Meeting Agenda
8:30 – 9:00 am – Welcome, Overview of SORM 200 Data
9:00 – 9:15 am – Legislative Overview
9:15 – 9:45 am – Business Continuity Management Update
9:45 – 10:15 am – Terrorism Insurance Act, Employee Dishonesty, and What's Up Next
10:15 – 10:30 am – Break
10:30 – 11:00 am – HIPAA
11:00 – 11:30 am – SORM 200 FY03 Data Entry, TWCC 1S & TWCC 6
11:30 – 11:45 am – FY03 Assessments
11:45 am – 12:00 pm – Questions, Discussion
SORM 200 Data Overview Michael L. Hay, CGFM, CPPM
Correlation of Risk Management Expenditures to Amount of Claims
Conclusion: risk management expenditure and claims amount show a clear positive, approximately linear correlation: the higher the claims amount, the higher the risk management expenditure.
Correlation of Risk Management Expenditures to FTEs
Conclusion: FTE count and risk management expenditure are positively correlated, close to linear but not perfectly so: the more FTEs an agency has, the more it spends on risk management.
Total Number of Claims Reported (Both Insured and Uninsured)
Line of coverage                 # of Claims
Automobile Physical Damage              129
Accident                                  4
Automobile Liability                    285
Crime                                     8
Directors & Officers                     16
Electronic Data                           3
Employment Practices Liability          191
General Liability                       397
Inland Marine                             0
Property                                 70
Professional Liability                   57
TOTAL                                  1160
Business Continuity Management Update Todd Roberts, CBCP Roger Thormahlen, CIC
Business Continuity Management
Business Continuity Management (BCM) is a comprehensive, integrated, enterprise-wide process to ensure the continued availability of time-sensitive and critical services and to prevent or limit injury to personnel and damage to structures and equipment. Business Continuity Planning (BCP) is the 10-step, best-practices model used for the advance planning and preparation itself.
Is Business Continuity the same as Disaster Recovery? Answer: No.
Disaster Recovery focuses on the ability to recover the IT infrastructure, applications, and the data network in the event of catastrophic loss of or damage to that infrastructure.
Business Continuity focuses on the coordination and development of acceptable overall recovery strategies, creating and implementing individual departmental planning and testing, as well as risk mitigation and crisis management.
Disaster Recovery is just a part, albeit a critical part, of a Business Continuity Management Program.
Purpose of BCM
1. Develop a process to identify and categorize known risks and associated recovery objectives, and to maintain a minimal level of acceptable service for the organization across all levels:
   Business functions
   Facilities
   Voice/data network infrastructure
   Operations support and associated applications
2. Develop availability standards and recovery time objectives (RTOs) for business continuity plans and alternate recovery solutions for all business functions and facilities
3. Identify the appropriate resource/risk ratio
4. Mitigate or minimize business interruptions to agencies, customers, systems and associates
5. Minimize the duration of disruptions to business functions when they occur
Why Plan and Why SORM?
Good business practice.
SORM's Mission Statement: SORM will provide active leadership to enable State of Texas agencies to protect their employees, the general public, and the state's physical and financial assets by reducing and controlling risk in the most efficient and cost-effective manner.
TAC Title 1, Part 10, Chapter 202, Rule 202.6, Business Continuity Planning: (a) Business Continuity Planning covers all business functions of an agency and is a business management responsibility. Agencies should maintain a written Business Continuity Plan so that the effects of a disaster will be minimized and the agency will be able to either maintain or quickly resume mission-critical functions.
Planning Benefits
Execute a planned and timely response to any loss or interruption of business functions.
Ensure continuous availability and/or total recovery of critical business activities.
Validate current disaster recovery and restoration efforts for IT resources.
Contribute additional information for strategic future planning in business continuity and disaster recovery.
Significantly increase our ability to continue operations efficiently, thereby reducing liabilities and meeting the expectations of customers.
