Volume 3 | March 2020
These are trying times, to say the least. Although we are working remotely, we are at full capacity to ensure that we are handling all of the legal challenges that our clients are facing during this difficult and unprecedented time.

We have decided to send out this "Special Edition" firm newsletter to share some useful information related to the COVID-19 crisis and its effect on businesses. We hope that you find it helpful, and send our sincerest wishes that you and your families all stay safe and healthy.

Please do not hesitate to contact us if there is anything we can do for you.

CMS Announces Telehealth Expansion and Waivers
On March 17, the Trump administration announced that, due to the COVID-19 crisis, Medicare providers may now use phone and video conference, including FaceTime and Skype, to see patients, with no penalties. This includes blanket HIPAA waivers, as well as Medicare reimbursement for such services.

"Today we're also announcing a dramatic expansion of our telehealth services. Medicare patients can now visit any doctor by phone or video conference at no additional cost, including with commonly used services like FaceTime and Skype," Trump said. "In addition, states have the authority to cover telehealth services for their medical patients."

Trump added that the administration "will not enforce applicable HIPAA penalties so that doctors can greatly expand care for their patients using telehealth."
That same day, the Centers for Medicare and Medicaid Services (CMS) issued an FAQ on the topic. The FAQ includes a list of HCPCS codes that are eligible for telehealth services under the emergency declaration and waivers. The FAQ also makes clear that the waiver temporarily eliminates the requirement that the originating site must be at a physician's office or other authorized facility and allows Medicare to pay for telehealth services when beneficiaries are in their homes or any care setting. Moreover, CMS makes clear that it will not enforce the typical "established relationship" requirement, and that the telehealth services subject to the temporary waiver are not limited to services related to patients with COVID-19.

Also on March 17, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it would exercise its enforcement discretion and will waive potential penalties for HIPAA violations against healthcare providers that serve patients through "everyday communications technologies" during the COVID-19 crisis. The waiver applies to "widely available communications apps" such as FaceTime or Skype, "when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19." OCR's guidance related to these waivers can be found here.
DOJ Cracks Down on COVID-19 Related Fraud

According to a press release by the Department of Justice (“DOJ”), numerous fraud schemes have developed related to the COVID-19 pandemic. In a March 16 memo to U.S. attorneys, Attorney General William Barr directed the DOJ to “remain vigilant in detecting, investigating, and prosecuting wrongdoing related to the crisis.” Barr directed all U.S. attorneys to prioritize fraud related to the COVID-19 pandemic. According to the DOJ, such fraud schemes include:

  • Seeking charitable donations to nonexistent government and public health institutions

  • Creating fake website stores claiming to sell supplies in high demand (masks, hand sanitizer, etc.) but pocketing the cash instead of supplying the goods

  • Soliciting protected health information under the guise of public health officials

  • Embedding malware or viruses in coronavirus news and updates

  • Selling free test kits, treatments, cures, or vaccines

U.S. Attorney offices nationwide appear to be heeding Barr’s call to action. Many districts have issued press releases alerting citizens of common schemes. For example, U.S. Attorney for the Northern District of Georgia BJay Pak issued a statement “urging the public to report suspected fraud schemes related to COVID-19” by contacting the National Center for Disaster Fraud (NCDF). According to Pak’s press release, the NCDF “can receive and enter complaints into a centralized system that can be accessed by all U.S. Attorneys, as well as Justice Department litigating and law enforcement components to identify, investigate and prosecute fraud schemes.” Moreover, the NCDF “coordinates complaints with 16 additional federal law enforcement agencies, as well as state Attorneys general and local authorities.” 

Other districts, including the Western District of Virginia, have created Coronavirus Fraud Task Forces. According to the U.S. Attorney for the Western District of Virginia, the task force is “focused on the fraud, not the amount of the loss, and will utilize all available tools and statutes to put bad actors in federal prison.”

