Musculoskeletal Disorders (MSDs) represent 28% of all recordable OSHA injuries and account for 33% of the total cost of work-related injuries. Each recordable OSHA musculoskeletcal disorder involving lost time results in an average of 20 or more lost work days, compared to 9 lost work days for all other recordable injury types. Since the enactment of OSHA in 1970, the regulations have evolved to increasingly focus on the reduction of job hazards potentially leading to fatalities, amputations, and other serious injuries. Accordingly, a significant decline in the number of those types of injuries is evidenced in OSHA's records. However, muskuloskeletal disorders and other "soft tissue" injuries continue to plague workers and their employers with no indication of decline.

In fact, all indications point to an increase in muskuloskeletal disorders given that the percentage of workers ages 55-64 will increase by 36% during the next 5-year period while the percentage of workers under the age of 25 will decline. Obviously, older workers are more susceptible than younger workers to work-related muskuloskeletal disorders because of decreasing functional capacity due to degenerative conditions, pre-existing conditions and old injuries. Also troubling about this muskuloskeletal disorder injury forecast is the fact that older workers require longer recovery periods, inevitably driving up direct medical and disability costs. Indirect costs include overtime, training, and lost productivity related to injured workers' inability to perform their normal work. According to OSHA, for every $1 of medical-only claims, employers sustain $4.50 in indirect, uninsured costs.

Safety is an investment in future profitability for every employer and the well-being of every worker. However, an employer must exercise caution in its safety programs so as to avoid OSHA's anti-discrimination policies. Recently, Richard Fairfax, OSHA's Deputy Assistant Secretary, issued a memo addressing employers' safety incentive programs and suggesting that some such programs are merely a pretense to save workers' compensation costs and actually resulting in discriminatory disincentive policies and practices. Fairfax's memo emphasizes that a worker's reporting of a claim is a protected act, and identifies four approaches that potentially expose the employer to discriminatory practices:

1. Taking disciplinary action against injured workers;
2. Penalizing injured workers for failure to timely report an injury;
3. Penalizing injured workers for violation of safety rules; and,
4. Implementing certain performance incentive programs.

Under OSHA, Section 1904.4 (Recording Criteria) the employer must ascertain whether a work-related injury or illness has occurred, and if so, record the appropriate report with OSHA. If the employer is uncertain about whether an actual injury or illness has occurred, the employer may refer the worker to a physician or other health care professional for evaluation. The employer may then consider the health care professional's opinion in determining whether a recordable injury or illness exists.

One vehicle to objectively identify work-related injuries is the Electrodiagnostic Functional Assessment (EFA) Soft Tissue Management baseline program. The Electrodiagnostic Functional Assessment Soft Tissue Management baseline program is the proven non-discriminatory solution to OSHA compliance in the area of muskuloskeletal disorders. This program involves pre-injury soft tissue testing of workers that provides an objective baseline for later reported muskuloskeletal disorder injury claims. When the post-loss Electrodiagnostic Functional Assessment is compared to the baseline EFA, objective evidence is generated to determine if there is an acute injury arising out of the course and scope of employment. If no change is documented, there is no claim and thus, no reportable OSHA incident. Furthermore, no state or federal statues are triggered if evidence shows no sustained injury.

Conversely, if a change is documented, the employer is alerted to a recordable OSHA injury, and can reliably report the muskuloskeletal disorder in compliance with OSHA. More importantly, the Electrodiagnostic Functional Assessment further provides recommendations for site-specific and appropriate muskuloskeletal disorder treatment, resulting in quicker worker recovery, expeditious return-to-work, efficient compliance with OSHA's work readiness requirements, and, ultimately, limiting the employer's exposure and costs.

For more information about the Electrodiagnostic Functional Assessment Soft Tissue Management baseline program, contact the author at MReaston@emergedx.com or 702.234.1014.

Just when you thought that everything was settling down, the "Slither-Ins" from the Dark Side have once again reared their ugly heads. The latest and ongoing attempt to seize control over your claims goes like this:

Employers currently have a minimum of 30 days within which to control the medical treatment of an injured employee. This remains true unless the employee has correctly "Pre-designated" his or her Primary Treating Physician before the injury. If you are smart enough to have a Health Care Organization (HCO) in place, you have a minimum of 90 and possibly 180 days of absolute medical control over the claim. Or, if you have put a Medical Provider Network (MPN) in place, you have cradle-to-grave control over the medical treatment of your injured employee if it is handled correctly by both you and your insurance carrier.

Your ability to retain control is a given unless you do not follow the rules regarding the treatment of an injured employee. It is in the initial stages of the claim that you are most vulnerable and subject to having your control taken away by an attorney/doctor team from the dark side if you do not strictly follow the letter of the law. However, do not despair as we have once again been forewarned of their latest tactic and are ready to meet them head-on.

You Have To Open The Mail Every Day
The current law (L/C 5401) says "Within one working day of receiving notice or knowledge of injury under Section 5400 or 5402, in which an injury results in lost time beyond the employee's work shift at the time of injury or which results in medical treatment beyond first aid, the employer shall provide, personally or by first class mail, a claim form and notice of potential eligibility for benefits."

This is the first place that the applicant's attorney is going to try to get you. If you have not provided the Workers' Compensation Claim Form (DWC-1) to the injured employee, they will claim that you failed to follow the law and will attempt to seize control regardless of the medical control program you have in place. It is therefore important that this requirement be strictly adhered to by the person within your organization who you have designated as being responsible for watching your workers' comp claims.

Next, current law (L/C 5402) says "Within one working day after an employee files a claim form (DWC-1) under Section 5401, the employer shall authorize the provision of all treatment,... for the alleged injury and shall continue to provide the treatment until the date the liability for the claim is accepted or rejected..."

In a previous article, I recommended that each of you change your policy regarding how you deal with the DWC-1 when there is an injury. I stated that it is "best practice" for you to have the injured employee complete the top part of the DWC-1 in their own handwriting at the time of the injury. This gives you a record of what allegedly happened (in the employee's own words) and signed by them. If you receive an amended DWC-1 later from an attorney, we then have a basis to object to the added body parts.

You should then fill in the bottom half of the DWC-1 and give them a completed copy. Under this scenario, you have complied with the labor code and can then either accept the claim or delay it while you investigate the incident to see if it really is work related. The need for this approach has become clearer with the current filing of claims we are seeing.

In a recent claim, the employer's failure to timely provide treatment caused him to lose control of a claim that was covered by his Medical Provider Network. The first the company heard from the employee was through a fax sent by an attorney. The rule on receiving notice by ax is the same as if it comes by mail, i.e. you add 4 days to the notice.

So, if you were to receive a fax on Thursday, you add 4 days and the following Monday becomes your official notice date. Several lawyers have tried to use the date of the fax as their official notice trying to gain medical control because the employer did not act timely in getting the injured employee in for treatment. The law is clear that in order for the date of a fax to be effective as notice, both parties must agree in writing for the fax notice to be effective. So watch these carefully and call if there is ever a question.

