Health Net 2015 Annual Report Download - page 20

Medicaid is administered at the federal level by CMS. The dual eligibles demonstrations under the CCI are regulated
and administered in Los Angeles and San Diego counties by CMS and DHCS.
See the discussion above under the heading “—Western Region Operations Segment—Medicaid Expansion and
Recent State Legislation,” “—Western Region Operations Segment—California Coordinated Care Initiative,” and “Item
1A. Risk Factors—Government programs represent an increasing share of our revenues. If we are unable to effectively
administer these programs, if we do not effectively adapt to changes to these programs, or if we experience a significant
reduction in revenues from these government programs, it could have a material adverse effect on our business,
financial condition or results of operations.”
Privacy Regulations. State, federal, and local laws and regulations govern the privacy and security of Protected
Health Information (“PHI”), Personal Information (“PI”), and other categories of legally protected data that our
businesses handle. Such laws and regulations include, but are not limited to: the Health Insurance Portability and
Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009
(“HITECH Act”) along with implementing regulations for both (collectively, “HIPAA Rules”); the Federal Trade
Commission Act; the privacy provisions in the federal Gramm-Leach-Bliley Financial Modernization Act of 1999 (the
“Gramm-Leach-Bliley Act”); state privacy and security laws such as the California Confidentiality of Medical
Information Act, the California Online Privacy Protection Act, and state laws that specifically regulate the use and
disclosure of social security numbers; and state breach notification laws that require providing notification in the event
of a breach of PI (such as Cal. Code § 1798.82). Privacy and security laws and regulations often change due to new or
amended legislation, regulations or administrative interpretation. A variety of state and federal regulators enforce these
laws, including but not limited to HHS, the Federal Trade Commission, state attorneys general, and other state
regulators.
The HIPAA Rules impose privacy and security obligations regarding PHI on Covered Entities (which refers to
certain health plans, health care clearinghouses and providers) including but not limited to:
  • complying with various requirements and restrictions related to the use, storage and disclosure of PHI,
  • implementing internal policies and procedures to maintain the privacy and security of PHI,
  • entering into written agreements with those entities that provide services to or on behalf of a Covered Entity and use, disclose, transmit, or maintain PHI in connection with these services (known as “Business Associates”), and
  • notifying individuals and regulatory authorities (and in some cases, the media) if PHI is compromised.
These regulations also establish significant criminal penalties and civil sanctions for non-compliance. These
requirements have evolved over time through the enactment and subsequent implementation of the HITECH Act (which
enhanced enforcement, set additional limitations on the use and disclosure of PHI, and imposed additional potential
penalties for non-compliance) and the Genetic Information Nondiscrimination Act of 2008 (“GINA”) (which clarified
that genetic information is protected under the HIPAA Privacy Rule and prohibited most health plans from using or
disclosing genetic information for underwriting purposes).
On January 17, 2013, HHS issued a final rule (“Omnibus rule”) that strengthened the privacy and security
protections for PHI by modifying the HIPAA Privacy, Security, and Enforcement Rules and implementing statutory
amendments required by the HITECH Act and GINA. For example, the Omnibus rule enhances an individual’s privacy
protections, provides individuals new rights with respect to their PHI, strengthens the government’s ability to enforce
the HIPAA Rules, sets limits on how information is used and disclosed for marketing and fundraising purposes, and
prohibits the sale of an individual’s health information without their permission. In addition, the Omnibus rule
expanded the definition of which entities must be classified as a Business Associate and imposed on Business
Associates many of the same privacy and security standards for protecting PHI that apply to Covered Entities. The final
Omnibus Rule was effective on March 26, 2013. See “Item 1A. Risk Factors—We must comply with requirements
relating to patient privacy and information security, including requiring through contract that business associates that
handle certain information on our behalf comply with relevant privacy and security requirements, including, but not
limited to HIPAA” and “—We must comply with requirements relating to patient privacy and information security,
including requiring through contract that business associates that handle certain information on our behalf comply with
relevant privacy and security requirements, including, but not limited to HIPAA” for additional information about the
risks related to privacy and security breaches.
The Gramm-Leach-Bliley Act generally requires insurers to provide customers with notice regarding how their
personal health and financial information is used and, in certain circumstances, gives customers the opportunity to “opt
out” of having their information shared with non-affiliated third parties. Like HIPAA, this law sets a “floor” standard,