Volume 18 | June 2021

As the attorneys at Chilivis Grubman have discussed previously, the federal government released a massive wave of funds under the CARES Act in response to the COVID-19 pandemic, including more than $100 billion under the Provider Relief Fund. Providers that have accepted Provider Relief Fund payments must attest to complying with a lengthy list of Terms and Conditions, including an obligation to submit documentation to substantiate that funds were used for healthcare-related expenses or lost revenues attributable to coronavirus. 

The Department of Health and Human Services (HHS) has not released any formal rulemaking on the appropriate use of Provider Relief Funds (which would require notice and an opportunity to comment on proposed rules), but rather maintains a webpage of Frequently Asked Questions (FAQs) to provide sub-regulatory guidance. HHS also released a Post-Payment Notice of Reporting Requirements in July 2020 and updated those requirements on January 15, 2021.

On Friday, June 11, 2021, HHS released an updated Post-Payment Notice of Reporting Requirements (Post-Payment Notice) and simultaneously modified several FAQs on the CARES Act Provider Relief Fund. HHS also states that the reporting portal will be open for providers to start submitting information on July 1, 2021.   

Post-Payment Notice

The Post-Payment Notice outlines the data elements that providers who have received Provider Relief Fund Payments (exceeding $10,000 in the aggregate) will be required to report during the applicable “Reporting Time Period.” The Post-Payment Notice’s guidelines are more detailed than prior iterations, and include new tables outlining the deadline for the use of funds and the applicable “Reporting Time Period,” depending on when the Provider Relief Fund Payments were received. The summary table is located at the end of this article.

Notably, it appears that providers may be required to report in each applicable “Reporting Time Period” during which the provider received one or more payments exceeding $10,000 in a “Payment Received Period.” What this practically means is, if a provider received funds both before and on/after July 1, 2020, it may not be able to cumulatively report on all funds received in one single report.

In addition, for Provider Relief Fund payments received during the first two phases of the General Distribution (before July 1, 2020), the deadline for the use of such funds is still June 30, 2021, but the deadline on reporting on the use of such funds has been extended to September 30, 2021.

FAQ General Terms and Conditions Updates

This most recent round of updates to the HHS Provider Relief Fund FAQs include the following general terms and conditions:

Is there a set period of time in which providers must use the funds to cover allowable expense or lost revenues attributable to COVID-19?

  • Response: Yes. HHS notes that Provider Relief Fund recipients must use funds appropriately within a period of 12-18 months, depending on the date the funds were received. HHS refers to the summary chart (included at the end of this article) to assist with determining the deadline. 

  • HHS also states that recipients may use funds for eligible expenses incurred prior to the date the funds were received, however “it would be highly unusual for providers to have incurred eligible expenses prior to January 1, 2020.”  

  • Of note, HHS has reserved the right to audit Provider Relief Fund recipients “now or in the future” and asserts that it has authority to recoup any Provider Relief Fund amounts that are not supported by “documented expenses or losses attributable to coronavirus or not used in a manner consistent with the program requirements or applicable law.”  

In order to accept a payment, must the provider have already incurred eligible expenses and losses higher than the Provider Relief Fund payment received?

  • Response: Per HHS, no. A provider does not have to prove that their losses related to the pandemic meet or exceed their Provider Relief Fund payment at the time the payment is received, but they will be required to report on the use of all received payments (and will be subject to audit).

What should providers do if they have remaining Provider Relief Fund money that they cannot expend on permissible expenses or losses by the relevant deadline?

  • Response: Per HHS, any providers with remaining Provider Relief Fund amounts that cannot be used for permissible expenses or losses by the deadline must return the funds to HHS. 

  • HHS again reiterates that “HHS is authorized to recoup any Provider Relief Fund amounts that were made in error or exceed lost revenue or expenses due to COVID-19, or in cases of noncompliance with the Terms and Conditions.”

HHS also added several new FAQs and modified existing FAQs under the Auditing, Use of Funds, Supporting Data, Change of Ownership, Non-Financial Data, and Miscellaneous subsections.  

The past 18 months have been particularly challenging for employers navigating the pandemic, and as more employees get vaccinated and return to work in-person, the challenges will continue. While the vaccine roll-out is promising for a return to normalcy, employers are now struggling with new questions: Can an employer ask about an employee’s “vaccine status?” Can an employer require employees to be vaccinated? What steps should an employer take to protect employees from COVID-19, and will that differ between vaccinated and non-vaccinated individuals? 

