“The No Surprises Act” a/k/a “The Act that Continues Surprising Providers”

Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

The No Surprises Act (the “Act”) continues muddling through its implementation period. We have discussed the Act in prior posts, and most recently on March 8, 2022. The surprises have continued, with new updates coming out almost daily! There has been legal movement as health care providers and facilities (collectively, “Providers”) have brought lawsuits against the Departments of Health and Human Services (“HHS”), Labor, and Treasury, and the Office of Personnel Management (collectively, “Departments”).  In addition, the Centers for Medicare & Medicaid Services (“CMS”) issued answers to new frequently asked questions (“FAQs”). Continue Reading

Common Errors in State Licensing Applications

Posted in Government Affairs, Licensure & Regulatory, Healthcare Law

As a condition of doing business in the healthcare field, persons and companies must generally obtain the appropriate licenses or approvals. In addition to requirements that apply to all businesses, such as registering corporate entities with the Secretary of State or obtaining local business licenses known as business tax receipts, there are also substantive requirements that vary based on the type of services to be provided. To properly assess whether a person or a company meets the minimum substantive qualifications for licensure, state agencies require the submission of license applications. These applications request information on topics such as education, training, experience, and financial requirements. Continue Reading

Help Wanted: OCR Seeks Public Input on “Recognized Security Practices” and Sharing Settlements with Harmed Individuals Under the HITECH Act

Posted in Healthcare Law, HIPAA, Privacy, and Data Security

Covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have the chance to provide input on two amendments to the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently issued a Request for Information (“RFI”) seeking public input regarding:

  1. How covered entities and business associates (collectively, “regulated entities”) are voluntarily implementing “recognized security practices” as identified in the HITECH Act and demonstrating how such practices are in use throughout the organization.
  2. The types of harms that should be considered in distributing civil monetary penalties (“CMPs”) and monetary settlements to harmed individuals and potential methodologies for sharing and distributing CMPs and settlement funds to harmed individuals.

We discuss the two topics covered in the RFI in more detail below.

Recognized Security Practices

The HITECH Act was amended effective January 5, 2021 (“Amendment”) to require that HHS consider whether a regulated entity has adequately demonstrated that it had in place for at least the previous twelve months “recognized security practices.” The existence of those recognized security practices may mitigate potential fines, result in early termination of audit activities, and mitigate other remedies that might be agreed to in resolving potential violations of the HIPAA Security Rule following an investigation, compliance review, or audit. The goal of the Amendment is to encourage regulated entities to do “everything in their power to safeguard patient data.”

The Amendment defines “recognized security practices” as:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Notably, the HITECH Act does not require regulated entities to implement recognized security practices, nor does it specify how regulated entities should select which category of recognized security practices to implement. However, to be considered for mitigation of fines and other remedial requirements, organizations must be able to demonstrate that they have fully implemented the recognized security practices for the preceding twelve months. Simply providing initial documentation of the adoption of the security practices is insufficient. Rather, the regulated entity must demonstrate that such practices and procedures have been in continuous operation for at least twelve months. The statute does not specify what triggers the beginning of the twelve-month look-back period.

The RFI requests that regulated entities provide input to OCR regarding their voluntary implementation of recognized security practices, including addressing the following questions:

  • What recognized security practices have regulated entities implemented and what recognized security practices do regulated entities plan to implement?
  • What standards, guidelines, and procedures developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
  • What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
  • What other programs and processes that address cybersecurity (besides those developed under section 2(c)(15) of the NIST Act or section 405(d) of the Cybersecurity Act of 2015) and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
  • What steps do covered entities take to ensure that recognized security practices are in place?
  • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise and what constitutes implementation throughout the enterprise?
  • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

Notably, in the RFI OCR refers to “regulated entities” in the first four questions and “covered entities” in the last three questions above.  Based on the full text of the RFI, it is unclear why OCR appears to limit the last three requests to covered entities and exclude business associates.

Sharing Civil Monetary Penalties and Settlements with Individuals

The HITECH Act also requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. The methodology must be based on recommendations submitted by the General Accounting Office (“GAO”). OCR must base its determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. Under the HIPAA Enforcement Rule, OCR may consider physical harm, financial harm, reputational harm, and harms that hinder one’s ability to obtain health care as aggravating factors in assessing a CMP or proposed settlement amount. However, the HITECH Act does not define “harm” generally nor the specific types of harm that OCR may consider in assessing CMPs or settlement amounts. How OCR ultimately defines what constitutes compensable harm could have far-reaching consequences beyond enforcement of HIPAA.

