[UPDATE, Nov. 18, 2021: The CMS Interim Final Rule Has Been Challenged in Two Federal Courts. Read more here.]

On November 4, 2021, the Centers for Medicare and Medicaid Services (CMS) issued an interim final rule (the “Rule”) requiring COVID-19 vaccination for staff at Medicare- and Medicaid-certified providers and suppliers.  The Rule became effective on November 5, 2021.

The following summarizes the Rule’s requirements and provides guidance on how covered employers should proceed in light of this broadly sweeping, immediately effective regulation.

The Rule’s Applicability: Providers and Suppliers

The Rule requires full COVID-19 vaccination by January 4, 2022, of covered staff at health care facilities that participate in Medicare and Medicaid programs.  This includes Medicare- and Medicaid-certified providers and suppliers (hereinafter “covered facilities”), such as:

  • ambulatory surgical centers;
  • hospices;
  • Programs of All-Inclusive Care for the Elderly (PACE);
  • hospitals (e.g., acute care hospitals, psychiatric hospitals, hospital swing beds, long term care hospitals, children’s hospitals, transplant centers, cancer hospitals, and rehabilitation hospitals/inpatient rehabilitation facilities);
  • long-term care facilities (including Skilled Nursing Facilities, otherwise referred as nursing homes);
  • psychiatric treatment facilities;
  • intermediate care facilities for individuals with intellectual disabilities;
  • home health agencies;
  • comprehensive outpatient rehabilitation facilities;
  • critical access hospitals;
  • clinics (rehabilitation agencies, and public health agencies as providers of outpatient physical therapy and speech-language pathology services);
  • community mental health centers;
  • home infusion therapy suppliers;
  • rural health clinics/federally qualified health centers; and
  • end-stage renal disease facilities.

The Rule does not apply to other health care facilities or entities that participate in the Medicare and Medicaid programs, such as physician offices.  However, those facilities or entities not subject to CMS’s Rule may be subject to OSHA’s Emergency Temporary Standard (ETS), effective on November 5, 2021.

Covered Individuals

The Rule applies to staff of the aforementioned covered facilities, regardless of whether their positions are clinical or non-clinical, and includes employees, licensed practitioners, students, trainees, and even volunteers.  It also includes individuals who provide treatment or other services for the facility under contract or other arrangements, such as independent contractors.  For example, the Rule provides that a crew working on a construction project whose members use shared facilities (e.g., restrooms, cafeteria, or break rooms) during their breaks would be subject to the Rule’s requirements.  Conversely, a plumber performing an emergency repair in an empty restroom or service area who correctly wears a mask will not be subject to the Rule’s vaccination requirement. 

The Rule also applies to staff providing services remotely via telework that occasionally encounter fellow staff.  Thus, any individual that performs their duties at any site of care, or has the potential to have contact with anyone at the site of care, including staff or patients, must be fully vaccinated, unless eligible for a reasonable accommodation, discussed below.  However, the Rule does not apply to staff who telework full-time—that is, 100% remotely—for example, employees that provide remote telehealth or payroll services. 

In sum, health care facilities and entities should consider the following factors in determining whether staff must be vaccinated against COVID-19: the presence of the individual on site; the services provided by the individual; and the proximity of the individual to patients and staff. 

Important Dates

Under the Rule, all eligible staff must receive their first dose of a two-dose primary vaccination series by December 5, 2021, prior to providing any care, treatment, or other services.  All eligible staff must be fully vaccinated, as defined below, by January 4, 2022, unless exempted by federal law (which is consistent with the requirement of the OSHA ETS).

Definition of “Fully Vaccinated”

An individual is considered “fully vaccinated” for COVID-19 under the CDC’s guidance 14 days after receipt of a single-dose vaccine (Janssen/Johnson & Johnson) or the second dose of a two-dose primary vaccination series (Pfizer-BioNTech/Comirnaty or Moderna).  At this time, the definition of “fully vaccinated” does not include authorized boosters.

No Testing Opt-Out

Under the Rule, there is no opt-out test option available to covered employees.  Thus, unless an individual qualifies for an exemption because of a disability, medical condition, or sincerely held religious belief, practice, or observance, as defined by federal law and on which we reported, vaccination against COVID-19 is mandatory.  In this respect, the Rule more closely resembles the requirements of Executive Order 14042 (reports can be found here and here), rather than the new OSHA ETS. 

