Tag: health care

TTB and FDA Relax Restrictions on the Production of Hand Sanitizers by Alcohol Manufacturers

With the increasing pace of the spread of the Coronavirus (COVID-19) and the related emergent need to increase the available supply for hand sanitizer products across the United States, the Alcohol and Tobacco Tax and Trade Bureau (TTB), followed by the Federal Drug Administration (FDA), have relaxed requirements for certain alcohol producers to produce these products without first amending their existing permits or obtaining prior formula approval.

On March 18, 2020, TTB came forward advising industry members that it has found it necessary and desirable to waive provisions of the internal revenue law to provide certain exemptions and authorizations for distilled spirits permittees to produce ethanol-based hand sanitizers to address the demand for such products during this time of national emergency. More specifically, TTB’s guidance provides:

  1. The exemptions are in effect through June 30, 2020.

  2. Alcohol fuel plants (AFPs) and beverage distilled spirits plants (DSPs) are exempted from the need to obtain additional permits or bonds to manufacture hand sanitizer or to supply ethanol to other TTB-authorized permit holders.

  3. All TTB-permitted DSPs are authorized to manufacture hand sanitizer without prior formula approval if the formula is consistent with the World Health Organization (WHO) guidance.

  4. Industrial alcohol user permittees may also use denatured ethanol to manufacture hand sanitizer consistent with the WHO guidance, and these permit holders are further exempted from the need to request approval to increase the quantities of ethanol they may procure.

  5. Hand sanitizers made with denatured alcohol are not subject to federal excise tax, but federal excise taxes will apply to hand sanitizer made with undenatured alcohol.

On March 20, 2020, the FDA—which also has jurisdiction over the production of hand sanitizing products—issued revised guidance that specifies that the FDA does not intend to take action against firms that prepare alcohol-based hand sanitizers for consumer use and for use as healthcare personnel hand rubs for the duration of the public health emergency declared by the Secretary of Health and Human Services on January 31, 2020. More importantly, to be compliant with FDA’s guidance, the alcohol at issued must be denatured (not undenatured) and the packaging must be consistent with FDA’s Labeling for Ethyl Alcohol Formulation Consumer Use found at Appendix A to the guidance.

Finally, for those alcohol manufacturers (or others) that are not currently licensed DSPs or related permit holders, TTB is also expediting its processing and approval of these applications (in some instances within days) to allow for greater production and access to these vital products in our time of national need.

© 2020 McDermott Will & Emery

CMS/HHS Issues FAQs on Essential Health Benefits and COVID-19

As the President issues a state of emergency in response to the Coronavirus (COVID-19) outbreak, the Centers for Medicare & Medicaid Services, U.S. Department of Health and Human Services, issued frequently asked questions (FAQs) on COVID – 19 and essential health benefits (EHB) coverage through the individual and small group insurance markets.

These FAQs state first that EHB generally include coverage for the diagnosis and treatment of COVID-19. However, the exact coverage details and cost-sharing will depend upon the individual’s plan, and some plans may require preauthorization before these services are covered. Under current regulations, each state and the District of Columbia generally determines the EHB that plans in their locality must cover. Moreover, many states are encouraging, and some are requiring, insurance carriers to cover a variety of COVID-19 services, including testing and treatment, without cost-sharing or preauthorization.

The FAQs went on to say that medically necessary isolation and quarantine required by and under the supervision of a medical provider during hospital admission is generally covered as EHB. However, quarantine outside of a hospital setting, such as a home, is not a medical benefit, nor is it required as EHB.

Finally, the FAQs addressed the possibility of a future COVID-19 vaccine. Although not yet available, all vaccines are analyzed by the Advisory Committee on Immunization Practice of the Centers for Disease Control and Prevention, who will recommend whether the vaccine should be included as EHB without cost sharing and before any applicable deductible. Current guidance indicates that the process of evaluation and final implementation as an EHB can take over a year, but plans may voluntarily choose to cover a vaccine before that time. The FAQs also note that participants may use the plan’s drug exemptions process to request the vaccine be covered.

© 2007-2020 Hill Ward Henderson, All Rights Reserved

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.

The OCR guidance focused on sharing patient information in several areas, including: treatment, public health activities, disclosures to family, friends, and others involved in an individual’s care, and disclosures to prevent a serious and imminent threat.

The HIPAA Privacy Rule allows a covered entity to disclose PHI to the Center for Disease Control (CDC) or to state or local health departments that are authorized to collect or receive such information, for the purpose of preventing disease and protecting public health.  This would include disclosure to the CDC, and/or state or local health departments, of PHI as needed to report prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus.

The OCR message in the guidance document is clear and it emphasized the balance between protecting the privacy of patient PHI and the appropriate uses and disclosures of such information to protect the public health. For more information and resources, see the HHS interactive decision tool which provides assistance to covered entities to determine how the Privacy Rule applies to disclosures of PHI in emergency situations.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more on HIPAA regulation, see the National Law Review Health Law & Managed Care section.