The GAO has recommended that OCR consider three models for the methodology to distribute a portion of CMPs and settlement amounts to individuals:

  • The Individualized Determination Model, where the plaintiff bears the burden of proof with respect to the harm suffered by the plaintiff and the liability incurred by the defendant;
  • The Fixed Recovery Model, where awards are either fixed or calculated by a formula established by law; and
  • The Hybrid Model, which combines elements of the Individualized Determination Model and the Fixed Recovery Model.

To assist it in evaluating the methodologies recommended by the GAO, OCR seeks input from all stakeholders regarding:

  • How to define “harm,” including what constitutes compensable harm for violations of HIPAA and whether harm should include non-economic harms such as emotional harm;
  • What bases should be used for deciding which injuries are compensable;
  • What factors should be considered in establishing a methodology for calculating the amount to be set aside for distribution to individuals;
  • Whether there are circumstances in which funds should not be set aside for distribution to individuals; and
  • How to provide notice to affected individuals that monetary distribution may be available.

HIPAA covered entities, business associates, and other stakeholders that want to respond to one or both topics in the RFI must submit comments to OCR by June 6, 2022.  While OCR assesses how it will respond to comments, covered entities and business associates should consider: (i) implementing recognized security practices; and (ii) how they will document that such practices are in continuous use throughout the organization to avail themselves of the mitigation afforded by the Amendment.  Covered entities and business associates should consult healthcare attorneys for assistance in this analysis.

UPDATE: No Surprises Here – Portions of the No Surprises Act Regulations Invalidated

Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

The No Surprises Act (the Act) continues to bump through its initial implementation phase. As we discussed in our prior blog, out-of-network physicians and facilities (OON Providers), and their allies, are pushing back against portions of the recently issued interim final rule with comment period (the Interim Rule). Most recently, they succeeded in doing so when the Texas Medical Association, a trade association representing more than 55,000 physicians, and Dr. Adam Corley filed and won a lawsuit against the Departments of Health and Human Services (HHS), Labor, and Treasury, and the Office of Personnel Management (collectively, the Departments). The plaintiffs successfully argued that the Interim Rule unfairly protects group health plans and health insurance issuers (collectively, Plans) to the detriment of patients and OON Providers. Continue Reading

Healthcare Discrimination Based on Disability – Still Prohibited in the Pandemic!

Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

It may seem as though the pandemic is coming to an end, but while COVID cases are declining,  they have not ceased. As the pandemic continues, the Department of Health and Human Services (HHS) Office for Civil Rights issued new guidance on February 4, 2022 to remind healthcare providers that federal disability laws remain in place.

The new guidance recognizes that during a public health emergency, such as the one caused by the pandemic, when resources can be scarce, individuals with disabilities may be victims of healthcare rationing. So HHS reminds providers that Section 504 of the Rehabilitation Act (Section 504) and Section 1557 of the Affordable Care Act (Section 1557) (collectively, the Anti-Discrimination Laws) both prohibit discrimination on the basis of disability. These Anti-Discrimination Laws require healthcare providers who receive HHS funds to ensure individuals with disabilities are not excluded from services, programs, or activities on the basis of disability. Continue Reading

Florida Continues Pursuit of Improved Patient Safety

Posted in Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

Florida is continuing its efforts to improve patient safety in hospitals and ambulatory surgical centers (ASCs).  The Florida Legislature previously approved a requirement that hospitals and ambulatory surgical centers (ASCs) conduct patient safety surveys and tasked the Agency for Health Care Administration (AHCA) with implementing a rule specifying the submission process for these surveys.  AHCA’s proposed rule (Proposed Rule) was announced on November 4, 2021.

Continue Reading

CMS Is Here To Help Healthcare Entities Comply with Its Vaccination Rule

Posted in Healthcare Law, Hospitals & Health Systems, Physicians

The Centers for Medicare and Medicaid Services (“CMS”) recently published an infographic to help Medicare and Medicaid facilities and providers determine if they or some members of their workforce are subject to the Omnibus Health Care Staff Vaccination Interim Final Rule (“Vaccine Rule”).  CMS has also issued FAQs to assist healthcare providers in assessing whether they are subject to the Vaccine Rule and if so, what they must do to comply with it.  The FAQs were most recently updated as of January 20, 2022 and are available here. Medicare- and Medicaid-certified providers and suppliers are encouraged to monitor further compliance guidance from CMS.