The DOJ’s promise to go after such fraud is not hollow. Over the weekend, the DOJ took its first legal action against an alleged coronavirus scammer. In a civil complaint filed in Austin, Texas, the DOJ filed an emergency petition seeking a temporary restraining order against the operator of a website claiming to sell COVID-19 vaccine kits. The complaint alleged that the website was engaged in a wire fraud scheme that claimed to offer access to World Health Organization vaccine kits in exchange for paying only a $4.95 shipping fee, despite the fact that there currently is no COVID-19 vaccine. The court issued a temporary restraining order requiring the registrar of the website to immediately block public access to it. The Assistant Attorney General of the Civil Division announced that the DOJ “will use every resource at the government’s disposal to act quickly to shut down these most despicable of scammers, whether they are defrauding consumers, committing identity theft, or delivering malware,” and that this case is just the first example. 
HHS-OCR Warns of Cyber Scams
On March 18, OCR shared guidance released by the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, warning individuals to remain vigilant for scams related to COVID-19. According to CISA, "[c]yber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes." CISA encourages individuals to remain vigilant and take the following precautions:

  • Avoid clicking on links in unsolicited emails and be wary of email attachments.

  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.

  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.

  • Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.

HHS-OIG Issues COVID-19 Fraud Alert Aimed at Beneficiaries Warning of Fraudulent Schemes

On March 23, HHS-OIG became the latest federal agency to issue an alert warning of COVID-19 related scams. Specifically, HHS-OIG stated that "[s]cammers are offering COVID-19 tests to Medicare beneficiaries in exchange for personal details, including Medicare information. However, the services are unapproved and illegitimate."

The fraud alert also warned that "fraudsters are targeting beneficiaries in a number of ways, including telemarketing calls, social media platforms, and door-to-door visits." HHS-OIG warns that Medicare beneficiaries should be cautious of unsolicited requests for Medicare or Medicaid numbers, be suspicious of any unexpected calls or visitors offering COVID-19 tests or supplies, and ignore offers or advertisements for such services or treatments.
EEOC Issues Guidance on COVID-19, the ADA, and the Rehabilitation Act

On March 19, 2020, the EEOC updated its pandemic preparedness guidance to address COVID-19 and its effect on Titles I and V of the Americans with Disabilities Act (“ADA”) and Section 501 of the Rehabilitation Act. Importantly, the EEOC notes that the ADA and the Rehabilitation Act will not interfere with employers following workplace advice from the Centers for Disease Control and Prevention (“CDC”) or other public health authorities.

Generally, the ADA prohibits employers from requiring a medical examination or inquiring as to whether the employee has a disability or the nature of a disability unless the examination or inquiry is job-related or meets a business necessity. A disability-related inquiry or medical examination of an employee is job-related or meets a business necessity if an employer has a reasonable belief, based on objective evidence, that (1) an employee’s ability to perform essential job functions will be impaired by a medical condition; or (2) an employee will pose a direct threat due to a medical condition.

Whether a public health emergency or pandemic meets the “direct threat” exception is based on the severity of the illness. An assessment by the CDC or another public health authority provides the objective evidence needed for a disability-related inquiry or medical examination. Based on information from the CDC and other public health authorities, the EEOC declared in its updated pandemic preparedness publication that the COVID-19 pandemic meets the direct threat standard as of March 2020. The EEOC also issued the following guidance:

1. Employers may send home an employee with COVID-19 or associated symptoms.

2. If an employee reports feeling ill at work, or calls in sick, the employer may inquire about their symptoms to determine if they have or may have COVID-19.

3. While checking an employee’s body temperature is considered a medical examination, an employer may measure the body temperature of employees in light of COVID-19. However, whether an employee has a fever or other symptom is subject to ADA confidentiality requirements.

4. Employers may require infection control practices, such as regular hand washing, proper tissue usage and disposal, and coughing and sneezing etiquette.

5. An employer may screen job applicants for symptoms of COVID-19 after making a conditional job offer (but not pre-offer), as long as the employer applies the screening to all entering employees in the same type of job. This ADA rule allowing post-offer medical inquiries and exams applies to all applicants, whether or not the applicant has a disability.

