Health insurance data breach: a predicted result of PPACA rules


February 5, 2015 by Tony Novak

Yesterday the nation’s second largest health insurance company announced a serious data breach due to hacking. Let’s be clear that this is a problem that could easily have been prevented but was not, due to the federal law built into the Patient Protection and Affordable Care Act of 2010 (PPACA) known as the Minimum Loss Ratio. This law prohibits insurance companies like Anthem from spending as much as is prudent on administrative functions such as ensuring customer data privacy.

The Centers for Medicare and Medicaid Services (CMS), charged with implementing the law, has been consumed with winning premium rebates for customers through enforcement of regulations related to the calculation of the MLR, as a public relations move for Obamacare, rather than focusing on what it takes to run a great and secure health insurance system.

The following comments are mine, added to the Wall Street Journal’s coverage of the issue:

The reason that health insurance companies do not spend more on data security is the spending restriction initiated by the PPACA provision commonly known as Minimum Loss Ratio (MLR). Many health insurance industry observers including myself have warned for years that the rules promulgated by the Department of Health and Human Services (HHS) to implement the MLR would have adverse consequences in data security.

In 2011, for example, the U.S. House of Representatives Committee on Energy and Commerce Subcommittee took expert testimony about the undesirable and unintended consequences of the PPACA’s minimum loss ratio regulations, including an expert’s recommendation to “simply repeal the PPACA’s misguided and badly designed minimum loss ratio regulations”. Health care data security experts are justly smug today in saying “told you so”.

So why isn’t this federal law specifically named in WSJ and other media coverage as the direct underlying cause of Anthem’s data security problem? Is it now time for us to realize that sending premium rebates to insurance customers is not as important as keeping our health care data secure?

At a minimum, I join with the many other industry voices in urging CMS to revise its rules and to allow the cost of health insurance company administrative functions that are judged beneficial to customers to escape the MLR requirements.

3 thoughts on “Health insurance data breach: a predicted result of PPACA rules”

  1. kamalamarshall says:

    Thanks for pointing out this connection! I am a new Health Plan analyst learning about the implications of MBRs/MLRs and was discussing this exact issue with an ED this week. Simple but awesome insight into an unintended consequence.

  2. Roach Mark says:

    While it is a great argument, I wouldn’t use Anthem as an example unless you can prove they were MORE secure BEFORE PPACA – which I seriously doubt. Performance plays a crucial role in the design of IT initiatives. Encryption is known to complicate and slow IT systems. Slow systems mean less productive employees, which impacts the bottom line. We all know that $$$ talks, as you mentioned above. I would fault the company’s lack of expenditure as related to performance and remote interface requirements before blaming PPACA this early in the PPACA game. Companies won’t spend the additional money until something bad happens, regardless of government regulations. It’s the way capitalism works…
