Addressing Condominium Water Failures Before They Happen

Water system renewal can be a confusing process and certainly not a hands-off affair for the insurer. A qualified owner's representative is needed to help navigate the landscape of technologies and contractors who sell them.

In the heyday of the real estate bubble, developers flipped tens of thousands of apartment structures into condominiums — with little regard for the condition of the potable water system. Many of these galvanized steel or early copper systems are rapidly approaching the end of their service life. Unseen, a small leak can cause thousands of dollars of damage and a ruptured main riser can amount to millions of dollars in claims and severe hardship for the community of homeowners.

While it may be tempting to react to failure statistics, not all water systems are equal. Water chemistry varies substantially across the country, as do workmanship and materials quality — these variables may have a greater influence on mode and consequences of the failure than the age of the system itself. The least appropriate action may be for the insurer to put the community in an emergency situation. Poor or rushed Homeowners Association (HOA) decisions can end up costing everyone far more than a properly replaced system that is well planned.

Insurers must first help the community to resolve to replace their potable water system. Then, they must encourage the community to have a comprehensive piping condition assessment overseen by a qualified engineering representative. It is essential to determine the stability of the existing system without the threat of policy cancellation. Small leaks may be tolerable as long as the possibility of a large rupture is fairly remote — they are not necessarily related conditions. Once these probabilities are known, then good decisions regarding a replacement system can be made.

Unfortunately, the Homeowners Association board is often left with the daunting task of selecting the right technology that both heals the pain and fits the budget. All pipe renewal solutions have different risks and vulnerabilities and many Homeowners Associations can fall for a slick contractor peddling inferior products. Potable water is a matter that requires rational analysis.

Piping Materials:
The three main classifications of piping renewal materials on the market include epoxy liner, copper re-pipe, or a variety of plastic products. All have vulnerabilities and limitations so it is important for the insurer to take a deep hard look at the risks while the Homeowners Association can focus on the costs.

Epoxy Pipe Liner
Epoxy pipe liner is a continuous paint-like coating that is blown through an existing pipe system that has been cleaned by an abrasive sandblasting. Epoxy has the advantage of being relatively fast and minimally invasive. The problem with epoxy is there is no certain way to know the pipe is clean on the inside and no certain way to know if the cleaning process compromises the strength of the pipe. Finally, if we were to test the epoxy, and adhesion is shown to be poor — then what? There is no way to remove the epoxy and breaking the continuity of the coating breaks the protection. Our research has found that an epoxy failure can very likely happen at the exact place where the pipe is already at its weakest. This does little to mitigate the peril of the multi-million dollar rupture claim. While we are confident that epoxy may be applied correctly, we are not confident the epoxy would be risk/cost competitive over a far superior re-pipe.

New Copper Re-pipe
Copper is very familiar to most people from its use in the penny. The tarnish that forms on copper actually protects it from corrosion. Under the right conditions, a 50-year service life is a reasonable expectation if that tarnish coat is not disrupted. Copper plumbing has been extensively studied and many professional codes and standards apply to its use. Consequently, many copper failures can be traced directly back as failures to apply these standards: improper design, poor workmanship, aggressive water chemistry, or inferior materials, etc. All are known perils, which may be avoided or mitigated with the assistance of a good technical advisor representing the best interest of the owners.

Cross Linked Polyethylene (PEX)
PEX is a white or colored plastic that is fairly stiff but also quite flexible. A slightly weaker form is commonly used in plastic milk jugs. PEX has been used in the US for 20-25 years, and has demonstrated an excellent track record in millions of installations. PEX is easy to install, relatively low cost, and enjoys broad market acceptance. PEX has two main problems — both of which are avoidable. Lawsuits have been filed over failures due to "dezincification" of low cost brass fittings. It is extremely important to avoid some sources of fittings with high zinc composition in alloy. Lawsuits have also been filed over the leaching of chemical compounds from types A and C PEX — the use of Type B PEX largely eliminates this problem. Again, a good owner's representative can help navigate this landscape. Many other plastic piping materials exist, but not without similar controversies.

New Polypropylene Pipe
A newcomer to the pipe materials selection is polypropylene — polypropylene is a common recyclable material with important uses in medical and food grade applications. Polypropylene is a very simple molecule of carbon and hydrogen — nothing bad goes in so nothing bad can leach out. While new to the US, we have traced its use in Europe to at least 30 years back with a very low failure incident rate. Polypropylene has excellent thermal and acoustic properties and is widely considered the most environmentally friendly piping material available. Some disadvantages are that special fusing irons and specially trained installers are required.

Water system renewal can be a confusing process — and certainly not a hands-off affair for the insurer. A qualified owner's representative is needed to help navigate the landscape of technologies and contractors who sell them. When the project is complete, the representative can help petition the underwriter, the financial industry, and the real estate market for adjustments that reflect the value of your renewed new system. The technical representative can help eliminate engineering and construction risks without interfering with the normal dynamics of a wise and proactive homeowners association.

Video Verified Alarms And Priority Response - How Does It Work?

We need a strong public/private partnership to combat property crime. Underwriters must answer the question, "How can we encourage policyholders to use video alarms and police response to reduce losses?"

Traditional burglar alarms have lost much of their value as a tool for loss control, but video alarms are taking their place. Police response to burglar alarms is degrading and in many cases police departments have stopped responding to traditional alarms unless they are verified.

Millions of traditional alarm systems have created an enormous problem, wasting shrinking police resources on millions of false alarms. It is a big concern that has the attention of national law enforcement leadership.

International Association of Chiefs of Police (IACP) president, Chief Craig Steckler specifically addressed false alarms as a key issue in his inaugural address of October, 2012, "According to studies, last year there were more than 38 million false alarm calls in the United States. In many agencies alarm calls were the number one call for service, and statistically, these calls often account for nearly ten percent of all the calls for service the agency handles on an annual basis. Additionally, every study of the issue continually finds that 95 to 99 per cent of all alarms are false." Chief Steckler bluntly states, "We must take a critical look and unbiased look at false burglar alarms, and determine whether in the new norm, this type of call (police responding to alarms) is truly a prudent use of severely limited resources."

Chief Steckler is not exaggerating. Police consider traditional burglar alarms an enormous waste of resources. Officers no longer make arrests, and alarm companies focus on selling deterrence instead of apprehensions. From the police perspective, many simply no longer care.

The situation has degraded to the point that many major cities like Las Vegas, Salt Lake City, San Jose, and Milwaukee stopped responding to traditional burglar alarms altogether. This trend is gathering momentum. The public/private partnership of the police/alarm company/insurance industry has atrophied, and neither the police nor underwriters find effective loss control in traditional burglar alarms.

In contrast, this video underscores the value that law enforcement places on video verified alarms to combat property crime. The president of the National Sheriffs Association describes Priority Response and how effective they are at delivering arrests. There are many actual video clips of real burglaries in the video itself.

