February 5, 2015 by Tony Novak
Yesterday the nation’s second largest health insurance company announced a serious data breach due to hacking. Let’s be clear that this is a problem that could easily have been prevented but was not, due to the federal law built into the Patient Protection and Affordable Care Act of 2010 (PPACA) known as Minimum Loss Ratio. This law prohibits insurance companies like Anthem from spending as much as is prudent on administrative costs to perform functions such as ensuring customer data privacy.
The Centers for Medicare and Medicaid Services (CMS), charged with implementing the law, has been consumed with winning premium rebates for customers through enforcement of regulations related to the calculation of MLR, as a public relations move for Obamacare, rather than focusing on what it takes to run a great and secure health insurance system.
My following comments were added to the Wall Street Journal’s coverage of the issue:
The reason that health insurance companies do not spend more on data security is the spending restriction initiated by the PPACA provision commonly known as Minimum Loss Ratio (MLR). Many health insurance industry observers including myself have warned for years that the rules promulgated by the Department of Health and Human Services (HHS) to implement the MLR would have adverse consequences in data security.
In 2011, for example, the U.S. House of Representatives Committee On Energy and Commerce Subcommittee took expert testimony about the undesirable and unintended consequences of the PPACA’s minimum loss ratio regulations with an expert’s recommendation to “simply repeal the PPACA’s misguided and badly designed minimum loss ratio regulations”. Health care data security experts are justly smug today in saying “told you so”.
So why isn’t this federal law specifically named in WSJ and other media coverage as the direct underlying cause of Anthem’s data security problem? Is it now time for us to realize that sending premium rebates to insurance customers is not as important as keeping our health care data secure?
At a minimum, I join with the many other industry voices in urging CMS to revise its rules and to allow the cost of health insurance company administrative functions that are judged beneficial to customers to escape the MLR requirements.