Surprised Providers Seek Changes to Latest Provisions of the No Surprises Act

Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

Effective January 1, 2022, new billing protections went into effect that have the goal of providing greater protections for patients against surprise medical bills. As we discussed in our prior blog, the Departments of Health and Human Services, Labor, and Treasury, and the Office of Personnel Management (collectively, the Departments) implemented these additional protections that are part of the No Surprises Act as an interim final rule with comment period (Interim Rule).  Unfortunately, many healthcare providers are concerned the new provisions unfairly protect group health plans and health insurance issuers (collectively, Plans) to the detriment of patients and out-of-network physicians and facilities (Out-of-Network Providers).

The majority of the criticism against the Interim Rule focuses on the creation of a federal Independent Dispute Resolution (IDR) process. The IDR process provides a method for Plans and Out-of-Network Providers to determine the out-of-network rate for applicable items or services after an unsuccessful open negotiation. Once an IDR entity is selected, the parties must each submit to the IDR entity their offers for payment along with supporting documentation. The IDR entity uses that information to determine the appropriate out-of-network amount.

The IDR entity is required to begin with the presumption that the qualifying payment amount (QPA) is the appropriate amount.  In general, the QPA is the Plan’s median contracted rate for the same or similar service in the specific geographic area.  This presumption is the basis of the controversy as the Out-Of-Network Providers deem a Plan’s median contracted rate to be an inappropriate starting point.

The American Hospital Association, the American Medical Association, and other co-plaintiffs (collectively, the Plaintiffs) filed a complaint in the United States District Court for the District of Columbia on December 9, 2021, arguing that the IDR process deviates from the original law.  The Plaintiffs support the goal behind the IDR, which was to bring both parties to the table and allow them to present relevant information to support their payment offers.  The lawsuit challenges the way the Interim Rule “undermines the independence of the IDR process and the fairness of the No Surprises Act by severely tilting the scales towards the QPA.” The Plaintiffs ask the court to set aside the requirement that the arbitrators use a presumption in favor of the QPA, arguing that the requirement is contrary to law and in excess of the Departments’ statutory authority. On January 7, 2022, the Physician Advocacy Institute, 16 state medical associations, and nine national medical specialty societies, filed an amicus brief supporting the Plaintiffs’ lawsuit.

Others are also pushing back against the Interim Rule.  On November 5, 2021, a bipartisan group of 152 House members wrote the Secretaries of the Departments, urging them to amend the IDR process.  The letter provides: “This directive establishes a de-facto benchmark rate, making the median in-network rate [the QPA] the default factor considered in the IDR process. This approach is contrary to statute and could incentivize insurance companies to set artificially low payment rates, which would narrow provider networks and jeopardize patient access to care – the exact opposite of the goal of the law. It could also have a broad impact on reimbursement for in-network services, which could exacerbate existing health disparities and patient access issues in rural and urban underserved communities.”

There certainly is more to come on this as the lawsuit moves forward.  Out-of-Network Providers must remember that, for the time being, the IDR process must be followed in accordance with the Interim Rule.  To assist Out-of-Network Providers who feel the presumption in favor of the QPA will unfairly harm them and patients, we outline the factors the Interim Rule details as those that will be considered by the IDR entity when deciding whether the QPA is the appropriate out-of-network amount.

The IDR entity will consider the following credible information when determining if the information submitted by an Out-of-Network Provider clearly demonstrates that the QPA is materially different from the appropriate out-of-network rate for the item or service:

