The Virginia Safety and Health Codes Board enacted a Permanent Standard on COVID-19 in workplaces in a 9-4 vote on January 13, 2021.

On July 15, 2020, Virginia became the first state in the nation to promulgate an Emergency Temporary Standard to address COVID-19 in workplaces. Even with vaccine deliveries on the way, Virginia has enacted a Permanent Standard for consideration by the Virginia Safety and Health Codes Board (which includes author Courtney Malveaux).

To read the entire article, click here.

In March 2020, when Congress passed the Families First Coronavirus Response Act (FFCRA) with a sunset date of December 31, 2020, few anticipated the COVID-19 pandemic would be ongoing into 2021. Several similar state and local laws also sunset at the end of 2020. But the pandemic has not slowed, and requests for COVID-19-related leave (along with the corresponding tax credits) continue.

Here’s What We Know

The new stimulus bill (Consolidated Appropriations Act, 2021) passed on December 27 did not extend the FFCRA obligations. Employers who were covered under the FFCRA are no longer obligated to provide their employees leave.

However, while the FFCRA does not mandate an employer continue to provide COVID-19-related paid sick and paid family leave beyond December 31, 2020, it allows employers who are covered under the FFCRA to voluntarily decide to provide “qualified” paid sick leave or paid family leave wages to their employees and continue to receive a tax credit for such wages until March 31, 2021.

Please read our full article here.

U.S. Citizenship and Immigration Services (USCIS) announced that it is experiencing delays in issuing receipt notices for some applications and petitions filed at USCIS lockboxes that are located in Chicago, Illinois, Phoenix, Arizona, and Lewisville, Texas. This announcement does not come as a surprise to most filers, since delays have been experienced for some time and have become even longer since October 2020, when thousands of Form I-485 Adjustment of Status applications were filed.

Adjustments due to COVID-19 restrictions at USCIS are adding to the problems. Not only can it take more than two months for receipts to be issued, but filing fee checks (the cashing of which became a way to determine whether an application or petition was received) are not timely cashed. These delays also are seen with other cases filed at lockbox addresses, such as Form I-765 Applications for Employment Authorization and Form I-131 Applications for Travel Documents. The delays have been particularly long for students applying for EADs who, like others, are experiencing gaps in employment authorization.

USCIS confirmed that, despite any delay, once the receipt is issued, it will reflect that actual date of receipt. USCIS also maintains the delays will not result in payments going beyond their validity dates.

USCIS asks stakeholders to be patient and says it is working extra hours and redistributing workloads to deal with the backlogs.

In order to speed up the receipt-acknowledgment process, USCIS suggests that applicants complete and attach Form G-1145, E-Notification of Application/Petition Acceptance to their filings at lockboxes to request a text message or email upon receipt.

If you have questions about receipting delays, please reach out to your Jackson Lewis attorney.

The City of San Jose recently passed an ordinance extending its supplemental paid sick leave ordinance until June 30, 2021 and expanding it to apply to all employers with employees working in San Jose.

Extension

When it was first passed, San Jose’s supplemental paid sick leave ordinance was set to expire on December 31, 2020. In late 2020, the City committed to extending the ordinance into 2021 but waited to see if the Emergency Paid Sick Leave (EPSL) provided under the Families First Coronavirus Response Act (FFCRA) would be extended before taking action. When the federal government did not extend the FFCRA, the City of San Jose passed a revised ordinance that extends the City’s supplemental sick leave until June 30, 2021. The ordinance is retroactive to January 1, 2021.

Expansion

San Jose’s original ordinance was designed to provide sick leave to employees who did not receive EPSL under the FFCRA; thus it only applied to employers with 500 or more employees. Because the FFRCA was not extended into 2021, the City of San Jose decided to expand its ordinance to apply to all employers with employees in the City of San Jose, regardless of the size of the employer. That means that San Jose’s supplemental paid sick leave is now available to all employees working in the city.

Reasons for Leave

The revised ordinance does not change the reasons for which sick leave may be taken. An employee may take leave when unable to work because the employee:

  • Is subject to a federal, state, or local quarantine or isolation order related to COVID-19 or is caring for someone who is;
  • Has been advised by a health care provider to self-quarantine due to concerns related to COVID-19 or is caring for someone who is;
  • Is experiencing symptoms of COVID-19 and seeking a medical diagnosis; or
  • Is caring for their child if the child’s school or place of care is closed or unavailable due to COVID-19 precautions.

