Dear Healthcare Professional,
Welcome to the November issue of the Indidge Advantage newsletter and Happy Thanksgiving. The Indidge Advantage is produced by Indidge Systems, a healthcare software solutions company specializing in Compliance and Risk Management solutions.
Timely News You Can Use
By Attorneys Paul Banker, Chris Lynch, Tom Mielenhausen, and Chris Yetka Lindquist & Vennum, PLLP
riskVue.com
As aware as we all are about the slowing of our economy, how the downturn can affect the myriad aspects of operating a business can be more ambiguous and sometimes overlooked. This month, we examine how insurance coverage and the claims process are affected when the market takes a dip.
How might a slowing economy affect the relationship I have with my insurance company?
Insurers make money by collecting premiums and investing the proceeds. Their profit is the return on their investment, reduced by expenses like claim payments. As returns on investments become smaller, pressure increases to reduce claim-payment expenses or spread them out over time. In a slowing economy, one can expect increased scrutiny of claims, with the result being that claims typically paid quickly in a robust market are likely to meet resistance in a slow one. In addition, the time-value of money dictates that certain claims paid during good times might well, in an economic downturn, be litigated with the goal of a discounted settlement, or to take advantage of the lengthy time required to resolve disputes in court. Expect increased claim scrutiny as insurers try to better manage their cash flow.
As a proactive measure, policyholders should maintain b relationships with their insurance brokers, and if possible, their claims adjusters. Your broker and your insurer want to write coverage to bring in premiums, and with an established relationship to rely on, you may encounter a less hostile environment if you need to make a claim.
Will a softening economy provide any opportunities for policyholders? Is now a good time to review my coverage?
Like many other industries, the insurance industry experiences cycles of good and bad economic times. The insurance industry--like many segments of American industry--is currently in a "soft market" and will be for at least the immediate future. This means that demand has decreased and, as a result, competition among carriers for business has increased. For prudent risk managers in the market to purchase or expand insurance coverage, this may be an excellent time to reevaluate coverage pricing and options.
There can be benefits to purchasing or expanding coverage in a soft market. Because of a decrease in demand and a surplus of products, a soft insurance market generally means that insurers will lower their rates to attract business. Therefore, it is possible to secure existing or even higher levels of coverage at significantly reduced rates. In addition, insurers may develop new types of coverage programs to differentiate themselves from the competition, and the opportunity to obtain specialized coverage can be greater in a soft market than a hard market. In a soft market, insurers also tend to be less stringent with their underwriting standards, resulting in opportunities to obtain coverage generally not available during a hard market.
Prudent risk managers considering purchasing coverage in a soft market must weigh the disadvantages along with the benefits. Insurance companies desperate for business may issue coverage that will, in the long term, be expensive, either because the rates are too low or the risk insured against is too great. And those shiny "new" insurance products that looked so good at the outset can be fraught with uncertainty and more prone to coverage disputes down the line. It doesn't benefit your business to obtain bargain rates or expanded coverage if the insurer or policy you purchased isn't around when you need it.
For those in a position to purchase coverage in a soft economy, the market can yield excellent rates and increased coverage, but there are risks. Risk managers should thoroughly research each insurer's financial position, ask hard questions about what the insurer is doing to weather the soft market, and avoid being swayed by promises of low, low prices. While a soft market presents opportunities for obtaining expanded coverage at reduced rates, risk managers evaluating pricing and coverage options should be mindful of the adage "if a deal looks to good to be true, it probably is."
What steps can company directors and officers take to reduce the likelihood of economy-driven lawsuits brought by shareholders?
An increase in shareholder suits is inevitable during a downswing in the economy, even against well-run companies. However, directors and officers can take steps to ensure that their insurance programs are b.
First, maintain sufficient limits in any applicable D&O policy. This is particularly important if you have a "wasting policy where limits are eroded by the payment of defense costs." Shareholder and employee lawsuits can be extremely expensive, and defense costs can quickly eat into amounts that could be used to pay any settlement or judgment. Further, the adequacy of limits is particularly important if the policy provides coverage to not only officers and directors, but also the company. Most insurers will offer additional limits of liability dedicated to executives.
Second, closely analyze any arbitration provisions in your policies. In package policies, some insuring agreements will include arbitration provisions. While those may make sense in the context of valuing losses, they can become hurdles for policyholders when the issue of coverage is at stake. For example, if a claim is brought by a shareholder asserting not only D&O claims, but also claims that may qualify for coverage under an employment-practices-liability provision, a policyholder may be forced to litigate coverage issues with the insurer in more than one forum. Further, insurers historically fare much better in arbitration than in court, and policyholder safeguards such as appeals and burdens of proof are often lost.