  • The QPA failed to take into account the experience or level of training of the Out-of-Network Provider that was necessary to provide the items or services to the patient;
  • The Plan has a majority of the market share in the geographic region where the items or services were provided (e.g., a Plan having the majority of the market share in a geographic region may establish that the QPA is unreasonably low, as Plans with a large market share could drive down rates);
  • The patient acuity or the complexity of furnishing the item or service to the individual is an outlier because the intensity of care exceeded what is typical for the particular service code or modifier, thereby helping to establish that the QPA does not adequately take the case’s complexity into account;
  • The teaching status, case mix, and scope of services of the out-of-network facility was critical to the delivery of the item or service (e.g., a hospital’s trauma level certification may be considered when the item or service involves trauma care that could not be performed at a lower-level hospital, but only if the QPA does not already account for this factor);
  • The Out-of-Network Provider made good-faith efforts to enter into a network agreement with the Plan and, if applicable, the contracted rates between the Out-of-Network Provider and the Plan during the previous four Plan years (e.g., the IDR entity may consider what the contracted rate might have been had the Out-of-Network Provider and the Plan entered into a network agreement);
  • Any additional information submitted by the Out-of-Network Provider, to the extent the information is credible and relates to the offer submitted by either party.

We are available to Out-Of-Network Providers seeking guidance regarding adhering to the IDR process.

Hot off the Press! The OIG Revises its Self-Disclosure Protocol for the First Time in Several Years

Posted in Fraud & Abuse & False Claims Act, Health Care Providers, Hospitals & Health Systems, Medicare & Medicaid

For the first time since 2013, on November 8, 2021, the Department of Health and Human Services Office of Inspector General (“OIG”) updated its Health Care Fraud Self-Disclosure Protocol (“SDP”). The updated SDP makes several important revisions and clarifications that directly impact providers and suppliers who seek to self-disclose potential violations of healthcare fraud statutes to the government.

Importantly, the OIG emphasized that the benefits of such self-disclosure remain intact: Continue Reading

Biden Administration Unveils Long-Awaited COVID-19 Rules For Large Employers and Healthcare Workers

Posted in Health Care Providers, Healthcare Law, Healthcare Litigation, HIPAA, Privacy, and Data Security, Hospitals & Health Systems

The wait is over for employers seeking clarity on the details of the Biden Administration’s vaccine and testing rules for private employers, first announced by President Biden in early September and now slated to take effect alongside federal contractor vaccine requirements on January 4, 2022.

The first rule, issued by the Occupational Safety and Health Administration (the “OSHA Rule”), will require private employers with 100 or more employees to ensure that each of their workers is either fully vaccinated, or tests negative for COVID-19 at least once per week.  The second rule, issued by the Centers for Medicare & Medicaid Services (the “CMS Rule”), will require healthcare workers at facilities participating in Medicare and Medicaid to be fully vaccinated.  Unlike the OSHA Rule, the CMS Rule does not include a weekly testing option.

The rules represent a significant and long-anticipated step in the Biden Administration’s efforts to boost lagging vaccination rates across the country.  The Biden Administration anticipates that the OSHA Rule will cover approximately 84 million employees, whereas the CMS Rule will cover approximately 17 million workers at about 76,000 healthcare facilities across the country.

A summary of the newly released rules follows.

The OSHA Rule

The stated purpose of the OSHA Rule is to “establish minimum vaccination, vaccination verification, face covering, and testing requirements to address the grave danger of COVID-19 in the workplace, and to preempt inconsistent state and local requirements relating to these issues, including requirements that ban or limit employers’ authority to require vaccination, face covering, or testing, regardless of the number of employees.”


The OSHA Rule covers all private employers with 100 or more full- and part-time employees, except for workplaces covered by CMS Rule, or workplaces covered by the Biden Administration’s earlier requirements for federal contractors.  Employees who do not report to a workplace where other individuals, such as coworkers or customers, are present are exempted from coverage – an exemption which could lead employers to reevaluate whether to continue remote working practices.  Also exempted are employees of covered employers who exclusively work from home, or who work exclusively outdoors.

Vaccination Requirement and Verification

Vaccination Requirement

The OSHA Rule requires employers to establish, implement, and enforce a written mandatory vaccination policy requiring employees to be fully vaccinated unless “the employer establishes, implements, and enforces a written policy allowing any employee not subject to a mandatory vaccination policy to either be fully vaccinated against COVID-19 or provide proof of regular testing for COVID-19 . . . and wear a face covering.” The OSHA Rule defines a “mandatory vaccination policy” to require vaccination of all employees, including new employees as soon as practicable, other than for employees for whom: (i) a vaccine is medically inadvisable; (ii) medical necessity requires a delay; or (iii) there is a legal entitlement to a reasonable accommodation under federal civil rights laws due to a disability or sincerely held religious belief, practice, or observance.

