COVID-19

Mental Health Telehealth Services May Not Be Protecting Your Data

Tessa Wright, MJLST Staffer

The COVID-19 pandemic changed much about our daily lives, and nowhere have those changes been more visible than in the healthcare industry. During the pandemic, there were overflowing emergency rooms coupled with doctor shortages.[1] In-person medical appointments were canceled, and non-emergency patients had to wait months for appointments.[2] In response, the use of telehealth services began to increase rapidly.[3] In fact, one 2020 study found that telehealth visits accounted for less than 1% of health visits prior to the pandemic and increased to as much as 80% of visits when the pandemic was at its peak.[4] And, while the use of telehealth services has decreased slightly in recent years, it seems as though it is likely here to stay. Nowhere has the use of telehealth services been more prevalent than in mental health services.[5] Indeed, as of 2022, telehealth still represented over 36% of outpatient mental health visits.[6] Moreover, a recent study found that since 2020, over one in three mental health outpatient visits have been delivered by telehealth.[7] And while this increased use in telehealth services has helped make mental health services more affordable and accessible to many Americans, this shift in the way healthcare is provided also comes with new legal concerns that have yet to be fully addressed.

Privacy Concerns for Healthcare Providers

One of the largest concerns surrounding the increased use of telehealth in mental health services is privacy. There are several reasons for this. The primary concern has been due to the fact that telehealth takes place over the phone or via personal computers. When using personal devices, it is nearly impossible to ensure HIPAA compliance. However, the majority of healthcare providers now offer telehealth options that connect directly to their private healthcare systems, which allows for more secure data transmission.[8] While there are still concerns surrounding this issue, these secure servers have helped mitigate much of the concern.[9]

Privacy Concerns with Mental Health Apps

The other privacy concern surrounding the use of telehealth services for mental health is a little more difficult to address. This concern comes from the increased use of mental health apps. Mental health apps are mobile apps that allow users to access online talk therapy and psychiatric care.[10] With the increased use of telehealth for mental health services, there has also been an increase in the use of these mental health apps. Americans are used to their private medical information being protected by the Health Insurance Portability and Accountability Act (HIPAA).[11] HIPAA is a federal law that creates privacy rules for our medical records and other individually identifiable health information during the flow of certain health care transactions.[12] But HIPAA wasn’t designed to handle modern technology.[13] The majority of mental health apps are not covered by HIPAA rules, meaning that these tech companies can sell the private health data from their apps to third parties, with or without consent.[14] In fact, a recent study that analyzed 578 mental health-related apps found that nearly half (44%) of the apps shared users’ personal health information with third parties.[15] This personal health information can include psychiatric diagnoses and medication prescriptions, as well as other identifiers including age, gender, ethnicity, religion, credit score, etc.[16]

In fact, according to a 2022 study, a popular therapy app, BetterHelp, was among the worst offenders in terms of privacy.[17] “BetterHelp has been caught in various controversies, including a ‘bait and switch’ scam where it advertised therapists that weren’t actually on its service, poor quality of care (including trying to provide gay clients with conversion therapy), and paying YouTube influencers if their fans sign up for therapy through the app.”[18]

An example of information that does get shared is the intake questionnaire.[19] An intake questionnaire needs to be filled out on BetterHelp, or other therapy apps, in order for the customer to be matched with a provider.[20] The answers to these intake questionnaires were specifically found to have been shared by BetterHelp with an analytics company, along with the approximate location and device of the user.[21]

Another example of the type of data that is shared is metadata.[22] BetterHelp can share information about how long someone uses the app, how long the therapy sessions are, how long someone spends sending messages on the app, what times someone logs into the app, what times someone sends a message or speaks to their therapists, the approximate location of the user, how often someone opens the app, and so on.[23] According to the ACLU, data brokers, Facebook, and Google were found to be among the recipients of other information shared from BetterHelp.[24]

It is also important to note that deleting an account may not remove all of your personal information, and there is no way of knowing what data will remain.[25] It remains unclear how long sensitive information that has been collected and retained could be available for use by the app.

What Solutions Are There?

The U.S. Department of Health and Human Services recently released updated guidance on HIPAA, confirming that the HIPAA Privacy Rule does not apply to most health apps because they are not “covered entities” under the law.[26]  Additionally, the FDA put out guidance saying that it is going to use its enforcement discretion when dealing with mental health apps.[27] This means that if the privacy risk seems to be low, the FDA is not going to enforce or chase these companies.[28]

Ultimately, if mental telehealth services are here to stay, HIPAA will need to be expanded to cover the currently unregulated field of mental health apps. HIPAA and state laws would need to be specifically amended to include digital app-based platforms as covered entities.[29] These mental health apps are offering telehealth services, similar to any healthcare provider that is covered by HIPAA. Knowledge that personal data is being shared so freely by mental health apps often leads to distrust, and due to those privacy concerns, many users have lost confidence in them. In the long run, regulatory oversight would increase the pressure on these companies to show that their service can be trusted, potentially increasing their success by growing their trust with the public as well.

