Coronavirus – Further Updates on Travel Impact

As the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) continue to monitor the current and potential impact of the coronavirus (COVID-19) in the United States and worldwide, the CDC and the Department of State (DOS) have updated their travel guidance by issuing warnings about new countries and raising the threat levels of previously named countries. Further, President Trump has issued a proclamation that temporarily suspends entry to the United States for foreign nationals who have been physically present in Iran within the last 14 days. We outline below the current travel advisories and will continue to provide updates as new information becomes available.

Iran:

The CDC issued a Travel Advisory alert on Iran at the Warning—Level 3 category, recommending that travelers avoid all nonessential travel.

On February 29, 2020, through a Presidential Proclamation, the U.S. government announced that, effective today, March 2, 2020, at 5:00 p.m. eastern time, it was suspending entry of foreign nationals, both immigrants and nonimmigrants, who were physically present in Iran within the 14 days preceding their entry into the United States.

Italy:

The CDC issued a Travel Advisory alert on Italy at the Warning—Level 3 category, recommending that travelers avoid all nonessential travel. DOS maintains a Level 3 Advisory for Italy as well.

The most affected regions are Lombardy and Veneto (North Italy, Milan consular district). On February 23, 2020, the U.S. Embassy in Rome issued a Health Alert, stating that the U.S. Consulate General in Milan has suspended routine visa services until March 2, 2020. Given the continued health concerns, we expect an updated advisory shortly. However, at this time, full consular services are available at the U.S. Embassy in Rome and the U.S. Consulates General in Florence and Naples.

China:

The CDC has raised the Travel Advisory level for China to a Warning—Level 3 category, recommending that travelers avoid all nonessential travel. DOS has raised the Travel Advisory to Level 4 advising that individuals not travel to China, and to be prepared for the possibility of travel restrictions with little to no advanced notice.

The previous warnings related to China under the Presidential Proclamation, effective February 2, 2020, remain in effect. Foreign nationals who have visited China in the last 14 days may not enter the United States, and American citizens and lawful permanent residents who have been to China in the past 14 days will undergo health screenings at a prescribed list of airports. Depending on their history, individuals may receive additional travel prescriptions.

South Korea:

The CDC has raised the Travel Advisory level for South Korea to a Warning—Level 3 category, recommending that travelers avoid all nonessential travel. DOS maintains a Level 3 Advisory for South Korea as well.

Japan:

The CDC added Japan to the Travel Advisory alerts at Alert—Level 2. The CDC recommends that high-risk travelers practice enhanced precautions. As of February 21, 2020, the U.S. Embassy in Tokyo continues to provide all consular services.

Hong Kong:

The CDC has maintained a Travel Advisory level of Watch—Level 1 (Practice Usual Precautions) for Hong Kong. DOS increased the Hong Kong Travel Advisory to Level 2 (Exercise Increased Caution). Further, the U.S. Consulates in Hong Kong and Macau recommend that anyone with a pending consular appointment who resides in China, has traveled to China recently, or intends to travel to China prior to their planned trip to the United States, postpone their visa interview appointment until 14 days subsequent to their departure from China.


©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

ARTICLE BY Danielle A. Porter of Mintz.
For more on coronavirus developments see the National Law Review Health Law & Managed Care section.

Coronavirus: Employers Should Plan, Not Panic

Coronavirus, whose formal name is COVID-19, has been the subject of much media attention since the first outbreak in Wuhan, China, late last year.  Just like recent outbreaks of the swine flu, the avian flu, SARS and the West Nile virus, each new “bug” creates fear surrounding a previously unknown threat.  While there are tens of thousands of cases in China, as of February 19, 2020, according to the U.S. Centers for Disease Control and Prevention (CDC), there were 15 confirmed cases of coronavirus in the U.S.  The confirmed cases were limited to seven states located on the perimeter of the country.

According to the CDC, coronaviruses are a large family of viruses that are common in many different species of animals, including camels, cattle, cats and bats. Rarely, animal coronaviruses can infect and then spread between people.

To put the current coronavirus outbreak in context, the CDC estimates there have been between 26 MILLION and 36 MILLION cases of flu in the U.S. this season and an estimated 15,000 to 36,000 deaths.  In fact, this year’s flu season is the worst in almost 20 years.  While the majority of these deaths and hospitalizations have occurred in people over age 65, this year’s flu has impacted children and younger adults in greater numbers than usual.

While no one knows for sure the extent to which the coronavirus will take hold in the U.S., employers should take steps now to plan ahead so that they will be able to maintain normal business operations.  The challenges for any business facing coronavirus or any other disease outbreak involve a multitude of conflicting legal obligations.  Under the Occupational Safety and Health Act (OSHA) and similar state laws, employers have a general duty and obligation to provide a safe and healthy work environment, even when the work occurs outside the employer’s physical premises. Furthermore, under these health and safety laws, employers must not place their employees in situations that are likely to cause serious physical harm or death.

Conversely, overreacting by implementing broad-based bans and making business decisions about employees that are not based on statistical realities could get an employer sued under laws that prohibit discrimination based upon disability (perceived or real) and national origin discrimination, among others.

Properly planning for and implementing plans to deal with the coronavirus is legally and operationally complex.  The considerations for such plans are too numerous to list in this brief blog article. By way of example, employers who have operations in Hubei Province in China, the epicenter of the coronavirus outbreak, will face far more difficult and complex challenges than an employer with a single facility in the middle of the U.S.  However, at a minimum, here are some things every business should be doing:

  • If you have not already done so, institute a ban on all business travel to China.  This may be a moot point given the cancellation of most flights into and out of mainland China.  Under the circumstances, it is also totally appropriate to require that any of your employees who choose to travel to China for personal reasons notify a designated company official and let the official know of their plans.

  • If employees must use a company-designated travel agent to arrange business travel, get the agent to provide reports on all international business travel.  But don’t overreact and implement a broad-based travel ban to countries that do not pose a risk of harm.  However, if an employee expresses fear of any international travel, have a rational discussion and review the relevant outbreak statistics to see if those fears are real or inflated.  Even if fears are irrational, consider the negative impact on employee morale by forcing someone to travel.

  • Designate a management official to check the CDC website daily to see the latest tracking of the virus’ spread.  This person should be the in-house resource and should be involved in ban or no-ban decisions.

  • If an employee has been to a real coronavirus “hotspot,” consider making him or her stay home for the full 14-day incubation period.  Whether employees work remotely or do not work, the decision whether they should be paid to stay home during this time is an individualized determination.  However, employers need to be flexible and should consider bending the rules if they want to appear humane and seriously concerned about health issues.  If employers force someone to stay home for two weeks without pay or make them use precious PTO, they may push people to hide where they have been, which will defeat planning to ensure that management is taking all reasonable steps to prevent the spread through the workplace.

  • Do not panic or overreact but rather engage in sound business contingency planning.  Begin by developing contingency plans based upon the industry you are in, the size of your business and how you will operate in the event absenteeism rates greatly exceed those of a normal flu season.

  • Use this opportunity to communicate with your employees about seasonal flu prevention strategies, such as minimizing contact and engaging in sound hygiene and sanitation.  As the statistics above demonstrate, seasonal flu poses a far greater and more immediate threat to your employees’ health than does the coronavirus.

  • Develop a plan for communicating with your employees if a major pandemic breaks out, regardless of where they are located, including the workplace, at home or on the road.

Regardless of how bad things may get, it is important that management not panic or overreact.  Plan for worst case scenarios now so you can effectively respond to what will likely be a rapidly changing situation. To do this, your management should anticipate and prepare for how you will answer the plethora of questions that will almost certainly be raised.

Proper planning for and dealing with individualized employee situations implicates a whole range of employment laws, such as the ADA, GINA, OSHA, Title VII and ERISA, as does the nature of your business.  To deal with these legal issues, you should consult with your attorney.

Finally, there are a variety of web-based resources available to assist you in planning, preparation, and monitoring the spread of the coronavirus on a global basis, including the CDC at www.cdc.gov, OSHA at https://www.osha.gov/SLTC/covid-19/, and the World Health Organization https://www.who.int/emergencies/diseases/novel-coronavirus-2019.


© 2020 Foley & Lardner LLP


Law Firms and Bar Associations Must Plan Now for Coronavirus Outbreak

Our sources in Washington are indeed very worried about the coronavirus emerging from China. 

Many of our sources believe that containment will not work.

In the event of a major pandemic, “social distancing” will be enforced.  Schools, restaurants, movie theaters – and even law firms – will be closed, perhaps for an indefinite time, presenting unprecedented challenges.

At the very least, bar associations and law firms should begin thinking about logistics now using “peace time” wisely.

Viruses that originate in an animal and jump to a human can and often do change or mutate, presenting challenges to doctors and researchers. Especially during rapidly developing situations, reporters will likely demand simple and definitive answers, even in situations where simple and definitive answers don’t exist. As well, bloggers with political agendas may accidentally or purposely report fact as fiction and vice versa.

On the internet, anyone can be a “reporter” with the ability to publish immediately and without the safety net of editors, fact-checkers and other traditional media gatekeepers. Consider also the pressure on traditional media of balancing the need to report immediately vs. reporting accurately. Given those factors, the emerging coronavirus provides another fertile field for confusion with consequences.

The Spanish flu killed some 50 million to 100 million people worldwide over about a year in 1918-19 — one of the deadliest pandemics in human history. The 2003 severe acute respiratory syndrome (SARS) outbreak turned out to be less than a pandemic, but caused 774 deaths in 17 countries, according to the World Health Organization (WHO). The 2009 swine flu (H1N1) outbreak featured high rates of human-to-human transmission, yet was thought to have been less lethal than originally feared, with a minimum of 18,449 confirmed deaths. In fact, though, the U.S. Centers for Disease Control (CDC) has since estimated the global death toll at 284,000 — 15 times those confirmed cases.

All of these examples should serve as cautionary tales for how we approach and talk about this latest potential pandemic.

I reached out to Peter Sandman, perhaps the United States’ pre-eminent risk communication speaker and consultant. Here’s what Sandman told me in his email reply:

The key lesson here: The word “pandemic” means an infectious disease has spread to lots of people in lots of places. To be a pandemic, an outbreak has to be widespread and intense. It doesn’t have to be severe; 1918 was, 2009 wasn’t — at least in comparison.

This coronavirus? The experts are pretty sure it’s going to go pandemic. They don’t know yet how severe it will be, though many are guessing it will be closer to 2009 than to 1918. Even a mild pandemic kills a lot of people, simply because a small percentage of a huge number is a lot of people. And a mild pandemic can certainly be disruptive: hospital overcrowding, absenteeism, supply-chain problems, etc.

If it’s mild and stays mild, it won’t be catastrophic.

Whether it’s mild or severe, though, a pandemic eventually makes containment efforts futile, and therefore a waste of effort. Patient isolation, contact tracing and monitoring, quarantines and travel restrictions are the four main containment tools. The first two are conventional. The last two are controversial, not because they’re less effective than the first two but because they have bigger downsides.

None of the four, separately or together, can stop a pandemic. They can slow it a little, which isn’t nothing: It buys time for preparedness (emotional as well as medical and logistical). But as soon as the virus is spreading widely in a place, that place has no further use for containment.

The risk communication lesson now: Stop telling people that containment will “work.” If the coronavirus goes pandemic, as noted immunologist Dr. Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, and nearly every other expert expects, eventually (and probably pretty soon) it will be spreading widely in the U.S., too, and containment won’t make sense.

One feature of the 2009 flu outbreak was the changing nature of advice. At first, pregnant women were to receive priority for inoculations. Then, it was anyone with a compromised immune system, followed by those over the age of 60. As I recall, during this era before social media exploded and became a main source for news, reporters, columnists and other pundits were quick to criticize the CDC, the World Health Organization and other federal, state and local health officials for the lack of definitive advice and prognostication.

As this is being written, there is no way to tell whether the coronavirus is going to be highly infectious but not lethal or highly infectious with a high degree of lethality. It might even burn itself out — or it may seem to go into hiatus but then come roaring back in the fall (as did the Spanish flu).

Government agencies are already placing visitors from China into quarantine. This may suddenly escalate, with the closure of airports and other ports of entry. Stock markets may dramatically tumble — but then recover just days later. Or they may not. And if things really escalate, offices, schools, malls, theaters and other venues may close — and grocery shelves may empty. In the face of this uncertainty and volatility, prudent bar association and law firm leaders should be using “peace time” to prepare for the worst.

Now is the time to:

  • Examine your sick-leave policies. Family-leave policies, too, should be looked at because many employees may unilaterally decide to hunker down at home, especially if they have small children or elderly relatives to care for.

  • Encourage and utilize good hygiene practices (e.g., hand-washing, coughing into the crook of the elbow instead of the hand).

  • Consider what a travel ban might do to your business.

  • Remind your employees — and yourself — to depend on only the most reliable sources for information about coronavirus. The WHO, the CDC and state and local health boards are reliable. Facebook isn’t — and the advice given by the pundits on cable television must be taken with more than the proverbial grain of salt.

  • Remember to remind all of your stakeholders that situations like this are fluid and the information given out now may be preliminary and subject to change. Even advice from the CDC and WHO can change, depending on the facts at hand.

Employees, customers and other stakeholders will cross-check what you tell them against other sources. If you mislead them, they’ll hold it against you. Be especially careful not to sound over-reassuring or overconfident, which Sandman says are the two most common crisis risk communication mistakes other than outright dishonesty (also common, sadly).


© 2020 Hennes Communications. All rights reserved.


D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

On January 23, 2020, the D.C. District Court narrowed an individual’s right to request that HIPAA covered entities furnish the individual’s own protected health information (“PHI”) to a third party at the individual’s request, and removed the cap on the fee covered entities may charge to transmit that PHI to a third party.

Specifically, the Court stated that individuals may only direct PHI in an electronic format to such third parties, and that HIPAA covered entities, and their business associates, are not limited to reasonable, cost-based fees for PHI directed to third parties.

The HIPAA Privacy Rule grants individuals the right to access their PHI in a designated record set, and it specifies the data formats and permissible fees that HIPAA covered entities (and their business associates) may charge for such production. See 45 C.F.R. § 164.524. When individuals request copies of their own PHI, the Privacy Rule permits a HIPAA covered entity (or its business associate) to charge a reasonable, cost-based fee that excludes, for example, search and retrieval costs. See 45 C.F.R. § 164.524(c)(4). But, when an individual requests that his or her own PHI be sent to a third party, both the required format of that data (electronic or otherwise) and the fees that a covered entity may charge for that service have been the subject of additional OCR guidance over the years—guidance that the D.C. District Court has now, in part, vacated.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) set a statutory cap on the fee that a covered entity may charge an individual for delivering records in an electronic form. 42 U.S.C. § 17935(e)(3). Then, in the 2013 Omnibus Rule, developed pursuant to Administrative Procedure Act rulemaking, the Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) implemented the HITECH Act statutory fee cap in two ways. First, OCR determined that the fee cap applied regardless of the format of the PHI—electronic or otherwise. Second, OCR stated the fee cap also applied if the individual requested that a third party receive the PHI. 78 Fed. Reg. 5566, 5631 (Jan. 25, 2013). Finally, in its 2016 Guidance document on individual access rights, OCR provided additional information regarding these provisions of the HIPAA Privacy Rule. OCR’s FAQ on this topic is available here.

The D.C. District Court struck down OCR’s 2013 and 2016 implementation of the HITECH Act, in part. Specifically, the court held that OCR’s 2013 HIPAA Omnibus Final Rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress. That statute requires only that covered entities, upon an individual’s request, transmit PHI to a third party in electronic form. Additionally, OCR’s broadening of the fee limitation under 45 C.F.R. § 164.524(c)(4) in the 2016 Guidance document titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. Sec. 164.524” violates the APA, because HHS did not follow the requisite notice and comment procedure. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).

All other requirements for patient access remain the same, including required time frames for the provision of access to individuals, and to third parties designated by such individuals. It remains to be seen, however, how HHS will move forward after these developments from a litigation perspective and how this decision will affect other HHS priorities, such as interoperability and information blocking.


© Polsinelli PC, Polsinelli LLP in California


Federal Court Strikes Down HIPAA Fee Limitations for Third-Party Medical Records Requests

On Jan. 29, 2020, OCR released a notice regarding a recent federal court ruling in the case of Ciox Health, LLC v. Azar, et al.,[1] where a federal judge in the District Court for the District of Columbia vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to protected health information (“PHI”) of an individual … in an electronic format.” Additionally, the court held that the fee limitation set forth at 45 CFR § 164.524(c)(4) should apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party.

The Ciox Health case centered on the restrictions the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) put in place in the 2013 Omnibus Rule[2] and through informal guidance published in 2016 regarding fees that can be charged to patients for searching for, retrieving, and delivering their records and PHI as it pertains to third-party directives. Third-party directives are a mechanism promulgated by the HITECH Act that granted individuals the right to obtain a copy of their PHI maintained electronically, and “if the individual so chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual.”[3] Additionally, the HIPAA Privacy Rule permits a reasonable cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct a copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage (this fee is also referred to as the “Patient Rate”).[4]

The 2013 Omnibus Rule broadened the third-party directives to PHI maintained in any format, not just electronic records. Moreover, the 2013 Omnibus Rule amended the Patient Rate and required actual labor costs associated with the retrieval of electronic information to be excluded.[5]

In 2016, HHS issued a guidance document titled Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. § 164.524 (the “2016 Guidance”).[6] The 2016 Guidance made two notable requirements that gave rise to the current litigation. Most significantly, HHS declared that the Patient Rate applies “when an individual directs a covered entity to send the PHI to a third party.”[7]

“This limitation,” HHS said, referring to the Patient Rate, “applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).”[8]

Additionally, in the 2016 Guidance, HHS provided a methodology to calculate the Patient Rate in requests for an electronic copy of PHI maintained electronically. The methodology would require the entity to determine a fee by calculating the actual allowable costs to fulfill each request or by using a schedule of costs based on the average allowable labor costs to fulfill standard requests. HHS also provided an option for entities to charge a flat rate for requests for electronic copies of PHI not to exceed $6.50 as an alternative to going through the process of calculating these costs.

In this case, HHS was sued by Ciox Health, a medical record retrieval company, over the changes to the Patient Rate set forth in both the 2013 Omnibus Rule and the 2016 Guidance. Ciox Health argued that the $6.50 flat fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee has negatively impacted its business. Ciox Health claims the 2013 Omnibus Rule and the 2016 Guidance, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

The district court, in declaring the changes to the Patient Rate set forth in the 2013 Omnibus Rule unlawful, held that HHS cannot rely on its general rulemaking authority to supplement the limited-scope, third-party directive enacted by Congress in the HITECH Act. The court held that the 2013 Omnibus Rule’s expansion of the third-party directive is therefore arbitrary and capricious. Moreover, the district court held that the 2016 Guidance that worked a change into the Patient Rate was akin to a legislative rule that HHS had no authority to adopt without notice and comment. As a result, the court vacated the 2013 Omnibus Rule’s expansion of the HITECH Act’s third-party directive beyond requests for a copy of electronic records with respect to PHI of an individual in an electronic format. The court also declared unlawful and vacated the 2016 Guidance as it extended the Patient Rate to third-party directives without going through notice and comment.

Health care providers and medical records access companies are no longer required to limit the fees charged to their average costs, or charge a $6.50 flat fee, when a patient requests their medical records be transmitted to a third party. The fee limitations will still apply to individuals when they request their own records, however, as decided in the Ciox Health decision, on January 23, 2020.

OCR released a notice on Jan. 29, 2020 that the right of individuals to access their own records and any fee limitations that apply when exercising this right still apply. However, OCR appears to have at least accepted this ruling for now, as it pertains to third-party directives. OCR stated that it will continue to enforce the right of access provisions in 45 CFR § 164.524 that are not restricted by the court order. The court order can be viewed here.


[1] Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).

[2] See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the [HITECH] Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566 (Jan. 25, 2013).

[3] 42 U.S.C. § 17935(e).

[4] 45 CFR § 164.524(c)(4).

[5] 78 Fed. Reg. at 5,636.

[6] This guidance is available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

[7] Id. at 16.

[8] Id.


© 2020 Dinsmore & Shohl LLP. All rights reserved.


Coronavirus and the Workplace: What Employers Need To Know

News that multiple cases of the newly-identified 2019 Novel Coronavirus have reached the United States has prompted employers to think about employee safety and ways to address disease prevention in the workplace. Although, according to the Occupational Safety and Health Administration (OSHA), “most American workers are not at significant risk of infection” at this time, the situation is evolving, and it is never too early for employers to consider how they can address employee concerns, help prevent an outbreak, or address one if it occurs. Employers should also be aware of legal pitfalls that they may encounter when attempting to protect their employees from the virus.

The following addresses some of the key questions employers may have regarding the Coronavirus threat.

What is the Coronavirus and How Is It Transmitted?

At this point, relatively little is known about the 2019 Novel Coronavirus, more commonly known as the “Coronavirus.” According to the CDC, the initial reports of the illness originated in Wuhan, China, where people likely contracted the virus from animals at a seafood and animal market. Experts now believe that the virus is spreading from human-to-human when an infected person coughs or sneezes, similar to the spread of a cold or flu. However, it is still too early to know how easily the virus is transmitted between people.

What Are the Primary Symptoms of the Coronavirus?

In the confirmed cases of Coronavirus thus far, affected individuals have reported mild to severe respiratory symptoms, fever, cough, shortness of breath, and breathing difficulties. In severe cases, the virus has led to pneumonia, kidney failure, and, as of the time of this writing, at least 100 deaths (presently, all in China).  The CDC believes at this time that symptoms may appear within two to fourteen days after exposure.  However, some infected individuals have shown little to no symptoms.

How Can Spread of the Coronavirus Be Prevented?

Because there is presently no Coronavirus vaccine available, the CDC is recommending standard precautions to avoid the spread of respiratory viruses, such as washing hands with soap and water for at least 20 seconds, or, if soap is not available, using hand sanitizer; avoiding close contact with people who are sick; staying at home when you are sick; and disinfecting frequently touched objects and surfaces.

What If My Employees Travel to China For Business?

As of January 27, 2020, the CDC has issued a level 3 health travel notice (the highest threat level) recommending that people avoid all nonessential travel to China.

Employers whose employees travel to and from China should keep in mind the following:

  • Consider whether to limit business travel to affected areas. While the current CDC travel notice does not specifically define “nonessential travel,” the General Duty Clause of the Occupational Safety and Health Act (OSHA) requires employers to furnish “employment and a place of employment which are free from recognized hazards that are causing or likely to cause the death or serious physical harm to … employees.”  Although the Occupational Safety and Health Administration (also referred to as OSHA) has not promulgated specific standards covering the Coronavirus, requiring employees to engage in nonessential business travel to China (or any other areas in which the risk of contagion is heightened) could create risk under the General Duty Clause, particularly in light of the CDC warning against nonessential travel.  For that reason, employers whose business may involve travel to China (or other areas that become subject to travel restrictions or otherwise experience an increase in the spread of the virus) should consider other available options for employees for the duration of the threat, such as videoconferencing.

By the same token, employers should also be prepared to respond to employees who may express concerns about traveling to affected areas due to the virus.  While an employer generally has broad discretion to decide the duties and requirements of a job and to discipline employees who fail to fulfill those requirements, as a practical matter employers may wish to consider offering employees reasonable alternatives to such travel.

Finally, while employers may implement restrictions on work-related travel to affected areas, employers should tread more carefully when attempting to police personal, non-work-related travel. That said, recent decisions in the Seventh, Eighth, and Eleventh Circuits have held that the disability discrimination protections of the ADA do not apply where an employer takes an employment action based on the potential for an employee to become ill and disabled in the future. Specifically, the Eleventh Circuit found no liability under the ADA where an employer terminated an employee who requested time off to travel to Ghana to visit family because of the perceived risk that the employee would contract the Ebola virus, due to recent outbreaks of the disease in neighboring countries. While courts have tended to take this view, it is worth noting that the EEOC has argued on at least one occasion that an employer acting on a potential future health condition may be viewed as “regarding” an employee as disabled as long as the condition otherwise qualifies as a disability under the law. For this reason, employers should weigh the risks of imposing a ban on personal, non-work-related travel to affected areas.

  • Provide relevant safety information to employees. Employers whose employees travel to affected areas should provide information to their employees about how the Coronavirus is transmitted, its symptoms, and how to avoid exposure – utilizing trusted and reputable sources such as the CDC. Employers would be well advised to also provide these employees with resources and contact information for local health departments and the CDC.
  • Understand that employee travel may be interrupted. The Chinese government has closed transit within and out of Wuhan and certain other areas of the Hubei Province. Hong Kong has also imposed certain restrictions on travel to and from the Chinese mainland. The United States is also re-routing passengers from Wuhan, China to certain designated airports (including Chicago O’Hare, Atlanta, New York JFK, Los Angeles, and San Francisco) for enhanced screening. While screening for common viruses usually takes several hours, officials have indicated that those suspected of having the Coronavirus could be delayed for up to a day if additional screening is needed.

What Should I Do if an Employee Has Recently Traveled to China or Otherwise May Have Been Exposed to the Coronavirus?

Employers should remember that the Americans with Disabilities Act (ADA) places certain restrictions on the kinds of inquiries that can be made into an employee’s medical status. Specifically, the ADA prohibits employers from making disability-related inquiries and requiring medical examinations, unless (1) the employer can show that the inquiry or exam is job-related and consistent with business necessity, or (2) where the employer has a reasonable belief that the employee poses a direct threat to the health or safety of the individual or others that cannot otherwise be eliminated or reduced by reasonable accommodation.

According to Pandemic Preparedness Guidance published in 2009 by the Equal Employment Opportunity Commission (EEOC) in the midst of the H1N1 influenza outbreak, whether a particular outbreak rises to the level of a “direct threat” depends on the severity of the illness.  Employers should look to the most up-to-date assessments being made by the CDC or other public health authorities, as they relate to the employer’s location, to determine the severity level of an illness and, in turn, whether an employee who potentially has been exposed to the illness may constitute a “direct threat.”  Employers should not rely on speculation or unofficial information when making determinations about whether there is a direct threat.  At the moment, the CDC is not classifying the Coronavirus as a pandemic and has not issued a heightened threat level for the United States.  However, the situation continues to rapidly evolve and we will provide updates should additional guidance be released by the CDC or other public health officials on this important issue.

All this being said, employers should keep in mind the following when it comes to employees who have traveled to affected areas:

  • Employers need not wait until an employee returning from travel develops symptoms to inquire about exposure to the Coronavirus. Inquiring about whether an employee has traveled to an affected area or about possible exposure to a contagious illness during such travel would not constitute a disability-related inquiry.  However, as discussed below, the extent to which an employer may act on the information received will depend on the most recent information available from the CDC or other public health officials.  Further, employers inquiring into whether employees have traveled to affected areas should do so of all employees known or believed to have recently traveled, rather than directing such inquiries only to employees of certain races, ethnicities, or national origins. Finally, employers should be mindful to keep confidential all medical-related information received from an employee, in accordance with the ADA.
  • Under certain circumstances, employers may require employees who have traveled to areas affected by serious health threats to stay home. If the CDC or other local public health officials recommend that people who visit specified locations remain at home for several days until it is clear they do not have illness symptoms, an employer may require an employee who traveled to an affected area to remain out of work for the suggested period of time. While presently the CDC states that individuals who may have been in close contact with someone with the Coronavirus may continue with their daily activities so long as they are not showing any symptoms, employers should continue to monitor the CDC website for further developments. In the absence of a CDC directive that employees who have traveled to affected areas stay at home, an employer that is considering requiring such employees to remain home should consult with counsel.

What Other Things Should Employers Be Thinking About When it Comes to the Coronavirus?

  • Employers may – and should – send employees home if they exhibit potential symptoms of contagious illnesses at work. The EEOC has said that sending an employee home who displays symptoms of contagious illness would not run afoul of the ADA’s restrictions on disability-related actions because: (i) if the illness ultimately turns out to be relatively mild or “run of the mill” (such as seasonal influenza), then it would not have constituted a covered disability in the first place; and (ii) if the illness does turn out to be severe (such that it may constitute a disability under the law), then the actions would be warranted under a direct threat analysis. In either case, an employer can send an employee home who is displaying symptoms of contagious illness, even if this is against the employee’s wishes.  Employers should also consider making clear in their policies that employees who have symptoms of a potential contagious illness must not report to work while they are sick.
  • Determine whether the FMLA or other leave laws may apply. An employee who is experiencing a serious health condition or who requires time to care for a family member with such a condition may be entitled to take unpaid leave under the federal Family and Medical Leave Act (FMLA) or state-law analogues.  Employees may also be eligible for leave as a reasonable accommodation under the ADA or related state or local law, if the underlying condition constitutes a qualifying disability.  However, employees generally are not entitled to take FMLA or reasonable accommodation leave to stay at home to avoid getting sick (though an exception may exist where a preexisting medical condition is likely to be worsened by exposure to a contagious disease). Furthermore, employees in certain jurisdictions may be entitled to paid sick leave if needed to care for themselves or a sick family member in the event of an illness, or if their workplace or a child’s school or day care is closed due to a public health emergency.
  • Consider whether OSHA requirements may apply. While, as noted above, OSHA has not promulgated specific standards covering the Coronavirus, it has issued a notice indicating that employers should be aware of the following general standards to which employers may be subject under OSHA:
    • General Duty Clause: As discussed above, the OSHA General Duty Clause requires employers to furnish “a place of employment which [is] free from recognized hazards that are causing or likely to cause the death or serious physical harm to … employees.” To that end, there are some readily achievable steps that employers can take to prevent the spread of the Coronavirus (and other contagious illnesses) within the workplace, such as: providing hand sanitizer to employees, ensuring that surfaces and eating areas are disinfected regularly, and encouraging employees who are sick to stay home. Employers also may start to consider certain policy changes they may wish to implement in response to the Coronavirus should the situation become more severe in the U.S., such as allowing employees to work from home.
    • Personal Protective Equipment: OSHA requires that protective equipment, clothing, and barriers be provided whenever it is necessary to prevent employees from being exposed to environmental hazards. Employers are required to assess the workplace, determine if hazards are present, and if so, select and have employees use protective equipment. Employers whose employees may encounter individuals infected with the Coronavirus, such as those in the healthcare and travel industries, should begin to consider what protective equipment would be necessary to protect its workforce should the virus begin to spread within the United States.
    • Recordkeeping and Reporting Requirements: OSHA requires that certain employers keep a record of certain work-related illnesses and injuries (often referred to as an OSHA Form 300 log). While there is a regulatory exemption for recording instances of the standard cold and flu, OSHA has deemed the 2019 Novel Coronavirus a recordable illness when a worker is infected on the job. In addition, certain employers may be subject to reporting requirements under state and local law if they have a reasonable belief that a significant disease is present in the workplace.
    • Employers in Higher-Risk Industries: While, again, OSHA has yet to issue any standards or controls specific to Coronavirus, employers operating in industries where employees may be at a potential increased risk of exposure should prepare for the possibility that heightened requirements may be put in place. In the past, OSHA has issued such guidance for employers in industries such as healthcare, airlines, and mortuary services, such as during the MERS outbreak in 2015.

*          *          *

Information about the Coronavirus is constantly developing, so employers also should continue to refer to the CDC, WHO, and OSHA websites for the latest on appropriate precautions, including changes to travel notices. Of course, we will continue to monitor this situation and report on any updates as they develop.


© 2020 Proskauer Rose LLP.

Growing Number of States Enact Drug Pricing Transparency Laws

Drug prices continue to be a hot button issue in American politics. While many of the Trump Administration’s efforts to curb increasing drug prices stalled in 2019, a number of state legislatures have adopted drug price transparency laws in recent years. Since 2015, Vermont, Nevada, California, Maryland, Louisiana, New York, Oregon, Colorado, Connecticut, Maine, Texas, and Washington have all adopted drug pricing transparency laws. These laws are designed to incentivize manufacturers to lower drug prices by requiring them to report information about drug price increases and their justification for how drug prices are set. We have been tracking and summarizing these laws, and you can find our summary here.

Below is a brief overview of the trends that we’re seeing in state drug price transparency laws.

  • State Laws Requiring Manufacturer Reporting on Drug Price Increases.  The most prevalent type of drug price transparency laws requires manufacturers to report an extensive amount of information about drug price increases.  Generally, states require manufacturers to report the information to a state government agency (e.g., Oregon), but other states (e.g., California) require manufacturers to provide advance notice of drug price increases to purchasers.  Generally, reporting requirements are triggered when the wholesale acquisition cost (WAC) increases over a certain dollar threshold or when the net increase of the WAC increases a certain percentage over the course of a year.
  • State Laws Requiring Manufacturer Reporting for Specific Drugs Identified by the State or Certain Types of Drugs. Several states (e.g., Connecticut and Vermont) authorize an independent board to compile a list of drugs on which the state spends significant dollars and/or for which the WAC has increased significantly over the past year or past five years.  Manufacturers of the drugs identified by the board are required to report certain information about the drugs’ costs and pricing.  The reporting requirements in other state laws are specific to certain types of drugs.  For example, Nevada’s drug price transparency law initially applied only to forms of insulin and biguanides, which are essential for diabetes treatment.  In 2019, Nevada expanded the law to apply to prescription drugs essential for asthma treatment as well.
  • State Laws Requiring Pharmacy Benefit Managers (PBMs) to Disclose Manufacturer Rebates.  These laws place accountability for drug price increases on PBMs by requiring them to disclose the amount of rebates they negotiate and retain from manufacturers.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

ARTICLE BY Rachel E. Yount of Mintz.
For more drug pricing transparency developments see the National Law Review Biotech, Food & Drug law page.

Emerging Cyber-Security Threats for 2020: The Rise of Disruptionware and High-Impact Ransomware Attacks

Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.” New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks. This is because, as the ICIT notes, disruptionware not only attempts to encrypt and deny users access to their data, but works as a “layered attack” designed to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Disruptionware has “consumed” many traditional cyber-attacks, making them part of the disruptionware “toolkit.” These techniques include ransomware, “wipers,” “bricking capabilities,” automated components, data exfiltration tools and network reconnaissance tools. (See the ICIT report for further definitions.) The rise of disruptionware is therefore a new and even more chaotic form of cyber warfare attack: rather than stopping at encrypting data and denying users access to it, the attacker combines these tools to halt operations and production in the victim’s environment in pursuit of some broader strategic goal.

Additionally, generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – continue to represent a more prevalent threat to government agencies, healthcare providers and educational institutions. Ransomware was so destructive on its own that the FBI recently issued a Public Service Announcement (PSA) warning about such “high-impact” attacks on critical private and public sector institutions. Underscoring the FBI’s announcement, another publication has noted the rise of ransomware attacks since the beginning of 2019, finding that there have been at least 621 reported successful ransomware attacks against U.S.-based organizations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.

According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and the fact that these institutions usually do not have the luxury of taking time to restore backups in order to get their networks working again and running safely and securely after an attack. Above and beyond the costs associated with paying the ransom and restoring computer networks and systems, ransomware attacks on hospitals and health care providers have proven especially damaging because they affect the ability of the targeted healthcare providers to deliver critical health care services to patients. Perhaps even more disturbingly, many of the victim companies reported losing data even when they paid the ransom demanded by the hackers. Nevertheless, according to the blog “knowbe4,” it was predicted that ransomware payments alone by victim companies will have exceeded $11.5 billion in 2019 – representing an increase of almost 30% over the approximately $8 billion paid in 2018.

Along with the rise of disruptionware and high-impact ransomware, hackers are also now using new and diverse techniques to launch multiple forms of cyber-attacks including, among other things, an increased use of new Remote Desktop Protocol (RDP) attacks, as well as leveraging various software vulnerabilities to infect organizations through backdoor channels. Unfortunately, few businesses are hardening their IT infrastructure against these new types of extremely damaging cyber-attacks. RDP attacks are becoming far more common because many users’ login credentials are weak, while companies are not doing enough to “whitelist” the specific software and applications that are acceptable, leaving security holes caused by numerous vulnerabilities in unsecured and sometimes untested software applications.
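The RDP attacks the paragraph describes typically begin with credential guessing against an exposed Remote Desktop service, and they leave a footprint in the Windows Security log: a burst of Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive), often followed by a 4624 success once a weak password is guessed. The script below is an added example written for this page, not code from the article, the FBI PSA or the ICIT report. It works over a constructed CSV export of such events (the IPs, usernames and timestamps are invented), flags a source IP as brute force when it produces many failures in a short window and as password spraying when it cycles through several accounts, and records whether a success followed the failures. The thresholds and the CSV column names are assumptions for the example.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security events.

Added example for this page. The log lines below are CONSTRUCTED to mimic the
useful fields of Event ID 4625 (failed logon) / 4624 (successful logon) after a
CSV export; they are not real captures. Logon type 10 is RemoteInteractive,
i.e. an RDP session attempt. Thresholds and column names are assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: one attacker cycling accounts, then guessing one
# password repeatedly and finally succeeding; one legitimate user who mistypes.
SAMPLE_EVENTS = """\
time,event_id,logon_type,target_user,source_ip
2020-02-28T02:00:01,4625,10,administrator,203.0.113.7
2020-02-28T02:00:02,4625,10,administrator,203.0.113.7
2020-02-28T02:00:03,4625,10,admin,203.0.113.7
2020-02-28T02:00:04,4625,10,backup,203.0.113.7
2020-02-28T02:00:05,4625,10,jsmith,203.0.113.7
2020-02-28T02:00:06,4625,10,jsmith,203.0.113.7
2020-02-28T02:00:07,4625,10,jsmith,203.0.113.7
2020-02-28T02:00:08,4625,10,jsmith,203.0.113.7
2020-02-28T02:00:09,4625,10,jsmith,203.0.113.7
2020-02-28T02:00:10,4625,10,jsmith,203.0.113.7
2020-02-28T02:00:11,4624,10,jsmith,203.0.113.7
2020-02-28T09:15:00,4625,10,mlee,198.51.100.4
2020-02-28T09:15:30,4624,10,mlee,198.51.100.4
2020-02-28T09:16:00,4625,2,mlee,-
"""

FAIL_THRESHOLD = 8       # failed RDP logons from one IP inside the window
SPRAY_THRESHOLD = 3      # distinct accounts tried from one IP inside the window
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(r["time"]),
            "event_id": int(r["event_id"]),
            "logon_type": int(r["logon_type"]),
            "user": r["target_user"].lower(),
            "ip": r["source_ip"],
        })
    return rows


def detect_rdp_attacks(events, fail_threshold=FAIL_THRESHOLD,
                       spray_threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for IPs whose RDP failures look like an attack.

    Only RemoteInteractive (logon type 10) events with a source IP count. For
    each IP a sliding window over its failures is checked; the densest window
    that crosses a threshold is reported, together with whether a 4624 success
    from the same IP followed the failures (i.e. the guessing likely worked).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10 or e["ip"] == "-":
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            kinds = []
            if len(chunk) >= fail_threshold:
                kinds.append("brute_force")
            if len(users) >= spray_threshold:
                kinds.append("password_spray")
            if kinds and (ip not in findings
                          or len(chunk) > findings[ip]["failures_in_window"]):
                last_fail = chunk[-1]["time"]
                success_after = [s for s in successes[ip]
                                 if last_fail <= s["time"] <= last_fail + window]
                findings[ip] = {
                    "kinds": kinds,
                    "failures_in_window": len(chunk),
                    "distinct_users": sorted(users),
                    "success_after_failures": bool(success_after),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_attacks(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

On the constructed sample the only finding is 203.0.113.7, tagged both brute_force and password_spray, with a success recorded after the failures; the single mistyped password from 198.51.100.4 and the non-RDP (logon type 2) failure produce nothing. In practice the same logic runs over a SIEM export, and a success_after_failures hit is the case to escalate first, because it means the weak credential the paragraph warns about has already been guessed.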

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designations of responsible individuals (both inside and outside the company), procedures for contacting law enforcement, and the business having a firm understanding of what their data is as well as a good understanding of its importance in the overall business plan. Finally, businesses need a current and workable Disaster Recovery Plan for getting the organization up and running again as quickly as possible if there is a cyber-attack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in allowing ransomware or disruptionware victims to try and resume normal business operations as quickly as possible.


©2020 Drinker Biddle & Reath LLP. All Rights Reserved

For more on ransomware and other cyberthreats, see the Communications, Media & Internet section of the National Law Review.

The Shell Game Played with Your DNA, or 23 and Screwing Me

So you want to know how much Neanderthal is in your genes.

You are curious about the percentage of Serbo-Croatian, Hmong, Sephardim or Ashanti blood that runs through your veins. Or maybe you hope to find a rich great-aunt near death, seeking an heir.

How much is this worth to you?  Two hundred bucks? That makes sense.

But what about other costs:

– like sending your cousin to prison for life (and discovering that you grew up with a serial killer)?

– like all major companies refusing to insure you due to your genetic make-up?

— like ruining your family holidays when you find that your grandfather is not really genetically linked to you and grandma had been playing the field?

– like pharma companies making millions using your genetic code to create new drugs and not crediting you at all (not even with discounts on the drugs created by testing your cells)?

– like finding that your “de-identified” genetic code has been re-identified on the internet, exposing genetic propensity for alcoholism or birth defects that turn your fiancé’s parents against you?

How much are these costs worth to you?

According to former FDA commissioner Peter Pitts, writing in Forbes, “The [private DNA testing] industry’s rapid growth rests on a dangerous delusion that genetic data is kept private. Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse. Far from it. Genetic-testing companies cannot guarantee privacy. And many are actively selling user data to outside parties.” Including law enforcement.

Nothing in US Federal health law protects the privacy of DNA test subjects at “non-therapeutic” labs like Ancestry or 23andMe. Information gleaned from the DNA can be used for almost anything.  As Pitts said, “Imagine a political campaign exposing a rival’s elevated risk of Alzheimer’s. Or an employer refusing to hire someone because autism runs in her family. Imagine a world where people can have their genomic building blocks held against them. Such abuses represent a profound violation of privacy. That’s an inherent risk in current genetic-testing practices.”

Genetic testing companies quietly, and some would argue without adequate explanation of facts and harms which are lost in a thousand words of fine print that most data subjects won’t read, push their customers to allow genetic testing on the customer samples provided. Up to 80% of 23andMe customers consent to this activity, likely not knowing that the company plans to make money off the drugs developed from customer DNA. Federal laws require labs like those used by 23andMe for drug development to keep information for more than 10 years, so once they have it, despite rights to erasure provided by California and the EU, 23andMe can refuse to drop your data from its tests.

Go see the HBO movie starring Oprah Winfrey about medical exploitation of the cell lines of Henrietta Lacks, or better yet, read the bestselling book it was based on. Observe that an engaging, vivacious woman who couldn’t afford health insurance was farmed for a line of her cancer cells that assisted medical science for decades and made millions of dollars for pharma companies without any permission from or benefit to the woman whose cells were taken.  Or any benefit to her family once cancer killed her. Companies secured over 11,000 patents using her cell lines. This is the business model now adopted by 23andMe. Take your valuable data under the guise of providing information to you, but quietly turning that data into profitable products for their shareholders’ and executives’ benefit. Not to mention that 23andMe can change its policies at any time.

As part of selling your genetic secrets to the highest bidder, 23andMe is constantly pushing surveys out to its customers. According to an article in Wired, 23andMe founder Anne Wojcicki said, “We specialize in capturing phenotypic data on people longitudinally—on average 300 data points on each customer. That’s the most valuable by far.” Which means they are selling not only your DNA information, but all the other data you give them about your family and lifestyle.

This deep ethical compromise by 23andMe is personal for me, and not because I have sent them any DNA samples – I haven’t and I never would. But because, when questioned publicly about their trustworthiness by me and others close to me, 23andMe has not tried to explain its policies, but has simply attacked the questioners in public. Methinks the amoral vultures doth protest too much.

For example, a couple of years ago, my friend, co-author and privacy expert Theresa Payton noted on a Fox News segment that people who provide DNA information to 23andMe do not know how such data will be used because the industry is not regulated and the company could change its policies any time. 23andMe was prompt and nasty in its response, attacking Ms. Payton on Twitter and probably elsewhere, claiming that the 23andMe privacy policy, as it existed at the time, was proof that no surprises could ever be in store for naïve consumers who gave their most intimate secrets to this company.

[BTW, for the inevitable attacks coming from 23andMe and their army of online protectors, the FTC endorsement guidelines require that if there is a material connection between you and 23andMe, paid or otherwise, you need to clearly and conspicuously disclose it.]

Clearly Ms. Payton was correct and 23andMe’s attacks on her were simply wrong.

Guess what? According to the Wall Street Journal, 23andMe sold a $300 MM stake in itself to GlaxoSmithKline recently and, “For 23andMe, using genetic data for drug research ‘was always part of the vision,’ according to Emily Drabant Conley, vice president and head of business development.” So this sneaky path is not even a new tactic. According to the same WSJ story, “23andMe has long wanted to use genetic data for drug development. Initially, it shared its data with drug makers including Pfizer Inc. and Roche Holding AG ’s Genentech but wasn’t involved in subsequent drug discovery. It later set up its own research unit but found it lacked the scale required to build a pipeline of medicines. Its partnership with Glaxo is now accelerating those efforts.”

And now 23andMe has licensed an antibody it developed to treat inflammatory diseases to Spanish drug maker Almirall SA. “This is a seminal moment for 23andMe,” said Conley. “We’ve now gone from database to discovery to developing a drug.” In the WSJ, Arthur Caplan, a professor of bioethics at NYU School of Medicine said “You get this gigantic valuable treasure chest, and people are going to wind up paying for it twice. All the people who sent in DNA will be paying the same price for any drugs that are developed as anybody else.”

So this adds another ironic dimension to the old television adage, “You aren’t the customer, you are the product.” You pay to provide your DNA – the code to your entire physical existence – to a private company. Why? Possibly because you want information that may affect your healthcare, but in all likelihood you simply intend to use the information for general entertainment and information purposes.

You likely send a swab to the DNA company because you want to learn your ethnic heritage and/or see what interesting things they can tell you about why you have a photic sneeze reflex, if you are genetically inclined to react strongly to caffeine, or if you are a carrier of a loathsome disease (which you could learn for an additional fee). But the company uses the physical cells from your body not only to build databases of commercially valuable information, but to develop drugs and sell them to the pharmaceutical industry. So who is the DNA company’s customer? 23andMe and its competitors take physical specimens from you and sell products made from those specimens to their real customers, the drug companies and the data aggregators.

These DNA processing firms may be the tip of the spear, because huge data companies are coming for your health information. According to the Wall Street Journal,

“Google has struck partnerships with some of the country’s largest hospital systems and most-renowned health-care providers, many of them vast in scope and few of their details previously reported. In just a few years, the company has achieved the ability to view or analyze tens of millions of patient health records in at least three-quarters of U.S. states, according to a Wall Street Journal analysis of contractual agreements. In certain instances, the deals allow Google to access personally identifiable health information without the knowledge of patients or doctors. The company can review complete health records, including names, dates of birth, medications and other ailments, according to people familiar with the deals.”

And medical companies are now tracking patient information with wearables like smartwatches, so that personally captured daily health data is now making its way into these databases.

And, of course, other risk issues affect the people who provide data to such services. We know through reporting following the capture of the Golden State Killer that certain genetic genealogy services (like GEDmatch) have been more free than others with sharing customer DNA with law enforcement without asking for warrants, subpoenas or court orders, and that such data can not only implicate the DNA contributors but their entire families as well. In addition, while DNA testing companies claim to only sell anonymized data, the information may not remain that way.

Linda Avey, co-founder of 23andMe, concedes that nothing is foolproof. She told an online magazine, “It’s a fallacy to think that genomic data can be fully anonymized.” That article showed that researchers have already re-identified people from their publicly available genomic data. For example, one 2013 study matched Y-chromosome data with names posted in places such as genealogy sites. In another study that same year, Harvard Professor Latanya Sweeney re-identified 84 to 97 percent of a sample of Personal Genome Project volunteers by comparing gender, postal code and date of birth with public records.

A 2015 study re-identified nearly a quarter of a sample of users sequenced by 23andMe who had posted their information to the sharing site openSNP. “The matching risk will continuously increase with the progress of genomic knowledge, which raises serious questions about the genomic privacy of participants in genomic datasets,” concludes the paper in Proceedings on Privacy Enhancing Technologies. “We should also recall that, once an individual’s genomic data is identified, the genomic privacy of all his close family members is also potentially threatened.” DNA data is the ultimate genie: once released from the bottle it cannot be changed, shielded or stuffed back inside, and it threatens both the data subject and her entire family for generations.
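The Sweeney re-identification the article cites is a linkage attack: a release that strips names but keeps gender, postal code and date of birth is joined to a public record that has names on exactly those columns, and any participant whose combination is unique in both tables is singled out. The script below is an added example for this page, not code or data from any of the studies or companies mentioned. Both tables are constructed toy data; the participant IDs, names, postal codes and variant labels are invented. It performs the join, measures the fraction of participants uniquely re-identified, and goes one step beyond the article by computing the release's k-anonymity and showing how generalizing the quasi-identifiers (3-digit postal prefix, birth year only) changes both numbers.

```python
"""Linkage attack on a 'de-identified' genomic release via quasi-identifiers.

Added example for this page; not the article's or any study's code. The two
tables are CONSTRUCTED toy data with invented names, postal codes and variant
labels. The attack joins on (gender, zip, dob), the same comparison the
Sweeney study used against Personal Genome Project profiles.
"""
from collections import Counter, defaultdict

QUASI_IDS = ("gender", "zip", "dob")

# Constructed "de-identified" release: no names, but the quasi-identifiers and
# the sensitive attribute (a genetic variant label) are kept.
DEIDENTIFIED = [
    {"pid": "P-001", "gender": "F", "zip": "02139", "dob": "1975-03-14", "variant": "APOE-e4"},
    {"pid": "P-002", "gender": "M", "zip": "02139", "dob": "1960-11-02", "variant": "BRCA2"},
    {"pid": "P-003", "gender": "M", "zip": "02139", "dob": "1960-11-02", "variant": "none"},
    {"pid": "P-004", "gender": "F", "zip": "10001", "dob": "1988-07-21", "variant": "HFE-C282Y"},
    {"pid": "P-005", "gender": "F", "zip": "02140", "dob": "1975-09-30", "variant": "none"},
    {"pid": "P-006", "gender": "F", "zip": "10002", "dob": "1988-01-05", "variant": "APOE-e4"},
]

# Constructed public record with names (voter roll, people-search site, ...).
PUBLIC = [
    {"name": "Alice Example", "gender": "F", "zip": "02139", "dob": "1975-03-14"},
    {"name": "Bob Sample",    "gender": "M", "zip": "02139", "dob": "1960-11-02"},
    {"name": "Carl Sample",   "gender": "M", "zip": "02139", "dob": "1960-11-02"},
    {"name": "Dana Test",     "gender": "F", "zip": "10001", "dob": "1988-07-21"},
    {"name": "Erin Test",     "gender": "F", "zip": "10001", "dob": "1988-07-22"},
    {"name": "Fay Example",   "gender": "F", "zip": "02140", "dob": "1975-09-30"},
    {"name": "Gail Test",     "gender": "F", "zip": "10002", "dob": "1988-01-05"},
]


def key(row, cols=QUASI_IDS):
    """The quasi-identifier tuple an attacker joins on."""
    return tuple(row[c] for c in cols)


def k_anonymity(rows, cols=QUASI_IDS):
    """Smallest equivalence-class size over the quasi-identifiers.

    k == 1 means at least one record has a unique combination and can be
    singled out as soon as an outside table shares those columns."""
    counts = Counter(key(r, cols) for r in rows)
    return min(counts.values())


def link(deidentified, public, cols=QUASI_IDS):
    """Join the release to the public table; {pid: [candidate names]}."""
    index = defaultdict(list)
    for p in public:
        index[key(p, cols)].append(p["name"])
    return {r["pid"]: sorted(index.get(key(r, cols), [])) for r in deidentified}


def reidentification_rate(deidentified, public, cols=QUASI_IDS):
    """Fraction of participants that map to exactly one public name."""
    matches = link(deidentified, public, cols)
    unique = sum(1 for names in matches.values() if len(names) == 1)
    return unique / len(deidentified)


def generalize(rows):
    """Coarsen the quasi-identifiers the way a more careful release would:
    postal code -> 3-digit prefix, date of birth -> birth year. Returns copies."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(DEIDENTIFIED),
          "re-identified:", reidentification_rate(DEIDENTIFIED, PUBLIC))
    for pid, names in link(DEIDENTIFIED, PUBLIC).items():
        print(" ", pid, "->", names or "no match")
    gd, gp = generalize(DEIDENTIFIED), generalize(PUBLIC)
    print("generalized: k =", k_anonymity(gd),
          "re-identified:", reidentification_rate(gd, gp))
```

On the toy data the raw release has k = 1 and four of six participants map to exactly one name, so their variant labels are now attached to identities; P-002 and P-003 survive only because two public records share their triple. After generalization every participant shares its triple with at least one other (k = 2) and no one maps to a single name. The caveat the article's own sources imply still applies: generalization only raises the cost, and every extra column a survey adds (the "300 data points" mentioned above) shrinks the equivalence classes again.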

And let us not forget the most basic risk involved in gathering important data. This article has focused on how 23andMe and other private DNA companies have chosen to use the data – probably in ways that their DNA contributing customers did not truly understand – to turn a profit for investors.  But collecting such data could have unintended consequences.  It can be lost to hackers, spies or others who might steal it for their own purposes.  It can be exposed in government investigations through subpoenas or court orders that a company is incapable of resisting.

So people planning to plaster their deepest internal and family secrets into private company databases should consider the risks that the private DNA mills don’t want you to think about.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on health data privacy, see the National Law Review Health Law & Managed Care section.

Offered Free Cyber Services? You May Not Need to Look That Gift Horse in the Mouth Any Longer.

Cyberattacks continue to plague health care entities. In an effort to promote improved cybersecurity and prevent those attacks, HHS has proposed new rules under Stark and the Anti-Kickback Statute (“AKS”) to protect in-kind donations of cybersecurity technology and related services from hospitals to physician groups. There is already an EHR exception1 which protects certain donations of software, information technology and training associated with (and closely related to) an EHR, and HHS is now clarifying that this existing exception has always been available to protect certain cybersecurity software and services. However, the new proposed rule explicitly addresses cybersecurity and is designed to be more permissive than the existing EHR protection.

The proposed exception under Stark and safe harbor under AKS are substantially similar and, unless noted, the following analysis applies to both. The proposed rules allow for the donation of cybersecurity technology such as malware prevention and encryption software. The donation of hardware is not currently contemplated, but HHS is soliciting comment on this matter as discussed below. The proposed rules also allow for the donation of cybersecurity services that are necessary to implement and maintain cybersecurity of the recipient’s systems. Such services could include:

  • Services associated with developing, installing, and updating cybersecurity software;

  • Cybersecurity training, including breach response, troubleshooting and general “help desk” services;

  • Business continuity and data recovery services;

  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;

  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or

  • Services associated with sharing information about known cyber threats, and assisting recipients in responding to threats or attacks on their systems.

The intent of these rules is to allow the donation of this cybersecurity technology and these services in order to encourage their proliferation throughout the health care community, and especially to providers who may not be able to afford to undertake such efforts on their own. Therefore, these rules are expressly intended to be less restrictive than the previous EHR exception and safe harbor. The proposed restrictions are as follows2:

  • The donation must be necessary to implement, maintain, or reestablish cybersecurity;

  • The donor cannot condition the donations on the making of referrals by the recipient, and the making of referrals by the recipient cannot be conditioned on receiving a donation; and

  • The donation arrangement must be documented in writing.

AKS has an additional requirement that the donor must not shift the costs of any technology or services to a Federal health care program. Currently, there are no “deeming provisions” within these proposed rules for the purpose of meeting the necessity requirement, but HHS is considering, and is seeking comment on, whether to add deeming provisions, which essentially designate certain arrangements as acceptable. Some in the industry appreciate the safety of knowing what is expressly considered acceptable, while others find this approach more restrictive out of fear that the list will come to be considered exhaustive.

HHS is also considering adding a restriction regarding what types of entities are eligible for the donation. Previously, for other rules, HHS has distinguished between entities with direct and primary patient care relationships, such as hospitals and physician practices, and suppliers of ancillary services, such as laboratories and device manufacturers.

Additionally, HHS is soliciting comment on whether to allow the donation of cybersecurity hardware to entities for which a risk assessment identifies a risk to the donor’s cybersecurity. Under this potential rule, the recipient must also have a risk assessment stating that the hardware would reasonably address a threat.


1 AKS Safe Harbor 42 CFR §1001.952(y); Stark Exception §411.357(bb)
2 AKS Safe Harbor 42 CFR §1001.952(jj); Stark Exception §411.357(w)(4)


©2020 von Briesen & Roper, s.c.

More on cybersecurity software donation regulation on the National Law Review Communications, Media & Internet law page.