6. An employer may delay the start date of an applicant with COVID-19 or associated symptoms.

The guidance from the EEOC, CDC, and other public health authorities is likely to change as the COVID-19 pandemic evolves. Employers should continue to monitor the most current information from the CDC and public health authorities, as it may affect the EEOC’s current guidance. 
FINRA Issues COVID-19 Guidance on Temporary Relief, Cyber Security, and Postponement of Hearings
On March 9, 2020, the Financial Industry Regulatory Authority, Inc. (FINRA) issued Regulatory Notice 20-08 to members, granting temporary relief from certain regulatory requirements and providing guidance on actions firms should take in light of the COVID-19 pandemic.

FINRA granted temporary relief in connection with the following requirements:

  • Deadline Extensions: FINRA stated that, upon request, it will consider extending deadlines for regulatory filings and responses to requests it issues in inquiries and investigations into members. Member firms that require extra time to respond to requests or make an upcoming filing are advised to contact their Risk Monitoring Analysts or the relevant FINRA department to seek such an extension.

  • Remote/Telework and Emergency Relocations: FINRA acknowledged that registered persons may need to use remote offices or telework arrangements, which require alternative methods to reasonably supervise their activities. In addition, member firms are temporarily not required to submit branch office applications on Form BR when opening a temporary office location or space sharing arrangement. Nevertheless, if a firm relocates an office to an emergency location that is not registered as a branch office or regular non-branch location, it should use its best efforts to provide its Risk Monitoring Analyst with written notification.

  • Form U4: FINRA has temporarily suspended the requirement that firms maintain updated office of employment address information on a registered person’s form U4 in the case of a relocation due to COVID-19. 

FINRA also warned member firms about the increased Cyber Security risks associated with the COVID-19 pandemic and recommends that firms take the following cyber-safety measures:

  • Ensure that virtual private networks (VPNs) and other remote access systems have been updated with all of the latest security patches.

  • Confirm that system entitlements (access permissions) are current.

  • Use multi-factor authentication for remote access to the firm’s systems.

  • Use education and exercises to promote employee vigilance about cyber risks.

FINRA has also administratively postponed all in-person arbitration and mediation proceedings scheduled through May 1, 2020. Note that this postponement does not affect other case deadlines, which will continue to apply.

HHS Secretary Issues Privacy Rule Waiver For Hospitals

Although the HIPAA Privacy Rule, which restricts the use and disclosure of individuals’ protected health information, applies even during public health emergencies, federal law permits the Secretary of the U.S. Department of Health and Human Services (HHS) to waive some of its requirements in order to lessen the barriers of data sharing within the healthcare sector during a public health emergency.

The COVID-19 pandemic is such a public health emergency, and it has resulted in government action at every level. On January 31, 2020, HHS Secretary Alex M. Azar declared a public health emergency related to COVID-19. On March 13, 2020, President Donald J. Trump declared a nationwide emergency. According to an HHS Bulletin, “Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply” with specific provisions of the HIPAA Privacy Rule. The waiver went into effect on March 15, 2020, and applies to the following requirements:

  • The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. 

  • The requirement to honor a request to opt-out of the facility directory. 

  • The requirement to distribute a notice of privacy practices. 

  • The patient's right to request privacy restrictions. 

  • The patient's right to request confidential communications.

Importantly, Secretary Azar’s waiver applies only to hospitals that have instituted a disaster protocol. The waiver applies up to 72 hours from the time the hospital implements its disaster protocol or when the presidential or Secretarial declaration terminates – whichever is earlier. A hospital must then comply with the HIPAA Privacy Rule in its entirety.

HHS’ Bulletin makes clear that, even under public health emergencies, a covered entity must use reasonable efforts to ensure protected health information disclosed is limited to the minimum necessary information to achieve the purpose of the disclosure.


If you are going through hell, keep going

- Sir Winston Churchill