An employee is considered “fully vaccinated” two weeks after completing primary vaccination with a COVID-19 vaccine with, if applicable, at least the minimum interval between doses as recommended by the CDC, World Health Organization (“WHO”), or if administered as a part of a clinical trial.  An employee also is considered fully vaccinated two weeks after receiving the second dose of a combination of two doses of approved or authorized COVID-19 vaccines.  In this latter case, the second dose must be at least 17 days after the first dose.


It is the employer’s responsibility to determine the vaccination status of each employee.  Specifically, employers must require each vaccinated employee to provide “acceptable proof” of their vaccination status, including whether they are fully or partially vaccinated.  The following is considered acceptable proof of vaccination status:

  1. A record of immunization from a healthcare provider or pharmacy;
  2. A copy of the COVID-19 Vaccination Record Card;
  3. A copy of medical records documenting the vaccination;
  4. A copy of immunization records from a public health, state, or tribal immunization information system; or
  5. A copy of any other official documentation that contains the type of vaccine administered, date(s) of administration, and the name of the healthcare professional(s) or clinic site(s) administering the vaccine or vaccines.

An employee who is unable to produce such acceptable proof may instead produce a signed and dated statement that: (1) attests to their full or partial vaccination status; (2) attests that they have lost or are otherwise unable to produce acceptable proof of their vaccination status; and (3) includes language declaring the veracity of his or her attestation, and acknowledging that knowingly providing false information may subject the employee to criminal penalties.  Employees providing such statements in lieu of other acceptable proof should, to the best of their recollection, also disclose the type of vaccine administered, the date(s) of administration, and the name of the administering healthcare professional(s) or clinic site(s).

For the purposes of the OSHA Rule, employees not following these verification requirements are to be treated as not fully vaccinated, and thus, can be kept from the worksite.

Employers are Responsible for Allowing Time and Paid Leave for Vaccination and Recovery

Employers are required to provide a reasonable amount of time for employees to receive each vaccination dose, and offer up to four hours of paid time (including travel time) at the employee’s regular rate of pay for that purpose.  Employers also must provide reasonable time and paid sick leave for employees to recover from side effects from any vaccination dose.


Employers are to maintain a record of each employee’s vaccination status, and acceptable proof of vaccination (as defined above) for each fully or partially vaccinated employee.  These records must be maintained in a “roster” of each employee’s vaccination status, which should be considered employee medical records and generally should not be disclosed.

Alternative Testing and Face Covering Requirements

The OSHA Rule exempts employers from its mandatory vaccination policy only if the employer “establishes, implements, and enforces a written policy allowing any employee not subject to a mandatory vaccination policy to choose either to be fully vaccinated against COVID-19 or provide proof of regular testing for COVID-19.”  Such employees also must wear an adequate face covering in the workplace.


There are separate testing requirements for non-fully vaccinated employees depending on the frequency that they report to a workplace where other individuals, such as coworkers or customers, are present.  Employees who are present at such a workplace at least once every seven days must be tested for COVID-19 at least once per week, and must provide documentation of their most recent test result no later than every seven days.  Employees who do not report to such a workplace at least once a week (such as an employee who teleworks for two weeks before reporting to the workplace) must be tested within seven days prior to returning to the workplace, and must provide documentation of their test results upon their return.

A self-administered and self-read test does not satisfy OSHA’s testing requirements unless the employee takes the test under the employer’s observation, or the observation of an authorized telehealth proctor.

Face Covering

Employees who are not fully vaccinated are required to wear appropriate face coverings when indoors and when occupying a vehicle with another person for work purposes.  However, employees need not wear face coverings under certain delineated circumstances, including:

  1. When alone in a room with a closed door and floor to ceiling walls;
  2. For a limited time while eating or drinking at the workplace, or to comply with safety and security requirements;
  3. When wearing a respirator certified by the National Institute for Occupational Safety and Health, or approved facemask;
  4. Where the employer can show that a face covering is infeasible or would create a greater hazard that would excuse compliance (e.g., where it is important to see an employee’s mouth for job-related purposes, or where a face covering presents a “risk of serious injury or death” to the employee).

Employers are not Required to Pay for Tests or Face Coverings

The OSHA Rule does not require employers to pay for any costs associated with testing or face coverings unless otherwise required by state or local laws, or in labor union contracts.  However, employers may voluntarily choose to cover such costs.  The OSHA Rule also does not address whether time spent going for a test is compensable.  Thus, employers should expect that the FLSA (and any applicable state wage and hour laws) will govern with respect to whether that time must be paid.

