Healthcare companies providing patient care during the pandemic must be vigilant, not only to prevent the spread of infection on their premises, but also to avoid lawsuits by patients, employees, and others who claim they contracted COVID-19 on the premises. This article describes best practices that healthcare providers should consider for limiting such claims.
Claims that May Arise Based on Alleged Infection on Premises
A plaintiff who claims to contract COVID-19 on a healthcare provider’s premises would likely bring some form of negligence claim, including general negligence, premises liability, and/or medical malpractice. The elements of these claims vary by jurisdiction, but in general, a plaintiff will need to prove (among other things) that the defendant owed a duty to the plaintiff, the defendant breached that duty by failing to act reasonably under the circumstances, and the breach proximately caused the plaintiff’s damages. A plaintiff may also assert negligence per se, arguing that the defendant violated a statute, rule, or regulation related to COVID-19 (such as Medicare Conditions of Participation) and the plaintiff contracted the illness as a result. Or, a plaintiff may assert fraud, claiming the healthcare provider misrepresented the safety precautions taken by the facility, the plaintiff relied on the alleged misrepresentation, and the plaintiff was injured as a result.
Plaintiffs are also testing the boundaries of other, less obvious theories, such as public nuisance, which has already been asserted by employees who claim to have contracted COVID-19 at their workplaces. A public nuisance is generally defined as an unreasonable interference with a right common to the general public. Public nuisance claims traditionally focused on an alleged interference with the use of land, but in recent decades, plaintiffs have pushed the boundaries of public nuisance claims, with mixed rates of success, to address alleged injuries related to asbestos, firearms, climate change, tobacco, and opioids, among other things.
The legal standards for these claims vary by jurisdiction, but in most cases, the defense of these claims will focus in large part on whether the healthcare provider complied with applicable federal, state, and local guidelines related to COVID-19.
These guidelines will likely inform the reasonableness standard of negligence and nuisance claims and may form the basis for a negligence per se or other tort claim.
The causation element of these claims will pose a major hurdle for most plaintiffs, who will be hard- pressed to prove that they contracted COVID-19 on the premises, although nursing homes and other long-term care providers may be more at risk, at least for claims by residents and other patients residing at the facility for longer periods. In most circumstances, the plaintiff may need to negate one or more other potential sources of infection outside the premises where the plaintiff could have contracted the disease. This burden is further increased by the current understanding that the disease could be transmitted by non-symptomatic persons and the latency period of the disease is currently understood to vary from 2 to 14 days.
In other words, the plaintiff may need to show that
they were not exposed to any source of infection
outside the healthcare provider’s premises in the 14
days preceding infection. Note, however, that some
jurisdictions may apply a lower causation standard to
nuisance claims than other traditional tort claims, so
defendants must be prepared with a multi-pronged
defense to such claims. Improvements in genetic
testing and sequencing, applied to the coronavirus,
may help a defendant prove that a plaintiff was
not exposed to the virus on its premises, but such
improvements could also help a plaintiff identify the
source of their infection.
Current Scope of Immunity Laws
Federal protections related to COVID-19 for healthcare providers are currently limited. The Public Readiness and Emergency Preparedness (PREP) Act provides immunity protections for the prescription, use, or administration of certain “covered countermeasures” (i.e., certain vaccines, drugs, and devices used to diagnose and treat COVID-19, including ventilators and NIOSH-approved masks), and the Coronavirus Aid, Relief and Economic Security (CARES) Act provides immunity for healthcare professionals volunteering care during the public health emergency. However, broader scale federal immunity protections do not currently exist. Senate Majority Leader Mitch McConnell has pushed for inclusion of a broad immunity against COVID-19 claims for businesses, schools, and hospitals in the next coronavirus stimulus package, but to date, negotiations have been unsuccessful. Healthcare providers must therefore rely on the patchwork of state laws for immunity and the federal PREP Act and CARES Act protections, to the extent they apply.
Numerous states (such as Illinois, New Jersey, and New York) have granted some form of immunity specifically to healthcare providers and facilities, either through the issuance of executive orders or by legislation. Often, the immunity is tied to providing healthcare services in response to COVID-19, and the exact scope of the immunity can be unclear, especially in the context of a claim alleging the plaintiff contracted COVID-19 on the provider’s premises. In addition, at least thirteen states (including Utah, Wyoming, Kansas, Iowa, Oklahoma, Arkansas, Louisiana, Mississippi, Alabama, North Carolina, Georgia, Nevada, and Ohio) have passed legislation or signed executive orders providing broad immunity for COVID-related claims, such as the ones described in this article, against businesses in general. Other states (including at least Illinois, New Jersey, and Arizona) are considering similar legislation. Some of these broad state immunity laws are expressly tied to compliance with applicable guidance from federal, state, and local health
HEALTH LAW VITALS / October 2020
© 2020 Haynes and Boone, LLPhaynesboone.com 3
officials. Therefore, healthcare providers should carefully document their efforts to comply with applicable standards.