Preparing Your Workplace to Address Coronavirus Risks: FAQs for Employers

Employers in the United States should continue to prepare for a widespread outbreak of COVID-19, commonly referred to as the coronavirus, as new cases are confirmed daily. These preparations include assessing work-related travel (as well as employee personal travel) and implementing more expansive work-from-home policies.

Although COVID-19 is new, the steps employers should take are not unlike the approaches recommended to address the annual flu season as well as prior outbreaks such as H1N1 (the “Swine Flu”), Severe Acute Respiratory Syndrome (“SARs”) or Ebola.

Employers should carefully monitor recommendations from the U.S. Centers for Disease Control and Prevention (“CDC”) and other public health agencies in connection with the creation of workplace plans and strategies. As this is an evolving situation, best practices for the workplace will continue to develop as conditions change. Carefully tailoring an employer’s plan so as to act consistently with current public health guidance will help keep employees, patients, customers and clients safe as well as reduce an employer’s legal risks. If an employer has an on-site medical professional, partnering with such an expert regarding the implementation of such a plan is strongly advised.

What is the coronavirus and how does it spread?

The novel coronavirus causes coronavirus disease 2019 or COVID-19. Reported cases include respiratory illness with symptoms of fever, cough and shortness of breath. It is spread mainly from person to person either in close contact with each other or through the transmission of respiratory droplets when an infected person coughs or sneezes. The number of cases continues to grow, but for now, most cases continue to be mild.

What steps should employers take to reduce the risk of the coronavirus spreading in their workplaces?

There is no vaccine to prevent the coronavirus. The best way to prevent the spread of any respiratory illness in the workplace is to exercise commonsense measures. Health officials, including the CDC, recommend the following preventive measures:

  • Sick employees should stay home from work until they are free of fever, signs of a fever, or any other symptoms for at least 24 hours without the use of fever-reducing or symptom-altering medicine.
  • Wash hands vigorously with soap and water or an alcohol-based hand rub for at least 20 seconds.
  • Avoid touching one’s face, especially eyes, nose and mouth.
  • Exercise respiratory etiquette and cover one’s mouth when coughing or sneezing.
  • Clean frequently touched surfaces.
  • Maintain at least three feet of distance between oneself and others, including those who are coughing, sneezing or have a fever.

What steps should employers take to prepare for employee communications?

Employers should take steps to be prepared for communicating important health and safety information to all their employees whenever such information needs to be shared. Employers may need to reach employees while outside the workplace and outside regular working hours. Employers should ensure that they have up-to-date contact information for all employees in case health and safety updates need to be communicated. Messaging regarding the coronavirus should come from a dedicated workplace representative to avoid the sharing of conflicting information and to prevent employee confusion and undue alarm.

What employment laws should employers consider when making decisions regarding the coronavirus?

Employers should consider the Occupational Safety and Health Act (“OSH Act”), the Americans with Disabilities Act (“ADA”), Title VII of the Civil Rights Act (“Title VII”), the Pregnancy Discrimination Act (“PDA”), the Family and Medical Leave Act (“FMLA”), state workers’ compensation laws and any federal or state anti-discrimination or disability laws as employers develop plans regarding the coronavirus.

Employers have a legal obligation to provide a safe and healthy working environment free from serious recognized hazards under the OSH Act. Taking reasonable steps to prevent the spread of communicable diseases, like COVID-19, may fall under this requirement. Employers should consider potential discrimination claims that could arise under the ADA, Title VII or the PDA. The ADA protects individuals who are disabled or who are regarded as disabled. The Equal Employment Opportunity Commission (“EEOC”) has stated that while the ADA’s requirements continue to apply, they do not interfere with or prevent employers from following CDC guidelines and recommendations regarding the coronavirus. The EEOC also has indicated that its previously issued guidance regarding the H1N1 pandemic is applicable here. Similar to the EEOC’s approach during the H1N1 pandemic, employer actions that might be viewed as discriminatory under other circumstances (such as requiring an employee to remain at home for a period of time upon returning from travel to certain countries) would not run afoul of the ADA when taken to limit workplace exposure to the coronavirus. This is because either COVID-19 will not be considered a disability because the resulting illness is mild or, alternatively, if COVID-19 becomes more severe and/or widespread, an employer’s actions to limit the spread of the coronavirus will likely be deemed justified given the direct threat posed to other employees, customers, patients or the public at large.

Employers should also take care not to discriminate against employees based on their national origin. Accordingly, employers should establish consistently applied and clearly communicated practices with regard to self-quarantining of employees. For instance, consistent and science-based practices should be followed when employees return from travel to certain countries facing significant outbreaks, rather than singling out employees on an ad hoc basis who may have visited their countries of origin. Recent reports suggest a heightened concern regarding possible workplace discrimination against employees of Asian descent.

While pregnant women may be more susceptible to viral respiratory infections or severe illness, the CDC has released no guidance establishing that such individuals are more susceptible to COVID-19 than the general population. Employers should thus ensure they are not engaging in disparate treatment of pregnant employees.

In addition to discrimination concerns, employers should consider what reasonable accommodations they may need to provide employees under the ADA or the PDA.

Employers also should be prepared to grant FMLA leave to employees who test positive for (or display symptoms of) COVID-19 or who require leave to care for an individual with COVID-19.