No Additional Time

Like the original ordinance, the revised ordinance provides full-time employees with 80 hours of paid sick leave (part-time employees receive a pro-rata amount). However, the ordinance states that 80 hours is the total amount available to employees for the period of April 2, 2020, to June 30, 2021.

Other local ordinances such as the City and County of Sacramento have also been extended. But like the federal government, the state of California has thus far not extended statewide supplemental paid sick leave.

Jackson Lewis continues to monitor local, state, and federal legislation pertaining to COVID-19. If you have questions about supplemental paid sick leave or other employment concerns related to COVID-19, contact a Jackson Lewis attorney to discuss.

At the end of 2020, California approved the Division of Occupational Safety & Health’s (“Cal OSHA”) COVID-19 Emergency Temporary Standard (“ETS”).

Among the many requirements in the new ETS, Cal OSHA imposed a performance-based obligation on employers to establish and implement an effective COVID-19 Prevention Program, COVID-19 preventive measures (e.g., social distancing and mandatory use of face coverings), and COVID-19 case management (e.g., investigation, recording, and reporting). In establishing these requirements, the ETS also published prescriptive written COVID-19 Prevention Program components and procedures for handling COVID-19 cases, as well as steps to regulate multiple infections and presumed outbreaks at the workplace that are already subject to substantial state and local health department requirements. Moreover, the ETS substantially departs from other health and safety regulations by compelling worker exclusion following a potential workplace exposure to COVID-19, mandating exclusion pay in limited circumstances,  and that employees be provided COVID-19 testing. The ETS further imposes potential liability on employers if they fail to comply with the various requirements.

The ETS has created confusion and frustration among California employers already facing a multitude of federal, state, and local COVID-19 requirements, which are in a constant state of flux. The ETS also attempts to impose requirements that are administered by other responsible agencies and authorities, making employers’ obligations unclear and duplicative. For example, the ETS imposes an obligation on employers to notify state and local health departments of multiple COVID-19 cases despite this obligation already being imposed on employers under AB 685, guidance from the state health department, and standing health department orders.

Cal OSHA’s ETS also uses inconsistent language to discuss requirements (e.g., “offer” vs. “provide” in the context of required testing), imprecise language, and imposes obligations that do not make sense from either a technical or feasibility standpoint. For instance, the ETS defines a “COVID-19 test” as one that is (i) approved by the United States Food and Drug Administration (“FDA”) or has an Emergency Use Authorization from the FDA, and (ii) is administered in accordance with the FDA approval or Emergency Use Authorization. In doing so, Cal OSHA fails to take into account that COVID-19 tests can be approved for use under other regulatory pathways and that many COVID-19 tests on the market are not approved by FDA or under an Emergency Use Authorization. Restricting testing in this way also unnecessarily complicates an already complicated requirement and makes compliance more difficult, costly, and time-intensive.

Despite numerous concerns raised in public meetings and written responses to the ETS, Cal OSHA also has not provided sufficient guidance on how to comply with the ETS, leaving many obligations on testing, worker exclusion, and COVID-19 case management unclear. Cal OSHA only just recently provided the public updated FAQs but still left numerous questions and ambiguities.

In response to the ETS’ ambiguities and overwhelming compliance burden, the Western Growers Association, the California Business Roundtable, the California Association of Winegrape Growers, the California Farm Bureau Federation, Ventura County Agricultural Association, and the Grower-Shipper Association of Central California joined together to file a lawsuit against Cal OSHA and related entities and individuals over the ETS before the Los Angeles Superior Court. The lawsuit contends that the Board violated employers’ due process rights and the state’s administrative procedure laws by failing to provide clear and adequate notice of the link between the ETS and the emergency situation necessitating the new rules. The lawsuit also claims that the ETS improperly imposes “unprecedented financial and operational costs on employers” in the state and without evidence that the new requirements will significantly or even materially improve workplace health and safety as it pertains to COVID-19. The required measures further lack clarity, such that employers are not understanding what is required of them, and do not take into account resources, feasibility, or costs. Further, the action alleges that many of the requirements in the ETS have little to no connection to workplace health and safety and instead deputize employers to monitor non-work-related COVID-19 exposure risks. The suit filed by the agricultural associations follows a lawsuit filed in San Francisco Superior Court by retail industry groups seeking declaratory and injunctive relief from the ETS.

