The Employee Retirement Income Security Act of 1974 (“ERISA”) aims to balance the dual policies of (1) ensuring fair and prompt enforcement of rights under employee benefit plans, and (2) encouraging the creation of such plans. To strike this balance, ERISA pairs comprehensive rules regarding fiduciary responsibility with federal causes of action that allow plan participants and beneficiaries to recover benefits due, enforce ERISA’s mandates, obtain injunctive relief, and, where applicable, obtain attorney’s fees. At the same time, to protect employers and plan sponsors from operating under a patchwork of potentially conflicting state and local regulations, ERISA promotes uniformity in benefits administration by preempting “any and all state laws insofar as they may now or hereafter relate to” any ERISA benefit plan. 29 U.S.C. § 1144(a).

The Supreme Court is currently considering a petition for certiorari that addresses the application of ERISA preemption to local “play-or-pay” laws. Ostensibly, these location-specific laws are intended to improve low-wage employee access to affordable health coverage by requiring large employers to make enhanced healthcare expenditures on behalf of such employees who reside in that location. To evade ERISA preemption, these laws typically provide that, instead of altering their existing ERISA plans to accommodate the enhanced benefits, employers can simply cut a check in the same amount directly to their employees, or in some cases the local government.

Seattle passed such a law in September 2019. Seattle Ordinance SMC 14.28 (“Ordinance”) mandates that large employers in the hotel sector operating within the City make monthly healthcare payments on behalf of their covered local employees. Payments increase depending on whether the employee is single or has a spouse and/or dependents. Employers who fail to comply with the Ordinance are subject to fines, penalties, and other damages. Employers may comply by creating new ERISA plans specifically for the covered employees, increasing contributions for their employees to existing ERISA plans, or making payments directly to the covered employees.

The ERISA Industry Committee, a nonprofit trade association, brought suit alleging that ERISA preempted the Ordinance because it “relates to” an ERISA benefit plan. The District Court granted the City’s motion to dismiss, holding that ERISA does not preempt the Ordinance because it offers employers a compliance option (i.e., the direct cash payments to employees) that does not require creating a new ERISA plan or altering an existing ERISA plan. ERISA Industry Committee v. City of Seattle, 2020 U.S. Dist. LEXIS 81750 (W.D. Wash. May 8, 2020). In an unpublished opinion, the Ninth Circuit affirmed. 840 F. A’ppx. 248 (2021).

The Committee petitioned for certiorari to the United States Supreme Court, arguing that the Ninth Circuit’s decision deepened an existing split with other courts of appeals, which have held that even a direct payment option interferes with ERISA plan administration because it requires employers to consistently monitor state and local minimum spending requirements and adjust their healthcare expenditures.

Large employers have a vested interest in the Supreme Court granting certiorari and reversing the Ninth Circuit decision. Even though local play-or-pay laws may serve the salutary purpose of ensuring good benefits for local employees, large employers maintain that such purpose cannot trump the overriding federal concern that nationwide employers be able to design benefits that work for their nationwide workforce. ERISA already imposes significant obligations on plan sponsors and fiduciaries when it comes to benefits administration, and it is important that those employers be able to administer their plans uniformly pursuant to ERISA.

The direct-payment option does not make play-or-pay laws such as the Ordinance any less intrusive upon ERISA’s domain. As the Committee argued in the proceedings before the district and appeals courts, direct payments are “financially more onerous and therefore not a realistic and legitimate alternative” to altering an employer’s current coverage to address covered employees. This effectively compels employers to alter their current coverage to meet the requirements of whatever local play-or-pay laws may be in effect in every jurisdiction in which they operate. Such tiptoeing through administrative raindrops of multiple (and potentially conflicting) local regulations – and the additional costs and complications associated with such maneuvering – is precisely what ERISA preemption is intended to eliminate.

If you need more information or have questions, please contact the Jackson Lewis attorney with whom you regularly work, or any member of our ERISA team.

In furtherance of the Biden Administration’s January 28, 2021, Executive Order 14009 and April 5, 2022, Executive Order 14070 to protect and strengthen the ACA, the Treasury Department and IRS published a proposed rule on April 7, 2022, advancing an alternative interpretation of Internal Revenue Code Section 36B. Employers can breathe a sigh of relief as the proposed changes do not alter the Employer Shared Responsibility Payment (ACA penalty) construct. Employers can continue to offer affordable employee-only coverage and spousal or dependent coverage that is unaffordable. However, the potential indirect effects of the proposed regulations on employers are noteworthy. For more information, please see this post at our Benefits Law Advisor blog.

