Suffering losses from 2005’s Hurricane Katrina was bad enough for many businesses and individuals, but to make matters worse for many, certain losses were not covered by their insurance policies.
So said several Marsh experts during a June 17 webinar entitled, “Lessons from Hurricane Katrina, Looking Back, Planning Ahead,” which outlined ways in which Hurricane Katrina, which devastated New Orleans almost 10 year ago, impacted insurance underwriting, business interruption and claims handling.
The first lesson learned: businesses should thoroughly read their commercial property policies before they purchase them, said Duncan Ellis, leader of Marsh’s U.S. property practice. However, far too many find out the hard way what’s in their policies — or not in them — after sustaining major losses from catastrophes and other events.
“That’s the wrong time to find out that you are not covered for something, or that certain conditions do not apply,” Ellis said.
“After Katrina, many of our clients were sorely surprised to learn that despite having windstorm coverage, they weren’t covered for storm surge. Understanding what you are buying really can pay off.”
Ellis and Paul McVey, leader of Marsh Risk Consulting’s property claims consulting practice, outlined a number of “tripwires” in property policies that occurred after Katrina, for business owners to now be mindful of in case of future events.
The goal when dealing with major catastrophes is for insurers and policyholders to work as allies, McVey said. As part of a policyholder’s loss management plan, they should meet with their carrier and agree upon communication protocols and upon each party’s roles and responsibilities after an event. They should determine the appropriate carrier representative with the authority to make decisions on claims.
“After Katrina, many of our clients were sorely surprised to learn that despite having windstorm coverage, they weren’t covered for storm surge. Understanding what you are buying really can pay off.” — Duncan Ellis, U.S. property practice leader, Marsh
“What we see after Katrina, when decisions had to be made as to reinstatement, replacement, mitigation, there weren’t a lot of people involved at [carriers’] mid-management level to make those decisions,” he said. “That put the process on hold to a degree, and some of the things became confrontational. Insureds should make the effort to establish a relationship with an empowered senior claims representative.”
Other policy tripwires that caught businesses by surprise in Katrina that all businesses should now be aware of include:
- Determining the exact definition of special high-hazard flood zones, such as a 100-year flood plain, and how damage within those zones can impact sublimits. Typically within policy sublimits are further internal sublimits for these special zones. For example, if a business has a $200 million sublimit for flood, it is probable that there is a further internal sublimit of $50 million for high-hazard flood.
- Understanding policy definitions that determine whether an event was a named windstorm or a flood, which can impact whether the policy excludes surges from wind-driven water.
- Determining how coverage is typically triggered by civil or military authority and ingress/egress. There have been disputes about whether Katrina claims regarding ingress/egress issues should be paid after politicians told people to stay away from New Orleans, as carriers have argued that those politicians were actually not acting with civil or military authority.
- Determining how “wide area impact” or “idle period” impacts claims.
- Determining whether contingent business interruption coverage extends not only to suppliers or customers, but also to suppliers of suppliers and customers of customers.
- Determining the scope, time limits and corresponding disappearing deductibles within contingent business interruption coverage due to local utility companies’ service interruptions.
- Determining whether deductibles apply by occurrence and/or by location, and whether there are separate deductibles for property damage and “time element.”
- Determining whether costs, such as overtime for contractors rebuilding properties, fall under sublimits or “expediting expenses.”
- Determining what is — and is not — covered under business interruption, and how claim costs may be calculated.
“The property damage piece is very easy to figure out, but business interruption is probably the most misunderstood coverage and probably the most difficult in settling claims,” Ellis said.
“It’s not replacing revenues — it’s replacing profits lost and continuing expenses that the property generates when it’s not operational. For example, a continuing expense could be taxes and non-continuous expenses could be heat, light and power.”
Also often misunderstood is the indemnity period for contingent business interruption claims, McVey said. The timeframe is typically defined as the time to replace, reinstate or repair the property, but businesses should be aware that many variables could impact payment of claims. That’s why it’s so important to discuss these issues ahead of time with their broker or claims representative — particularly before renewal.
Factor Compliance into Wearable Tech Plans
More employers are considering whether to encourage or even require employees to use wearables to reduce workplace injuries, lower workers’ comp claims and even lower health care benefit costs. But they should take note: any potential exposure to workers’ private health information could subject employers to rules under the Health Insurance Portability and Accountability Act (HIPAA).
Wearables such as Google Glass, smart safety helmets and any number of sensor-enabled devices can identify hazardous conditions on worksites such as toxic chemical fumes or equipment under excessive pressure. Employers are also looking into clothing that carry embedded biosensors, actuators and gyroscopes to follow movement, heart rate, stress level, fatigue, and countless other metrics … all of it connected wirelessly to mobile devices and computers.