Response Differentials
Video verified alarms are an increasingly important evolution to combat property crime. They continue to deliver priority police response and lead to arrests. The reason is that police respond faster to video verified alarms, making arrests and reducing claims.

The "response differential" between a traditional alarm and a video verified alarm is significant. The following chart illustrates the differences in sample cities across the USA: large and small, east and west, north and south. The key issue is that video verified alarms deliver police response faster, around 15 minutes faster in many jurisdictions. Those 15 minutes make a big difference in reducing claims for property crime.

| Jurisdiction | Video Alarm | Traditional | Differential |
|---|---|---|---|
| Boston, MA | 7:38 | 21:00 | 13:22 |
| Charlotte, NC | 5:10 | 13:30 | 8:20 |
| Chula Vista, CA | 5:05 | 19:18 | 14:13 |
| Watertown, MA | 4:00 | 23:00 | 19:00 |
| Fairfax County, VA | 6:00 | 18:02 | 12:02 |
| Salinas, CA | 2:54 | 39:25 | 36:19 |
| Amarillo, TX | 10:06 | 19:24 | 9:18 |

Real Examples Of Alarm/Police Interaction
Perhaps the most effective way to illustrate the value of video verified alarms is to show 4 actual examples of real events with different outcomes based upon the alarm and jurisdiction. This is what the alarm business really looks like from the police side of things. Two of these examples lead to arrests. Insurers must realize the importance of central station dispatchers using video to become virtual eyewitnesses to a crime in progress.

Not all of the examples are positive. In the final alarm, the 911 call taker says to the central station operator: "This doesn't meet our criteria for response," meaning that the municipality won't respond to the alarm without the video verification. The central station operator sounds a bit stunned on the phone. But this is the scenario that is happening increasingly around the country. This last example is what insurers are trying to avoid by promoting video verified alarms to their policyholders.

Now What?
We need a strong public/private partnership to combat property crime. Underwriters must answer the question, "How can we encourage policyholders to use video alarms and police response to reduce losses?"

One answer would be to join the Partnership for Priority Video Alarm Response (PPVAR), a nonprofit public/private partnership based in St. Paul, Minnesota. The organization brings together alarm companies, insurers, and law enforcement to promote Priority Response and Video Alarms to reduce property crime and insurance losses. The PPVAR board of directors includes law enforcement, alarm companies and the National Insurance Crime Bureau (NICB) that is supported by 1,100 property/casualty insurance companies.

To further strengthen leadership from the insurance industry, the PPVAR recently added Verisk Crime Analytics Vice President Anthony Canale to its board of directors. There are now two strong insurance organizations to help build the partnership with law enforcement and the alarm companies. Verisk owns and operates national crime databases that provide services to the construction, retail, transportation, manufacturing and insurance industries.

"Our involvement with the PPVAR fits with the mission of Verisk Crime Analytics to use data and analytical tools to support public safety operations and to help our clients reduce the impact of crime," said Canale.

As the successes grow, the PPVAR is expanding its membership in the insurance industry — individual insurance companies joining the partnership and embracing the message. The PPVAR welcomes additional insurance companies and associations to work with us to help use video alarms to reduce claims and losses.

Immigration Reform On The Horizon: What It Means For Medical Tourism And Workers' Compensation

Once the currently undocumented can legally remain in the US and continue to work in the industries they occupy, it is more likely that they will opt to go to their home country for medical treatment should they get injured on the job.

Five years ago, members of a risk management discussion group I belong to on Yahoo Groups raised the question of whether or not illegal immigrants (i.e., undocumented immigrants) were entitled to workers' compensation benefits. The answer most of the respondents gave was yes, but with some restrictions depending upon the state. One respondent in particular even provided the group with documents from the Independent Insurance Agents & Brokers of America, Inc. (IIABA) that gave the pros and cons in the debate on whether undocumented immigrants were entitled to benefits or not.

The purpose of this article is not to rehash the debate points, but to explore what impact impending immigration reform, which has been promised by the Obama administration in the upcoming second term of the president, will have on workers' compensation and the likelihood that injured newly legal immigrant workers, especially from Mexico and other Latin American countries, will avail themselves of the benefits of medical tourism to their home countries as an option if injured on the job.

According to the IIABA White Paper, which cited a Pew Hispanic Center report published in 2006, there are probably 11 to 12 million undocumented immigrants in the US, depending upon how many have "self-deported" recently due to the current US economic slowdown. Demographically, this represents 5.4 million men, 3.9 million women, and 1.8 million children. In addition, there are 3.1 million children who are US citizens, having been born here (64% of all children of the undocumented) from one or more parent.

President Obama's Executive Order last year gave many of these children a reprieve from deportation while they are attending college here and until more comprehensive reform can be achieved for all undocumented immigrants. Undocumented immigrants account for almost one-third of all foreign-born residents of the US, and about 80% of these are from Mexico and other Latin American countries.

The report also states that out of the total number of 9.3 million undocumented adults, 7.2 million (77%) are employed and account for around 5% of the US workforce. They comprise a disproportionate percentage in some industries, such as 24% of farm workers, 17% of cleaning workers, 14% of construction workers, and 12% of food preparers.

These industries typically account for much of the claims filed under the US workers' compensation system. Within a particular industry, undocumented workers comprise a higher percentage of more hazardous occupations. For example, 36% of insulation workers and 29% of all roofing employees are estimated to be undocumented.

In my blog post, The Stars Aligned, I briefly touched upon the issue of immigration reform's impact on medical tourism for workers' compensation in regard to Mexican workers in the US. But since President Obama and Florida Senator Marco Rubio have recently outlined different reform plans, which I will discuss here in this post, it is important to mention first how undocumented workers are treated under the various laws each state has established to govern their workers' compensation systems.

A document I mentioned in that blog post was a chart of the laws governing workers' compensation and undocumented workers that one of the respondents had forwarded to the discussion group.

Undocumented workers are entitled to workers' compensation benefits in thirty-eight states; however, six states have statutes that allow or restrict benefits for various reasons such as:

  • if the employment was obtained under false pretenses (Florida);
  • if disability benefits were payable or they were unable to work because of the injury (Georgia);
  • if they were entitled to medical, but not disability benefits because of a commission of a crime under the Immigration Reform and Control Act (IRCA) of 1986 signed by Ronald Reagan (Michigan);
  • if vocational rehabilitation benefits were covered since the worker could get employment outside the US (Nevada);
  • if disability payments were recoverable at US wages rather than those of the home country or if the employer was aware or should have been aware of the undocumented status (New Hampshire); or,
  • if disability benefits were not payable if the worker was unable to work due to his status and not the injury (North Carolina).

Three states — California, Georgia and Nebraska — have statutes that indicate that undocumented workers are not entitled to benefits in certain situations. California case law establishes that undocumented workers could be refused vocational rehabilitation benefits. Georgia case law establishes that disability benefits are not payable if the worker is unable to work due to his status and not his injury. And, Nebraska case law established that a worker named Ortiz could be refused vocational rehabilitation benefits because he could not legally work in the US and did not plan to return to Mexico to work.

