Risk Management User Group
Wednesday, February 5, 2003
Welcome
Michael L. Hay, CGFM, CPPM
Meeting Agenda
8:30 – 9:00 am – Welcome, Overview of SORM 200 Data
9:00 – 9:15 am – Legislative Overview
9:15 – 9:45 am – Business Continuity Management Update
9:45 – 10:15 am – Terrorism Insurance Act, Employee Dishonesty, and What’s Up Next
10:15 – 10:30 am – Break
Meeting Agenda
10:30 – 11:00 am – HIPAA
11:00 – 11:30 am – SORM 200 FY03 Data Entry, TWCC 1S & TWCC 6
11:30 – 11:45 am – FY03 Assessments
11:45 – 12:00 pm – Questions, Discussion
SORM 200 Data Overview
Michael L. Hay, CGFM, CPPM
SORM 200 Expenditures Summary
Category Risk Mgmnt. Expenditures Category %
F Salary & Wages $17,648,930 53.061%
G Benefits 5,052,092 15.189%
H Travel 436,891 1.313%
I Training & Education 177,078 0.532%
J Supplies & Consumables 755,820 2.272%
K Capital Outlay 1,112,161 3.344%
L Rentals & Leases 429,799 1.292%
M Telephones & Utilities 339,571 1.021%
N Other Operating Expenses 2,192,067 6.590%
O Safety Supplies & Equipment 442,853 1.331%
P Consultant Services & Fees 762,694 2.293%
Q Other Services 3,824,547 11.498%
R Other Fees, Taxes 87,174 0.262%
TOTALS $33,261,677 100%
Correlation of Risk Management Expenditures to Amount of Claims
Conclusion: There is a clear linear correlation between risk management expenditure and claims amount: the higher the claims amount, the higher the risk management expenditure.
Regression Plot: risk management expenditure (y) vs. claim amount (x)
risk management expenditure = 555714 + 0.733432 × claim amount
S = 220591   R-Sq = 99.6 %   R-Sq(adj) = 99.6 %
Correlation of Risk Management Expenditures to FTE’s
Conclusion: FTE count and risk management expenditure are positively correlated, close to but not perfectly linear: more FTEs, more risk management expenditure.
Regression Plot: FTE (y) vs. risk management expenditure (x)
FTE = 21.8095 + 0.0022222 × Risk Management Expenditure − 0.0000000 × (Risk Management Expenditure)^2
S = 615.625   R-Sq = 92.2 %   R-Sq(adj) = 92.1 %
Total Number of Claims Reported (Both Insured and Uninsured)
# of Claims
Automobile Physical Damage 129
Accident 4
Automobile Liability 285
Crime 8
Directors & Officers 16
Electronic Data 3
Employment Practices Liability 191
General Liability 397
Inland Marine 0
Property 70
Professional Liability 57
TOTAL 1160
SORM 200 FY02 Total Claims (pie chart, share of 1160 claims)
General Liability 35% (397)
Auto Liability 25% (285)
Employment Practices Liability 16% (191)
Automobile Physical Damage 11% (129)
Property 6% (70)
Professional Liability 5% (57)
Directors & Officers 1.37% (16)
Crime 0.7% (8)
Accident 0.34% (4)
Electronic Data 0.25% (3)
Inland Marine 0% (0)
Insured Claims
Demand Settlement Difference
Auto Physical Dmg. $0 $57,631 $57,631
Accident 0 26,527 26,527
Automobile Liability 2,625 93,794 91,169
Crime 0 0 0
Directors & Officers 130 3,040 2,910
Electronic Data 12,345 0 -12,345
Employment Practices Liability 4,001,352 391 -4,000,961
General Liability 100,167,946 7,007 -100,160,939
Inland Marine 0 0 0
Property 84,955 609,962 525,007
Professional Liability 0 362,403 362,403
TOTAL $104,269,353 $1,160,755 -$103,108,598
Insured Claims – Demand Amounts (pie chart)
General Liability 96.0665%
Employment Practices Liability 3.8375%
Property 0.0815%
Electronic Data 0.0118%
Auto Liability 0.0025%
Directors & Officers 0.0001%
Insured Claims – Settlement Amounts (pie chart)
Property 53% ($609,962)
Professional Liability 31% ($362,403)
Auto Liability 8.1% ($93,794)
Automobile Physical Damage 5% ($57,631)
Accident 2.29% ($26,527)
General Liability 0.6% ($7,007)
Directors & Officers 0.26% ($3,040)
Employment Practices Liability 0.034% ($391)
Uninsured Claims
Demand Settlement Difference
Auto Physical Dmg. $161,268 $0 -$161,268
Accident 0 0 0
Automobile Liability 1,524,339 795,473 -728,866
Crime 0 0 0
Directors & Officers 20,000,000 234 -19,999,766