But can the use of such devices expose employers to claims of HIPAA violations? What kind of due diligence will they need to do in order to ensure that their use of wearables can’t come back to haunt them later?
Julie Anderson, a principal at AG Strategy Group in Washington, D.C. said this is a murky area as policy always lags behind the development and use of technology. HIPAA was passed in 1996, and nine years later in 2005 HIPAA released its first privacy rule as it related to health care data. In 2013 those rules were updated.
“It’s a complex set of issues, and it can take that long for policymakers to react to what’s happening in the marketplace, particularly regarding how health care entities are using technology and handling the data they collect,” Anderson said.
“It is possible that all technology providers in the chain of custody of personal health care data from the wearable manufacturer to the Internet service provider to the cloud provider could someday be subject to HIPAA.” — Julie Anderson, principal, AG Strategy Group
The first category of those required to comply with HIPAA are individuals or entities that come into contact with personal health care data which could be sensitive, she said. The second category are business associates, such as an accounting firm that audits claims data containing personal care diagnostic codes for a health care insurance company. That accounting firm has to enter into a business associate agreement with the insurance company, which is a contract mandated by the federal government and enforced by the Health and Human Services Dept.
In 2013 the regulation changed, and the business associate definition was broadened to include technology and manufacturing companies that receive, transmit or store personal health care data, Anderson said.
“It is possible that all technology providers in the chain of custody of personal health care data from the wearable manufacturer to the Internet service provider to the cloud provider could someday be subject to HIPAA,” she said. “But for employers who urge their workers to use wearables, this is a murky area of law not established in case law, so it’s unclear whether they would be held liable.”
If employers are outsourcing the management and storage of their employees’ data collected from the wearables, as well as the decision-making based on that data, then every single entity that touches that data in theory needs to be HIPAA compliant, Anderson said. That could also mean the employer has potential exposure, if employees view their data on the third-party website using the employer’s computer.
“Plaintiff attorneys may want to sue as many parties as possible,” she said.
Employers considering the use of wearables first should make sure their third-party providers are covered by a business associate agreement that they have entered into with a HIPAA-covered entity such as a health care clearinghouse, Anderson said. Employers should also make sure these parties are HIPAA compliant where applicable, if they are handling personal health information.
“If it’s a situation where an employer is mandating the use of wearables which can interact with personal and private activities, and employees are not involved in policymaking, that could be inviting a world of hurt in terms of legal action,” she said. While the law is not yet settled in this area, “if they have employee participation in the development of those policies governing voluntary participation, it becomes harder for a plaintiff attorney to say the employer did this to an employee.”
David Gibson, vice president at Varonis Systems Inc., a New York City-based software vendor for the management and protection of unstructured data, said the first question employers should ask themselves is whether they are storing any health or patient-related data as a result of wearables, which would then make the company itself a business associate to a HIPAA-covered entity.
Employers also have to know exactly where that data is warehoused, he said.
“You might be surprised, but a lot of companies lose track of where their sensitive data is stored,” Gibson said. “Furthermore, the data they store — particularly in file shares and Intranets — is often not very restricted. A lot of organizations are turning to automation to find health-related data that they have lost track of, and to make sure only the right people have access to it and are using it correctly.”
Another key component is figuring out when employers no longer need to keep the data, he said. A lot of organizations are determining what data should be kept for regulatory compliance or to protect themselves if they find themselves in court, and what data can and should be deleted.
To minimize risks, employers should also consider trimming their collection wishlists at the outset.
“It used to be easy to believe that more data is better, even if you weren’t sure if or how you would use it all,” Gibson said. “But organizations really need to start limiting what they collect to what they really need.”
Michael H. Cohen, founder of the Michael H. Cohen Law Group in Beverly Hill, Calif., said that even if HIPAA does not technically apply, because no insurance claims are being submitted electronically with respect to the information, mirror-HIPAA privacy and security provisions in state law could create liabilities for companies.
“HIPAA compliance is therefore best industry practice,” Cohen said.
At minimum, compliance obligations include appointing a privacy and security official, conducting HIPAA/privacy and security training for employees, putting in place a robust set of privacy and security policies and procedures — including provisions for employee discipline in case employee negligence leads to data breaches, and conducting a risk management analysis.
“Because wearables are a relatively new technology, we are likely to see data breaches and reports of penalties in the news long before we see regulation specifically targeted to company use of wearables,” he said. “An ounce of legal prevention is more cost-effective than responding to a pound of regulatory penalties or lawsuits.”
Oklahoma Youth Safety Bill Leads the Way
Oklahoma is now the first state in the United States to mandate young worker safety education in schools, following the lead of several Canadian programs.