Another employer also received a letter from the injured employee's attorney which contained a DWC-1 for his alleged specific injury along with another DWC-1 for a cumulative trauma (CT) claim. The forms were mailed to the employer and not the claims examiner. The letter sat on a desk for several days and was not dealt with in a timely manner. The person designated to handle the company's workers' comp program had not been properly trained in the new rules so that the attorney's letter sat for 4 days on her desk before she decided that it might be important enough to open and should be forwarded to their carrier.

Because of the delay in dealing with the alleged injury, medical control over the claim was lost. The employer had failed to authorize treatment (L/C 5401) within 24 hours as required by the statute as well as failing to have the employee seen by a doctor within 3 days as required by the Medical Provider Network statute (L/C 4616). So what is the message here?

If you have not already done so, review your internal policy regarding how you handle claims, especially the provision of dealing with the DWC-1 form when there is an injury. I again strongly recommend that you have the employee fill out the top part of the form first and you do the same for the bottom section giving a completed copy of the form back to the employee and documenting that you did so.

Next, you must open your mail and deal with it every day. This is the only way that you will protect yourself from attacks from the Dark Side.

This is Part 1 in a two-part series about what employers should expect from their insurance brokers. Part 2 in the series will be forthcoming soon.

Setting The Stage
The world of health care finance is changing and the role of the health insurance broker is changing just as rapidly. The role of a trusted advisor is more important than ever. Health benefits for any size employer demand a benefits professional who has the client's best interests at heart. Employers must explore current benefits offerings and demand a package best suited to their needs.

Voluntary benefits, self funding, and Consumer Directed Health Care are just a few of the many options every employer must discuss with their broker. Many employers are also demanding that their brokers account for their income.

The days where brokers were paid a commission by the carrier and counted on a regular double digit raise simply by telling the employer to re-enroll are gone. Some carriers are changing their compensation model. Instead of paying a percentage commission they are paying per head, also known as a capitation model. This model eliminates the automatic pay raise brokers have been experiencing and forces brokers to explore other options to replace lost revenue.

Employers should insist on a written agreement outlining the broker's commissions and the services they will receive. A good broker will help an employer design a plan, market the plan to carriers, and analyze the costs and benefits of suitable plans. Beyond that, some brokers may handle open enrollment, resolve billing and claim issues, and help communicate with employees, but it's essential to clarify such expectations up front.

If your company is self-insured or experienced-rated, retain a competitive broker group to periodically conduct an independent market pricing comparison. You will pay a consulting fee for such services, but the initiative may result in significant savings.

Discussions regarding containing health care costs have traditionally focused on educating and influencing the employee consumer of health insurance. But now, as soaring costs and growing complexity have become the norm, employers too need to educate themselves in order to understand how brokers are compensated and how they can reap the most value from the employer-broker relationship.

Technology As Differentiator
Just as the Internet has empowered consumers, so has it empowered health insurance brokers. While once the task of acting as conduit between insurance company and policyholder required long administrative hours, computers now allow broker and insurance company to instantly transfer information.

Still, time saved by computer must be made up by competing for a limited and educated client base. The new technology has in part driven a trend towards specialization: brokers are marketing themselves as specialists in a given industry. One might be the specialist in non-profit health insurance while another may specialize in the travel industry. This allows brokers to be aware not just of policy options but also of the typical wants, needs and budgets of a given industry.

What directions technology will propel the industry will be revealed only with time. One thing that remains clear is that Americans do not want to worry about their health coverage and will look to experts for help securing the best service at the right price.

Every broker has the best service and every broker offers the best products, just ask them. What differentiates a broker is their technology. Not only the technology a broker uses in their office but more importantly the technology the broker provides to the employer groups. Most brokers are very reactionary. They provide technology to their clients only when the client demands it. All parties — employers, employees, Third Party Administrators, carriers, and brokers — must utilize technology tools.

Benefits administration software, COBRA administration tools, HRIS, and consolidated billing services are just a few of of the technology tools used by brokers and their clients. The days of brokers providing quotes and enrollments are over.

In the next article in this series, we will explore in more detail how top brokers are using these technologies to run their business.

• inadequate capability: physical/physiological — mental/psychological
• lack of knowledge
• lack of skill
• stress — physical/physiological — mental/psychological
• improper motivation

1. endangers the health, safety or welfare of the workers, the environment or the public;
2. precipitates a higher rate for insurance coverage; and/or,
3. threatens to distract the focus of the workers away from production of the job task.

• Achieve contact with each conflicting party.
• Boil down what the presenting problems are.
• Cope with the problems by developing plans of action.

1. Attending behaviors. Attitude and actions of concern must be shown. This involves good body posture, appropriate meeting place, manners, eye contact, etc.
2. Listening. Excellent listening skills must be demonstrated-not verbally forcing the issue of resolution on others. Facilitators should listen to complaints without judging each party, indicating to them that an objective, neutral ear is listening. This will disarm those in conflict and influence them to sit down and work out a solution.

• What do the participants want to see happen?
• Who or what can help them?
• What else can be done to help out?
• How is the plan to be carried out?
• What evaluation is to be done to tell how the plan is doing?

A captive insurance company that qualifies for the tax exemption found in section 831(b) of the Internal Revenue Code is a time-tested and useful risk management mechanism that offers the entrepreneur excellent tax and financial planning benefits.

It looks simple — form a small insurance company and pay no more than $1,200,000 in annual premiums to it, which are fully tax-deductible and then later remove the profits of the captive at more favorable dividend (for now) or capital gains rates.

But it is not so simple. There are many pitfalls. Aggressive captive providers have proliferated recently who are ignoring common sense risk management and taxation issues to the potential peril of their clients. And they hide behind actuarial opinions and regulatory acceptance arguing that their plans and pricing are perfectly acceptable.

The problem is that actuarial opinions are only as good as the assumptions that the actuaries are given. And regulators examine different issues than the IRS when they are approving a captive's license. The existence of an actuarial opinion or a license does not assure the client that their captive is truly compliant with the complicated tax issues that are involved.

There are two current "hot buttons" that anyone contemplating forming a captive should consider:

Pricing of Risk: Once the types of risks to be transferred to the captive are identified, the next challenge is to properly calculate the premium for such risk. Underwriting is as much an art as it is a science, with factors such as coverage details, loss history, limits, deductibles, exclusions and the financial strength of the issuing insurance company all coming into play along with sound actuarial practices.

Given these variables, it is easy for different people to offer diverse opinions on what an appropriate premium may be. But common sense must prevail. For tax purposes, the IRS will only allow a deduction for premiums that are reasonable in amount. The starting point for "reasonable" is the market rates for the coverages in question. However, market rates are not the end point for small captives, but they absolutely do create a benchmark. If a taxpayer is considering paying premiums that are vastly beyond that benchmark, they had better have very strong and well documented arguments for doing so.