Electronic Data 0 18,561 18,561
Employment Practices Liability 25,800,000 1,131,779 -24,668,221
General Liability 159,126,564 669,366 -158,457,198
Inland Marine 0 0 0
Property 0 111,005 111,005
Professional Liability 0 1,649 1,649
TOTAL $206,612,171 $2,728,067 -$203,884,104
Uninsured Claims – Demand Amounts (pie chart)
General Liability 77.0% ($159,126,564)
Employment Practices Liability 12.5% ($25,800,000)
Directors & Officers 9.7% ($20,000,000)
Auto Liability 0.7% ($1,524,339)
Automobile Physical Damage 0.1% ($161,268)
Uninsured Claims – Settlement Amounts (pie chart)
Employment Practices Liability 41% ($1,131,779)
Auto Liability 29% ($795,473)
General Liability 25% ($669,366)
Property 4% ($111,005)
Electronic Data 0.68% ($18,561)
Professional Liability 0.06% ($1,649)
Directors & Officers 0.01% ($234)
Legislative Overview
Lucinda Saxon
Business Continuity Management Update
Todd Roberts, CBCP
Roger Thormahlen, CIC
Business Continuity Management
Business Continuity Management (BCM) is a comprehensive, integrated, and enterprise-wide process to ensure the continued availability of time-sensitive and critical services, prevent or limit injury to personnel, as well as damage to structures and equipment.
Business Continuity Planning (BCP) is the actual ten-step ‘best practices’ model for advanced planning and preparation.
Is Business Continuity the same as Disaster Recovery?
Answer = NO
Disaster Recovery focuses on the ability to recover the IT infrastructure, applications, and the data network in the event of a catastrophic loss or damage to this infrastructure.
Business Continuity focuses on the coordination and development of acceptable overall recovery strategies, creating and implementing individual departmental planning and testing, as well as risk mitigation and crisis management. Disaster Recovery is just a part, albeit a critical part, of a Business Continuity Management Program.
Purpose of BCM
1. Develop a process to identify and categorize known risk and associated recovery objectives and to maintain a “minimal level of acceptable service” for the organization across all levels:
   Business functions
   Facilities
   Voice/data network infrastructure
   Operations support and associated applications
2. Develop “availability standards” and RTO (recovery time objectives) for business continuity plans and alternate recovery solutions for all business functions and facilities
3. Identify the appropriate resource/risk ratio
4. Mitigate or minimize business interruptions to agencies, customers, systems and associates
5. Minimize duration of disruptions to business functions when they occur
Why Plan and Why SORM?
Good Business Practice
SORM’s Mission Statement – “SORM will provide active leadership to enable State of Texas Agencies to protect their employees, the general public, and the state’s physical and financial assets by reducing and controlling risk in the most efficient and cost-effective manner.”
TAC Title 1, Part 10, Chapter 202, Rule 202.6 Business Continuity Planning
(a) Business Continuity Planning covers all business functions of an agency and it is a business management responsibility. Agencies should maintain a written Business Continuity Plan so that the effects of a disaster will be minimized, and the agency will be able to either maintain or quickly resume mission-critical functions.
Planning Benefits
Execute a planned and timely response to any loss or interruption of business functions.
Ensure continuous availability and/or total recovery of critical business activities.
Validate current disaster recovery and restoration efforts of IT resources.
Contribute additional information for strategic future planning in business continuity and disaster recovery.
Significantly increase our ability to continue operations efficiently, thereby reducing liabilities and meeting the expectations of customers.
