The Wall Street Journal posted on YouTube a video interview of Aetna CEO Mark Bertolini, an impressive guy, as part of its Future of Health Series. It's 50 minutes long and worth a listen.
Mr. Bertolini compliments Medicare Advantage for its practice of compensating insurers for risk. The FEHBP, in contrast, does not have a risk adjustment practice. Features like risk adjustment do carry legal risk, as the Minnesota Star Tribune evidences today in a story about a whistleblower-initiated and federal government-supported False Claims Act lawsuit against United Healthcare's Ingenix (now called Optum) unit for allegedly falsifying risk adjustment reports for Medicare Advantage plans in the last decade. Health care business risks go way beyond insurance.
And in that regard, HHS's Office for Civil Rights thumped Memorial Health Systems with a $5.5 million negotiated penalty for HIPAA Privacy and Security Rule violations, according to this HHS news release:
MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
Finally, falling into the truth-may-be-stranger-than-fiction category is this Benefits Pro report that the IRS does not question any taxpayer who fails to check the yes or no box on the federal tax return's question about compliance with the individual health mandate. The Obama Administration first took this loose approach, and as Mr. Obama was headed out the door late last year, the IRS announced a change in enforcement policy. The Service now is returning to its silence-is-golden approach based on President Trump's Executive Order to use a light touch on ACA enforcement.