Fox Rothschild LLP partner, William Maruca, was recently interviewed for an article in Cosmos regarding the regulatory risks to hospitals and DME suppliers who enter into arrangements to ensure that COVID-19 patients receive free home oxygen equipment.  Some hospitals have decided to take on the inherent risks in such an arrangement to address a lack of home oxygen equipment in the pandemic, so that COVID-19 patients can be discharged earlier and beds can be turned over for new patients.

Please see the full article here: Cosmos Compliance: Some Hospitals Give COVID-19 Patients Free Oxygen to Speed Up Discharge

Should you have any questions regarding these or similar arrangements from the perspective of the hospital or the DME supplier, please do not hesitate to contact William Maruca.


On January 15, 2021, the U.S. Department of Health and Human Services opened the reporting portal for individuals who had received Provider Relief Funds (PRF) from the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The portal is currently open for “registration” only. HHS has not yet set up the reporting portion of the portal and the date by which the first reports will be due is currently unknown.

Who Needs to Register?

Entities that received one or more payments which totaled more than $10,000 from the General and Targeted Distributions will need to register on the portal.

Registration is NOT required at this time for providers who received less than $10,000 total in PRF or have received PRF based on:

  • The Nursing Home Infection Control Distribution
  • The Rural Health Clinic Testing Distribution
  • Reimbursement for Testing, Treatment and Vaccine Administration
  • The Vaccine Administration Assistance Fund

What is the Deadline for Registration?

At this time there is no deadline for registration.

The previous due date for submitting documentation regarding the use of PRF was February 15, 2021. HHS is now stating that they will provide information regarding when documentation must be submitted at a “later” date.

How Do Providers Register?

Providers should go to the HHS website and register.

Some things to know about registration:

You must complete the registration process in ONE session. You cannot stop, and return to your submission. HHS is estimating that the registration process will take approximately 20 minutes.

You should have the following information available when you start the registration process:

  • Tax ID Number (TIN) (or other identifying number submitted during the application process)
  • Business name (as it appears on a W-9) of the reporting entity
  • Contact information (name, phone number, email) of the person responsible for submitting the report
  • Address of the reporting entity as it appears on a W-9
  • TIN(s) of subsidiaries (if a provider is reporting on behalf of subsidiary(ies)
  • Payment information for any of the payments received, including:
    • TIN of entity that received the payment
    • Payment amount
    • Mode of payment (check or direct deposit ACH)
    • Check number or ACH settlement date

You will also need to create a username (in the form of an email address) and create a password during the registration process.

What Happens Next?

HHS will contact providers using the email provided as part of the registration process to notify providers as to when they can begin reporting actual information related to the use of PRF funds.

Notice of Reporting Requirements

HHS has issued another Post-Payment Notice of Reporting Requirements document. For the most part, the 1/15/21 Requirements track the previously published November 2, 2020 guidance, reiterating that PRF can be used for health care related expenses, including general and administrative expenses and lost revenue.

Some items of interest include:

Lost Revenue

The 1/15/21 Requirements outline the numerous ways that providers can quantify lost revenue. The requirements are consistent with language in the recently passed Consolidated Appropriations Act, 2021.

Lost revenue can be calculated as follows:

(a) the difference between 2019 and 2020 actual patient care revenue;

(b) the difference between 2020 budgeted and 2020 actual patient care revenue as long as providers can demonstrate that the 2020 budget was established and approved by March 27, 2020.

(c) by “any reasonable method of estimating revenue.”

This catch-all provision will require a provider to describe the methodology used, explain why it is reasonable, and demonstrate how the revenue loss was attributable to COVID-19.

The 1/15/21 Requirements also state that ALL providers will need to include information regarding their actual patient care revenue in 2019 vs 2020. Even providers who can demonstrate that they used all of their PRF for health care related expenses will need to provide information regarding 2019 actual patient care revenue and 2020 actual patient care revenue.

