Colorado Issues New COVID-19 Directives & Guidance to ALRs

On March 23, 2020, the Colorado Department of Public Health & Environment (CDPHE) issued further Directives and Guidelines applicable to Assisted Living Residences (ALRs).

CDPHE Letter Regarding ALR Visitation Requirements:

  1. Home health and hospice workers operating under physician’s orders may be essential visitors, as considered on a case-by-case basis with the resident’s physician.
  2. All visitors permitted after screening must perform hand hygiene, use Personal Protective Equipment (PPE), and restrict their visit to the resident’s room or other designated location.
  3. Essential visitors entering under compassionate care situations or as vendors must be screened and then also limited to a specific room.

CDPHE Directives and Guidelines also highlight the following:

  1. If a resident has a suspected COVID-19 case:  Consider telehealth or nurseline options instead of calling EMS.  In Colorado, telehealth is covered by all insurance plans.  Services are available here.
  2. For people experiencing COVID-19  symptoms:  Not everyone with symptoms needs to be immediately tested, but if the resident has mild symptoms, isolate the resident and avoid unnecessary contact until he/she: (1) has had no fever for at least 72 hours; (2) other symptoms have improved; and (3) at least 7 days have elapsed since the symptoms first appeared.   Increased precautions and directives are provided for residents with more serious or sever symptoms.
  3. Communities who are aware of a resident with COVID-19:  Report the case to the county public health agency.  Log other individuals who interacted with the afflicted resident and be able to report all staff who had interactions. 
  4. Resident Rights:  There is a right to personal and community engagement and residences may not restrict a resident from leaving unless living in a locked and secure environment.  However, strongly encourage residents to stay-in-place and screen returning residents.  Gordon & Rees attorneys advise that for those Communities in Denver, residents must be educated about and comply with the Stay at Home Order issued on March 23, 2020 and revised on March 24, 2020.
  5. Infection Control Practices:  Re-train all staff on infection control policies and reinforce hygiene directives.
  6. Stimulating Self-Isolating Residents:  Consider alternate communication methods with technology and provide other activities.  Make routine, safe-distance checks on isolated residents.

Visit our COVID-19 Hub for ongoing updates.

Denver Ordered to Stay Home, Certain Healthcare Operations Excluded

On March 23, 2020, Denver Public Health Administrator Robert McDonald issued a Stay at Home Order.  The Order requires all individuals in the City and County of Denver to stay at home, except for limited essential activities, including “Healthcare Operations.”  Individuals are permitted to leave their homes to both work at and obtain services from these Healthcare Operations.

The Order provides the following list of examples of Healthcare Operation, but notes the term will be construed broadly to avoid any impacts to the delivery of healthcare.  Finally, health clubs, fitness and exercise gyms, and similar facilities are not included in the exemption.

Healthcare Operations:

  • Hospitals, clinics, and walk-in health facilities;
  • Medical and dental care, excluding elective procedures;
  • Research and laboratory services;
  • Medical wholesale and distribution;
  • Home health care companies, workers, and aides;
  • Pharmacies;
  • Pharmaceutical and biotechnology companies;
  • Behavioral health care providers;
  • Nursing homes, residential health care, or congregate care facilities;
  • Medical supplies and equipment manufacturers and providers, or any related and/or ancillary healthcare services;
  • Veterinary care, livestock services, and all healthcare services provided to animals; and
  • Animal shelters and pet boarding services.

Visit our COVID-19 Hub for ongoing updates.

CMS Updates Guidance for Visitation in Nursing Homes

On Friday, March 13, 2020, Centers for Medicare & Medicaid Services (CMS) again revised its guidance for infection control and prevention of COVID-19 in nursing homes – this time to include guidance for visitation.

The new guidance applies to all facilities nationwide and calls for a restriction on visitation of all visitors and non-essential health care personnel. If a state issues a more restrictive ban, a surveyor cannot cite the facility for noncompliance with visitation requirements when complying with heightened state orders. Facilities should notify all potential visitors to defer visitation through signage posted at entrances/exits, letters, emails, phone calls, recorded messages, and other means by which the facility normally communicates.

Exceptions to the Restriction

1. Cases of compassionate care or end-of-life

These visits are to be evaluated on a case-by-case basis. Before a visitor is permitted into the facility, they must undergo careful screening for symptoms of respiratory illness including fever, cough, shortness of breath, or sore throat. If the potential visitor has any of these symptoms, they should not be allowed in the facility at any time.