None of these immunities are absolute. In most states, for example, the immunity does not apply to willful, reckless, or intentional misconduct or to gross negligence.
Practical Strategies to Limit Liability
Regardless of the existence of immunity laws— whose scope is still uncertain and not absolute— healthcare providers should consider implementing the following strategies to defend against potential claims that an individual contracted COVID-19 on their premises.
• Implement and enforce written coronavirus safety policies in compliance with applicable guidance. As noted above, a claim involving alleged contraction of COVID-19 on a healthcare provider’s premises will likely focus, in large part, on whether the defendant complied with applicable federal, state, and local guidance for limiting the spread of coronavirus infection. Where the premises owner makes good faith efforts to implement and enforce safety measures to control the infection on their premises, it will likely be difficult for the plaintiff to prove their case. Among other things, healthcare providers must have written workplace safety policies in place to address infection prevention and control, which should be reviewed and updated to comply with COVID-19 guidance from federal, state, and local sources applicable to their clinical setting and jurisdiction. For example, the CDC has issued specific guidance for healthcare facilities and professionals. In addition, states, regulatory agencies, professional associations, industry groups, and accrediting bodies may have specific standards to prevent the spread of infection, and some state OSHA programs have adopted (or are in the process of adopting) coronavirus-specific safety standards. Healthcare providers should
also review and update their facility’s emergency plan.
To ensure that policies and procedures remain up-to-date, healthcare providers should designate one or more persons to monitor changes in the applicable guidance. The safety policies and any applicable changes should be communicated to employees, who should be trained to follow the rules to limit the spread of coronavirus infection in the premises according to the guidance.
In implementing the various safety controls, healthcare providers should be mindful to stay in compliance with various state and federal privacy and discrimination laws. For example, the Office of Civil Rights at the U.S. Department of Health and Human Services (OCR) has resolved several religious freedom complaints against healthcare providers during COVID-19, as covered in our Client Alert.
• Implement exposure response procedures to address incidences of coronavirus infection on the premises. A healthcare provider’s duty of care may also include having procedures in place to handle any confirmed or suspected case of COVID-19, consistent with the applicable guidance. Such procedures could include designating a separate treatment area for suspected or confirmed COVID-19 patients and isolating such patients, routinely cleaning and disinfecting those areas, reporting the potential COVID-19 cases or exposure to facility infection control leads and public health officials, and performing contact tracing to identify other persons at the premises who also may have been exposed. Healthcare providers should have a written coronavirus exposure plan in place to address infection control and continued safety of all persons on the premises. The CDC has specific guidelines for infection prevention and control practices for healthcare providers when caring for a patient with a suspected or confirmed case of COVID-19.
HEALTH LAW VITALS / October 2020
© 2020 Haynes and Boone, LLPhaynesboone.com 4
• Require patients and other third parties at the premises to comply with the healthcare provider’s coronavirus safety policy. Healthcare providers should require third parties such as patients, visitors, vendors, and contractors present in the premises to follow the healthcare provider’s coronavirus safety rules. Among other things, healthcare providers should require all patients and other third parties in the premises to wear a face mask, and may consider limiting visitors to those essential for the patient’s physical or emotional well-being and care. Additionally, healthcare providers should seek assurance, in writing, from contractors that their employees will comply with the coronavirus safety rules while on the premises. Healthcare providers should also communicate changes in policies to patients as needed, such as those regarding requirements for attending appointments in-person, waiting room procedures, designation of separate treatment areas for COVID-19 patients, providing non- urgent patient care by telephone, and limitations on visitors.
• Document compliance with and enforcement of the coronavirus safety policy in the premises. Healthcare providers should carefully document their coronavirus safety policies (including updated versions over time); efforts to train employees and contractors regarding the policies; and enforcement of the policies. Healthcare providers should also maintain documentation reflecting governmental and/ or industry standards related to coronavirus prevention. It is important to maintain date- stamped versions of all such internal and external documents, which will inevitably change over time as additional information about the virus becomes available. To the extent it is infeasible to implement any applicable safety guidance, healthcare providers should document steps taken to attempt to implement such measures, reasons for infeasibility, alternative means of protection explored by the provider, and any alternative safety means implemented. Such
documents could be critical, not only to defeat a claim of breach of duty of care, but also to counter an argument that the healthcare provider’s failure to comply with the applicable safety guidance caused the plaintiff’s disease.
In defending against the causation element of a claim asserted against it, a defendant healthcare provider may show evidence of compliance with the applicable coronavirus safety rules in its premises during the past 14 days, evidence that no person with symptoms of coronavirus infection was allowed access to the business premises during the 14-day period, and evidence that there were no known instances of infection during that time-period. To the extent there were any instances of infection at the premises, healthcare providers should have documentation to show how such instances were handled in a safe manner, consistent with applicable guidance, to prevent exposure of persons like the plaintiff. Care should be taken to preserve privilege of any root cause investigation of the cause of any coronavirus case in the premises.
