Underlying issues

Continuing to do business as usual is not acceptable. NCM needs to address several issues to qualify as legitimate contributors. First, NCM needs to articulate its value. To do that, NCM must computerize and standardize its process and measure and report outcomes, just like any other business in today’s world.

In most situations, an individual NCM interprets an issue, decides on an action and delivers the response. The organization’s medical management is thereby a subjective interpretation rather than a definable, quantifiable product. 

Granted, the NCM is a trained professional. But when the product is unstructured, variables in delivery cannot be measured or appreciated. A process that is different every time can never be adequately defined.

It's crucial to establish organizational standards about what conditions in claims require referral to NCM—without exception. This will remove the myriad decisions made or not made by claims adjusters to involve the NCM. The referral can be automated through electronic claims monitoring and notification. NCM takes action on the issue according to organizational protocol, and the claims adjustor is notified.

Measure

When the conditions in claims that lead to intervention by NCM are computerized and standardized, the effects can be measured. Apples can legitimately be compared with apples, not to oranges and tennis balls. Similar conditions in claims are noted and approached the same way every time, so the results can be validly measured.

In a fraternity, they’d call this hell week. At your agency, this is the one week each year when you deliver renewals to your four largest accounts. 

Renewals might be a misnomer this year because you are moving all of the accounts to a market that is better for you and them. Two of the accounts were being non-renewed, and you are not renewing the other two with the existing carrier. 

Its midnight, and you’ve just left your office. Miss Hathaway is still there putting the final touches on the renewal proposals. They’ll be on your desk in the a.m. as you begin this market marathon. In 48 hours, you’ll have worked your magic on 32% of your book – these most important accounts will be laid to rest for another 12 months. 

The staff thinks you’re crazy for waiting until the last minute. You’ve had these offerings in house for the past three weeks. But you think strategically. If you delivered these renewals when you received them, a ruthless competitor would have delivered a better quote a day later. Instead, you’ll be picking up deposit checks from four clients in three cities in a day and a half.

You need gas, but you need sleep more. You can fill up in the morning. Your wife and daughter are out of town, and your son is staying somewhere across town with a classmate. You can’t even remember who or where. Your wife will call in the a.m. and catch you up on the details.

You hit the bed for a few hours of rest. At 3 a.m., you’re awakened by police chatter. Your first thought is that you left the TV on in the den. As your head clears, you realize a police cruiser is driving through the neighborhood announcing an emergency evacuation. The announcement is garbled, but the message is clear – everyone is to evacuate at once. 

You throw on your clothes, grab your smart phone and iPad and head to the garage. As you open the car door you remember the gas you didn’t buy. As you approach the interstate's entrance ramp, you see chaos – total gridlock. You look west to see the sky aglow. This is near the nuclear reactor that has been the region’s source of electricity for decades. Just when you think your situation can’t get any worse, you hear explosions that remind you of the bombing raids in Vietnam. You realize the chemical and oil storage tanks in the industrial corridor north of town must be exploding – the sky is lit up like it’s noon.

The Emergency Broadcast channel’s message is clear – mandatory evacuation – everyone must be out at once. The danger zone is currently 50 miles in radius – you try to call your wife, but the cell phone signal is not adequate or jammed by too much traffic – what about your son? Your wife and daughter? Miss Hathaway? What if? What now? What next?

This is what a real disaster looks like.

As a public service, I offer this initial list of worries for you to consider in advance of a disaster. More serious problems will follow.