Advocates say the trend could spread to other states, many of which now have voluntary education programs, and as more employers begin to recognize the particular importance of training young workers on safety.
Workers aged 15 to 24 tend to get injured earlier in their jobs than older workers, according to The Center for Young Worker Safety and Health at the Georgia Tech Research Institute in Atlanta. One worker from this age group is injured on the job every nine minutes, resulting in an average of 200,000 injuries each year — with 70 of those incidents resulting in death.
Oklahoma Gov. Mary Fallin signed a bill into law in April that directs the Oklahoma Department of Labor and the Oklahoma State Department of Education to develop a program that educates students in grades 7 through 12 about workplace safety.
The curriculum will come from material developed by the National Institute for Occupational Safety and Health, entitled Youth@Work: Talking Safety, which also provides lesson plans and a teacher’s guide.
“We are teaching young workers that if they have a question to speak up, or notify the boss if they are not properly trained to do work on a particular piece of equipment,” Lester Claravall, a child labor program administrator for the department said.
“The employer has an obligation to make sure the workers are offered safety training, and we let the workers know their rights and responsibilities. If they are not trained properly, they don’t have to work and the law states they won’t get fired.”
When an inexperienced worker starts a new job, they will try to mimic what other workers may be doing, even if it’s wrong or unsafe.
Several programs in Canada also focus on young worker safety. British Columbia has a safety program within its schools, Student WorkSafe 10-12, as part of the WorkSafeBC requirements under the country’s Workers Compensation Act.
Another program, MySafeWork, is a nonprofit run by Rob Ellis and Jessica Di Sabatino, who lost a son and brother, David Ellis, in a workplace accident when he was 18. The nonprofit gives presentations to schools, corporations and community groups throughout Canada on the importance of young worker safety education.
Canada also has workplace requirements specifically for educating young workers. Under Canadian law, companies employing workers under the age of 25 must provide them with health and safety orientation and training specific to their workplace. This includes information on their rights and responsibilities, potential hazards, working alone or in isolation, workplace violence, personal protective equipment and emergency procedures.
Additionally, Canadian employers must provide young workers with extra orientation and training if they request it or if they cannot perform the work tasks safely under observation. Employers are also required to keep records of all orientation and training.
More Commitment Needed
In the United States, more employers are recognizing the need to train young workers, but many still don’t, said Dave Quezada, vice president, loss control with EMPLOYERS, a specialty workers’ comp carrier for small businesses.
According to a 2014 EMPLOYERS poll of 505 small business owners collected by SSRS SmallBiz Omnibus, 52 percent of respondents that intended to hire students for summer work said they would require students go through workplace safety training. But another 27 percent said they do not offer workplace safety training for new student workers.
“It’s disturbing that more than a quarter don’t plan to offer such training, but they really should,” said Quezada.
“Young workers should know they have a right to work in a safe place, and the right to receive training in a language they understand.”
Employers should also make sure immediate supervisors are following safety rules and instilling a culture of safety. That means making sure all workers wear hard hats, goggles, ear plugs and other safety equipment, as young workers often feel uncomfortable following safety rules when older workers don’t, he said.
Thomas Heebner, senior vice president of risk at Hub International in Chicago, said that it is well documented that young workers — particularly teenagers coming into the workplace for the very first time — are more vulnerable to accidents because have very limited knowledge of the work environment in general and they are not aware of their rights and responsibilities and what protections they have under general child labor rules.
Heebner pointed out that typically, when an inexperienced worker starts a new job, they will try to mimic what other workers may be doing, even if it’s wrong or unsafe, he said. That’s why safety training is particularly important.
“Often young workers who aren’t prepared are too intimidated to ask questions and will try to figure it out through observation or testing,” Heebner said.
The need for young worker safety training goes beyond teens and summer jobs, and is especially important for young people entering high-risk professions.
A prime example, said Tim Davidson, assistant vice president of loss prevention, safety and security at IASIS Healthcare in Franklin, Tenn., is young nurses thinking they’re strong enough to lift patients out of bed without equipment. That misunderstanding leads to numerous back injuries.
“They are not bulletproof and they don’t have to be super women.” — Tim Davidson, assistant vice president of loss prevention, safety and security at IASIS Healthcare.
IASIS owns and operates 17 hospitals in Arizona, Arkansas, Colorado, Louisiana, Nevada, Texas and Utah.
“Often nurses are trained in nursing school with the mindset of taking care of patients no matter what — to the point that sometimes they ultimately compromise their own safety,” Davidson said.
“The biggest challenges are getting new nurses fresh out of college, as well as older nurses, to utilize this equipment, or else they’re going to be the patients. They are not bulletproof and they don’t have to be super women.”