• Obtain written waivers of liability and indemnification agreements. Third parties entering the premises should be informed, in writing, that while the safety measures may limit the exposure to coronavirus infection, they are not a guarantee against exposure. Healthcare providers should consider having third parties sign a waiver of liability related to potential coronavirus-related claims. While the enforceability of such a waiver may vary by jurisdiction, the waiver may serve as evidence that the party had notice of the potential risk of exposure to coronavirus infection and assumed the risk of exposure before entering the premises.
In addition, contractors of the premises owner should be provided written notice that the healthcare provider takes no responsibility for the safety of employees of contractors and that the safety of these persons is the responsibility of the contractor. Healthcare providers should consider requiring contractors to agree in writing
HEALTH LAW VITALS / October 2020
© 2020 Haynes and Boone, LLPhaynesboone.com 5
that the contractors will indemnify the healthcare provider for any coronavirus-related claims by the contractor’s employees.
Finally, please note that employers have specific obligations to their employees related to workplace safety. Please consult your legal counsel to properly address these issues.
HHS Settles Ninth Investigation in HIPAA Right of Access Initiative
On October 9, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it settled its ninth enforcement action in its HIPAA Right of Access Initiative, which involved failure to provide timely access to medical records after a patient’s request. The press release is available here. This most recent investigation resulted from an individual’s complaint that she had made multiple requests for her medical records to a private medical practice specializing in neurology and pain management (the “Practice”). While the Practice provided some of the records, it did not provide the diagnostic films that the individual specifically requested. In October 2020 (over a year after the initial request), the individual received all of the requested medical records. The Practice agreed to take corrective actions and pay $100,000 to settle the potential violation of HIPAA’s right of access standard.
OCR Resolves Two More Religious Discrimination Complaints
On October 20, 2020, the OCR announced that it resolved two more religious discrimination complaints ensuring clergy access to patients for religious purposes during the COVID-19 pandemic. Both health systems involved received technical assistance from OCR based on CMS guidance explaining adequate and lawful access to chaplains or clergy in hospital visitations during the COVID-19 pandemic. The press release and links to the health systems’ updated policies are available here.
HIPAA Data Breach Settlements
HHS settled three HIPAA breach investigations in September, ranging in amounts from $1.5 million to $6.85 million, which represented the second-largest payment to resolve a HIPAA investigation in the OCR’s history. This settlement was made by a health insurer for potential violations related to a cyberattack in which hackers used a phishing email to install malware, resulting in the disclosure of over 10 million individuals’ protected health information (PHI). HHS also settled with a HIPAA Business Associate, who agreed to pay $2.3 million along with the adoption of a corrective action plan for potential violations related to a breach affecting over 6 million people also caused by a cyberattack. Lastly, an orthopedic clinic agreed to pay $1.5 million following a hacker’s exfiltration of a database of its patient records that affected 208,557 individuals and included social security numbers, medical procedures, test results, and health insurance information.
New Phase 3 Provider Relief Funding
On October 1, 2020, HHS, through the Health Resources and Services Administration (HRSA) announced $20 billion in new funding for providers on the frontlines of the COVID-19 pandemic. The press release is available here. On October 22, 2020, HHS, through HRSA, expanded the eligibility requirements and updated the reporting requirements to broaden the use of provider relief funds. The press release is available here. This Phase 3 General Distribution is available to: (1) providers who have already received Provider Relief Fund payments, (2) providers who began practicing January 1, 2020 through March 31, 2020, and (3) behavioral health providers, chiropractors, residential treatment facilities, eye and vision services providers, and others. The Phase 3 General Distribution is designed to balance an equitable payment of 2 percent of annual revenue from patient care for all applicants plus an add-on payment to account for changes in operating revenues and expenses from patient care, including expensed incurred related to COVID-19. All payment recipients will be required to accept the associated terms and conditions. Providers can apply for funds from October 5, 2020 through November 6, 2020.
HEALTH LAW VITALS / October 2020
© 2020 Haynes and Boone, LLPhaynesboone.com 6
Information Blocking Rules
The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) issued final rules implementing interoperability and patient access provisions of the 21st Century Cures Act. The final rules are available here. These rules include new information blocking regulations that restrict healthcare providers and other entities from interfering with the access, exchange, or use of electronic health information, which are currently set to take effect on November 2, 2020. On October 29, 2020, in response to the COVID-19 public health emergency, the ONC released an interim final rule with comment period that extends the compliance dates for these information blocking provisions to April 5, 2021. The IFR is available here.
Advisory Opinion on Pharmaceutical Manufacturer’s Proposal to Provide Cost-Sharing Assistance Directly to Medicare Beneficiaries
On September 18, 2020, the HHS Office of Inspector General issued an advisory opinion regarding a pharmaceutical manufacturer’s proposal to provide cost-sharing assistance directly to Medicare beneficiaries who are prescribed either of two formulations of its drug, concluding that the proposed arrangement would not generate prohibited remuneration under the civil monetary penalty provisions prohibiting inducements to beneficiaries, but would potentially generate prohibited remuneration under the anti-kickback statute if the required intent was present. The advisory opinion is available here.
HEALTH LAW VITALS / October 2020