Lastly, employees who contract COVID-19 in the scope of their employment may be entitled to make claims under their employers’ workers’ compensation policies.

Should employers cancel work-related travel?

As of March 6, 2020, the CDC recommends avoiding all nonessential travel to China, Iran, Italy and South Korea and has issued travel alerts recommending that travelers practice enhanced precautions in Japan. These travel advisories extend to layovers in the affected areas. Moreover, entries into the United States of foreign nationals who have been in China or Iran in the 14 days prior to entering the United States have been suspended in many circumstances.

Employers should consider these travel advisories when formulating their business travel plans. Many employers are suspending all business travel to the affected areas. Employers face potential risk when requiring employees to travel to areas where the CDC and other federal agencies have advised against non-essential travel. Other employers are limiting or suspending all non-essential travel or canceling in-person attendance at conferences or meetings in light of the potential spread of the coronavirus.

In assessing work-related travel plans, employers should ensure that they do not single out certain groups (e.g., limiting a pregnant employee’s travel due to the risk of exposure to the coronavirus, but allowing other employees to travel).

Should employers cancel large conferences or other community events?

Employers planning events should stay informed about local coronavirus risks. The CDC is recommending event organizers and staff review existing emergency operations plans and focus on prevention strategies, such as frequent handwashing and encouraging both staff and patrons who are sick to stay home. If events are proceeding, the implementation of flexible refund policies may help encourage sick individuals to stay home. And organizers should have supplies that help prevent the spread of viruses such as soap, hand sanitizer and facial tissue available to employees and attendees. Organizers should also establish criteria with the venue and local public health officials to determine under what specific circumstances events will be postponed or canceled.

What should employers do when they suspect an employee was exposed to the coronavirus and is symptomatic?

An employer should send such an employee home and advise him or her to seek immediate medical attention. The employee should be required to remain at home until he or she no longer displays symptoms and is not contagious. The decision to discontinue home isolation should be made on a case-by-case basis, in consultation with health care providers and state and local health departments.

Are employees sent home due to exposure to the coronavirus (self-quarantined) entitled to paid leave?

Employers typically are not legally obligated to provide paid leave to employees who are sent home due to suspected COVID-19 infection or exposure unless state or local paid sick leave laws apply. However, employers should consider allowing employees to utilize paid leave under any available employer leave policies. If the employee is able to perform his or her job remotely, and is physically able to work, employers should consider allowing remote work during such self-quarantine period, even if such remote work is not consistent with the employer’s regular practices. Employers should consult with counsel to determine whether and when to offer paid or unpaid leave to employees facing quarantine situations. And any modification of an employer’s routine policies and practices to address this unique circumstance should be implemented consistently.

What should employers do if employees travel to affected areas (currently China, Iran, Italy, South Korea and Japan ) but do not display any symptoms upon return?

Many employers are encouraging (but not requiring) self-quarantining regardless of whether the employee is symptomatic. Others are requiring employees to self-quarantine for up to 14 days (the commonly presumed incubation period for the coronavirus) after returning from these areas. As the list of affected countries continues to expand and risk levels continue to change, employers should carefully monitor and reevaluate their practices.

Requiring self-quarantining protects other employees. On the other hand, requiring self-quarantining for those who have traveled to affected areas may expose an employer to potential claims under the ADA, Title VII, or other anti-discrimination statutes, especially where a forced quarantine situation results in the employee’s loss of income or other benefits. Such legal risks may be reduced where an employee is able to work remotely and thus is compensated during the quarantine period.

When employees work from home, are they entitled to a reasonable accommodation under the ADA, the PDA or other equal employment opportunity laws?

Employees are entitled to reasonable accommodations that will enable them to perform the essential functions of their positions. For example, if an employee has been provided the accommodation of a low-vision screen reader on his or her work computer, that employee should have access to such a screen reader as a reasonable accommodation when required to work at home.

Can employers ask employees if they have traveled to one of the affected areas?

Yes. Given the ongoing travel advisories and the recommendations of the CDC and other federal agencies regarding travel to affected areas and self-quarantining to limit the spread of the coronavirus, there is likely low risk in requiring employees to disclose their recent travel destinations.

Can employers require a return to work or fitness for duty exam to allow employees to return to work?

Employees who have been diagnosed with COVID-19 should only discontinue isolation after consulting health care providers and state and local health departments. Employers may require the employee to provide proof that isolation can be discontinued before the employee returns to work.

But for employees who have not been diagnosed with COVID-19, it practically may be difficult to receive a return to work exam given that there has been a shortage of testing kits to test for COVID-19. The CDC has also recognized that health care offices may be busy and it may be difficult for an employee with acute respiratory illness to validate their illness or return to work. Employers must take care to treat employees with similar symptoms in a consistent manner.

What should an employer do if an employee fears coming to work due to possible exposure in the workplace?

Creating and implementing consistent plans for preventing and addressing potential workplace exposure and communicating such measures clearly and effectively will go a long way to reducing employee fears of workplace exposure. Employers should assess the specific risk in the workplace on a case-by-case basis. Currently, federal guidance is focused on encouraging those who are sick (or may have been exposed to the coronavirus) to stay home. In the event of a more particularized risk, such as an actual case of exposure to the coronavirus in the workplace, employers may wish to encourage (or require) working from home or offer more lenient work from home options to its employees.