Scope of Planning Effort
Planning for events of limited duration includes:
1. Loss of the department or facility (worst case scenario)
2. Weather-related outages
3. Loss of:
   Data center
   Systems
   Telecommunications
   Agency mail or distribution centers
   Other technology outages
SORM’s BCM Goals
Create BCP awareness at the agency level
Provide BCM standards and guidelines using BCP “Best Practices”
Assist all agencies in the development and testing of BCP
All State agencies have a BCP plan in place by the end of calendar year 2004.
Where We are Today
Combined effort of DIR and SORM: State Agency Disaster Recovery Work Group
Evaluated and selected planning software for agencies interested in a common look and feel.
Completed “State of the State” survey
SORM Risk Managers are asking to see plans to heighten awareness
Developing BCP guidelines and procedures document to be used as a standard in the future.
Business Continuity: “A Shared Responsibility”
SORM’s Responsibilities
Development of BCP standards and procedures using “Best Practices” methodology
Assist agencies with BIA, Risk Analysis, and/or Risk Assessment
Assist with Education and Awareness
Assist in plan development and testing
Periodic review of plans and enhancement recommendations
Share information and expertise with agencies.
SORM’s Resources
BCP Generator Software
Risk Managers
Two dedicated BCM associates
Participants in the State Agency Disaster Recovery Work Group
BCP Software: What to Look For
A hypertexted template based on Microsoft Word
Asks logical & sequential questions
Easy to use
Inexpensive
Agency’s Responsibilities
Conduct a BIA to identify critical functions, processes, and requirements
Identify critical dependencies (including people, resources, skills and knowledge)
Identify RTO (recovery time objectives)
Select the proper balance between risk and expense
BCP integration
Create and maintain plan
Plan testing and follow-up
Share information and expertise with other agencies.
Recap
Disaster recovery is not BCP … just one piece
A shared responsibility between agency and SORM
SORM’s resources available to agencies
BCP roadmap – planning tool
Recap (cont.)
SORM contacts:
Todd Roberts (512) 936-1528, [email protected]
Roger Thormahlen (512) 936-2944
Break Time!
See you at 10:30!
Insurance
Terrorism Insurance Act
Employee Dishonesty
What’s Up Next
Sally Becker, CPCU, ARM
Terrorism Risk Insurance Act of 2002
Officially signed into Federal Law on November 26, 2002
Goals of the Act
To ensure the availability of commercial property and casualty insurance coverage for losses resulting from certain acts of terrorism through 2005.
To allow for a transitional period for the private insurance markets to stabilize, resume pricing of such insurance, and build capacity to absorb any future losses.
Acts of Terrorism - Definition
An “ACT OF TERRORISM” means any act that is certified by the Secretary of Treasury, in concurrence with the Secretary of State and the Attorney General, to be:
A violent act or an act that is dangerous to human life, property, or infrastructure;
To have resulted in damage in the US, or outside the US in the case of an air carrier or vessel or the premises of a US mission; and
To have been committed by an individual or individuals acting on behalf of any foreign person or foreign interest as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the U.S. Government by coercion.
Not Covered By the Act
An act or event that is committed in the course of war declared by Congress
Domestic Terrorism acts
Losses under $5 million dollars, per act
Excluded Lines
Life and health
Medical Malpractice
Flood
Personal Line policies
Crop insurance
Mandatory Involvement of Insurers
During the period beginning on the 1st day of the Transition Period and ending on the last day of 2005, each eligible insurer shall:
Participate in the program
Make terrorism coverage available in all of its property and casualty policies
Note: Terrorism coverage can not differ materially from the terms, conditions, amounts, and coverage limitations of other provisions.
Effects of the Act
Any provision of a contract for commercial property and casualty insurance that is in force on the date of enactment, which excludes losses resulting from acts of terrorism shall be “VOID”
Requirements of Insurers
For Policies currently in force: Notification must be sent to insureds within 90 days of the enactment (11/26/02) advising of the cost of the terrorism coverage.
For Policies issued during or after the 90 day period: A separate line item identifying terrorism coverage must be included at time of offer, purchase or renewal.