The 1/15/21 Requirements also contemplate that providers who did not expend all their PRF by December 31, 2020 can use the PRF for covering lost revenue in 2021. Providers can calculate lost revenue for 2021 by comparing actual revenue from Quarter 1 to Quarter 2 of 2019 with actual revenue from Quarter 1 to Quarter 2 of 2021. Alternatively, providers can compare budgeted revenue from Quarter 1 to Quarter 2 of 2020 to Quarter 1 to Quarter 2 of 2021.

Parent Use of Subsidiary Funds

Also consistent with the Consolidated Appropriations Act, 2021, HHS recognizes that parents can take Targeted Distribution funds received by one subsidiary and provide those funds to another subsidiary. However, providers who transfer targeted distribution funds will have an increased likelihood of an audit.

HHS plans to offer Question & Answer Sessions via webinars in advance of the reporting deadline and additional information will be provided in the HHS Provider Relief Fund FAQ document.

This post is a courtesy of Fox Rothschild attorney Mark Tabakman, Esq., and was first published on Fox’s Wage & Hour – Developments and Highlights Blog.  It is particularly relevant for health care providers that automatically deduct lunch breaks from their employees’ wages:

The health care industry seems to be ground zero for a particular kind of class action lawsuit.  Many of these health care institutions have policies where a thirty-minute lunch period is automatically deducted from the daily scroll of hours.  This is quite understandable, from an operational perspective, as it usually is difficult for employees to go to their time clock, punch out and then back in for lunch.  Although this facilitates operational efficiency, it also leads to allegations that employees supposedly worked through lunch and were not paid.  Then, a class action ensues.

The latest example of this is a group of nurses who have received conditional certification for a class in a FLSA collective action based on the theory that they took their lunch breaks when they really worked.  The case is entitled Hamid et al. v. The Chester County Hospital and was filed in federal court in the Eastern District of Pennsylvania.

Securing conditional certification in a class action suit is often not that hard, as only a modest showing of commonality has to be made.  In approving the request for conditional certification, the Judge agreed that the named plaintiff showed sufficient commonality with other workers, concluding she had the same job duties and same kind of claims as the other hourly nurses at the Hospital.  He concluded that “Hamid has provided some evidence, beyond mere speculation, of a ‘factual nexus’ between defendants’ pay and break structure policy for Hamid and defendant’s pay and break structure policy for other nurses.”

The lawsuit charged that the hospital automatically deducted break times from employee wages notwithstanding that the employees duties’ prevented them from taking their breaks.   A second theory of the lawsuit is the employer’s alleged failure to include weekend premium pay, e.g. shift differentials, when computing overtime pay.   Under the FLSA regulations, these kinds of extra payments must be included when the employer calculates overtime.

The Judge noted that the plaintiff had presented sufficient evidence to meet the “lenient” standard for conditional certification.  This low standard necessitates that the named plaintiff must demonstrate a “factual nexus” between the application of the employer’s policy to not only the named plaintiff but to the co-workers allegedly affected in the same manner.  The Judge concluded that the employer’s pay and break policies applied to all workers, causing them to not receive all of the wages to which they were entitled .  The Judge also found that the named plaintiff had made “a modest showing” that she worked under the same terms and conditions of employment as the other employees.  Thus, a class, at this time, was appropriate.

The Takeaway

The concept of a fail-safe mechanism is critical.  Any employer who utilizes an automatic deduction system for lunches, which is quite legal, must ensure that there is some way for employees who ostensibly work through lunch to report that missed lunch.  Then, the employer can pay for the time if it deems it was properly worked.  That way, if the employee does not use the reporting system and then files a suit for wages, he is put on the defensive as to why he did not use the reporting mechanism.

And, there is no (good) answer to that for an employee…

This post is a courtesy of Fox Rothschild attorney Mark Tabakman, Esq., and was first published on Fox’s Wage & Hour – Developments and Highlights Blog.  It is particularly relevant for health care providers that enter into staffing services arrangements with vendors:

In FLSA cases, plaintiff lawyers are always looking for a deep pocket and one of the avenues they use towards this “goal” is the joint employer doctrine.  That doctrine allows more than one employer to be liable for employee damages (e.g. overtime, back wages) if the employers are found to co-determine employee terms and conditions of employment.  In a recent Third Circuit case involving the health care industry, a panel has reversed a lower court ruling that found two entities were not a joint employer meaning that this company now has to defend the collective action allegations of unpaid overtime.  The case is entitled Talarico v. Public Partnerships LLC and issued from the Court of Appeals for the Third Circuit.

