COVID, Privacy and More! New Challenges for Physicians in 2021
Client AlertThis article was originally published in the Spring Edition of Stark County Medical Society News.
While hopefully we are coming out of the pandemic, the legal repercussions related to legislative initiatives and other actions during that time continue to apply to businesses in general and healthcare practices. It is a helpful reminder that practices make certain that they maintain accurate records in order to satisfy the reporting requirements under the various COVID-related bills and protect yourself from future employment claims.
Families First Coronavirus Response Act (FFCRA).
This legislation was an expansion of the Family Medical Leave Act. It provides that employers with less than 500 employees are required to provide compensation to employees who are absent from work due to six specific triggering events. Those include that (a) the employee themselves are subject to a quarantine order (tested positive); (b) the employee was advised to self-quarantine because of potential exposure to a diagnosed person; (c) the employee is experiencing symptoms; (d) the employee is caring for someone else who has been diagnosed or been told to self-quarantine; or (e) is caring for a child due to COVID closure of school or childcare center.
Under FFCRA, employers were required to pay certain benefits on a two-week basis with a cap of $5,000 if in the first two categories, or in the other categories, two-thirds of pay with a $2,000 cap. No benefits are required if the employee could potentially work from home through some telework opportunities.
A particularly complex situation applied for healthcare practices. Initially, healthcare practices were exempt with the idea that healthcare workers were essential. A change in interpretation several months later basically split a healthcare practice with those staff members with direct patient care continuing to be exempt from coverage while employees who are behind-the-scenes, so to speak, such as billing would be eligible for benefits.
If the employer made payments, the employer would then be eligible for a tax credit for all payments made under the statute. In essence, the employer-funded the benefit but then recouped those dollars against other income when taxes were filed.
The mandatory program ended on December 31, 2020 but it remains available on a voluntary basis through September 30, 2021. Congress is considering an extension of these provisions and so you should anticipate having to implement them again. From an employer's perspective, it is crucial that you fully document the particular employee, what their role is in the office, verify with written documentation that they met one of the criterion (similar to a return to work slip), and otherwise make certain that the person either met the criteria or not. One additional note regarding school issues. The rule only applies to children through high school, and does not apply if the child could attend school but the family made a family decision to do remote education. Once again, if the employee could work through telework they are required to do so.
Liability to Staff or Public.
Ohio was one of the first states to adopt an immunity statute from COVID claims in certain circumstances. The bill went into effect on March 9, 2020. In short, it abolishes any claim for “damages, death or injury” against any person if the claim is based in whole or in part on the exposure, transmission, or contraction of a COVID-type condition with some limited exceptions. It specifically provides that a physician who delays treatment or a procedure due to COVID cannot be held liable simply for delaying the procedure or treatment. An employer is not liable should the employee contract COVID provided the employer took reasonable steps in their office. The bill goes on to provide while Ohio may establish certain recommended protocols, an employer’s failure to follow each element of the protocol will not be presumed that the employer is not taking reasonable steps. We certainly recommend where possible you follow those protocols, however.
Financial Support Legislation.
There were several bills enacted that provided funds to employers to assist in recovery efforts. The Paycheck Protection Program (PPP) provides loans through the Small Business Administration in an amount of approximately two months of payroll which if used to cover payroll and other approved expenses would result in the loan being forgiven. Additional tax-relief was included. Normally, when a loan is cancelled, that is deemed by the IRS to be income to the borrower. The PPP loan forgiveness is not deemed to be income. Second, employers used the funds to pay payroll. Originally there had been an inference that payroll expense, which ordinarily would have been a deductible business expense, would not be permitted to be deducted if it was paid for by PPP money. Subsequent interpretations in fact concluded that employers can take the ordinary business deduction. Borrowers must file an application seeking forgiveness and the portals to do so are currently open. Borrowers must however maintain good records to document that the funds were used exactly as permitted. People can also apply for additional PPP loans for the 2020 time period if the business could demonstrate at least one quarter where the 2020 income of the practice was lower than the corresponding period in 2019. If you could meet the qualifying quarter, you would again be eligible for more PPP money.
CARES Act Relief Fund.
This provided an automatic deposit into your account of 2% of the Medicare fees collected by your practice in 2019. These funds are to be used for expenses such as acquisition of PPE, renovations in your office, training and lost income for physicians provided however it cannot duplicate any funds being used for PPP purposes. Again, funds should be segregated, and a report has to be submitted attesting to the use of the funds. The portal is open and must be completed by July 31, 2021.
American Resource Rescue Plan.
The most recent bill includes a provision that provides for an employee retention credit that while similar to the PPP, has some different measures. You should discuss these options with your accountant to make sure that you maximize any credits that are available.
Patient Privacy and Security.
While HIPAA has been in effect since 2004, it should be a standard part of your practice. It is important to verify that your practice is diligently following all of the requirements under HIPAA, that includes making sure that a Notice of Privacy Practices are provided to patients, that staff and physicians undergo annual updates in training, and to make sure that your written plans are up-to-date. There were major revisions to the HIPAA requirements that came into effect in 2011 and if your plan has not been modified since that time it is probably out of compliance. Further, with the changes in implementation of telemedicine during the pandemic, many plans are likewise out of date if it does not specifically include features for telling patients how you handle telemedicine interactions with the patients. You should review and make sure your plan is up to date. If not, it should be reviewed by an experienced healthcare attorney.
A second part of HIPAA deals with security standards for the protection of records against cyber-attack or the like. The practice is required to conduct what is known as a risk assessment to determine if you have the most up-to-date electronic security features, the use of passwords, authentication codes, are your records backed up, and what steps have you implemented to protect against cyber-attack. Because HIPAA has been in effect for over 15 years, the federal enforcement office now takes a position that any HIPAA violation should be sanctioned, and fines paid. In 2020 alone, the federal government collected over $13 Million in fines simply from HIPAA violations.
In addition to monetary sanctions, there has been an increase in cyber attacks on medical practices of all sizes including even one-professional offices. We recently worked with a professional whose office was cyber attacked and the cost to recover, payment of technology fees, ransom and the like, was significant let alone the loss of productivity during the downtime. You may want to look at cyber attack insurance.
Congress adopted the 21st Century Cures Act which goes into effect April 5, 2021. This provision enhances the rights of patients to access information and imposes significant penalties of up to $1 Million per violation for both healthcare providers or healthcare systems technology and the like, which make it difficult or create barriers for patients to obtain their medical information. Again, part of the review assessment and updates of your HIPAA plans may well protect you from these additional risks.
Action Steps.
We recommend that you periodically look at the details of your compliance plans. If you participated in any of the COVID programs verify that you have segregated records to account for all dollars in and how expenses were paid using those dollars and make sure you timely do the reporting and attestation in order to get the loan forgiveness under PPP and accurately report so you can keep the CARES Act money.
This article is a recap of information presented to Stark County Medical Society in its webinar series on March 24, 2021. If you would like copies of the presentation or have any questions, please contact Scott P. Sandrock at spsandrock@bmdllc.com or (330) 253-4367.