Reinstatement of the Terrorism Exclusion
An insurer may reinstate the terrorism provision only if:
The covered entity provides written notice declining the coverage, or
The covered entity fails to pay any increased premium charge within 30 days of notice
Your Exposure
Terrorism insurance should be considered just like any other line of insurance or peril.
Evaluate potential loss exposure in relation to the likelihood of a terrorist act.
Exposure (cont’d)
Questions to ask yourself:
Does our agency need this insurance?
Is our agency an obvious terrorist target?
What is our proximity to terrorist targets?
Is our agency close to a critical infrastructure?
Exposure (cont’d)
Is there a HIGH or LOW risk?
The cost of the insurance must be weighed against the cost of risk.
SORM’s Involvement
Because each agency has unique terrorist exposures based on its location in the state and its particular operations, the State Office of Risk Management will not make the business decision to purchase or not.
However, SORM will assist in evaluating and analyzing the exposure and costs.
EMPLOYEE DISHONESTY
Definitions
Employee Dishonesty is the unlawful taking of money, securities and other property by an employee.
Employee is any person compensated to perform services for you; temporarily furnished to you; or trustee, officer and administrator.
Money means currency, coins, bank notes, travelers checks, money orders and register checks.
EMPLOYEE DISHONESTY
Definitions cont’d
Securities means negotiable and nonnegotiable instruments or contracts representing money or property.
Other Property means tangible property other than money or securities that has intrinsic value.
EMPLOYEE DISHONESTY
Protects an employer from financial loss due to fraudulent activities of one or more employees
Committed with the manifest intent:
To cause the employer to sustain a loss
To obtain financial benefit for the employee or another person or entity
EMPLOYEE DISHONESTY
Public Employees – Special forms
“O” means occurrence: loss caused by or involving one or more employees whether resulting from a single act or a series of acts
“P” means employee: loss up to the limit caused by each employee whether resulting from a single act or a series of acts.
EMPLOYEE DISHONESTY
Exclusions
Employee cancelled under prior insurance
Inventory shortages
Treasurer or Tax Collector
EMPLOYEE DISHONESTY
State Agencies – 28
Limits range from $5,000 to $5,000,000
Deductibles range from $0 to $10,000
Several different forms
Total Premium – $45,380
Per survey conducted Fall 2002
Next Step
Prepare Request for Information or Proposal
Information: interested markets, program description, underwriting criteria
Proposal: designed program, detailed terms and conditions, premiums
What’s Up Next
Automobile Liability
Health Insurance Portability and Accountability Act
Texas Department of Health
HIPAA Project Management Office
February 2003
HIPAA Overview
Remember it’s one “P” … and two “A”s: Health Insurance Portability and Accountability Act
What is HIPAA?
Health Insurance Portability & Accountability Act of 1996 (HIPAA) passed by Congress.
HIPAA’s Major Purpose
Protect and Enhance the Rights of Healthcare Consumers
Improve the Quality of Healthcare in the US
Improve the Efficiency and Effectiveness of Healthcare Delivery
HIPAA’s Four Parts
Transaction & Code Set Standards (referred to as Electronic Data Interchange – EDI)
Privacy
Security
National Identifiers
HIPAA Compliance Due Dates
Privacy – Implement by 04/14/2003
Transaction & Code Set Standards – Implement by 10/16/2003 (extension date)
Security – Pending, anticipate 02/2003
National Identifiers – Pending
HIPAA Compliance Challenges
Compliance will cause many changes in systems, policies and procedures.
HIPAA compliance is not a one-time event – standards are intended to be dynamic in order to meet evolving needs
No Budget established!