The Court found that Public Partnerships, LLC (PPL) set rules for a group of Direct Care Workers (DCWs), established their working conditions

Copyright: rmarmion / 123RF Stock Photo

and maintained their employment records, all indicators of a joint employer relationship.  In the end, it was a factual question for a jury.  The Court observed that “whether PPL is Talarico’s employer is a genuine dispute as to a material fact because the evidence — viewed in the light most favorable to the nonmoving party, Talarico — does not so favor PPL that no reasonable juror could render a verdict against it.”  PPL provided “financial management services” to entities who participated in Medicaid’s Home and Community-Based Services waiver program.  It must be noted that the joint employer “problem” is prevalent in the health care industry, where many different agencies and entities work together to provide care.

The suit alleged that overtime was only paid to these direct care workers when they worked in excess of forty hours for a single client.  When they worked for more than one client, and their hours added up to more than forty, they were only paid straight time.  The lower court Judge applied the four-factor test adopted by the Third Circuit in 2012 decision and noted that the documents “all state that the [participant-employer] is the employer of the DCW, not PPL.”  On appeal, the appellate panel that two of these factors militated a conclusion that the entities were a joint employer.

The Third Circuit identified those “bad” factors as “the alleged employer’s authority to promulgate work rules and assignments and to set the employees’ conditions of employment: compensation, benefits, and work schedules, including the rate and method of payment,” and “the alleged employer’s actual control of employee records, such as payroll, insurance, or taxes.”  The Court also noted that “although the participants select the specific wage rate for their DCWs, PPL caps the maximum rate DCWs may receive based on the commonwealth’s reimbursement rate.  In addition to this cap, PPL requires DCWs and the participants to submit time sheets, which PPL then reviews before paying the DCWs.”  The Court also found that PPL had the “authority to hire and fire the relevant employees” and PPL played a role in “day-to-day employee supervision, including employee discipline.”

The Takeaway

Health care employers are, I believe, particularly at risk in these joint employer cases.  Health care entities often utilize many staffing or other agencies for personnel and the lines of supervision can grow blurry, which may impel a joint employer finding.  The strategy here is to engraft into any vendor or other commercial agreement specifically demarcated lines of independence that seal off, to as large an extent as possible, the putative joint employer from making any decisions into the terms and conditions of employment of the workers at issue.  In other words, the employer can draft its way out of a problem.


This post is authored by Catherine Wadhwani, Partner and Co-Chair of the firm’s Immigration Practice Group.  The post first appeared on Fox’s Immigration View Blog:

We hear the reports daily.  COVID-19 cases are spiking nationwide.  Hospitals and health care facilities are at maximum capacity.  Even with progress toward the availability of a vaccine, it’s not clear exactly when things will return to a state of normalcy.  Health care employers in many areas of our country continue to have difficulty recruiting physicians to meet patient needs. With the ongoing pandemic, this is more urgent than ever.

One option that may help health care employers when a US physician cannot be recruited is J-1 Waiver sponsorship of an international medical graduate.  Barring unusual circumstances, J-1 waiver sponsorship should result in a full-time employment contract with a highly qualified international medical graduate for a period of 3 years.

For eligible employers, sponsoring a J-1 Exchange Visitor physician who is completing graduate medical education and training in the US is done by filing an application with an appropriate government agency, often a state health department.  Most employer-sponsored J-1 Waiver applications are filed by healthcare providers that are located in Health Professional Shortage Areas (HPSAs) or Medically Underserved Areas (MUAs) or that treat underserved patient populations.  This includes the Conrad 30 J-1 waiver program in which all 50 states participate.  There are also a few region-specific waiver programs such as that of ARC (Appalachian Regional Commission) and the DRA (Delta Regional Authority), and waiver applications can be filed with HHS (Health and Human Services), among other agencies.