1. Can you reach your wife and kids and find a place to join up with each other?
2. What about your employees and their families – can they get out safely?
3. What about your friends, clients and their families, and the community – what about them?
4. What about the work on your desk? Your renewals? Miss Hathaway has been encouraging you to go paperless, but you’re old school – you still use paper files – a rolodex – a written calendar. You need your office and your desk? You couldn’t get there now if you owned a helicopter.
5. What about your agency? These are busy weeks. How do you connect with everyone? What if you can’t get back to town for two weeks? What if there is a radiation leak – could two weeks become two months? – two years?
6. It’s taken an hour to go two miles – you need gas. Your phone isn't working. You’ve got to pee!
7. An agent friend in New Orleans told you the most important thing to do in a disaster requiring you to evacuate is to get a temporary office and temporary housing so your team and their families can recreate your agency wherever y’all land. How will they know where to go and what to do?  What will this cost? What if the team can’t or won’t get there?
8. Reality grabs you – electricity failed for four hours in your office last week, and many of the staff couldn’t cope. How will they deal with a real emergency? What if they can’t? What if some quit?
9. Wait – your four biggest accounts have coverage expiring in less than 48 hours, and they don’t even know the terms of the renewals. The carriers have to be notified. You dial your cell again only to realize there is no signal. Will a connection return?
10. You look to the right to see your agency billboard with your tag line -- “We’re at our best when your problems are at their worst!" You were so proud of that theme when you first heard it. Will this prove to be a lie displayed on a billboard? What about claims? What next? 
11. The radio reports are now catching up with the disaster and evacuation – all motel rooms are now filled in the first 40 miles outside of the evacuation perimeter. Nearest available housing is at least 90 miles away. It’s now 5:30 a.m.
12. Suddenly, your worst fears are realized – the governor is announcing that radiation leakage has occurred and that no civilians will be allowed back into the evacuation zone for at least 30 days and probably 60.

You start preparing a “to do list” in your brain – not for 60 days but for the next 24 hours. Is this too little too late? It’s the best you can do, but it is the wrong time to be doing it. If only you had done this sooner. 

Got the picture?

Here’s a “to do” list that might help mitigate damage by future disasters if you plan ahead:

1. Understand that disasters (s_ _ _) happen – disaster awareness, preparation and planning can mitigate the damage for you, your family, your agency and team and your clients.
2. Disasters are events – the planning and plan implementation are a process – a critically important process.
3. Don’t plan in secrecy – engage your team, your clients/prospects, community, experts and carriers. This involvement may prove to be logistic and marketing genius.
4. Don’t dictate the process – engage all in the discussion – find the best ideas.
5. Be certain that your operations are not location- or paper-dependent – be virtual, with access from afar. The good news is that this is now doable – years ago, it wasn’t. Back up systems always.
6. Visit with carriers to build strategies to mitigate the shared challenges all will face. What works best for the insureds, the carriers and your team? If a catastrophe doesn’t force you to evacuate, offer hospitality and kindness to the storm troopers in your communities – they need it.
7. Create a crisis communication plan and identify who can speak for the agency – what the message is and what the media needs to hear - even if it is just signs in the windows of your office. Remember, electricity and phones may not work for days or weeks.
8. Give clients a policy ID card (or a thumb drive with their policy info) and carrier contact information to carry in their vehicle. A policy in the safety box at an unoccupied home is of no value.
9. Establish contingency plans with a fellow agent to facilitate their relocation to your office or your relocation to theirs in a worst-case scenario. Discuss plans to find temporary housing, phone and computer and Internet access for the families and team of the displaced agency. Remember that there will be “No Vacancy” signs quickly appearing after an evacuation.
10. As you and your team begin recovery and claims handling – allow time to comfort (group hugs) each other and pray (there are no atheists in foxholes).  Constantly monitor your team, too, for post-traumatic stress disorder – some can handle disasters, some can’t – assign work according to cope-ability.

This is far from a complete list, but it is an adequate starter kit – the process and the engagement of others will lead you down the path you need to go – “the road less traveled.” Godspeed!

Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy and other risks. But selecting and negotiating the right insurance product can present a significant challenge, given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile. The following five tips will help to facilitate a successful cyber policy placement.

#1. Get a Grasp on Risk Profile and Tolerance

A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted and stored. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure and risk tolerance, it is well-positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

#2. Look at Existing Coverage

The California federal district court’s recent decision in Hartford Casualty Insurance Company v. Corcino & Associates et al. ¹ -- upholding coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients -- underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.

#3. Purchase Cyber Insurance As Needed

As recently described in Law360,  ² in response to decisions upholding coverage for data breach, privacy, network security and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. By way of example, Insurance Services Office, Inc. (ISO) ³ recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information. ⁴

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk Protector^® specimen policy ⁵ states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” ⁶ “Privacy Event” includes:

1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.⁷

^​“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
4. information used for authenticating customers for normal business transactions;
5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

• costs associated with post-data breach notification
• credit monitoring services
• forensic investigation to determine cause and scope of a breach
• public relations efforts and other “crisis management” expenses
• legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem. 