Only Wyoming has a statute that expressly includes only "legally employed ... aliens." And case law in 1999 confirmed that undocumented workers were not entitled to benefits. Eleven states — Alaska, Delaware, Indiana, Maine, Missouri, Rhode Island, South Dakota, Vermont, Washington, West Virginia and Wisconsin — were listed in the chart as unknown as to whether or not undocumented immigrants are entitled to benefits.

As we begin the second Obama Administration, immigration reform has risen to the top of the list, only to be preceded by the debt crisis and the fiscal cliff. As I mentioned above, both President Obama and Florida Senator Marco Rubio have outlined their own versions of what immigration reform would look like. Senator Rubio's plan would rely more on skilled workers such as engineers and seasonal farm workers while tightening border enforcement and immigration law. Senator Rubio's plan would not provide blanket amnesty to those already here.

On the other hand, President Obama's plan, as outlined in a recent New York Times article, would seek to give undocumented workers a path to citizenship. Sen. Rubio's plan would focus more on merit and skill as prerequisites for entry into the US, much like earlier immigration laws passed in the 1920s and other decades. The president's plan would be broader and more immediate, and would probably have less of an impact on the economic stability of those industries that currently rely on undocumented workers.

Whatever form immigration reform will take, the opportunities to offer medical tourism as an option to injured undocumented workers, once they achieve some legal form of citizenship, will no doubt increase. The likelihood that something will be done this year has already been the topic of many news programs and even has been discussed by congressional leaders such as Harry Reid, the Senate Majority leader.

Once the currently undocumented can legally remain in the US and continue to work in the industries they occupy, it is more likely that they will opt to go to their home country for medical treatment should they get injured on the job. With the benefits of doing so, such as not having language barriers, cultural barriers, and being able to be visited by friends and family living there, they will be more open to receiving treatment at facilities they normally could never get into. And as many of these countries are fast becoming "rising stars" as medical tourism destinations, the more likely they will want to get treated at the best hospitals in their countries, which will have a huge impact on their recovery, their well-being and their standing with friends and family. And the financial burden of not having to look for a job back home and being able to return to the US will convince them to opt for medical tourism as injured workers.

Spinal Surgery Requests And The SB 863 Gap

Come July 1, 2013, many areas of Workers' Compensation that have "gap" problems will simply go away. And the parties will fully participate in the independent medical review process on all claims. Until that time, however, we must continue to infer what the legislature intended, and litigate items such as this, if necessary.

In an attempt to simplify the ever-confusing Workers' Compensation world in the great State of California, our legislative branch drafted SB 863 in 2012. With the stroke of his pen, Governor Brown enacted sweeping legislation, with effective and varying start dates for various provisions of the new law. However, with varying start dates comes confusion regarding various provisions. A spinal surgery request is one of the areas which appears to have a problem with the implementation date of July 1, 2013.

Effective January 1, 2013, provisions under Labor Code § 4062(b) pertaining to the spinal surgery second opinion process have been eliminated from the Labor Code. Overall, this is a positive result for the Defendant from SB 863. The new independent medical review (IMR) process kicks in on July 1, 2013, for dates of injury prior to January 1, 2013. However, a new question has surfaced as a result of this substantial change. How do we address spinal surgery requests for dates of injury prior to January 1, 2013?

The new regulations and the Labor Code conflict in their guidance. Labor Code § 4062 (b) reads: "For injuries on or after 1/1/2013 and for UR decisions communicated on or after 7/1/2013, regardless of date of injury, all employee objections to utilization review disputes under Lab Code § 4610 are resolved only IMR pursuant to 4610.5 and not through the QME process." Simple enough. Yet with the provisions of Labor Code § 4610.5 regarding the IMR process not starting until July 1, 2013, we have a sizeable gap of six months where the parties are seemingly unable to participate in a second opinion process as well as the independent medical review process.

Causing even more confusion is the second half of Labor Code § 4062(b) which reads: "For injuries on or after 1/1/2013 and for objections to diagnosis of treatment recommendations within the MPN, regardless of the date of injury, all employee objections to diagnosis or treatment recommendations within the MPN are also resolved only through independent medical review pursuant to § 4610.5."

Curiously, this seems to imply that the independent medical review process is the method which should be used, since a request for spinal surgery is clearly a request for care. Further, the process is to be implemented "regardless of the date of injury." That being said, we must note that the objections must come from care within the medical provider network (if applicable). Further, it appears that this section refers only to "employee" (not employer) objections.

So what is the correct answer? In my research, I consulted with numerous publications. I also consulted with fellow colleagues. All presented varying answers. Ultimately, I found the answer in Labor Code § 4610(g)(3) which provides: "(3) (A) Decisions to approve, modify, delay, or deny requests by physicians for authorization prior to, or concurrent with, the provision of medical treatment services to employees shall be communicated to the requesting physician within 24 hours of the decision. Decisions resulting in modification, delay, or denial of all or part of the requested health care service shall be communicated to physicians initially by telephone or facsimile, and to the physician and employee in writing within 24 hours for concurrent review, or within two business days of the decision for prospective review, as prescribed by the administrative director. If the request is not approved in full, disputes shall be resolved in accordance with Section 4610.5, if applicable, or otherwise in accordance with Section 4062."

As Labor Code § 4610.5 is not applicable until July 1, 2013, Labor Code § 4062 will apply and the medical-legal process takes over. Which means the Defendant would adhere to the requirements under the guidelines established under the utilization review process when we are faced with a spinal surgery request.

Upon receipt of the request, they must proceed with a timely and proper review and furthermore must properly convey the denial for care as indicated above. It is important to remember that the Defendant must notify the "employee" by a copy to the employee and their attorney. In their notice to the physician, the correct, identified physician must be served as indicated above. Finally, it is my recommendation that with any utilization review determination, a proof of service should accompany the final, written decision. Although this step may be seen as a small one and potentially burdensome, a proof of service signed under penalty of perjury usually eliminates a claim of late or improper service, and can be a very valuable tool at the time of a hearing.

Assuming the utilization review process was completed properly and a denial issued, the parties would then proceed with a medical-legal evaluation under Labor Code § 4062 to resolve the dispute.

Come July 1, 2013, many areas of Workers' Compensation that have these sorts of "gap" problems will simply go away. And the parties will fully participate in the independent medical review process on all claims. Until that time, however, we must continue to infer what the legislature intended, and litigate items such as this, if necessary.

*Special thanks to Jake Jacobsmeyer.

Survivor: Hospital Edition

While we can hope our health care industry will promote consumer involvement in decisions through education and transparency, it may take a more disruptive intervention to shift perceptions.

You knew it was coming. Reality TV has come to health care.

WDEY network began filming a new reality show last month — it's called Medicine Unlocked[1]. It follows real patients navigating the health care system in search of treatment for their ailments. Each two-hour episode focuses on four patients who share a specific preliminary diagnosis; one week it's back pain, another it may be gall bladder problems or men with suggested prostate cancer.