Let's take an actual case in point. A captive provider suggested that a client's captive issue a $3,000,000 excess policy for Employment Practices Liability for a premium of over $250,000. Yet the client already had a $3,000,000 primary layer for this type of coverage for which he had paid less than $12,000.

Given that the primary layer would have to pay out full limits of $3,000,000 in order to trigger a loss on the excess layer, insurance companies would normally charge less than the premium paid for the primary layer of the same size. And when we compared what actual clients paid for this type of excess coverage, we found a rate of about $3.00 per employee. The suggested premium for the captive, however, equated to $808.50 per employee. A review of the actual excess policy language did not reveal any special provisions that could possibly justify such a high premium.

While it is true that a small insurance company may need to charge more than market rates because it has a very low capital base, common sense (and the IRS) would never accept a premium that is 269 times the market rate as in any way "reasonable." [When presented with this argument, the captive provider in question simply stated that they felt that they could defend the premium in the event of an audit. The client was not comforted.]

Terrorism insurance is another area of controversy in the small captive market. It is a coverage that can legitimately be placed in a captive insurance company, but pricing is a serious issue. Given the fact that TRIA does not cover loss of income from a terrorist attack and that such coverage is not easily available in the domestic market, some captive providers have suggested that small captives can charge $500,000 to $600,000 for a $5,000,000 limit of such coverage.

In fact, such a policy is available from Lloyds of London at rates significantly lower than those used by these captive providers. For example, one of our clients, a $100 million (revenues) company in Dallas, Texas was recently quoted a price of $10,000 for $5,000,000 of terrorism coverage that includes loss of income as a result of a terrorist attack anywhere in the United States, not just in Dallas. Lloyds obviously has the financial strength to price risks lower than the average captive, but the disparity between the real market price and the pricing quoted by captive providers with little or no insurance experience once again defies common sense.

One of the basic tenets of risk management is that if the risk of loss is severe, and coverage can be purchased at a low price from the third-party market, it is not a sound business decision to self-insure that exposure. If a client is truly concerned about a terrorism related loss, it therefore would make more sense to buy the coverage from Lloyds rather than self-insure it in their own captive. Except, of course, for the tax benefits of doing so. Thus, the decision to form and fund such a captive clearly indicates a lack of economic substance and is motivated primarily by tax considerations. Such a captive would most likely fail an audit by the IRS.

Of course, even Lloyds might not have the ability to pay a claim in the event of an enormous terrorist event, which could be a reason to self-insure this risk in a captive. But pricing the premium at a "worst case plus" rate is not sensible and would likely not survive an IRS audit.

Finally, terrorism quotes in the captive market rarely take into account individual risk characteristics. If the client is located in a "target rich" area, such as near a nuclear facility, some higher rates certainly can be justified, but common sense says that such a rate is not applicable to everyone, particularly in lower exposure areas.

What about an actuarial opinion? Certainly an opinion that is specific to the actual policy coverages in question and to the client's unique risk characteristics can go a long way to justifying the given premium. But clients must be careful that a proffered opinion truly relates specifically to them and not just to the type of coverage in general. When it comes to terrorism insurance, however, we submit that there can be no such "coverage in general" that makes economic or common sense.

Life Insurance: Whole life insurance can be an acceptable part of a captive's investment portfolio. But that statement has opened the door to abuses — abuses that the IRS is well aware of and is determined to quash. A captive must be formed first and foremost for risk management purposes. The tax benefits that follow are wonderful, but must be secondary, and the investment portfolio then ranks third.

Some life insurance agents (who likely know nothing about property & casualty risk management) are touting the formation of a captive for (effectively) the benefit of purchasing life insurance with the premiums received by the captive. This, in effect, allows life insurance to be purchased with pre-tax dollars. Not only does this approach likely violate section 264 of the Internal Revenue Code (that disallows the deduction, directly or indirectly, of premiums paid for life insurance), it violates the economic substance doctrine.

Again, common sense would show that if the primary purpose of forming a captive insurance company is to buy life insurance with pre-tax dollars, that would not constitute a valid reason to become involved with what is, first and foremost, a risk management vehicle.

It is our understanding that the Internal Revenue Service has a specific internal mandate to find and close captives that are marketed in this manner.

To avoid this issue, we suggest the following: (a) do not purchase a captive from anyone promoting it as a vehicle for the purchase of life insurance, particularly an immediate purchase; (b) make any life insurance decisions a part of an overall investment strategy; (c) do not use any unearned premium to purchase life insurance (which means no purchases in the first year); and, (d) do not use more than 50% of the captive's premiums in such an investment.

These issues of pricing and the use of life insurance are particularly important to the CPAs who are being asked to sign the client's tax return showing deductions to a captive. CPAs now have a higher financial and professional risk when signing a tax return and must be acutely aware of these potential issues with respect to their clients' captives.

Historically, many good business ideas that have tax benefits have been abused and distorted by greedy promoters and unsuspecting taxpayers. The end result is often a complete closure of the benefit by Congress or the IRS. We hope that the few "bad actors" in the 831(b) space do not cause the same result with this excellent risk management and financial planning tool.

Authors
James Landis collaborated with Rick Eldridge in writing this article. Rick Eldridge is the President & CEO of Intuitive Insurance Corporation and, along with James Landis, a Managing Partner of Intuitive Captive Solutions, LLC.

The construction industry's reputation has been tarnished by poor quality performance. Construction defects decrease the satisfaction of property owners and erode the confidence of the financiers, buyers, and end users of construction projects.

Total construction costs are increased by lost productivity, and higher rework and insurance costs. Defective construction undermines the reputations of affected contractors and threatens their profitability.

Until recently, Construction Financial Managers outside the homebuilding sector may not have heard of or thought much about construction defects. However, these defects are now an industry-wide issue.

Likewise, while formerly concentrated in the western states, construction defects are now a national concern to all Construction Financial Managers involved in either general contracting or the specialty trades within commercial building.

With a rise in reported construction defects, companies — now more than ever — need to improve quality during the construction life cycle.

This article discusses the basics of construction defects, and presents the barriers to and indicators of quality construction — in addition to the risk management consequences of poor quality performance.

The Origins of Construction Defects

Construction defects occur at the intersection of construction operations, real estate transactions, contract law, and business insurance.

A construction defect is a component of construction that is not built according to plan, specification, or in conformance to established construction codes and industry standards of care.

To be considered a construction defect in the eyes of the legal and judicial systems, physical damage to tangible property or bodily injury must result from the alleged defective construction.¹ Construction defects can also include the loss of use of the "impaired property" — property that is not physically damaged, but is rendered unusable due to defective construction work.

