United Healthcare 2012 Annual Report Download - page 28

Download and view the complete annual report

Please find page 28 of the 2012 United Healthcare annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 128

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128

CMS uses various payment mechanisms to allocate funding for Medicare programs, including adjusting monthly
capitation payments to Medicare Advantage plans and Medicare Part D plans according to the predicted health
status of each beneficiary as supported by data from health care providers as well as, for Medicare Part D plans,
risk-sharing provisions based on a comparison of costs predicted in our annual bids to actual prescription drug
costs. Some state Medicaid programs utilize a similar process. For example, our UnitedHealthcare Medicare &
Retirement and UnitedHealthcare Community & State businesses submit information relating to the health status
of enrollees to CMS or state agencies for purposes of determining the amount of certain payments to us. CMS
and the Office of Inspector General for HHS periodically perform risk adjustment data validation (RADV) audits
of selected Medicare health plans to validate the coding practices of and supporting documentation maintained
by health care providers, and certain of our local plans have been audited. Such audits have in the past resulted
and could in the future result in retrospective adjustments to payments made to our health plans, fines, corrective
action plans or other adverse action by CMS. In February 2012, CMS published a final RADV audit and payment
adjustment methodology. The methodology contains provisions allowing retroactive contract level payment
adjustments for the year audited, beginning with 2011 payments, using an extrapolation of the “error rate”
identified in audit samples and, for Medicare Advantage plans, after considering a fee-for-service (FFS) “error
rate” adjuster that will be used in determining the payment adjustment. Depending on the plans selected for audit,
if any, and the error rate found in those audits, if any, potential payment adjustments could have a material
adverse effect on our results of operations, financial position and cash flows.
We have been and may in the future become involved in various governmental investigations, audits, reviews
and assessments. These include routine, regular and special investigations, audits and reviews by CMS, state
insurance and health and welfare departments, state attorneys general, the OIG, the Office of Personnel
Management, the Office of Civil Rights, the FTC, U.S. Congressional committees, the DOJ, U.S. Attorneys, the
SEC, the CVM, the IRS, the SRF, the DOL, the FDIC and other governmental authorities. Certain of our
businesses have been reviewed or are currently under review, including for, among other things, compliance with
coding and other requirements under the Medicare risk-adjustment model. Such investigations, audits or reviews
sometimes arise out of or prompt claims by private litigants or whistleblowers that, among other things, we failed
to disclose certain business practices or, as a government contractor, submitted false claims to the government.
Governmental investigations, audits, reviews and assessments could expand to subjects beyond those targeted by
the original investigation, audit, review, assessment or private action and could lead to government actions,
which could result in the assessment of damages, civil or criminal fines or penalties, or other sanctions, including
restrictions or changes in the way we conduct business, loss of licensure or exclusion from participation in
government programs, any of which could have a material adverse effect on our business, results of operations,
financial position and cash flows. See Note 12 of Notes to the Consolidated Financial Statements included in
Item 8, “Financial Statements” for a discussion of certain of these matters.
If we fail to comply with applicable privacy and security laws, regulations and standards, including with
respect to third-party service providers that utilize sensitive personal information on our behalf, or if we
fail to address emerging security threats or detect and prevent privacy and security incidents, our
business, reputation, results of operations, financial position and cash flows could be materially and
adversely affected.
The collection, maintenance, protection, use, transmission, disclosure and disposal of sensitive personal
information are regulated at the federal, state, international and industry levels and requirements are imposed on
us by contracts with customers. These laws, rules and requirements are subject to change. Further, many of our
businesses are subject to the Payment Card Industry Data Security Standards (PCI DSS), which is a multifaceted
security standard that is designed to protect credit card account data as mandated by payment card industry
entities. See Item 1, “Business — Government Regulation” for additional information. HIPAA also requires
business associates as well as covered entities to comply with certain privacy and security requirements. Even
though we provide for appropriate protections through our contracts with our third-party service providers and in
certain cases assess their security controls, we still have limited oversight or control over their actions and
practices.
26