The sublimits typically associated with remediation coverage warrant careful attention. Cyber insurance policies often offer other types of coverages, including:

• network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
• media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
• information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
• network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
• extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.

In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.

#4. Spotlight the “Cloud”

Cyber risk is intensified by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that more than 41% of U.S. data breaches are caused by third-party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” ⁸ Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and to network security threats to the insured’s own network or computer system -- not the networks / computer systems of third parties. This may result in illusory coverage. As recently described in Law360, ⁹ the recent high-profile attack on the New York Times homepage, during which users who tried to access  www.nytimes.com were directed to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies because the attack was not on the New York Times “system” as defined in many policies, but rather on the system of a third-party domain name registrar.

#5. Remember the Cyber Misnomer

Keep in mind that many data breaches are not electronic -- they often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a cyber insurance policy. A solid policy will cover non-electronic data, such as paper records. ¹⁰ Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop or loss of a USB drive.

There are many other considerations and points to focus on. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

This article first appeared in FC&S Legal, The National Underwriter Company on October 17, 2013.

The original intention of the EU's Solvency 2, the regulatory requirement for capital held by insurers, was to create a framework that inspired policyholder confidence and restore trust. The real outcome was to force insurers to undertake massive programs of data management at costs that, for some Tier 1 insurers, have exceeded $200 million. Some insurers said they would pass the cost on to their customers, which I’m sure wasn’t the intention.

In what was arguably worse, the cost became so great that other useful programs were put on hold because of this burning regulatory platform. The knock-on effect has been to create delay especially in customer-facing activities (which would have had a far better impact in improving confidence and trust).

Some international insurers suggested that the requirements might prevent them from trading in Europe – creating a "Fortress Europe" – but Solvency 2 seems to be emerging in multiple guises around the globe, in China, Latin America, South Africa and of course the U.S. in the form of RMORSA.

There’s lots written on this topic, such as http://www.solvencyiiwire.com/, and I won’t bore you, but as I looked out at the faces at a major conference in the U.S. where I spoke recently, I recognized the look I saw in many insurers in Europe in 2008 -- that of not really knowing what was going to hit them.

Insurers were to discover that more than 80% of both cost and implementation time was absorbed in data management, 15% on analysis and the small balance on risk reporting. Yet the reporting element proved to be the only part visible – reminding me of an iceberg analogy, with the reporting being that part of the ‘berg visible above the waterline.

Comparing risk and regulation to an iceberg is interesting, and as I looked around the room at the conference, I wondered how many attendees were ready for what would be, for them, a long and difficult passage. But not, I hope, a Titanic one…

Castlight is in the news, with the largest IPO in the history of employer cost savings tools. Despite only $13 million in sales and a $62 million loss, the market is rewarding the company by valuing it at more than $1 billion.  

We will let others opine on the fairness of that valuation, but clearly that valuation reflects an expectation that there is a huge market for tools that employees can use to shop around for lower-priced medical care. And there is so much buzz around this company that even notoriously insulated human resources executives are going to hear about it, and ask you whether it works. By way of background, in case you’ve been off the grid for a few months, the basic Castlight intervention is an app that allows employees to identify and price venues for elective procedures, high-cost diagnostics, specialists, hospitals, physical therapy and other uses of care. It may help employees avoid emergency care for conditions that are merely urgent, and there is a pharmacy app, as well.

This column will help you provide the type of pluses and minuses that your clients count on you for, and that should sound insightful enough to cement your status as a trusted adviser.

Pluses:

1. Employees who have not yet satisfied the annual deductible will indeed save money, possibly a lot of money, on fungible resources – like MRIs and CT scans – where there really is no actual or perceived quality differential;

2. In addition, employees will appreciate the convenience of being able to find a place that may be closer, have earlier availability, weekend hours, etc.;  

3. Employees will also appreciate that the app will tell them how much of their deductible remains to be satisfied and give them other financial insights;

4. Because the employee is the one saving the money if they are low-enough utilizers not to exhaust their deductibles, you can offer this app as an offset when moving to a high-deductible plan, or use this as one enticement to get employees into a high-deductible plan. Otherwise, direct decreases in your own health benefit are likely to be modest.

So far, so good. And, by the way, Castlight is good, relatively speaking. It is a far better use of money than wellness, for example. However, your client can learn these benefits directly from Castlight. The greater insights you can provide are about the cautions, and setting low expectations for an ROI.

