Three Key Things in Health Care

February 3, 2021

  • Biden Administration Urges Tougher Enforcement by the federal Occupational Safety and Health Administration (OSHA) on COVID-19 Worker Safety; Calls for Consideration of Federal Emergency Temporary Standard (ETS) by March 15.  Virginia Enacts Permanent Virus Standard.
    • On January 21, President Biden signed an executive order requiring OSHA to enhance COVID-19 enforcement efforts, issue science-based guidance, and consider whether to introduce an ETS to protect workers from hazards associated with COVID-19.
    • Federal OSHA regulations do not include an infectious disease standard.  OSHA has been investigating employers’ COVID-19 risk mitigation efforts and issuing citations primarily under the General Duty Clause and the respiratory protection standard.  The General Duty Clause requires employers to maintain a workplace free from recognized hazards that are likely to cause death or serious physical harm.  COVID-19 General Duty Clause violations will be very difficult for OSHA to prove because, among other reasons, the understanding of COVID-19 transmission has continuously evolved, and establishing work-related infection is nearly impossible given asymptomatic transmission and the high rate of community spread.
    • As of January 14, 2021, OSHA had issued a total of 310 COVID-related citations, totaling $4,034,288 in penalties, to U.S. employers.  A significant number of these citations have been issued to health care providers.
    • President Biden ordered OSHA to consider implementing an ETS related to COVID-19, including the issue of masks in the workplace.  A federal ETS would allow OSHA to enforce standards related to particular COVID-19 issues not encompassed by existing standards.  For example, it could mandate physical distancing, symptom screening, contact tracing, testing, isolation, quarantine, masks and/or respirators, and enhanced ventilation.  If implemented, the rule could stay in effect for six months.
    • Some states, including Virginia, California and Michigan, already have COVID-19 emergency standards under their state OSHA plans.  States with approved state plans have the ability to enact and enforce their own workplace health and safety rules, as long as those rules are at least as effective as federal requirements.  Experience from these states suggests a federal ETS also could include mandatory reporting of a certain number of COVID-19 employee cases to OSHA (likely 3 within two weeks) and written plan and employee training requirements.  The emergency standards in place have included more burdensome requirements for employees in higher risk industries, including health care.
    • On January 27, Virginia became the first state to enact a permanent rule requiring employers to protect employees from COVID-19 at work.  The rule basically extended Virginia’s ETS until the end of the COVID-19 state of emergency, with a few minor changes.  At the end of the COVID-19 state of emergency, the Virginia Safety and Health Codes Board will consider whether the standard remains necessary.
    • The Virginia standard classifies many health care employers as “very high,” “high,” or “medium” risk employers depending on whether they care for patients with confirmed or suspected cases of COVID-19.  An employer may have more than one risk level present at the same workplace.  As a result, the Virginia standard requires health care employers to provide employees with COVID-19 specific training and includes other requirements for personal protective equipment.  It also requires employers to develop an Infectious Disease Preparedness and Response Plan.
    • Key Takeaway:  While some states have already enacted temporary workplace safety standards to address COVID-19, a federal standard is likely on the way.  Virginia already has a permanent standard and other states may follow suit without waiting for federal action.  And, with or without a federal standard, OSHA enforcement addressing perceived COVID-19 hazards is going to be much more aggressive. 
  • As the federal government and states struggle with COVID-19 vaccine shortages, distribution, and increasing frustration from the public, the U.S. Department of Health and Human Services (“HHS”) relaxes health privacy and security compliance obligations, aiming to speed up vaccine access and administration.
    • Although health privacy and security compliance is not necessarily top of mind when it comes to vaccinating the American public against COVID-19, HIPAA and HITECH compliance obligations nonetheless remain ever present, with the potential to slow the pace with which covered health care providers and their business associates can facilitate COVID-19 vaccine access and administration to the public.
    • But in a small, bright spot among many other COVID-19 vaccination challenges, the HHS Office for Civil Rights (“OCR”) announced in a January 19, 2021 Notice of Enforcement Discretion that it will not impose penalties on covered health care providers or business associates (including vendors of WBSAs, as defined below) for noncompliance with HIPAA/HITECH regulatory requirements in connection with good faith use of certain online or web-based scheduling applications used for scheduling individual COVID-19 vaccination appointments during the COVID-19 public health emergency.  The Notice has a December 11, 2020 retroactive effective date.
