Data Analytics as a Risk Management Strategy

Risk-Management-Monitor-Com

In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Computer Network Wires

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.

OF

Cyber and Technology Risk Insurance for the Construction Sector

Much Shelist law firm logo

The recent, well-publicized retail store data breach controversies have spawned a number of lawsuits and insurance claims. Not surprisingly, insurers have responded with attempts to fight claims for coverage for such losses. Insurance underwriters are carefully monitoring decisions being handed down by courts in these lawsuits. All of this activity has led to a new emphasis on cyber and technology risk and assessments, as well as on insurance-program strategies.

These developments have ramifications for the construction industry that include, and go well beyond, the data-breach context. Contractors, design professionals and owners may find that in addition to losses caused by data breaches, other types of losses occasioned by technology-related incidents may not be covered by their existing insurance programs.

Specifically, insureds may find themselves with substantial coverage gaps because:

  • data and technology exclusions have been added to general liability policies.

  • such losses typically involve economic losses (as opposed to property damages or personal-injury losses) that insurers argue are not covered by general liability policies.

  • data and technology losses may be the result of manufacturing glitches rather than professional negligence covered by professional liability policies.

Coverage for claims involving glitches, manufacturing errors and data breaches in technology-driven applications — such as Building Information Modeling (BIM), estimating and scheduling programs, and 3D printing — may be uncertain. A number of endorsements are currently available for data breach coverage, but insurers don’t necessarily have the construction industry in mind as they provide these initial products.

In addition, there is no such thing as a “standard” cyber liability policy, endorsement or exclusion. Insurers have their own forms with their own wording, and as seemingly minor differences in language may have a significant impact in coverage, such matters should be run past counsel.

Construction insurance brokers are telling us that insurers are in the process of determining how to respond to cyber and technology risk claims, what products to offer going forward, and how to underwrite and price these products. Keith W. Jurss, a senior vice president in Willis’s National Construction Practice warns:

“As the construction industry continues to identify the unique “cyber” risks that it faces we are identifying gaps in the current suite of “cyber” insurance coverages that are available.  In addition, new exclusionary language related to cyber risk under CGL and other policies adds to the gap.  The insurance industry is slowly beginning to respond with endorsements that give back coverage or new policies designed to address the specific risks of the construction industry.

“As we identify cyber insurance underwriters willing to evaluate the risks specific to the construction industry, we are seeing the development of unique solutions in the market. There is, however, more work required and as construction clients continue to demand solutions the industry will be forced to respond.”

Consequently, this is a time to stay in close touch with qualified construction insurance brokers who understand the sector and have their hands on the pulse of the latest available cyber and technology risk products. As these products become available, clients may also want to consider what cyber and technology risk coverage to require on projects and whether to include these requirements in downstream contracts.

ARTICLE BY

OF

Illinois Guaranty Fund Gets Setoff From Statutory Dram Shop Limit Rather Than Jury Verdict

Heyl Royster Law firm

Eighteen-year-old boy was killed in a head-on collision with a vehicle driven by an intoxicated person. His parents received $26,550 from the drunk driver’s insurance carrier and $80,000 from their own insurance carrier. They subsequently filed a dram shop suit. While it was pending, the dram shop’s insurance carrier was declared insolvent, and the Illinois Guaranty Fund assumed the defense. The issue was whether the $106,550 should be set off from a potential jury verdict or from the statutory dram shop limit of $130,338.51. The Fifth District held the setoff should be applied against the jury verdict.

The Supreme Court reversed and held the setoff should be applied against the statutory limit. The Fund’s obligation cannot be expanded by a jury verdict. It can only be reduced by other insurance. Rogers v. Imeri, 2013 IL 115860.

© 2014 Heyl, Royster, Voelker & Allen, P.C
OF

New Ridesharing Legislation in California and Oregon Highlights Insurance Uncertainty in Emerging Industries

Proskauer Law firm

Managing a company’s exposure to new types of risks is often a complicated endeavor.  We’ve previously reported on the uncertainty that can arise when existing coverage models are applied to a new risk—such as losses arising from data breaches and other cyber-attacks.  Applying existing coverage models to emerging industries presents similar challenges.  These challenges were highlighted recently in the years-long dispute over insurance of ridesharing companies, like Lyft and Uber, which recently reached some degree of closure in California with the enactment of new insurance legislation for these companies.