With its new inspection initiative, the Occupational Safety and Health Administration (OSHA) is taking steps to ensure certain healthcare employers continue to protect workers against COVID-19, even as falling case numbers across the country have prompted many state and local agencies to withdraw mask mandates and other COVID-19 precautions. OSHA announced a “highly focused” inspection initiative limited to general medical and surgical hospitals, psychiatric and substance abuse hospitals, skilled nursing facilities, and assisted living facilities that treat or handle COVID-19 patients and have been previously cited or inspected for COVID-19 concerns. This initiative began March 9 and will continue until June 9, 2022, and it will comprise 15 percent of all inspections in a region. Read more.

Pay equity among physicians is not a new topic, and recent data suggests that the pay gap remains wide. 504 Maryland physicians responded to an updated survey on compensation, benefits and practice metrics conducted by Merritt Hawkins on behalf of MedChi, The Maryland State Medical Society. The results of MedChi’s first survey were released in 2018. The most recent results, announced on March 7, 2022 showed:

On average, male physicians earned 49.6% more than female physicians.

  • Average male physician compensation: $320,000.
  • Average female physician compensation: $213,000.

The gender disparity existed across specialties and practice settings.

  • Male primary care physicians earned an average of 41.2% more than female primary care physicians ($262,542 vs. $172,542).
  • Male surgical, diagnostic and other specialists earned an average of 33.5% more than female specialists ($350,625 vs. $250,115).
  • Male physicians in private practice earned 30.9% more than female physicians in private practice.

Female physicians reported working slightly more hours per week than male physicians.

  • Female physicians worked an average of 48.3 hours per week.
  • Male physicians worked an average of 48 hours per week.

The survey also showed disparity when different races were compared.

  • Average Asian/Asian-American physician compensation: $325,000.
  • Average white physician compensation: $268,000.
  • Average Black/African-American physician compensation: $225,000.

The push for pay equity continues as jurisdictions like Colorado, Illinois, New York City and Connecticut enact new laws with pay transparency requirements. For more information about how your organization can proactively evaluate its pay equity, contact your Jackson Lewis attorney.

Healthcare companies continue to face increased risks of ransomware attacks on their operations. According to the recently released BD Cybersecurity Annual Report for 2021, such attacks are also increasingly sophisticated. Management can take important steps to minimize the risks of this form of cybercrime.

Ransomware

Ransomware is malware that encrypts files on a device, rendering the files and systems that rely on them unusable. Bad actors seek to extort payment for the decryption information. As tactics evolve, threat actors are increasingly encrypting or deleting backup data; stealing data and threatening to publish, contacting employees, patients, or customers using stolen contact information; or posting a company’s name or data on a website to increase their leverage.

A ransomware attack can result in unauthorized access or acquisition of sensitive data; the loss, corruption, or unavailability of data; disruption to internal operations such as billing and invoicing; or the inability to provide essential services. These malicious attacks can cause significant business disruption, cost valuable time and money, divert labor, and result in reputational harm or loss of trust. They also can directly affect patient care and place lives at risk.

How Companies Can Manage the Risks

Healthcare organizations can minimize cyber-risks by having robust organizational and technical safeguards, as well as an incident response plan (IRP). While an IRP is tailored to the specific entity, at minimum, it will define a security incident; identify the stakeholders who will guide the response; determine the types of data and critical systems at risk; identify potential reporting obligations based on contracts, laws, and regulations; consider issues related to confidentiality and privilege; and account for the scope of any cyber insurance, including whether the carrier will appoint outside counsel and an expert forensic investigation firm.

The IRP also includes the fundamental steps for responding to a ransomware attack: containment, preservation, investigation, restoration, and remediation. Immediate containment stops the attack. An expert cybersecurity forensic investigation and the preservation of evidence attempt to identify and document the nature and scope of the incident. This information may help determine the contractual and legal reporting obligations that may apply, assist with responding to regulatory inquiries, or help defend against litigation. The restoration process restores data and critical system functionality, and remediation efforts attempt to minimize the potential risk and harm from the attack.