Should employers inform employees if there is an identified case of COVID-19 in the workplace?

Yes. Employees should be informed of confirmed cases in the workplace. But employers must ensure that employee confidentiality is maintained as required under the ADA, the Health Insurance Portability and Accountability Act (“HIPAA”) and any other state or federal law.

Should employees be encouraged to wear face masks?

The CDC has not recommended that healthy persons wear face masks. Face masks are reported to have no benefit for a healthy person in preventing their exposure to the coronavirus, although masks may provide some benefit if worn by sick persons in limiting their spread of the virus to others. The CDC has urged people to stop buying masks because such consumer behavior is depleting necessary resources from health care professionals who need them.

What about specific guidance for health care employers?

The CDC has issued specific guidance to try to prevent the spread of the coronavirus into, among, and between health care facilities, including monitoring patients and employees for fever or respiratory systems, encouraging employees to stay home if they have symptoms of respiratory infection and identifying which employees will care for patients with COVID-19. It is critical for health care facilities to have a plan in place to respond to any outbreak. There are potentially severe risks to patients facing health challenges if they are being cared for by employees who have been exposed to the coronavirus.

Is there a special risk for employees who handle packages or products shipped from an affected area?

The CDC has issued guidance that it is unlikely that the coronavirus can spread vis-à-vis products or packaging. Some employers may nevertheless decide to offer specific personal protective equipment (“PPE”) to those employees handling packages or products from affected areas, simply in an effort to mitigate employee fear or concern. In such cases, employees should be properly trained on the use and disposal of the PPE.

What other issues may employees working abroad face?

Consular offices may be closed due to the coronavirus outbreak. Currently, field offices in Beijing and Guangzhou are closed. Such closures may delay any communications with immigration officials

© 2020 Vedder Price

For more on the coronavirus, see the National Law Review’s New Coronavirus News section.

Coronavirus: Employers Should Plan, Not Panic

Coronavirus, whose formal name is COVID-19, has been the subject of much media attention since the first outbreak in Wuhan, China, late last year.  Just like recent outbreaks of the swine flu, the avian flu, SARS and the West Nile virus, each new “bug” creates fear surrounding a previously unknown threat.  While there are tens of thousands of cases in China, as of February 19, 2020, according to the U.S. Centers for Disease Control and Prevention (CDC), there were 15 confirmed cases of coronavirus in the U.S.  The confirmed cases were limited to seven states located on the perimeter of the country.

According to the CDC, coronaviruses are a large family of viruses that are common in many different species of animals, including camels, cattle, cats and bats. Rarely, animal coronaviruses can infect and then spread between people.

To put the current coronavirus outbreak in context, the CDC estimates there have been between 26 MILLION and 36 MILLION cases of flu in the U.S. this season and an estimated 15,000 to 36,000 deaths.  In fact, this year’s flu season is the worst in almost 20 years.  While the majority of these deaths and hospitalizations have occurred in people over age 65, this year’s flu has impacted children and younger adults in greater numbers than usual.

While no one knows for sure the extent to which the coronavirus will take hold in the U.S., employers should take steps now to plan ahead so that they will be able to maintain normal business operations.  The challenges for any business facing coronavirus or any other disease outbreak involve a multitude of conflicting legal obligations.  Under the Occupational Safety and Health Act (OSHA) and similar state laws, employers have a general duty and obligation to provide a safe and healthy work environment, even when the work occurs outside the employer’s physical premises. Furthermore, under these health and safety laws, employers must not place their employees in situations that are likely to cause serious physical harm or death.

Conversely, overreacting by implementing broad-based bans and making business decisions about employees that are not based on statistical realities could get an employer sued under laws that prohibit discrimination based upon disability (perceived or real) and national origin discrimination, among others.

Properly planning for and implementing plans to deal with the coronavirus is legally and operationally complex.  Listing all of the considerations for such plans are too numerous for this brief blog article. By way of example, employers who have operations in Hubei Province in China, the epicenter of the coronavirus outbreak, will face far more difficult and complex challenges than an employer with a single facility in the middle of the U.S.  However, at a minimum here are some things every business should be doing:

  • If you have not already done so, institute a ban on all business travel to China.  This may be a moot point given the cancellation of most flights into and out of mainland China.  Under the circumstances, it is also totally appropriate to require that any of your employees who choose to travel to China for personal reasons notify a designated company official and let the official know of their plans.

  • If employees must use a company-designated travel agent to arrange business travel, get the agent to provide reports on all international business travel.  But don’t overreact and implement a broad-based travel ban to countries that do not pose a risk of harm.  However, if an employee expresses fear of any international travel, have a rational discussion and review the relevant outbreak statistics to see if those fears are real or inflated.  Even if fears are irrational, consider the negative impact on employee morale by forcing someone to travel.

  • Designate a management official to check the CDC website daily to see the latest tracking of the virus’ spread.  This person should be the in-house resource and should be involved in ban or no-ban decisions.