If the visitor is permitted, facilities must require the visitor to frequently perform hand hygiene and use personal protective equipment, including a facemask. The visit should be limited to a specific room. This could either be the resident’s own room or another room designated by the facility.

2. Health care workers

Health care workers are permitted into facilities given they meet the criteria outlined by the CDC here.

3. Surveyors

Surveyors must be allowed to enter, unless they are exhibiting symptoms of respiratory illness.

Monitoring after Visitation

Facilities should advise any individual who is allowed in the facility to monitor themselves for symptoms of respiratory infection for at least 14 days and, if symptoms occur, to:

  • self-isolate at home;
  • contact their healthcare provider; and
  • immediately notify the facility with details of their visit such as the date of visit, who they were in contact with, and the locations within the facility they visited.

Facilities should the immediately screen the individuals of reported contact and take appropriate actions.

Additional Updated Guidance

CMS added some general additional guidance for infection control, such as:

1. Canceling communal dining and group activities;

2. Implementing active screening of residents and staff for symptoms of respiratory illness;

3. Reminding residents of proper hand hygiene and social distancing;

4. Screening staff for and documenting symptoms of respiratory illness at the beginning of each shift;

5. If staff work at multiple facilities, actively screen and restrict appropriately so illness is not spread between facilities; and

6. Restricting access to the Ombudsman program per the guidelines above, but allowing review on a case-by-case basis.

See CMS Guidance for Infection Control and Prevention of COVID-19 in Nursing Homes (REVISED).

Colorado State Health Department Issues Orders Restricting Visitors in Skilled Nursing, Assisted Living, and Intermediate Care Facilities

On March 12, 2020, The Colorado Department Public Health and Environment (CDPHE) issued emergency orders to prevent further spread of COVID-19. The order requires all Colorado licensed or certified skilled nursing facilities, intermediate care facilities and assisted living residences to implement the following restrictions and requirements regarding visitors to these facilities:

Screening, limiting and restricting visitors

1. Follow the revised CMS guidelines on restricting visitorson restricting visitors, even though the facility (e.g., ALRs) may not be subject to CMS certification. Gordon & Rees has concurrently published a bulletin on these guidelines here.

2. Restrict visitation of non-essential individuals. Facilities should post signage with the essential individual visitor policy. Essential visitors include vendors providing necessary supplies or services and individuals necessary for a resident’s physical and mental health.

3. Before allowing entry, screen all essential individuals before they enter the facility. Facilities should limit the number of essential individuals who enter the building. Facilities are required to document all screenings with this CDPHE form. These forms must be retained indefinitely and must be provided to CDPHE when requested.

4. After entry, facilities should implement limits within the facility. This includes:

  • Using personal protective equipment, including a gown, gloves, and a mask;
  • Limiting movement to the resident’s room;
  • Limiting surfaces touched;
  • Limiting physical contact; and
  • Limiting the number of visitors to only two essential visitors per resident at a time.

Gordon & Rees counsel have confirmed with State authorities that the Order does not give facilities discretion to require some, but not all, essential individuals entering the building to wear PPE. Even though resident interaction may be limited for certain visitors, the Order still requires PPE for all visitors entering the facility. The Colorado Department of Public Health & Environment has indicated that, when PPE is not available, facilities should contact their local/county health departments to determine if there is PPE available for distribution.

Gordon & Rees counsel also recommend requiring outside home health, hospice and or therapy contractors to supply their own PPE when entering the facility.

5. If there is a suspected, presumptive, or confirmed case of COVID-19 the facility must:

a. Contact and notify the county public health agency and CDPHE;

b. Identify and maintain a log of visitors and staff who interacted with the infected individual and their environment; and

c. Restrict visitation to and all group activities within the facility.

Provide alternative means of communication

Facilities must provide residents and family with alternate means of communication, phone calls, Facetime, email, etc., when restricting visitation. A staff member should be assigned as a primary contact for each resident. This person should be the contact point for incoming calls as well as provide regular updates via outbound calls. Facilities should set a phone line recording, updated daily, concerning the facility operation and visitation status.

Revise polices concerning third parties

Facilities should also review their interactions with third parties and revise related policies to ensure the best practices are in place to prevent transmission of COVID-19.