Proof of Vaccination Status

Employers should promptly notify their staff of their obligations under the Rule.  This means ensuring that individuals are timely notified of their obligation to receive their first dose of a two-dose vaccination against COVID-19 by December 5, 2021, and to be fully vaccinated by January 4, 2022.   

To ensure individuals are vaccinated in compliance with the Rule, providers and suppliers must track and securely document the vaccination status of each staff member, including those for whom there is an excused temporary delay in vaccination, due to, for example, recent receipt of monoclonal antibodies or convalescent plasma.  Furthermore, any vaccine exemption requests and outcomes must also be documented. 

Employers must keep all medical records, including vaccine documentation, confidential and secure.  Suppliers and providers must keep personnel files and medical files separately.  Appropriate places to maintain staff vaccine documentation include a facilities immunization record, health information files, or other relevant locations.  Acceptable forms of proof of vaccination include: (1) a CDC COVID-19 vaccination record card (or a legible photo of the card); (2) documentation of vaccination from a health care provider or electronic health record; or (3) a state immunization information system record.  If an individual is vaccinated outside of the U.S., a reasonable equivalent of any of the previous examples is sufficient. 

Policies and Procedures

Employers must update their policies and procedures to ensure that they contain:

  • A process for ensuring that covered staff (except for those who have pending requests for, or who have been granted, exemptions to the vaccination requirement) have timely received their COVID-19 vaccinations by the aforementioned dates;
  • A process to mitigate the transmission and spread of COVID-19 (including the implementation of additional precautions for staff who are not fully vaccinated for COVID-19);
  • An application process for exemptions based on federal law and a process documenting the information used in the exemption application;
  • A process to confirm that medical exemption documentation is from licensed practitioners and contains information specifying which COVID-19 vaccines are clinically inadvisable for the staff member and the recognized clinical reasons for the conclusion;
  • Documentation of the vaccination status of covered staff for whom COVID-19 must be temporarily delayed (e.g., individuals who received monoclonal antibodies or convalescent plasma for COVID-19 treatment); and
  • Contingency plans for staff who are not fully vaccinated for COVID-19.

CMS Enforcement Mechanisms

Compliance with the Rule will be ensured through established state surveyors, who will review the covered entity’s records of staff vaccinations.  Surveyors may also conduct interviews with staff to verify their vaccination status.  Furthermore, surveyors will review the providers’ or suppliers’ policies and procedures to ensure each component of the Rule has been addressed.

Surveyors will cite non-compliant providers or suppliers and will provide an opportunity to return to compliance before additional actions occur.  Where there is a determination of lack of compliance, the Rule states that CMS will use its full enforcement authority to protect the health and safety of patients.  This includes imposing remedies such as civil money penalties, denial of payment for new admissions, or termination of the Medicare/Medicaid provider agreement.  Nonetheless, the Rule clearly articulates a preference for voluntary compliance.

What Employers Should Do Now

Employers should first determine whether the Rule applies to their entity, and if so, to which particular staff it applies.  As noted above, the Rule encompasses a broad range of providers and suppliers, and covers most staff who interact or encounter other staff or patients.  Fully remote workers are not covered by the Rule.

Employers must update their policies and procedures to ensure compliance with the Rule’s mandates.  This means ensuring that individuals are timely notified of the timeline for required vaccinations.  This also requires all reasonable efforts to assure that staff are actually vaccinated by the said dates. 

Employers should also begin the exemption application process before December 5, 2021, so that they have ample time to review the exemption application, have any appropriate interactive process discussions, and make a determination.  Medical exemptions or accommodation requests must be handled in accordance with the Rule’s guidance listed in the Policies and Procedures section above.  Religious accommodation requests should be addressed as per EEOC’s guidance, as noted above.  In granting any exemption or accommodation, employers are urged to ensure that they minimize the risk of transmission of COVID-19 to at-risk individuals, and in keeping with their obligation to protect the health and safety of patients and coworkers.  

In sum, employers must act quickly to ensure compliance with the Rule or face penalties by CMS.  The Rule is intended to sweep broadly as a requirement for those not only on the front lines of treating patients, but also to those with only occasional patient or colleague contact.  If you are unsure whether your entity falls within the broad scope of the Rule, or you have any other questions about the Rule and its implementation, please reach out to an Epstein Becker Green attorney as soon as possible. 

* * *

This Insight was authored by Susan Gross Sholinsky, Frank C. Morris, Jr., Arthur J. Fried, Nathaniel M. Glasser, Vidaur Durazo, and Kamil Gajda.* For additional information, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.

*Kamil Gajda, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this post.

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.