Federal regulators have released new and updated guidance on the issue over the past couple of weeks to assist employers with these questions, though the appropriate response from an employer will depend on the employer’s industry and potentially the employer’s location. 

OSHA Update

On Monday, June 21, 2021, the Occupational Safety and Health Administration (OSHA) published its new COVID-19 Emergency Temporary Standard (ETS) in the Federal Register. The ETS contains new requirements for employers in healthcare settings. On June 10, OSHA also released guidance for employers in non-healthcare settings. 

Key Points

  • Application is limited. The ETS applies to employers in healthcare settings only, and the additional guidance for employers in non-healthcare settings is not mandatory – but still important to consider when updating policies for returning to in-person work. OSHA has released a flow chart to help employers determine whether the ETS applies.  

  • Employers in the healthcare setting have a deadline to comply.  The ETS is lengthy, detailed, and effective immediately on Monday, June 21, 2021, when the rule was published in the Federal Register For most requirements, the deadline will be 14 days after publication (July 6, 2021). For other requirements, it will be 30 days after publication (July 21, 2021). Employers in the healthcare setting should begin preparing to comply with the ETS now. OSHA will have discretion on whether to enforce the ETS against employers who are making a good faith effort to comply. 

  • Vaccine-status plays a role for employers in a non-healthcare setting.  The ETS does not address whether an employer in the healthcare setting can require employees to get the vaccine. However, the guidance for employers in a non-healthcare setting provides that most employers do not need to enforce COVID-19 control measures (like masks and social distancing) for most fully vaccinated workers. This presents some interesting issues and challenges for those employers who may have both fully vaccinated and non-vaccinated workers in the workplace.  

EEOC Update

On May 28, 2021, the U.S. Equal Employment Opportunity Commission (EEOC) posted updated and expanded guidance, which is the first comprehensive update of EEOC guidance since the end of 2020, when vaccines first became broadly available. The new guidance discusses how the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) apply in the context of COVID-19 and in considering the new vaccines. 

Key Points:

  • With certain limitations, an employer can lawfully require its employees to obtain a COVID-19 vaccination as a condition to returning to in-person work.  If an employer takes this approach, it must apply the policy in a non-discriminatory manner and be conscious of the impact the policy may have on certain categories of protected workers. The employer must also make reasonable accommodations for employees who have not been vaccinated because of a disability or sincerely held religious beliefs, practices, or observances. 

  • Watch for Updates. The EEOC has indicated that this new guidance was prepared before the CDC’s updated stance that masks and social distancing are no longer required for individuals that are fully vaccinated.

  • The EEOC’s guidance is limited to the application of federal civil rights laws. Employers should also be aware of state or local laws that may limit the EEOC guidance’s application or would otherwise alter the employer’s approach.

Chilivis Grubman News
FREE Webinars

Chilivis Grubman offers FREE on-demand webinars on various legal and compliance matters. Access the free webinars here.
Events & Presentations

Last week, Chilivis Grubman partner Scott Grubman spoke at the annual meeting of the American Society of Interventional Pain Physicians (ASIPP) in New Orleans, on HIPAA; specifically, HHS-OCR's Right of Access Initiative as well as responding to a ransomware attack.

On July 23, Scott will be moderating a panel on healthcare fraud & abuse topics for the Georgia Academy of Healthcare Attorneys, for which he serves on the Board. You may register here.

There are very few events in the world that are truly make-or-break. One example is winning or losing a limited license or government contract in a highly lucrative industry. Another example is the job interview to get your dream job. But one of the prime examples of a make-or-break situation is the outcome of a clinical trial for a life sciences company. If the outcome is positive, the company could grow and potentially see exponential growth in stock prices. If the outcome is negative, the company could fail, and the stock price could plummet. How does one with knowledge of the outcome refrain from acting on it? Under the securities laws, insiders and people learning information from insiders are prohibited from trading securities while that information is not public. But for some, the temptation to prevent a massive loss can be too much to resist.