Notes

[1] Gary Drenik, The Future of Telehealth in a Post-Pandemic World, Forbes, (Jun. 2, 2022), https://www.forbes.com/sites/garydrenik/2022/06/02/the-future-of-telehealth-in-a-post-pandemic-world/?sh=2ce7200526e1.

[2] Id.

[3] Id.

[4] Madjid Karimi, et. al., National Survey Trends in Telehealth Use in 2021: Disparities in Utilization and Audio vs. Video Services, Office of Health Policy (Feb. 1, 2022).

[5] Shreya Tewari, How to Navigate Mental Health Apps that May Share Your Data, ACLU (Sep. 28, 2022).

[6] Justin Lo, et. al., Telehealth has Played an Outsized Role Meeting Mental Health Needs During the Covid-19 Pandemic, Kaiser Family Foundation, (Mar. 15, 2022), https://www.kff.org/coronavirus-covid-19/issue-brief/telehealth-has-played-an-outsized-role-meeting-mental-health-needs-during-the-covid-19-pandemic/.

[7] Id.

[8] Supra note 1.

[9] Id.

[10] Heather Landi, With Consumers’ Health and Privacy on the Line, do Mental Wellness Apps Need More Oversight?, Fierce Healthcare, (Apr. 21, 2021), https://www.fiercehealthcare.com/tech/consumers-health-and-privacy-line-does-digital-mental-health-market-need-more-oversight.

[11] Peter Simons, Your Mental Health Information is for Sale, Mad in America, (Feb. 20, 2023), https://www.madinamerica.com/2023/02/mental-health-information-for-sale/.

[12] Supra note 5.

[13] Supra note 11.

[14] Id.

[15] Deb Gordon, Using a Mental Health App? New Study Says Your Data May Be Shared, Forbes, (Dec. 29, 2022), https://www.forbes.com/sites/debgordon/2022/12/29/using-a-mental-health-app-new-study-says-your-data-may-be-shared/?sh=fe47a5fcad2b.

[16] Id.

[17] Supra note 11.

[18] Id.

[19] Supra note 5.

[20] Id.

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] Supra note 5.

[26] Id.

[27] Supra note 10.

[28] Id.

[29] Supra note 11.


Who Has to Pay? Major Contractual Elements That Affect Which Party Bears the Cost of Supply Chain Delays and Price Increases in Construction Projects

Kristin Thompson, MJLST Staffer

As a result of the COVID-19 pandemic there have been supply chain issues occurring around the world, causing constant price increases and delivery delays for construction materials.[1] While there are numerous factors that will affect exactly where the expenses of those delays fall, this article briefly outlines the major contractual elements that will come into play when determining whether the contractor, subcontractor or owner bears the risk. The first question that should be asked when investigating COVID-19 related supply chain issues is, “what does the contract say?” However, my first area of analysis begins when the answer to that question is “we don’t have one yet.”

 

The contract is not yet executed

This is the first major element to be addressed: what point of the contractual process the parties are in. To be clear, once the contract and subcontracts are executed the parties must rely on contract remedies and their pricing structures for relief. However, if the contracts have not yet been executed the contractor and subcontractors still have the potential to push the risk onto the owner or devise an equitable way to share those risks. They can build the supply chain-related price increases and project delay costs into their estimates, putting the owner in the position to either accept the increased cost and timeline or forego the project. During this pre-execution process the contractors will largely either be bidding a cost plus guaranteed maximum price model (“GMP”) or a lump sum model.[2] Here the GMP is ideal as the contractor can build the increased costs into the contingency. The lump sum model will call for an upward adjustment to their estimated total costs to account for the increases, chancing that those estimates will be enough. After adjusting their price model, the contractor and subcontractors can then add contractual language specifically saying that they are allowed time extensions for any and all supply chain delays, define their force majeure clause as inclusive of a pandemic or epidemic, and include change in law provisions that cover mandates issued as a result of the COVID-19 pandemic.

 

The Contract is Executed

In this case, the parties will need to dive into their contract to see who bears the responsibility for extra costs and find out if they are able to extend their timelines without consequence. Issues relating to extra costs will be almost exclusively determined by whether or not a GMP or lump sum price model was used. Absent provisions stating otherwise, a GMP will allocate the extra costs to the owner up to the guaranteed maximum price as those costs come out of the contingency fee, while a lump sum contract will allocate them to the contractor as the costs will come out of the total bid price.[3] In the latter scenario, the contractor can then hold subcontractors to the price of their contract and make them bear their own price increases which would relieve the contractor from some of the extra cost burden. However, the contractor must keep in mind the reality in which a subcontractor would not be able to bear the extra costs and then either go out of business or refuse to perform. Legal action taken will either be futile if the subcontractor is insolvent, or expensive and time-consuming if they refuse to perform.

