The New Jersey Department of Health (the “Department”) recently finalized regulations initially proposed in April 2020 that will now require all telehealth organizations providing telemedicine services to patients located in New Jersey to register their business with the Department before October 15, 2021, and annually thereafter. In addition to annual registrations, telehealth companies will also be required to submit annual reports on activity and encounter data.
As we wrote in our last Marijuana Legalization Rundown, state legislatures across the country have been busy enacting cannabis legalization laws this year. Along with those laws have come a number of recent court decisions interpreting the application of cannabis legalization laws. This post summarizes some of the significant decisions issued this year.
Supreme Court: Completion of CIRP within 330 days, Submitted Resolution Plan cannot be modified by the Resolution Applicant
The Hon’ble Supreme Court of India in the matter of Ebix Singapore Private Limited vs Committee of Creditors (“CoC”) of Educomp Solutions Limited held that the corporate insolvency resolution process (“CIRP”) has to be completed within a mandatory time frame, i.e., within a period of 330 days as provided under the Insolvency and Bankruptcy Code, 2016 (“IBC”).
Novel Massachusetts Decision Finds Waiver of Right to Compel Arbitration Based on Pre-Litigation Actions
Many employers are aware that they could waive the ability to enforce an arbitration agreement if they delay moving to compel arbitration until after they have engaged in significant litigation activities in court, such as filing a motion to dismiss or serving discovery requests. However, in Hernandez v. Universal Protection Services, a Massachusetts Superior Court judge found that an employer waived its right to compel arbitration based on its actions before an employee filed suit in court. As Hernandez is novel and significant, employers may want to consider adopting practices to remind employees of their arbitration agreements when it appears that litigation is likely.
California Appellate Decision Recognizing Manageability Requirements for PAGA Actions May Provide Much Needed Relief to Employers
It is no secret that the Private Attorneys General Act (“PAGA”) has been a cash cow for plaintiffs’ counsel in California.
PAGA allows a single employee (and their counsel) to file suit on behalf of other employees for alleged Labor Code violations, without having to go through the class action mechanism. In other words, a PAGA plaintiff can file suit seeking penalties for hundreds or thousands of employees, yet never need to show that there are common issues susceptible to common proof – or even that their own claims are typical of those of other employees.
By Nick Krnjevic, from our Insurance Law Practice Group
September 10, 2021 — On September 8, 2021, the Quebec Minister of Finance published in Part 2 of the Official Gazette of Quebec a draft of the regulation [Draft Regulation] that specifies the categories of insurance contracts, and insured parties, that may derogate, in part, from the rules set out in articles 2500 and 2503 of the Civil Code of Quebec [CCQ].
Quebec has always been distinct in that the costs associated with the duty to defend are over and above the policy limits. The draft regulation will allow an insurer to deviate from this in certain circumstances.
Proposed Massachusetts Law Classifying App-Based Drivers as Independent Contractors Clears First Step of Ballot Initiative Process
On September 1, 2021, Massachusetts Attorney General Maura Healey approved two versions of a ballot initiative (version 1, version 2) concerning the relationship between app-based drivers (such as those who transport passengers or deliver food) and the companies with which they contract. If passed, the ballot initiative will enact the Relationship Between Network Companies and App-Based Drivers Act (the “Act”) and classify such drivers as independent contractors, not employees. It will also require ride-sharing and food-delivery companies to provide them with certain benefits.
On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Agency, the Department of Justice, and the Federal Bureau of Investigation, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics on the healthcare sector.
The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and servers to block access to a network until a “ransom” is paid. Oftentimes, it may not be immediately clear whether protected health information has been compromised following a ransomware attack, though providers should treat a successful attack as a presumed breach, thereby triggering the requirement to conduct an internal breach investigation under the federal Health Information Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, who then notifies the general public.
Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate against ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. CCPA guidance issued in 2016 recommended that California companies implement the twenty data security controls published by the Center for Internet Security to provide reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement in order to protect their data systems from cyberattacks:
- keep all operating systems and software housing health data current with the latest security patches;
- install and maintain virus protection software;
- provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
- restrict users from downloading, installing, and running unapproved software; and
- maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.
The failure to implement the aforementioned measures could render California providers vulnerable to liability.
Attorneys in Epstein, Becker & Green’s Privacy, Cybersecurity, and Data Asset Management practice group have extensive experience in advising healthcare providers how to protect against an increase in cybersecurity threats, conducting internal investigations in response to a presumed breach, notifying state and federal regulators in the event of a breach, and responding to government inquiries. For any questions about these or other related issues, contact the authors or your regular EBG Attorney.
Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.
 See also Cybersecurity & Infrastructure Agency, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (Aug. 2021), https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf (encouraging organizations to adopt a “heightened state of awareness” and implement certain recommendations to reduce risk of ransomware attacks).
 See California Civil Code section 1798.82.
As we previously reported, the American Rescue Plan Act of 2021 (ARPA) was signed into law on March 11, 2021, requiring, among other things, the Pension Benefit Guaranty Corporation (PBGC) to issue its implementing regulations by July 9, 2021. As promised, PBGC issued an interim final rule, 86 Fed. Reg. 36598 (July 12, 2021) (the IFR), on a major element of the rescue plan―the Special Financial Assistance Program (SFA)―intended to provide a one-time payment to the estimated 200 most financially troubled multiemployer pension plans to help them survive and pay pensions through 2051. These 200 plans are a subset of the total of approximately 1,400 multiemployer pension plans covered by the ERISA insurance program. The IRS simultaneously issued Notice 2021-38 to provide guidance on how the SFA impacts minimum funding, as well as the reinstatement of certain suspended benefits by plans that receive the SFA.
Many New York families employ domestic workers – individuals who care for a child, serve as a companion for a sick, convalescing or elderly person, or provide housekeeping or any other domestic service. They may be unaware of federal and New York requirements that guarantee those domestic workers minimum wage for all hours worked, paid meal breaks, and overtime compensation.
In addition, New York imposes specific requirements on employers regarding initial pay notices, pay frequency, and pay statements that also apply to persons who employ domestic workers.