To date, Cal OSHA and the other entities named in the suits have not publicly responded or acknowledged either complaint.

Jackson Lewis will continue to monitor issues pertaining to COVID-19 and the workplace in California. If you have questions about the ETS or related workplace safety issues, contact a Jackson Lewis attorney to discuss.

The Consolidated Appropriations Act, 2021 (Act) provides certain COVID-19-related relief, including temporary additional flexibility regarding flexible spending accounts (FSAs). Employers have several practical considerations when deciding whether to adopt one or more of the changes in their plans.

Under the FSA changes, employees need not lose the benefit of the dollars they set aside from their pay into healthcare and dependent care FSAs and may use the amounts contributed for up to 12 months after the end of the 2020 or 2021 plan years.  More

In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year.  The Report examines OCR’s findings from HIPAA audits the agency conducted during 2016-2017 of 166 healthcare providers and 41 business associates. The audits were intended to examine mechanisms for compliance, identify promising practices for protecting the privacy and security for health information, and discover vulnerabilities that may be have been overlooked by OCR enforcement activity. It is the OCR’s hope that insights from the Report will enhance industry awareness of compliance obligations and assist the OCR in developing tools and guidance to assist industry compliance, self-evaluation, and prevent data breaches.

The Report looked at seven components of HIPAA compliance by covered entities:

Privacy Rule:

      • notice of privacy practices/content requirements
      • provision of notice – electronic notice (website posting)
      • right of access

Breach Notification Rule:

      • timeliness of notification
      • content of notification

Security Rule:

      • security management process – risk analysis
      • security management process – risk management

For business associates, the Report examined three components:

Breach Notification Rule –

      • notification by a business associate,

Security Rule –

      • security management process – risk analysis and
      • security management – risk management.

The Report applied a rating scale of 1-5 to covered entities, one being essentially full compliance and five being no evidence of a serious attempt to comply with the rules. Based on this scale and the results from the audits, the Report concludes covered entities generally demonstrated compliance in only two of the seven areas audited: 1) timeliness of breach notification and 2) prominent posting of the notice privacy practices on their websites. Here are some troubling data points from the Report:

  • With regard to satisfying the content requirements for HIPAA notices of privacy practices, only 2% of covered entities fully met the requirements, and two-thirds failed to or made minimal or negligible efforts to comply.
  • Almost all covered entities audited (89%) failed to show they were correctly implementing the individual right of access. Notably, right of access compliance is a specific enforcement initiative of the OCR, having announced 13 enforcement actions over the past two years. Compliance gaps included inadequate or incorrect policies and procedures for providing access, such as policies that incorrectly state that the entity could deny access to PHI or lack of policies for honoring requests for information to be provided to a designated third party.
  • Approximately 70% of covered entities used breach notification letters that failed to satisfy regulatory content requirements, such as a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm.
  • As the OCR’s previous audit (from 2012) found, covered entities struggled to implement the Security Rule’s requirements for both risk analysis and risk management – the Report highlighted that only 14% of audited covered entities “substantially fulfilled” responsibilities regarding safeguarding of ePHI through risk analysis mechanisms, and only 6% of covered entities adequately fulfilled requirements to implement appropriate risk management mechanisms to reduce risks and vulnerabilities to a reasonable and appropriate level.

Business associates shared similar struggles with covered entities regarding implementation of security risk analysis and management requirements – only 17% of audited business associates “substantially fulfilled” requirements regarding safeguarding of ePHI through risk analysis, and only 12% of business associates fulfilled the requirement to implement appropriate risk management mechanisms. Moreover, while few audited business associates reported a breach of ePHI, those that did generally evidenced minimal or negligible efforts to address audited requirements.

On a positive note, the Report noted that a large majority of the covered entities and business associates shared their appreciation for the comments or findings, and already initiated steps to strengthen policies, procedures, and/or correct deficiencies.  The Report also provides helpful easy-to-use tools and resources to assist organizations with compliance. For example, the Report highlights the Model Notices of Privacy Practices available on the OCR’s website – covered entities may customize these models by entering their entity-specific information.

In the OCR’s announcement of the Report, OCR Director Roger Severino emphasized,

The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative.  We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.