On June 7, the Securities and Exchange Commission announced that it had charged two individuals with insider trading based on non-public information concerning the outcome of a clinical trial. One of the individuals was overseeing a clinical drug trial for the drug company formerly known as Neuralstem Inc. and learned that the results of the trial were not favorable. The SEC alleges that the insider informed an acquaintance of the results. Further, the acquaintance is alleged to have tipped off his uncle. Both men sold their stock that day. The next day, after the negative results of the trial were announced, Neuralstem’s stock dropped by approximately 50%. That acquaintance allegedly sold his shares ahead of the announcement, avoiding a loss of $103,875, while his uncle avoided a loss of $14,434. The insider and her acquaintance were charged with insider trading and agreed to a consent judgment requiring the acquaintance to pay $222,184 and the insider to pay $103,875.  

Deputy AG Issues New Guidance Regarding Ransomware and Digital Extortion

In recent years, the United States has seen a rapid increase in major incidents of cybercrime directed at individual citizens, businesses, and government entities. One of the many forms of cybercrimes levied against these groups has been ransomware attacks. Ransomware attacks consist of a criminal or group of criminals eliminating access to a victim’s files or systems. This is usually achieved by using malware to encrypt the digital assets. The group then holds the files or system hostage until the victim pays the ransom. This is often coupled with the threat that, if the ransom is not paid, files will be destroyed or released to the public. In 2018, the City of Atlanta suffered a ransomware attack in which the attackers demanded payment of $51,000 in Bitcoin. The city refused to pay the ransom, suffered the destruction of years of files, and incurred millions of dollars in expenses to address cyber security issues. Most recently, Colonial Pipeline suffered a ransomware attack that left the pipeline shut down, resulting in gas shortages throughout the southeastern U.S. Colonial eventually paid a ransom of $4.4 million to have access restored. Colonial Pipeline is one of the most high-profile and expensive ransomware attacks in history. Following this attack, many called for renewed efforts to combat cybercriminals throughout the world.

On June 3, Deputy Attorney General Lisa Monaco issued new “Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion.” The guidance was issued to ensure coordination between the many divisions within the Department of Justice (DOJ) and emphasized the need to utilize all of the assets available to DOJ to combat ransomware and digital extortion. The guidance creates new notice requirements for U.S. Attorney’s Offices (USAOs). USAOs are required to inform the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and the National Security & Cyber Crime Coordinator for the Executive Office for United States Attorneys (EOUSA) of the opening of, or any new developments in, cases involving ransomware, digital extortion, or illicit infrastructure used to facilitate those acts. USAOs are also required to notify CCIPS and EOUSA whenever they become aware of any new ransomware attack or instance of digital extortion.
The guidance provides further requirements regarding coordination with CCIPS and clarifies that CCIPS is responsible for cases across the DOJ that involve ransomware, digital extortion, or illicit infrastructure. CCIPS will track developments in cases and coordinate with USAOs conducting investigations. The guidance reiterates the mandate that USAOs consult with CCIPS with respect to charging decisions under the Computer Fraud and Abuse Act. USAOs are also required to coordinate public statements regarding these cases with CCIPS. The guidance demonstrates an increased focus on cybercrime within the DOJ, and the effort to coordinate investigations and prosecutions with an office that specializes in cybercrimes is likely to result in investigations that are simultaneously more efficient and more thorough.  

On June 2, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced another settlement of an enforcement action in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. This is the nineteenth settlement so far under the initiative.

This most recent settlement arose from a patient complaint filed in August 2019, alleging that a West Virginia provider failed to provide a copy of a minor child’s protected health information (PHI) in a designated record set to the child’s parent. Following the complaint, the OCR initiated an investigation and determined that the provider potentially violated HIPAA’s right of access standard. 

The HIPAA right of access standard can be found at 45 CFR §164.524, and generally provides that a HIPAA covered entity must provide individuals, upon request, with access to PHI about the individual maintained by the covered entity in one or more designated record sets. An individual’s personal representative (which would be any person with authority under state law to make health care decisions for the individual, like the parent of a minor), also has the right to access an individual’s PHI, upon request, consistent with the scope of such representation (see 45 CFR §164.502(g)).

As a result of the OCR investigation, the provider agreed to pay $5,000 to settle a potential violation of HIPAA’s right of access standard. In addition to the penalty, the provider agreed to take corrective actions including two years of monitoring. The provider ultimately provided a copy of the child’s records in May 2021, nearly two years after the parent’s initial request.  

Key Takeaways:

  • Do not underestimate frustrated patients.

  • Patients do not have a private right of action under HIPAA. However, they can and will file a complaint with the OCR, and the OCR can and will take action on legitimate complaints. The HIPAA right of access standard is currently a key enforcement priority.