Third, put your insurer on notice of any claim, or potential claim, as quickly as possible. Insurers will universally assert late notice, or "known loss," if there is any hint that facts were withheld or notice was delayed. Have a program in place to analyze the likelihood of claims, and notify your insurer of claims immediately.
Finally, work with your insurance agent and broker to determine risks and analyze the completeness of your insurance program. Agents and brokers deal with claims every day and can serve as good evaluators of risk.
At what point in a potential claim situation should I begin talking with my coverage attorney?
You should consult with your coverage attorney as soon as you learn of a potential claim that may be covered under your insurance policy.
It's important to understand that, in any claims situation, insurers are potential adversaries until they unequivocally waive any and all rights to deny their duties under the insurance policy, including their duties to defend, to pay defense costs without recoupment, and to indemnify for settlements or judgments. This express waiver is rarely granted. Typically, insurers reserve the right to deny coverage on any and all grounds based on future developments and, in some jurisdictions, can remain silent about whether they are reserving rights.
This puts you and your business in a difficult situation, because an insurer might steer the investigation and development of a case in a way that fabricates support for fact-dependent coverage defenses, such as those based on the knowledge or intent of directors, officers, or employees; notice of claim or occurrence; purported misrepresentations in the insurance application; or apportionment of damages. In an effort to deny or diminish coverage, the insurer might use communications made by your company's employees in a way in which they were never intended to be used. The insurer might even try to obtain privileged or protected communications to which no adversary would be entitled.
Thus, it's wise to consult with your coverage attorney promptly. The attorney should be able to advise you about the potential coverage defenses associated with the claim, help you communicate carefully with the insurer, and assist you in protecting privileged information.
An ounce of preventative advice is worth a pound of litigation cure.
By Christina Torode, Senior News Writer
SearchWinIT.com
IT managers don't need to hear horror stories about TJX Corp.'s recent lapse of data security to know just how high the stakes have become when a corporation doesn't have proper data protection in place.
Although IT managers are already stretched to their limits, they are faced with the growing responsibility for regulatory compliance. Government regulations evolving over the last few years are firmly in place today, and it has fallen to the IT managers and those in the trenches to make sure safeguards are in place so that corporate data is protected.
Two regulations in particular, Sarbanes-Oxley and the Payment Card Industry (PCI) data security standard are garnering the most attention in IT shops.
Sarbanes-Oxley, also known as SOX, was enacted in 2002 in response to accounting irregularities at energy firm Enron Corp. The law sought to keep track of company finances more closely so that company officials could produce complete financial data more quickly for regulators. Sarbanes-Oxley alone is responsible for 5,000 to 20,000 man hours in 48% of IT shops per year, according to a recent survey by Gartner Inc., based in Stamford, Conn.
Enacted in 2004, PCI is intended to protect credit card holder data wherever it resides or is transmitted. The security breach at TJX, where about 45 million customer records were accessed is exactly what PCI is intended to prevent. In December, Visa offered its merchants and transaction services providers $20 million in incentives to comply with industry rules.
"PCI impacts any part of the IT infrastructure through which credit card data is transferred, viewed -- even home users connecting to the company need to be PCI compliant," said Alex Bakman, founder of compliance reporting software vendor Ecora Software Corp. in Portsmouth, N.H. "The only way a part of your infrastructure does not fall under this guideline is if it's physically separated, and that is not feasible for most organizations."
Privacy legislation requiring that companies publicly disclose information security breaches to customers is also in effect in 31 states. Compliance experts expect that it will not be long before all 50 states have such laws in place.
Then there are more industry focused guidelines, such as the Gramm-Leach-Bliley Act, designed to govern banks and other financial institutions.
More regulations mean more data scrutinized
All these rules and regulations mean that more and more data needs to be scrutinized. In fact, roughly 20% of the 161 exabytes of data created in 2006 are subject to compliance guidelines, according to research group IDC.
To ensure that organizations are following federal compliance regulations and other safeguards, government agencies regularly send auditors to companies to conduct checks. These auditors, who are becoming increasingly tech-savvy, are asking IT managers some tough questions -- and IT managers must be able to answer them and document the results.
In anticipation of compliance audits, some IT managers are being asked by their employers to sign and certify that their systems are protected against internal and external threats. These signed documents are becoming part of the audit trail when companies are pulled into compliance litigation.
And, in this process, the IT staff's role is changing -- not just in the hours they spend on compliance, but also how they approach every day tasks such as change management.
Compliance ranks high among daily tasks
IT manager Bill Grigonis said compliance remains high on the list of his daily tasks and has had an impact on just about every change made to servers and desktops at the American Bible Society, a $1 billion New York-based publisher of religious materials. "Everything we do focuses on regulatory compliance -- from the adds and changes we make to the servers down to the network. It's always in the back of our minds," he said.
