United Healthcare 2011 Annual Report Download - page 21

If we fail to comply with applicable privacy and security laws, regulations and standards, including with respect to
third-party service providers that utilize sensitive personal information on our behalf, or if we fail to address emerging
security threats or detect and prevent privacy and security incidents, our business, reputation, results of operations,
financial position and cash flows could be materially and adversely affected.

The collection, maintenance, protection, use, transmission, disclosure and disposal of sensitive personal information are
regulated at the federal, state, international and industry levels and requirements are imposed on us by contracts with
customers. These laws, rules and requirements are subject to change. Further, many of our businesses are subject to the
Payment Card Industry Data Security Standards (PCI DSS), which is a multifaceted security standard that is designed to protect
credit card account data as mandated by payment card industry entities. See Item 1, “Business - Government Regulation” for
additional information. HIPAA also requires business associates as well as covered entities to comply with certain privacy and
security requirements. Even though we provide for appropriate protections through our contracts with our third-party service
providers and in certain cases assess their security controls, we still have limited oversight or control over their actions and
practices.

Our facilities and systems and those of our third-party service providers may be vulnerable to privacy and security incidents;
security attacks and breaches; acts of vandalism or theft; computer viruses; coordinated attacks by activist entities; emerging
cybersecurity risks; misplaced or lost data; programming and/or human errors; or other similar events. Emerging and advanced
security threats, including coordinated attacks, require additional layers of security which may disrupt or impact efficiency of
operations.

Compliance with new laws, regulations and requirements may result in increased operating costs, and may constrain our ability
to manage our business model. For example, our ability to collect, disclose and use sensitive personal information may be
further restricted, and we are awaiting final HHS regulations for many key aspects of the ARRA amendments to HIPAA, such
as with regard to marketing, electronic health records and access reports (which may necessitate system changes). In addition,
HHS has announced a pilot audit program to assess HIPAA compliance efforts by covered entities through 2012. Although we
are not aware of HHS plans to audit any of our covered entities, an audit resulting in findings or allegations of noncompliance
could have a material adverse effect on our results of operations, financial position and cash flows.

Noncompliance or findings of noncompliance with applicable laws, regulations or requirements, or the occurrence of any
privacy or security breach involving the misappropriation, loss or other unauthorized disclosure of sensitive personal
information, whether by us or by one of our third-party service providers, could have a material adverse effect on our
reputation, results of operations, financial position and cash flows, including the following consequences: mandatory disclosure
of a privacy or security breach to the media; significant increases in the cost of managing and remediating privacy or security
incidents; enforcement actions; material fines and penalties; an impact on our ability to process credit card transactions as well
as an increase in related expenses; litigation; compensatory, special, punitive, and statutory damages; consent orders regarding
our privacy and security practices; adverse actions against our licenses to do business; and injunctive relief.

Our businesses providing PBM services face regulatory and other risks and uncertainties associated with the PBM
industry that may differ from the risks of our business of providing managed care and health insurance products.

We provide PBM services through our OptumRx and UnitedHealthcare businesses. Each business is subject to federal and state
anti-kickback and other laws that govern their relationships with pharmaceutical manufacturers, customers and consumers. In
addition, federal and state legislatures regularly consider new regulations for the industry that could materially and adversely
affect current industry practices, including the receipt or disclosure of rebates from pharmaceutical companies, the development
and use of formularies, and the use of average wholesale prices. See Item 1, “Business - Government Regulation” for a
discussion of various federal and state laws and regulations governing our PBM businesses.

OptumRx also conducts business as a mail order pharmacy and specialty pharmacy, which subjects it to extensive federal, state
and local laws and regulations. The failure to adhere to these laws and regulations could expose OptumRx to civil and criminal
penalties.

Our PBM businesses would be materially and adversely affected by an inability to contract on favorable terms with
pharmaceutical manufacturers, and could face potential claims in connection with purported errors by our mail order or
specialty pharmacies, including in connection with the risks inherent in the packaging and distribution of pharmaceuticals and
other health care products. Disruptions at any of our mail order or specialty pharmacies due to an accident or an event that is
beyond our control could affect our ability to timely process and dispense prescriptions and could materially and adversely
affect our results of operations, financial position and cash flows.

In addition, our PBM businesses provide services to sponsors of health benefit plans that are subject to ERISA. The DOL,
which is the agency that enforces ERISA, could assert that the fiduciary obligations imposed by the statute apply to some or all
of the services provided by our PBM businesses even where our PBM businesses are not contractually obligated to assume
fiduciary obligations. In the event a court were to determine that fiduciary obligations apply to our PBM businesses in
connection with services for which our PBM businesses are not contractually obligated to assume fiduciary obligations, we