As regulatory, operational and legal risks abound for nursing home operators, strong relationships with commercial insurance carriers and brokers continue to be key in countering costs.
Operators facing higher insurance premiums and greater administrative burdens have turned to using strong commercial insurance risk management companies as well as data-driven solutions that factor in the new regulations.
And because one of the drivers of insurance costs is cybersecurity in the aftermath of the Change Healthcare attack, operators are also focusing on education and advocacy efforts to address the issue in the midst of inadequate funding for cybersecurity integration.
Mary Oliver, vice president of risk and regulatory compliance at Brickyard Healthcare in Indiana, said that commercial insurance has evolved significantly in response to increasing regulatory oversight, with more stringent risk assessments and higher premiums. Brickyard operates 23 facilities in the state.
“Insurers are employing more rigorous risk assessment models to comply with regulatory requirements, resulting in more detailed, data-driven underwriting processes,” Oliver said in an email. “Compliance with regulatory requirements often leads to higher operational costs for insurers too, which are typically passed on to policyholders in the form of higher premiums.”
Insurers face increased administrative costs as well, Oliver said, due to the need for enhanced reporting, documentation and compliance monitoring. More stringent regulatory environments also often require insurers to allocate more resources to claims handling, which further affects overall commercial insurance costs.
Moreover, the cost of coverage has gone up dramatically over the last couple of decades and continues to rise, said Steve LaForte, director of corporate affairs and general counsel for Idaho-based Cascadia Healthcare. Cascadia operates 58 facilities across five Western states.
“Underwriting becomes tougher, exclusions have become more rife,” said LaForte. “One of the things that we’ve found that has led to our relative success is having a strong commercial insurance risk management partner.”
Insurance relationships and cybersecurity costs
Cascadia meets with its insurance partners twice a year to go over risk, and they’ve been able to get relatively low, manageable increases because they’ve developed these relationships. Brickyard, meanwhile, consults with legal experts to understand the implications of risks like data breaches.
Legal consultations also ensure contractual agreements cover liability and responsibilities, Oliver said. It helps to ensure that technology vendor service level agreements (SLAs) include clauses on data protection and security responsibilities, she noted, and also to perform regular audits of vendor practices and their adherence to security standards.
Cybersecurity and insurance programs are intertwined, “inextricably,” LaForte said, and insurance programs specifically for cybersecurity have changed drastically in the last nine years. As with its general commercial insurance, Cascadia has a strong partnership with its outside brokerage risk management organization, which supports the company with cybersecurity education.
“We brought them in and we have them do educational programming. We’ve had them help us with creating best practice protocols within the organization,” said LaForte.
In terms of funding to bolster cybersecurity, LaForte said there are some state grant programs that can be accessed, but that’s a small fix compared to the collaboration needed between the Centers for Medicare & Medicaid Services (CMS) and state survey agencies relative to this funding. If cybersecurity costs go up, it needs to be matched by Medicare and Medicaid, just like clinical care or other costs to the business.
Balancing cybersecurity and the Change Healthcare attack
After the February cyber attack on Change Healthcare, talk of how to avoid cybersecurity breaches has been huge, he said. In the last year, Cascadia has spent a considerable amount of money and time upgrading their cybersecurity.
“[The Change attack] really pointed out the hole that exists relative to post-acute care, long-term care, relative to the HITECH Act, and funding for cybersecurity, integration between electronic health record systems,” said LaForte. “Hospitals are all integrated. We are not. We’re not integrated with them and the money it takes to integrate and change systems on a massive, sector-wide basis is huge.”
Federal and state government agencies aren’t meeting the industry in terms of funding. The issue needs more advocacy, ever since the Change attack pointed out inadequacy relative to the sector, he said.
Still, the company’s IT systems team has grown, and the compliance team has increased relative to cybersecurity, he noted.
“It’s tough because the cost is high, and the protocols are high,” LaForte said of these upgrades and team additions. “Not everybody does well in the protocols, when you have to do two-step verification every time … I’m surprised I have any air left, because the protocols that we have to jump through are huge. But I also understand why we have to do it.”
It’s a balancing act, he said, between maintaining an IT department post-Change, while also having a legal department that understands cybersecurity risks and the heightened security Cascadia has to put in place. Then, there’s how this all translates to the field.
“It’s tough because they just want to provide care, they want to be sure their residents are comfortable, and are healthy … it really bumps up against their ability on a real time basis to provide that care,” said LaForte.
Operators are working to avoid cybersecurity risk while also integrating new software or technology that can significantly alleviate staff workload, said Oliver.
The biggest strength for operators, as new apps come online to make the work day easier, is to have a robust education program for those on the floor providing care or other services.
It’s good practice to conduct a risk assessment before implementing new technology, said Oliver, and assess the vendor’s reputation, history of data breaches and security protocols, and make sure they comply with relevant regulations.