United Healthcare 2013 Annual Report Download - page 26


Please find page 26 of the 2013 United Healthcare annual report below.


If we fail to comply with applicable privacy, security, and data laws, regulations and standards, including with respect to third-party service providers that utilize sensitive personal information on our behalf, our business, reputation, results of operations, financial position and cash flows could be materially and adversely affected.

The collection, maintenance, protection, use, transmission, disclosure and disposal of sensitive personal information are regulated at the federal, state, international and industry levels and requirements are imposed on us by contracts with customers. These laws, rules and requirements are subject to change. Compliance with new privacy and security laws, regulations and requirements may result in increased operating costs, and may constrain or require us to alter our business model or operations. For example, the HITECH amendments to HIPAA may further restrict our ability to collect, disclose and use sensitive personal information and may impose additional compliance requirements on our business. While we have prepared for the transition to ICD-10 as a HIPAA-regulated entity, if unforeseen circumstances arise, it is possible that we could be exposed to investigations and allegations of noncompliance, which could have a material adverse effect on our results of operations, financial position and cash flows. In addition, if some providers continue to use ICD-9 codes on claims after October 1, 2014, we will have to reject such claims, which may lead to claim resubmissions, increased call volume and provider and customer dissatisfaction. Further, providers may use ICD-10 codes differently than they used ICD-9 codes in the past, which could result in lost revenues under risk adjustment. During the transition to ICD-10, certain claims processing and payment information we have historically used to establish our reserves may not be reliable or available in a timely manner.

Many of our businesses are also subject to the Payment Card Industry Data Security Standard, which is a multifaceted security standard that is designed to protect credit card account data as mandated by payment card industry entities.

HIPAA also requires business associates as well as covered entities to comply with certain privacy and security requirements. While we provide for appropriate protections through our contracts with our third-party service providers and in certain cases assess their security controls, we have limited oversight or control over their actions and practices. Several of our businesses act as business associates to their covered entity customers and as a result, they collect, use, disclose and maintain sensitive personal information in order to provide services to these customers. HHS has announced that it will continue its audit program to assess HIPAA compliance efforts by covered entities and expand it to include business associates. An audit resulting in findings or allegations of noncompliance could have a material adverse effect on our results of operations, financial position and cash flows.

Through our Optum businesses, including our Optum Labs business, we maintain a database of administrative and clinical data that is statistically de-identified in accordance with HIPAA standards. Noncompliance or findings of noncompliance with applicable laws, regulations or requirements, or the occurrence of any privacy or security breach involving the misappropriation, loss or other unauthorized disclosure of sensitive personal information, whether by us or by one of our third-party service providers, could have a material adverse effect on our reputation and business, including mandatory disclosure to the media, loss of existing or new customers, significant increases in the cost of managing and remediating privacy or security incidents, and material fines, penalties and litigation awards, among other consequences, any of which could have a material and adverse effect on our results of operations, financial position and cash flows.

Our businesses providing PBM services face regulatory and other risks and uncertainties associated with the PBM industry that may differ from the risks of our business of providing managed care and health insurance products.

We provide PBM services through our OptumRx and UnitedHealthcare businesses. Each business is subject to federal and state anti-kickback and other laws that govern the relationships of the business with pharmaceutical manufacturers, physicians, pharmacies, customers and consumers. OptumRx also conducts business as a mail order pharmacy and specialty pharmacy, which subjects it to extensive federal, state and local laws and