Scope of Planning Effort
Planning for events of limited duration includes:
1. Loss of the department or facility (worst-case scenario)
2. Weather-related outages
3. Loss of:
   Data center
   Systems
   Telecommunications
   Agency mail or distribution centers
   Other technology outages
SORM's BCM Goals
Create BCP awareness at the agency level
Provide BCM standards and guidelines using BCP best practices
Assist all agencies in the development and testing of BCPs
All state agencies have a BCP in place by the end of calendar year 2004
Where We Are Today
Combined effort of DIR and SORM
State Agency Disaster Recovery Work Group
Evaluated and selected planning software for agencies interested in a common look and feel
Completed State of the State survey
SORM Risk Managers are asking to see plans to heighten awareness
Developing a BCP guidelines and procedures document to be used as a standard in the future
SORM's Responsibilities
Development of BCP standards and procedures using a best-practices methodology
Assist agencies with BIA, risk analysis, and/or risk assessment
Assist with education and awareness
Assist in plan development and testing
Periodic review of plans and enhancement recommendations
Share information and expertise with agencies
SORM's Resources
BCP Generator software
Risk Managers
Two dedicated BCM associates
Participants in the State Agency Disaster Recovery Work Group
BCP Software: What to Look For
A hypertext template based on Microsoft Word
Asks logical and sequential questions
Easy to use
Inexpensive
Agency's Responsibilities
Conduct a BIA to identify critical functions, processes, and requirements
Identify critical dependencies (including people, resources, skills and knowledge)
Identify recovery time objectives (RTOs)
Select the proper balance between risk and expense
BCP integration
Create and maintain the plan
Plan testing and follow-up
Share information and expertise with other agencies
Recap
Disaster recovery is not BCP; it is just one piece
A shared responsibility between the agency and SORM
SORM's resources are available to agencies
BCP roadmap/planning tool
Recap (cont.)
SORM contacts:
Todd Roberts (512) 936-1528 firstname.lastname@example.org
Roger Thormahlen (512) 936-2944 email@example.com
Insurance: Terrorism Insurance Act, Employee Dishonesty, What's Up Next
Sally Becker, CPCU, ARM
Terrorism Risk Insurance Act of 2002 Officially signed into Federal Law on November 26, 2002
Goals of the Act
To ensure the availability of commercial property and casualty insurance coverage for losses resulting from certain acts of terrorism through 2005.
To allow for a transitional period for the private insurance markets to stabilize, resume pricing of such insurance, and build capacity to absorb any future losses.
Acts of Terrorism - Definition
An "act of terrorism" means any act that is certified by the Secretary of the Treasury, in concurrence with the Secretary of State and the Attorney General, to be:
A violent act or an act that is dangerous to human life, property, or infrastructure;
To have resulted in damage within the United States, or outside the United States in the case of a U.S. air carrier or vessel or the premises of a United States mission; and
To have been committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.
Not Covered By the Act
An act or event that is committed in the course of a war declared by Congress
Domestic terrorism acts
Losses under $5 million per act
Excluded Lines
Life and health
Medical malpractice
Flood
Personal lines policies
Crop insurance
Mandatory Involvement of Insurers
During the period beginning on the first day of the Transition Period and ending on the last day of 2005, each eligible insurer shall:
Participate in the program
Make terrorism coverage available in all of its property and casualty policies
Note: Terrorism coverage cannot differ materially from the terms, conditions, amounts, and coverage limitations of the policy's other provisions.
Effects of the Act Any provision of a contract for commercial property and casualty insurance that is in force on the date of enactment, which excludes losses resulting from acts of terrorism shall be VOID
Requirements of Insurers
For policies currently in force: notification must be sent to insureds within 90 days of enactment (11/26/02) advising them of the cost of the terrorism coverage.
For policies issued during or after the 90-day period: a separate line item identifying terrorism coverage must be included at the time of offer, purchase or renewal.
Reinstatement of the Terrorism Exclusion
An insurer may reinstate the terrorism exclusion only if:
The covered entity provides written notice declining the coverage, or
The covered entity fails to pay any increased premium charge within 30 days of notice
Your Exposure Terrorism insurance should be considered just like any other line of insurance or peril. Evaluate potential loss exposure in relation to the likelihood of a terrorist act.
Exposure (cont'd)
Questions to ask yourself:
Does our agency need this insurance?
Is our agency an obvious terrorist target?
What is our proximity to potential terrorist targets?
Is our agency close to critical infrastructure?
Exposure (cont'd)
Is the risk HIGH or LOW? The cost of the insurance must be weighed against the cost of the risk.
SORM's Involvement
Because each agency has unique terrorism exposures based on its location in the state and its particular operations, the State Office of Risk Management will not make the business decision on whether to purchase. However, SORM will assist in evaluating and analyzing the exposure and costs.
EMPLOYEE DISHONESTY - Definitions
Employee Dishonesty is the unlawful taking of money, securities and other property by an employee.
