Photo of Conor Duffy

Conor Duffy is a member of Robinson+Cole's Health Law Group and the firm's Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, the False Claims Act, the Stark Law, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, state breach notification requirements, and other health care regulatory matters. Read his full rc.com bio here.

On November 4, 2021, the Centers for Medicare & Medicaid Services (CMS) issued heavily anticipated emergency regulations requiring COVID-19 vaccination of eligible staff at health care facilities that participate in the Medicare and Medicaid programs. CMS issued an Interim Final Rule (IFR) in response to the COVID-19 “Path out of the Pandemic” Action Plan announced by President Biden on September 9, 2021, that per CMS is intended to protect the health and safety of residents, patients and staff at health care facilities. See our previous analysis of the Plan here.

Below please find key takeaways regarding the new COVID-19 vaccination requirements for health care facilities and staff:
Continue Reading CMS Issues Emergency Regulation Requiring COVID-19 Vaccination for Health Care Facility Workers

On September 9, 2021 President Biden announced a COVID-19 Action Plan entitled “Path out of the Pandemic” (the “Plan”) which comprises a six-pronged national strategy aimed at combatting COVID-19. The Plan includes a number of important provisions related to health care, including implementation of COVID-19 vaccine requirements and an expansion of resources available for treatment of COVID-19. The Plan signals significant changes upcoming for health care organizations, their employees, and their patients.

The following summary addresses certain parts of the Plan with specific implications for health care, but please continue to check R+C blogs and legal updates for follow-up analysis of the specific guidance and rules that are released in furtherance of the Plan.
Continue Reading Biden COVID-19 Action Plan Expands Vaccine Mandates, Testing, and Treatment to Combat Spread of Virus

On August 19, 2021, Connecticut Governor Ned Lamont issued Executive Order No. 13C (the “Order”) to expand access to COVID-19 vaccination information for patients and providers (and school nurses) as public health authorities continue to promote vaccination efforts, implement recommendations for vaccine booster shots, and as schools adopt COVID-19 control measures for returning students and

On June 7, 2021, Connecticut Governor Ned Lamont signed into law Public Act 21-26 “An Act Concerning Various Revisions to the Public Health Statutes” (the “Act”). This Act makes notable changes to laws affecting hospital and health system practices, including the following:

Hospitals Required to Give Patients Option to Contact Family or other

In June 2021, the Centers for Medicare and Medicaid Services (CMS) issued a notable interpretation of the Physician Self-Referral Law (aka the Stark Law) in Advisory Opinion No. CMS-AO-2021-01 (Advisory Opinion) regarding whether a physician practice can furnish designated health services (DHS) through a wholly-owned subsidiary and still qualify as a group practice (as defined under the Physician Self-Referral Law) for purposes of compliance with various Physician Self-Referral Law exceptions.
Continue Reading CMS Issues Advisory Opinion Clarifying Physician Self-Referral Law Group Practice Structure

Below is an excerpt of a contributed article co-authored with Robinson+Cole Business Litigation Group partner Seth Orkand published in Medical Economics on July 27, 2021.

How a hodgepodge of federal and state telehealth waivers creates compliance concerns for providers practicing across state lines.

In response to the devastating COVID-19 pandemic in 2020, the federal government

On July 6, 2021, Connecticut Governor Ned Lamont signed into law Public Act 21-113 titled “An Act Concerning Opioids” (PA 21-113), which establishes pilot programs to help serve persons with opioid use disorder in urban, suburban, and rural communities, and requires the Commissioner of Public Health to issue and increase awareness of chronic pain treatment guidelines. PA 21-113 became effective on July 1, 2021.
Continue Reading Connecticut Legislature Passes Act to Help Address the Opioid Epidemic

On June 23, 2021, Connecticut Governor Ned Lamont signed into law Public Act 21-2 “An Act Concerning Provisions Related To Revenue And Other Items To Implement The State Budget For The Biennium Ending June 30, 2023” (PA 21-2). PA 21-2 makes various changes to Connecticut law as part of implementing the Governor’s budget, including, in pertinent part, a change to statutory requirements that apply to contracts between health carriers (insurers) and participating health care providers. This provision of PA 21-2 takes effect October 1, 2021.
Continue Reading Connecticut Budget Bill Includes Important Changes to Network Participation Contracts Between Health Care Providers and Insurers

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. As cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information, Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements, and offer protection to businesses that have been the subject of a breach despite implementing cybersecurity safeguards from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.
Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

Below is an excerpt of a legal update co-authored with Robinson+Cole’s Environmental, Energy + Telecommunications Group partners Megan Baroni and Jon Schaefer.

On June 21, 2021, the Occupational Safety and Health Administration (OSHA) adopted its COVID-19 Healthcare Emergency Temporary Standard (ETS). Employers providing health care services will be required to comply with new