Unfortunately, in our litigious judicial system, reality does not always match theory. Sometimes, "alleged" construction defects are pursued because attorneys think there's a good chance of winning a verdict or receiving a settlement. This can also happen when a group of people, such as a homeowners association, is "unified" for the purpose of class-action litigation.

In the U.S., the general legal doctrine that governs the sale of property is caveat emptor, or "let the buyer beware." In order to receive legal protection, buyers have a general duty to inspect their prospective purchases before taking possession. The legal system recognizes the inherent limitations of such inspections, and therefore distinguishes between two types of defects: patent vs. latent.

There is a fundamental and legal difference between patent defects found during the course of construction and latent defects that manifest later.

Patent defects are regarded as conditions that can clearly be observed or detected in a reasonably thorough inspection prior to the sale or transfer of the property from the seller to the buyer. In contrast, latent defects are faulty conditions in a property that could not have been discovered during a reasonably thorough inspection.

Types of Construction Defects

The types and causes of construction defects vary and are influenced by many factors, which are commonly categorized into the following eight types:

1. Improper design;
2. Poor workmanship that leads to poor finishing quality;
3. Improper means or methods of installation or fastening;
4. Improper materials;
5. Defective material or poor material performance;
6. Missing or inadequate protection from weather or environmental conditions;
7. Water intrusion/infiltration and moisture; and
8. Soil subsidence or settlement.

These types of construction defects result from one or more common causal factors. Researchers at the University of Florida reviewed the common causes and types of building occupancies most often implicated in construction defects.

This study revealed that 45% of all construction defect claims occurred in multifamily housing.² (A large percentage of which presumably relates to condominiums, given the potential for class-action litigation by homeowners associations.)

Another major study found that "...84% of claims are associated with moisture-related defects in building envelope systems (69%) and building mechanical systems (15%)."³

Causes of Construction Defects

The most common causes of construction defects are: 1) the nature of the construction industry itself, and 2) climate, weather, and environmental factors. Let's look at how scheduling pressures and sequencing issues are driven by both causes, and review their potential negative impact on construction quality.

Scheduling Pressures
Contractors face increasing demands for shorter schedules and faster project completion. The potential adverse effects of these types of pressures include cost overruns and nonconformance to specifications, as well as other quality issues.

As these increased schedule pressures contribute to compromised quality performance, the number of construction defects increases. The rework necessary to rectify these quality issues also adversely impacts productivity — and jeopardizes the project's overall profitability, as well as the profitability of all parties involved.

Sequencing Issues
A problem related to scheduling pressures is the improper sequencing of material delivery and/or subcontractor trades. Construction projects require precise coordination of various suppliers and subcontractors. Conditions are ripe for latent construction defects when weather-sensitive materials, such as drywall boards, are delivered to a jobsite before the building has been enclosed and is weather-tight.

For example, if a load of drywall is exposed to moisture from humidity, dew, or rain, then the likelihood of mildew or mold increases. Likewise, if the various subcontractor trades are not properly sequenced, then additional punch list items or rework can result.

Exhibit 1 below summarizes quality management barriers and lists the factors that contribute to construction defects at the industry, company, and project levels.

Exhibit 1: Barriers of Implementing Quality Management in the Construction Industry

The Role of Insurance

Risk Financing
Insurance is a financial risk transfer method that may help resolve construction disputes or litigation that involves alleged defective construction. Insurance pays on behalf of an individual or business when two conditions are met:

1. It is proven that one party is liable for causing or contributing to the construction defect; and
2. It is determined that the party has a legal duty to correct or otherwise remedy the defective conditions.

Commercial General Liability Coverage
Specifically, Commercial General Liability Insurance is purchased to cover payments for bodily injury and property damage sustained by third parties arising out of business operations. These damage claims are known as third-party liability claims.⁴

Construction-related Commercial General Liability property damage losses are further divided into losses that occur during two different timeframes: the course of construction and completed operations.

Course of Construction
The course of construction involves construction operations from the inception of building activity until a certificate of occupancy (CO) is issued for the facility.

Completed Operations
The completed operations aspect of Commercial General Liability coverage responds to allegations of construction defects. The completed operations component provides coverage from the time a certificate of occupancy is issued through coverage termination.

The increased severity and volatility of losses in construction insurance primarily stems from losses with a "long tail" — the length of insurance coverage extending beyond the term of the policy.

It's common for the coverage period to extend between 3-10 years (often to match the length of the statute of repose and/or statute of limitation). During the extended coverage period, latent conditions often manifest as insurance claims with associated monetary losses. In construction insurance, the long tail results from alleged and actual construction defects.

Completed Operations vs. Products-Related Coverage
While coverage for completed operations and products are included in the same limit of the policy, there is a distinction between the two types of coverage.

A general rule of thumb: Once a product is incorporated into real property, it loses its characteristic as a product and is considered a "completed operation."

For example, a contractor that is also a supplier of ready-mix concrete has a "products liability" exposure until the time the concrete is incorporated into the building. At that point, it becomes a "completed operation," and is subject to all of the provisions of that coverage part — including the potential to respond to construction defect claims.

Statute Of Repose vs. Statute Of Limitation
Generally, companies involved in construction seek to purchase completed operations insurance to correspond with either the legal statute of repose or statute of limitation. Both the statutes of repose and limitation restrict the total time period contractors are subject to liability.

What's the difference? The statute of repose is a specific legal limitation or length of time following the completion of the project in order to provide the owner or occupants an opportunity to discover if defects or non-conformance to specifications need to be rectified by the contractor. The statute of limitation bars legal action after a specified length of time following the discovery of a deficiency.

These statutes are state-specific and are used to adjudicate alleged construction defect cases in state court systems. After the expiration of the statute of repose, buyers have no standing to bring legal suit against the property seller.

The statutes of repose range from a low of four years in Tennessee to a high of 15 years in Iowa.⁵ The most common length of statutes of repose is either seven or ten years.

However, statutes of limitation are shorter for bringing suits once damage is discovered and usually range from 1-3 years.⁶

Subcontractors & Contractual Risk Transfer
Contracts govern how expectations are communicated, responsibilities are assigned, and risks are allocated to facilitate successful project execution.

Generally, subcontractors are expected to assume responsibility for the work they perform (both financially and legally). One of their legal responsibilities is to purchase insurance as a means to protect the owner and all other parties.

A gap between legal and financial risk transfer can occur if subcontractors are not able to obtain the required types of insurance coverage. This gap can also occur if the required policy limits cannot be obtained or if the coverage has exclusions for particular perils or exposures that are likely to occur during the course of construction.

Quality Management In The Construction Industry

When strictly adhered to, quality management systems instituted by contractors can minimize the need for rework on construction projects.