  • Make sure staff is familiar with HIPAA rights regarding access to health records, not just requirements restricting disclosure of PHI.

  • Provider staff often understand the restrictive components of HIPAA very well, but sometimes may take HIPAA too far. Staff should have a deep understanding of the statute’s full requirements, including certain rights patients have to access records timely and at a reasonable cost. And in cases where the staff may have questions, they should know to reach out to the provider’s active and trained HIPAA compliance officer.  
  • It is far more affordable to implement an effective HIPAA compliance program and to train and support a HIPAA compliance officer than to put an effective HIPAA compliance program in place retroactively.

  • While the cost of the settlement may seem small in this case, the overall cost of the HIPAA complaint is not limited to the assessed penalty. An investigation can result in legal fees in navigating the investigation, disruptions to the provider’s operations during the investigation, and the cost of implementing a corrective action plan (including monitoring for two years) after the settlement. 

"History, despite its wrenching pain, cannot be unlived, but if faced with courage, need not be lived again."

Maya Angelou

Since the beginning of the COVID-19 pandemic, Chilivis Grubman attorneys have written about the temporary expansion of telehealth services and related increased government scrutiny. In March 2020, the Trump administration announced that Medicare providers could use certain telehealth technologies with no penalties, provided blanket HIPAA waivers, and announced that qualifying telehealth services were reimbursable by Medicare. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it would exercise its enforcement discretion and waive potential penalties for HIPAA violations related to using telehealth technologies. OCR also provided guidance related to its enforcement discretion.

While telehealth rapidly expanded under the government’s temporary emergency declarations and enforcement discretions, so did the potential for fraud and abuse. For example, the U.S. Department of Justice (“DOJ”) announced “Operation Brace Yourself,” where 24 people were charged in connection with an alleged scheme involving telemedicine and durable medical equipment.  

On May 26, 2021, the DOJ announced “first in the nation” charges related to a telehealth scheme during the COVID-19 pandemic. According to the press release, Michael Stein, an owner of a consulting company, and Leonel Palatnik, an owner of testing laboratories “allegedly exploited temporary waivers of telehealth restrictions enacted during the pandemic by offering telehealth providers access to Medicare beneficiaries for whom they could bill consultations.” According to the government, some consultations billed to the government did not occur. In exchange for the telehealth leads, the providers agreed to refer patients to Mr. Palatnik’s laboratories for medically unnecessary cancer and cardiovascular genetic testing, according to the government.  

Besides telehealth enforcement, the government’s announcement also discussed the third Provider Relief Fund (“PRF”) related indictment, which comes less than two months from the government’s second PRF related indictment. According to the press release, Petros Hannesyan, an owner of a home health agency, allegedly obtained and misappropriated over $229,000. The government also alleged that Mr. Hannesyan submitted false loan information and documents to the government as part of the scheme.  

The PRF has billions in allocations and reimburses eligible providers for healthcare-related expenses and lost revenue attributable to COVID-19. Chilivis Grubman attorneys have cautioned providers on government enforcement efforts related to the PRF and COVID-19 aid. Audits and enforcement actions will continue, as evidenced by HHS’ Office of Inspector General updating its Work Plan to include audits of PRF distributions.

On May 28, the U.S. Department of Justice issued a press release addressing President Joe Biden’s submitted budget request for Fiscal Year 2022. The request included $35.3 billion in funding for the Department of Justice. The budget reflects some of the changes in priority from the Trump Administration to the Biden Administration. DOJ’s press release highlighted 9 areas of focus that are set to receive increased funding – international and domestic terrorism, gun violence, civil rights, gender-based violence, criminal justice reform, law enforcement community relations, environmental justice, reduction of the immigration backlog, and cyber investigations and security. Notably, the press release does not reflect an increased emphasis on white-collar enforcement, which would normally be expected with the transition to a Democrat administration.

DOJ’s press release emphasized an increase in the threat of domestic terrorism, but said that it remains steadfast in its duty to help combat the threat of international extremist organizations. The budget request seeks increased funding for the FBI, USAOs, and U.S. Marshalls to investigate and prosecute both domestic and international terrorism. The press release further elaborated on its focus on civil rights. The budget request seeks the re-establishment of the Office for Access to Justice and an increase in funding for the Civil Rights Division. Specifically, DOJ noted its efforts to protect voting rights and the prosecution of hate crimes, especially those driven by the COVID-19 pandemic.