Each patient-contestant receives a pre-loaded health savings account and debit card and earns "keys" that allow passage through a series of decision "gates." Gate 1 is Who (will be their doctor); Gate 2 is What (confirming their diagnosis); Gate 3 is How (the problem will be treated); and Gate 4 is Where (the treatment will occur). By successfully getting through the gates to a successful treatment, patients become eligible for a $1 million grand prize.

The reason this is a reality show rather than a documentary is that the Who, What and How gates each consist of a choice among three options. Two options are real, one is fictional. As an example, in the arthritis episode, a pretend bone-specialist convinces one patient that a new nano-Teflon coating can be applied to his knee with a robotic needle at half the price of knee replacement. For gallstones, a radiologist explains how the small dots on the image were actually undigested items blocking her bile duct ("Tell me, have you ever swallowed your gum in the past, Mrs. Jefferson?").

If the patient selects a real option, he or she pays the cost of the option, gets a key and passes through the gate. If the patient chooses the phony option, he or she must pay a stiff penalty, and choose a new, non-sham treatment to get their key. Expert judges comment on the contestants' choices and what they might have done differently. Not surprisingly, they don't all agree.

For the final Where gate, things get even more challenging. Patients select from three treatment locations (all real). To earn the final gold key, they must not only select the facility they want to use, but also rank order the facilities by their safety ranking (1st, 2nd, 3rd) and by cost of the surgery (1st, 2nd, 3rd). They only have four hours to investigate using whatever online or phone or other resources they want. The ultimate winner is the contestant with enough money left in the health savings account to get the treatment, who correctly ranks the greatest number of facilities. While six out of six correct rankings gives them $1M eligibility, TV viewers get the last word as they choose their favorite among the qualifiers.

If you are like me, you won't know whether to be impressed or appalled by this series. Useful, teachable moments occur at every gate. The viewing public sees first-hand the disturbing level of uncertainty, inconsistency, and misinformation faced by almost every patient. However, the authentic pain and emotion borders on exploitation. The detailed discussion of the potential consequences facing one prostate cancer patient (impotence, incontinence) will leave a pit in most viewers' stomachs. And, without spoiling the story, there is one tragic result in a mid-season episode.

Maybe we need a show like this.

For readers who haven't looked at the footnote yet, there is no reality show, except in my imagination. But the more I learn about the gap between what consumers know and care about, and what the experts say about quality and safety, the more I daydream (obviously) about ways to shift popular culture to prompt more active questioning of the safety, quality, and cost of health care.

It's not a coincidence that the reality show idea coincides with this week's release of Altarum Institute's latest consumer survey results. Some trends are encouraging. The majority of respondents reported wanting to play a primary role in making decisions. Younger consumers report asking about cost and quality more often. When choosing a hospital for surgery, consumers rate safety and experience as most important.

On the other hand, other areas reveal a great opportunity for building awareness. To name a few:

  • Consumers still rely most heavily on the advice of family and friends for selecting a doctor.
  • More than half of the population has never asked about price before getting a medical service.
  • Two-thirds are not confident that they can get lower-cost care by shopping around.
  • Consumers rate convenience and bedside manner above quality measures in importance for selecting a doctor.

One can interpret these findings in several ways. Some have suggested to me that many consumers do not have the interest or the ability to be involved in decisions about care. Some say it is a generational bias reflecting our parents' experience that "doctors know best." While these explanations may have elements of truth, my sense is that the general public has simply lacked reasons to pay attention and examples to emulate. It is more reassuring to think of medicine as concrete, scientific, and altruistic than to acknowledge its inherent risk, fallibility, and perverse business incentives. So, most depictions of medicine have heroes and affordable, happy endings.

While we can hope our health care industry will promote consumer involvement in decisions through education and transparency, it may take a more disruptive intervention to shift perceptions.

Anyone want to volunteer for Season 1?

1 WDEY stands for "We Don’t Exist Yet." The show does not exist. I dreamed it up.

This article first appeared on the website of Altarum Institute.

Risk Distribution - Where Is The Risk?

Logic would dictate that the lack of actual shared losses would also indicate the lack of risk distribution. The IRS may soon test this question in the Tax Court. If logic prevails, then many risk sharing pools will be in trouble.

What if a captive insurance company has virtually no real practical risk except to its own related insured? Is risk distribution really present?

Every captive insurance company must demonstrate, among other things, that it has sufficient "risk distribution" to qualify as an insurance company for tax purposes. This concept was first mentioned by the United States Supreme Court in 1941 with little further definition or guidance. As a result, since that time, many judicial opinions and two Revenue Rulings have attempted to interpret and quantify the "law of large numbers" inherent in the idea of distributing risk.

This article will not analyze all of the case law on the subject, but instead will highlight the typical manner in which captives today attempt to achieve risk distribution and will question whether the attempts will ultimately prove successful.

The Internal Revenue Service issued two Revenue Rulings in 2002 that set their standard for determining whether a captive insurance company has "adequate" risk distribution to be considered an insurance company for tax purposes. This determination is critical since the ability of the taxpayer to deduct premiums paid to a captive is dependent on a finding that the captive qualifies as an insurance company for tax purposes. The standards set forth in the Rulings are arguably tougher than those found in the judicial opinions on the subject, but they remain the basis on which the IRS conducts audits of captive insurance companies.

The two Revenue Rulings represent two different paths to risk distribution. Revenue Ruling 2002-90 examines the number of related companies that must be insured in order to sufficiently distribute risk. If the insured cannot provide a sufficient number of separate insureds, then the captive must rely on Revenue Ruling 2002-89. That Ruling establishes the amount of third party risk that a captive must carry in order to qualify as an insurance company for tax purposes.

Revenue Ruling 2002-90 requires that the captive insure at least 12 separate companies (single member LLCs do not count), with no one company representing more than 15% of the total premium paid to the captive. [In practice, the IRS seems to accept as few as 6 separate insureds with none paying more than 45% of the total premium, but it is difficult to rely too heavily on such practice as it may change without notice.]

Most closely-held companies cannot meet the standard of Revenue Ruling 2002-90. While the entrepreneur may own separate companies for real estate, distribution, etc., usually there is one main operating company that carries the bulk of the exposures.

Captives insuring those companies must therefore rely on Revenue Ruling 2002-89 for guidance as to risk distribution. That Ruling states that the captive must show that "more than 50%" of its risk comes from unrelated third parties. ("Risk" in this case is typically measured by premium). [For captives located in the Western United States, a Ninth Circuit Court of Appeals case reduces that percentage to 30%, but the opinion is not binding on the IRS outside of that jurisdiction.]