Covered Entities – (Transactions & Privacy)
Health Plans
Health Care Clearinghouses
Health Care Providers who transmit any health information in electronic form in connection with a covered transaction
Their Business Associates (anyone who does work for you or on your behalf)
Health Plans
Group health plans
Health insurance issuers
HMOs
Medicare & Medicare + Choice
Medicaid
Medicare supplemental policies
Long-term care policies
CHAMPUS & other military plans
Indian Health Service Plan
FEHBP (federal employee health plan)
State Child Health Plan
Catch All – any plan that provides or pays for medical care
Health Care Clearinghouse
An entity that does either of the following:
1. Processes health information received from another entity in a non-standard format into a standard format
2. Processes health information received in a standard format into a non-standard format
Health Care Provider
A “provider of services” as defined by the Social Security Act (SSA)
A provider of “medical and other health services” as defined by the SSA
Catch-all - any other person or organization who furnishes, bills or is paid for health care in the normal course of business
Providers of Services (as defined by the SSA)
Hospitals
Critical access hospitals
Skilled nursing facilities
Comprehensive outpatient rehabilitation facilities
Home health agencies
Hospices
Provider of medical and other health services
Any entity that provides physician services
Services and supplies incidental to a physician’s services
Certain diagnostic and screening services
Durable Medical Equipment
Other miscellaneous services
Health Care is defined as
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition or functional status of an individual, or that affects the structure or function of the body
Health Care definition, continued
The sale or dispensing of a drug, device, equipment or other item in accordance with a prescription
TDH is a Hybrid-Covered Entity
TDH is considered a “hybrid-covered entity” by HIPAA definitions, which means that there are certain TDH business functions that must comply with HIPAA EDI standards, while other functions are exempt.
TDH has documented the parts of the agency function that must comply with HIPAA and those that do not.
What Are the HIPAA (EDI) Transaction Designations?
270 = Eligibility Inquiry
271 = Eligibility Inquiry Response
276 = Claim Status Inquiry
277 = Claim Status Inquiry Response
278 = Authorization Request and Authorization Response
820 = Health Insurance Premium Payment
834 = Beneficiary Enrollment
835 = Remittance / Payment
837 = Claim or Encounter
HIPAA Transactions
HIPAA IT Systems Scope – TDH Central Billing System (diagram; Interview: n/a; Modified: 01/29/2003)
Diagram summary: data flows between the TDH Central Billing System (CBS) clearinghouse and TDH programs (WIC Outreach, State Health Policy, CSHCN, PACT, Kidney Health / Automated Kidney Information Tracking System (ASKIT), IMMBILL System, ICES, HIV/STD Health Resources (RAFA), Budget & Revenue, Women’s Health Lab, Central Office Laboratories, Local Health Departments, TDH Providers, WIC WIN, SDI) and external systems (NHIC Compass21 System, MCOs, DHS SAVERR, HealthLynx Software, DH and MT Medicaid eligibility information files, DNS:NIGHT, DNS:BLUETIP). Flows shown: Medicaid claims (X12 837), claim status (X12 277, matched to the X12 837 claim), health care payment (X12 835, including a special-format X12 835 information file, plus paper R&S and checks), functional acknowledgement (X12 997), Medicaid eligibility inquiries (local codes), client Medicaid eligibility matches and dumps, paper claims (HCFA 1500 & UB92), billing status reports (paper), encounter and immunization encounter information, revenue reporting from on-line access, and specimens sent to Cytology. All health care payment information is tagged as TDH regardless of submission path. If a line is dotted, the process is currently a non-EDI process.
Types of Covered Transactions (diagram legend)
Health Claims and Equivalent Encounter Information – 837
Enrollment and Disenrollment in a Health Plan – 834
Eligibility Inquiry/Response for a Health Plan – ASC X12N 270 / X12 271
Health Care Payment/Remittance Advice – 835
Health Plan Premium Payments – 820
Health Claim Status Request – 276 / Notification – 277
Referral Certification and Authorization – 278
Coordination of Benefits Institutional – 837
Privacy Related Information
HIPAA Transaction (EDI) Standards
Standards: ANSI ASC X12 version 4010 for most transactions
HIPAA Code Sets
HIPAA specifies national code sets to be used for:
Diagnoses – ICD-9
Procedures – CPT-4, CDT
Supplies – HCPCS
HIPAA specifies administrative code sets for use in conjunction with certain transactions
HIPAA eliminates state-specific local codes
Privacy Rule Basics
Privacy rule relates to “protected health information” (PHI).
Protected health information is:
Individually identifiable
Related to physical or mental health care or condition
Privacy Rule Basics
A state law (Health and Safety Code, Chapter 181) extends most of the federal HIPAA privacy regulations to anyone in Texas who comes into possession of “protected health information.”