Takeaway

The OCR was active in enforcing HIPAA regulations in 2020. In particular, there were thirteen settlements under the OCR’s Right to Access Initiative which enforces patients’ rights to timely access medical records at reasonable cost. In September of 2020 alone, the OCR announced settlements with five providers under that Initiative. OCR settlements have impacted a wide array of health industry related businesses including hospitals, health insurers, business associates, physician clinics, and mental health/substance abuse providers. Furthermore, 2020 saw more than $13.3 million recorded by OCR in total resolution agreements.

In addition, there was a significant amount of OCR issued guidance relating to HIPAA in 2020. In March OCR issued back-to-back guidance on COVID-19 related issues, first regarding getting protected health information (PHI) of COVID-19 exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the Director of the OCR issued advice to HIPAA subject entities in response to the influx of recent OCR enforcement actions – “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” In September, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and improve HIPAA Security Rule compliance, and shortly after issued updated guidance on HIPAA for mobile health technology. Finally, regulations have been issued to permit hospitals and health systems to donate cybersecurity technology to physician practices.

The Report combined with increased OCR enforcement activity and guidance, serves as a reminder of the seriousness in which OCR treats HIPAA compliance obligations, and healthcare organizations and their business associates need to address basic best practices as they enter 2021.

In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year.  The Report examines OCR’s findings from HIPAA audits the agency conducted during 2016-2017 of 166 healthcare providers and 41 business associates. The audits were intended to examine mechanisms for compliance, identify promising practices for protecting the privacy and security for health information, and discover vulnerabilities that may be have been overlooked by OCR enforcement activity. It is the OCR’s hope that insights from the Report will enhance industry awareness of compliance obligations and assist the OCR in developing tools and guidance to assist industry compliance, self-evaluation, and prevent data breaches.

The Report looked at seven components of HIPAA compliance by covered entities:

Privacy Rule:

      • notice of privacy practices/content requirements
      • provision of notice – electronic notice (website posting)
      • right of access

Breach Notification Rule:

      • timeliness of notification
      • content of notification

Security Rule:

      • security management process – risk analysis
      • security management process – risk management

For business associates, the Report examined three components:

Breach Notification Rule –

      • notification by a business associate,

Security Rule –

      • security management process – risk analysis and
      • security management – risk management.

The Report applied a rating scale of 1-5 to covered entities, one being essentially full compliance and five being no evidence of a serious attempt to comply with the rules. Based on this scale and the results from the audits, the Report concludes covered entities generally demonstrated compliance in only two of the seven areas audited: 1) timeliness of breach notification and 2) prominent posting of the notice privacy practices on their websites. Here are some troubling data points from the Report:

  • With regard to satisfying the content requirements for HIPAA notices of privacy practices, only 2% of covered entities fully met the requirements, and two-thirds failed to or made minimal or negligible efforts to comply.
  • Almost all covered entities audited (89%) failed to show they were correctly implementing the individual right of access. Notably, right of access compliance is a specific enforcement initiative of the OCR, having announced 13 enforcement actions over the past two years. Compliance gaps included inadequate or incorrect policies and procedures for providing access, such as policies that incorrectly state that the entity could deny access to PHI or lack of policies for honoring requests for information to be provided to a designated third party.
  • Approximately 70% of covered entities used breach notification letters that failed to satisfy regulatory content requirements, such as a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm.
  • As the OCR’s previous audit (from 2012) found, covered entities struggled to implement the Security Rule’s requirements for both risk analysis and risk management – the Report highlighted that only 14% of audited covered entities “substantially fulfilled” responsibilities regarding safeguarding of ePHI through risk analysis mechanisms, and only 6% of covered entities adequately fulfilled requirements to implement appropriate risk management mechanisms to reduce risks and vulnerabilities to a reasonable and appropriate level.

Business associates shared similar struggles with covered entities regarding implementation of security risk analysis and management requirements – only 17% of audited business associates “substantially fulfilled” requirements regarding safeguarding of ePHI through risk analysis, and only 12% of business associates fulfilled the requirement to implement appropriate risk management mechanisms. Moreover, while few audited business associates reported a breach of ePHI, those that did generally evidenced minimal or negligible efforts to address audited requirements.

On a positive note, the Report noted that a large majority of the covered entities and business associates shared their appreciation for the comments or findings, and already initiated steps to strengthen policies, procedures, and/or correct deficiencies.  The Report also provides helpful easy-to-use tools and resources to assist organizations with compliance. For example, the Report highlights the Model Notices of Privacy Practices available on the OCR’s website – covered entities may customize these models by entering their entity-specific information.