“J-1 Waiver Season” generally begins on October 1st with the start of the federal government’s fiscal year.  A few states have already received the currently permissible 30 waiver applications per fiscal year to close out their Conrad 30 programs until next October.  Many other Conrad programs and agencies continue to accept J-1 waiver applications so if you are a health-care employer in need, it may not be too late.

Sponsorship of a foreign national physician through the J-1 Waiver process can help meet patient demand and provide consistency of care over the 3-year commitment period.  Further, during the 3-year period, the physician may become well established in an area and agree to stay beyond the 3-year commitment.  This can greatly benefit an underserved patient population and bring much-needed relief to over-burdened providers.

To learn more about sponsoring a J-1 Exchange Visitor physician for a waiver, please contact me directly with inquiries at or 412-394-5540.

Catherine Wadhwani is a Partner and Co-Chair of the Immigration Practice Group at Fox Rothschild LLP.  For more than 25 years, her practice has focused on business immigration law and compliance, primarily in the health care, general corporate and academic sectors.  Ms. Wadhwani’s practice covers the United States and Consulates worldwide.  She is based in our Pittsburgh, Pennsylvania office.  

Please contact Ms. Wadhwani at  or 412-394-5540.

Earlier this week, the Office of Inspector General OIG issued a Special Fraud Alert (Alert) on speaker programs by pharmaceutical and medical device companies in connection with the Federal Anti-Kickback Statute. In the Alert, the “speaker programs” are defined as company-sponsored events at which a health care professional makes a speech or presentation to other health care professionals about a drug or device product or a disease state on behalf of the company. In these scenarios, the company generally pays the health care professional speaker and provides remuneration (such as free meals) to the attendees. In the last three years, drug and device companies have reported paying nearly $2 billion to health care providers for speaker-related services.

In the Alert, the OIG highlighted it is skeptical of the educational value and intent of these speaker programs when there are numerous other ways for health care professionals to obtain information about products and disease states that do not involve remuneration, such as online resources, package inserts, third party educational conferences and journals.

The Alert also provided a number of factors that could evidence improper intent, including, but not limited to:

  1. The company sponsors speaker programs where little or no substantive information is actually presented;
  2. Alcohol is available or a meal exceeding modest value is provided to the attendees of the program (the concern is heightened when the alcohol is free);
  3. The program is held at a location that is not conducive to the exchange of educational information (e.g., restaurants or entertainment or sports venues);
  4. The company sponsors a large number of programs on the same or substantially the same topic or product, especially in situations involving no recent substantive change in relevant information;
  5. There has been a significant period of time with no new medical or scientific information nor a new FDA-approved or cleared indication for the product;
  6. Health care professionals attend programs on the same or substantially the same topics more than once (as either a repeat attendee or as an attendee after being a speaker on the same or substantially the same topic);
  7. Attendees include individuals who don’t have a legitimate business reason to attend the program, including, for example, friends, significant others, or family members of the speaker or health care professional attendee; employees or medical professionals who are members of the speaker’s own medical practice; staff of facilities for which the speaker is a medical director; and other individuals with no use for the information;
  8. The company’s sales or marketing business units influence the selection of speakers or the company selects health care professional speakers or attendees based on past or expected revenue that the speakers or attendees have or will generate by prescribing or ordering the company’s product(s) (e.g., a return on investment analysis is considered in identifying participants);
  9. The company pays health care professional speakers more than fair market value for the speaking service or pays compensation that takes into account the volume or value of past business generated or potential future business generated by the health care professionals.

In the conclusion of the Alert, the OIG reasoned the Alert is not intended to discourage meaningful health care provider education, but rather to highlight certain inherent risks.

As a result of this Alert, drug and device companies and health care providers should consider the risks when assessing whether to offer, pay, solicit, or receive remuneration related to speaker programs.

Should you have any questions regarding the Alert, any member of Fox Rothschild LLP’s Health Law Group would be happy to assist you.

On October 28th, the Federal Bureau of Investigation, the Department of Health and Human Services, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency alerted hospital administrators and security researchers about a “credible threat” of cyberattacks to American hospitals.  Four hundred American hospitals are being targeted in cyberattacks by the same Russian hackers whom American officials and researchers fear sought to cause problems with the presidential election.[1] The ubiquitous integration of medical devices throughout the hospital network environment provides a potential portal for cyberattacks by these and other criminals, which risk is increased during a pandemic. Hospital systems should consider cyberattacks on medical devices as a serious and evolving threat, and consult with legal counsel, insurance advisors and other experts to plan how to mitigate this threat going forward.

