Month: August, 2019

More Patient Data Has Been Compromised Through the First 7 Months of 2019 Than All of 2018

Each year, businesses in the health care sector invest more and more money into cybersecurity and data protection as the number of cyber-attacks and compromised patient records increases.  However, despite these efforts, successful cyber-attacks are significantly outpacing the health care sector’s efforts to protect patient data.

For example, in 2018, 15 million patient records were compromised as a result of slightly more than 500 breaches in the health care sector.  Through the first seven months of 2019, the three largest cyber-attacks alone affected more than 29.5 million patients.  The majority, and the most dangerous, of the attacks were carried out by hackers infiltrating third-party vendors or implementing successful phishing attacks. 

Of the biggest breaches thus far this year, the American Medical Collection Agency (“AMCA”) breach resulted in the largest compromise of patient data, affecting approximately 25 million patients.  Securities and Exchange Commission filings revealed that AMCA was hacked for eight months, between August 2018 and March 2019.   The compromised records included personal and financial data, such as Social Security numbers, credit card numbers, bank details, patient contact information, and sensitive medical information.  Since the breach, AMCA’s parent company, Retrieval-Masters Creditors Bureau, has filed for Chapter 11 bankruptcy protection.  It is unclear how the data breach remained undetected for such an extended period of time.  According to the company’s filing, it had slashed its staffing numbers from 113 to 25 at the end of 2018.

Another of the largest data breaches so far this year involved Inmediata Health Group, affecting 1.57 million patients.  Inmediata Health Group provides clearinghouse services and software and business processes outsourcing tools for health plans, hospitals, independent physician associations, as well as independent physicians. Officials discovered the data breach in January 2019.  Electronic health information was exposed due to a search engine function that allowed internal webpages used for business operations to be indexed.  Compromised data included patient names, contact information, medical claims data, and Social Security numbers.  Furthermore, patients affected by the data breach received multiple breach notification letters, some addressed to other patients.

Data breaches in the health care industry occur frequently and continue to grow in terms of affected patients.  Health care providers and affiliated organizations remain attractive targets for hackers due to the amount of personal information they possess.  According to the 2019 Cost of a Data Breach Report, a joint report issued by IBM Security and the Ponemon Institute (the “Report”), data breaches in the health care industry are the most costly.  According to the Report, the average cost of a data breach is $3.9 million.  The average cost of a data breach in the health care industry is $6.45 million – a difference of over $2.5 million.  Similarly, the average cost per record lost is $150, whereas the cost per record lost in the health care industry is $429.  Furthermore, according to the Report, formation of an incident response team and the extensive use of encryption reduce the cost of a data breach by an average of $360,000 each. 

Although the frequency and magnitude of data breaches have grown year by year, there are many actions that entities participating in the health care industry can implement.  These include, but are not limited to: (1) investment in, and expansion of, the information technology department, (2) implementation of updated security policies and periodic training for employees, and (3) the formation of a well-rounded incident response team.  

Injunction Issued Against Operation of New Jersey Medical Aid in Dying For the Terminally Ill Act

This statute in May and August was the subject of two previous postings on this blog.  As of August 1, 2019, health care providers in New Jersey were to be authorized to provide qualified terminally ill patients with prescriptions for medication which would enable the patients to end their own lives.  The phrase “terminally ill” was defined as being “in the terminal stage of an irreversibly fatal illness, disease, or condition with a prognosis, based upon reasonable medical certainty, of a life expectancy of six months or less.”  Codified at N.J.S.A. 26:16-1 et seq., the statute would not actually be operational until August 16 because of a statutory provision requiring the patient to make a second oral request no sooner than 15 days after the first request as a precondition for the physician providing the prescription.

On August 14, 2019, an Order with temporary restraints was entered by Judge Paul Innes sitting in the Chancery Division-General Equity for Mercer County enjoining the Attorney General from enforcing the statute.  The Order was issued in response to an application by Verified Complaint in the matter of Yosef Glassman v. Gurbir Singh Grewal, Attorney General of the State of New Jersey, Docket No. MER-C-53-19.  With a ten-count Verified Complaint, plaintiff sought to invalidate the statute on a number of constitutional grounds. The plaintiff is a licensed New Jersey physician with moral and religious objections to the conduct that the statute would authorize.  Judge Innes scheduled an October 23, 2019 return date for the Order to Show Cause.

The Office of the Attorney General filed an emergent motion with the Appellate Division.  The Appellate Division ordered expedited briefing to be completed by August 23, but declined to dissolve the injunctive order.  An application was then made to the New Jersey Supreme Court.  It entered an Order on August 20 denying the request for immediate dissolution of the injunction against implementation of the statute and declined to take any further action concerning “an issue of this magnitude” until the Appellate Division addressed the identical motion with the “thoughtful consideration” reflected by its order for expedited briefing.  It requested that the Appellate Division resolve the matter expeditiously.

As pointed out in prior blogs, New Jersey is the eighth state along with the District of Columbia enacting such physician-assistance in dying legislation.  There has been litigation challenging the validity of such statutes elsewhere, some of which is ongoing.