The typical way for small captives (such as those qualified under section 831(b) of the Code) to accept risk from unrelated parties is through a pooling mechanism where a number of unrelated captives "swap risk." This risk sharing is accomplished in a number of ways, with two common forms:

  • First, the captive may pay all of its premium to a single "fronting captive" (usually owned by the captive manager) who then will cede 50% back to the captive as reinsurance premium and retain 50% for a year or more to potentially pay losses of the other captives who are also using this fronting mechanism.
  • The second common method is a direct ceding/retrocession agreement among unrelated captives under which each promises to pay for 50% or more of the losses of the other captives who have signed the agreement.

In theory, either one of these approaches to third-party risk should qualify under Revenue Ruling 2002-89. But in actual practice, questions arise.

Many risk sharing programs exempt the first $250,000 of any loss of any single captive from the pooling arrangement. In other words, if the captive pays its insured less than $250,000 on any single claim, that captive will have no right to receive reinsurance from the other captives in the pool. Indeed, it is possible that the captive could pay multiple claims — each less than $250,000 — and still not have any reinsurance. On the other hand, any client considering such a pool might feel comfortable that his captive would not be at much risk to pay reinsurance out to other captives, absent a large loss.

These pools are constructed so that in a catastrophic loss, at least 50% is paid by the other captives. They therefore argue that the pool still qualifies under 2002-89. But few captive pools ever suffer such losses — particularly pools that share risk among 831(b) captives. The types of risks generally insured by these types of small captives rarely generate large losses. Indeed, one captive manager boasts that in 12 years, no captive in his pool has ever suffered a loss above that first "no reinsurance" layer.

So, is this really risk distribution?

Large group captives typically use a similar A/B loss structure, but the nature of the risks insured by group captives (auto, general liability and workers' compensation) commonly results in losses above the A layer, so risk distribution is not an issue.

The judicial opinions on the subject of third-party risk have never addressed the question of layers within a risk sharing pool. Perhaps that is why these types of pools apparently continue to pass muster when one of their captives faces an IRS audit.

Several years ago at a national captive insurance conference, an IRS representative stated that if he found that actual captive losses always fell within an exempted layer, he would deny the existence of sufficient risk distribution. But he has now retired and there is no current indication that the IRS is thinking that way.

Logic would dictate that the lack of actual shared losses would also indicate the lack of risk distribution. The IRS may soon test this question in the Tax Court. If logic prevails, then many risk sharing pools will be in trouble.

Insurance And Manufacturing: Lessons In Software, Systems, And Supply Chains

By comparing insurance to manufacturing, companies can glean valuable insights on getting lean and agile with insurance product life cycle management.

Recently, my boss Steve and I were talking about his early career days with one of those Big 8, then Big 6, then Big 5, then Big 4 intergalactic consulting firms. Steve came out of college with an engineering degree, so it was natural to start in the manufacturing industry. Learning about bills of material, routings, design engineering, CAD/CAM ... "Ah yes," he recalled, "Those were heady days." And all those vendor-packaged manufacturing ERP systems that were starting to take the market by storm.

Eventually Steve found his way into the insurance industry, and thus began our discussion. One of the first things that struck Steve was the lack of standard software packages in the insurance industry. I don't mean the lack of software vendors — there are plenty of those. Seemingly, though, each software solution was a one-off. Or custom. Or some hybrid combination. "Why?" we wondered.

The reasons, as we now know, were primarily reflected in an overall industry mindset:

  • A "but we are unique!" attitude was pervasive. Companies were convinced that if they all used the same software, there would be little to differentiate themselves from one another.
  • There was also an accepted industrywide, one-off approach. Conversations went something like this: "XYZ is our vendor. We really don't like them. Taking new versions just about kills us. We don't know why we even pay for maintenance, but we do."

But the chief reason for a lack of standard software was the inability to separate product from process. What does this mean?

Well, you can certainly envision that your auto product in Minnesota is handled differently than your homeowners' product in California. I'm not referring to just the obvious elements (limits, deductibles, rating attributes), but also the steps required for underwriting, renewal, and cancellation. Separation of product from process must go beyond the obvious rate/rule/form variations to also encompass internal business and external compliance process variations.

But there's still plenty of processing — the heavy lifting of transaction processing — that's the same and does not vary. For example, out-of-sequence endorsement processing is not something that makes a company unique and therefore would not require a custom solution.

Where the rubber meets the road, and where vendor packages have really improved their architecture over the last several years, is by providing the capability in their policy admin systems for companies to "drop" very specific product information, along with associated variations, into a very generic transaction system.

Once product "components" (digitized) are separated from the insurance processing engine, and once companies have a formal way to define them (standard language), they can truly start making their products "unique" with reuse and mass customization. Much like those manufacturing bills of material and routings looked to Steve way back when.

This separation of policy from product has been a key breakthrough in insurance software. So what is an insurance product, at least in respect to systems automation?

From Muddled To Modeled
The typical scenario to avoid goes something like this:

  • The business people pore over their filings and manuals and say, "This is the product we sell and issue."
  • The IT people pore over program code and say, "That's the product we have automated."
  • The business people write a lot of text in their word processing documents. They find a business analyst to translate it into something more structured, but still text.
  • The business analyst finds a designer to make the leap from business text to IT data structures and object diagrams.
  • The designer then finds a programmer to turn that into code.

One version of the truth? More like two ships passing, and it's more common than you may think. How can organizations expect success when the product development process is not aligned? Without alignment, how can organizations expect market and compliance responsiveness?

What's the alternative? It revolves around an insurance "product model." Much like general, industry-standard data models and object models, a product model uses a precise set of symbols and language to define insurance product rates, rules, and forms — the static or structural parts of an insurance product. In addition, the product model must also define the actions that are allowed to be taken with the policy during the life of the contract — the dynamic or behavioral aspect of the product model. So for example, on a commercial auto product in California, the model will direct the user to attach a particular form (structure) for new business issuance only (actions).

Anyone familiar with object and data modeling knows there are well-defined standards for these all-purpose models. For insurance product modeling, at least currently, such standards are more proprietary, such as IBM's and Camilion's models, and of course there are others. It is interesting to note that ACORD now has under its auspices the Product Schema as the result of IBM's donation of aspects of IAA. Might this lead to more industry standardization?

With product modeling as an enabler, there's yet another key element to address. Yes, that would be the product modelers — the people responsible for making it work. Product modeling gives us the lexicon or taxonomy to do product development work, but who should perform that work? IT designers with sound business knowledge? Business people with analytical skills? Yes and yes. We must finally drop the history of disconnects where one side of the house fails to understand the other.

With a foundation of product modeling and product modelers in place, we can move to a more agile or lean product life cycle management approach — cross-functional teams versus narrow, specialized skills; ongoing team continuity versus ad hoc departmental members; frequent, incremental product improvements versus slow, infrequent, big product replacements.

It all sounds good, but what about the product source supplier — the bureaus?