Gordon & Rees counsel are continually monitoring the rapidly evolving nature of State and Federal guidance. We are here to assist with the development of compliant policies, while understanding the continuing need to promote patient care and operational objectives during these difficult times.

See Notice of Public Health Order 20-20.

CDC COCA Issues Update on COVID-19 for Clinicians & Healthcare Facilities

On March 5, 2020, the CDC Clinician Outreach and Communication Activity (COCA), a resource for emergency health professionals, hosted a call updating clinicians on preparing for COVID-19, or coronavirus. Healthcare settings, including skilled nursing and long-term care facilities, are some of the areas of greatest concern. Below is a summary of COCA’s best practices when addressing COVID-19 in a healthcare setting:

1) Identifying persons under investigation

As of yesterday, the criteria for evaluation of persons under investigation was expanded to a wider group of symptomatic patients. Clinicians should look to possible symptoms of COVID-19, such as fever, cough, and difficulty breathing, in determining if the patient should then be tested. Influenza should also be considered during testing and co-infection is possible. Testing of healthcare personnel should be considered if they have been exposed to an individual with a suspected case of COVID-19 or they exhibit even mild symptoms of COVID-19.

2) Applying infection prevention and control measures

While the CDC has learned a lot about COVID-19, there is still a great deal that is unknown. The best way to protect residents, visitors, and staff is to rely on the infection control measures already in place. This includes standard precautions, such as washing hands and disinfecting surfaces. Facilities should also take an aggressive approach to diagnosing individuals showing signs of any respiratory infection and place them in isolation where possible.

3) Assessing risks for exposures

It is currently optional, not mandatory, for facilities to verify absence of fever and respiratory symptoms when healthcare personnel report to work. Risk exposure should focus on source control, use of personal protective equipment (PPE), and the degree of contact with the resident. Healthcare providers are also advised to inform their employers if they have travel or community related exposure.

4) Optimizing the use of personal protective equipment supplies

The CDC anticipates an increased demand for N95 masks. Facilities should optimize the use of these masks by, for example, limiting them to use in symptomatic residents and using expired masks during training. The FDA has also issued an emergency use authorization for the use of certain other masks in healthcare settings. See Letter of Authorization and NIOSH-approved FFRs.

5) Managing and caring for patients (inpatient and at home)

If a resident is either a person under investigation or a confirmed case, provide supplies and a garbage bin outside the door of the resident’s room. Post signage on the door clearly describing the infection control precautions to be taken. A facility may also limit exposure by designating and training certain individuals, or a team, to care for persons under investigation or confirmed cases.

Stay Updated:

Looking for information related to a specific state? Contact the authors for more information.

See also: CDC Issues Update on COVID-19 Response: Precautions in Healthcare Facilities (March 4, 2020)

CDC Issues Update on COVID-19 Response

On March 3, 2020, Nancy Messonnier, MD, Director for the National Center for Immunization and Respiratory Diseases at the Center for Disease Control (“CDC”), held a medical telebriefing on COVID-19, commonly known as coronavirus disease. She reported confirmed cases in 12 states. While the CDC, at a national level, and state health departments, on a local level, are taking steps to contain and reduce the spread of COVID-19, she highlighted the importance of informed clinicians in batting the spread of the virus. Here are some recommended actions to prevent the spread of the virus.

Precautions in Healthcare Facilities:

  1. Review Infection Control Policies with Employees and Visitors
    Strictly adhere to all facility policies concerning minimizing exposure to respiratory pathogens. For example, wearing personal protective equipment, such as masks, gloves and eyewear, utilizing airborne infection isolation rooms when possible, and isolating patients when necessary.
  2. Employee and Visitor Screening and Access
    Strictly adhere to all facility policies concerning monitoring who is entering the facility. Including asking family members about travel, cold symptoms, maintaining an accurate sign-in log, and restricting certain visitors. While public health facilities are required by regulations to accept visitors, there are generally exceptions to this when it comes to the health and safety of patients. Be sure to discuss changes to visitor polices with patients as part of their service and care plans. Facilitate alternatives to in-person visitations, such as phone calls, Facetime, and text messaging. Consider blanket prohibitions on visitors if the facility is located in an area with known cases of COVID-19.
  3. Supply Items for Basic Hygiene
    Ensure there are tissues, hand sanitizer, soap, and respiratory masks for the residents, staff, providers, and visitors throughout the facility.
  4. Educate
    Educate residents, staff, providers, and visitors on the individual actions to reduce spread and impact. Posting signs with these recommendations is encouraged. Provide advance warning that access to the facility may be restricted on short notice.
  5. Stay Informed and Communicate
    It is important for providers to be in close contact with state and local health department to understand the precautions being taken at the local level. This also includes reporting any cases to the local health departments as necessary. Consider reaching out to state and local regulatory agencies to inquire whether they have more specific guidance.