NEW YORK REAFFIRMS THAT THE CORPORATE PRACTICE OF MEDICINE DOCTRINE IS ALIVE AND KICKING

The New York Court of Appeals recently issued an opinion on the State of New York’s corporate practice of medicine prohibition, holding that medical practices that give too much operational and financial control to Management Service Organizations (“MSOs”) are “fraudulently incorporated” and thus, no-fault automobile insurers have no obligation to reimburse such practices.

In the case of Andrew Carothers, M.D., P.C. v. Progressive Insurance Company 2019 N.Y. Slip Op. 04643, a MSO provided management services to a New York professional corporation that performed magnetic resonance imaging services. Several no-fault automobile insurance carriers stopped paying the practice’s no-fault claims claiming that the practice was fraudulently incorporated, and in response, the practice sued the insurance carriers for non-payment of the insurance claims. A jury found that the owners of the MSO controlled the practice, and that the practice was fraudulently incorporated such that the insurance companies could rightfully deny payment of claims.

The Court of Appeals agreed with the jury and found that, due to certain terms of the MSO arrangement, the practice ceded control of the practice to the MSO. In making its determination, the court pointed to several aspects of the arrangement including:  (i) the MSO leased equipment to the practice at above fair market value; (ii) the licensed physician had a limited role in the clinical and administrative aspects of the practice; (iii) the executive secretary of the practice with ties to the owners of the MSO ran certain clinical aspects of the practice including the discipline of providers and the handling of physician referrals to the practice; and (iv) the MSO had the right to terminate each lease without cause, regardless of payment, however no similar provision allowed the practice to terminate the leases without cause.  The court stated that “[a] material breach of the foundational rule for professional corporation licensure—namely that it be controlled by licensed professionals—[is] enough to render [that party] ineligible for reimbursement.” See Slip Op at 16. While the holding of this case is limited in scope to no-fault insurance reimbursement, the court’s examination of the relationship between the MSO and the practice is an indication that New York courts will continue to closely monitor these MSO-practice relationships to ensure that the spirit of the corporate practice of medicine remains intact.

New York’s Business Corporation Law prevents unlicensed persons from exercising control of professional corporations.  All shareholders, officers, and directors must be licensed in the profession the entity is being incorporated to practice.  Ceding too much control to non-physicians violates the Business Corporation Law.  Similar concepts apply to professional limited liability companies.

This decision does not mean that medical practices or other professional entities in New York cannot enter into arrangements with MSOs.  Instead, the decision reaffirms that these arrangements must be carefully crafted and implemented and operated with care to stay within the bounds of the law.

Dying with Dignity in New Jersey: New Jersey’s Aid in Dying for the Terminally Ill Act

New Jersey residents should be aware that on August 1, 2019, New Jersey’s Aid in Dying for the Terminally Ill Act went into effect.  The Aid in Dying for the Terminally Ill Act permits qualified terminally ill patients to self-administer medication to end their life in a humane and dignified manner. Both patients and physicians are protected by several safeguards built into the recently enacted New Jersey statute.

The patient must be a New Jersey resident who is at least 18 years of age and can document his or her residency with a driver’s license or identification card issued by the New Jersey Motor Vehicle Commission; a New Jersey resident gross income tax return filed for the most recent year; or other government record that demonstrates residency. The patient must be able to communicate health care decisions and be capable of making informed decisions. The patient’s attending physician and consulting physician will make the determination regarding a patient’s mental capacity.  Finally, the patient must be terminally ill, as defined in the statute. If a patient is in the terminal stage of an irreversibly fatal illness, disease, or condition with a prognosis, based upon reasonable medical certainty, of a life expectancy of six months or less, he or she will be considered “terminally ill” under the statute.

Some of the requirements for the attending physician include: (i) examining the patient and confirming that the patient is terminally ill; (ii) informing the patient of the feasible alternatives to taking the life-ending medication, including, but not limited to: concurrent or additional treatment opportunities, palliative care, comfort care, hospice care and pain control; (iii) referring the patient to a consulting physician for medical confirmation of the diagnosis and prognosis and a determination that the patient is capable of decision-making and is acting voluntarily; (iv) referring the patient to counseling with a mental health care professional; and (v) recommending the patient participate in consultation regarding the alternatives to self-administering the life-ending medication. 

Prior to providing a prescription for the medication, the physician is required to recommend that the patient notify their next of kin. Whether the patient decides to withhold notice to their next of kin is left entirely up to the patient. The patient must make two oral requests and one valid written request, in the written form set forth in the statute, to their attending physician to receive a prescription for the life-ending medication.

The State of New Jersey is now the 8th state in the United States to enact a compassionate death with dignity statute. Presently, each of California, Colorado, District of Columbia, Hawaii, New Jersey, Maine (will be effective in September 2019), Oregon, Vermont, and Washington have death with dignity statutes. The State of Montana relies on case law to permit physician-assisted deaths.

Should you wish to receive additional information, or if you have any questions relating to this topic, we invite you to contact our firm’s Private Clients Services and/or Health Care Practice Groups for further discussion.