Employee is any person compensated to perform services for you; temporarily furnished to you; or a trustee, officer or administrator.
Money means currency, coins, bank notes, traveler's checks, money orders and register checks.
EMPLOYEE DISHONESTY - Definitions (cont'd)
Securities means negotiable and non-negotiable instruments or contracts representing money or property.
Other Property means tangible property other than money or securities that has intrinsic value.
EMPLOYEE DISHONESTY
Protects an employer from financial loss due to fraudulent activities of one or more employees, committed with the manifest intent:
To cause the employer to sustain a loss, and
To obtain financial benefit for the employee or another person or entity
EMPLOYEE DISHONESTY - Public Employees, Special Forms
Form O (occurrence): covers loss caused by or involving one or more employees, whether resulting from a single act or a series of acts, up to the limit per occurrence.
Form P (per employee): covers loss up to the limit for each employee, whether resulting from a single act or a series of acts.
EMPLOYEE DISHONESTY - Exclusions
Employee cancelled under prior insurance
Inventory shortages
Treasurer or Tax Collector
EMPLOYEE DISHONESTY - State Agencies (28)
Limits range from $5,000 to $5,000,000
Deductibles range from $0 to $10,000
Several different forms
Total premium: $45,380
Per survey conducted Fall 2002
Next Step
Prepare a Request for Information or Proposal
Information:
   Interested markets
   Program description
   Underwriting criteria
Proposal:
   Designed program
   Detailed terms and conditions
   Premiums
Health Insurance Portability and Accountability Act Texas Department of Health HIPAA Project Management Office February 2003
HIPAA Overview
Remember: it's one P and two A's. Health Insurance Portability and Accountability Act.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), passed by Congress.
HIPAAs Major Purpose Protect and Enhance the Rights of Healthcare Consumers Improve the Quality of Healthcare in the US Improve the Efficiency and Effectiveness of Healthcare Delivery
HIPAA's Four Parts
Transaction & Code Set Standards (referred to as Electronic Data Interchange, EDI)
Privacy
Security
National Identifiers
HIPAA Compliance Due Dates
Privacy – implement by 04/14/2003
Transaction & Code Set Standards – implement by 10/16/2003 (extension date)
Security – pending; final rule anticipated 02/2003
National Identifiers – pending
HIPAA Compliance Challenges
Compliance will cause many changes in systems, policies and procedures.
HIPAA compliance is not a one-time event; the standards are intended to be dynamic in order to meet evolving needs.
No budget established!
Covered Entities (Transactions & Privacy)
Health plans
Health care clearinghouses
Health care providers who transmit any health information in electronic form in connection with a covered transaction
Their business associates (anyone who does work for you or on your behalf)
Health Plans
Group health plans
Health insurance issuers
HMOs
Medicare & Medicare+Choice
Medicaid
Medicare supplemental policies
Long-term care policies
CHAMPUS & other military plans
Indian Health Service plan
FEHBP (federal employee health plan)
State Child Health Plan
Catch-all: any plan that provides or pays for medical care
Health Care Clearinghouse
An entity that does either of the following:
1. Processes health information received from another entity in a non-standard format into a standard format
2. Processes health information received in a standard format into a non-standard format
Health Care Provider
A provider of services as defined by the Social Security Act (SSA)
A provider of medical and other health services as defined by the SSA
Catch-all: any other person or organization who furnishes, bills, or is paid for health care in the normal course of business
Providers of Services (as defined by the SSA)
Hospitals
Critical access hospitals
Skilled nursing facilities
Comprehensive outpatient rehabilitation facilities
Home health agencies
Hospices
Providers of Medical and Other Health Services
Any entity that provides physician services
Services and supplies incidental to a physician's services
Certain diagnostic and screening services
Durable medical equipment
Other miscellaneous services
Health Care is defined as:
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual, or that affects the structure or function of the body.
Health Care definition, continued:
The sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
TDH is a Hybrid-Covered Entity TDH is considered a hybrid-covered entity by HIPAA definitions, which means that there are certain TDH business functions that must comply with HIPAA EDI standards, while other functions are exempt. TDH has documented the parts of the agency function that must comply with HIPAA and those that do not.
What Are the HIPAA (EDI) Transaction Designations?