Negotiation of a Ransomware Demand

While the organization manages its response to a ransomware attack, it also may be negotiating the ransom demand. The U.S. Department of Treasury and FBI strongly discourage paying ransom demands. However, payment is not illegal unless the ransom group is on the Department of Treasury’s Office of Foreign Assets Controls sanctions list (also known as the OFAC list). A prohibited payment can result in fines, regardless of whether the organization knew the group was on the list. The Department of Treasury has identified steps to help mitigate the risk attached to a ransom payment. These include, at a minimum, having meaningful technical security measures in place, maintaining offline backups of data, implementing cybersecurity training to minimize the success of the attack, and voluntarily cooperating with federal authorities to investigate the attack.

Breach Reporting

According to the Fact Sheet: Ransomware and HIPAA from the Department of Health and Human Service Office for Civil Rights, when protected health information (PHI) is encrypted during a ransomware attack, unauthorized individuals are deemed to have taken possession or control of the information. As a result, a breach is presumed to have occurred, unless the covered entity or business associate can demonstrate a low probability the PHI has been compromised.

Whether the presence of ransomware constitutes a reportable breach under HIPAA is a fact-specific determination. This determination can be facilitated by engaging an expert, third-party cybersecurity forensic investigation firm to review the nature and scope of the attack and whether sensitive data was accessed or stolen.

In addition to breach notification obligations under HIPAA, the healthcare entity may have reporting obligations under state law.

Increased Ransomware Litigation

Moreover, healthcare entities are seeing an increase in litigation alleging negligence, failure to safeguard patient data, breach of contract, and unavailability of systems, equipment, or PHI that resulted in the inability to provide essential medical services.

***

Healthcare organizations can take steps to potentially minimize the risk and harm from a ransomware attack through preventive and responsive measures. These may include drafting or updating the organization’s IRP, engaging in cybersecurity risk-based vendor management, regularly training employees on data protection and security awareness, conducting regular risk assessments, and regularly reviewing and updating internal HIPAA Privacy and Security Rules policies and procedures.

Please contact a Jackson Lewis attorney if you have questions or need additional guidance.

This month, Doximity issued its Fifth Annual 2021 Physician Compensation Report. With the continued strain of the pandemic spanning 2021, the self-reported physician data reflected widespread burnout and early retirement, especially by female physicians. With respect to physician compensation, Doximity findings demonstrated:

  • While average doctor pay increased 3.8 percent between 2020 and 2021, there was a decline of real income compared to 2020 given the CPI 6.2% rate of inflation in 2021.
  • The top five metro areas with the highest physician pay were Charlotte, NC; St. Louis, MO; Buffalo, NY; Jacksonville, Florida; and, Orlando, Florida.
  • The top five metro areas with the lowest physician pay were Baltimore, MD; Providence, RI; San Antonio, TX; Washington, D.C.; and Boston, MA.
  • A widening gender pay gap of 28.2% this year, with female physicians making $122,000 less than male physicians in 2021.
  • Based on 2014-2019 data, Doximity estimates that over the course of a career, female physicians will earn over $2 million less than male physicians.

Specialties with the largest pay equity gaps between men and women are oral & maxillofacial surgery; allergy and immunology; ENT; pediatric nephrology; and thoracic surgery. Significantly, there is no one medical specialty where women earned the same or more than men in 2021. All specialties had a pay gap over 10%, except Pediatric Rheumatology (which had a gap of 7.9%). To compound matters, a recent Jama Network Open research letter found that physician residents who were mothers – compared to physician residents who were fathers – were more likely to be responsible for childcare or schooling (24.6% v. .8%), household tasks (31.4% v. 7.2%), to work primary from home (40.9% to 22%), and to reduce their work hours (19.4% to 9.4%). The study reflected the significant concern that these “short-term adjustments can have serious long-term repercussions as they may lead to lower earnings and negatively impact advancement.”

Doximity’s research also revealed that due to the pandemic, over 1% of physicians retired before expected, which is feared to strain an already tight labor market. The report also highlighted studies suggesting about half of doctors are considering an employment change due to the “COVID-related overwork.” The overwork also had a disproportionate impact on women physicians, with 25% of them reporting they are “considering early retirement” due to increased work during the pandemic.