As the amount of rework decreases, a contractor's performance increases in the areas of quality, productivity, and profitability. Unfortunately, a universal or standard definition of "quality" does not exist within the industry. Instead, many competing definitions are used, including:

• Customer satisfaction
• Contract requirements met
• On-time completion
• Conformance to specifications
• Project completed within budget
• No rework required within warranty period
• Zero punch list items at project turnover
• Continuous quality improvement

Leading Indicators
In my article on "Risk Performance Metrics" (in the September/October 2007 issue of CFMA Building Profits), lagging indicators were defined as "passive metrics of prior results without consideration of the activities that influence the results." So, lagging indicators are retrospective and trigger reactive, tactical responses.

In contrast, leading indicators are metrics established to gauge the effect of activities designed to prevent or counter the metrics that are monitored by the lagging indicators. Accordingly, leading indicators are drivers of strategic and proactive activities consistent with continuous improvement. Exhibit 2 below presents leading indicators for project quality management for the three distinct phases of construction: pre-construction, course of construction, and post-construction.

Exhibit 2: Representative Examples of Leading Project Quality Indicators

The ability to deliver a quality project safely provides a significant competitive advantage among contractors. The integration of safety with quality management enables projects to be built within budget and schedule constraints.

Safety performance is improved through the quality management discipline of "continuous improvement" that increases communication and feedback among workers and supervisors. Similarly, projects with reduced safety incidents experience improved quality, schedule, and cost performance.³

As a risk management professional, I've seen proactive construction companies take various actions to minimize the adverse effects of quality issues.

These actions are divided into the following stages or phases:

• Awareness
• Prevention
• Detection and measurement
• Mitigation
• Documentation for defense

The 5 Ps & 5 Rs
Similar to the 6P model as described in my article on "Return to Work: The Foundation for Successful Workforce Development" (in the September/October 2008 issue of CFMA Building Profits), the 5P and 5R models are offered to help increase awareness of construction defect prevention and response. (See Exhibit 3 below)

Exhibit 3: Strategic Processes for Construction Defect Prevention

The 5 Ps are proactive steps focused on quality control and assurance that help prevent construction defects: Program, Policies, Procedures, Protocols, and Practices.

The 5 Rs are reactive steps taken in response to potential or suspected occurrences of defective construction: Report; Response/Investigate; Root Cause Analysis; Remediate, Repair, or other Recourse; and Recordkeeping.

For construction companies, there are potential consequences of not implementing effective quality management systems. One adverse consequence is unintended and undesirable exposure to risk.

As shown in Exhibit 4 below, poor quality performance impacts a company's reputation and has financial, operational, insurance, and legal consequences.

Exhibit 4: Risk Management Consequences of Poor Quality Performance

Industry Changes Since 2009: Proceed with Caution

Since this article first appeared (in the January/February 2009 issue of CFMA Building Profits), the construction industry has experienced challenges and changes that have led to the continued emergence of construction defects as a pressing industry issue. Most notably, the U.S. and global financial crises have contributed to the protracted economic recession and lingering recovery.

There have been some positive outcomes as a result of these changes, including growing awareness of supply chain risk management practices, improvements in building envelope design, the adoption of controls for moisture and water damage prevention, and other construction quality improvement methods and techniques.

However, the aftermath of these challenges includes such negative effects as the precipitous decline in the residential housing and construction markets and marked shifts between private and public construction funding and hard bid vs. negotiated work.

As always, contractors must consider the financial, operational, risk management, and insurance impacts from these and other changes to avoid increased risk.

Specifically, unique challenges occur when contractors pursue business in new states and/or with new partners (owners, subcontractors, and/or joint ventures), use new delivery methods, and involve new types of projects/occupancies and new products and/or materials, with which they have less experience and are beyond their core competencies.

Shifting Sands & Slippery Slopes
The resulting and ever-changing landscape of construction defects has been caused by such factors as:⁸

• State legislation and judicial case law interpretations to the legal definitions of an occurrence, property damage, and resulting loss under CGL policies;
• Increased contention between GCs and subcontractors on matters of contractual risk transfer;
• The expansion of "business risk" exclusions and exclusionary insurance endorsements vs. the growing availability of construction defect coverage;
• Unproven impacts of innovative design features, new products, and integrated technologies involved in Leadership in Energy and Environmental Design (LEED) and green construction; and
• The emergence of e-discovery in construction litigation.

Unfortunately, the lack of aggregated industry data on alleged vs. actual construction defects increases the challenge of finding proven proactive solutions that are focused on prevention. As a result, information has been focused on reactive mitigation strategies based on lessons learned from construction defect litigation outcomes.

Moving Forward

The adoption of quality management systems can positively influence the construction industry's reputation and contractors' bottom lines.

Moreover, those companies that elect to implement quality management systems are more likely to gain a competitive advantage in the form of improved productivity and reduced rework, which leads to higher profitability.

Upfront coordination and rigorous pre-project planning can reduce schedule dynamics that disrupt the entire system of a construction project. Successful project management entails quality, risk, and safety management among owners, designers, engineers, contractors, subcontractors, and suppliers.

Ultimately, with respect to construction defects, prevention is a better strategy than mitigation, and mitigation is a better strategy than litigation.

As incidents of alleged construction defects rise, they pose a serious risk to your company's tangible and intangible assets.

It's critical for contractors to fully understand the specific state legislation and case law that governs construction defects in the jurisdictions in which their companies have completed projects or plan to perform work.

Active, ongoing collaboration with construction specialty professionals in the areas of law, insurance, surety, and accounting can help your company stay abreast of the ever-changing landscape and make informed business decisions.

Endnotes:

¹ Wielinski, Patrick J. Insurance for Defective Construction, 2nd Edition, 2005. International Risk Management Institute, Inc. (IRMI). Dallas, TX.

² Grosskopf, K.R. & Lucas, D.E. "Identifying the Causes of Moisture- Related Defect Litigation in U.S. Building Construction." www.rics.org/site/download_feed.aspx?fileID=3158&fileExtension=PDF.

³Grosskopf, K.R., Oppenheim, P. & Brennan, T. "Preventing Defect Claims in Hot, Humid Climates." ASHRAE Journal, July 2008, 40-52.

⁴ For more information on Commercial General Liability, see Wm. Cary Wright's article, "The Anatomy of a CGL Policy," CFMA Building Profits, January/February 2009.

⁵ "Statute of Repose Limitations for Construction Projects." American Insurance Association, Inc., January 7, 2007.

⁶Ibid.

⁷ Chang, A.S., & Leu, S.S. "Data Mining Model for Identifying Project Profitability Variables." International Journal of Project Management, April 2006, Volume 24, Issue 3, 199-206.

⁸ "Construction defects: Managing risk, covering exposure." Business Insurance, www.businessinsurance.com/section/NEWS070102.

© 2012 by the Construction Financial Management Association. All right reserved. This article first appeared in CFMA Building Profits. Used with permission.