Failure to Provide Satisfactory Documentation

Employees who do not provide acceptable documentation of a COVID-19 test result must be removed or kept from the workplace until an acceptable test result is provided.

Positive Test Results

If an employee tests positive for COVID-19 (or is diagnosed with COVID-19 by a licensed healthcare provider), employers must not require further testing for 90 days following the date of the positive test or diagnosis.  OSHA explained that the intention of this provision was to counter the “high likelihood of false positive results” following a recent infection.  Practically, it appears that this means that an unvaccinated person who has been diagnosed with COVID-19 may be kept out of the workplace for a significant period of time.


Similar to the recordkeeping requirements for vaccinations, employers must maintain a record of each COVID-19 test result submitted by an employee.  Those results are considered employee medical records and generally should not be disclosed.

Reasonable Accommodations for Disabilities or Sincerely Held Religious Beliefs

Despite the foregoing requirements, the OSHA Rule acknowledges that workers may nevertheless be entitled to a reasonable accommodation from their employer under federal law, such as the Americans with Disabilities Act (“ADA”) and Title VII of the Civil Rights Act of 1964 (“Title VII”), unless such accommodation would result in undue hardship for the employer.

Thus, for example, a worker may be entitled to a reasonable accommodation under the ADA if he or she cannot be vaccinated or wear a face covering due to a disability.  Similarly, a worker may be entitled to a reasonable accommodation if a vaccination, test, or face covering conflicts with such worker’s sincerely held religious belief, practice, or observance.   The OSHA Rule does not address whether an employer may be required, depending on the specific circumstances, to pay for testing as a reasonable accommodation.  For more information on handling requests for religious exemptions from mandatory vaccination policies see our previous blog post.

Notice to Employees

Covered employers must inform each employee about the provisions of the OSHA Rule, as well as any policies and procedures established to implement it.  Additionally, employers must provide the document, “Key Things to Know About COVID-19 Vaccines” to employees.

Employers also must inform employees that they cannot be discharged or discriminated against for reporting work-related injuries or illnesses, and that they cannot be discriminated against for exercising their rights under the OSHA Rule.

Reporting Requirements

Employers must report to OSHA each work-related COVID-19 fatality, within eight hours of learning of the fatality, and each work-related COVID-19 in-patient hospitalization, within 24 hours of learning of the hospitalization.

When evaluating whether a fatality or in-patient hospitalization is the result of a work-related case of COVID-19, employers must follow the criteria in OSHA’s recordkeeping regulation for determining work-relatedness.  In other words, employers must consider a case of COVID-19 work-related if an event or exposure in the work environment “either caused or contributed to the resulting condition or significantly aggravated a pre-existing injury or illness.”  Further, work-relatedness is generally presumed for illnesses resulting from events or exposures in the work environment.


Non-compliant employers are subject to possible fines, up to $13,653 per serious violation.  If the violation is willful, penalties can be up to $136,532.

Compliance Dates

As noted above, testing for unvaccinated workers will begin after January 4, 2022. Employers must comply with all other requirements under the OSHA Rule – for example, providing paid time for employees to be vaccinated and masking for unvaccinated workers – by December 5, 2021.

The CMS Rule

The CMS emergency regulation, titled the CMS Omnibus COVID-19 Health Care Staff Vaccination Interim Final Rule with Comment Period (“CMS Rule”), requires Medicare and Medicaid-certified facilities to quickly develop and implement policies and procedures to ensure that their staff are fully vaccinated for COVID-19 by January 4, 2022, unless an individual is exempted.  CMS explained it is issuing the rule as an emergency regulation because any delay in implementation would result in additional deaths and serious illness among healthcare staff and patients, further worsening the ongoing strain on healthcare providers.  The CMS Rule is effective immediately upon publication, November 5, 2021, though CMS will accept public comment until January 4, 2022.  The details of CMS’ emergency regulation follow below.

What facilities are subject to the CMS Rule?