The Problem with Medical Devices

The problem with medical devices lies in their interconnectivity with the hospital’s information technology networks (“ITN”), which exposes the hospital’s ITN to vulnerabilities that exist in the medical device and its software. Presently, medical devices are deployed to fully leverage its connectivity to seamlessly integrate with the hospital’s ITN. Exacerbating the level of risk exposure is the exponential growth in the use of medical devices within the hospital. It is estimated that there are 10 to 15 million medical devices used in hospitals throughout the United States. On average, there are approximately 10 to 15 medical devices per bed.[2] The use of these medical devices and their linkage with the ITN of the hospital has transformed the delivery of health care, and improved patient safety and patient care. Connected medical devices are vital to care. They facilitate the collection and maintenance of important health data, provide greater patient mobility and independence, and facilitate care.

What is a Medical Device?

A medical device is defined by the Food and Drug Administration as:

  • an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is:
    • recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;
    • intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or
    • intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”[3] (Emphasis added)


In short, a medical devices is a device that is intended to diagnose, cure, mitigate, treat, or prevent a disease in man or other animals.

Why are Medical Devices Particularly Vulnerable to Cyberattack?

Many medical devices were designed for stand-alone use, and not to be utilized in a connected environment. They were created to be unidirectional. Many were manufactured to be used right out of the box. Therefore, they were not intended to be protected from cyberattacks. In addition, the medical devices may contain outdated operating system or software. Also, they may lack timely software updates or patches. All of these weakness create a fertile environment for experienced hackers.

Who Would Want to Perpetrate a Cyberattack upon a Hospital, and Why?

The question then arises, who would want to infiltrate a hospital’s ITN? What would be their motives? There are a number of cyber-players who may wish to breach the hospital’s ITN. They include, but are not limited to the following: criminals, nation-state attackers, and hackers furthering a political or social cause. Most of the cyber-players who target hospitals have a financial motivation, such as to extort money for holding a hospital’s ITN hostage. Some wish to sell or use patient information for their own financial gain. Other cyber-players solely seek to disrupt the hospital and cause chaos to further their nation’s interests or to make a statement.

What Harm can a Cyberattack cause to a Hospital?

A cyberattack can result in an array of adverse consequences for the hospital. The following are some examples of the harm that a cyberattack could cause:

  • The attack could result in disruptions in patient care;
  • The attack could distort the reliability of the information that the hospital relies upon for care;
  • The attack could cause a loss and/or theft of patient information; and
  • The attack could paralyze the use of the hospital’s ITN.

Why are Hospitals More Vulnerable During this Time of COVID?

The COVID-19 pandemic has created the perfect opportunity for cyber attackers to exploit the vulnerabilities existent with some connected medical devices. In April, Interpol issued an alert warning that, since the beginning of the pandemic, it noticed a significant upsurge in detected cyberattacks on health systems.[4] This threat is aggravated by health care providers having an increased need for both medical devices and temporary external hospital facilities during the pandemic.

What Preventive Measures can a Hospital Undertake? What Potential Barriers Confront the Hospital in Implementing Such Measures?

The hospital should consider the following preventive measures:

  • Maintain a current inventory of the types of connected medical devices and where they are located within the facility;
  • Identify areas of vulnerability;
  • Isolate the systems that connect to medical devices;
  • Create additional local and segregated networks, as needed; and
  • Stress-test the connected medical devices.

Cost is a major barrier to some of these measures. Additionally, the existing capacity of the hospital’s ITN may also serve as a barrier.

In the final analysis, there is no risk-free cyber environment. The hospital must determine its risk appetite in consideration of the benefits offered by connecting medical devices to its ITN with its inherent vulnerabilities.  Hospitals should also consult regularly with their legal counsel, insurance advisors and experts to plan for and address the risks associated with their ITN, including those related to the use of medical devices.