Ridesharing companies have arisen in the past few years as an alternative to traditional forms of transportation, such as taxis.  These companies neither employ the drivers nor own the cars used for transportation; they essentially serve as an online “middleman” connecting passengers with freelance drivers for hire and expressly disavow that they provide any sort of “transportation services.”  This new business model—blurring the lines between traditional services and social media—presented many questions as to liability and, consequently, risk management.  These questions were brought to the fore earlier this year, when the family of a six year old girl killed by a ridesharing driver sued the ridesharing company.  The company disclaimed liability on the basis that it is not responsible for the acts of its drivers, especially when the drivers do not have ridesharing passengers or are not en route to pick up one.

Many ridesharing drivers have relied primarily on their personal automobile policies, eschewing business coverage altogether, reportedlyat the recommendation of the ridesharing companies themselves.  While ridesharing companies have carried excess insurance policies to cover ridesharing accidents, the insurance industry took the position that these policies did not cover such accidents because there was no primary coverage.  In other words, because the only “primary” insurance policies were personal use automobile policies that did not cover commercial livery use, the excess insurance could not be triggered.

On September 17, 2014, California AB-2293 was enacted to address this uncertainty of coverage.  The statute was the result of discussions between legislators, ridesharing companies, insurers, and traditional taxi companies.  It requires ridesharing companies in the state to provide $100,000 in coverage for their drivers that takes effect the moment a driver connects to the ridesharing company’s dispatch software and increases to $1 million once the driver agrees to pick up a passenger.  It also states that a personal automobile insurer does not have the duty to defend or indemnify claims arising out of ridesharing, unless the policy expressly provides such coverage, and it requires ridesharing companies to disclose this fact to their drivers.

Whether other states will follow California’s lead remains to be seen.  Legislation addressing ridesharing has been introduced across the country, and as one Pennsylvania state legislator observed, “By far the biggest issue is insurance.”  In other states, regulators are addressing the possible insurance gap.  Just days after California’s new statute was enacted, Oregon’s State Insurance Division issued a consumer advisory, warning of the potential unavailability of insurance coverage under personal insurance policies for ridesharing and other services provided in the peer-to-peer marketplace.

As Oregon Insurance Commissioner Laura Cali observed in connection with ridesharing, “When a new industry emerges, it often creates unique insurance situations.”  New industries may exist under insurance uncertainty for years or decades before legislation, regulation, or litigation clarifies the issue.  It is therefore critical when expanding into a nascent industry to consider how the risks of that industry may be managed, under either new or existing types of insurance coverage.

ARTICLE BY

OF

Not By "Any Manner" Of Means: Securing Cyber-Crime Coverage After Zurich v. Sony

Gilbert LLP Law Firm

Much has been written about the New York Supreme Court’s landmark ruling in Zurich American Insurance Co. v. Sony Corp., Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), in which a New York trial court denied coverage to Sony Corporation for liabilities stemming from a 2011 cyber-attack on its PlayStation Network. The court held that while a wide-scale data breach represents a “publication” of private information, the PlayStation Network breach did not fall within the ambit of Sony’s commercial general liability (“CGL”) policy because the policy covered only publications by the insured itself—not by third-party hackers. The court rejected Sony’s argument that the phrase “in any manner,” which qualified the word “publication” in Sony’s policy, sufficed to broaden coverage to encompass third-party acts. Instead, the court determined that the “in any manner” language referred merely to the medium by which information was published (e.g., print, internet, etc.), not the party that did the publishing.

Most of the commentary surrounding Sony has focused on the court’s interpretation of the phrase “in any manner.” But that aspect of the court’s ruling was relatively unremarkable: other courts have similarly limited the phrase, most notably the Eleventh Circuit Court of Appeals inCreative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 444 Fed. App’x 370 (11th Cir. 2011) (holding that the issuance of a receipt to a customer containing more than the last five digits of the customer’s credit card number does not represent a publication). Lost in theSony debate is the fact that Sony may be able to prevail on appeal even if the appellate court refuses to adopt a broad reading of the “in any manner” language. Indeed, Sony can make a compelling case that the term “publication,” when read in context with the policy as a whole, is intended to encompass both first-party and third-party acts.

