February 7, 2023

Volume XIII, Number 38


February 06, 2023

Subscribe to Latest Legal News and Analysis

CMS Requires COVID-19 Vaccine for Health Care Workers at all Facilities Participating in Medicare and Medicaid

On Nov. 4, 2021, the Centers for Medicare and Medicaid (CMS) released a new Interim Final Rule (IFR) regarding staff vaccination at facilities that participate in the Medicare and Medicaid programs. The IFR requires covered employers to ensure that staff receive their first dose no later than Dec. 5, 2021 and achieve full vaccination no later than Jan. 4, 2022.

The vaccine rule that was also released on Nov. 4, 2021 by the Occupational Safety and Health Administration (OSHA) does not apply to employees of health care entities who are covered under the CMS IFR. However, employees of health care providers who are not subject to the CMS IFR may be subject to the OSHA vaccine rule if the facility has more than 100 employees. For more information on the OSHA vaccine rule, please click here.

Justification for the Rule

CMS cited a number of reasons for the IFR, including the risk unvaccinated staff pose to patients, reports of individuals foregoing health care due to concerns of contracting COVID-19 from health facility staff, disrupted health care operations due to infected staff, and low vaccination rates among health care staff.

Scope of Coverage

The requirements of the IFR apply to health care facilities that participate in Medicare and Medicaid and that are subject to Conditions or Requirements of Participation, including but not limited to:

  • Ambulatory surgical centers;

  • Hospices;

  • Hospitals, such as acute care hospitals, psychiatric hospitals, hospital swing beds, long-term care hospitals, and children’s hospitals;

  • Long-term care facilities;

  • Home health agencies;

  • Comprehensive outpatient rehabilitation facilities;

  • Critical access hospitals;

  • Home infusion therapy suppliers; and

  • Rural health clinics/federally qualified health centers.

While the IFR does not directly apply to physician offices, which are not regulated by CMS Conditions or Requirements of Participation, physicians may nevertheless be required to vaccinate as a result of their relationships with other health care entities. For example, the IFR requires hospitals to implement policies and procedures to ensure “individuals who provide care, treatment, or other services under contract or by other arrangement” are fully vaccinated.

Covered Personnel

The IFR requires vaccinations for staff who routinely perform care for patients and clients inside and outside of the facility, such as home health, home infusion therapy, hospice, and therapy staff. CMS’s vaccination requirement also extends to all staff who interact with other staff, patients, residents, or clients, at any location, and not just those who enter facilities. However, staff who provide services 100% remotely—that is, staff who never come into contact with other staff, patients, residents, or clients—are not subject to the IFR vaccination requirements. Additionally, providers and suppliers are not required to ensure IFR vaccination compliance of one-off vendors, volunteers, or professionals, such as (a) those who provide infrequent ad hoc non-health care services (e.g. annual elevator inspectors), (b) those who perform exclusively off-site services (e.g. accounting services), or (c) delivery and repair personnel.

Definition of Full Vaccination

CMS considers “full vaccination” as 14 days after receipt of either a single-dose vaccine (such as the Johnson & Johnson vaccine) or 14 days after the second dose of a two-dose primary vaccination series (such as the Pfizer or Moderna vaccines). At this time, CMS is not requiring the additional (third) dose of mRNA vaccine for moderately/severely immunosuppressed persons or the “booster dose” in order for staff to be considered “fully vaccinated.” Additionally, CMS considers individuals receiving heterologous vaccines—doses of different vaccines—as satisfying the “fully vaccinated” definition so long as they have received any combination of two doses. In order to gauge compliance, CMS is requiring that providers and suppliers track and securely document the vaccination status of each staff member as well as vaccine exemption requests and outcome. The IFR does not specify that weekly testing, masking, and social distancing are an alternative to vaccination, meaning employers must ensure all employees are either (1) fully vaccinated or (2) exempted under a permissible exemption.


The IFR explicitly provides that employers must continue to comply with anti-discrimination laws and civil rights protections which allow employees to request and receive exemption from vaccination due to a disability, medical condition, or sincerely held religious belief or practice. Exemptions should be provided to staff with recognized medical conditions for which a vaccine is contraindicated as a reasonable accommodation under the Americans with Disabilities Act. For exemptions for a sincerely held religious belief or practice, CMS encourages health care entities to refer to the Equal Employment Opportunity Commission’s Compliance Manual on Religious Discrimination. Despite the ability to provide an exemption, CMS states that exemptions may be provided to staff only to the extent required by law, and that requests for exemption should not be provided to those who seek solely to evade vaccination. CMS also notes at length that the Food and Drug Administration considers approved vaccines safe. Accordingly, CMS will likely be unwilling to excuse provider and supplier noncompliance due to employees refusing vaccination based on fears about safety.


Although the IFR does not identify specific penalties for non-compliance, CMS is expected to use enforcement tools such as civil money penalties, denial of payment for new admissions, or termination of the Medicare/Medicaid provider agreement. CMS will utilize State Survey Agencies to review compliance with the IFR through standard recertification surveys and complaint surveys. Noncompliance with the IFR will be addressed through established classification channels of “Immediate Jeopardy,” “Condition,” or “Standard” deficiencies.


While CMS recognizes that some states and localities have established laws to prevent mandatory compliance with vaccine mandates, CMS ultimately considers the Supremacy Clause of the United States Constitution as preempting inconsistent state and local laws as applied to Medicare- and Medicaid-certified providers and suppliers.

© 2023 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume XI, Number 309

About this Author

Timothy Cahill Health Care Attorney Dinsmore Law Firm
Partner Of Counsel

Tim is an attorney with more than two decades of experience in health care-related fields. He has worked as in-house counsel and external counsel for non-profit and commercial health care organizations, health systems, hospitals, physicians and physician groups, joint ventures, and other corporate clients. Most recently, Tim served in the role of general counsel of a regional health system, working closely with the executive team and board to further the organization’s strategic mission and significantly improve operating revenues.

In his practice, Tim has addressed a wide range...

Christopher B. Begin Health Care Attorney Dinsmore & Shohl Columbus, OH

Christopher focuses his practice on health care law and earned his J.D. from Capital University Law School. His experience includes extensive participation with a number of law school groups and organizations, including Military Law Society president, three years of brief writing and advocacy involvement in Moot Court, two years in his school’s Law Review, and student coordinator for the John E. Sullivan Lecture. Outside of the classroom, Christopher honed his skills of solving complex legal issues through his internship experience with the federal attorney’s office.

Before entering...

Jennifer Mitchell, health care practice group partner, Dinsmore Shohl, law firm,

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...