The CMS Rule applies to the following Medicare and Medicaid-certified providers and suppliers:

  • Ambulatory Surgery Centers,
  • Community Mental Health Centers,
  • Comprehensive Outpatient Rehabilitation Facilities,
  • Critical Access Hospitals,
  • End-Stage Renal Disease Facilities,
  • Home Health Agencies,
  • Home Infusion Therapy Suppliers,
  • Hospices,
  • Hospitals,
  • Intermediate Care Facilities for Individuals with Intellectual Disabilities,
  • Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services,
  • Psychiatric Residential Treatment Facilities (PRTFs) Programs for All-Inclusive Care for the Elderly Organizations (PACE),
  • Rural Health Clinics/Federally Qualified Health Centers, and
  • Long Term Care facilities, including nursing homes.

The CMS Rule does not apply to Religious Nonmedical Health Care Institutions (RNHCIs), Organ Procurement Organizations, and Portable X-Ray Suppliers.

Who within a covered facility must be vaccinated?

Within a given facility, the CMS Rule applies to all current staff as well as any new staff who provide any care, treatment, or other services for the facility and/or its patients. Thus, the vaccine requirement covers staff who perform patient care services outside the four walls of a facility, e.g., home health workers seeing patients in their home.  The requirement also includes facility employees, licensed practitioners, students, trainees, and volunteers as well as individuals who provide care, treatment, or other services for the facility and/or its patients under contract or other arrangements. CMS clarifies that the scope of the Rule includes “administrative staff, facility leadership, volunteer or other fiduciary board members, housekeeping and food services, and others.”

Also, while physician practices are not covered by the CMS Rule because they are not a Medicare or Medicaid-certified provider or supplier, physicians and other clinicians who have staff privileges and admit and/or treat patients in a hospital are subject to the vaccination requirement. CMS also notes that health care providers who are not subject to the CMS Rule may still be subject vaccine requirements under other laws and regulations such as the OSHA Rule, the Executive Order on Ensuring Adequate COVID Safety Protocols for Federal Contractors, or state laws.

The vaccination requirements do not apply to staff at covered facilities who exclusively provide telehealth or telemedicine services outside of the facility setting and who do not have any direct contact with residents and other staff. The requirements also do not apply to staff providing support services for the facility that are performed exclusively outside of the facility setting and who do not have any direct contact with residents and other staff, e.g., individuals who provide services 100 percent remotely and who do not have any contact with any patients or other staff.

When is a staff member fully vaccinated under the CMS Rule?

Generally, an individual is considered to be fully vaccinated fourteen (14) days after the first dose of a one-dose vaccine or fourteen (14) days after the last dose of a multi-dose vaccine.  However, under the CMS Rule, facility staff who receive the second dose of a two-dose vaccine or the first dose of a one-dose vaccine by January 4, 2022 will be considered as satisfying the vaccination requirement.

What is required of covered facilities?

Covered facilities must establish a policy or process to ensure that all eligible staff are vaccinated against COVID-19.  Specifically, facilities must ensure that all applicable staff have received the first dose of a two-dose COVID-19 vaccine or a one-dose COVID-19 vaccine before providing any care, treatment, or other services by December 5, 2021. All eligible staff must be fully vaccinated by January 4, 2022. Third doses and booster vaccines are not currently required by the CMS Rule.  As noted above, unlike the OSHA Rule, the CMS Rule does not provide a testing option for those staff who are unvaccinated and do not qualify for an exemption.  CMS considered daily or weekly testing of unvaccinated individuals but rejected that option because it “reviewed the scientific evidence on testing and found that vaccination is a more effective infection control measure.”  However, providers are welcome to submit comments on this decision.

Facilities must also develop policies and procedures that provide exemptions to the vaccine requirement for staff with recognized medical conditions for which vaccines are contraindicated or religious beliefs, observances, or practices that prohibit vaccination.  In the Rule and in FAQs, CMS signals that facilities are not to liberally grant exemptions.  For example, no exemption should be provided to any staff unless the ADA or Title VII require one, and staff requests for an exemption solely to avoid vaccination should be denied.  Also, as described below, CMS is very specific about the documentation that must be provided to support an exemption based on a medical condition.