First, much of medical care is not likely to be shopped. Perhaps employees new to an area will shop for a primary-care physician (PCP) using Castlight, but probably not on the basis of price, given that PCP checkups are free. And generally people don’t shop for specialists on the basis of price, but rather use someone referred by the PCP who is “in-network,” and typically in-network doctor visits have the same co-pay once the deductible is satisfied. Or if employees don’t use someone referred by the PCP, they’ll use a referral by a friend to someone who is “supposed to be one of the best.”

Second, once employees satisfy the deductible, people are far less likely to be price-sensitive beyond in-network and out-of-network differentials. Employees will be much more interested in saving their own money than saving your clients' money.

Third, a corollary is that the really high-cost employees—the 5% who consume 50% of your resources—will easily blow through their deductibles. Castlight will be of very little use to them. Likewise, emergency care and admissions generally are not price-sensitive, and the latter itself would blow through a deductible.

Fourth, there is an implicit assumption that when employees go shopping for medical care, it’s for the lowest price. They are equally if not more likely to be shopping for convenience, perceived quality, availability etc.

Finally, in non-urban areas and for less common specialties, there isn’t likely to be much choice; all the price comparisons in the world aren’t going to be helpful if the low-price option is an hour’s drive away.  

Put all that together and the result is at best a very modest cash-on-cash ROI. Note that Castlight doesn’t scream about ROI on its website. This could be a testament to their honesty, or else – call me a cynic here – because they are going public they’ve decided not to be liable to shareholders for false representations.  

In the past, their impact calculations have been squirrelly. Take a hard look at that link because they may be reporting similar statistics to you. Don’t assume that “influencing a healthcare decision” means saving money, and when you see a figure like “61%” for engagement, don’t assume 61% means 61%. In this Honeywell example, 53% registered, 60% of registrants used the app and 61% of users say the app “influenced a decision.” Do the math--53% times 60% times 61%--and that means just 19% of all employees in the case study say they benefited from the app. Yet somehow Castlight claims 9% overall savings. To make their own figures tie together, you’d need to assume that those 19% used the app for just about everything and were able to cut almost 50% out of the price of everything they used the app for.

In other words, that 9% savings figure is made up. (Welcome to the world of population health management.) However, unlike with wellness vendors (which are more likely to harm employees than benefit them), there is an employee benefit to using Castlight, and unlike with wellness vendors you don’t need to bribe or threaten employees into using the app. The app speaks for itself.

Beyond these observations, there are many strategies you yourself could undertake with your client to maximize the value of Castlight and, more importantly, your own services. For instance, if you find that a delivery costs between $2,000 and $8,000 (for hospitals that get an A or B from Leapfrog – and you want to choose those so you don’t expose yourself to charges that you are pushing lower-quality institutions), you might recommend a $5,000 delivery benefit and let people make their own decisions as to where to go.  

You can also use the Castlight app as a negotiating lever. If you show a nearby high-cost provider what the price differential is and how you are giving employees the tool to look elsewhere, you may be able to negotiate a better price, a win-win for everyone in your value chain. It’s a “lose” for the provider in question, but that just means you’re doing your job.

Let me assure you from the outset that this article has nothing to do with losing belly fat, curing diabetes with cinnamon or buying real estate with no money down. And, unlike other enticing articles that make you wade through 30 minutes before they tell you about that “one trick,” I’ll get right to it. The trick is: communicate with injured workers.

This is something that most workers' comp professionals have known for a long time: Generally speaking, injured workers don't call the TV plaintiff attorneys because they want more money -- they call plaintiff attorneys to file a claim because the employer/carrier has not communicated about benefits claimants can expect to receive or how the workers' compensation process works.

I know this to be true because of what plaintiff attorneys tell me. When I have my first conversation with opposing counsel on a new claim, she will often say something along the following lines: "Brad, if your employer/carrier had just explained to my client what was going on, the claimant wouldn't have hired me to file a claim."

Once the plaintiff attorney tells the claimant about his workers' compensation rights, the claimant then believes that he has "secret" information, and that creates a lack of trust toward the employer.

Listen, you can buy a kidney and find the schematics for a nuclear reactor online these days -- and employers think that claimants can't find out about their workers' comp rights? I have one word for you: Google.

