North America

President Biden’s Six Prong COVID-19 Action Plan: What employers need to know about the Path out of the Pandemic

Facing the raging delta variant and waning vaccination levels, yesterday President Joe Biden announced a wide-ranging COVID-19 Action Plan termed the “Path out of the Pandemic,” designed to fight the continued spread of COVID-19. In a White House speech, the president implored the unvaccinated to get vaccinated and authorized federal agencies to take action to require public and private employers to make it happen.

Click here for an overview of the president’s six prong COVID-19 Action Plan and learn what action employers should take now when it comes to mandating vaccines.

Read full article

President Biden’s Six Prong COVID-19 Action Plan: What employers need to know about the Path out of the Pandemic

Facing the raging delta variant and waning vaccination levels, on Thursday, September 9, 2021, President Joe Biden announced a wide-ranging COVID-19 Action Plan (Plan) termed the “Path out of the Pandemic,” designed to fight the continued spread of COVID-19. In a White House speech, the president implored the unvaccinated to get vaccinated and authorized federal agencies to take action to require public and private employers to make it happen.  Read more…

Read full article

Under Pressure: California Clarifies Cyber Risk Management Best Practices for Healthcare Sector

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Agency,[1] the Department of Justice, and the Federal Bureau of Investigation, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics on the healthcare sector.

The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and servers to block access to a network until a “ransom” is paid. Oftentimes, it may not be immediately clear whether protected health information has been compromised following a ransomware attack, though providers should treat a successful attack as a presumed breach, thereby triggering the requirement to conduct an internal breach investigation under the federal Health Information Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, who then notifies the general public.[2]

Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate against ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. CCPA guidance issued in 2016 recommended that California companies implement the twenty data security controls published by the Center for Internet Security to provide reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement in order to protect their data systems from cyberattacks:

  • keep all operating systems and software housing health data current with the latest security patches;
  • install and maintain virus protection software;
  • provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
  • restrict users from downloading, installing, and running unapproved software; and
  • maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.

The failure to implement the aforementioned measures could render California providers vulnerable to liability.

Attorneys in Epstein, Becker & Green’s Privacy, Cybersecurity, and Data Asset Management practice group have extensive experience in advising healthcare providers how to protect against an increase in cybersecurity threats, conducting internal investigations in response to a presumed breach, notifying state and federal regulators in the event of a breach, and responding to government inquiries. For any questions about these or other related issues, contact the authors or your regular EBG Attorney.

Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.


[1] See also Cybersecurity & Infrastructure Agency, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (Aug. 2021), (encouraging organizations to adopt a “heightened state of awareness” and implement certain recommendations to reduce risk of ransomware attacks).

[2] See California Civil Code section 1798.82.

Read full article

The Department of Justice (“DOJ”) Continues its Medicare Advantage (“MA”) Enforcement Efforts with a $90 Million Dollar Settlement Against Downstream Provider Sutter Health

On August 30, 2021, the DOJ announced a $90 million dollar settlement with Sutter Health and affiliates[1] (“Sutter Health”) to settle False Claims Act (“FCA”) allegations brought by qui tam relator, Kathy Ormsby, related to the Center for Medicare & Medicaid Services’ (“CMS”) MA Program.[2] Sutter Health elected to settle with DOJ and the relator without an admission of liability. As part of the Settlement Agreement, the Office of Inspector General (“OIG”) required Sutter Health to enter into a Corporate Integrity Agreement.

Read full article

Paid leave rights once again front and center as COVID variants spike

As students across the country are returning to the classroom, the spike in the COVID Delta variant is reigniting the conversation about a need for paid sick leave for working parents who are forced to deal with school closures.

Working parents face a very uncertain future with regard to their leave rights as COVID and its variants pose a real threat to require home schooled learning yet again, as recently reported by Bloomberg Law. In fact, at the time of publishing, several states are already implementing school shut-downs related to COVID and its variants, including Arizona, Florida, Georgia, Illinois, Texas, and Virginia. Read more…

Read full article

Vaccine mandates: The final blow for nursing homes?

In an effort to quell the recent spike in COVID-19 cases and hospitalizations, President Biden has announced a series of new measures that seek to bolster the United States’ healthcare and financial response to the virus. In addition to recommending vaccine booster shots, the measures include new regulations requiring all employees of nursing homes to be fully vaccinated for COVID-19 if such nursing homes participate in the Medicare and Medicaid programs. While the logic of requiring health care workers who engage with those most vulnerable to COVID-19 has a clear appeal, the consequences of the new regulations could prove devastating for nursing homes. Read more…

Read full article


One of the most common questions employers are asking at this point in time during the pandemic is this: “Can we require our employees to be vaccinated before allowing them to return to work?” The answer has been this: “it depends“, followed by an explanation of human rights’ considerations, privacy considerations, health and safety considerations, etc. On August 13, 2021, the federal government made an announcement that suggests the pendulum might be swinging towards a “yes” on that question. On August 17, 2021, the provincial government made an announcement that suggests the same swing.

Read full article

Video: Vaccine Mandates, Mandate Bans, Wage and Hour Nomination Stalls – Employment Law This Week

As featured in #WorkforceWednesday:  This week, we look at how the COVID-19 Delta variant is shifting employer vaccination policies and how that shift is conflicting with regulations in some states.

The Shift to Mandatory Vaccinations

The Delta variant of COVID-19 is fueling another new chapter of the pandemic: mandates. Recent federal and state action is driving a trend toward employers mandating vaccines. Read more about state action in California and New Jersey.

Read full article

Employment Law Q&A: New CDC guidance for vaccinated employees

The Center for Disease Control (CDC) took many by surprise on May 13, 2021, by announcing that masks would no longer be required for vaccinated individuals in most settings. Faced with the rapid spread of the Delta variant across the country, on July 27, 2021, the CDC once again modified its masking guidance and reopened the debate over workplace masking. Understanding the CDC’s guidance will help employers as they consider their options. Read more…

Read full article

Florida Joins a Growing Number of States Requiring Licensure of Genetic Counselors

On June 21, 2021, Florida Governor Ron DeSantis signed into law a bill requiring genetic counselors to be licensed by the Florida Department of Health (“FLDOH”).  The new law, known as the Genetic Counseling Workforce Act (“GCWA”), became effective on July 1, 2021.  FLDOH has announced a 90 day enforcement moratorium to allow counselors time to become appropriately licensed in the State.  Florida now joins a growing number of states that regulate the work of genetic counselors.

Read full article