As noted above, the CMS Rule is effective upon publication on November 5, 2021, though there is a phased implementation.  Phase 1 is effective December 5, 2021 (30 days after publication) and consists of the requirements that (i) all staff have received, at a minimum, a single dose COVID vaccine or the first dose of a multi-dose COVID-19 vaccine, or have requested and/or been granted a lawful exemption, prior to staff providing any care, treatment, or other services for the facility and/or its patients, and (ii) all covered facilities have developed and implemented the required policies and procedures (see below).  Phase 2 is effective January 4, 2021 and consists of the requirement that all staff be fully vaccinated (see discussion below) except for those who received an exemption or for those for whom the vaccine must be temporarily delayed due to clinical precautions or considerations, as recommended by the CDC.

Required policies

Covered facilities must implement policies that provide a process for:

  • ensuring that all eligible facility staff have received at least a single dose COVID-19 vaccine or the first dose of a multi-dose vaccine prior to the staff providing any care, treatment, or services for the facility and/or its patients;
  • ensuring that all staff, except those are granted exemptions as described below, are fully vaccinated for COVID-19;
  • ensuring implementation of additional precautions to mitigate the transmission and spread of COVID-19 for all staff who are not fully vaccinated;
  • tracking and securely documenting the COVID-19 status of all staff, including any staff who receive any booster doses as recommended by the CDC;
  • requesting an exemption from the vaccine requirement based on applicable Federal law;
  • tracking and securely documenting information provided by staff members who request, and for whom the facility grants, an exemption from the COVID-19 vaccination requirements;
  • ensuring that all documentation supporting staff requests for medical exemptions from vaccination is signed and dated by a licensed practitioner (who is not the individual requesting the exemption) and further ensuring that such documentation:
  • specifies which of the authorized COVID-19 vaccines are clinically contraindicated for the staff member to receive and the recognized clinical reasons for the contraindications and
  • includes a statement by the authenticating practitioner recommending that the staff member be exempted from the facility’s COVID-19 vaccination requirements for staff based on the recognized clinical contraindications;
  • ensuring the tracking and secure documentation of the vaccination status of staff for whom COVID-19 vaccination must be temporarily delayed due to clinical precautions and considerations, as recommended by the CDC,; and
  • contingency plans for staff who are not fully vaccinated for COVID-19.

In implementing the policies described above, particularly those addressing exemptions from the vaccine requirement, covered facilities must also comply with federal laws governing anti-discrimination and civil rights protection, such as the ADA, Title VII, and GINA.  However, when granting exemptions or accommodations based on disability, medical condition, or sincere religious belief, employers must ensure that they minimize the risk of transmission of COVID-19 to at-risk individuals, consistent with their obligation to protect the health and safety of patients.

Many facilities should be able to leverage their existing policies and procedures regarding safeguarding employee medical information and handling requests for medical or religious accommodations in implementing the CMS Rule.


Notably, the new vaccine requirement is a Condition of Participation, Condition for Coverage, or Requirement for Participation, as applicable, for covered facilities.  CMS will enforce the vaccine requirements through its established survey and enforcement processes, with the goal of bringing health facilities into compliance rather than punishing them.  CMS expects state surveyors to assess all facilities for the vaccine requirements during standard recertification surveys and to assess staff vaccination status on all complaint surveys.  Accrediting organizations will also have to update their survey processes to include the new vaccine requirement in their assessments.

Providers and suppliers who do not comply with the requirements will be cited by a surveyor and afforded the opportunity to become compliant before additional action is taken.  Nursing homes, home health agencies, and hospice facilities that do not come into compliance could face civil monetary penalties, denial of payment, and even termination from the Medicare program.  Non-compliant hospitals and certain acute and continuing care providers could be terminated.

Interaction with other laws

In what appears to be acknowledgement of likely challenges to the vaccine requirement by some states, CMS says that under the Supremacy Clause of the U.S. Constitution, the emergency regulation preempts any state law to the contrary.  CMS also acknowledges that there are several regulations and other authorities imposing vaccine mandates that could simultaneously apply to healthcare providers.  For facilities that are certified under the Medicare and Medicaid programs and are regulated by the CMS Conditions of Participation, Conditions for Coverage, and Requirements for Participation, the CMS Rule takes precedence over other federal vaccine requirements.


Although these rules almost certainly will be subject to significant pushback and legal challenges, the prevailing view following a series of failed efforts to challenge vaccine mandates is that such mandates are permissible.  Covered employers should therefore immediately begin preparing for the December 5th and January 4th deadlines by creating and implementing written mandatory vaccination and/or testing policies and communicating such policies to their employees. Of course, your Akerman counsel can assist you with these policies.