Supply Chain: The Kinks In Your Links
Here is where the comparison between insurance and manufacturing takes a sharp turn. In their pursuit of quality and just-in-time delivery, manufacturers can make demands on their supply chain vendors. Insurance companies, on the other hand, are at the mercy of the bureaus. ISO, NCCI, and AAIS all develop rates, rules, and forms, of course. They then deliver these updates to their member subscribers via paper manuals or electronically via text.

From there the fun really begins. Insurance companies must log the info, determine which of their products and territories are impacted, compare the updates to what they already have implemented and filed, conduct marketing and business reviews, and hopefully and eventually, implement at least some of those updates.

Recent studies by Novarica and SMA indicate there are approximately 3,000 to 4,000 changes per year in commercial lines alone. The labor cost to implement just one ISO circular with a form change and a rate change is estimated to be $135,000, with the majority of costs in the analysis and system update steps.

There has got to be a better way ...

ISO at least has taken a step in the right direction with the availability of its Electronic Rating Content. In either Excel or XML format, ISO interprets its own content to specify such constructs as premium calculations (e.g., defined order of calculation, rounding rules), form attachment logic (for conditional forms), and stat code assignment logic (to support the full plan).

A step in the right direction, no doubt. But what if ISO used a standard mechanism and format to do this? ACORD now has under its control the ACORD Product Schema. This is part of IBM's fairly recent IAA donation. It provides us a standard way to represent the insurance product and a standard way to integrate with policy admin systems. What if ISO and the other key providers in the product supply chain started it all off this way?

Dream on, you say? While you may not have the clout to demand that the bureaus change today, you do pay membership fees, and collectively the members have a voice in encouraging ongoing improvements in the insurance "supply chain."

In the meantime, the goal to be lean and agile with product life cycle management continues. We must respond quickly and cost-effectively to market opportunities, policyholder feedback, and regulatory requirements. That all starts at the product source ... but it doesn't end there. So while the supply chain improves its quality and delivery, insurance companies will need to gain efficiencies throughout every corner of their organizations in order to achieve those lean goals.

In writing this article, David collaborated with his boss Steve Kronsnoble. Steve is a senior manager at Wipfli and an expert in the development, integration, and management of information technology. He has more than 25 years of systems implementation experience with both custom-developed and packaged software using a variety of underlying technologies. Prior to Wipfli, Steve worked for a major insurance company and leverages that experience to better serve his clients.

Predictive Analytics And Underwriting In Workers' Compensation

Evidence-based decision-making provides consistency and improved accuracy in selecting and pricing risk in workers' compensation.

Insurance executives are grappling with increasing competition, declining return on equity, average combined ratios sitting at 115 percent and rising claims costs. According to a recent report from Moody's, achieving profitability in workers' compensation insurance will continue to be a challenge due to low interest rates and the decline in manufacturing and construction employment, which makes up 40% of workers' comp premium.

Insurers are also facing significant changes to how they run underwriting. The industry is affected more than most by the aging baby boomer population. In the last 10 years, the number of insurance workers 55 or older has increased by 74 percent, compared to the 45 percent increase for the overall workforce. With 20 percent of the underwriter workforce nearing retirement, McKinsey noted in a May 2010 Report that we will need 25,000 new underwriters by 2014. Where will the new underwriters come from? And more importantly, what will be the impact on underwriting accuracy?

Furthermore, there's no question that technology has fundamentally changed the pace of business. Consider the example of FirstComp reported by The Motley Fool in May 2011. FirstComp created an online interface for agents to request workers' compensation quotes. What they found was remarkable. When they provided a quote within one minute of the agent's request, they booked that policy 52% of the time. However, their success percentage declined with each passing hour that they waited. In fact, if FirstComp waited a full 24 hours to respond, their close rate plummeted to 30 percent. In October 2012, Zurich North America was nominated for the Novarica Research Council Impact Award for reducing the time it takes to quote policies. In one example, Zurich cut the time it took to quote a 110-vehicle fleet from 8 hours to 15 minutes.

In order to improve their companies' performance and meet response time expectations from agents, underwriters need advanced tools and methodologies that provide access to information in real-time. More data is available to underwriters, but they need a way to synthesize "big data" to make accurate decisions more quickly. When you combine the impending workforce turnover with the need to produce quotes within minutes, workers' comp carriers are increasingly turning toward the use of advanced data and predictive analytics.

Added to these new industry dynamics is the reality that both workers' compensation and homeowners are highly unprofitable for carriers. According to Insurance Information Institute's 2012 Workers' Compensation Critical Issues and Outlook Report, profitable underwriting was the norm prior to the 1980s. Workers' comp has not consistently made an underwriting profit for the last few decades for several reasons including increasing medical costs, high unemployment and soft market pressures.

What Is Predictive Analytics?
Predictive analytics uses statistical and analytical techniques to develop predictive models that enable accurate predictions about future outcomes. Predictive models can take various forms, with most models generating a score that indicates the likelihood a given future scenario will occur. For instance, a predictive model can identify the probability that a policy will have a claim. Predictive analytics enables powerful, and sometimes counterintuitive, relationships among data variables to emerge that otherwise may not be readily apparent, thus improving a carrier's ability to predict the future outcome of a policy.

Predictive modeling has also led to the advent of robust workers' compensation "industry risk models" — models built on contributory databases of carrier data that perform very well across multiple carrier book profiles.

There are several best practices that enable carriers to benefit from predictive analytics. Large datasets are required to build accurate predictive models and to avoid selection bias, and most carriers need to leverage third party data and analytical resources. Predictive models allow carriers to make data-driven decisions consistently across their underwriting staff, and use evidence-based decision making rather than relying solely on heuristics or human judgment to assess risk.

Finally, incorporating predictive analytics requires an evolution in terms of people, process, and technology, and thus executive level support is important to facilitate adoption internally. Carriers who fully adopt predictive analytics are more competitive in gaining profitable market share and avoiding adverse selection.

Is Your Organization Ready For Predictive Analytics?
As with any new initiative, how predictive analytics is implemented will determine its success. Evidence-based decision-making provides consistency and improved accuracy in selecting and pricing risk in workers' compensation. Recently, Dowling & Partners Securities, LLC, released a special report on predictive analytics and said that the "use of predictive modeling is still in many cases a competitive advantage for insurers that use it, but it is beginning to be a disadvantage for those that don't." The question for many insurance executives remains: Is this right for my organization and what do we need to do to use analytics successfully?

There are a few important criteria and best practices to consider when implementing predictive analytics to help drive underwriting profitability.

  • Define your organization's distinct capability as it relates to implementing predictive analytics within underwriting.
  • Secure senior management commitment and passion for becoming an analytic competitor, and keep that level of commitment for the long term. It will be a trial and error process, especially in the beginning.
  • Dream big. Organizations that find the greatest success with analytics have big, important goals tied to core metrics for the performance of their business.

Medical Identity Theft And Fraud

Medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

Medical identity theft (MIDT) is a crime that has profound consequences for patients, insurance providers, and health care providers. The definition of medical identity theft is the fraudulent use of an individual's personally identifiable information (PII), such as name, Social Security number, and/or medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity. Unfortunately, the definition of medical identity theft and the consequences that are associated with the crime are not common knowledge to the general public.