  • If an employee has been to a real coronavirus “hotspot,” consider making him or her stay home for the full 14-day incubation period.  Whether employees work remotely or do not work, the decision whether they should be paid to stay home during this time is an individualized determination.  However, employers need to be flexible and should consider bending the rules if they want to appear humane and seriously concerned about health issues.  If employers force someone to stay home for two weeks without pay or make them use precious PTO, they may push people to hide where they have been, which will defeat planning to ensure that management is taking all reasonable steps to prevent the spread through the workplace.

  • Do not panic or overreact but rather engage in sound business contingency planning.  Begin by developing contingency plans based upon the industry you are in, the size of your business and how you will operate in the event absenteeism rates greatly exceed those of a normal flu season.

  • Use this opportunity to communicate with your employees about seasonal flu prevention strategies, such as minimizing contact and engaging in sound hygiene and sanitation.  As the statistics above demonstrate, seasonal flu poses a far greater and more immediate threat to your employees’ health than does the coronavirus.

  • Develop a plan for communicating with your employees if a major pandemic breaks out, regardless of where they are located, including the workplace, at home or on the road.
    Regardless of how bad things may get, it is important that management not panic or overreact.  Plan for worst case scenarios now so you can effectively respond to what will likely be a rapidly changing situation. To do this, your management should anticipate and prepare for how you will answer the plethora of questions that will almost certainly be raised.

Proper planning for and dealing with individualized employee situations implicates a whole range of employment laws, such as ADA, GINA, OSHA, Title VII, ERISA, as does the nature of your business.  To deal with these legal issues, you should consult with your attorney.

Finally, there are a variety of web-based resources available to assist you in planning, preparation, and monitoring the spread of the coronavirus on a global basis, including the CDC at www.cdc.gov, OSHA at https://www.osha.gov/SLTC/covid-19/, and the World Health Organization https://www.who.int/emergencies/diseases/novel-coronavirus-2019.

© 2020 Foley & Lardner LLP

For more on the coronavirus see the National Law Review Health Law & Managed Care section.

Law Firms and Bar Associations Must Plan Now for Coronavirus Outbreak

Our sources in Washington are indeed very worried about the coronavirus emerging from China. 

Many of our sources believe that containment will not work.

In the event of a major pandemic, “social distancing” will be enforced.  Schools, restaurants, movie theaters – and even law firms – will be closed, perhaps for an indefinite time, presenting unprecedented challenges.

At the very least, bar associations and law firms should begin thinking about logistics now using “peace time” wisely.

Viruses that originate in an animal and jump to a human can and often do change or mutate, presenting challenges to doctors and researchers. Especially during rapidly developing situations, reporters will likely demand simple and definitive answers, even in situations where simple and definitive answers don’t exist. As well, bloggers with political agendas may accidentally or purposely report fact as fiction and vice versa.

On the internet, anyone can be a “reporter” with the ability to publish immediately and without the safety net of editors, fact-checkers and other traditional media gatekeepers. Consider also the pressure on traditional media of balancing the need to report immediately vs. reporting accurately. Given those factors, the emerging coronavirus provides another fertile field for confusion with consequences.

The Spanish flu killed some 50 million to 100 million people worldwide over about a year in 1918-19 — one of the deadliest pandemics in human history. The 2003 severe acute respiratory syndrome (SARS) outbreak turned out to be less than a pandemic, but caused 774 deaths in 17 countries, according to the World Health Organization (WHO). The 2009 swine flu (H1N1) outbreak featured high rates of human- to-human transmission, yet was thought to have been less lethal than originally feared, with a minimum of 18,449 confirmed deaths. In fact, though, the U.S. Centers for Disease Control (CDC) has since estimated the global death toll at 284,000 — 15 times those confirmed cases.

All of these examples should serve as cautionary tales for how we approach and talk about this latest potential pandemic.

I reached out to Peter Sandman, perhaps the United States’ pre-eminent risk communication speaker and consultant. Here’s what Sandman told me in his email reply:

The key lesson here: The word “pandemic” means an infectious disease has spread to lots of people in lots of places. To be a pandemic, an outbreak has to be widespread and intense. It doesn’t have to be severe; 1918 was, 2009 wasn’t — at least in comparison.

This coronavirus? The experts are pretty sure it’s going to go pandemic. They don’t know yet how severe it will be, though many are guessing it will be closer to 2009 than to 1918. Even a mild pandemic kills a lot of people, simply because a small percentage of a huge number is a lot of people. And a mild pandemic can certainly be disruptive: hospital overcrowding, absenteeism, supply-chain problems, etc.

If it’s mild and stays mild, it won’t be catastrophic.

Whether it’s mild or severe, though, a pandemic eventually makes containment efforts futile, and therefore a waste of effort. Patient isolation, contact tracing and monitoring, quarantines and travel restrictions are the four main containment tools. The first two are conventional. The last two are controversial, not because they’re less effective than the first two but because they have bigger downsides.

None of the four, separately or together, can stop a pandemic. They can slow it a little, which isn’t nothing: It buys time for preparedness (emotional as well as medical and logistical). But as soon as the virus is spreading widely in a place, that place has no further use for containment.