Please do not hesitate to contact us to discuss how your hospital or health system can better prepare for the liability that can arise from cyberattacks.

[1]New York Times, Officials Warn of Cyberattacks on Hospitals as Virus Cases Spike, October 28, 2020,

[2] IBM Institute for Business Value, Treating Healthcare Cybersecurity Woes,

[3]  FDA Medical Device Overview,

[4] Medtechdive, Coronavirus chaos ripe for hackers to exploit medical device vulnerabilities, April 8, 2020,


An additional $20 billion in “Provider Relief Funds” is being made available pursuant to the Coronavirus Aid, Relief, and Economic Security (CARES) Act through a “Phase 3” General Distribution. However, time is running out for health care providers to apply to the U.S. Department of Health and Human Services for these funds. The application deadline for what may be the final round of relief funds is November 6 at 11:59 pm ET.

Who Can Apply?

Phase 3 of the General Distribution allows health care providers who did not begin operation until after January 1, 2020 to apply for funds and allows health care providers who have already received payments equaling 2% of patient revenue to receive additional funds.

On October 22, HHS announced that additional providers, such as residential treatment facilities, chiropractors, and eye and vision providers that have not yet received Provider Relief Fund distributions, are also eligible to receive funds from this last distribution.

When Will Distributions Be Made?

HHS intends to issue Phase 3 – General Distribution payments as soon as practical following the November 6, application deadline. Entities that have not yet received 2% of annual revenue from patient care will be first to receive funds from the Phase 3 General Distribution.

The Phase 3 final payment amounts for applicants that have already received payments equaling 2% of annual patient care revenue will be determined once all applications have been received and reviewed.

How Will HHS Calculate 2% of Annual Revenue for Providers in Operation Less Than a Year?

Providers that began providing patient care in 2020 will be paid approximately 2% of patient care revenue based on the applicant’s reported financial information for those months in 2020 that they were in operation.

HHS has also stated that it may consider data from the same type of provider as the applicant when assessing the amount to be paid. However, no additional details have been provided at this time regarding how that assessment of similar providers will be utilized to assess funds to be received.

How Will Distributions Over 2% Of Annual Revenue Be Calculated?

The Phase 3 General Distributions will also take into account the financial impact of COVID-19 on individual providers and assess whether additional funds should be distributed to certain providers. The actual additional amount to be received will depend in part on the CARES Act funds available after the Phase 3 General Distribution to those that have not yet received an amount equivalent to 2% of annual revenue.

In assessing whether to award a provider additional funds over the 2% annual revenue amount, HHS will consider: (1) a provider’s change in operating revenue from patient care; (2) a provider’s change in operating expenses from patient care, including coronavirus expenses, and (3) payments received by the provider as part of previous Targeted Distributions.

Additional Considerations

  • Providers that are newly eligible for receipt of funds, such as those that did not operate until after January 1, 2020, should submit their TIN for validation as soon as practical in order to ensure that they can submit an application before the November 6 deadline.
  • Providers that previously submitted applications will need to submit a new application to receive additional funds.
  • Providers must agree to certain Terms and Conditions related to the use of funds.
  • Providers receiving more than $10,000 must meet certain Reporting Requirements. See HHS Sets Reporting Deadlines for CARES Act Provider Relief Funds 

Providers are encouraged to start the application process as soon as possible so as to not miss out on what may be the last general distribution of funds.

On October 2, 2020, Health and Human Services (HHS) Secretary, Alex M. Azar II, announced the renewal of the public health emergency declaration due to the continued consequences of the COVID-19 pandemic. The 90-day renewal is effective October 23, 2020, and extends until January 20, 2021.

The renewal impacts a number of regulatory flexibilities and temporary rules applicable to health care providers including, but not limited to, 1135 Waivers, HIPAA enforcement discretion, and fraud and abuse enforcement discretion – all of which are effective only for the duration of the public health emergency.

  1. 1135 Waivers

Section 1135 of the Social Security Act grants HHS the power to waive and/or modify certain federal healthcare requirements during a federal emergency to (i) ensure individuals enrolled in Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP) have sufficient access to health care items and services and (ii) protect health care providers furnishing such items and services in good faith during emergency conditions against penalties for noncompliance.