A recent study conducted by Harris Interactive on behalf of Nationwide Insurance found that only one in six (~15%) of insured adults say they are familiar or very familiar with the term "medical identity theft." Of the 15% that professed familiarity with the term, only 38% could correctly define what a medical identity was (Medical ID Theft Study 4). Unfortunately, this lack of widespread understanding of medical identity theft by consumers is part of the problem and it is costing consumers, insurers, and healthcare providers alike.

According to the most recent Ponemon Institute Research Report, 1.85 million Americans were affected by medical identity theft in 2012. This is a dramatic increase from the 1.49 million affected by medical identity theft in 2011, amounting to an almost 25% increase in just one year (Third Annual Survey 1). This rate of growth has the potential to explode due to several reasons. First, the Affordable Care Act is estimated to reduce the number of uninsured by approximately 30 million (Insurance Coverage Provisions 13), drastically increasing the number of insurers and insured patients that are targets for medical identity theft. Second, HIPAA policies and new rules under HITECH are increasing the use of electronic health records (EHRs) which can be vulnerable to data hackers. And lastly, the data hackers themselves are more sophisticated and cognizant of ways to profit off of personal data than ever before. All these factors combined pose a very serious dilemma in controlling the rate of growth for medical identity theft. Ponemon estimates that the cost of medical identity theft to consumers in 2012 was approximately $41 billion (Third Annual Survey 1). This does not include the untold cost borne by healthcare and insurance providers. We cannot afford the cost of letting this crime grow.

In order to minimize the effects of medical identity theft we must better understand the nature of medical identity theft. The Identity Theft Resource Center (ITRC) knows it is important to assess how consumers' identities are stolen, how they find out they have fallen victim to this crime, and how difficult it is to resolve once discovered. The Identity Theft Resource Center believes this information can be used to educate and make aware the general public as to what medical identity theft is and how they can minimize their risk or mitigate the cost once they become a victim.

Looking at how medical identity theft victims discover they have fallen victim to this crime is crucial in determining what can be done to discover medical identity theft sooner to avoid increased expenses and instances of fraud. The 2012 Ponemon report found that the most common way (39%) people discover they have become victims of identity theft is by receiving collection letters for delinquent bills. This is bad news as this means the costs for the fraudulent services worked their way through the providers' billing systems and languished there until they were forwarded to collection departments or agencies. In the time it took for the bill to make it to the collection department or agency, the imposter could have committed many more instances of fraud in different locations. The second most common method of discovery (32%) was by noticing mistakes in their health records, tipping them off to the medical identity theft. This is also bad news as mistakes in health records can have catastrophic consequences which can be fatal.

Fortunately, the third most common method (26%) of discovering identity theft was by victims noticing suspicious postings to a statement or invoice, such as an Explanation of Benefits statement. This is very good news as this usually means the victim is discovering their medical identity theft as early as possible. The earlier the victim notices the crime, the more likely they may avoid damage to their credit score, stop future abuse of their medical identity, and reduce the amount of time and money spent to rectify the issue. This statistic is even more interesting when compared to the previous two years of the Ponemon study, where only 9% of participants indicated that they discovered their medical identity theft via suspicious statements or invoices. This is a promising example of how educating and making consumers aware of medical identity theft can make a big difference in helping reduce the incidence of medical identity theft and its costs as a whole.

Looking into the mitigation process victims are confronted with after they discover their medical identity theft reveals the costs and trouble they have to go through to clear their names. There are two distinct objectives when mitigating medical identity theft. First, the victim must deal with an individual incident such as a thief receiving medical care under the victim's name and the associated fiscal impact the crime imposes. Second, the victim must now deal with the task of "curing" themselves of medical identity theft, ensuring that their medical identity is not abused again in the future. This second objective is extremely difficult and contributes to the devastating nature of medical identity theft.

Regarding the first objective, the process for rectifying an individual incident of medical identity theft is complicated and drawn out. The victim must immediately contact the medical records and billing departments of the healthcare provider that provided the services to the imposter, request their medical records, and inform the provider that they are not responsible for the fraudulent bills. Upon learning that there may be fraudulent information in the victim's medical record, the healthcare provider may deny the victim access to their medical record for fear of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy of patients' medical records making healthcare providers worry that they may be violating the imposter's privacy rights by releasing the medical record to the victim. Oftentimes, the healthcare provider does not know for a fact that the fraudulent information in the medical record was a result of medical identity theft and cannot rule out that it may simply have been an accidental mixing of two patients' records. Regardless of the situation, the healthcare provider is afraid of incurring liability under HIPAA for releasing confidential medical information even if it is under the victim's name. The victim may have to appeal the decision in order to be able to view their records.

In one case, a medical identity theft victim was charged for bills related to the alleged amputation of one of her feet. Luckily, this was easily refutable as she could simply show the hospital billing department that she still had her two feet. Unfortunately, the imposter also had diabetes, which prompted a physician, during a subsequent hospitalization, to ask the victim what medications she was taking to treat her diabetes. Note, the victim has never had the disease (Menn). This case demonstrates how frustrating correcting medical records can be and reminds us how dangerous medical identity theft is to the victim.

It is also recommended that victims file a police report and submit a copy of the report to healthcare providers as it will usually help streamline the process. It is important for victims to note that medical identity theft, like any other form of identity theft, is a crime for which police in most states are required to provide a police report. Once the incorrect information is identified, the victim must request that the healthcare provider either remove the information or at least flag it should the provider be reluctant to permanently remove it. After correcting the records at the location the imposter received medical services, the victim will then have to request an accounting of disclosures listing all the entities to which the healthcare provider sent the victim's fraudulent records. The victim must repeat this procedure at each location that has their fraudulent medical record. All of this creates mountains of work for healthcare providers, insurers, and the victims themselves, which increases costs in the medical industry for everyone involved.

The second and more difficult objective, "curing" oneself of medical identity theft, does not have a set solution. The problem stems from the decentralized structure of the medical data system. Every healthcare provider, pharmacy, and insurer has its own records and records system. In contrast, the financial industry has three major credit reporting agencies through which almost all financial credit information is processed. Therefore, when you have suffered financial identity theft, a great way to mitigate future instances of fraud is to place a credit freeze with all three credit reporting agencies so that identity thieves cannot abuse your credit again. There is no such central medical record agency for medical records. Thus, it is possible for a medical identity thief to commit fraud with the same medical identity over and over again in multiple locations around the country. The victim will have to go through the individual incident mitigation process every time and just hope that the identity thief will stop using their medical identity.

