While IT outsourcing (ITO) is commonplace across all industries, some sectors must weigh the risks and rewards of partnering with a third party far more carefully than others. Health insurers are a clear example: they are bound by highly specific compliance obligations, and any arrangement that increases the chance of failing those obligations can have devastating consequences.
Outlined here are several strategies that health insurers should use to identify, evaluate, and mitigate the inherent risks of outsourcing IT.
HIPAA Obligations and Protective SLAs
The unique obligations imposed by HIPAA (the Health Insurance Portability and Accountability Act) initially limited the spread of IT outsourcing within the health insurance industry. More recent developments, including the incentives created by ARRA (the American Recovery and Reinvestment Act), have offset that limiting effect and made outsourcing more likely. Despite this increase, the handling and protection of confidential patient data remains a critical priority for any company operating in the industry. In HIPAA terms, an outsourcer that creates, receives, maintains, or transmits protected health information on the insurer's behalf is a business associate: the insurer must have a business associate agreement (BAA) in place with it, and, since the HITECH Act (enacted as part of ARRA), the business associate is itself directly liable for compliance with the applicable HIPAA rules. The BAA is a regulatory requirement and does not replace the commercial protections of a well-drafted SLA.
Whether a company owns or outsources its data center, a data breach or service interruption will have serious repercussions. The difference lies in how the incident can be addressed afterward: with an outsourced data center, the insurer's options are largely those it negotiated in advance. Any company that outsources its data center must therefore do so with a great deal of foresight, especially when drawing up the service-level agreement (SLA).
Given the severity of the potential consequences of even a minor breach or interruption, the SLA should include clearly defined and agreed-upon service-level standards, along with specific consequences for failing to meet them. Among other things, the agreement should spell out the circumstances that constitute grounds for termination.
Every SLA should also set out a clear exit strategy in case the company chooses not to renew the agreement at the end of the contract. Because healthcare companies are required to adhere to specific regulatory standards, the SLA must also state any industry-specific obligations the third-party service provider must meet at the conclusion of the contract or during the transition from one service provider to another, including the return or secure destruction of patient data it holds.
Accounting for the Typical IT Outsourcing Business Model
Third-party service providers operate under a fairly typical business model that exploits the lock-in created by the prohibitive cost of moving from one service provider to another. This is why outsourcers tend to bid low to win a contract and then systematically raise their service rates once the customer is committed.
Since IT outsourcers account for these switching costs when drawing up a service agreement, health insurers must do the same by favoring agreements with multiyear, long-term pricing structures that fix or cap rates for the life of the contract.
Maintaining Leverage: Service Changes and Regulatory Compliance
When an insurance company protects itself against rising outsourcing costs and clearly delineates the vendor's obligations during any transition away from the service, it retains the leverage needed to ensure the vendor strictly adheres to the applicable regulatory guidelines throughout the agreement.
This leverage also allows the insurance company to ensure its third-party service providers incorporate new functionality whenever appropriate and regularly update their systems or platforms without adverse effects on the insurer's other software platforms, further supporting continued compliance with industry rules and regulations.
Ultimately, health insurers should follow these guidelines when weighing the risks and rewards of outsourcing IT, and then ensure that the strategies for mitigating those risks are written into the SLAs. This approach is vital to ensuring the insurer continues to meet its regulatory compliance obligations while working with a third-party IT service provider.