The risk communication lesson now: Stop telling people that containment will “work.” If the coronavirus goes pandemic, as noted immunologist Dr. Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, and nearly every other expert expects, eventually (and probably pretty soon) it will be spreading widely in the U.S., too, and containment won’t make sense.

One feature of the 2009 flu outbreak was the changing nature of advice. At first, pregnant women were to receive priority for inoculations. Then, it was anyone with a compromised immune system, followed by those over the age of 60. As I recall, during this era before social media exploded and become a main source for news, reporters, columnists and other pundits were quick to criticize the CDC, the World Health Organization and other federal, state and local health officials for the lack of definitive advice and prognostication.

As this is being written, there is no way to tell whether the coronavirus is going to be highly infectious but not lethal or highly infectious with a high degree of lethality. It might even burn itself out — or it may seem to go into hiatus but then come roaring back in the fall (as did the Spanish flu).

Government agencies are already placing visitors from China into quarantine. This may suddenly escalate, with the closure of airports and other ports of entry. Stock markets may dramatically tumble — but then recover just days later. Or they may not. And if things really escalate, offices, schools, malls, theaters and other venues may close — and grocery shelves may empty. In the face of this uncertainty and volatility, prudent bar association and law firm leaders should be using “peace time” to prepare for the worst.

Now is the time to:

  • Examine your sick-leave policies. Family-leave policies, too, should be looked at because many employees may unilaterally decide to hunker down at home, especially if they have small children or elderly relatives to care for.

  • Encourage and utilize good hygiene practices (e.g., hand-washing, coughing into the crook of the elbow instead of the hand).

  • Consider what a travel ban might do to your business.

  • Remind your employees — and yourself — to depend on only the most reliable sources for information about coronavirus. The WHO, the CDC and state and local health boards are reliable. Facebook isn’t — and the advice given by the pundits on cable television must be taken with more than the proverbial grain of salt.

  • Remember to remind all of your stakeholders that situations like this are fluid and the information given out now may be preliminary and subject to change. Even advice from the CDC and WHO can change, depending on the facts at hand.

Employees, customers and other stakeholders will cross-check what you tell them against other sources. If you mislead them, they’ll hold it against you. Be especially careful not to sound over-reassuring or overconfident, which Sandman says are the two most common crisis risk communication mistakes other than outright dishonesty (also common, sadly).

© 2020 Hennes Communications. All rights reserved.

For more on Coronavirus risk mitigation, see the National Law Review Health Law & Managed Care section.

D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

On January 23, 2020, the D.C. District Court narrowed an individual’s right to request that HIPAA covered entities furnish the individual’s own protected health information (“PHI”) to a third party at the individuals’ request, and removed the cap on the fee covered entities may charge to transmit that PHI to a third party.

Specifically the Court stated that individuals may only direct PHI in an electronic format to such third parties, and that HIPAA covered entities, and their business associates, are not subject to reasonable, and cost-based fees for PHI directed to third parties.

The HIPAA Privacy Rule grants individuals with rights to access their PHI in a designated record set, and it specifies the data formats and permissible fees that HIPAA covered entities (and their business associates) may charge for such production. See 45 C.F.R. § 164.524. When individuals request copies of their own PHI, the Privacy Rule permits a HIPAA covered entity (or its business associate) to charge a reasonable, cost-based fee, that excludes, for example, search and retrieval costs. See 45 C.F.R. § 164.524(c) (4). But, when an individual requests his or her own PHI to be sent to a third party, both the required format of that data (electronic or otherwise) and the fees that a covered entity may charge for that service have been the subject of additional OCR guidance over the years—guidance that the D.C. District Court has now, in part, vacated.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act set a statutory cap on the fee that a covered entity may charge an individual for delivering records in an electronic form. 42 U.S.C. § 17935(e)(3). Then, in the 2013 Omnibus Rule, developed pursuant to Administrative Procedure Act rulemaking, the Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) implemented the HITECH Act statutory fee cap in two ways. First, OCR determined that the fee cap applied regardless of the format of the PHI—electronic or otherwise. Second, OCR stated the fee cap also applied if the individual requested that a third party receive the PHI. 78 Fed. Reg. 5566, 5631 (Jan. 25, 2013). Finally, in its 2016 Guidance document on individual access rights, OCR provided additional information regarding these provisions of the HIPAA Privacy Rule. OCR’s FAQ on this topic is available here.

The D.C. District Court struck down OCR’s 2013 and 2016 implementation of the HITECH Act, in part. Specifically, OCR’s 2013 HIPAA Omnibus Final Rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress. That statute requires only that covered entities, upon an individual’s request, transmit PHI to a third party in electronic form. Additionally, OCR’s broadening of the fee limitation under 45 C.F.R. § 164.524(c)(4) in the 2016 Guidance document titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. Sec. 164.524” violates the APA, because HHS did not follow the requisite notice and comment procedure.” Ciox Health, LLC v. Azar, et al., No. 18-cv0040 (D.D.C. January 23, 2020).

All other requirements for patient access remain the same, including required time frames for the provision of access to individuals, and to third parties designated by such individuals. It remains to be seen, however, how HHS will move forward after these developments from a litigation perspective and how this decision will affect other HHS priorities, such as interoperability and information blocking.