The Department highlighted $1.3 billion to support law enforcement agencies, programs that support community-oriented policing, and training for law enforcement on racial profiling, de-escalation, and the duty to intervene. With regard to environmental enforcement, DOJ signaled its commitment to President Biden’s Executive Order 14008, “Tackling the Climate Crisis at Home and Abroad.” The press release indicated there would be increased funding “to reduce greenhouse gas emissions and address the impacts of climate change . . .” Finally, DOJ highlighted its efforts to reduce a backlog in immigration applications, including asylum claims. The budget provides for 100 additional Immigration Judges and attorneys and support staff to assist them. The request also creates a program to support legal representation for immigrant children and families seeking asylum. These areas of focus largely align with the expected shift in priorities between the Trump Administration and the Biden Administration.
SEC Awards Whistleblower $18 Million

The Securities and Exchange Commission (SEC) recently announced that it had awarded $22 million to two whistleblowers, with one of those individuals receiving an $18 million award. The two individuals provided the SEC with information concerning the same investigation; however, the individual receiving the larger award provided the information that led the SEC to initiate the investigation in the first place. The press release does not disclose the investigation that led to the award, but given the size of the award, the SEC likely obtained over $100 million from the entity that was the target of the investigation. Similarly, the SEC’s order does not disclose the identities of the two individual whistleblowers, shielding them from retaliation and public scrutiny.  

This demonstrates the SEC’s commitment to protecting whistleblowers, and the mechanisms by which it does so. The SEC relies heavily on whistleblowers to reveal potential fraud to the SEC. Fraud, by its nature, is concealed from the prying eyes of curious investors and the SEC. According to government agencies like the SEC, whistleblowers are crucial in pealing back the shades and revealing fraud. As both an incentive and a reward, the SEC provides whistleblowers with a portion of any recovery against individuals and entities that the whistleblower has reported on. Since its inception in 2012, the SEC’s whistleblower program has awarded whistleblowers nearly $1 billion. Awards can range from 10 to 30 percent of the money collected when the SEC’s recovery exceeds $1 million. Further, there are protections in place to prevent retaliation and ensure that previous employees are not hampered in bringing fraud to the attention of the government.  

The Small Business Administration (SBA) closed the window for applications for its popular Paycheck Protection Program (PPP) on Monday, May 31, 2021, after approving nearly $800 billion in loans since the commencement of the program in April, 2020. Just over $10 billion in loans have gone to Georgia businesses, and about 10% of the total PPP loan funds have gone to businesses in the “health care and social assistance” industry. The SBA has not yet released a summary of data on loan forgiveness amounts for 2021, however it reports that about 54% of PPP funds that were issued under loans approved in 2020 have been forgiven, while forgiveness applications for roughly 15.6% of 2020 PPP loan funds remain under review. The SBA has not received forgiveness applications for a little over 30% of 2020 PPP loan funds. 
What’s Next?

Businesses that have accepted PPP loan funds can apply for forgiveness as soon as the business has spent all PPP loan funds for which it plans to request forgiveness and must apply for forgiveness before the maturity date of the loan (either two years or five years after the date issued, depending on when the loan was issued). Businesses can get the correct forgiveness application from their PPP loan lender and should be prepared to submit documentation showing (i) payroll expenses during the covered period, and (ii) non-payroll expenses paid during the covered period (to prove that obligations existed prior to February 15, 2020). 

An Enforcement Wave is Coming – Keep Documentation Handy

Businesses that plan to submit or have already submitted forgiveness applications should keep all documentation on hand to show that the PPP loan funds were properly used for eligible expenses. As Chilivis Grubman previously reported, Attorney General Merrick B. Garland recently announced a new COVID-19 Task Force, which will collaborate with several different agencies, including the SBA. The COVID-19 Task Force is expected to focus on PPP loans, among other COVID-19 relief programs. To date, many of the Department of Justice’s enforcement actions have involved particularly blatant cases of fraud (for example, see the DOJ’s February statement regarding an individual that pleaded guilty to fraudulently obtaining $3.9 million in PPP loans and using part of the funds to purchase a Lamborghini). However, with the new task force, businesses can expect to see increased coordination between agencies and enforcement actions in more nuanced scenarios. 
To read all of this month’s client alerts, please visit our website blog by clicking our link below: