With the federal government’s announcement that it is considering expanding its MSA review process to include up to 51,000 MSAs for liability insurance and no-fault settlements, the liability MSA issue should be front and center for all parties resolving liability insurance claims. Non-compliance in this area has been rampant over the years, and changing your habits now is critical to ensuring a closed file remains closed from the federal government’s perspective. Addressing MSA issues in liability claims: What are you waiting for? In 1980, Congress enacted the Medicare Secondary Payer (MSP) Act. 42 U.S.C. § 1395y(b)(2). From this law (and following administrative policy statements from the federal government), parties resolving workers’ compensation (WC) claims became concerned about the application of Medicare Set-Aside Arrangements (MSAs). Today, we see the MSA issue often grinding a WC settlement to a halt for a variety of reasons. Strangely, the same broad level of concern has never really existed for those resolving auto, liability or no-fault claims. This article explores why, historically, these MSA issues have only resonated in the WC community. By comparing the issue in the WC context versus the liability context, you will see that parties resolving liability claims without addressing the MSA issue (more accurately stated as the future medical issue) expose themselves needlessly to the federal government asserting recovery for future medical expenses it paid mistakenly on behalf of its beneficiary. This exposure could lead to the federal government pursuing recovery of double (or, perhaps, treble damages. Recently, the federal government announced it is considering expanding its MSA review process to include liability and no-fault cases. No one wants to be the ones the federal government targets for non-compliance. Perhaps the Chinese philosopher Sun Tzu said it best in “The Art of War”: “The greatest victory is that which requires no battle.” At this point, if you are not yet addressing liability MSA issues as standard operating procedure on every single case, what are you waiting for? Background In 1980, Congress enacted the MSP Act. With the goal of extending the life of the Medicare Trust Funds, the MSP Act provides that the federal government should not pay for a beneficiary’s medical expenses when payment has been made under a workers’ compensation policy or plan, an automobile policy or plan, a liability insurance policy or plan (including self-insurance) or a no-fault plan. When the federal government’s right of recovery under the MSP Act is triggered, the parties involved in the claim have the responsibility to make sure Medicare does not pay a bill prematurely that had been paid previously as part of the settlement, judgment or award. See also: Medical Liability Insurance (Video)   In 2001, the federal government — through what is now known as the Centers for Medicare and Medicaid Services (CMS) — first verbalized its statutory interpretation of the MSP Act as applying not only to past medical expenses but also to future medical expenses. In what became known as the “Patel Memo,” CMS described situations in WC claims where parties should consider funding an MSA to ensure that Medicare is not asked to pay a medical bill prematurely on behalf of one of its beneficiaries. Since 2001, CMS has provided ample guidance in the form of additional policy memoranda and a reference guide that incorporates that policy memoranda for those who wish to ask CMS to review and approve an MSA as part of resolving a WC claim. Today, MSA concerns are commonplace in the WC community but not in the liability insurance community. Why is that? Statutory and Regulatory Language As a launching point, it’s important to understand the MSA statutory and regulatory landscape. In short, there is none. That’s right — neither the MSP Act itself nor the regulations enacted by CMS to provide its official interpretation of the MSP Act discuss or even mention the terms “Medicare Set-Aside” or “MSA.” Further, the Medicare Act provides that “The Secretary shall prescribe such regulations as may be necessary to carry out the administration of the insurance programs under this subchapter. In situations where regulations are not enacted, the Medicare Act provides that “No rule, requirement or other statement of policy … that establishes or changes a substantive legal standard … shall take effect unless it is promulgated by the Secretary by regulation under paragraph (1).” 42 U.S.C. § 1395hh(a)(2). As the MSP Act is a subpart of the Medicare Act, this applies to the MSP Act as well. Plainly put, because no regulation exists about MSAs today, there is no substantive legal standard parties must meet with respect to MSAs themselves. However, parties focusing on the so-called “MSA requirement” have missed the forest for the trees. An MSA is one possible tool to comply with the obligation to make sure Medicare does not pay a medical bill that is someone else’s responsibility. That same broad prohibition has existed under the MSP Act since Dec. 5, 1980. "Medicare will not pay for a beneficiary’s medical expenses where payment has been made under a workers’ compensation plan, an automobile plan, a liability insurance plan (including self-insurance) or a no fault plan." 42 U.S.C. § 1395y(b)(2)(A)(ii). The same statute addresses future medical expenses that Medicare could potentially be asked to make post-settlement for liability insurance just as it does for WC. According to the law, Medicare is barred by statute (but for the conditional payment exception) to make that payment where payment has already been made for those same items, services and expenses. Presumably, that payment would have already been made by the liability insurance carrier or self-insured to the claimant as part of the settlement. While the statute does not address MSAs, it does address future medicals. The fact that parties resolving liability insurance claims miss this is troubling. What’s more troubling (for some) is that the statute has addressed future medicals in liability cases for 36 years. Future medicals in liability cases under the law is not a new development. Despite the clear statutory text of the MSP Act, parties resolving WC claims worry about MSA issues, while parties resolving liability insurance claims generally do not. Why is that? MSA Jurisprudence Maybe the distinction lies with the body of case law that has developed around the MSA issue in the liability insurance context. Specifically, at least two federal courts have concluded that liability MSAs are not “required,” while none (to the author’s knowledge) have concluded that liability MSAs are “required.” (See Sipler v. Trans Am Trucking Inc., 881 F. Supp. 2d 635 (2012) and Aranki v. Burwell, No. 2:15-cv-00668 (D. Ariz. Oct. 15, 2015).) This is not a surprising conclusion from the judiciary given the fact that neither the law nor the regulations interpreting the law “require” liability MSAs. Still, that same law does not differentiate between WC claims and liability insurance claims. In both, Medicare’s right to not pay certain future medical expenses ripens when payment has been made by a primary plan or payer to a claimant for those same expenses. The law itself provides no distinction. Without a distinction, one might think that concern for MSA issues would be the same in the liability insurance context as they are in the WC context. But, historically, they have not been. Why is that? Federal Administrative Guidance If it’s not the statute itself or the regulations enacted to interpret the statute or the case law rendered when parties have taken the MSA issue in front of the judiciary, perhaps it is administrative guidance in the form of policy memoranda that stoke the heightened concern in the WC community as compared to the liability insurance settlement community. While not active in drafting regulations about MSAs, CMS has been active in providing policy memoranda and other informal writings about MSAs in WC. Starting with the Patel Memo of 2001, CMS drafted approximately 16 policy memoranda about WCMSAs. Then, in 2013, CMS combined those policy memoranda into one comprehensive WCMSA Reference Guide. As of April 4, 2016, CMS issued Version 2.5 of its WCMSA Reference Guide, and it has become CMS’ one source of the truth when it comes to WCMSAs. By comparison, CMS has issued scarce guidance about liability MSAs. One can look to one policy memo in 2011, an Advanced Notice of Proposed Rulemaking (ANPRM) in 2012, and a Notice of Proposed Rulemaking (NPRM) in 2013. By the way, CMS voluntarily withdrew the NPRM in October 2014. So, perhaps the distinction lies in the existence of the policy memoranda and the WCMSA Reference Guide. And that might make sense but for one thing: Policy memoranda and reference guides issued by the federal government alone are not afforded Chevron deference. For the non-lawyers out there reading this, Chevron deference is an administrative law principle whereby courts will defer to a federal administrative agency (like CMS) and its statutory interpretation of a law unless such interpretations are unreasonable. According to the United States Supreme Court, “Interpretations such as those in opinions letters — like interpretations contained in policy statements, agency manuals and enforcement guidelines — all of which lack the force of law — do not warrant Chevron-style deference.” Christensen v. Harris County, 529 U.S. 576 (2000). Thus, the mere fact that CMS has issued policy memoranda and reference guides about MSAs in WC situations does not mean those statements have the force of law behind them. Despite this, WCMSAs remain an issue of high concern, while LMSA issues remain largely ignored. Why is that? CMS and its Current MSA Review Process Well, the only other possibility for the disparate treatment of the MSA issue in WC as compared to liability insurance is the existence of a formal review process for WCMSAs. CMS is willing, under certain circumstances, to review a WCMSA when the parties voluntarily submit that WCMSA to CMS for review. However, since it cannot review every single WCMSA because of resource constraints, CMS has established workload review thresholds to help manage its caseload. This workload review threshold is not a safe harbor, and CMS clearly states this in its WCMSA Reference Guide. This means cases that do not meet the threshold are not provided safe passage from CMS on the issue. Future medicals should still be considered in a WC settlement that does not meet the CMS review threshold. That goes for WCMSAs in cases where the threshold is not met — as well as liability cases for which CMS does not yet offer a formal review process. The mere lack of a formal review process does not mean Medicare relinquishes its right to not pay certain future medical expenses under the law. Nor does it mean that Medicare surrenders its right to pursue parties who have failed to address the future medical issue compliantly under the MSP Act. The MSP Act grants Medicare the right to recover up to double damages plus interest for any conditional payments it is not reimbursed. 42 U.S.C. § 1395y(b)(3). <<--- ?? See also: Data Breaches: Who Has Legal Liability?   Further, Medicare might be able to recover treble damages if it chooses to assert claims under the federal False Claims Act. It is the False Claims Act, in the author’s estimation, that parties should be concerned about most in this area — no matter whether you are a lawyer on either side of the “V,” a Fortune 500 company who self-insures liability claims or a liability insurance carrier. For a moment, think about the number of liability claims you have resolved over the past 10 years or so without addressing the MSA issue. Then, multiply that number by anywhere between $10,781.40 and $21,562.80 — and then triple that figure. That’s the future medical exposure facing parties not addressing the LMSA issue today. Claims brought by CMS under the False Claims Act represent the “nuclear” option, which would be the federal government’s most sensational way to enforce its rights in this area. But, as it currently stands, parties resolving liability insurance claims seem comfortable with this exposure, while the WC community is not. Why is that? CMS Considering Expanding Formal Review to LMSAs Given all that, perhaps you’re still comfortable with your LMSA exposure. You ignore the plain statutory text that places WC and liability insurance claims on level ground. You point to the lack of regulations directly on point. You cite the cases that state that LMSAs are not “required.” You cling to the fact that CMS withdrew the NPRM in 2014 and conclude that must mean that MSAs are a non-issue in liability insurance settlements. You’re the one who says that LMSAs will be an issue to be concerned about only when CMS provides an official review process. Well, get ready to be concerned because it appears that time is right in front of us. On June 8, 2016, CMS announced that it is considering expanding its formal MSA review process to include liability and no-fault cases. CMS doubled down on that announcement in December 2016. As part of its RFP for WCMSA review contractor services, CMS asked bidders to provide information about its ability to review up to 51,000 LMSAs annually starting in 2018. That represents a 258% increase in MSAs reviewed as compared with current WCMSA reviewed. Bids are due to CMS by February 15, 2017 with an anticipated contract-award date of June 30, 2017. If CMS is considering expanding the formal MSA review process, it must mean that CMS believes MSAs in those types of claims are a thing, right? Why else consider expanding its formal review process? If CMS believes liability MSAs are a thing, how long has it thought that, and how much work has been done internally to vet the LMSA issue and the parties resolving liability claims without addressing the issue? So many questions and so much exposure that could be remedied by one simple step. The greatest victory is that which requires no battle. Conclusion By this point, one certainly realizes the ostrich approach to the LMSA issue is ill-advised. The time is right to either 1) formalize your process for addressing the MSA issue on every one of your liability cases pre-settlement; or, 2) begin formulating your plan to defend yourself when CMS pursues you seeking double or treble damages for future medical payments it made for its beneficiary by mistake. As a lawyer, I prefer my clients choose the former, but I'm willing to be hired to help those who prefer the latter. Your goal should be to minimize — or even extinguish — your future medical exposure related to this issue. You should get comfortable with the idea that Medicare’s right to future medicals is not limited to WC, and steps need to be taken to ensure your future medical exposure is minimal or even non-existent in the future. If you’re interested in learning how you can devise internal protocols to address potential LMSA issues or you would like a legal opinion about an LMSA issue in a specific case, I’d be happy to speak with you. Call me at (704) 232-7297, email me at cattielawpllc@gmail.com, visit my website at www.cattielaw.com or tweet me @MSALawyer. Don’t wait until it’s too late and you can’t keep your file closed because the feds won't let you.

There are a lot of good reasons to attend an insurance industry conference: high-profile keynote speakers, in-depth educational sessions on emerging industry issues, exhibitors showcasing their products and networking opportunities galore. Those reasons are why as many as 40 million people attend industry conferences every year, according to Conference Hound. The conference/event industry is only getting bigger; the Bureau of Labor Statistics expects it to expand 44% by 2020. For our industry, one index of insurance conferences listed more than 100 events focused on some aspect of the industry that happened in 2016. That's a lot of conferences! The trouble is, you can't do it all. Conferences present a lot of competing objectives--take a long lunch to continue networking, and you sacrificing key learning time, and catching an afternoon panel may mean missing an exhibitor's demonstration. You're stuck guessing what will be most beneficial. It's a real challenge, especially if it's your first time attending a conference. See also: Are Conferences Still Worth the Effort?   But that doesn't mean that you can't hit the ground running and get a lot out of your first insurance conference. With some preparation and follow-through, plus a little gumption during the conference itself, first-time conference attendees can maximize their experience and get significant value from the event. Before the conference

1. Find the right conference. With nearly 100 conferences for our industry, you have a lot of options, but that doesn't mean that they're all worth your time. The Risk and Insurance Management Society (RIMS) Annual Conference & Exhibition is a popular choice. Attendees get the chance to hear some of the top minds in the risk management and insurance industry. There are plenty of more specific options available, too, addressing topics ranging from windstorm insurance to trucking telematics. Attending a more targeted conference, such as one designed for underwriters, claims or another job function, may be more beneficial to your career development if you're looking to specialize.
2. Do your research. Once you've registered for the conference and have travel and accommodation logistics figured out, it's time to start snooping. A little bit of preconference research can significantly improve your experience during the conference. Look up the speakers and topics of interest--you can sometimes even connect with presenters on social media before the conference. Outline a tentative schedule of the speakers you want to catch so that you can spend your time at the conference networking and learning rather than double-checking when the next session starts.
3. Update your professional persona. Before you head to the conference, make sure that your business cards are up to date. Take a big stack of them--more than you think you'll need--and commit to giving them all away. Also make sure that you update your LinkedIn profile. Most importantly: Prepare a few short elevator speeches for conversations you're anxious to have. If you're there to network, come up with a short introduction of yourself and your organization. If you're there to learn about a certain topic, prepare specific questions you can ask speakers and subject matter experts.

During the conference

1. Network, network, network. Conferences are designed for networking, but that isn't everyone's forte. A lot of us are uncomfortable meeting people in unfamiliar surroundings. But one of the most important benefits of attending conferences is the opportunity to hone your networking skills and try out those elevator speeches. Many find that they're more comfortable networking if they expand their scope a little bit. Think of yourself as representing your whole organization--what connections could benefit your employer? It shifts the focus from promoting yourself and gives you a broader purpose.
2. Use the app and the hashtag. More and more of the important conversations taking place at insurance conferences are held online. That said, in 2016 more than half of conference attendees were expected to download mobile conference apps. It's a good way to organize your schedule and keep up with hashtags and updates on social media. (And it's not a bad idea to check out the hashtag for conferences you aren't able to attend.) Just don't spend the whole conference buried in your phone--you're there to meet and learn from other industry professionals. In fact, almost half of conference attendees recently surveyed said that the face-to-face interactions they had were more valuable than they were two years ago, and the Center for Exhibition Industry Research expects them to become even more valuable in the future.
3. Get your money's worth. There's one thing many first-time conference-goers forget: They're paying money to be at the conference. Whether you paid out of pocket, your company is footing the bill or you're just offering your valuable time, you should work to get as much out of the conference as you can. If a speaker isn't providing the information you want, ask questions. If you're still not getting what you need, don't be afraid to leave and find a session that's a better fit. Fill your days with as much learning and activity as possible--attend every session you can, talk to as many people you can.

After the conference

1. Maintain your connections. The biggest challenge after an insurance conference is maintaining the momentum and enthusiasm you had during it. Start by staying in touch with the connections you made. Send follow-up notes, emails and messages to networking contacts and speakers you met.
2. Solidify your knowledge. You may have a left a keynote speaker's presentation or a particularly strong session energized and ready to put your new knowledge or perspective to work, but that enthusiasm fades fast. Take the time to organize your notes each night of the conference, or read more on a particular topic so that you're ready and excited to use the new information once you're back to day-to-day operations.
3. Demonstrate the value. Make sure that your employer sees that the time you spent away from your daily insurance gig was worthwhile. A specific thank-you email or follow-up is always good, but returning to work with a few practical ways to do your job better and improve your organization is even better.

See also: My Top Tips From EXEC InsurTech   Have you mastered the art of insurance industry conferences? Give us your best tip in the comments section below.

Thanks to Scott Brinker at chiefmartech.com for sharing the 2017 Marketing Technology Supergraphic above. I appreciate every year seeing the updated technology landscapes along with the insights and commentary provided by Luma Partners. If you are having trouble making out any of the details, it’s not your eyesight. More than 5,000 companies are included on the landscape, astoundingly up from 150 in 2011. Wow. Does the chief marketing officer really need 5,000 -- and growing -- choices? Even within the super-graphic’s sub-categories, any executive may find herself searching for just a few needles in the haystack. That short list will only include those needs that matter enough to command resources at the expense of some other priority: Software will be licensed, planned into the tech stack, fed by data to produce decisions and provide leverage for media selection, offer testing, user experience, servicing, personalization, team collaboration or any of the other demands of a modern marketing organization. The super-graphic conveys at least two messages:

• Lots of engineers see that marketing is a function continuing to live with daily disruption and want to help, or see an open window at least to build solutions.
• With so many solutions out there, it’s reasonable to question where the value and meaningful differences are among them. Where has tech product specialization become so deep that solutions are not relevant enough to be worth the CMO’s pursuit?

Direct marketers have long subscribed to the orthodoxy that choice depresses response. While not always the case, certainly when presented with an overwhelming number of choices buyers tend to shut down. Without a framework relevant to the CMO’s needs, having 5,000-plus options on one slide (while a remarkable feat of design, even organized into tech-based categories with add-on, zoom-in capability) will feed decision-making paralysis. See also: Insurtechs Are Pushing for Transparency   There is a way to not get swallowed by the mar-tech vortex, one that is remarkably low-tech and depends more on critical thinking, collaboration, customer focus and clear commercial goals. In this context, software is the enabler, the means but not the end. That way? Be clear on what the business strategy is. How does the business strategy translate into the short list of marketing priorities -- those that constitute a 20/110 effort-for-impact calculation? This means the 20% of activity that will make 110% of the difference. (I prefer 20/110 thinking to the more common 80/20 -- let’s admit that some of the decisions that marketers make end up dragging down results, and that the headlines that dominate team appraisals of progress tend to focus on a short list versus the totality). Strategy comes down to:

• The starting point: Where are you now?
• The destination: Where do you want to be?
• The route: How do you anticipate getting there?
• The rationale: Why does any of this matter?

The focus for any CMO trying to decide where to start and where to put her undoubtedly too-scarce resources is to be confident about:

• What customer problems the brand wants to solve that will allow standout status in the hearts and minds of our users.
• And, what marketing capabilities (technology and otherwise) are needed to ensure the brand gets to the solution(s) that widen competitive advantage and grow user preference.

See also: The Failures and Successes of Insurtech   Mar-tech along with all of the other advanced technologies available today should be chosen because they can help the brand enable remarkable differentiation -- in the hearts and minds of customers. With strategy in hand, it is possible to make smart decisions and tradeoffs for the right reasons, about how to prioritize mar-tech investments for business leverage. Then, frameworks such as this complex snapshot of what technology can do for marketing become incredibly useful places to start searching for the appropriate enablers.

A landmark study into the profits of businesses found that only 55% stemmed from factors they could control. A full 45% of a business’s earnings was determined by external factors – the growth rate of the economy, political changes, movement in oil prices, etc. That study was done 20 years ago, so the part of earnings now determined by uncontrollable factors may well be higher, given that technology, politics and other factors have added so much uncertainty to today’s business environment. Executives don’t like things they can’t control, so many focus 100% of their effort on that 55% (or less) of earnings that is in their hands. But focusing on only roughly half the sources of profitability leaves an enormous opportunity for those who are willing to embrace uncertainty and find better ways to sense and react to those external, uncontrollable factors. Because of regulation and capital requirements, financial services have been largely protected from the digital disruption that has rewritten the rules for retailing, music and so many other parts of the economy. But uncertainty is picking up because financial services firms are now having to confront new kinds of information, at much higher speed, and must learn how to quantify new types of risk. For instance, some fintech startups are granting loans based on analyses of social media -- one theory being that, if your friends are solid citizens, you’re likely to be a better risk than your credit score suggests. The jury is still out on how effective these startups will be, but they show the need to be able to analyze "unstructured" data such as that coming from social media and from the cameras and sensors that increasingly blanket the world. See also: Change Management Is Not About Change!   Meanwhile, although technology is typically described as addressing humanity’s problems, it also creates whole new types of risk. How do you figure out how to insure a driverless car? There’s never been one before. When the Internet of Things essentially connects every device to every other device in the world, what risks come along with the benefits? They won’t just relate to cybersecurity issues such as how to protect personal information either; people will also hack into systems to sabotage equipment, to make cars crash into each other and who knows what else. History shows that many companies will wait and watch to see how the business environment evolves and only then start to react, but research for our new book, "Accelerating Performance," found that the best firms have a fast, yet low-risk way of responding to change. We can summarize that approach as: "mobilize, execute and transform with agility." Our study of these factors is based on decades of work and years of research, included a survey of 20,000 global leaders, investigation into the performance of 3,000 teams and deep research into the FT 500, including interviews with senior executives at 23 top performers we call "superaccelerators." Here’s what they do – and do well. Mobilize Embracing uncertainty. Some 60% of the respondents in a major survey of ours said high-impact events had repeatedly blindsided their organization, and 97% said their organization lacked an adequate early-warning system. To avoid ugly surprises, companies need to embrace uncertainty. That means building a deep understanding of the highest-impact forces that are shaping the future of an industry and preparing for a range of alternatives, rather than just addressing operational pressures. Pressure-tested decision making. Often, context needs to be broadened so that new options can surface. What seems to be a harsh, either/or choice can become a much easier decision. Continually reframing business challenges must become a best practice. It is human nature to have mental filters – they help us to efficiently manage information overload and to make many routine decisions without hesitation -- but these shortcuts often lead people to see what they expect to see rather than what is actually there. Overconfidence can also cloud judgment. We need to constantly recognize and work to overcome our biases, while still making swift decisions. Shared vision. Uncertainty can lead to divisiveness, as everyone has his or her own opinion of how the business will develop. But extensive research shows that companies that have a shared vision of where they are going, and why, do remarkably better than those that do not. Most visions are incremental and stifling, limiting change to minor investments in new capabilities that support the core, existing business. But a bold vision is often a bridge too far, creating a state of paralysis by presenting the prospect of radical changes  to the business model. Most successful strategies find the elusive sweet spot between incremental and bold, balancing the familiar with a distinct "North Star" for the future. Execute Core competencies. Today’s winning capabilities may become tomorrow’s table stakes. Organizations must identify what capabilities world-class competitors will possess in the future and begin to invest in them now. Execution feasibility. Many attractive strategies exist. However, not all are possible for every organization. Investing in strategies with low feasibility is a sucker’s game. Leadership needs to recognize that how they will win may be different than the path for their competitors. Before making any moves, organizations should inventory the principal strategic decisions for the near term and long term, and then evaluate their readiness to execute. Adaptive playbook. Relentless testing of alternative strategies is imperative. Organizations need more than one strategy at the ready, as market conditions often change and new threats and opportunities emerge, and must be acted on quickly. Most firms plan as if the world were predictable, developing point forecasts, budgets and initiatives that will succeed as long as the external environment cooperates. Organizations must become intimately familiar with their competitors’ inner workings, regularly employing role-playing exercises to simulate the competition’s strategic intents. Transform  Balanced portfolio. A well-constructed portfolio balances investments with knowable return on investment (ROI) in the short term along with investments that have long-term potential and can’t be evaluated with such traditional financial metrics. Portfolios need to incorporate varying levels of risk and multiple time horizons. Failing fast. Every organization has limited resources, so it must objectively assess which strategies are working and which are not, pull the plug on those that are failing, double down on those that are working and invest in new ideas. A firm burdened with too many stagnant strategic initiatives quickly faces a drag on overall performance. Rapid response. Rapid response requires the ability to sense threats and opportunities in the market, while relentlessly pursuing improvement in how to respond when signals emerge. Responding to a threat or opportunity more quickly than competitors, based on less-than-perfect information, can make all the difference. Most organizations struggle to act swiftly and commit resources because the near-term risks of being wrong outweigh the long-term reward of being right. See also: Group Benefits: the Winds of Change   Agility Foresight. Most companies are skilled at sensitivity analyses of one issue in isolation, but few can conduct deeper-level examinations of how issues interact in a complex system. The current volatile, uncertain, complex and ambiguous environment demands that firms re-evaluate their strategies and strengths and improve the ability to anticipate. Learning. You must continuously test assumptions about yourself, your market, your customers and your competitors. It’s important to understand which assumptions might be vulnerable and to "unlearn" associated behaviors. Operational excellence is increasingly becoming commonplace in many industries, with true differentiation stemming from a learning culture that is externally focused, experimental and innovative, collaborative and comfortable with risk. Adaptability. Existing strategies and processes, even if successful in the past, might need to be changed dramatically to ensure continued performance in the future. Organizations must adjust to changing circumstances by applying existing resources to new purposes and modifying actions and behaviors accordingly. Resilience. Many companies have too narrow a view of the plausible range of outcomes, and often a disruptive event turns into something that is crippling rather than a small setback or even an opportunity. Organizations must surface and examine mental models. By considering which assumptions might be vulnerable and looking at a broader range of outcomes, leaders can combat overconfidence and prepare for challenging operating environments. Even addressing all 13 of these factors won’t guarantee that you’ll win. The business world will remain a harsh place full of formidable competitors. But becoming expert on these issues will give you a much better chance of mastering uncertainty, while your competitors continue to focus just on the factors they can control.

When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A “tablet” referred to a pill. And the typical cyber attack aimed to simply deface a website. But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the U.S. are documented, stored and shared in electronic form. And the threat landscape has been evolving, as well. “Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools. See also: Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices In response, federal authorities have stepped up enforcement actions against healthcare organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels. In August, Advocate Health Care Network agreed to pay a record $5.6 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients. The fines levied by the Department of Health and Human Services’ Office of Civil Rights (OCR) in 2016 surpassed any previous year since HIPAA became law. Settlements send a message And the fines levied by OCR in 2016 were hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to healthcare providers. “There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. This “is definitely enough to get the attention of healthcare organizations.” The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s database, which only includes incidents that affect 500 or more individuals, shows a steady growth each year. In 2010, 198 incidents were reported to OCR, compared with 296 in 2014 and 269 in 2015. This trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which put healthcare at the top of all other industries for the number of data breaches. And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their healthcare organizations experienced an incident in the past 12 months involving loss or exposure of patient data. The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution. Sinking teeth into the law “HIPAA is a fairly good law,” he says. “The problem is that healthcare organizations consider (HIPAA) as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.” Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule, says, “When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance.” The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.” The first OCR settlement — $100,000 — didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements. See also: Will You Be the Broker of the Future?   What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act. The HITECH Act dramatically expanded the penalties, based on “increasing levels of culpability,” and increased the maximum to $1.5 million instead of $25,000 per identical violation. It also extended HIPAA to business associates. The addition of business associates was significant, considering a large number of breaches are attributed to third-party incidents. Risk management more important The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations. Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend. “The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says. Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks versus a little more than 20 million people affected by about 700 incidents involving theft (laptops, media, etc.). And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015, there were 57. Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventative measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every healthcare organization have a policy. “Healthcare organizations will have to take security into account to reduce the cost of premiums,” he says. See also: Can InsurTech Make Miracles in Health?   In the meantime, the increased OCR enforcement could create a stronger incentive for healthcare organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says. “It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.” More stories related to HIPAA and health records: Hospital hacks show HIPAA might be dangerous to our health Encrypting medical records is vital for patient security Healthcare data at risk: Internet of Things facilitates healthcare data breaches This article originally appeared on Third Certainty. It was written by Rodika Tollefson.

The landmark WannaCry ransomware attack, I believe, may have been a proof of concept experiment that inadvertently spun out of control after it got released prematurely. But now that it’s out there, WannaCry signifies two developments of profound consequence to company decision-makers monitoring the cybersecurity threat landscape:

• It revives the self-propagating internet worm as a preferred way to rapidly spread new exploits, machine to machine, with no user action required.
• It lights up the cyber underground like a Las Vegas strip billboard, heralding a very viable style of attack. WannaCry already has begun to spur hackers to revisit self-spreading worms, an old-school, highly invasive type of attack.

The unfolding “kill switch” subplot supports my analysis. First, a recap: WannaCry is an exploit that spreads on its own, seeking out Windows laptops, desktops and servers that lack a certain security patch issued in March by Microsoft. See also: How to Keep Malware in Check   WannaCry first appeared on the internet on a Friday morning and swiftly swept across the globe, reminiscent of the I Love You and Code Red worms of yore. It infected 200,000 Windows machines in 150-plus countries. Hardest-hit were institutions of the U.K.’s National Health Service, as well as Spanish and Russian utility companies. You may recall that self-spreading Windows worms were all in vogue a decade ago. The most infamous probably was Conficker. I wrote extensively about Conficker for USA Today. But for all the attention Conficker drew, it never delivered any overtly malicious payload. It simply spread. WannaCry, by contrast, is spreading with a purpose. It carries with it instructions to encrypt each infected machine’s hard drive. Then it requests a $300 ransom, payable in bitcoin, to decrypt the drive. So why do I think WannaCry was released prematurely? Because $300 is low for a ransom demand, especially for a ransomware attack aimed at the business sector and designed to scale globally. It makes more sense that $300 was a placeholder amount. “This looked like a shotgun approach to compromise as many systems as quickly as possible before anti-virus definitions could catch up,” says Andrew Spangler, principal malware analyst at Nuix, an intelligence, analytics and cybersecurity solutions company. “It’s possible the attackers were not even aware of how effective this propagation method would be.” Kill switch discovered On Friday night, a researcher going by the handle “Malware Tech” reported that he had reverse-engineered WannaCry and discovered a “kill switch” sitting at a domain name that the author had not yet actually registered. A kill switch also is somewhat unusual for ransomware. It could have been included as a tool to give the attacker the ability to release the ransomware in small doses, shutting it down to make tweaks. But WannaCry’s creator neglected to follow through and register his kill switch’s domain name. That made it possible for Malware Tech to come along, discover the unregistered domain name, register it and thus take control of the kill switch. He then was able to shut down the original version of WannaCry—by hitting the kill switch.

Yet to no one’s surprise, within a matter of hours, slightly tweaked variants of the original version began circulating. “Updated WannaCry variations have since been released,” says Ray Pompon, principal threat researcher at F5 Networks, an application services and security company. “The danger is still real.” Good guys, bad guys engage in cyber duel To be specific, new variants with a slightly modified kill-switch domain are spreading. A very small change connects the malware’s kill switch to a slightly different domain and creates a viable variant, says Chris Doman, threat engineer at AlienVault. “This allows WannaCry to continue propagating again,” Doman says. Fortunately, other good-guy researchers have taken it upon themselves to hustle to register the kill switch domains of any new variant that turns up and follow Malware Tech’s example to kill the variant when possible. “The cat-and-mouse (chase) will likely continue until someone makes a larger change to the malware, removing the kill-switch functionality completely,” Doman says. “At that point, it will be harder to stop new variants.” Security patching more vital than ever The kill switch subplot aside, one might ask why did it took this long—nearly a decade after Conficker—for cyber criminals to incorporate a Windows worm into an attack designed for monetary gain? Part of the reason is that Microsoft has put forth a tremendous effort to stay on top of newly discovered Windows vulnerabilities. Under its bug bounty program, it pays researchers handsomely to discover and report fresh Windows vulnerabilities. And it pours vast resources into issuing security patches in a timely manner. See also: It’s Time for the Cyber 101 Discussion   With respect to the specific Windows bug leveraged by WannaCry, Microsoft issued a patch in March. Still, the digital world we live in is both amazing—and amazingly complex. That means implementing security patches across an organization of any size can be an onerous process. The result is that vulnerability management, and security patching, lags well behind in the vast majority of organizations. This is true for patches issued by Microsoft, Oracle, Java, Adobe and any other widely used business system you care to name.

“Numerous organizations have fallen victim to these attacks because they failed to apply the patches in a timely manner or were using legacy systems that could not be patched,” says Andreas Kuehlmann, senior vice president and general manager of the Software Integrity Group at Synopsys. Unintended help from government An X-factor also came into play. It turns out that the National Security Agency knew all about this particular Windows bug and, in fact, possessed a tool to take advantage of it. Nothing wrong with that. Our intelligence agencies need to have the capability to match or exceed the cyber capabilities of China, Russia or North Korea. The X-factor that made a difference was this: Hackers stole that information from the NSA and published it online—delivering it on a silver platter to the creator of WannaCry. “Now that weapons-grade cyber attack tools are in the wrong hands, it is clear that tools and techniques previously reserved for use by nation-states are being integrated into crime ware for profit,” says Josh Gomez, senior security researcher at Anomali. “This means we can expect to see more of these exploits and tools leveraged in future attacks, each one likely surpassing the previous in sophistication and stealth.” Hang on to your hats, folks. Buckle your seat belts. Company networks’ defenses sorely need shoring up: This, we know all too well. And now attacks are all but certain to ratchet to an unprecedented level of intensity. Observes Jonathan Sander, chief technology officer at STEALTHbits Technology: “This massive attack is a potent mix of phishing to attack the human, worm to spread via unpatched Microsoft systems and ransomware to get the bad guys their payday. … The reason for WannaCry’s success is our collective failure to do the basic security blocking and tackling of patches, user education and consistent backups. As long as we fail to remove vulnerabilities and watch our files, bad guys will exploit us by exploiting our systems.”

Hundreds of millions of years ago, Pangaea was a supercontinent formation now commonly explained in terms of plate tectonics.  It began to break apart in three major phases, but at different times.  During this breakup, some species survived, and others struggled. This breakup reset the world.  It reorganized the continents, oceans and seaways that subsequently altered the cooling and heating of land and ocean. And it influenced five major mass extinction events, which resulted in significant loss of marine and terrestrial species. It disrupted the world, while creating a new one that would ultimately shape the future. We recognize this as pre- and post continental split. How does this history lesson relate to insurance?  We are exiting the pre-digital age and entering a post-digital environment where survival will be measured by rapid adaptability. The digital age represents a seismic shift in the insurance industry, due to the converging “tectonic plates” of people, technology and market boundary changes that are disrupting and redefining the world, industries and businesses — including insurance. As we outlined in our report, Future Trends 2017:  The Shift Gains Momentum, the shift is realigning fundamental elements of business that would take more than minor adjustments to survive, let alone succeed. See also: 3 Ways to Leverage Digital Innovation   Just like the tectonic shift millions of years ago that separated the two great continents, we are seeing a similar shift due to the digital age that is pushing a sometimes slow-to-adapt industry by challenging the traditional business assumptions, operations, processes and products. The shift is separating the continents of insurance into two distinctively different business models. The business models of the past 50-plus years (based on the business assumptions, products, processes and channels of the Silent and Baby Boomer generations) will soon be an ocean away from the business models of the next generation (including the Millennials and Gen Z, as well as many in Gen X). To avoid extinction on a pre-digital island, the business models of the past will need to quickly chart a course toward next-generation expectations. It requires a new business paradigm. We must redefine and re-envision insurance, embracing business components that work in the new context of people, technology and market boundaries and discarding the pieces that are outmoded or irrelevant. Most organizations can’t simply flip off their pre-digital switch (traditional business model and products administered on traditional systems) and flip on their digital age model (new services and products on modern, flexible systems that will handle digital integration and better data acquisition and analysis). So, the shift will require steps. Those steps will operate as both a bridge and a proving ground, while the traditional system is still operational as a firm foundation and the new foundation is being constructed. The steps are active and continuing, and they overlap.

1. Keep and grow the existing business, while transforming and building the new business.

This is crucial. Marketing and distribution should not pull back from traditional business in anticipation of the launch of new business models, new products or new channels. Insurers cannot stop pushing for more business of a particular type until or unless new products clearly nudge them out of existence. The current business is funding the future and needs to be kept running efficiently and effectively as the market shifts.

2. Optimize the existing business while building the new business.

A customer engagement improvement is ALWAYS an improvement. If an organization’s teams have been working toward placing digital front ends on the traditional business to engage customers, they shouldn’t stop in the middle of the bridge. Any process that can be optimized on the traditional side will help to maximize the existing business, reduce the cost of doing business and provide a bridge from the past to the future while beginning to enable realignment of resources and investment into the new business. These are very often the incremental changes that will also gently shift the customer base through new ways of doing business.

3. Develop a new business model for a new generation of buyers.

Some insurers have made the mistake of envisioning their digital front end as their big leap into the future, not realizing that they have only just touched the new landscape. They need a strategy for a new business model that supports simultaneous leaps forward that will create new customer engagement experiences underpinned by innovative products and services. This will create growth, competitive differentiation and success in a fast-changing market dynamic. Speeding Into the Digital Age Over the past year, the renaissance of insurance gained momentum due to the convergence of multiple factors or “tectonic plates” that are redefining insurance. The interaction between people, technology and market boundary changes are disrupting the world, industries and businesses that insurance serves. We have seen the introduction of new products, the establishment of new channels, the offering of new services, the launching of new business models and much more. These events have created disruption and opportunity for insurers. See also: The Key to Digital Innovation Success   It is a new age of insurance — a digital age. Each and every day, insurers must recommit to their business strategies and their renaissance journeys. They must avoid falling into an operational trap or resorting to traditional thinking. The appetite for traditional multi-year, multimillion-dollar, on-premise custom configurations has waned, all while new competitors, new business models and new products are being launched to the market in a fraction of the time and cost. In this new age of insurance, the focus is on speed to value including:

• Speed to implementation – get up and running in weeks or a few months versus years
• Speed to market – rapidly develop and launch new products with ready to use rules and tools
• Speed to revenue – rapidly enable business growth with minimal upfront cost

Building these new business models will continue to intensify.  Majesco is increasingly working with existing insurers and reinsurers who are taking new paths to capture the next generation of customers and position themselves for growth and sustainable agility across the new insurance landscape. Because new competitors don’t play by the traditional rules of the past, insurers need to be a part of rewriting the rules for the future. There is less risk in a game where you write the rules. Will you be stranded on pre-digital island in a sea of change?  Or will you join the game?

Could a blockchain platform deliver new markets, more agile products and large-scale cost efficiencies across the industry? Commentators have identified the insurance industry as an ideal candidate for transformation by blockchain technology. Many blockchain Insurtech pilots are exploring alternatives for processes in the insurance value chain such as know your customer (KYC) and claims. But few have seriously explored the more fundamental potential of blockchain for the insurance industry and considered how it could improve a substantial part of the value chain by removing rework and driving efficiencies, thus transforming the industry, including its operating model and cost structures and thereby opening up new market segments. Insurers Are Struggling with Digital Growing digital channels and transforming insurance organizations are hampered by:

• Complicated products. Clients struggle to understand product features while the ticket sizes and commitment durations are often intimidating. Products increasingly fail to meet client expectations and don’t suit new digital distribution channels.
• Legacy systems. Monolithic systems obstruct personalization and require long product development cycles. Straight-through processing remains the exception, not the norm.
• Limited customer service options. Insurers dictate which channels clients use for service while the omni-channel experience remains a dream and far from reality.
• Limited digital options for customers. Digital support is sporadic across the customer journey.

This means Asian insurers struggle to find a model to cost-effectively expand their reach into Asia’s emerging middle class while a growing millennially minded, digitally savvy demographic in mature markets is underserved. See also: Why Blockchain Matters to Insurers   Properties of a Blockchain Blockchain implementations have three fundamental qualities:

• Trust. All parties know their view of the current state is true and devoid of fraud.
• Transparency. Participants can be confident all counterparties have the same information.
• Immutable. The content of the transactions that delivered the current state can never be changed. The code encased in a smart contract will endure for the transaction’s lifecycle.

To understand this potential, let’s decompose the blockchain and understand the technology properties it brings to solving business problems.

• Database. First and foremost, a blockchain is a distributed database, with each node maintaining its own copy with the confidence that its version is identical to the other parties’ and safe in the knowledge that no one can change the history of transactions that have created the current state.
• Codified services. Smart contracts enable code to be executed at various points in the lifecycle of a contract. The executable byte code is enshrined in the contract. The code reacts to the changes in state by executing each time the variables in the contract are updated.
• Middleware. Contracts are replicated to all nodes on the network. Nodes can monitor the network and react to changes in the state of contracts. It’s publish-and-subscribe.
• Business process management. These properties create a perfect environment for BPM. Changes in the state of contracts can orchestrate a workflow described in the contract’s code. This enables the execution of complex processes where different parties (such as insurers and distributors) perform roles and execute a process.

Contracts stored on a blockchain cannot be changed. Once a contract is mined into a block, it is cast in stone. In blockchains like Ethereum, the code can never be changed but the variables can be updated, creating a new state and storing a new version of the contract. As each new version is propagated to the other nodes on the chain, the code will execute and react to the changes in state. This is perfect for updating contracts over the lifecycle of an insurance policy. For example, on each anniversary of a policy there are payments and renewals to be processed and commissions to be paid. The logic for this would be encoded in the policy at its outset. The rules would reflect the terms and conditions of the policy itself, the commission agreements for distributors and the processes of the insurer. All of this would be encoded in a smart contract representing the policy. Claims would be separate contracts, emitted by the policy and coded to follow their own lifecycle as they are assessed and paid. Integrating Industry Participants Blockchain is an ideal distributed platform for connecting participants in an industry that includes distributors, insurers and reinsurers. Like any industry with multiple participants, each party currently maintains its own version of data. At various points in the life cycle, these different perspectives need to be reconciled. This could be commission payments to a distributor or claims against a reinsurance agreement from the insurer to the reinsurer. A shared database means all of the participants are looking at the same single source. All the relevant participants know the current state of a policy or a claim. Many benefits are enabled by a trusted shared platform.

1. There is a single source of truth. Parties to a policy (distributors, insurers and reinsurers) are accessing a single source of information. This has the potential to deliver a true omni-channel experience.
2. The distributor could use a contract to request quotations from insurers on behalf of a client.
3. The terms, conditions and premiums for a policy, once agreed, are permanently encoded in a smart contract.
4. Names, addresses and contact details of the policy owner, the life insured and beneficiaries could be stored in client contracts so that all parties to the policies have up-to-date information.
5. Payments could be made by clients using tokens or be performed using traditional channels and tracked using oracles and contracts.
6. Documents relating to the policy, KYC and claims would be stored off-chain and shared in a parallel environment, with the blockchain used to share their provenance, locations and authenticity.
7. Reinsurers could be participants using contracts documenting reinsurance relationships. If an insurer has an agreement to cover a percentage of all policies written for a product, this could be executed automatically when a policy is underwritten.
8. Claim contracts would be linked to policies and any impact on reinsurance contracts would be instantaneous.
9. The model can be expanded to other participants. Providers of health services could access coverage limits and submit claims on behalf of clients.

Improving Business Agility Existing policy administration systems are cumbersome because their code base must support multiple generations of products. A policy administration system for life insurance, for example, needs to be capable of processing everything from term life to universal life, disability, health and every conceivable rider. Its commission system has to support every possible structure, including those that may have only been used for one or two products. This ever-expanding code base is costly to maintain and slows product development. Changes to accommodate new products need to consider this vast array of legacy to ensure nothing is broken when they are introduced. The policy contract on a blockchain would have its own heartbeat. Its code and business rules remain with it for its life. This may be a matter of days for travel insurance or an entire lifetime for a term life policy. But the code and business rules enshrined in the contract need only support that policy. It is self-contained, and it doesn’t have to include all of the options for every other product ever produced. This simplifies the code base. We no longer need a monolithic application to support all products and commission structures but smaller programs each supporting individual policies. This is the key to product and service innovation enabling experimentation with new designs. This will be important in new distribution channels, partnerships and reaching specific client segments with targeted offerings. See also: What Blockchain Means for Analytics   Keys to Success To realize this vision of an industry platform on a blockchain, a successful solution would need these features:

• Enterprise scale. It would need to be capable of processing the volume of insurance transactions in a jurisdiction.
• Credentials. Access must be limited to properly qualified industry participants. With participants filling different roles (distributors, insurers, reinsurers, etc.), a system of credentials is required to govern the permissions of participants.
• Encryption. Blockchains are typically public. People often confuse the cryptographic structure of a blockchain with encryption of its data. The state of a contract can be seen by all participants in a basic blockchain, whereas policies and insurance transactions need to be confidential. Any solution needs a method for encrypting individual contracts.
• Open APIs. There must be a set of services defined and implemented enabling each node to interact with the participant’s own or third party systems.

Conclusion A blockchain-based industry-wide platform will be the catalyst for entirely new paradigms for selling and administering insurance. The shared platform offers cost-effective adoption of new technologies giving access to new generations and segments of consumers. As business models of existing and new players within the industry flex and evolve, their integration via the platform will deliver a seamless, rewarding client experience. And blockchain technology will uphold the secure, trusted and reliable qualities that are so critical for insurance brands.

“Star Wars” first appeared in theaters on May 25, 1977, unleashing one of the great, galactic pop culture tsunamis ever seen. And while there has been an explosion of technology and innovation since that time (one that would rival the explosion of the Death Star), virtually nothing has been done regarding the way insurance information is shared via forms, certificates of insurance, driver ID cards and the like. Workers' compensation may be leading this backward trend. It’s no wonder that workers' comp insurance draws a lot of attention. Covering more than 90% of the workforce, with more than $45.5 billion in total premiums from both private carriers and state funds and a combined ratio of 94%, workers' comp is one of the few bright spots within the commercial lines market. With payrolls rising $316.5 billion by year-end 2016, not to mention $1.16 trillion in construction projects, there will be billions of dollars in new premiums for workers' comp coverage. If economic growth and hiring continue as projected, workers' comp exposure is likely to remain among the faster-growing major commercial P/C lines of insurance in 2017 and beyond. And this positive outlook takes into account that workers' comp fraud is 25% of the P&C industry-wide annual fraud problem of $34 billion. Many are investing heavily in new systems and technology to reach this rich marketplace. Carriers, brokers, agents and third-party service providers are all positioning themselves for a larger slice of the workers' comp pie through innovative and forward-thinking technology. However, with all the technology available within the workers' comp ecosystem, it consistently takes a giant leap backward when it comes to requesting, generating and delivering proof of insurance. Form-based certificates of insurance are universally produced and passed like a hot potato between different stakeholders, yet they provide no real proof of insurance. As one industry pundit put it, “At best, it’s just a piece of paper that shows proof of coverage at the time it was issued. At worst, it’s fraud.” Some are touting the ability to request proof of workers' comp coverage from a mobile device. Yes, through an app, you can request a workers' comp QR code that can be used to request a certificate PDF. But this PDF has all the usual limitations: no updates, no notice of cancellation, no ability to compare data with coverage needs, no exception processing. See also: How Should Workers’ Compensation Evolve?   Because the form-based certificate of insurance has been the forum for exchanging dead data, people have been attempting all sorts of subterfuge to require wording on the certificate in a vain attempt to make it say something that is not in the workers' comp policy. It’s important to realize, from a business and insurance standpoint, that a certificate has many inherent limitations and weaknesses. For example, a certificate CANNOT:

• Extend or modify policy conditions or rights to the certificate holder. The insurance policy is a contract, and changes to those terms can only be accomplished by following proper procedure as outlined by the insuring company. Extending policy rights, such as additional insured status, can only be accomplished by properly endorsing the insurance policy in question.
• Guarantee a policy will not be canceled in accordance with the conditions of the insurance policy. Cancellation of a workers' comp policy is controlled by state statute and cannot be modified by a certificate.
• Provide insurance coverage to the certificate holder. The insurance certificate only indicates coverage found in place on the policies in force at the time the certificate is issued. A certificate of insurance coveys no insurance coverage to the certificate holder; only proper endorsements to the insurance policy can achieve that.

There are many large industries that are totally dependent on workers' comp coverage and proof of insurance — construction, transportation and agriculture, to name a few. Roads, bridges and buildings don’t get built or repaired without workers' comp insurance. Nothing moves across our highways without workers' comp insurance. Crops, fruit, cattle and food do not get produced, harvested or delivered without workers' comp insurance. As we move forward into a 21st century economy, more companies and workers are shifting into the gig economy where workers' comp is either not there at all or has substantial holes. Under current definitions, gig economy workers, sometimes called on-demand workers, are neither employees nor independent contractors. If a rideshare driver is attacked by a passenger, sustains severe injuries and cannot work for a long period, how is his or her income replaced? For that matter, if any on-demand worker is injured on the job (accident, repetitive motion injury, etc.) how is his or her income replaced? And with the current state of health insurance, or the lack thereof, how are his or her health bills paid? While there are a number of instances where coverage verification is needed for workers' comp alone, many times other lines of business need to be verified simultaneously. General liability, commercial auto, commercial property and other types of insurance also require verification at the same time with workers' comp, by the same stakeholders. These coverages may be within a single business owners policy (BOP), or they can be spread across multiple policies, written by multiple carriers, with different effective/expiration dates. See also: Five Workers’ Compensation Myths   Rather than pushing around forms filled with dead data, workers' comp deserves a digital ecosystem where all stakeholders can securely connect and share coverage information. Online and continuing coverage verification automatically validates that insurance in force. Additionally, the needs of each stakeholder are evaluated, alerting stakeholders on an exception basis. It’s time to move forward from, “May the forms be with you” to “Let the data be with you.” This is GAPro’s vision and mission.

