
Hard Lessons on Protecting Health Data

The $2.5 million payment and corrective action plan that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) required of CardioNet to settle potential charges of noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules contain many important lessons for other healthcare providers, health plans and healthcare clearinghouses (Covered Entities) and their business associates.

A remote cardiac monitoring provider, CardioNet is paying the $2.5 million settlement and implementing a corrective action plan to settle potential OCR charges that it violated HIPAA by impermissibly disclosing unsecured electronic protected health information (ePHI).

The first OCR HIPAA settlement involving a wireless health services provider, the CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement), announced by OCR on April 24, 2017, adds to the rapidly growing list of announced OCR HIPAA enforcement actions. Together, these actions show all covered entities and their business associates the substantial enforcement liability they risk by failing to finalize and actually adopt, implement, administer and maintain the HIPAA Privacy and Security policies and procedures that HIPAA requires, as well as some of the steps OCR expects organizations to take to fulfill these requirements.

CardioNet OCR Investigation and Resolution Agreement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention through a HIPAA breach notification report. On Jan. 10, 2012, OCR received notification from the provider of remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias that a workforce member’s laptop containing the ePHI of 1,391 individuals had been stolen from a parked vehicle outside the employee’s home. CardioNet subsequently notified OCR of a second breach involving the ePHI of 2,219 individuals.

The facts outlined in the resolution agreement highlight compliance weaknesses existing in the operations of many HIPAA covered entities and business associates. According to the resolution agreement, OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.


To resolve these OCR charges, CardioNet agrees to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

  • Prepare a current, comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that risk analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its risk management plan, policies and procedures and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis as required by the risk management plan.
  • Review and, to the extent necessary, revise, its current security rule policies and procedures based on the findings of the risk analysis and the implementation of the risk management plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flashdrives, SD cards and other portable media devices are encrypted, together with a description of the encryption methods used.
  • Review and revise its HIPAA security training to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions, and on the other policies and practices required to address the issues identified in the risk assessment and otherwise comply with the risk management plan and HIPAA, and train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.
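The certification item above (all laptops, flash drives, SD cards and other portable media encrypted, with a description of the methods used) is only as honest as the inventory behind it. The following is an added example, not code from the resolution agreement, OCR or CardioNet: it reads a constructed, hypothetical asset-register export, keeps only portable devices that hold ePHI, and reports the three conditions that would block a truthful attestation, namely an unencrypted device, a device marked encrypted with no recorded method, and a device whose encryption status has not been re-verified inside the attestation window. The column names, device types and sample rows are all assumptions made for the example.

```python
"""Portable-device encryption check over an ePHI asset inventory.

Added, hypothetical example: the CSV layout, device types and rows below are
constructed for illustration and do not come from any real asset register.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample export (hypothetical MDM / asset-register format).
SAMPLE_INVENTORY = """\
asset_id,type,holds_ephi,encrypted,method,last_verified
LT-0001,laptop,yes,yes,BitLocker (AES-256 XTS),2017-03-30
LT-0002,laptop,yes,no,,2017-03-30
LT-0003,laptop,no,no,,2017-02-12
USB-0101,flash_drive,yes,yes,hardware AES-256,2017-01-05
SD-0202,sd_card,yes,yes,,2017-03-30
LT-0004,laptop,yes,yes,FileVault 2 (AES-128 XTS),2016-09-01
"""

# Device classes the certification covers (assumed set for this example).
PORTABLE_TYPES = {"laptop", "flash_drive", "sd_card", "external_hdd", "phone", "tablet"}


@dataclass
class Device:
    asset_id: str
    type: str
    holds_ephi: bool
    encrypted: bool
    method: str
    last_verified: str  # ISO date, so plain string comparison orders correctly


def parse_inventory(text):
    """Parse the CSV export into Device records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Device(
            asset_id=r["asset_id"],
            type=r["type"],
            holds_ephi=r["holds_ephi"].strip().lower() == "yes",
            encrypted=r["encrypted"].strip().lower() == "yes",
            method=r["method"].strip(),
            last_verified=r["last_verified"].strip(),
        )
        for r in rows
    ]


def in_scope(d):
    """Only portable devices that actually hold ePHI are certified."""
    return d.type in PORTABLE_TYPES and d.holds_ephi


def find_exceptions(devices, verified_after):
    """Return (asset_id, reason) pairs that block an honest certification."""
    exceptions = []
    for d in devices:
        if not in_scope(d):
            continue
        if not d.encrypted:
            exceptions.append((d.asset_id, "unencrypted"))
        elif not d.method:
            # Encrypted, but the attestation must describe the method used.
            exceptions.append((d.asset_id, "encrypted but method not recorded"))
        elif d.last_verified < verified_after:
            exceptions.append((d.asset_id, "encryption not re-verified in window"))
    return exceptions


def method_summary(devices):
    """Count encryption methods across in-scope devices, for the description OCR asks for."""
    return Counter(d.method for d in devices if in_scope(d) and d.encrypted and d.method)


def certification_ready(devices, verified_after):
    """True only when every in-scope device passes all three checks."""
    return not find_exceptions(devices, verified_after)


if __name__ == "__main__":
    devices = parse_inventory(SAMPLE_INVENTORY)
    window_start = "2017-01-01"  # assumed start of the attestation period
    for asset_id, reason in find_exceptions(devices, window_start):
        print(f"BLOCKER {asset_id}: {reason}")
    for method, count in method_summary(devices).items():
        print(f"{count} device(s) using {method}")
    print("ready to certify:", certification_ready(devices, window_start))
```

The check treats "encrypted but no method recorded" as a blocker on purpose: the corrective action plan asks for a description of the encryption methods, and an inventory that cannot name the method cannot support that description. Devices that do not hold ePHI are deliberately ignored so the report matches the scope of the certification rather than the whole fleet.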

Implications of CardioNet and Other HIPAA Enforcement For Covered Entities and Business Associates

The CardioNet resolution agreement contains numerous lessons for other covered entities and their business associates, including:

  • Like many previous resolution agreements announced by OCR, this resolution agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI, and that as part of this process OCR expects all laptop computers and other mobile devices containing, or with access to, ePHI to be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from, OCR when OCR receives a report that the organization experienced a large breach of unsecured ePHI.
  • The resolution agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects that OCR expects covered entities to actually finalize policies, procedures and training for maintaining compliance with HIPAA.
  • The corrective action plan’s requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to their findings, also drive home the importance of conducting timely, documented risk analyses of the security of ePHI, taking prompt action to address known risks, and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to its findings and other changing events.
  • The requirement in the resolution agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the resolution agreement and its implementation against CardioNet make clear that OCR remains serious about HIPAA enforcement.

While the $2.5 million settlement payment sends a strong message about the risks of violating HIPAA by itself, this lesson takes on even greater significance when considered in light of OCR’s January 2017 announcement of its imposition of another HIPAA civil monetary penalty against Children’s Medical Center of Dallas and the growing list of expensive settlement payments that OCR has exacted from other covered entities wishing to avoid CMPs for their alleged HIPAA violations.

In January 2017, for instance, OCR announced that Children’s paid a $3.2 million CMP assessed by OCR for failing to adequately secure electronic protected health information (ePHI) and to correct other HIPAA compliance deficiencies, which resulted from its failure to take appropriate, well-documented actions to timely secure ePHI on systems and mobile devices and to take other actions needed to comply with other HIPAA privacy or security requirements.

Of course, covered entities and business associates need to keep in mind that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporate Social Security Numbers, credit card or other debt or payment records, other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under the confidentiality, privacy or data security rules of the Fair and Accurate Credit Transactions Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance and consumer privacy laws, common law or other state privacy claims, and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan; professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers; shareholder or other investor actions; employment or vendor terminations or disputes; and a host of other indirect legal consequences.


Beyond, and regardless of, the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or privacy breach report, public accusation, investigation or admission also typically are the most inevitable:

  • The intangible, but critical loss of trust and reputation that covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation or charge.

In light of these risks, covered entities, business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their own HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations’ policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and, as necessary, strengthen their current HIPAA risk assessments, policies, practices, record keeping and retention, and training in light of these and other reports as they are announced, and do so in a well-documented manner. The focus of these activities should be both to maintain compliance and to position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damage.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

Survey: Predictive Modeling Lifts Profits

The breadth and depth of predictive modeling applications have grown, but, of equal importance, the percentage of participants reporting a positive impact on profitability has dramatically increased, Towers Watson’s most recent predictive modeling survey finds.

Our 2014 Predictive Modeling Benchmarking Survey indicates the use of predictive modeling in risk selection and rating has increased significantly for all lines of business over the last year, continuing a long-term trend. For instance, in the personal auto business, 97% of participants said that in 2014 they used predictive modeling in underwriting/risk selection or rating/pricing, compared with 80% in 2013, a 17-percentage-point increase. For standard commercial property/commercial multiperil (CMP)/business-owner peril (BOP), the number jumped 19 percentage points, to 51%, during the same time period (Figure 1). In fact, the percentage of participants that currently use predictive modeling increased for every line of business covered in the survey.

Figure 1. The use of predictive modeling in risk selection/rating has increased significantly for all lines of business over the last year

Does your company group currently use or plan to use predictive modeling in underwriting/risk selection or rating/pricing for the following lines of business?

Sophisticated risk selection and rating techniques are particularly important in personal lines, where models have now penetrated most of the market. An overwhelming 92% of survey participants cited these techniques as essential drivers of performance or success. To a significant degree, this was also true for small to mid-sized commercial carriers, with 44% citing sophisticated risk selection and rating techniques as essential and another 42% identifying them as very important.

Even as the use of predictive modeling extends to more lines of business, there is an increasing depth in its use. Predictive modeling applications are increasingly being deployed by insurance companies more broadly across their organizations as their confidence in modeling increases. For example, 57% of survey participants currently use predictive modeling techniques for underwriting and risk selection, and another 33% have plans to use them over the next two years. Although a more modest 28% currently use predictive modeling to evaluate fraud potential, a sizable additional 36% anticipate using it for this purpose over the next two years. Survey participants report plans to deploy predictive modeling applications in areas including claim triage, evaluation of litigation potential, target marketing and agency management. These applications will favorably affect loss costs, expenses and premium growth.

THE BOTTOM LINE

Eighty-seven percent of our survey participants report that predictive modeling improved profitability last year, an increase of eight percentage points over 2013 (Figure 2). The increase continues a pattern of growth over several years.

Figure 2. Companies implementing predictive models have increasingly seen favorable profitability impacts over time

What impact has predictive modeling had in the following areas?


A positive impact on rate accuracy helps explain the improvement. In fact, the percentage of carriers citing a positive impact on rate accuracy has increased every year since 2010, when 70% cited a positive impact. In three of the past four years, the percentage-point increase in carriers citing a positive impact has hovered around 10%. In this year’s survey, nearly all (98%) of the respondents reported that predictive modeling has improved their rate accuracy. Improved rate accuracy has both top- and bottom-line benefits: It boosts revenue because it enables insurers to price more effectively in very competitive markets, retaining existing customers and attracting potential customers with rates that accurately reflect their level of risk. At the same time, rate accuracy drives profit because it also helps carriers identify and write more profitable business, and not focus solely on market share and price.

More accurate rates also improve loss ratios, which have improved in parallel, according to our survey participants. In 2014, 91% of survey participants cited the favorable impact of predictive modeling on loss ratios, an increase of 14 percentage points over 2013. When premiums more accurately reflect risk, losses are more likely to be properly funded.

TOP-LINE GROWTH

The bottom-line fundamentals — profitability, rate accuracy and loss ratio improvement — identified in our survey are complemented by top-line benefits. Positive impacts were registered on renewal retention (55%), underwriting appetite (46%) and market share (41%).

THE NEXT STEP

Sophisticated risk selection and rating are cited as essential by many of our participants, but our survey indicates that, despite favorable trends, insurers are still far from leveraging sophisticated modeling techniques to their fullest, even in pricing. Two-thirds of participants aren’t currently using price integration (the overlay of customer behavior and loss cost models to create metrics that measure different rate scenarios) for any products. A few are past price integration and are currently implementing price optimization (harnessing a mathematical search algorithm to a price integration framework to maximize profit, volume and other business metrics) for some products.

The disparity between what is viewed as the optimal use of modeling techniques and the current level of implementation needs to be bridged if insurers want to leverage predictive modeling as a competitive advantage to identify and capture profitable business. Increasingly, insurers are making greater use of analytics, including by-peril rating (which replaces rating at the broad, line-of-business level with specific rating by coverage), proprietary symbols (customizing vehicle classifications for personal automobile policies) and territorial and credit analysis.

Those insurance companies that can’t employ sophisticated risk identification and management tools face the possibility of losing profitable business and of adverse selection.

MORE PROGRESS IS STILL POSSIBLE

Profitability is hard-earned in the current competitive property/casualty market, and predictive modeling is recognized by a steadily growing number of companies as an invaluable tool to improve both top- and bottom-line performance that ultimately reflects in earnings growth. Our survey suggests that insurers are increasingly comfortable with predictive modeling and are using it in a growing number of capacities. However, participant responses also indicate that there are still many benefits offered by predictive modeling and other more sophisticated analytical tools that have not been achieved, such as treating data as an asset and more effectively using predictive modeling applications to improve claim and other functional results. Improving performance on these issues alone could make a significant difference in the profitability of insurance companies and offers all the more reason to explore new ways to benefit from data-driven analytics and predictive modeling.

ABOUT THE SURVEY

Towers Watson conducted a web-based survey of U.S. and Canadian property/casualty insurance executives from Sept. 3 through Oct. 22, 2014. The results discussed in this article represent the views of 52 U.S. insurance executives. Responding companies represent a significant share of the U.S. property/casualty insurance market for both personal lines carriers (17%) and commercial lines carriers (22%).