"One of the biggest cost drivers in Workers' Compensation is seemingly 'average' claims that take a turn for the worst and result in several years of medical treatment and disability."¹

Too often seemingly innocuous claims lay under the radar, unnoticed until the damage is done. In this article, Mark Walls does an excellent job of pointing to several conditions that should serve as indicators of impending trouble. He discusses issues such as return to work, comorbidities, and psycho-social factors that can contribute to claim deterioration. His ideas are good and there are many more indicators that can be added to the list to recognize creeping calamity.

More Indicators
In fact, there are many subtle tip-offs in claims that could lead to effective prevention if noticed earlier. Delayed injury reporting and treatment is one. We know from industry research that a delay between the date of injury and first medical treatment is a predictor of claim complexity, regardless of the reason. Speculation regarding motivators of delay in filing a claim or to seeking medical treatment may not be as important as actually identifying the situation early and intensifying scrutiny of the claim. The opportunity is to discover claims with migrating intensity early, thereby avoiding unnecessary cost.

Knowing Is Not Enough
Unfortunately, knowing what conditions in claims might lead to trouble is not quite enough. Trying to apply the knowledge without a defined process has variable results. Manually identifying claims with perilous conditions is an inconsistent and inefficient endeavor because mere humans simply cannot do it well. Professionals, busy with a myriad of tasks, cannot monitor claims consistently enough to detect insidious conditions. Better process tools are needed and, happily, they are available.

Computer-Aided Medical Management
Technology can be made a powerful work tool in Workers' Compensation. A specially designed computer software program will monitor current claim data combined with historic data continuously, something mere humans cannot do. A custom computer program will detect trouble every time and notify the appropriate person in the organization so that focused intervention is mobilized.

A software program designed to spot combinations of data elements that portend risk and cost is a powerful cost control tool. It continually searches the data without human involvement. When an adverse situation is discovered, it automatically notifies the right persons.

Work-In-Progress Tool
Computer-aided medical management programs are designed to be work-in-progress tools that inform the claims management process in real time. They are driven by combinations of data elements that when they appear together in a claim, portend developing risk. Importantly, the computer-aided management tool must continually monitor current and historic data to uncover risk from the broad spectrum. For instance, ICD-9's in a claim are data elements that can reveal impending trouble in near real time when monitored by a specialized program.

ICD-9's As Windows Into Risk
ICD-9's (The International Classification of Diseases, 9th Revision), the medical description of the injury or illness in a claim, can disclose much more than previously thought. ICD-9's are documented in each bill submitted by treating medical doctors and other providers. They are windows into claim complexity at the start, but they are also powerful real time predictors of impending trouble.

Migrating Claim Severity
One true thing about claims is as they migrate from medical-only status to increasing complexity they accrue ICD-9's. As the situation deteriorates, more medical providers enter the picture, more medical services are provided, and more ICD-9's are added to the data. Stated simply, monitoring current and accumulated ICD-9's will reveal those claims that are unstable and migrating downward. A system designed to monitor ICD-9's for severity (seriousness) will spot migrating claims.

Smart Systems
A system designed to monitor ICD-9's is a smart system containing information about how serious individual ICD-9's are. Like pharmacy programs that alert for unsafe drug combinations, an ICD-9 scoring system will alert for dangerous combinations of comorbidities, age, and accumulated diagnoses. A claim is dynamically and continuously scored for severity and the right persons are notified automatically.

Smart systems that monitor current and historic data for combinations that portend complexity and cost can significantly recharge managed care initiatives. They are the next generation business solutions that are available now for those who are serious about controlling costs.

¹Walls, Mark. Creeping Catastrophic Claims-How to Spot Them and Stop Them. Business Insurance. June, 12, 2012. http://www.businessinsurance.com/article/99999999/NEWS080105/120609913

A $27 million plus settlement announced by the Department of Labor on July 7 shows the big liability that employer, union or association plan sponsors and their fiduciaries risk by failing to take appropriate steps when deciding who will serve as fiduciaries or other plan sponsors or setting the compensation paid by the plan for those services.

The settlement announced last week against the National Rural Electric Cooperative Association (NRECA), like the $1.2 million plus judgment obtained by Labor Department litigators against the California fruit and nut company, Western Mixers Inc., and its owners and management in late May, shows the significant risks that employer, union and association health plan sponsors and fiduciaries run from mishandling employee benefit responsibilities.

Companies And Fiduciaries Often Face Significant, Under-Recognized Fiduciary Exposures
Employee benefit plan vendor selection and compensation arrangements made by employer or union, association or other employee benefit plan sponsors, fiduciaries and service providers are coming under increasing scrutiny by the Employee Benefits Security Administration (EBSA). While the Employee Retirement Income Security Act of 1974 (ERISA) technically grants plan sponsors and fiduciaries wide latitude to make these choices, the exercise of these powers comes with great responsibility (see these three additional articles: Plan Sponsors. Their Owners & Management & Others Risk Personal Liability If Others Defraud Plans or Mismanage Employee Benefit Plan Responsibilities, New Rules Give Employee Benefit Plan Fiduciaries & Investment Advisors New Investment Advice Options, and DOL Proposes To Expand Investment Related Services Giving Rise to ERISA Fiduciary Status As Investment Fiduciary).

Associations, employer and other plan sponsors, and other entities and individuals who in name or in function possess or exercise discretionary responsibility or authority over the selection of plan fiduciaries, administrative or investment service providers or other services to the plan or the establishment of their compensation generally must make those decisions in accordance with the fiduciary responsibility and prohibited transaction rules of the Employee Retirement Income Security Act. Among other things, these rules generally require that fiduciaries exercising discretion over these and other plan matters:

• Must act prudently for the exclusive benefit of plan participants and beneficiaries;
• Must not involve the plan or its assets in any arrangement that is listed as a prohibited transaction under ERISA § 406; and
• Must not act for the benefit of themselves or any third party.

Although often misunderstood by companies and their management, these responsibilities generally attach whenever a company or individual is either named as a fiduciary or in fact possesses or exercises discretionary responsibility or authority over plan investments, assets, administration or other fiduciary matters, including but not limited to the selection of fiduciaries and service providers, investments or expenditures of funds or other discretionary matters.

Since the earliest days of the Employee Retirement Income Security Act, the Employee Benefits Security Administration as well as private plaintiffs have aggressively enforced these and other fiduciary responsibility rules. In recent years, the Employee Benefits Security Administration has taken further steps to tighten and enforce these protections such as the new fee disclosure rules recently implemented by the Employee Benefits Security Administration and other fiduciary guidance (see, for example, Western Mixers & Officers Ordered To Pay $1.2M+ For Improperly Using Benefit Plan Funds For Company Operations, Other ERISA Violations. See also Plan Administrator Faces Civil & Criminal Prosecution For Allegedly Making Prohibited $3.2 Million Real Estate Investment and Tough Times Are No Excuse For ERISA Shortcuts).