© Polsinelli PC, Polsinelli LLP in California

For more on HIPAA Regulation, see the National Law Review Health Law & Managed Care section.

Federal Court Strikes Down HIPAA Fee Limitations for Third-Party Medical Records Requests

On Jan. 29, 2020, OCR released a notice regarding a recent federal court ruling in the case of Ciox Health, LLC v. Azar, et al., where a federal judge in the District Court for the District of Columbia vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to protected health information (“PHI”) of an individual … in an electronic format.”Additionally, the court held that the fee limitation set forth at 45 CFR § 164.524(c)(4) should only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.

The Ciox Health case centered on the restrictions the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) put in place in the 2013 Omnibus Rule 2 and through informal guidance published in 2016 regarding fees that can be charged to patient in searching for, retrieving, and delivering their records and PHI as it pertains to third-party directives. Third-party directives are a mechanism promulgated by the HITECH Act that granted individuals the right to obtain a copy of their PHI maintained electronically, and “if the individual so chooses, to direct the covered entity to transmit such copy directly to an entity or person designed by the individual.”3 Additionally, the HIPAA Privacy Rule permits a reasonable cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct a copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage (this fee is also referred to as the “Patient Rate”).4

The 2013 Omnibus Rule broadened the third-party directives to PHI maintained in any format, not just electronic records. Moreover, the 2013 Omnibus Rule amended the Patient Rate and required actual labor costs associated with the retrieval of electronic information to be excluded.5

In 2016, HHS issued a guidance document titled Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524 (the “2016 Guidance”).6  The 2016 Guidance made two notable requirements that gave rise to the current litigation. Most significantly, HHS declared that the Patient Rate applies “when an individual directs a covered entity to send the PHI to a third party.”7

“This limitation,” HHS said, referring to the Patient Rate, “applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).”8

Additionally, in the 2016 Guidance, HHS provided a methodology to calculate the Patient Rate in requests for an electronic copy of PHI maintained electronically. The methodology would require the entity to determine a fee by calculating the actual allowable costs to fulfill each request or by using a schedule of costs based on the average allowable labor costs to fulfill standard requests. HHS also provided an option for entities to charge a flat rate for requests for electronic copies of PHI not to exceed $6.50 as an alternative to going through the process of calculating these costs.

In this case, HHS was sued by Ciox Health, a medical record retrieval company, over the changes to the Patient Rate set forth in both the 2013 Omnibus Rule and the 2016 Guidance. Ciox Health argued that the $6.50 flat fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee has negatively impacted its business. Ciox Health claims the 2013 Omnibus Rule and the 2016 Guidance, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

The district court, in declaring the changes to the Patient Rate set forth in the 2013 Omnibus Rule unlawful, held that HHS cannot rely on its general rulemaking authority to supplement the limited-scope, third-party directive enacted by Congress in the HITECH Act. The court held that the 2013 Omnibus Rule’s expansion of the third-party directive is therefore arbitrary and capricious. Moreover, the district court held that the 2016 Guidance that worked a change into the Patient Rate was akin to a legislative rule that HHS had no authority to adopt without notice and comment. As a result, the court vacated the 2013 Omnibus Rule’s expansion of the HITECH Act’s third-party directive beyond requests for a copy of electronic records with respect to PHI of an individual in an electronic format. The court also declared unlawful and vacated the 2016 Guidance as it extended the Patient Rate to third-party directives without going through notice and comment.

Health care providers and medical records access companies are no longer required to limit the fees charged to their average costs, or charge a $6.50 flat fee, when a patient requests their medical records be transmitted to a third party. The fee limitations will still apply to individuals when they request their own records, however, as decided in the Ciox Health decision, on January 23, 2020.

OCR released a notice on Jan. 29, 2020 that the right of individuals to access their own records and any fee limitations that apply when exercising this right still apply. However, OCR appears to have at least accepted this ruling for now, as it pertains to third-party directives. OCR stated that it will continue to enforce the right of access provisions in 45 CFR § 164.524 that are not restricted by the court order. The court order can be viewed here.

[1] Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020)

[2] See Modifications to the HIPAA Privacy, Security,

Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic

Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566

(Jan. 25, 2013).

[3] 42 U.S.C. § 17935(e);

[4] 45 CFR § 164.524(c)(4)

[5] 78 Fed. Reg. at 5,636.

[6] This guidance is available at this link: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

[7] Id. at 16.

[8] Id.

© 2020 Dinsmore & Shohl LLP. All rights reserved.

For more on HIPAA medical-records regulation, see the National Law Review Health Law & Managed Care section.

Growing Number of States Enact Drug Pricing Transparency Laws

Drug prices continue to be a hot button issue in American politics.  While many of the Trump Administration’s efforts to curb increasing drug prices stalled in 2019, a number of state legislatures have adopted drug price transparency laws in recent years.  Since 2015, Vermont, Nevada, California, Maryland, Louisiana, New York, Oregon, Colorado, Connecticut, Maine, Texas, and Washington have all adopted drug pricing transparency laws.  These laws are designed to incentivize manufactures to lower drug prices by requiring them to report information about drug price increases and their justification for how drug prices are set.  We have been tracking and summarizing these laws, and you can find our summary here.