This research reflects the importance of a physician/employer in any setting reflecting on the impact of the pandemic on its healthcare team. Moreover, the research shows continued pay equity deficits between female and male physicians, which may be exacerbated by the pandemic. Internal reflection on current pay practices to identify the factors contributing to it are critical to maintain top talent, improve morale amidst very difficult times and avoid wage and hour litigation.

In December 2020, Congress passed the “No Surprises Act” (NSA) as part of the Consolidated Appropriations Act of 2021. The NSA applies most commonly in situations where a patient receives out-of-network medical services from a provider to whom the patient had no meaningful opportunity to consent, as in the case of emergency room care or a service performed by an ancillary provider in connection with a scheduled surgery, such as an anesthesiologist. The intent of the NSA is to protect patients from later receiving large “surprise bills” from such out-of-network providers. To learn more, read the post on our ERISA Litigation Advisor blog.

On December 15, 2021, the Fifth Circuit Court of Appeals granted, in part, the federal administration’s motion to stay the nationwide preliminary injunction enjoining the Centers for Medicare and Medicaid (“CMS”) from enforcing its COVID-19 vaccine mandate nationwide as to non-plaintiff states. Louisiana et al v. Becerra et al., No. 3:12-cv-03970 (W.D. La. December 15, 2021).

Immediately after this ruling was issued, Plaintiffs in the matter pending before the United States District Court for the Northern District of Texas, Texas et al v. Becerra et al., No. 2:21-cv-229-Z (N.D. Tex. December 15, 2021) sought a ruling on its Motion for Preliminary Injunction. The Court granted the motion enjoining CMS from enforcing its COVID-19 vaccine mandate in Texas.

As a result, because of this Fifth Circuit ruling, the Eastern District of Missouri’s prior ruling, and the Northern District of Texas ruling, CMS cannot presently enforce its vaccine mandate in: Louisiana, Montana, Arizona, Alabama, Georgia, Idaho, Indiana, Mississippi, Oklahoma, South Carolina, Utah, West Virginia, Kentucky and Ohio, Alaska, Arkansas, Iowa, Kansas, Missouri, Nebraska, New Hampshire, North Dakota, South Dakota, Texas and Wyoming.

As of now, CMS can proceed with enforcing its rule in all remaining 25 states. CMS has not yet stated whether it will proceed with enforcement in those 25 states and/or what new deadlines for compliance may be imposed if they do. Impacted employers should continue to monitor for further developments.

Please contact a Jackson Lewis attorney with questions.

Title VII prohibits discrimination at the workplace based on race, color, sex, and national origin. But, only “employees” can bring claims under Title VII as the law does not protect independent contractors. The Tenth Circuit (covering Oklahoma, Kansas, New Mexico, Colorado, Wyoming, and Utah) was asked to determine whether a locum tenens physician was an employee of a Kansas hospital. The court determined that he was an independent contractor, and not an employee, and affirmed the dismissal of his Title VII claims.

In Benaissa v. Salina Reg’l Health Ctr., Nos. 20-3236 & 21-3015 (10th Cir. Dec. 2, 2021), the hospital contracted with a third-party vendor to provide locum tenens physicians. The vendor assigned Dr. Benaissa to provide orthopedic surgical services to the hospital. Dr. Benaissa, an Arab Muslim male, performed these services for just under a year (the hospital gave thirty days’ written notice to the vendor that it no longer wanted Dr. Benaissa’s services, consistent with the vendor contract). The doctor sued the hospital, alleging race, religion, and national origin discrimination under Title VII.

Applying a multi-factor “hybrid test” to determine if the doctor was an employee of the hospital, the court noted the doctor “was a highly skilled, experienced, board-certified orthopedic surgeon who was licensed in eleven states.” The most critical fact for the court was that he “agree[d] that he had complete autonomy in determining what work needed to be done for his patients” because this “inform[ed] the hybrid test’s primary concern with the employer’s right to control the means and manner of the worker’s performance.” (Citation omitted). The court rejected the doctor’s argument in support of employee status that the hospital converted his privileges from locum tenens privileges “to permanent status,” concluding that “the circumstances of [t]his case [do not] warrant deviating from the principle that having staff privileges at a hospital is not sufficient to confer employee status on a physician.” Because the doctor was an independent contractor, the court affirmed the summary judgment in favor of the hospital.

If you have questions regarding your physician classifications, please contact the Jackson Lewis attorney with whom you regularly work, or any member of our Healthcare industry group.