The parties then must determine whether or not schedule extensions resulting from supply chain issues are proper. This determination will largely be based on the force majeure clause and change in law provision located in the general conditions.

 

Force Majeure Clause

If the COVID-19 pandemic is found to be included as a force majeure event, the contractor will be allowed a time extension for the extra work relating thereto. Some contracts pre-dating the pandemic already used language relating to a pandemic or epidemic. The most regularly used form contracts, 200AIA.201-017[4] and ConsensusDocs 200[5],include broad force majeure provisions that have been read to include the pandemic.[6] The AIA provides for “other causes beyond contractors control,[7]” and the ConsensusDocs200 for “any cause beyond the control of constructor” and “epidemics.[8]” The specific delays must still be attributed to the pandemic, and proving causation will depend on the amount of proof the suppliers can provide to support that claim. The more challenging situations are those in which the contracts have narrow force majeure clauses or contain catch-all phrases.[9] Interpretation in these cases tend to be dependent on state law and vary widely.[10] If found to not include the pandemic, the contractor will not be guaranteed a time extension for delays and will be held to their original timeline absent other contractual provisions affording them an extension.

 

Changes in Law Provision

The final factor is whether the contract has a change of law provision. If so, executive orders or other changes of law related to the pandemic may allow for time extensions.[11] For instance, a delay in production because a factory producing specified windows had to cut their work force in half to stay in line with federal social distancing mandates would constitute a change in law allowing the contractor an extension while they wait for the windows. ConsensusDOCS 200 currently provides that “the contract price or contract time shall be equitably adjusted by change order for additional costs resulting from any changes in laws…[12]” thus laying out an avenue for relief for those party to a ConsensusDOCS 200 contract. Conversely, the AIA.201-2017 currently does not provide a change in law provision, taking away this option for the large number of contractors that use this form.

In sum, when viewing supply chain delays and expenses in an attempt to ascertain who bears the risk one should look to where the parties are at in their contractual process, the price model being used, the general conditions involved and the breadth of the force majeure and change in law provisions.

 

Notes

[1] Continued Increases In Construction Materials Prices Starting To Drive Up Price Of Construction Projects, As Supply-chain & Labor Woes Continue, The Associated General Contractors of America (November 9, 2021).

[2] Richard S. Reizen, Philip P. Piecuch, & Daniel E. Crowley, Practice Note, Construction Pricing Models – Choosing an Appropriate Pricing Arrangement, Gould + Ratner (2018).

[3] Joseph Clancy, How Do Guaranteed Maximum Price (GMP) Contracts Work?, Oracle (May 20, 2021).

[4] AIA Document 201-2017.

[5] ConsensusDOCS 200.

[6] Force Majeure Provisions: COVID-19, Sheet Metal and Air Conditioning Contractors’ National Association (June 3, 2021).

[7] AIA Document 201-2017 § 8.3.1.

[8] ConsensusDOCS 200 § 6.3.1.

[9] Douglas V. Bartman, Force Majeure in Construction and Real Estate Claims, American Bar Association (July 17, 2020).

[10] Id.

[11] Peter Hahn, Enough About Force Majeure! What Other Options Does a Construction Contractor Have for COVID-19 Pandemic Losses?, JDSupra (April 3, 2020).

[12] ConsensusDOCS 200 § 3.21.1


Employee Vaccine Mandates: So, Are We Doing This?

Kristin Thompson, MJLST Staffer

Rewind to the beginning of September. President Biden had just announced a generalized plan for addressing the alarmingly slow rise in vaccination rates in the United States. His disposition was serious as he pleaded with the American public to go out and get vaccinated. During this address he laid out several different measures that, conceivably, would lead to a higher national vaccination rate. Included in this plan was a vaccine requirement for all federal employees and government contractors. This sanction did not come as much of a surprise, as federal employees had previously been asked to provide proof of vaccination to avoid stringent safety protocols in the workplace. What was surprising, however, was President Biden’s plea to the Department of Labor to develop a federal vaccine mandate or required weekly COVID testing for private companies employing more than one hundred employees.

In the wake of this announcement came many different responses. On the one hand there were some private U.S. companies already enforcing vaccine policies who seemed unrattled by a potential new federal mandate, and there were some companies who viewed it as a welcome opportunity to implement a vaccine policy by means of a third-party enforcer. On the other hand there were companies who loathe any type of government interference in their business activity and policy implementation, and those who have been specifically opposed to a vaccine requirement and may have even made promises to their employees saying as much. Those companies who opposed a vaccine mandate, in light of this plea from President Biden, had to start making strategic decisions on how they would move forward if the Department of Labor heeded the president’s request.

