”, whether the telehealth services are related to a COVID-19 diagnosis and treatment or not, including for example, “a sprained ankle, dental consultation or psychological evaluation, or other conditions.”

The OCR advises healthcare providers to use public facing videoconferencing applications including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without the risk that the OCR will issue penalties for non-compliance with HIPAA. However, the OCR also specifically disallows the use of certain other public facing video apps such as TikTok, Facebook live, and Twitch to provide telehealth services.

Notwithstanding the OCR’s practice of enforcement discretion, healthcare providers should continue to engage in best practices to safeguard patient data. For example:

1. Consent. Before using video conferencing for medical consultations, request permission from the patient to do so and document their approval in their medical record.

2. BAA. Despite the fact that the OCR will not impose penalties against covered health care providers for the lack of a BAA, the OCR encourages healthcare providers to enter into a BAA with any vendor that provides videoconferencing services, and in its notification provides a list of vendors which represent that they are HIPAA-compliant video conferencing applications that will enter into a HIPAA BAA, including:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

3. Encryption. Healthcare providers should enable all available encryption and privacy modes when using the videoconferencing technology.

4. Password Protection. Healthcare providers should create a unique meeting ID and a strong password to access a virtual consultation.

5. Monitor. Healthcare providers should monitor all communications containing PHI. Additionally, healthcare providers should check that both employees and patients are accessing via a secure network connection prior to consultations.

According to analysts at Forrester Research, the adoption of telehealth services has increased dramatically, with virtual healthcare interactions projected to exceed 1 billion by year’s end. While the OCR’s relaxed enforcement of HIPAA during COVID-19 likely will end when the pandemic is brought under control, it appears telehealth services may become the “new normal” for healthcare providers.