Stay Informed

Candor in Colorado: New Statutory Protections for Communications About Adverse Health Care Incidents

On Monday, July 1, 2019, Colorado’s Candor Act will go into effect, making it one of four states in the U.S. to adopt such a law. The Candor Act establishes a process for keeping communications between a patient and health care provider or health facility privileged following an adverse health care incident. Described as an “Open Discussion,” this process allows health care providers or health facilities to communicate with patients and families about a patient’s physical injury or death, conduct an investigation into a health care incident, and if appropriate, provide an offer of compensation because of the physical injury or death. If the statute’s steps are followed, the communications, investigation, and offer of compensation are privileged, confidential, not subject to discovery or subpoena, and are inadmissible at trial, an arbitration hearing, or certain administrative proceedings.

To achieve this protection, requirements of the statute must be fulfilled. For instance, the health care provider or health facility must notify the patient or her family of the intention to engage in an Open Discussion within 180 days after the provider knew about the incident. The patient must be advised of her rights to receive medical records, to have legal counsel if she chooses during the Open Discussion process, and to be notified of applicable limitation periods, among other requirements. If the patient agrees to participate in the Open Discussion, she must provide her agreement in writing.

As a condition of an offer of compensation, the provider or facility may require the patient to execute a release to resolve the health care incident. If the process is initiated properly by the provider, upon successful resolution and receipt of compensation, the event is not likely considered subject to certain reporting required by the Colorado Medical Board, Colorado Board of Nursing, other Colorado licensing boards, or the National Practitioner Data Bank. The law specifies that “candor compensation” is not considered a payment resulting from a written claim or demand for payment, a claim for purposes of reporting to a licensing board or insurance commissioner, or a payment resulting from a settlement, final judgment, administrative action or arbitration award.

Providers and facilities should be cautioned that the protections of the statute do not include certain materials not prepared specifically for an Open Discussion. When proceeding under this process, consult your legal counsel with expertise in the subject in order to ensure compliance with the nuances in the law and be advised of other risks. Providers and facilities should require all involved parties to sign documents as a condition of any compensation paid.

Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, will go into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Personal information is defined broadly under the new law to include a resident’s first name or first initial and last name (e.g., Jane Doe or J. Doe), in combination with one of the following: medical information; health insurance identification number; biometric data; social security number; student, military, or passport identification number; driver’s license number or identification card. Personal information also includes—even when not tied to a resident’s name—a resident’s username or email address with a password or a security question and answer that permits access to an online account, or an account number or credit/debit card number in combination with a security code, access code or password that permits access to an online account.

Business that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law. Additionally, businesses need to operationalize procedures designed to ensure that employees and third-party service providers are adhering to privacy policies, since mere “paper compliance” falls short of protecting from the risk and exposure attendant to a breach.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more or 1000 residents or more, businesses must notify the Colorado Attorney General and certain consumer reporting agencies, respectively.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA), C.R.S. §6-1-713, et seq., and potentially creates a private right of recourse against businesses who misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to treble (or triple) damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office of Civil Rights (OCR) for HIPAA violations should be cautionary. But, not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies, now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if adhering to such regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that the mandates of the various applicable laws are reconciled against each other. For example, Colorado’s breach notification provision indicates that the time period for notice to affected individuals with the shortest timeframe will control. Healthcare entities which are typically subject to a HIPAA’s 60-day notification requirement need to implement measures to comply with the shortened period under Colorado law.


Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. A thorough risk analysis of the type of data maintained should be completed. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked.  Physical security controls should be identified and regularly reinforced.
  2. Employees must be routinely trained in data privacy and security policies and procedures. Handbooks should be updated and it is a good idea to asses whether to require nondisclosure and confidentiality agreements. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for all employees accessing the sensitive information, especially for departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain reasonable assurances of compliance with the new law. Contractual documents should reflect vendors’ obligation to adhere to data maintenance, destruction and breach notification policies so that a coordinated and rapid response to a security incident is set in motion.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification measures.