With 3 trillion reasons ($$) to protect the status quo, it should be no surprise that employing frontal assault on healthcare would be laughably ineffective. This would be like the revolutionaries battling the British army via a frontal assault. One could argue that top-down, governmental efforts to reform healthcare are experiencing what happens through a frontal assault -- fierce resistance, rage and lobbying to name a few. Rather, there are two overriding drivers to how the Health Rosetta Institute (HRI) is approaching the daunting challenge of attempting to transform an industry that is remarkably adept at preserving a wildly under-performing status quo. Healthcare is already fixed. Join us to scale the fixes As we state on the Health Rosetta Institute’s website, “Healthcare is already fixed. Join us to scale the fixes.” The genesis for the Health Rosetta was my seven-year quest to find all of the solutions that are actually working. The great news is that we’ve found a wide array of pioneers who’ve proven what works in rural and urban settings, in the private and public sector, in large and small organizations and in every corner of the country. They've shown how to tackle even the most vexing health challenges with extremely demanding populations. These are the sorts of things I capture in my forthcoming book, CEO's Guide to Restoring the American Dream: How to deliver world class healthcare to your employees at half the cost. This is a contrast to what’s happening in DC, which is largely moving deck chairs around on the Titanic debating who pays for a “morbidly obese” healthcare system that is the third leading cause of death (due to preventable medical mistakes) despite pockets of brilliance in our system. Community-driven change from the bottom-up: A network of networks We believe in community-driven change from the bottom up. Central governments have largely reached the limits of what they can achieve, so community-level change is where the real action is. Bruce Katz articulates this in his book, "The Metropolitan Revolution: How Cities and Metros Are Fixing Our Broken Politics and Fragile Economy." Social-impact-investing pioneer Chris Brookfield has put this approach into effect in areas ranging from microfinance to local food production. “Community” can be defined as an employer and its employees, a town, a neighborhood or a group of five women. These are local networks able to drive change in their sphere of influence. See also: A Caribbean Hospital: Healthcare’s Solution?   Nothing about the Health Rosetta is employer-specific or even U.S.-specific. However, employers and unions are two communities that have an imperative to change. The smart ones are embracing that opportunity and spending 20-55% less on health benefits with spectacular benefits packages. A key reason that the goal of universal care is feared by some is that both the private and public sector versions of healthcare in the U.S. have out-of-control costs. Government entities themselves are huge employers. With few exceptions (Kirkland, Milwaukee and Pittsburgh are examples of how to do things right), public sector employers are just as bad at purchasing health benefits as any private-sector employer. Even when there is political will, such as in Vermont, efforts at universal coverage failed as unaffordable. For those seeking universal care as an objective, a logical path is for it to start with public-sector employees in high-value benefits programs. Once proven there (like Kirkland, Milwaukee and Pittsburgh), extend to state-based programs such as Medicaid, and then there will be a large body of evidence that it won't bankrupt citizens. In fact, it will do quite the opposite if the smart path is chosen. The Season of Resilience Speaking broadly, Brookfield points out how 1950-2001 was the Efficiency Era - or what he calls “The Great Moderation” that had key attributes such as conglomeration and centralized production and control. 2001-2016 was about hierarchies fracturing with tumult such as Brexit and American populism that led to the success of the Sanders and Trump campaigns. Hierarchies are fracturing in healthcare such as an explosion in employers taking control of their healthcare spending and doctors leaving insurance-centric practice models -- in both cases, they’re cutting out middlemen that are out of touch with specific communities. Looking forward from 2017 is what Brookfield calls the Season of Resilience, where geography is resurgent and grassroots is the dominant lever of change. Just as the electrification of America happened at different rates in different locales, the move toward Health 3.0 will happen in some geographies faster than others. However, we draw from the lessons of the Internet and open, distributed systems, which is a network of networks. For too long, healthcare has operated as a set of isolated tribes with limitations on tribal knowledge being passed around slowly. We believe the Health Rosetta Institute’s greatest value is serving as a network of networks to accelerate the dissemination of proven approaches that can then be adapted to local market conditions. The first network we're building, due to their outsized influence on the health ecosystem, is benefits consultants. Despite not promoting it at all and it being buried on our website, we're getting tremendous interest in our first phase rollout. One of the individuals most responsible for the explosion of Internet growth was Tom Evslin who has a blog called Fractals of Change. The depiction of fractals show how a fractal is a never-ending pattern (click for an interactive version). Fractals are infinitely complex patterns that are self-similar across different scales. They are created by repeating a simple process over and over in an ongoing feedback loop. Driven by recursion, fractals are images of dynamic systems – examples include trees, clouds, coral reefs and the Internet in a virtual context. Another visual is at the heart of the approach we’re taking with the Health Rosetta. The non-profit institute is gathering and sharing insights in an open, distributed manner. It has a sister organization, the Health Rosetta Group (HRG), that is focused on bringing capital to ideas that fuel the positive transformation of the health ecosystem. Brookfield created the graphic depiction below to describe how his social impact investing approach is replicated in a distributed manner. Health and healthcare are very local but there are approaches that can be shared to rapidly accelerate transformation. [caption id="attachment_26112" align="alignnone" width="968"] Graphic courtesy of Chris Brookfield[/caption] The HRG believes sustainable investing requires focus on a particular region/sector with an eye towards social and economic benefits that reflect aligned values. It has a long-term focus that taps motivated local entrepreneurs to create businesses that enhances economic resilience which creates sustainable economic development (“Economic Development 3.0”). These emerging organizations are strengthened through local business and ultimately can create value for investors that ensures long-term resilience of local interests. We believe the path to optimizing health is a move away from centralized massive assets whether that is massive food production producing low-value food or massive medical centers that produce high volumes of low-value procedures (e.g., where 90% of spinal procedures were of no help). A strategy that is more aligned with community interests will deliver resilience, variability and locality that is part and parcel of Health 3.0. See also: Healthcare Buyers Need Clearer Choices   I wrapped up by TEDx talk with the following that seems appropriate here:

For too long, we’ve let healthcare crush the American Dream. We can’t stand for 20 more years of an economic depression for the middle class. No country has smarter or more compassionate nurses and doctors and no country has more innovators that have reinvented our country time and again. In every corner of healthcare, people went into healthcare for all the right reasons but perverse incentives and outdated approaches have shackled them. Whether we knew it or not, we all contributed to this mess. Now, it’s on us to fix it. When change happens community by community, it’s impossible to stop. Yes, healthcare stole the American Dream. But it’s absolutely possible to take it back. Join us to make it happen in your community.

We are working on catalytic events to accelerate the change. The institute is helping raise awareness of the rising risk to corporations and boards that will compel them to act. In parallel, we continue work on The Big Heist film (think The Big Short for healthcare) that will wake up America to the greatest heist in American history. Please share Ted talk: Healthcare stole the American Dream. Here is how we take it back. Sign up for The Future Health Ecosystem Today newsletter to be in the know about healthcare's future.