As illustrated by the NRECA Settlement and the Western Mixers, Inc. judgment, plan sponsors or fiduciaries that violate these rules risk personal liability to the plans for the greater of profits realized or losses sustained by the plan, plus attorneys' fees and costs, as well as exposure to an EBSA-assessed ERISA civil penalty equal to 20% of the amount of the fiduciary breach.

$27+ Million NRECA Settlement
According to a July 5, 2012 announcement, the National Rural Electric Cooperative Association will restore $27,272,727 to three association-sponsored employee benefit plans covered by the Employee Retirement Income Security Act to settle U.S. Department of Labor Employee Benefits Security Administration charges that the association violated the Employee Retirement Income Security Act by selecting itself as a service provider to the plans, determining its own compensation and making payments to itself that exceeded the National Rural Electric Cooperative Association's direct expenses in providing services to the employee benefit plans.

Following an investigation, the Employee Benefits Security Administration accused the National Rural Electric Cooperative Association of violating the Employee Retirement Income Security Act by selecting itself to act as the administrator of various association employee benefit plans and arranging for the National Rural Electric Cooperative Association to receive unreasonable compensation for these services which the National Rural Electric Cooperative Association set without the use of independent parties to prudently verify the appropriateness of the selection or compensation arrangements. The Employee Benefits Security Administration said these arrangements violated the self-dealing and other fiduciary responsibility requirements of the Employee Retirement Income Security Act.

Headquartered in Arlington, the National Rural Electric Cooperative Association is a nonprofit trade association for electric power cooperatives. The sponsored plans are open to members of the trade association as well as the association's employees. As of 2010, the latest information available, the National Rural Electric Cooperative Association 401(k) Plan had 68,970 participants, the National Rural Electric Cooperative Association Retirement Security Plan had 64,286 participants and the National Rural Electric Cooperative Association Group Benefits Plan had 73,644 participants.

Under the terms of the agreement, the National Rural Electric Cooperative Association will not provide administrative services to the National Rural Electric Cooperative Association Retirement Security Plan, the National Rural Electric Cooperative Association 401(k) Plan and the National Rural Electric Cooperative Association Group Benefits Plan without entering into a written contract or agreement with the plans that must be approved by an independent fiduciary. The independent fiduciary must determine whether the use of the National Rural Electric Cooperative Association to provide administrative services to the plans is prudent and reasonable, determine the categories of direct expenses that the National Rural Electric Cooperative Association may charge to the plans and the methods of calculating those expenses, and monitor the National Rural Electric Cooperative Association's compliance with certain terms of the agreement.

The agreement also provides that during a 60-month period following the implementation date, the National Rural Electric Cooperative Association shall discount the amount of permissible direct expenses for which it seeks reimbursement from all three plans in the amount of $22,727,272. The balance of the settlement payment, $4,545,455, already has been paid directly to the National Rural Electric Cooperative Association 401(k) Plan. In addition to the amounts returned to the plans, the National Rural Electric Cooperative Association will pay $2,727,276 in civil penalties.

"This settlement sends a clear message to plan fiduciaries that they cannot profit from selecting themselves to provide services to plans," said Phyllis Borzi, assistant secretary of labor for employee benefits security in announcing the settlement.

Western Mixers $1.2+ Million Judgment
In May, the Department of Labor got a judgment against a California fruit and nut supplier Western Mixers Inc., its owners and certain officers for failing to properly handle their company's retirement, health and other employee benefit plans moneys and other responsibilities. Under the judgment entered in Solis v. Frank L. Rudy et. al. and Western Mixers Inc. Money Purchase Pension Plan, Western Mixers Inc., its owners and officers will pay a total of $1,287,901 to the company's pension plan, plus a 20 percent penalty to the Department of Labor.

Following an investigation by the Labor Department's Employee Benefits Security Administration, the Labor Department charged that Western Mixers Inc. and two officers who served as trustees of the plan failed to make approximately $952,511 in mandatory employer contributions for the benefit of participants and beneficiaries. Investigators also found that the same two officers as well as the company's chief financial officer made $565,000 in unauthorized withdrawals from the plan accounts, comingling those funds in the company's general accounts and using them for the benefit of the business.

Labor Department officials sued the company and the officers for violation of the fiduciary responsibility rules of the Employee Retirement Income Security Act. The Employee Retirement Income Security Act generally requires that plan trustees and other plan fiduciaries carry out duties with respect to an employee benefit plan assets prudently for the exclusive benefit of participants.

Pursuant to the consent judgment, the company and its officers admitted to violation of the Employee Retirement Income Security Act. During the course of the investigation leading up to the lawsuit, the company previously repaid to the plan $485,000 of the total funds identified as missing by the Labor Department. According to an announcement of the U.S. Department of Labor on May 14, 2012, Midwest Mixers Inc.'s officers agreed to repay $802,901 to participants' accounts within 10 day of the judgment.

In addition to repaying the missing funds with interest, defendants also must pay a penalty equal to 20 percent of the recovered amount. The court also has appointed an independent fiduciary to terminate the plan and to collect, marshal, pay out and administer plan assets. Frank L. Rudy and David H. Bolstad, owners of the company, are removed as plan trustees and fiduciaries. Together with Robert J. Fischer, Western Mixers, Inc.'s chief financial officer, they are permanently enjoined and restrained from violating the Employee Retirement Income Security Act and from serving as fiduciary or service providers to any ERISA-covered plan in the future.

Despite these well-document fiduciary exposures and a well-established pattern of enforcement by the Labor Department and private plaintiffs, many companies and their business leaders fail to appreciate the responsibilities and liabilities associated with the establishment and administration of employee benefit plans.

Frequently, employer and other employee benefit plan sponsors fail adequately to follow or document their administration of appropriate procedures to be in a position to demonstrate their fulfillment of these requirements when selecting plan fiduciaries and service providers, determining the compensation paid for their services, overseeing the performance of these parties, or engaging in other dealings with respect to plan design or administration.

In other instances, businesses and their leaders do not realize that the functional definition that the Employee Retirement Income Security Act uses to determine fiduciary status means that individuals participating in discretionary decisions relating to the employee benefit plan, as well as the plan sponsor, may bear liability under many commonly occurring situations if appropriate care is not exercised to protect participants or beneficiaries in these plans.

For this reason, businesses and associations providing employee benefits to employees or dependents, as well as members of management participating in, or having responsibility to oversee or influence decisions concerning the establishment, maintenance, funding, and administration of their organization's employee benefit programs need a clear understanding of their responsibilities with respect to such programs, the steps that they should take to demonstrate their fulfillment of these responsibilities, and their other options for preventing or mitigating their otherwise applicable fiduciary risks.

In light of the significant liability risks, employer, association and other employee benefit plan sponsors and their management, plan fiduciaries, service providers and consultants should exercise care when selecting plan fiduciaries and service providers, establishing their compensation and making other related arrangements.