The U.S. Department of Health and Human Services (HHS) recently announced that it is seeking comments regarding potential changes in HIPAA and 42 CFR Part 2,1 with the indication that action to reform the rules will be taken to ease the regulatory burden on the healthcare sector and coordinate better care at a lower cost. These efforts, however, must be juxtaposed with HHS’s continued aggressive enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules2 and many States’ efforts to enact their own heightened data security and breach laws.3

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.

1 42 CFR Part 2 is a federal privacy law governing the confidentiality for individuals seeking treatment for substance use disorders from federally assisted programs.
2 Of note is a recent ruling by a HHS Administrative Law Judge upholding $4.3 million in civil monetary penalties after The University of Texas MD Anderson Cancer Center reported three separate data breaches involving an unencrypted laptop and USB drives.
3 The California legislature’s recent passage of a sweeping consumer privacy law is just one such example.

Colorado Voters Approves “End of Life Options” Measure

On November 9, 2016, Colorado voters approved Proposition 106, the “End of Life Options” measure. Modeled after Oregon’s “Dignity in Death” law, it allows a Colorado resident who is terminally ill to seek a prescription for a lethal dose of medication if two doctors certify that the resident is mentally competent and has less than six months to live. The detailed act consists of 23 separate statutes, and it addresses a number of issues that may raise important questions for health care providers. For example, under Section 118 of the law, health care facilities (specifically including long term care facilities) are expressly permitted to bar employed or contracted physicians from writing a prescription for the terminal medication; obviously, health care facilities will need to decide whether – and how – their physicians will be allowed to participate in the right-to-die process. Look for updates from Gordon & Rees on key factors that health care providers must consider in upcoming weeks. The law is scheduled to become effective in the next month.

To read Proposition 106, the “End of Life Options” measure, please click here.


Effective November 28, 2016, long-term care facilities that participate in Medicare and Medicaid will no longer be able to enter into “pre-dispute” agreements for binding arbitration with their residents.  The Centers for Medicare & Medicaid Services (CMS) issued the final rule on September 28, 2016, after consideration of extensive comments from key stakeholders in the long-term care community regarding proposed revisions.

Under the rule, a facility can ask a resident or a resident’s representative to enter into an arbitration agreement after a dispute arises.  However, the facility must comply with several requirements, such as ensuring that the agreement provides for the selection of a neutral arbitrator and a venue convenient to both parties.  Further, a resident’s right to remain in the facility cannot be contingent upon entering into the arbitration agreement and the agreement cannot contain language that discourages communications with federal, state or local surveyors and other officials.

As one of the more controversial changes, critics of the new arbitration rule have reacted strongly against the change and have commented that this part of the rule “clearly exceeds” CMS’s statutory authority.  In its response to public comments, CMS explains that the Secretary of Health and Human Services has the authority to administer the program under the Social Security Act by setting general practice parameters for payment under Medicare and Medicaid.  CMS further cites to its authority to promulgate regulations for residents’ health, safety and well-being and states that there is “significant evidence that pre-dispute arbitration agreements have a deleterious impact on the quality of care for Medicare and Medicaid patients.”  Nevertheless, there are several legal bases upon which to challenge the agency’s ability to preclude an arbitration agreement.

While CMS’s comments cite to a resident’s waiver of the right to a jury trial as a major factor considered in its decision to disallow pre-dispute arbitration agreements, the final rule does not expressly preclude jury trial waiver provisions within facility admissions agreements.  Jury waivers may help to address runaway verdicts that have become a concern in negligence cases in past years, while still respecting expressed concerns that arbitration presents undue costs to residents and creates an environment of “secrecy.”  Note that state law may vary on whether such waivers are enforceable.

Also remarkable is CMS’s comment that it will not address waiver of class-action litigation in this rule, but rather reserve the issue for consideration during future rulemaking.

The broad-sweeping final rule also contains several other provisions that directly affect compliance programs, training of nursing staff, updating infection and control programs, and other key requirements that long-term care facilities must comply with in order to participate in the Medicare and Medicaid programs.  It is advisable for long-term care facilities to promptly consult with a knowledgeable healthcare attorney to assess modifications to admissions packets and to otherwise establish the framework necessary to comply with the revised Requirements of Participation.