In focusing narrowly on the language of the advertising injury coverage grant, the Sony court overlooked a “cardinal principal” of insurance law: namely, that an insurance policy “should be read to give effect to all its provisions and to render them consistent with each other.”Mastrobuono v. Shearson Lehman Hutton, Inc., 514 U.S. 52, 63 (1995). Had the court taken a more holistic approach, it might have noticed that language in other parts of the policy evidenced the insurers’ intent to cover third-party publications. If Sony’s policy resembled the standard Insurance Services Office, Inc. (“ISO”) CGL policy, its exclusions section was surely riddled with clauses restricting coverage for certain types of injury “caused by or at the direction of the insured.” Only six of the exclusions in the ISO policy are not so qualified, including the absolute pollution exclusion and the exclusion for publications that occur prior to the policy period. It makes sense that insurers would wish to broadly exclude such categories of injury, just as it makes sense that exclusions for intentionally injurious acts would be written narrowly to apply only to the insured’s own actions. These carefully worded exclusions—when read together and in context with the policy as a whole—evidence a conscious decision by Sony’s insurers to exclude some injuries only if caused by the insured, while excluding other types of injury regardless of who, if anyone, is at fault. This, in turn, suggests that the insurers contemplated coverage for third-party acts unless such acts are expressly excluded.

Nowhere is this better illustrated that in the ISO policy’s exclusion for intellectual property infringement. This exclusion purports to broadly bar coverage for injury “arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.” However, this broad exclusion is qualified by the caveat that it “does not apply to infringement,in your ‘advertisement’, [sic] of copyright, trade dress or slogan.” Thus, the exclusion bars coverage in the first instance for all intellectual property infringements irrespective of the identity of the perpetrator, then adds back coverage for certain acts of the insured. This evidences the insurer’s understanding that unless otherwise excluded, the policy affords coverage for advertising injury regardless of who caused it.

At minimum, the fact that the ISO policy exclusions vary with respect to whether they exclude all acts or only first-party acts should be sufficient to raise an ambiguity, thus triggering “the common-law rule of contract interpretation that a court should construe ambiguous language against the interest of the party that drafted it.” Mastrobuono, 514 U.S. at 62. Even if the policy does not unambiguously afford coverage for third-party publications, it is at the very least “susceptible to more than one reasonable interpretation.” Discovision Assocs. v. Fuji Photo Film Co., Ltd., 71 A.D.3d 448, 489 (N.Y. App. Div. 2010) (internal quotation marks and citation omitted). Pointing to ambiguity in the policy as a whole would provide policyholders such as Sony with a more plausible and straightforward avenue to securing coverage for third-party publications than does narrowly parsing the phrase “in any manner.”

The question of whether third-party publications are covered under the typical CGL policy is of crucial importance to policyholders seeking insurance recovery for cyber-crime injuries. Importantly, victory on this point by Sony or another hacking victim would transform Sony into a policyholder-friendly decision, because the Sony court answered the other difficult question presented in the case—whether a data breach represents a “publication”—in favor of coverage. If the appellate court is willing to look past the narrow language of the advertising injury coverage grant and focus on Sony’s policy as a whole, Sony will have a good chance of prevailing on appeal and, in doing so, will set a strong precedent in favor of cyber-crime coverage for hacking victims.

ARTICLE BY

Government Shutdown Now Over – But What About Sequestration?

DrinkerBiddle

The government may be back up and running and funded under a short-term continuing resolution (CR), but the battle is far from over as Congress heads toward new deadlines to address budgetary matters.  There has been some confusion about what the current budget agreement means in terms of sequestration’s annual cuts to discretionary and mandatory programs instituted in 2012.  The law signed by the President to address the short-term continuing resolution and temporarily raise the debt ceiling does not provide federal agencies flexibility to administer new sequestration cuts at this time.  With the government spending levels remaining at FY 2013 levels for the duration of the CR, a new round of sequester cuts are not set to kick in until January 2014.

The law established a short-term budget conference committee, with a set deadline of Dec. 13, 2013 to outline recommended spending levels and program cuts.  Of note is that the committee deadline is set in advance of when the second year of the sequester will begin.  The deadline provides a window of opportunity for the new budget conferees to address how the sequester cuts are applied in FY 2014.   The conferees may contemplate making other adjustments to entitlement programs (Medicare and Medicaid) to address health care spending issues that will be negotiated during their deliberations.  In addition, Medicare payments to physicians are set to be cut by approximately 25 percent if Congress does not address the cut by December 31, 2013 and offset the cut with a payfor that would likely include cuts to other health care entities. Any of these negotiations and decisions, if ultimately accepted by Congress, could impact the size of the Medicare sequester cuts in January FY 2014.

