# How to Measure Data Breach Costs?

Businesses typically have a hard time quantifying potential losses from a data breach because of the myriad factors that need to be considered.

A recent disagreement between Verizon and the Ponemon Institute about the best approach to take for estimating breach losses could make that job a little harder.

For some time, Ponemon has used a cost-per-record measure to help companies and insurers get an idea of how much a breach could cost them. Its estimates are widely used.

The institute recently released its latest numbers showing that the average cost of a data breach has risen from \$3.5 million in 2014 to \$3.8 million this year, with the average cost per lost or stolen record going from \$145 to \$154.


The report, sponsored by IBM, showed that per-record costs have jumped dramatically in the retail industry, from \$105 last year to \$165 this year. The cost was highest in the healthcare industry, at \$363 per compromised record. Ponemon has released similar estimates for the past 10 years.

But, according to Verizon, organizations trying to estimate the potential cost of a data breach should avoid using a pure cost-per-record measure.


ThirdCertainty spoke with representatives of both Verizon and Ponemon to hear why they think their methods are best.

Verizon’s Jay Jacobs

Ponemon’s measure does not work very well with data breaches involving tens of millions of records, said Jay Jacobs, Verizon data scientist and an author of the company’s latest Data Breach Investigations Report (DBIR).

Jacobs says that, when Verizon applied the cost-per-record model to breach-loss data obtained from 191 insurance claims, the numbers it got were very different from those released by Ponemon. Instead of hundreds of dollars per compromised record, Jacobs said, his math turned up an average of 58 cents per record.

Why the difference? With a cost-per-record measure, the method is to divide the sum of all losses stemming from a breach by the total number of records lost. The issue with this approach, Jacobs said, is that cost per record typically tends to be higher with small breaches and drops as the size of the breach increases.

Generally, the more records a company loses, the more it’s likely to pay in associated mitigation costs. But the cost per record itself tends to come down as the breach size increases, because of economies of scale, he said.

Many per-record costs associated with a breach, such as notification and credit monitoring, drop sharply as the volume of records increases. When costs are averaged across millions of records, per-record costs fall dramatically, Jacobs said. For massive breaches in the range of 100 million records, the cost can drop to pennies per record, compared with the hundreds and even thousands of dollars that companies can end up paying per record for small breaches.

“That’s simply how averages work,” Jacobs said. “With the megabreaches, you get efficiencies of scale, where the victim is getting much better prices on mass-mailing notifications,” and on most other contributing costs.

Ponemon’s report does not reflect this because its estimates are only for breaches involving 100,000 records or fewer, Jacobs said. The estimates also include hard-to-measure costs, such as those of downtime and brand damage, that don’t show up in insurance claims data, he said.

An alternative method is to apply a more statistical approach to the available data and develop estimated average loss ranges for breaches of different sizes, Jacobs said.

While breach costs increase with the number of records lost, not all increases are the same. Several factors cause costs to vary, Jacobs said, such as how robust the incident response plan is and whether contracts for customer notification and credit monitoring were negotiated in advance. Companies might want to develop a model that captures these variances as completely as possible and express potential losses as an expected range rather than as a per-record number.

Using this approach on the insurance data, Verizon has developed a model that, for example, lets it say with 95% confidence that the average loss for a breach of 1,000 records is forecast to come in at between \$52,000 and \$87,000, with an expected cost of \$67,480. Similarly, the expected cost for a breach involving 100 records is \$25,450, but average costs could range from \$18,120 to \$35,730.

Jacobs said this model is not perfectly accurate because of the many factors that affect breach costs. As the number of records breached increases, the overall accuracy of the predictions begins to decrease, he said. Even so, the approach is more scientific than averaging costs and arriving at per-record estimates, he said.
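To make the disagreement concrete, here is an added example that is not Verizon's or Ponemon's model and uses none of their data. It builds a constructed sample of 191 claims from an assumed sub-linear cost curve (cost proportional to records^0.6 with log-normal noise, chosen only so the effect is visible), then computes the two cost-per-record averages and fits the log-log regression with a 95% band on the mean, the techniques described above. The function names and the exponent are assumptions of this example, not anything the page reports.

```python
import math
import random
from statistics import mean


def make_claims(n=191, seed=7):
    """Constructed breach-claim sample: list of (records_lost, total_cost_usd).

    Sizes are spread log-uniformly from 10 to 100 million records, and cost is
    drawn from an ASSUMED sub-linear curve, cost ~ 10^3.5 * records^0.6, with
    log-normal noise.  Synthetic data for illustration only, not insurance
    claims and not either party's figures.
    """
    rng = random.Random(seed)
    claims = []
    for _ in range(n):
        records = int(10 ** rng.uniform(1, 8))
        log_cost = 3.5 + 0.6 * math.log10(records) + rng.gauss(0, 0.5)
        claims.append((records, 10 ** log_cost))
    return claims


def pooled_cost_per_record(claims):
    """Total losses divided by total records.

    The megabreaches contribute almost all of the records, so this is the
    'pennies per record' view.
    """
    return sum(cost for _, cost in claims) / sum(records for records, _ in claims)


def mean_of_per_breach_cost_per_record(claims):
    """Average of each breach's own cost/record ratio.

    Small breaches dominate this average, so it is the 'hundreds of dollars
    per record' view.  Same data, very different headline number.
    """
    return mean(cost / records for records, cost in claims)


def fit_log_log(claims):
    """Ordinary least squares of log10(cost) on log10(records)."""
    xs = [math.log10(r) for r, _ in claims]
    ys = [math.log10(c) for _, c in claims]
    n = len(xs)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    resid_var = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys)) / (n - 2)
    return {"slope": slope, "intercept": intercept, "sigma": math.sqrt(resid_var),
            "n": n, "mean_x": mx, "sxx": sxx}


def forecast(model, records, z=1.96):
    """Expected cost for a breach of `records` records, with a ~95% band on the average.

    The band is the usual confidence interval for the regression mean, so it
    widens as `records` moves away from the bulk of the sample; that is why
    forecasts for the largest breaches are the least certain.
    """
    x = math.log10(records)
    y_hat = model["intercept"] + model["slope"] * x
    se_mean = model["sigma"] * math.sqrt(1 / model["n"] + (x - model["mean_x"]) ** 2 / model["sxx"])
    return {
        "expected": 10 ** y_hat,
        "low": 10 ** (y_hat - z * se_mean),
        "high": 10 ** (y_hat + z * se_mean),
    }


if __name__ == "__main__":
    claims = make_claims()
    print(f"pooled cost/record:             ${pooled_cost_per_record(claims):,.2f}")
    print(f"mean of per-breach cost/record: ${mean_of_per_breach_cost_per_record(claims):,.2f}")
    model = fit_log_log(claims)
    print(f"fitted: log10(cost) = {model['intercept']:.2f} + {model['slope']:.2f} * log10(records)")
    for size in (100, 1_000, 100_000, 100_000_000):
        f = forecast(model, size)
        print(f"{size:>11,} records: expected ${f['expected']:>14,.0f} "
              f"(${f['low']:,.0f} to ${f['high']:,.0f}), "
              f"${f['expected'] / size:,.2f} per record")
```

Run as a script and both of Jacobs's points fall out of the same constructed sample: the pooled figure is orders of magnitude below the mean of per-breach ratios, and the per-record cost implied by the fitted curve falls from hundreds of dollars at 100 records to cents at 100 million. Ponemon's objection is also visible in what the code cannot do: the fit is only as good as the cost column it is given, so if claims are capped at policy limits or omit downtime and brand damage, the intercept is biased low for every breach size.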

Ponemon’s Larry Ponemon

Larry Ponemon, chairman and founder of the Ponemon Institute, stood by his methodology and said the estimates are a fair representation of the economic impact of a breach.

Ponemon’s estimates are based on actual data collected from individual companies that have suffered data breaches, he said. The methodology considers all costs a company can incur in a data breach and draws on estimates from more than 180 cost categories in total.

By contrast, the Verizon model looks only at the direct costs of a data breach collected from a relatively small sample of 191 insurance claims, Ponemon said. Such claims often provide an incomplete picture of the true costs incurred by a company in a data breach. Often, the claim limits also are smaller than the actual damages suffered by an organization, he said.

“In general, the use of claims data as surrogate for breach costs is a huge problem, because it underestimates the true costs” significantly, Ponemon said.

Verizon’s use of logarithmic regression to arrive at the estimates also is problematic because of the small data size and the fact the data was not derived from a scientific sample, he said.

Ponemon said the costs of a data breach are linearly related to the size of the breach. Per-record costs come down as the number of records increases, but not to the extent portrayed by Verizon’s estimates, he said.

“I have met several insurance companies that are using our data to underwrite risk,” he said.

# ‘Data on the Move’ Means Data at Risk

Everywhere we look today, data is on the move. The downside: When personal information and data are being moved electronically, they’re more vulnerable to identity theft.

At the Identity Theft Resource Center, a crucial part of our analysis when we track data breaches is to look for emerging trends. Unfortunately, one trend has become evident: The number of breaches linked to “data on the move” in the healthcare industry is up significantly. In fact, these types of data breaches – say, when a laptop or flash drive is stolen or back-up tapes are lost in the mail – have risen in healthcare far more dramatically than in other industries.

But there’s hope. Companies and organizations can take steps to reduce these data breaches. They can provide more robust employee training and stricter controls over what devices are allowed to leave the premises. Organizations can also review what data is stored on devices and how the devices are protected. Adding encryption to laptops that contain sensitive data – and that must leave the premises – will also improve the situation without busting the bottom line.

Breach incidents because of data on the move have been trending downward as a percentage of all breach incidents, from 20% in 2008 to 12% in 2012. Although the percentage increased slightly to 13% in 2013, most industry sectors have seen a payoff from preventive measures.

The medical sector is not having a similar experience. More than half of the breaches because of data on the move occurred in the health/medical sector.

For instance, in California, Palomar Health recently experienced a data breach when an encrypted laptop and two unencrypted flash drives were taken from a staff member’s car. The devices exposed the personal health information of 5,000 patients. In Michigan in late January, a laptop computer and flash drive were stolen from an employee of the state Long Term Care (LTC) Ombudsman’s Office. Information on the laptop was encrypted, but data on the flash drive was not. The flash drive contained personal information about 2,595 living and deceased individuals, including names and addresses and, for some individuals, dates of birth. Either a Social Security number or a Medicaid identification number was included with 1,539 records.

Data breaches pose a significant risk to consumers because of the correlation between breaches and identity theft. According to Javelin Research, one out of three people whose information was breached fell victim to fraud in the same year. When medical records or personal health information (PHI) are compromised, consumers are not only facing an increased risk of medical identity theft. The risk for all types of identity theft is increased. (For more information on medical identity theft and its impact on the community, see the Medical Identity Theft and Fraud article on ITL).

The information entrusted to medical providers and insurance companies is often the same information that can be used to steal a person’s identity and commit financial identity theft, government identity theft and even criminal identity theft. In addition to receiving medical goods and services or prescriptions in the victim’s name, a thief could obtain loans or new lines of credit, apply for government benefits or file a false tax return. The perpetrator could even use the victim’s name if caught while committing a crime.

“Whether sensitive data is at rest or in transit, it should have appropriate risk-based controls and policies applied to its governance,” says Ann Patterson, program director with Medical Identity Fraud Association, which unites all the stakeholders and helps to convey the importance of these best practices. “The same judicious enterprise-wide data protection principles that you apply to your data at rest should also be considered for your data in transit and your mobile data. Particularly for mobile, BYOD policies (Bring Your Own Device) are essential.”

According to MIFA, many organizations are feeling the impact of shrinking budgets and may be tempted to reduce costs by limiting financial resources for internal fraud detection and prevention programs. This may provide immediate help to the bottom line. But in the long term it’s the wrong solution. Costs creep up in other areas when fraud is ignored. This could result in an organizational culture shift; as the old saying goes, what we allow, we encourage.

Coupled with human resources divisions, the fraud detection and prevention programs often provide employee training and formulate best practices in regard to fraud reduction.

The ITRC realizes the critical importance of information management and data security. We believe strongly in the importance of educating consumers and businesses about the value of our individual data and the importance of personally identifying information (PII). For this reason, our organization began tracking data breaches in 2005. Tracking breaches has allowed us to look for patterns in regard to how our information is being safeguarded, or compromised, by those we trust with it.

The ITRC defines a data breach as an event in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will capture breaches that do not, by the nature of the incident, trigger data-breach-notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed. (For a more detailed explanation of our methods, visit the ITRC breach report page).

Data breaches and identity theft have been on the rise and have a significant effect on the individual victims as well as on the U.S. economy. We acknowledge that there is no panacea to rid ourselves of this issue entirely. However, encouraging negligence by not providing employees with the proper tools, and simply not acknowledging the problem, is not the answer, either.

Small and steady gains can be made by implementing training and increasing accountability for the individuals and organizations that we entrust to be good stewards of our PII. A good start would be to understand and recognize how each type of incident plays a role and identify deficiencies.

Another option for organizations is to get involved with industry and trade organizations that also tackle issues related to data breach best practices daily. Businesses want to keep proprietary information close to the vest, but best practices about breaches should not be a trade secret. A highly engaged and enlightened health/medical community would be a step in the right direction.

# Using Strong Carrots And Sticks To Drive Health Care That Works

On a recent call with a large manufacturer, my company's team expected to describe how we develop primary care medical homes that become platforms for managing comprehensive health care clinical and financial risk. But the team on the other end of the phone beat us to it. Their remarks — that health care cost is a multi-headed monster that requires a broad array of simultaneously executed approaches — were a breath of fresh air.

They wanted to avoid approaches that don't work or are designed to accrue to a vendor's disproportionate financial advantage and focus instead on mechanisms that measurably improve health and reduce cost. Their conventional current clinic vendor wasn't onboard, philosophically or in terms of capabilities, and so wasn't getting results. They were looking for a replacement vendor that could help them drive more appropriate care, with clear rules for patients and providers.

Often we have to cajole clients into more aggressive actions: restructuring their benefits or their PBM formularies, redirecting care to high performing doctors or hospitals, direct contracting for advanced images or ambulatory surgeries, creating stronger incentives for approaches that are most likely to produce better results. But now we're finding more employers exhausted and eager to pursue out-of-the-box approaches that can drive more appropriate care and cost.

Since the end of World War II, when employers began offering health benefits to recruit and retain better employees, a tug-of-war has been waged over the rules of engagement. Employers want competitively healthy and productive work forces, but see health care as an unpredictable significant cost that must be managed. Employees may bristle at participating in risk assessments, or seeing certain doctors or working toward a healthier lifestyle. These may be seen as brazen invasions of privacy, as work overflowing into personal life, as constraints on patients' abilities to obtain quality care.

Until now, most employers have been reluctant to be too dictatorial. But the financial threats of relentlessly surging cost — 4.5 times general inflation for more than a decade — and overwhelming evidence of industry excess have been impossible to ignore, fueling a focus on using strong carrots and sticks to steer behaviors that follow what works.

This is no small task, because a profiteering health care industry has developed scores of ways to extract more money than it is entitled to. Low primary care reimbursements have translated into rushed visits, driving up specialty referrals, diagnostics, procedures and costs for complicated patients. Egregious unit pricing on drugs, devices and specialty procedures — think stents, advanced images and complex spinal surgeries — encourage delivering more unnecessary products and services. Yellow-pages provider networks give patients “choice” to unwittingly see lousy doctors who consistently produce poorer outcomes at higher episodic cost, or get care in hospitals where there are higher opportunities to experience an error or acquire an infection. Leaving all this to health plans that have, for decades, been unwilling or unable to manage these vectors or control costs is repeating a behavior while hoping for a different result.

Last year, Walmart contracted for heart, spine and transplant surgeries with six Center of Excellence health systems around the country. These organizations use salaried specialists who are more likely to diagnose and treat correctly the first time for lower overall utilization and cost. They use and share evidence-based protocols, share data and coordinate care with local providers. Walmart employees who visit these Centers pay nothing. Many large and mid-sized firms are now pursuing this design.

Jerry Reeves MD, a medical management innovator, structured an alternative health plan design for one of his clients. His plan used rules that strongly encouraged approaches that work. Employees who adhered to the rules paid about one-third less for their coverage. But the program required a commitment. Participants who signed up had to use one of eight primary care medical homes that had been established. They needed to visit within 90 days for an exam, including a biometric profile. If the medical home called to recommend visiting a nurse coach, the patient needed to do that. Patients seeing specialists needed to make sure that the specialist information came to the primary care doctor. The medical homes were structured to accommodate walk-ins, so urgent care visits in Emergency Departments were not covered until after hours. There were other rules as well.

There are rules for doctors and hospitals too. To participate in good standing, they had to develop and sign documented care plans for patients, so patients and physicians could know what to expect. They had to be able to exchange clinical information so care could be better coordinated.

Patients failing to follow any of these rules would receive “strikes,” and three strikes would land the patient in health care timeout for a year, back to the original health plan, with more choice but 35 percent more cost.

Dr. Reeves' numbers were striking. 97 percent of the group signed up for the plan, and only one person struck out. Hospital days dropped 55 percent. Advanced images dropped 35 percent. Health improved and costs plummeted.

Employers are waking up, and are tying stronger incentives to approaches that get results. On the hook for exorbitant health care costs, employers and employees are game to know who delivers value and what works. They want good care for their families without financial peril. And they want help orchestrating that process without financial conflict.

More employers are making this shift. Broad-spectrum medical management organizations see this as an opportunity to succeed by bringing health care back into balance.

# OCR Nails Hospice For \$50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protect electronic protected health information (ePHI) on laptops and in other media!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and to establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rule requires administrative, physical and technical safeguards whenever covered entities collect, create, use, access, retain or disclose ePHI. Encryption of ePHI at rest and in transit is an “addressable” implementation specification under that rule: a covered entity must either implement it or document why it is not reasonable and appropriate and what equivalent measure it uses instead. In practice, encryption that meets HHS guidance also keeps lost or stolen data out of the breach notification regime, which is why its absence is so costly.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to apply directly to business associates as well as covered entities, and impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of unsecured protected health information, or a “breach,” affecting 500 individuals or more (Large Breach) to the Secretary of HHS and to the media within 60 days after the discovery of the breach, in addition to notifying the affected individuals. Smaller breaches affecting fewer than 500 individuals (Small Breach) must still be reported to the Secretary, on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights \$50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security, as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay \$100,000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems have been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For \$1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance of such lapses, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement adds to the growing evidence that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; \$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.


# The Search For True Healthcare Transparency

Transparency, The New Buzzword In Healthcare
Healthcare price and quality have been nearly impossible to determine. Consumers can compare prices and quality of nearly everything they purchase, except healthcare — which truly has life and death implications.

Today, there is a new demand for healthcare transparency driven by:

• Employers’ efforts to contain escalating costs
• High-performing providers distinguishing their efficiency (price) and proficiency (quality)
• Consumers seeking better value

Accomplishing this requires unearthing true and independently determined value — not just “secret” negotiated insurance rates, artificial fee schedules and quality metrics of questionable relevance.

Unknowingly purchasing healthcare with large price variations is a major cause of healthcare inflation and is estimated to cost Americans with employer-sponsored insurance as much as \$36 billion a year.1 A recent study published in the Archives of Internal Medicine revealed prices ranging from a low of \$1,529 to a whopping high of \$182,955 for an appendectomy!2

The mystery of healthcare pricing contributes significantly to the escalating cost of healthcare burdening consumers, employers and taxpayers. Introducing transparency to the healthcare market will shrink price and quality disparities — saving employers and employees money while they receive better quality care.

Quality is as important a factor as price, yet most consumers do not incorporate it into their healthcare decisions, largely because that information is not readily available. Online opinions of physicians and hospitals generally focus on wait times or communication skills rather than clinical qualifications and outcomes. The former makes you comfortable or uncomfortable; the latter can be costly, even deadly.

So quality does matter. In fact, more than one quarter of inpatient stays experience a medical error: 13.5 percent of Medicare/Medicaid hospital patients experienced an adverse event (a serious event, including death and disability) and another 13.5 percent experienced some other temporary harm that required intervention, according to the Department of Health and Human Services.

Transparency — The Good, The Bad And The Ugly

The Good: Consumers want full transparency and with the convergence of technology, data availability and better analytics, it’s increasingly available and affordable.

The Bad: With more companies entering the transparency market, each one defines transparency as they see it, causing confusion and making comparison difficult. Worse, some parties actively impede transparency by claiming data ownership and censoring data for their own benefit.

The Ugly: Many companies touting transparency merely slap the transparency tag on products having little or nothing to do with transparency. Or worse, they advertise it but then propose a plan to develop it; in a word, vaporware. Perhaps most disturbing are companies selling their version of transparency while failing to disclose conflicts of interest.

Transparency Criteria
Optimal transparency solutions should, at the least, meet criteria in four categories: unbiased, credible, meaningful and measurable. This article examines findings from a comparative summary of “transparency” companies in these four important categories.

Monocle Health Data conducted a study of seven companies alleging to provide either price and/or quality transparency of some sort. We developed and applied 25 criteria in the four categories named above. We did our best to verify accuracy and graded each company by these criteria using a simple three-tiered grade.

• Plus — the capability was confirmed
• Unknown — capability could not be determined
• Minus — the capability did not exist or there was a clear deficiency

This study includes 200 footnotes documenting the findings. If you are interested in using our proprietary transparency comparison format or want more info, you may request it through info@monoclehealth.com. There is no charge. The following is a summary of significant findings.

Unbiased

1. Three of the seven were founded, owned or controlled by insurance companies or healthcare providers. This creates an inherent conflict of interest. What is most disturbing about these three is their lack of, well, transparency. They don’t reveal their potential conflicts. With a little research we found the conflicts, but no customer should have to work that hard — especially for a service that purports to give customers the full truth. These three companies’ conflicts were numerous and included:

• Being founded by a consortium of state hospital associations;
• Partially owned by a well-known hospital system;
• Owned by a company marketing U.S. provider networks;
• Publicly stated plans to offer its own provider network; and finally,
• Owned by a global medical tourism company representing its own network.

2. Two of the seven promoted a provider network from which they receive compensation. Any time a seller claims to sell a “truth” product such as transparency, other sources of compensation from influential parties in the transaction should be divulged. In fact, for many industries it’s the law (think auto dealer rebates and real estate agencies). The conflict isn’t just the unseemly hidden compensation. In order to make networks attractive, network reps sell on access first and foremost, not quality or price. And there’s the rub. When a network includes 90 percent of the providers in a market, then even in the best case, where it excludes only the very worst 10 percent, it still contains the best 50 percent of providers along with 40 of the worst 50 percent. And we all know about the wide disparities in healthcare price and quality. Broad network access, by definition, engenders disparities.

If a transparency company is selling access to a preferred network, it no longer has an incentive to reveal disparities (aka deficiencies) within its network. They’re paid to sell their network — not reveal provider-specific performance. And if they can get you to pay an access fee for the privilege of ignorance, well, they see that as an even more profitable sale — at your expense.

3. Three of the seven accept advertising revenues from providers as a primary source of revenue. Any transparency solution accepting ad revenues from those it’s supposed to evaluate without bias should be taken off the list of legitimate transparency solutions; they’re just one level away from “pay-to-play.”

Credible

1. Pay to play — Two companies use third-party sources that charge providers to participate in their “quality” assessment or to be more prominently displayed. And if the provider doesn’t pay the participation fee, it receives a “no score” which translates to a failing score. You can’t buy credibility. Worse yet, much of the data used in these companies’ “transparency” tools are from their own databases — not independent, recognized organizations.

2. Most companies did not use independently verified, fact-based information cross-referenced against nationally recognized organizations. In fact, two of them used opinion surveys as their primary transparency tool, emphasizing the patient experience while ignoring independently verified, fact-based information. Opinion surveys are nice, but patients want the best care possible, not just a pleasant experience, despite the trendy (and misleading) exclamation, “It’s all about the customer experience!”

3. Healthcare price and quality transparency is not the primary business for four of these companies. Those four companies’ primary businesses range from hospital consulting to selling networks to medical tourism to selling mobile apps. If a company’s primary business isn’t transparency, you know the business has other priorities that can change quickly — unbeknownst to the customer. If you want dedicated transparency services, free of conflicts, you’re most likely to receive that from a company dedicated to it as a primary business and core competency.

4. Use of appropriate comparative data. Amazingly, six of the seven transparency companies failed this test. Most incorrectly compare Medicare data to commercial populations, use generic UCR (usual, customary and reasonable) fee schedules instead of the average cash payment, use market ranges instead of provider-specific data, or use an overall quality score that isn’t disease- or procedure-specific. Consumers have a right to know more than whether a hospital earned a superior overall score; they have a right to know the score for treating their specific illness, and to know where each provider ranks for treating that illness.

5. Verifiable information from multiple credible sources and not just a company’s own database. Proprietary algorithms are one thing, but referencing a company’s own database as a valid source is intellectually dishonest. If the transparency company won’t or can’t provide auditable detail to support its findings, it lacks credibility. Keep in mind that data from at least two credible organizations is needed to validate conclusions. Only one transparency company met this standard.

Meaningful

1. Only one of the seven transparency companies used severity adjustments of appropriate data populations using at least two recognized severity-adjustment methodologies. Four of the seven didn’t demonstrate any severity adjustment capability. Severity adjustments allow for valid comparisons on a disease-specific, provider-specific basis so individuals can find providers who treat similar patients proficiently and efficiently.

2. Provider price rankings and quality ratings for both chronic illnesses and episodic care, for hospitals and doctors on the same platform, were offered by only one of the seven companies. The standard approach was to provide a price for each procedure, office visit, prescription, lab test, imaging procedure, etc. and let users compile the total cost themselves, if they can. With chronic illnesses comprising two-thirds of all benefit costs, it is critically important to rank and rate providers on price and quality, on a severity-adjusted basis, for managing a chronic illness, including all costs of treatment over an entire year.

3. In- and out-of-network provider comparisons were offered by only three of the seven companies (see Unbiased above). A meaningful transparency solution should provide consumers with ratings and rankings on providers who are both in- and out-of-network. Any “transparency” solution that excludes out-of-network providers isn’t transparency, it’s self-serving censorship detrimental to the consumer.

This is particularly important with high-deductible plans. I’ll give my personal experience: Pfizer sent me a Lipitor \$4 copay card. I took it to CVS Pharmacy and was told that under my health plan, I would have to pay \$250 for using a brand medication instead of generic — but they’d gladly reduce this by \$4. I thought this surely was a mistake so I called CIGNA and was told its in-network pharmacy’s interpretation (CVS) was correct. CIGNA doesn’t tell consumers that it’s cheaper to fill prescriptions at out-of-network providers.

Excluding out-of-network providers isn’t transparency — it’s charging users for the privilege of buying high-cost services from in-network providers. Perhaps it’s time to question the value of networks — and any transparency solution that ignores out-of-network providers.

4. Robust analytic report package updated monthly. Six of the seven companies don’t offer monthly analytic reports. Another transparency requirement should be timely reports generated from robust analytics, with the ability to “drill down” into the data to see exactly why and how each provider earned its ranking and rating. You deserve to know the supporting facts; after all, this is transparency. True transparency is driven by analytics and subject matter expertise, not just a provider directory lacking supporting analytics.

Measurable

1. Only one solution ranks by price and rates quality by quartile. Almost all of the transparency companies use a three-, four- or five-star rating system. Unfortunately, since half of the transparency companies in this study also sell networks, the rankings and ratings are largely meaningless — they only rate in-network providers and almost all of the providers are rated as average or better. This is unrealistic. In fact, the biggest disparities between provider price and quality performance are in the bottom 50 percent. Consumers deserve to know true rankings and ratings so they can avoid the bottom 50 percent of doctors and find a doctor in the top 50 percent who best meets their needs. Ranking doctors and hospitals by quartile gives consumers a short list of the best doctors, for specific diseases, to choose from — not just an endorsement of another network.
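To make the contrast between star ratings and quartile ranking concrete, here is an added example (not part of the original article and not any of the studied companies’ code). It runs over a constructed, hypothetical set of eight providers with a procedure-specific price and a severity-adjusted quality score; the star thresholds are an assumed, typical five-star curve, and the quartile cut points are computed from the sample itself.

```python
"""Price ranking plus quality quartiles versus a five-star curve.

Constructed sample data for illustration only; provider names, prices,
scores and star thresholds are all assumptions, not study findings.
"""
from statistics import median

# (provider, procedure-specific price in USD, severity-adjusted quality 0-100)
PROVIDERS = [
    ("Alpha Medical", 4200, 91),
    ("Beta Clinic", 3900, 88),
    ("Gamma Hospital", 5100, 84),
    ("Delta Surgical", 2800, 79),
    ("Epsilon Health", 6100, 72),
    ("Zeta Care", 3300, 65),
    ("Eta Physicians", 4700, 58),
    ("Theta Center", 7200, 41),
]


def quartiles(values):
    """Return the (Q1, Q2, Q3) cut points using the median-of-halves method."""
    s = sorted(values)
    n = len(s)
    mid = n // 2
    lower = s[:mid]
    upper = s[mid + 1:] if n % 2 else s[mid:]
    return median(lower), median(s), median(upper)


def quality_quartile(score, cuts):
    """Map a quality score to quartile 1 (best) through 4 (worst)."""
    q1, q2, q3 = cuts
    if score > q3:
        return 1
    if score > q2:
        return 2
    if score > q1:
        return 3
    return 4


def star_rating(score):
    """Assumed five-star curve; note how few scores fall below 3 stars."""
    if score >= 85:
        return 5
    if score >= 70:
        return 4
    if score >= 55:
        return 3
    if score >= 40:
        return 2
    return 1


def rank_by_price(providers):
    """Provider names ordered from lowest to highest price."""
    return [name for name, _, _ in sorted(providers, key=lambda p: p[1])]


def report(providers):
    """Per-provider price rank, quality quartile and star rating."""
    cuts = quartiles([score for _, _, score in providers])
    price_order = rank_by_price(providers)
    out = {}
    for name, price, score in providers:
        out[name] = {
            "price": price,
            "price_rank": price_order.index(name) + 1,
            "quartile": quality_quartile(score, cuts),
            "stars": star_rating(score),
        }
    return out


if __name__ == "__main__":
    for name, row in report(PROVIDERS).items():
        print(f"{name:16} price rank {row['price_rank']}  "
              f"quartile {row['quartile']}  stars {row['stars']}")
```

On this sample, seven of the eight providers earn three stars or better, while the quartile view places four of them in the bottom half, which is exactly the information a consumer needs in order to avoid it.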

2. Only one solution offers an online, interactive data cube to support users requiring sophisticated analytics. This enables a robust, flexible, user-friendly reporting package that’s population-specific to each employer and allows employers to establish dashboards and benchmarks for health plan performance and their vendors (e.g. network performance, disease/medical/case management). Five companies did not offer any reporting package.

3. Only two companies offer a savings measurement tool. One company provides an ROI worksheet using employer-specific assumptions to calculate savings. An important transparency feature is the ability to project accurate ROI and savings using employers’ own assumptions — before and after engaging the transparency company. Savings projection tools, along with the analytic reports, give the employer actionable intelligence to identify areas of improvement and measure vendor performance.

Summary
The rise of healthcare transparency is inevitable — it epitomizes the old saying, “How do you keep them down on the farm once they’ve seen the big city?” Consumers are slowly realizing that not only should they be able to see price and quality information on healthcare providers — they have the right to see accurate, meaningful information.

The healthcare industry is on the cusp of tremendous change brought about by the adoption of healthcare IT solutions. The ability to extract data which can then be shared with consumers will forever change the way healthcare quality is measured, and create new pricing metrics that extend far beyond in-network and out-of-network.