Privacy Rule Basics
Gives individuals certain rights regarding their own health information.
Requires covered entities to implement policies and procedures related to maintaining the privacy of individually identifiable health information.
Rights of Individuals
Receive “Privacy Notice”
Access certain PHI about themselves
Request to amend certain PHI about themselves
Request restrictions on uses and disclosures
Grant or withdraw permission for special uses and disclosures
Request PHI in alternate format or location
Receive a list of certain disclosures for past 6 yrs.
File a complaint
Privacy Policies and Procedures
Provide reasonable safeguards for PHI: lock files, log out of computer applications, check fax machines frequently, etc.
Limit uses and disclosures of PHI to the minimum necessary.
Obtain authorization from clients for non-routine uses and disclosures (research, marketing, etc.).
Privacy Policies and Procedures
De-identify statistical health data before disclosure to the public, using very stringent standards for de-identification.
Ensure that employees receive privacy training as needed.
Maintain documentation: client authorizations, denials of client requests, training records, policies and procedures, etc.
TDH’s Approach to HIPAA
A coordinated, unified effort spanning across the entire agency
and …
…in collaboration with HHSC
Texas HIPAA Enterprise Structure (org chart)
Executive Steering Committee, over four agency HIPAA project offices, each supported by Policy Analysts, Stakeholders and IT Staff:
TX Department of Health – Mary Jane Berry, Project Manager; HIPAA Program Management Office, Cathy Lorenzen, Director
TX Department of Human Services – Lena Brown Owens, Project Manager
TX Department of Mental Health & Mental Retardation – Frances Kendall, Project Manager
TX Health and Human Services Commission – Akin Ogunrinade, Project Manager
INTERAGENCY WORKGROUPS (all stakeholder participation): Transaction Sets, Unique Identifiers, Legal, Privacy and Security
Steps to HIPAA Compliance for EDI and Privacy
Follow Project Management Guidelines
Assessment – Identify covered entities within TDH
Fit Gap Analysis – Identify gaps to be closed
Compliance Plan – Outline business process improvements & systems remediation needs & costs for executive approval
Remediation/Testing activities for electronic data interchange (EDI)
Provider Outreach – Coordinate with business partners on changes in business practices, systems and contracts
Train staff
Implement by Compliance Dates
TDH Status
Transactions (EDI) – Assessment on 204 TDH programs as potential covered entities. Gap Analysis completed on HIPAA covered programs. Remediation and provider outreach activities underway.
Privacy – Assessments completed; all TDH programs are covered by HIPAA Privacy or TX SB 11
Security – Assessment of TDH network completed. Final rules pending, anticipate February 2003
National Identifiers – Final rules pending, on indefinite hold
TDH HIPAA Project Office
TDH Executive Sponsor – Ben Delgado
TDH Project Director – Judy Sandberg
TDH Project Manager– Mary Jane [email protected]
TDH Privacy Officer – John [email protected]
HIPAA Web sites
www.hhsc.state.tx.us – Health and Human Services Commission
www.tdh.state.tx.us – Texas Department of Health
www.ama-assn.org – American Medical Association
www.dhhs.gov – Dept. of Health & Human Services
www.cms.gov – Centers for Medicare & Medicaid
www.dhhs.gov/ocr – Office of Civil Rights
aspe.hhs.gov/admnsimp – Administrative Simplification Regulations for HIPAA Legislation
Online Reporting System
SORM 200 FY03 Data Entry
TWCC 1S
TWCC 6
Ralph Hutchins, MBA
- 374 Agency Representatives are now registered
- Representing 177 agencies
Currently available
Agency Reports on Workers’ Compensation Claims
Online Property and Casualty Claims Reporting
Work in Progress
TWCC1S On-line – currently in acceptance testing after back-end redesign
TWCC6 On-line – currently in development
FY03 Assessments
Stuart B. Cargile
Questions?
Discussion
General Discussion
Comments
Items for Next Meeting
Feedback Form
Please complete the survey form at the end of your packet and turn it in before you leave.
We value your comments.
Risk Management User Group
Thank you for attending.
See you on April 30th
in the Travis Building!