270 = Eligibility Inquiry
271 = Eligibility Inquiry Response
276 = Claim Status Inquiry
277 = Claim Status Inquiry Response
278 = Authorization Request and Authorization Response
820 = Health Insurance Premium Payment
834 = Beneficiary Enrollment
835 = Remittance / Payment
837 = Claim or Encounter
HIPAA Transaction (EDI) Standards
Standard: ANSI ASC X12 version 4010 for most transactions
HIPAA Code Sets
HIPAA specifies national code sets to be used for:
Diagnoses – ICD-9
Procedures – CPT-4, CDT
Supplies – HCPCS
HIPAA specifies administrative code sets for use in conjunction with certain transactions.
HIPAA eliminates state-specific local codes.
Privacy Rule Basics
The Privacy Rule relates to protected health information (PHI). Protected health information is:
Individually identifiable
Related to physical or mental health care or condition
Privacy Rule Basics A state law (Health and Safety Code, Chapter 181) extends most of the federal HIPAA privacy regulations to anyone in Texas who comes into possession of protected health information.
Privacy Rule Basics
Gives individuals certain rights regarding their own health information.
Requires covered entities to implement policies and procedures related to maintaining the privacy of individually identifiable health information.
Rights of Individuals
Receive a privacy notice
Access certain PHI about themselves
Request to amend certain PHI about themselves
Request restrictions on uses and disclosures
Grant or withdraw permission for special uses and disclosures
Request PHI in an alternate format or at an alternate location
Receive a list of certain disclosures for the past 6 years
File a complaint
Privacy Policies and Procedures
Provide reasonable safeguards for PHI:
   Lock files
   Log out of computer applications
   Check fax machines frequently
   Etc.
Limit uses and disclosures of PHI to the minimum necessary.
Obtain authorization from clients for non-routine uses and disclosures (research, marketing, etc.).
Privacy Policies and Procedures
De-identify statistical health data before disclosure to the public, using very stringent standards for de-identification.
Ensure that employees receive privacy training as needed.
Maintain documentation: client authorizations, denials of client requests, training records, policies and procedures, etc.
TDH's Approach to HIPAA
A coordinated, unified effort spanning the entire agency, in collaboration with HHSC.
Texas HIPAA Enterprise Structure
Executive Steering Committee
HIPAA Program Management Office – Cathy Lorenzen, Director
Agency project managers:
   TX Department of Health – Mary Jane Berry, Project Manager
   TX Department of Human Services – Lena Brown Owens, Project Manager
   TX Department of Mental Health & Mental Retardation – Frances Kendall, Project Manager
   TX Health and Human Services Commission – Akin Ogunrinade, Project Manager
Policy analysts, stakeholders, IT staff at each agency
Interagency Workgroups (all stakeholder participation): Transaction Sets, Unique Identifiers, Legal, Privacy and Security
Steps to HIPAA Compliance for EDI and Privacy
Follow project management guidelines
Assessment – identify covered entities within TDH
Fit/Gap Analysis – identify gaps to be closed
Compliance Plan – outline business process improvements and systems remediation needs and costs for executive approval
Remediation/testing activities for electronic data interchange (EDI)
Provider Outreach – coordinate with business partners on changes in business practices, systems and contracts
Train staff
Implement by compliance dates
TDH Status
Transactions (EDI): assessment of 204 TDH programs as potential covered entities. Gap analysis completed on HIPAA-covered programs. Remediation and provider outreach activities under way.
Privacy: assessments completed; all TDH programs are covered by HIPAA Privacy or TX SB 11.
Security: assessment of the TDH network completed. Final rules pending; anticipated February 2003.
National Identifiers: final rules pending, on indefinite hold.
TDH HIPAA Project Office
TDH Executive Sponsor – Ben Delgado
TDH Project Director – Judy Sandberg
TDH Project Manager – Mary Jane Berry firstname.lastname@example.org
TDH Privacy Officer – John Scott email@example.com
HIPAA Web sites
www.hhsc.state.tx.us – Health and Human Services Commission
www.tdh.state.tx.us – Texas Department of Health
www.ama-assn.org – American Medical Association
www.dhhs.gov – Dept. of Health & Human Services
www.cms.gov – Centers for Medicare & Medicaid Services
www.dhhs.gov/ocr – Office for Civil Rights
aspe.hhs.gov/admnsimp – Administrative Simplification regulations for HIPAA legislation
Online Reporting System: SORM 200 FY03 Data Entry, TWCC 1S, TWCC 6
Ralph Hutchins, MBA
374 agency representatives are now registered, representing 177 agencies.
Currently available:
Agency reports on workers' compensation claims
Online property and casualty claims reporting