Presently, HHS and the Centers for Medicare and Medicaid Services (CMS) have issued numerous “blanket” waivers and state-specific Medicaid waivers in connection with the COVID-19 public health emergency (including waivers related to sanctions under the physician self-referral law (Stark Law) for COVID-19 purposes).

These waivers afford health care providers enhanced flexibility with regard to Medicare telehealth services, waive certain physician hospital privilege requirements/credentialing process requirements, and suspend many reporting requirements.

  1. HIPAA Enforcement Discretion

The HHS Office of Inspector General (OIG) has issued various guidance providing for OIG enforcement discretion with regard to certain provisions of HIPAA (e.g., privacy, security, and breach notification rules) as it relates to permissible telehealth practices, business associates making disclosures for public health purposes, and community-based testing sites (CBTSs).

Note that in conjunction with the relaxation of certain federal HIPAA privacy and security rules during the public health emergency, health care providers should continue to be cognizant of compliance with other applicable state privacy laws to the extent they are still in effect.

  1. Fraud and Abuse Enforcement Discretion

In connection with applicable HHS waivers, the HHS Office of Inspector General (OIG) has issued guidance relaxing the imposition of administrative sanctions under the Anti-Kickback Statute and Stark Law for certain COVID-19 response activities (see also this OIG Policy Statement regarding physicians and other practitioners that reduce or waive amounts owed by federal health care program beneficiaries for telehealth services during the public health emergency).

Note that HHS retains the discretion to terminate the public health emergency at any time and is not required and/or obligated to extend the present declaration beyond its January 20, 2021 expiration. Accordingly, health care providers should be mindful of termination, expiration, and renewal timelines applicable to COVID-19 related emergency measures, which could immediately eliminate current regulatory flexibilities (such as the ones discussed herein).

If you have any questions regarding the COVID-19 public health emergency, the regulatory flexibilities and temporary rules applicable to health care providers, or anything related thereto, please do not hesitate to contact us.

In 2016, the Obama Administration issued a regulation implementing Section 1557 of the Affordable Care Act (ACA) (the 2016 Rule), which redefined sex discrimination to include termination of pregnancy and gender identity. Despite efforts by the U.S. Department of Health and Human Services (HHS) to repeal and revise certain provisions of the 2016 Rule through a new Rule, a NY Federal Court issued a preliminary injunction on August 17, 2020 against the new Rule from becoming effective.

Section 1557 of the ACA is a civil rights provision that prohibits discrimination on the basis of race, color, national origin, sex, age, or disability by providers that receive federal funding.

Notably, the 2016 Rule redefined discrimination “on the basis of sex” to include “discrimination on the basis of pregnancy, false pregnancy, termination of pregnancy, or recovery therefrom, childbirth or related medical conditions, sex stereotyping, and gender identity.” The 2016 Rule defines “Gender identity” as “one’s internal sense of gender, which may be male, female, neither, or a combination of male and female.”

Pursuant to a Press Release issued on June 12, 2020, HHS announced it had a finalized a rule (the 2020 Rule) that revised certain provisions of the 2016 Rule. Of note, the 2020 Rule returns “to the government’s interpretation of sex discrimination according to the plain meaning of the word “sex” as male or female and as determined by biology.” The 2020 Rule was to become effective as of August 18, 2020.

On August 17, 2020, the U.S. District Court for the Eastern District of New York issued a preliminary injunction staying the 2020 Rule’s repeal of the definition of “on the basis of sex”, in a case involving two transgender women who filed their suit in an effort to prevent implementation of the 2020 Rule. In the case (Asapansa-Johnson Walker v. Azar), the two women allege health care providers previously discriminated against them based on their transgender status.

In light of the above, health care providers should continue to take proactive steps to implement policies regarding discrimination on the basis of sex (including, but not limited to, gender identity sensitivity).  In addition, health care providers should educate and train physicians and staff on the importance of gender identity sensitivity and preventing discrimination in the workplace.

If you have any questions regarding the above, such as the implementation of effective protocols and policies to prevent workplace discrimination, please do not hesitate to contact us.