Article By:

 of

Alleged STOLI Producers Found Guilty of Fraud and Other Criminal Charges

DrinkerBiddle

Earlier today, a jury in the United States District Court for the Southern District of New York found independent insurance producers Michael Binday, James Kergil, and Mark Resnick guilty of mail and wire fraud, and conspiracy to commit those offenses.  The jury also convicted Kergil and Resnick of conspiracy to obstruct justice.  Sentencing has been scheduled for January 15, 2014.  The convicted defendants may face up to 80 years in prison.

During the 12 day trial, federal prosecutors argued that Binday, Kergil, and Resnick lied to insurers to perpetrate the scheme and then lied again to cover it up.  Based on the testimony of insiders and insureds, along with the defendants’ own emails and other documents, prosecutors specifically argued that the defendants:

  • recruited brokers to solicit elderly clients to serve as straw-buyers for the policies, with promises of large commissions to the brokers and payments to the clients upon the sale of the policies;
  • submitted applications to insurers for more than $100 million in life insurance, which grossly misrepresented the insureds’ income and net worth and lied about the intent to sell the policies, the fact that the premium would be financed by third-parties, and that multiple policies were being applied for or had been issued in the name of the insured;
  • recruited accountants and other professionals to submit bogus inspection reports and other documents purporting to verify the insureds’ financials;
  • conspired to thwart insurers’ attempts to investigate the representations made in the policy applications and to disguise the source of premiums paid for the policies by wiring funds into insureds’ accounts; and
  • earned millions of dollars through commissions and in some cases by arranging to cash in themselves on the death benefits upon an insured’s death.

Insurance industry leaders Jim Avery, the former Vice Chairman and President of Individual Life Insurance for Prudential, and Mike Burns, a Senior Vice President at Lincoln Financial Group, also testified during the government’s case in chief.  Both testified about their companies’ anti-STOLI policies, the harm to insurers that STOLI caused, and the measures the companies took to try to screen it out.

The evidence relating to the conspiracy to obstruct justice charges against Kergil and Resnick included alleged recorded calls that a scheme insider, who testified under a plea agreement, had with Kergil and Resnick, and testimony from an employee of the Apple computer store where Resnick allegedly had taken his computer to have the hard drive wiped clean.  The alleged calls, which were recorded in cooperation with the FBI, involved discussions about Kergil’s instruction to Resnick and the insider to destroy all records with Binday’s name on them and to wipe their computer hard drives clean.

Each of the defendants was separately represented by his own counsel, and none of the defendants took the stand in his defense.  Instead, the defendants presented excerpts from approximately a dozen files for policies that the defendants submitted to the insurers and that supposedly contained STOLI red flags.  Based on these documents, the defendants argued that the insurers were not deceived by the defendants’ lies and that the scheme was profitable for all involved and not criminal activity.  On rebuttal, the prosecutors introduced additional evidence from the insurer files showing that the insurers’ attempts to investigate the STOLI red flags were met with more lies on the part of the defendants and their associates.

This criminal prosecution has already spawned at least one civil action by an insurer seeking to have a STOLI policy allegedly involving Resnick and Binday declared null and void.

Mandatory Paid Sick Leave Arrives in New York City

VedderPriceLogo

On Thursday, June 27, members of the New York City Council voted to override Mayor Michael Bloomberg’s veto of the City’s Earned Sick Time Act (the Act). New York City thus became the latest (and the most populous) of a growing number of localities – including San Francisco; Washington, DC; Seattle; Portland, ME; and the State of Connecticut – to impose mandatory sick leave obligations on employers.

The NYC Earned Sick Time Act: An Overview

Virtually all private sector employers within the geographic boundaries of New York City are covered by the Act’s provisions. Notable exceptions include a limited number of manufacturing entities, as well as employers whose workers are governed by a collective bargaining agreement that expressly waives the Act’s provisions while at the same time providing those workers with a comparable benefit.

The Act will eventually cover more than one million employees, providing each of them with up to five days of paid leave each year. In its first phase of implementation, currently scheduled to take effect on April 1, 2014, the Act will apply only to those employers that employ 20 or more workers in New York City. The second phase of implementation will begin 18 months later (currently, October 15, 2015), at which time the Act will expand to those employers with at least 15 City-based employees. The Act will require employers with fewer than 15 City-based employees to provide their employees with unpaid, rather than paid, sick time.

New York City-based employees (regardless of whether they are employed on a full- or part-time, temporary or seasonal basis) who work more than 80 hours during a calendar year will accrue paid sick time at a minimum rate of one hour for each 30 hours worked. The Act caps mandatory accrual of paid sick time at 40 hours per calendar year (the equivalent of one five-day workweek). Although the Act provides only for a statutory minimum, employers are free to provide their employees with additional paid time if they so desire. Accrual of paid leave time begins on the first day of employment, but employers may require employees to first work as many as 120 days before permitting them to make use of the time they have accrued.