    • The exercise of enforcement discretion does not come without limitations.  It applies only to non-public facing online or web-based scheduling applications that provide scheduling of individual appointments for services in connection with large-scale COVID-19 vaccinations – collectively defined in the Notice as “WBSAs.”  To be considered “non-public facing” the WBSA must, as a default, allow only the intended parties (described to include a covered health care provider, individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed for technical support) to access data created, received, maintained, or transmitted by the WBSA.  Importantly, appointment scheduling technology that connects to electronic health records (“EHRs”) systems is expressly excluded from the WBSA definition.
    • Furthermore, OCR will not consider the following uses of WBSAs to be in good faith:
      • Use of a WBSA whose terms of service prohibit use for scheduling health care services or state that the WBSA may sell personal information it collects.
      • Use of a WBSA to conduct services other than scheduling individuals for COVID-19 vaccinations (the Notice provides as an example the use to determine an individual’s eligibility for vaccination).
      • Use of a WBSA without reasonable security safeguards (for example, access controls) to prevent protected health information from being readily accessed or viewed by unauthorized persons.
      • Use of a WBSA to screen individuals for COVID-19 prior to in-person health care visits.
    • Key Takeaway:  Despite its limitations, the aim of OCR’s exercise of enforcement discretion is undoubtedly to speed up COVID-19 access and administration, with HHS expressly noting that “covered health care providers need to quickly schedule large numbers of individuals for appointments for COVID-19 vaccination.”
  • Providers Taking Out PPP Loans – Another Reason to be Careful: FIRREA!
    • While providers familiar with billing governmental health care programs have long known of federal False Claims Act (FCA) risks that can arise with fraudulent or careless billing activity, the contours of those risks as they relate to accepting and using government assistance related to the COVID-19 pandemic have been slower to emerge.  Direct funding assistance to providers in the form of payments under the Provider Relief Fund (PRF) may trigger such risks if providers fail to pay careful attention to the requirements that apply to the receipt of PRF payments, their use by recipients and recipients’ reporting.  The availability of PRF payments may have led fewer providers to apply for loans under the Paycheck Protection Program (PPP), but FCA risks abound there, too.
    • Early on, we flagged the substantial FCA risks that can attend applying for federally supported loans under the PPP.  False statements and false certifications made in connection with any claim for federal funds can result in criminal prosecutions by the government, and civil actions by private whistleblowers seeking a share of FCA recoveries, which can include treble damages and hefty per claim civil money penalties.  Those severe consequences are structured to provide a substantial disincentive to would-be fraudsters by creating risks wholly disproportionate to any perceived benefit.  But it is likely that few PPP borrowers appreciated yet another source of disproportionate risk.
    • In the first civil settlement announced under the PPP borrowers were made aware of yet another reason to exercise care in seeking federal assistance related to the COVID-19 pandemic: exposure to additional penalties under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA).  In a case arising in the Eastern District of California, a PPP borrower was alleged to have made false statements on its PPP loan application by omitting facts about its having filed for bankruptcy.  In  the settlement agreement the borrower – Slide Belts, Inc. – agreed to pay a penalty of $100,000 to discharge the government’s claims, even though it had promptly repaid the $350,000 PPP loan.  Not only did the government assert violations of the FCA, Slide Belts and its CEO also were accused of FIRREA violations pushing the total amount of damages and penalties to nearly $4.2 million, a greater than 10-fold increase of the $350,000 PPP loan proceeds.
    • Key Takeaway:  The government’s use of FIRREA in this case provided substantially greater enforcement leverage in connection with a relatively small PPP loan because FIRREA’s penalty provisions run $2,048,915 per violation and up to $10,244,577 for continuing violations.  While these amounts may pale in comparison to FCA settlements involving allegations of systemic billing fraud by institutional providers, for physician practices or smaller providers or suppliers, the scale of FIRREA’s penalties is not inconsequential.  Of equal concern is that like the FCA, FIRREA also includes financial incentives for whistleblowers – a feature that dramatically increases the likelihood that fraud against the federal government will not escape detection and prosecution, be it civil or criminal.