In the OCR’s announcement of the Report, OCR Director Roger Severino emphasized,

The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative.  We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.

Takeaway

The OCR was active in enforcing HIPAA regulations in 2020. In particular, there were thirteen settlements under the OCR’s Right to Access Initiative which enforces patients’ rights to timely access medical records at reasonable cost. In September of 2020 alone, the OCR announced settlements with five providers under that Initiative. OCR settlements have impacted a wide array of health industry related businesses including hospitals, health insurers, business associates, physician clinics, and mental health/substance abuse providers. Furthermore, 2020 saw more than $13.3 million recorded by OCR in total resolution agreements.

In addition, there was a significant amount of OCR issued guidance relating to HIPAA in 2020. In March OCR issued back-to-back guidance on COVID-19 related issues, first regarding getting protected health information (PHI) of COVID-19 exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the Director of the OCR issued advice to HIPAA subject entities in response to the influx of recent OCR enforcement actions – “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” In September, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and improve HIPAA Security Rule compliance, and shortly after issued updated guidance on HIPAA for mobile health technology. Finally, regulations have been issued to permit hospitals and health systems to donate cybersecurity technology to physician practices.

The Report combined with increased OCR enforcement activity and guidance, serves as a reminder of the seriousness in which OCR treats HIPAA compliance obligations, and healthcare organizations and their business associates need to address basic best practices as they enter 2021.

When the federal Families First Coronavirus Response Act (FFCRA) expired on December 31, 2020, COVID-19-related leave was no longer assured for many employees throughout the United States unless another law, like the Family and Medical Leave Act or the Americans with Disabilities Act, applies. Jurisdictions that have COVID-19-related leave laws (such as the District of Columbia and certain California municipalities), however, will continue to grant time off to eligible employees.

D.C.’s COVID-19-leave laws took effect on March 11, 2020, and are set to expire on March 31, 2021. In 2020, employers subject to both the FFCRA and these D.C. laws generally fulfilled their D.C. COVID-19 leave obligations when they provided FFCRA leave to covered employees. Now, employers with workers in D.C. should ensure they provide D.C. COVID-19 leave to covered employees who need it. For further discussion of D.C.’s COVID-19 leave laws, please see our full article.

On January 4, 2021, DHS announced that for I-9 purposes, Deferred Action for Childhood Arrivals (DACA) recipients may present an unexpired Employment Authorization Document (EAD) with Code C33 issued on or after July 28, 2020, along with an I-797 Extension Notice that shows an additional one-year extension. This new procedure is in response to a court order.

After the U.S. Supreme Court ruled the Administration had not properly terminated DACA, Acting Director of Homeland Security, Chad Wolf, issued a memo explaining that the Administration would be reviewing DACA and that until the review was concluded, DACA would be restricted. No new initial applications would be accepted, renewals (including renewals of EADs) would be limited to one year, and advance parole would be issued only for urgent humanitarian purposes, the memo stated. Then, in November 2020, a federal judge, Nicolas G. Garaufis, ruled that Acting Director Wolf had not been properly appointed and his rollback of DACA, therefore, was invalid.

As part of the Judge’s ruling, USCIS was ordered to post notices informing the public of how the court’s order would be implemented. That notice can be found on the USCIS website along with instructions on how to apply for DACA. In compliance with the court order, USCIS notified the public it would do the following under the terms of the DACA policy in effect prior to its termination by President Donald Trump on September 5, 2017:

  • Accept first-time requests for deferred action;
  • Accept renewal requests for deferred action;
  • Accept applications for advance parole documents;
  • Extend one-year grants for deferred action to two years; and
  • Extend one-year employment authorization documents to two years.

USCIS also agreed to take appropriate steps to provide evidence of the one-year extensions of deferred action and employment authorization to those who were issued such documentation on or after July 28, 2020, with only a one-year validity period. As it turns out, that evidence will be in the form of an I-797 Extension Notice.

DHS plans to comply with the above while the Judge’s ruling remains in effect, “but DHS may seek relief from the order.” DHS has not yet appealed the order. Although President-elect Joe Biden has said he would protect DACA, another case threatening the program is pending in federal court in Texas.

Jackson Lewis attorneys will continue to provide updates as they become available.