Health Net 2014 Annual Report Download - page 22

  • entering into written agreements with those entities that provide services to or on behalf of a Covered Entity and use, disclose, transmit, or maintain PHI in connection with these services (known as “Business Associates”), and
  • notifying individuals and regulatory authorities (and in some cases, the media) if PHI is compromised.
These regulations also establish significant criminal penalties and civil sanctions for non-compliance. These requirements have evolved over time through the enactment and subsequent implementation of the HITECH Act (which enhanced enforcement, set additional limitations on the use and disclosure of PHI, and imposed additional potential penalties for non-compliance) and the Genetic Information Nondiscrimination Act of 2008 (“GINA”) (which clarified that genetic information is protected under the HIPAA Privacy Rule and prohibited most health plans from using or disclosing genetic information for underwriting purposes).
Most recently, on January 17, 2013, HHS issued a final rule (“Omnibus rule”) that strengthened the privacy and security protections for PHI by modifying the HIPAA Privacy, Security, and Enforcement Rules and implementing statutory amendments required by the HITECH Act and GINA. For example, the Omnibus rule enhances an individual’s privacy protections, provides individuals new rights with respect to their PHI, strengthens the government’s ability to enforce the HIPAA Rules, sets limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s health information without their permission. In addition, the Omnibus rule expanded the definition of which entities must be classified as a Business Associate and imposed on Business Associates many of the same privacy and security standards for protecting PHI that apply to Covered Entities. The final Omnibus Rule was effective on March 26, 2013. See “Item 1A. Risk Factors—We must comply with requirements relating to patient privacy and information security, including requiring through contract that business associates that handle certain information on our behalf comply with relevant privacy and security requirements, including, but not limited to HIPAA” and “—We must comply with requirements relating to patient privacy and information security, including requiring through contract that business associates that handle certain information on our behalf comply with relevant privacy and security requirements, including, but not limited to HIPAA” for additional information about the risks related to privacy and security breaches.
The Gramm-Leach-Bliley Act generally requires insurers to provide customers with notice regarding how their personal health and financial information is used and, in certain circumstances, gives customers the opportunity to “opt out” of having their information shared with non-affiliated third parties. Like HIPAA, this law sets a “floor” standard, allowing states to adopt more stringent requirements governing privacy protection. In addition, we process and maintain personal card data, particularly in connection with our individual exchange business. As a result, we are subject to the requirements under the Payment Card Industry (“PCI”) Data Security Standard, which is a multifaceted security standard that is designed to protect credit card account data as mandated by payment card industry entities.
Other state and federal laws and regulations, including some of the laws noted above, impose privacy and security requirements similar to those of the HIPAA Rules and the Gramm-Leach-Bliley Act.
ERISA. Many employee benefit plans are governed by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). Employment-sponsored health coverage generally is such an employee benefit plan. ERISA is administered and regulated, in large part, by the U.S. Department of Labor. ERISA contains disclosure requirements for documents that define benefits and coverage, among other requirements. ERISA also provides that, in certain instances, federal law will preempt state law in the regulation and governance of certain benefit plans and employer groups, including the availability of legal remedies under state law. Regulations established by the U.S. Department of Labor provide additional rules for claims payment and member appeals under health care plans governed by ERISA.
Other Federal Regulations. We must comply with, and are affected by, laws and regulations relating to the award, administration and performance of U.S. Government contracts. Government contract laws and regulations affect how we do business with our customers and, in some instances, impose added costs on our business. In addition, because of our activities to support our MFLC contract and certain outsourcing arrangements we have with third party vendors, for example, we are also subject to the U.S. Foreign Corrupt Practices Act (“FCPA”) and similar worldwide anti-corruption laws, including the U.K. Bribery Act of 2010, which generally prohibit companies and their intermediaries from making improper payments to non-U.S. officials for the purpose of obtaining or retaining business. A violation of specific laws and regulations by us or our agents could result in, among other things, the imposition of fines and penalties on us, changes to our business practices, the termination of our contracts or debarment from bidding on contracts. See “—Segment Information—Government Contracts Segment—Other Department of Defense Contracts” for additional information on our MFLC contract and “Item 1A. Risk Factors—We are subject to risks associated with outsourcing services and functions to third parties” for additional information on our outsourcing activities.