United Healthcare 2015 Annual Report Download - page 24

Download and view the complete annual report

Please find page 24 of the 2015 United Healthcare annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 113

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113

CMS uses various payment mechanisms to allocate funding for Medicare programs, including adjusting monthly
capitation payments to Medicare Advantage plans and Medicare Part D plans according to the predicted health
status of each beneficiary as supported by data from health care providers for Medicare Advantage plans, as well
as, for Medicare Part D plans, risk-sharing provisions based on a comparison of costs predicted in our annual
bids to actual prescription drug costs. Some state Medicaid programs utilize a similar process. For example, our
UnitedHealthcare Medicare & Retirement and UnitedHealthcare Community & State businesses submit
information relating to the health status of enrollees to CMS or state agencies for purposes of determining the
amount of certain payments to us. CMS and the Office of Inspector General for HHS periodically perform risk
adjustment data validation (RADV) audits of selected Medicare health plans to validate the coding practices of
and supporting documentation maintained by health care providers, and certain of our local plans have been
selected for audit. Such audits have in the past resulted and could in the future result in retrospective adjustments
to payments made to our health plans, fines, corrective action plans or other adverse action by CMS.
We have been and may in the future become involved in routine, regular and special governmental
investigations, audits, reviews and assessments. Certain of our businesses have been reviewed or are currently
under review, including for compliance with coding and other requirements under the Medicare risk-adjustment
model, our chart review programs and related processes. Such investigations, audits or reviews sometimes arise
out of or prompt claims by private litigants or whistleblowers that, among other allegations, we failed to disclose
certain business practices or, as a government contractor, submitted false claims to the government.
Governmental investigations, audits, reviews and assessments could lead to government actions, which could
result in the assessment of damages, civil or criminal fines or penalties, or other sanctions, including restrictions
or changes in the way we conduct business, loss of licensure or exclusion from participation in government
programs, any of which could have a material adverse effect on our business, results of operations, financial
position and cash flows.
If we fail to comply with applicable privacy, security and data laws, regulations and standards, including
with respect to third-party service providers that utilize sensitive personal information on our behalf, our
business, reputation, results of operations, financial position and cash flows could be materially and
adversely affected.
The collection, maintenance, protection, use, transmission, disclosure and disposal of sensitive personal
information are regulated at the federal, state, international and industry levels and requirements are imposed on
us by contracts with customers. These laws, rules and requirements are subject to change. Compliance with new
privacy and security laws, regulations and requirements may result in increased operating costs, and may
constrain or require us to alter our business model or operations. For example, the HITECH amendments to
HIPAA imposed further restrictions on our ability to collect, disclose and use sensitive personal information and
imposed additional compliance requirements on our business. While we transitioned to ICD-10 as a HIPAA-
regulated entity, providers may use ICD-10 codes differently than they used ICD-9 codes in the past, which could
result in lost revenues under risk adjustment or increased medical costs for full-risk health insurance products.
Many of our businesses are also subject to the Payment Card Industry Data Security Standard, which is a
multifaceted security standard that is designed to protect credit card account data as mandated by payment card
industry entities.
HIPAA requires business associates as well as covered entities to comply with certain privacy and security
requirements. While we provide for appropriate protections through our contracts with our third-party service
providers and in certain cases assess their security controls, we have limited oversight or control over their
actions and practices. Several of our businesses act as business associates to their covered entity customers and,
as a result, collect, use, disclose and maintain sensitive personal information in order to provide services to these
customers. HHS has announced that it will continue its audit program to assess HIPAA compliance efforts by
covered entities and expand it to include business associates. An audit resulting in findings or allegations of
noncompliance could have a material adverse effect on our results of operations, financial position and cash
flows.
22