To minimize fiduciary exposures, parties participating in these activities should seek the advice of competent legal counsel concerning their potential fiduciary status and responsibilities relating to these activities and take appropriate steps to minimize potential exposures.

The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.

The Open Security Foundation's website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all time. Further, according to the Ponemon Institute's 2011 Cost of Breach Study, the per capita costs of a breach for healthcare organizations average around $240 per record. When compared to retail, which averages $174 per record, education which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.

A healthcare organization or business associate¹ should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of the Health Information Technology for Economic and Clinical Health Act act that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in absence of a breach.

In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.

Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of their Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:

Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.

Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.

With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization's ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:

• Am I prepared to show that I took the proper steps before a data breach occurred?
• Do I have an effective incident response plan in place when there is a problem?
• Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
• Are my vendors and business associates also in compliance with the proper standards?

Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don't have the time to line up all the necessary critical response vendors if a breach occurs.

Neeraj Sahni of Kroll Advisory Solutions points out:

The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.

Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:

Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization's issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization who owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control about the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.

Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider's control. When it comes to the handling of an organization's reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.

The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company's own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.

Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third party vendor to hold on to private health information for which they are responsible, they should be reviewing the vendor's professional liability insurance rather than just asking if they have a policy.

Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:

• 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
• 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
• Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
• 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
• 1st Party Privacy
  • Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
  • Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and list of potential victims. Some insurers also cover legal forensic experts.
  • Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
  • Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim's credit rating following an actual identity theft.
  • Crisis Management — Public Relations expense coverage to protect the image of the organization.
• Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.

There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.

Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information means that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.

¹ A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. (For more information, see hhs.gov.)

The Second District Court of Appeal recently issued their decision on this case which involves in part, the admissibility of non-Medical Provider Network doctor's reports. This is an unpublished decision and therefore has no precedential value. In other words, it cannot be cited in other cases with the same or similar issues. In summary, it says in part that employee-requested visits to his/her own physician under L/C 4605, i.e. non-Medical Provider Network diagnosis, treatment and attendant reports which are paid for by the employee are admissible.

While the applicant's attorney will ask the court to publish it, the probability seems very low in that the case was remanded to the trial court to deal with the admissibility issue as well as other issues left unsettled by the Workers Compensation Judge at the time of trial.

Background
Labor Code (L/C) 4605 was first enacted in 1917 under the Insurance and Safety Act. Sec. 9(a) is most interesting in that it reads:

"Such medical, surgical and hospital treatment, including nursing, medicines, medical and surgical supplies, crutches and apparatus, including artificial members, as may reasonably be required to cure and relieve from the effects of the injury, the same to be provided by the employer, and in case of his neglect or refusal seasonably to do so, the employer to be liable for the reasonable expense incurred by or on behalf of the employee in providing the same: provided, that if the employee so requests, the employer shall tender him one change of physicians and shall nominate at least three additional practicing physicians competent to treat the particular case, or as many as may be available if three cannot reasonably be named, from whom the employee may choose: the employee shall also be entitled, in any serious case, upon request, to the services of a consulting physician to be provided by the employer: all of said treatment to be at the expense of the employer. If the employee so requests, the employer must procure certification by the commission or the commissioner of the competency for the particular case of the consulting or additional physicians; provided, further, that the foregoing provisions regarding a change of physicians shall not apply to those cases where the employer maintains, for his own employees, a hospital and hospital staff, the adequacy and competency of which have been approved by the commission. Nothing contained in this section shall be construed to limit the right of the employee to provide, in any case, at his own expense, a consulting physician or any attending physicians whom he may desire (my emphasis). The same general language as to responsibilities will now be found in L/C 4600(a); 4601 and 4605.

The reason this section is important is that Section 9(a) pre-dates L/C 4616, the Medical Provider Network statute. As such, any attempt to harmonize the rights of the employee to seek their own doctor at their own expense against the later enacted Medical Provider Network statute will have to give precedent to the later enacted labor code section. I therefore offer the following as one strategy to retain medical control under the Medical Provider Network while at the same time avoiding lengthy litigation over the admissibility of the employee's non-Medical Provider Network doctor's report.

Strategy for Medical Provider Networks Going Forward
On all new claims, employers and their claims administrators (carrier or TPA) should continue to assert medical control under their Medical Provider Network. Employers will need to make sure that the notice process to the employee is complete and well documented. That is one of the issues currently facing the trial judge on remand, i.e. was there a valid Medical Provider Network in place. Had there been better documentation on the employer's notification process presented at trial, the issue of applicant attorneys' attempt to seize medical control may have been avoided.

However, the real question deals with the use by applicant attorney of L/C 4605 as a means to get his non-Medical Provider Network doctors reports admitted and relied upon. What is most interesting is the caption for that section:

"Consulting or attending physicians provided at employee's expense."

"Nothing contained in this chapter shall limit the right of the employee to provide, at his own expense, a consulting or any attending physicians whom he desires."

It must again be noted that this language was in the Labor Code long before L/C 4616, i.e. the Medical Provider Network enabling statute which became effective in 2004. As noted above, under the rules of statutory construction, the later enacted takes precedent over the former when seeking to harmonize the two as to current legislative intent.

Recommended Procedure
I therefore recommend that the injured employee be informed, as part of the employer's or carrier's acknowledgment of the claim, that a valid Medical Provider Network is in place and that the employee's cooperation is expected. Next, it should state "that they are free under L/C 4605 to seek their own consulting or attending physician, at their own expense. They will be told at that time that if they do avail themselves of this option under L/C 4605, their consulting or attending physicians medical reports will be tendered to the Primary Treating Physician for this injury who, under the Medical Provider Network statute is the controlling doctor (L/C 4061.5) This way, the consulting physician's report will have been admitted for use by the Primary Treating Physician as he/she deems appropriate.

At the same time, the normal Medical Provider Network process will be enforced as is current policy. Demand will be made that the employee continues to be seen for diagnosis and treatment by a Medical Provider Network doctor. If there is a dispute as to diagnosis or treatment by either the applicant's attorney or the L/C 4605 obtained consulting report, that dispute over the diagnosis and/or treatment will be handled under the Medical Provider Network's 2nd, 3rd and if necessary, the Independent Medical Review process.

We will also be requesting from the employee an acknowledgement, under penalty of perjury that the employee has already paid or understands that he/she is the ultimate responsible party for paying their L/C 4605 obtained physicians as well as any other related bills for testing and other costs. We will object to the fronting of said costs by the applicant's attorney or any liens from the consulting physician unless it is clear that they understand the applicant's obligation to pay their costs.

Under this scenario, employers and their carriers or Third Party Administrators will be able to use the full weight of the Medical Provider Network process while at the same time, dealing with non-Medical Provider Network procured medical diagnosis and treatment. This will help keep the employee within the Medical Provider Network and, if handled in a swift and judicious manner, help hasten a timely closure of the claim.