So, why do many employers and carriers insist on giving claimants the “mushroom treatment” (kept in the dark and covered with....fertilizer)?  I can think of three reasons.

First, many employers wrongly believe that communicating with the claimant about the workers' comp process will encourage more claimants to hire attorneys and file claims. While this may seem intuitively correct, it is empirically false. Claimants hire attorneys because of too little information, not too much.

Employers think: “If I have a safety meeting on what benefits injured workers receive when they file a comp claim, aren’t I just teaching them how to get more money out of the process?” Legitimate concern. But once an employer understands that the motive to hire an attorney and file a claim is more often driven by uncertainty rather than greed, this concern tends to diminish.

Second, workers' comp professionals (HR directors, safety directors, adjusters, defense attorneys, nurse case managers, etc.) know the process inside and out. We know all of the acronyms, the sequence of events and even a lot of great big medical terms that sound really cool at parties. ("Epicondylectomy" and "acromioclavicular" are two of my favorites.)

It is easy to forget that a claimant experiencing his first work-related injury has NO IDEA about how doctors are chosen, how TTD benefits are calculated or what MMI even means. Because we often fail to discuss comp rights and benefits with claimants without using the legalese and comp terminology that we throw around on a daily basis, the claimant becomes more confused than a dad reading a bicycle assembly guide translated from Chinese. 

Third, I’ve been told by plaintiff attorneys that many claimants are treated from the outset as if their claim is fraudulent. Don’t misunderstand me: I’ve seen my fair share of fraudulent claims - - most workers' comp professionals have. But not every claim is fraudulent. The challenge is spotting the fraudulent claims that are hidden within the legitimate claims. If employers or carriers treat every claimant as a fraud even before there is evidence of fraud, we’re giving free advertising to plaintiff attorneys. 

I say: Bypass the cloak-and-dagger approach, tell the employees up-front about what to expect and watch the volume of litigated claims go down. 

Now, if I could only find that “one trick” to regrow hair!

The Last Analog Generation—let’s call them LAGgards—are departing, and in their wake a fascinating new world is emerging.

I’ve been surprised lately, when meeting with the nation’s leading financial service providers and discussing the tsunami of intergenerational wealth transfer that is upon us. The generation that is now entering (or will soon enter) the work force stands to receive something like $30 trillion of personal wealth over the next 20-30 years. That’s a staggering figure by any measure, but what’s really surprising is the apparent lack of preparedness and stunning dearth of appreciation for the opportunity – and potential threat – this massive wealth transfer represents to stalwart companies and even entire industry sectors.

For context, according to research, there exists roughly $230 trillion of personal wealth around the globe. That’s both financial wealth, like cash and its numerous equivalents, and real and personal property; the figure does not include corporate or public holdings. To give some sense of perspective to the enormity of that figure, just consider that the gross world product (the combined market value of all the products and services produced in one year by all the countries in the world) totaled approximately $85 trillion in 2012. Thinking about the number another way: To accomplish the transfer of $30 trillion over the next 30 years would mean that more than $1.9 million would have to change hands every minute.

By the time the last baby-boomer has shuffled off this mortal coil, about 13% of all global personal wealth will have changed hands in one form or another. Understanding some of the techno-societal distinctions between the bequeathers and the bequeathees should be a discipline required for anyone who aspires to make sense of the opportunities or threats attendant to the wealth transfer.

Because we develop a sort of digital life for the things in our users’ lives (by collecting and digitally managing all the information about those things), Trōv is becoming a technological bridge between the LAGgards, who were born before the digitization of everything, and the emerging generations who are indisputably “born digital.” In our interactions with users and the service providers that are precariously dangling between these two distinct constituencies, we are developing a sense for both parties. A couple of the big thoughts that seem to aptly describe what influences the perspectives of two groups are at once technological and sociological: the death of privacy and the power of information symmetry.  

Privacy is dead

LAGgards are concerned that their personal information remains private. Okay, this should neither surprise nor irritate any of us. However, the norms for what is considered private are being entirely redefined by the constant revelations of breaches (both nefarious and national) – and the new (ab)normal boundaries of self-disclosure regularly displayed on the massively adopted social media platforms like Facebook, Twitter and their do-alikes.