The Act specifies that employees will be able to use their accrued time for absences from work that occur because of: (1) the employee’s own mental or physical illness, injury or health condition, or the need for the employee to seek preventive medical care; (2) care of a family member in need of such diagnosis, care, treatment or preventive medical care; or (3) closure of the place of business because of a public health emergency, as declared by a public health official, or the employee’s need to care for a child whose school or childcare provider has been closed because of such a declared emergency.

Although the Act allows employees to carry over accrued but unused leave time from year to year, it does not require employers to permit the use of more than 40 hours of paid leave each year. Likewise, it does not require employers to pay out accrued, but unused, sick leave upon an employee’s separation from employment.

Employers that have already implemented paid leave policies – such as policies that provide for paid time off (PTO), personal days and/or vacation – that provide employees with an amount of paid leave time sufficient to meet the Act’s accrual requirements may not be required to provide their employees with anything more once the Act takes effect. As long as an employer’s current policy or policies allow the paid leave in question to be used “for the same purposes and under the same conditions as paid sick leave,” nothing more is necessary.

The Act Requires Proper Notice to Both Employees and Employers

Once the Act is implemented, employers will be required to inform new employees of their rights when they are hired, and will have to post additional notices in the workplace (suitable notices will be made available for download on the Department of Consumer Affairs website). In addition to providing information about the Act’s substantive provisions, employees must also be informed of the Act’s provision against retaliation and how they may lodge a complaint.

Likewise, an employer may require reasonable notice from employees who plan to make use of their accrued time. The Act defines such notice as seven days in the case of a foreseeable situation, and as soon as is practicable when the need for leave could not have been foreseen.

Penalties and Enforcement

The Act will be enforced by the City’s Department of Consumer Affairs. Because the Act contains no private right of action, an employee’s only avenue for redress will be through the Consumer Affairs complaint process. Employees alleging such a violation have 270 days within which to file a complaint. Penalties for its violation are potentially steep; they include: (1) the greater of $250 or three times the wages that should have been paid for each instance of sick time taken; (2) $500 for each instance of paid sick time unlawfully denied to an employee, or for which an employee is unlawfully required to work additional hours without mutual consent; (3) full compensation, including lost wages and benefits, for each instance of unlawful retaliation other than discharge from employment, along with $500 and equitable relief; and (4) $2,500 for each instance of unlawful termination of employment, along with equitable relief (including potential reinstatement).

Employers found to have violated the Act may also face fines from the City of up to $500 for the first violation, $750 for a second violation within two years of the first, and $1,000 for any subsequent violation within two years of the one before. Additionally, employers that willfully fail to provide the required notice of the Act’s substantive provisions will be fined $50 for each employee who did not receive such notice.

The Act, meanwhile, does not prohibit employers from requiring that such an employee provide documentation from a licensed health care professional to demonstrate the necessity for the amount of sick leave taken. Employers are free under the Act to discipline employees, up to and including termination, who take sick leave for an improper purpose. They are prohibited, however, from inquiring as to the nature of an employee’s injury, illness or condition.

Countdown to HITECH Compliance: How to Redistribute Your Notice of Privacy Practices

Poyner SpruillSeptember 23, 2013 is the fast-approaching compliance deadline for the final omnibus HIPAA/HITECH rules.  Many provisions required revisions to Notices of Privacy Practices (NPPs) maintained and distributed by covered entities.  The U.S. Department of Health and Human Services (HHS) has made clear that these changes are material.  As a result, covered entities must redistribute their NPPs shortly in order to meet HITECH’s requirements.  This alert describes the manner of redistribution dictated by HIPAA.

General Requirements

When revising NPPs, keep in mind that whether paper or web-based, HHS requires them to be accessible to all individuals, including those with disabilities.  Covered providers required to comply with Section 504 of the Rehabilitation Act or the Americans with Disabilities Act must also take steps to ensure effective communication with individuals with disabilities, including making the revised NPP available in Braille, large print, or audio.  HIPAA also requires NPPs to be written in plain language.

Changes to the NPP may not be implemented prior to the NPP’s new effective date, unless otherwise required by law.  Typically, any change to the practices described within the revised NPP may only be applied to PHI created or received after the effective date of the change.  All previous versions of the NPP and any acknowledgments of its receipt must be maintained for six years from the last effective date.