Below is a brief overview of the trends that we’re seeing in state drug price transparency laws.

  • State Laws Requiring Manufacturer Reporting on Drug Price Increases.  The most prevalent type of drug price transparency laws requires manufacturers to report an extensive amount of information about drug price increases.  Generally, states require manufacturers to report the information to a state government agency (e.g., Oregon), but other states (e.g., California) require manufacturers to provide advance notice of drug price increases to purchasers.  Generally, reporting requirements are triggered when the wholesale acquisition cost (WAC) increases over a certain dollar threshold or when the net increase of the WAC increases a certain percentage over the course of a year.
  • State Laws Requiring Manufacturer Reporting for Specific Drugs Identified by the State or Certain Types of Drugs. Several states (e.g., Connecticut and Vermont) authorize an independent board to compile a list of drugs on which the state spends significant dollars and/or for which the WAC has increased significantly over the past year or past five years.  Manufacturers of the drugs identified by the board are required to report certain information about the drugs’ costs and pricing.  The reporting requirements in other state laws are specific to certain types of drugs.  For example, Nevada’s drug price transparency law initially applied only to forms of insulin and biguanides, which are essential for diabetes treatment.  In 2019, Nevada expanded the law to apply to prescription drugs essential for asthma treatment as well.
  • State Laws Requiring Pharmacy Benefit Managers (PBMs) to Disclose Manufacturer Rebates.  These laws place accountability for drug price increases on PBMs by requiring them to disclose the amount of rebates they negotiate and retain from manufacturers.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

ARTICLE BY Rachel E. Yount of Mintz.
For more drug pricing transparency developments see the National Law Review Biotech, Food & Drug law page.

Offered Free Cyber Services? You May Not Need to Look That Gift Horse in the Mouth Any Longer.

Cyberattacks continue to plague health care entities. In an effort to promote improved cybersecurity and prevent those attacks, HHS has proposed new rules under Stark and the Anti-Kickback Statute (“AKS”) to protect in-kind donations of cybersecurity technology and related services from hospitals to physician groups. There is already an EHR exception1 which protects certain donations of software, information technology and training associated with (and closely related to) an EHR, and HHS is now clarifying that this existing exception has always been available to protect certain cybersecurity software and services. However, the new proposed rule explicitly addresses cybersecurity and is designed to be more permissive then the existing EHR protection.

The proposed exception under Stark and safe harbor under AKS are substantially similar and unless noted, the following analysis applies to both. The proposed rules allow for the donation of cybersecurity technology such as malware prevention and encryption software. The donation of hardware is not currently contemplated, but HHS is soliciting comment on this matter as discussed below. Specifically, the proposed rules also allow for the donation of cybersecurity services that are necessary to implement and maintain cybersecurity of the recipient’s systems. Such services could include:

  • Services associated with developing, installing, and updating cybersecurity software;

  • Cybersecurity training, including breach response, troubleshooting and general “help desk” services;

  • Business continuity and data recovery services;

  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;

  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or

  • Services associated with sharing information about known cyber threats, and assisting recipients responding to threats or attacks on their systems.

The intent of these rules is to allow the donation of these cybersecurity technology and services in order to encourage its proliferation throughout the health care community, and especially with providers who may not be able to afford to undertake such efforts on their own. Therefore, these rules are expressly intended to be less restrictive than the previous EHR exception and safe harbor. The proposed restrictions are as follows2:

  • The donation must be necessary to implement, maintain, or reestablish cybersecurity;

  • The donor cannot condition the donations on the making of referrals by the recipient, and the making of referrals by the recipient cannot be conditioned on receiving a donation; and

  • The donation arrangement must be documented in writing.

AKS has an additional requirement that the donor must not shift the costs of any technology or services to a Federal health care program. Currently, there are no “deeming provisions” within these proposed rules for the purpose of meeting the necessity requirement, but HHS is considering, and is seeking comment on, whether to add deeming provisions which essentially designate certain arrangements as acceptable. Some in the industry appreciate the safety of knowing what is expressly considered acceptable and others find this approach more restrictive out of fears that the list comes to be considered exhaustive.

HHS is also considering adding a restriction regarding what types of entities are eligible for the donation. Previously for other rules, HHS has distinguished between entities with direct and primary patient care relationships, such as hospitals and physician practices, and suppliers of ancillary services, such as laboratories and device manufacturers.

Additionally, HHS is soliciting comment on whether to allow the donation of cybersecurity hardware to entities for which a risk assessment identifies a risk to the donor’s cybersecurity. Under this potential rule, the recipient must also have a risk assessment stating that the hardware would reasonably address a threat.

1 AKS Safe Harbor 42 CFR §1001.952(y); Stark Exception §411.357(bb)
2 AKS Safe Harbor 42 CFR §1001.952(jj); Stark Exception §411.357(w)(4)

©2020 von Briesen & Roper, s.c

More on cybersecurity software donation regulation on the National Law Review Communications, Media & Internet law page.