Compliance has also caused IT managers such as Joseph Fleming, IT manager with Blue Cross Blue Shield in Helena, Mont., to become somewhat of a counselor to his staff as their work comes under closer scrutiny.
"There is a Big Brother mentality when the auditor comes in and wants to see how we track the changes we've made to systems, why we made them and who made them," he said.
Knowledge gained from IT compliance audits
There are many lessons to be learned from those who conduct audits and from those who have been through one, particularly IT managers left with the task of figuring out what the auditor, who IT professionals say speaks a different language, is looking for exactly.
Auditors also may embark on a path outside the realm they were initially called in to review, Grigonis said. "A lot of auditors ask for things that aren't part of our company guidelines [for an audit]. If we don't have a specific policy they'd like to see, they can make a recommendation for the next audit. We don't have to follow it," he said, "but we usually do because we want to have the right checks and balances in place."
In some cases, organizations run into problems before the audit even begins -- as was the case with one company that processes millions of dollars worth of credit card transactions. While it was getting ready for a PCI audit, the company sent out a request for proposals divulging sensitive information to several consulting firms that were asked to bid on its risk management project.
"They divulged too much information, to too many people, and didn't even realize it," said Ken Smith, a principal auditor with Akibia Inc., an IT consulting firm that specializes in PCI compliance audits and risk analyses. "They obviously didn't have any controls or policies in place."
Not only that, but the company revealed in the proposal that the wireless network it used to process credit cards was not secure or encrypted and that it did not perform background checks on employees who were given data access privileges, Smith said.
Good news and bad news about compliance
The bad news is that many compliance guidelines remain vague, and more seem to pop up every year. The good news is that many IT organizations that have been through an audit can benefit in many ways. For instance, after years of warning higher ups about security risks in their organizations, IT managers at last have support for improving processes within the IT environment overall.
The key to keep in mind is that while technology may be a growing piece of meeting compliance -- IT accounted for 5% of a SOX audit three years ago, but now accounts for about 30%, according to Bakman -- you should view it as a means of enforcing policies and not the end solution.
"A couple of years ago, every vendor said, 'My product will solve all your compliance needs,'" said Khalid Kark, an analyst with Cambridge, Mass.-based Forrester Research Inc.
"There is no one technology that addresses all your compliance needs. A good security framework is a function of people processes and technology, with technology playing a large role in the automation of policies and processes."
POMA is an application for the Management of Physician Standing Orders.
POMA provides a platform that empowers an organization to put evidence-based healthcare into practice and improve the quality of patient care.
POMA improves the utilization of physician resources by automating physician order sets based on pay-for-performance measures, regulatory standards and peer-reviewed literature.
Read more
By Sathya Narasimhan, Compliance Specialist with Indidge Systems
Six New chapters for 2009
- Emergency Management (EM)
- Equipment Management (EQ-Home Care only)
- Life Safety (LS)
- Record of Care, Treatment and Services (RC)
- Transplant Safety (TS)
- Waived Testing (WT)
The objective is to make sure that the standards and EPs (Element of Performance) are scored in a way that gives a valid accreditation decision, yet is simple and easily communicated. A scoring prototype, when developed, will be tested. Additionally, the Joint Commission is eliminating all compound sentences and all bulleted requirements. The goal is to make each EP speak to a very specific requirement.
EMR (Electronic Medical Record) vendors need to refresh as joint commission 2009 updates brings up changes in the existing medical records details were it incorporates all the medical records requirements either as a subsection of provision of care or as a separate chapter. The goal is to put everything related to the medical record in one place in the manual.
Answering Service At The Mental Institute
"Hello, and welcome to the mental health hotline.
If you are obsessive-compulsive, press 1 repeatedly.
If you are co-dependent, please ask someone to press 2 for you.
If you have multiple personalities, press 3,4,5, and 6.
If you are paranoid, we know who you are and what you want. Stay on the line so we can trace your call.
If you are delusional, press 7 and your call will transferred to the mother ship.
If you are schizophrenic, listen carefully and a small voice will tell you which number to press.
If you are manic depressive, it doesn't matter which number you press, no one will answer.
If you have a nervous disorder, please fidget with the hash key until someone comes on the line.
If you are dyslexic, press 6969696969.
If you have amnesia, press 8 and state your name, address, phone number, date of birth, social security number, and your mother's maiden name.
If you have post-traumatic-stress disorder, slowly and carefully press 000.
If you have bipolar disorder, please leave a message after the beep, or before the beep, or after the beep. Please wait for the beep.
If you have short-term memory loss, press 9. If you have short term memory loss, press 9. If you have short term memory loss, press 9. If you have short term memory loss, press 9.
If you have low self esteem, please hang up. All our operators are too busy to talk to you."