Just take a peek (if you have the stomach for it) at Instagram’s ersatz cult of spoiled children referenced as #richkidsofinstagram. Photos are regularly posted depicting the profligate lives of a generation of an über-wealthy and unbelievably overexposed generation reveling in their latest acquisitive binge or imbibing impossibly costly libations.

As Robert Scoble, one of the oracles for the emerging generation of Digital Natives, intimated to me, privacy is all but dead, and it is no longer a core issue of the emerging generations. So what? Self-disclosure and widely available information about all connected people and institutions will make a profound impact on reputations: personal, corporate and governmental, and if you’re attempting to engage the new generation of wealthy, transparency is mere table stakes, at best.

Information symmetry -- your advisor is dead (he just doesn’t know it, yet) 

Information symmetry will be the death of intermediated businesses. When Netflix started shipping CDs and DVDs to homes throughout the U.S. in the late 1990s, the writing was on the wall for the leading distributors of home video. And, as cloud storage and high-bandwidth digital pipelines became ubiquitous and increasingly affordable, Blockbuster (as a proxy for all things analog) scuttled its storefront retail business – bowing out because its distribution channel was obliterated by technology’s relentless march.

Retail auto sales have undergone a somewhat similar coming-of-(digital) age, as well. For years, LAGgards have been subject to the demeaning process of haggling over price, because details about costs were kept intentionally opaque, giving the salesperson the information advantage. (This imbalance in access to data is sometimes referred to as information asymmetry). The sales process was successfully upended when data from the likes of Carfax and Kelly Bluebook were made instantly accessible to anyone with an interest and a browser. 

For roughly similar reasons, LAGgards have grown dependent on trusted advisers, various specialists and brokers to make decisions about many of their important investments, risk, spending and even medical choices. Data asymmetry is at the very center of the LAGgards’ dependence on these data-equipped intermediaries, and models for business -- even entire business sectors -- have been built on its expected continuation. 

But make no mistake, these intermediated, information-unbalanced businesses are (or soon will be) in trouble; their added value questionable. With massive data availability, the information-scales are being leveled, and with instant, mobile connectivity, the generation-digitalis is no longer apt to transact or make decisions through a human intermediary. The generations of Born Digitals demand immediate, hands-on, intermediary-free access to nearly all aspects of their lives. 

So what? If your livelihood assumes that your clients will be dependent on you because you alone hold the magic elixir of unique information, beware. You might need to consider embracing the new models of info-egalitarianism rather than resisting them. 

To wit, we recently began testing an in-app capability to insure a newly acquired item at point-of-sale with literally the push of a button. This action alerts the broker-of-record to information that had been previously unavailable and carries tremendous customer-retention and quality-of-service implications (not to mention risk management and potential revenue upticks).

I have been perplexed by some brokers, who appear more concerned about the incremental work that this might create than the expansion and quality of their service. Powered by data accessibility, irrespective of our entrenched operations, the march toward disintermediation is inexorable.

Although these two ideas -- personal privacy and disintermediation –- may appear to be distinct families of thought, they are much more than distant cousins. Indeed, they are utterly related and perhaps alone frame the most important distinctions between the LAGgards and the Born Digitals.  

If you depend on your intermediated services and expect them to remain relatively unchanged, you may be setting yourself up for incalculable risk (and you’re most likely a LAGgard). However, if you are comfortable with gobs of information floating around in the cloud and are adopting the tools that help you benefit, then you are likely going to survive the turbulence.

The opportunities arising from the merging of data and disintermediation are just becoming evident – and these trends will entirely reshape seemingly unassailable businesses and entire industries. 

As the fabric of personal information privacy becomes increasingly threadbare, the expectation for transparency in all segments of commercial life will be elevated to a prerequisite for any type of engagement. And as new generations of shoppers, investors and the “serviced” become less concerned about privacy and more connected to -- and facile with -- data, business as usual will be anything but.

(This article first appeared in JetSet magazine.)

Think your healthcare organization or health plan has healthcare privacy covered? Think again.

A series of supplemental guidance issued by the Department of Health and Human Services Office of Civil Rights (OCR) in recent weeks is giving healthcare providers, health plans, healthcare clearinghouses (covered entities) and their business associates even more to do. They must review and update their policies, practices and training for handling protected health information. This is beyond bringing their policies and practices into line with OCR’s restatement and update to the Omnibus Final Rule that OCR published Jan. 25, 2013.

