Health Net 2011 Annual Report Download - page 46

Download and view the complete annual report

Please find page 46 of the 2011 Health Net annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 307

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307

In addition, we intend to enhance and modernize interactions with our customers, brokers, agents, providers,
employees and other stakeholders through web-enabled technology, among other things. Our failure to maintain
successful e-business capabilities could result in competitive and cost disadvantages for us as compared to our
competitors.
We must comply with requirements relating to patient privacy and information security, including taking steps
to ensure compliance by our business associates with HIPAA.
The Department of Health and Human Services has regulations in place under HIPAA relating to the
privacy and security of protected health information (“PHI”). These regulations, as amended, require health
plans, clearinghouses and providers to, among other obligations: comply with various requirements and
restrictions related to the use, disclosure, storage, and transmission of PHI; adopt rigorous internal policies and
procedures to safeguard PHI; and enter into specific written agreements with business associates that receive, use
and/or create PHI on our behalf. HIPAA also established significant civil and criminal sanctions for violations.
These regulations expose us to liability for, among other things, violations of the regulations by our business
associates, including the third party vendors involved in our outsourcing projects. The Health Information
Technology for Economic and Clinical Health Act (the “HITECH Act”), which became fully effective in
February 2010, expanded HIPAA’s requirements for security and privacy safeguards, including improved
enforcement, additional limitations on use and disclosure of PHI and additional potential penalties for violations,
and imposed notice obligations in the event of a breach of unsecured PHI. Although our contracts with our
business associates provide for protections of PHI by our business associates, we may have limited control over
the actions and practices of our business associates. Compliance with HIPAA and state and federal privacy and
security laws and regulations has resulted in and may in the future result in significant costs to us due to
necessary systems changes, the development of new administrative processes and the effects of potential
noncompliance by us or our business associates. See also “—If we fail to comply with requirements relating to
patient privacy and information security, including taking steps to ensure that our business associates who
obtain access to sensitive patient information maintain the privacy and security of such information, our
reputation and business operations could be materially adversely affected.
If we fail to comply with requirements relating to patient privacy and information security, including taking
steps to ensure that our business associates who obtain access to sensitive patient information maintain the
privacy and security of such information, our reputation and business operations could be materially
adversely affected.
The collection, maintenance, use, disclosure and disposal of individually identifiable health information or
data, including PHI, by our businesses are regulated at the federal and state levels. Despite the privacy and
security measures we have in place to ensure compliance with applicable laws and regulations, our facilities and
systems, and those of our third party vendors and service providers, are vulnerable to privacy and security
incidents including, but not limited to, computer hacking, breaches, acts of vandalism or theft, computer viruses
or other forms of cyber attack, misplaced or lost data, programming and/or human errors or other similar events.
For example, in January 2011, we were notified by a third party vendor that certain of our server drives could not
be accounted for in connection with the migration of our data center to a facility owned and operated by our third
party vendor. We subsequently commenced an investigation of the contents of the unaccounted for server drives,
including a detailed forensic review by computer experts, and determined that certain of these unaccounted for
drives contain PHI and other personally identifiable information relating to certain individuals. We reported the
loss to authorities and notified affected individuals. This matter is under review by various regulatory authorities.
In addition, we, and our third party vendor, are currently party to various putative class action lawsuits brought in
federal and state courts on behalf of individuals who claim to be affected by this incident. See “Part I—Item 3.
Legal Proceedings” and “—We face risks related to litigation, which, if resolved unfavorably, could result in
substantial penalties and/or monetary damages, including punitive damages. In addition, we incur material
expenses in the defense of litigation and our financial condition, results of operations, cash flow and/or liquidity
44