If You Are a Health Care Provider

For existing patients, you must make the revised NPP available upon request on or after the effective date of the changes (for most, this date will be September 23, 2013).  If you have a physical service delivery site (such as a clinic or hospital), you must have copies of the NPP available at the site for individuals to take with them upon request.  You also must post a copy of the NPP or summary of the revisions in a clear and prominent location, where it is reasonable to expect individuals to be able to read the posting.  You must ensure all new patients receive the revised NPP at the time of first service after the effective date of the changes.  The revised NPP must be made available on your website if you have one.  If patients have agreed to receive electronic notice of the NPP, you may e-mail the revised NPP to those patients.  You do not need to obtain acknowledgment of receipt from individuals, except for the initial distribution of the NPP provided at the first time of service.

If You Are a Health Plan

You must distribute the revised NPP to current plan participants.  If you post your NPP on a website, then you must post the revised NPP, or a description of the material changes, prominently on that website by the effective date of the changes.  You also must provide in your next annual mailing to participants either the revised NPP or information regarding material changes and how to obtain a copy of the NPP.  If you do not post your NPP on a website, then you must provide participants with the revised NPP or information about the material changes and how to obtain the revised NPP within 60 days of the material changes.  Note that all health plans also must continue to notify participants of the availability of the NPP and how to obtain a copy at least once every three years.

HHS has stated that if covered entities or health plans amended and redistributed NPPs prior to issuance of the final omnibus rule then they are not required to repeat the process, so long as the current NPP that was redistributed meets all the requirements in the final rule.  For all other covered entities, the NPP must be revised and effective by September 23, 2013, and redistributed as appropriate.

Article By:

 of

U.S. Medical Oncology Practice Sentenced for Use and Medicare Billing of Cancer Drugs Intended for Foreign Markets

GT Law

In a June 28, 2013 news release by the Office of the United States Attorney for the Southern District of Californiain San Diego, it was reported that a La Jolla, California medical oncology practice pleaded guilty and was sentenced to pay a $500,000 fine, forfeit $1.2 million in gross proceeds received from the Medicare program, and make restitution to Medicare in the amount of $1.7 million for purchasing unapproved foreign cancer drugs and billing the Medicare program as if the drugs were legitimate. Although the drugs contained the same active ingredients as drugs sold in the U.S. under the brand names Abraxane®, Alimta®, Aloxi®, Boniva®, Eloxatin®, Gemzar®, Neulasta®, Rituxan®, Taxotere®, Venofer® and Zometa®), the drugs purchased by the corporation were meant for markets outside the United States, and were not drugs approved by the FDA for use in the United States. Medicare provides reimbursement only for drugs approved by the Food and Drug Administration (FDA) for use in the United States. To conceal the scheme, the oncology practice fraudulently used and billed the Medicare program using reimbursement codes for FDA approved cancer drugs.

In pleading guilty, the practice admitted that from 2007 to 2011 it had purchased $3.4 million of foreign cancer drugs, knowing they had not been approved by the U.S. Food and Drug Administration for use in the United States. The practice admitted that it was aware that the drugs were intended for markets other than the United States and were not the drugs approved by the FDA for use in the United States because: (a) the packaging and shipping documents indicated that drugs were shipped to the office from outside the United States; (b) many of the invoices identified the origin of the drugs and intended markets for the drugs as countries other than the United States; (c) the labels did not bear the “Rx Only” language required by the FDA; (d) the labels did not bear the National Drug Code (NDC) numbers found on the versions of the drugs intended for the U.S. market; (e) many of the labels had information in foreign languages; (f) the drugs were purchased at a substantial discount; (g) the packing slips indicated that the drugs came from the United Kingdom; and (h) in October, 2008 the practice had received a notice from the FDA that a shipment of drugs had been detained because the drugs were unapproved.

In a related False Claims Act lawsuit filed by the United States, the physician and his medical practice corporation paid in excess of $2.2 million to settle allegations that they submitted false claims to the Medicare program. The corporation was allowed to apply that sum toward the amount owed in the criminal restitution to Medicare. The physician pleaded guilty to a misdemeanor charge of introducing unapproved drugs into interstate commerce, admitting that on July 8, 2010, he purchased the prescription drug MabThera (intended for market in Turkey and shipped from a source in Canada) and administered it to patients. Rituxan®, a product with the same active ingredient, is approved by the Food and Drug Administration for use in the United States.

Article By:

 of