Covered entities generally had to be in compliance by Sept. 23, 2013, but many covered entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.

Even if a covered entity or business associate completed the updates, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against covered entities and business associates published by OCR since Jan. 1, 2014 alone:

·         HIPAA Privacy Rule and Sharing Information Related to Mental Health

·         Spanish Language Model Notices of Privacy Practices

·         CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports

·         Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS)

Beyond this 2014 guidance, covered entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule, such as:

·         HIPAA Privacy Rule: Disclosures for Emergency Preparedness - A Decision Tool

·         The HIPAA Privacy Rule and Refill Reminders and Other Communications About a Drug or Biologic Currently Being Prescribed for the Individual

·         Health Information of Deceased Individuals

·         Student Immunizations

·         Model Notices of Privacy Practices (English)

With OCR stepping up both audits and enforcement and penalties for violations, covered entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, covered entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions but should document their commitment and continuing compliance and risk-management activities, while taking well-documented, reasonable steps to encourage business associates to do the same. This documentation could help demonstrate that an organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation.   

When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws, such as: the privacy and data security requirements that often apply to personal financial information; trade secrets or other sensitive data; and judicial precedent.

Insurers have always been at the forefront of responding to user needs. Direct marketing and online portals make it easier for consumers to understand and purchase insurance. Usage-based insurance (UBI) allows safe drivers, particularly those who drive less, to reduce their premiums. Even insurance company-sponsored coffee houses offer a unique way to gain financial service knowledge and one-on-one access to experts.

Today, a different type of opportunity exists that may help insurers not only meet changing consumer needs but gain first-mover advantage in the process. Called the “sharing economy,” this market involves renting privately or company-owned assets—generally cars or homes—primarily through an online, peer-to-peer network. While the car-sharing market in North America is exploding, few insurers have even begun to explore this market.

As people continue to seek new opportunities in this economy, and as Millennials begin to take control, it’s likely that this idea of “sharing” will not only thrive but expand. The question is: Can insurance companies make a reasonable profit from this market? If so, how will they adapt their models to meet the new consumer demands?

To begin answering these questions, we will take a look at three areas. In this article, the first part, we’ll define the sharing economy and examine some of the innovative models already in play. Then we’ll discuss the insurance challenges that sharing-economy companies are facing, and the insurance industry’s response. Finally, we’ll look at four steps insurers can take to begin evaluating the sharing economy as a viable business opportunity.

Access trumps ownership

The sharing economy offers a fast and efficient way for owners of assets and renters to connect through online services. Two main stars have emerged in the sharing economy: auto and home. Companies like RelayRides and Getaround can help a consumer rent a car for a few hours of errands or even enjoy an SUV for a weekend in the mountains. The other main sector, home rental, allows owners to rent out their homes or simply a room on a short-term basis through companies like Airbnb. As the sharing economy branches out, owners are renting out other assets such as parking spaces, tools and camping gear.

It’s all about monetizing unused capacity of an asset for owners. For renters, it’s about gaining quick and easy access to those assets without being bogged down by ownership. Access, in a sense, becomes a service that is paid for per time increment or by distance.

Much of this market is being driven by the Millennials who grew up with the ideas of sharing, renting and paying small transactional fees for access to things such as music and movies. This generation has been slow to move out of their parents’ houses, and many delay getting their driver’s license for a few years. They simply don’t value ownership the way previous generations have. That means sales are down for this generation, especially on large items such as cars.

As the sharing economy becomes more popular, large companies are jumping into the mix. For example, Avis paid $500 million for Zipcar to gain access to the peer-to-peer market. Daimler’s Car2Go charges 38 cents per minute including fuel, insurance and parking. And GM invested in RelayRides to allow peer-to-peer rentals of OnStar-enabled cars.

There’s a reason consumers and corporations are embracing this model. Forbes predicts that the global sharing economy will grow by 25 percent this year, reaching more than $3.5 billion. Frost & Sullivan estimates that the North American car-sharing economy alone will reach $3.3 billion by 2016, with 9 million members participating. And once self-driving cars come into play, decreasing the risk inherent in different driving behaviors, the car-sharing model could explode.

Next week, we'll explore the interactions between sharing-economy advocates and insurance companies.