The questions that came following President Biden’s address were the same regardless of the company’s personal view. Would a federal mandate be legal, would it be constitutional, and would it ever come? This uncertainty hung in the air while private companies, those with 101 employees and 5,000 employees alike, began to prepare. Draft mandatory vaccine policies were made, legal counsel was requested, and employees were advised. Now all that was left to do was wait for the Department of Labor’s cue.

Fast-forward to November. The Department of Labor’s Occupational Safety and Health Administration (OSHA) released an emergency temporary standard (ETS) in line with President Biden’s plan. The goal of this standard being “to minimize the risk of COVID-19 transmission in the workplace,” and to “protect unvaccinated employees of large workplaces.” This standard mandates that all employers with more than 100 employees, including private companies, must require their employees get vaccinated or undergo weekly COVID tests and wear face masks while at work. The standard does not apply to remote workers, workers who predominantly work outside, or employees who work without other co-workers present.

The questions that arose after the ETS was announced were similar to those asked by companies directly after President Biden’s address. Is this ETS legal, is it constitutional, and when will we have to be in compliance? The last question seems to be easily answered; all requirements except weekly testing for unvaccinated employees must be met by December 6th, 2021. The weekly testing policy for unvaccinated employees must begin by January 6th, 2022. However, the immediate onslaught of lawsuits attempting to prevent the ETS have made these straightforward dates seem somewhat arbitrary. Companies now face a unique set of issues prompting even more, new, questions. Do we actually have to be in compliance by December 5th? What effect will these lawsuits have on the ETS? Are we just supposed to wait and see?

Legally, the situation private companies face is complex. As of November 12th, the Fifth Circuit had issued and subsequently reaffirmed a stay on the standard, meaning companies did not have to comply with the mandate. At that time, the Fifth Circuit was the only court that had issued a stay, although there were lawsuits pending in eleven of the twelve circuit courts. What complicated this Fifth Circuit determination was the question of whether or not it covered all U.S. companies; if your company is based in another Circuits’ jurisdiction was this Fifth Circuit stay relevant? The current ruling enjoins OSHA from enforcing the ETS, so while the Fifth Circuit did not write on whether their holding extended outside of their jurisdiction, its practical effect was, and is, felt everywhere. So then, what comes next? How long will this stay last, and who should private companies be looking to in planning their next move?

The Fifth Circuits’ stay will last until one of two things occur. The first is multidistrict litigation, where all outstanding lawsuits brought against the ETS will be combined, and one decision will be rendered by the Circuit Court on whether or not the stay shall be enforced. The first step of this process has already begun; on Tuesday November 16th the Sixth Circuit Court was chosen via a lottery process to preside over the multidistrict litigation. The Sixth Court is based in Cincinnati, Ohio and typically leans conservative. While this proclivity does not necessarily mean that the ETS is doomed, it does suggest that President Biden may ask the Supreme Court to take over the case, preferring the Supreme Court Justices over the Sixth Circuit’s judges. This introduces the second way the stay may be addressed, by a Supreme Court ruling. This alternative can be triggered by either a plea from the federal government directly asking the Court to end the Fifth Circuits’ stay, or via an independent decision by the Supreme Court to pluck this consolidated lawsuit out the Sixth Circuits’ hands.

However, if the Supreme Court is not called upon and chooses not to pull the case up on their own, the Sixth Circuit will have the authority to either end, modify, or extend the Fifth Circuits’ current stay on the ETS. This leaves companies with a choice; will they wait and see how the Sixth Circuit, or maybe even the Supreme Court, rules on the stay? Will they wait to see if the stay is extended and the deadline for compliance is pushed back, or will they start implanting the mandate now in the event that the stay is extinguished and December 5th compliance is reinstated?

There is a chance that an extended stay will allow these companies to push off vaccine mandates. There is also a chance that the stay will be terminated before December 5th and all original compliance deadlines will be the same. Both of these alternatives are further complicated when paired with the uncertainty surrounding timing. If a company decides to run the risk and hope for an extended stay, and the Sixth Circuit court issues a retraction of the stay on December 3rd, companies may still be forced to observe the December 5th compliance date. However, if they decide to comply right now and the stay is extended, they may regret acting so quickly. In the end the mass amount of uncertainty surrounding the ETS and resulting litigation is creating many tough decisions for private employers. While the choice to comply with OSHA’s currently suspended ETS may not be mandatory right now, it’s obvious that a failure to act may put them far behind schedule for creating and implanting an effective vaccine mandate policy. That failure to act has the potential to end in high OSHA fines as well as general pushback from the public. In the end the decision on how to treat this paused ETS is up to each individual company, as will be any consequences stemming from that choice.