Since there is no way to get ahead of the thief and prevent the medical fraud from occurring, the best way to mitigate the costs and effects of medical identity theft is for the victim to be vigilant and confront each instance of fraud as soon as possible in order to reduce the amount of wasted time and costs. This repetitive cycle is exhausting and costly for the victim as well as healthcare providers and insurers. In all three years Ponemon has conducted this survey, the number of victims who said they had completely resolved their medical identity theft never exceeded 11% (Third Annual Survey 11). This is an ongoing problem that does not yet have a solution, but it is imperative for all stakeholders to be involved.

All of this information points us to the realization that medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

The Identity Theft Resource Center proposes that one of the best methods of reducing medical identity theft and the costs associated with it is an educated and aware consumer population. To make this point, it is useful to separate out the causes of identity theft listed in the Ponemon report into two groups. The first group includes causes of identity theft that victims have no control over: healthcare provider used identification to conduct fraudulent billing (22%), malicious employee in the health provider's office stole health information (7%), and the healthcare provider, insurer or other related organization had a data breach (6%). In total, 35% of the causes of identity theft cannot be affected by actions of the consumer. The second group consists of causes of identity theft that a consumer does have a degree of control over: family member took personal identification credentials without my knowledge (35%), mailed statement or invoice was intercepted by the criminal (6%), lost a wallet containing personal identification credentials (5%), and a phishing attack by criminal who obtained personal identification credentials (4%). Thus, the total of causes of medical identity theft that can be affected by actions of the consumer is 50%. It should be noted that 15% of the participants still did not know how they had their medical identity stolen.

Looking at the numbers above, it is clear that the consumers themselves can have the largest impact in reducing the number of medical identity theft cases and the severity of the cases that still occur. Not only do the consumers themselves have the best ability to reduce the risk of medical identity theft happening to them, they are the only people that can reduce the severity of the crime when it does happen. The Identity Theft Resource Center has long understood the ramifications of medical identity theft on the consumer population as well as the medical industry itself. We know that educating the consumer population can be cost-effective and powerful.

The Identity Theft Resource Center is a founding organization of the Medical Identity Fraud Alliance, the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for medical identity fraud. We encourage all industry stakeholders to join so that we can work together in galvanizing the consumer population into becoming the most effective weapon yet against medical identity theft.

How Consumers Can Minimize Their Risk Of Medical Identity Theft

  • Review Explanation of Benefit statements as soon as you receive them as they may detail medical services that you never received.
  • Review your credit reports multiple times a year to see if any fraudulent accounts have been opened in your name, or if any medical bills have been reported as unpaid.
  • Be aware of phishing emails. These emails are designed to look like they are official communications from either a healthcare provider or insurer and ask for personal information such as a Social Security number, insurance policy number, or other information used to commit medical fraud in your name.
  • Do not open attachments in emails from people you are not familiar with, as they may contain a virus or a program designed to steal information from your computer.
  • Use a Virtual Private Network when using the Internet outside of your home as this will encrypt your signal from your mobile device or laptop.
  • Do not carry your Medicare card, Social Security card, or certain military identification as these have your Social Security number on them. Should you lose your wallet or purse or have it stolen, this information would be extremely valuable to a medical identity thief.
  • Shred or safeguard any documents with personally identifiable information by either locking them in a safe hidden in the home or by storing them on an encrypted thumb drive and deleting them off your computer. Sensitive documents with PII include:
    • Tax preparation papers
    • Explanation of Benefits statements
    • Medical Bills or Records
    • Bank Statements
    • Passport
    • Medicare, Social Security, or military identification card

References
Nationwide Mutual Insurance Company. "Medical ID Theft Study Results." March 2012. Print.

Ponemon Institute. "Third Annual Survey on Medical Identity Theft." June 2012. Print.

Congressional Budget Office. Estimates for the Insurance Coverage Provisions of the Affordable Care Act Updated for the Recent Supreme Court Decision. U.S. Government Printing Office. July 2012. 13 December 2012. http://www.cbo.gov/sites/default/files/cbofiles/attachments/43472-07-24-2012-CoverageEstimates.pdf

Menn, Joseph. "ID Theft Infects Medical Records." Los Angeles Times. 25 Sept. 2006. N.pag. Web. 20 Dec. 2012.

Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices

Health plans, their insurers, employer and other sponsors, and business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices.

Health plans, their insurers, employer and other sponsors, and business associates have work to do. Health care providers, health plans, health care clearinghouses and their business associates will need to review and update their policies and practices for handling and disclosing personally identifiable health care information ("PHI") in response to the omnibus restatement of the Department of Health & Human Services ("HHS") Office of Civil Rights ("OCR") of its regulations (the "2013 Regulations") implementing the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rulemaking announced January 17, 2013 may be viewed here.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates ("Covered Entities") restrict and safeguard individually identifiable health care information ("PHI") of individuals and afford other protections to individuals that are the subject of that information. The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that the Office of Civil Rights found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, Office of Civil Rights officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While the Office of Civil Rights had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating the Office of Civil Rights' HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR's interpretation and enforcement of HIPAA.

Highlights Of Changes
Among other things, the 2013 Regulations:

  • revise the Office of Civil Rights' HIPAA regulations to reflect the HITECH Act's amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA's civil and criminal penalties for violating HIPAA's Privacy, Security, and Breach Notification rules;
  • update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities, including business associates, to give specific notifications to individuals whose personally identifiable health care information is breached, the Department of Health & Human Services and, in some cases, the media when a breach of unsecured information happens;
  • update interim enforcement guidance the Office of Civil Rights previously published to implement increased penalties and other changes to HIPAA's civil and criminal sanctions enacted by the HITECH Act;
  • implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose personally identifiable health care information for marketing and fundraising purposes and prohibit Covered Entities from selling an individual's health information without getting the individual's authorization in the manner required by the 2013 Regulations;
  • update the Office of Civil Rights' rules about the individual rights that HIPAA requires that Covered Entities afford to individuals who are the subject of personally identifiable health care information used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic personally identifiable health care information in electronic form;
  • revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of personally identifiable health care information protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • clarify and revise other provisions to reflect other interpretations and information guidance that the Office of Civil Rights has issued since HIPAA was passed and to make certain other changes that the Office of Civil Rights found appropriate based on its experience administering and enforcing the rules.

Covered Entities And Business Associates Must Act To Review And Update Policies And Practices
The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and update their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and address other enforcement and liability risks. The Office of Civil Rights, even prior to the regulations, has aggressively investigated and enforced the HIPAA requirements.

The commitment of the Office of Civil Rights to enforcement was demonstrated most recently by its settlement with Hospice of North Idaho (HONI). On January 2, 2013, the Office of Civil Rights announced that the Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing electronic personally identifiable health care information. The Hospice of North Idaho settlement is the first settlement involving a breach of electronic personally identifiable health care information affecting fewer than 500 individuals.

While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. Rather, the Office of Civil Rights continues to roll out a growing list of enforcement actions demonstrating that the potential risks of HIPAA violations are significant and growing.

Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices, taking into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own security and privacy breaches and near misses as well as reports of others', and other developments, to decide if additional steps are necessary or advisable.