Best Practices a Moving Target
Although modern claims management technology can capture all manner of information to identify where employers and carriers spend — and misspend — their insurance money, a third-party administrator’s (TPA) success in managing an insurance program depends on the underlying human intelligence and a disciplined application of its own best practices.
However, universally applicable “best practices” resist codification because too many variables contribute to how a claim should be handled, including local laws, industry, line of insurance, and the size of the client company, said Randy Jouben, risk manager, Five Guys Enterprises, LLC in Virginia and a member of the Risk Management & Insurance Society (RIMS) Standards & Practices Committee.
Instead, companies develop internal best practices based on their own closely observed and analyzed experience, and some share their findings with each other, said Janet Warren, managing director, Beecher Carlson.
These best practices are customized to the client’s sophistication, needs, industry and internal staffing.
The principles underlying all modern best practices emerged from the financial stewardship and speedy communications principles codified in the Unfair Claims Settlement Practices Act of 1997, Jouben said. Created by the National Association of Insurance Commissioners, the act provides guidance to states wishing to protect consumers and regulate insurance carriers. These best practices include timely communications, responsible stewardship of the client’s money, and fair and speedy settlement.
Philosophies Must Align
Jouben regards openness and honesty as qualitative best practices. “Things go wrong in claims. Don’t cover up those mistakes.” Instead, he said, “work together to seek resolution instead of crucifying the person who made the error.”
The relationship breaks down when the TPA and client don’t have equal expectations. “You need specific, realistic expectations on both sides for it to work,” he said.
Consistent engagement in and monitoring of a TPA is a client’s chief best practice, said Frank Ramsay, Towers Watson senior consultant and head of its claims management practice.
He recalled a client with a bafflingly high legal spend. “We visited the TPA, and within a few minutes of walking in the door, we learned that this TPA’s claims philosophy was to litigate everything.”
His client hadn’t been aware of this approach, which differed sharply from its own.
“First, there was a basic breakdown in communication,” Ramsay said, “and second, nobody at the client’s organization monitored and oversaw the TPA.”
Critical Judgment is Vital
Settlement authority requires complete accord between TPA and client. The threshold depends on the level of trust in the relationship, Warren said. “After the TPA establishes credibility, the client raises settlement authority as the relationship matures.”
Even then, appropriate authority is nuanced, subject to the types of claim and other factors. A TPA administering product liability claims might have lower settlement authority than, say, workers’ compensation, because the client’s brand is at stake, Warren said. In workers’ compensation claims, where the jurisdiction defines rules and regulations more clearly, the TPA might have higher settlement authority.
And still the claims adjuster makes judgment calls. “Administering the claims properly requires critical thinking skills and all the knowledge and experience the adjuster brings to the relationship,” Warren said. “One little piece of fact can change the complexion of the case and the adjuster’s decision about its disposition.”
Rob Blasio, president and chief executive officer of Western Litigation Inc., a professional liability claims and risk management company, agreed that appropriate settlement authority practices depend on the TPA’s relationship with the client and especially their line of business.
In workers’ compensation cases, he said, a TPA’s settlement authority is “prudent” for the sake of expedience, but his company generally has no settlement authority at all, which is appropriate for the health care professional liability claims he handles. Instead, he recommends settlement amounts to his sophisticated, high-end clients, who give settlement authority accordingly. In the final reckoning, he said, “collaboration and communication are the best practices.”
Tom Doney, president, Cypress Benefit Administrators, said his role as TPA shifted from the traditional claims payment to medical risk management as health care costs soared.
“When it’s our job to pay a claim, we ask, ‘Does this claim make sense? Is the billing appropriate?’ There’s a lot of fraud out there.” — Tom Doney, president, Cypress Benefit Administrators
His assignment is clear: Save money for the self-funded benefit plans his company administers. “As the cost of doing nothing continues to rise,” he said, he focuses on cost savings such as employee wellness programs that reduce total health care expenses, and identifying claims that shouldn’t be paid.
“If the inevitable happens and employees need care, we give them tools to make decisions about who they see, what type of procedures they may undergo and why,” Doney said. “When it’s our job to pay a claim, we ask, ‘Does this claim make sense? Is the billing appropriate?’ There’s a lot of fraud out there.”
Doney credits the industry’s attention to cost controls with the success of the TPA business and the reason self-funding is now the dominant method of administering employee benefits. The Henry J. Kaiser Family Foundation study, “2013 Employer Health Benefits Survey,” reported 16 percent of covered workers at small firms and 83 percent at larger firms are enrolled in plans that are either partially or completely self-funded.
Cost savings is not always her clients’ primary goal, said Michele Tucker, vice president, claims, for CorVel, a national risk management provider for workers’ comp, health care liability and auto claims. One client’s goal could be service-related results, while another may focus on something completely different.
For example, best practices for a transportation company’s claims-management program would look very different from that of a retailer.
The transportation company has staff in the field, not in shopping malls, and it needs immediate access to a claims -eporting mechanism in its unpredictable, fluid work environments.
“That means a mobile application from which they can call in a claim and get access to immediate care,” Tucker said.
After an accident, the TPA would arrange immediate medical care to address the injury component and the liability insurance claims team to take care of property damage and any subrogation or recovery.
In the retail environment, on the other hand, injuries are fewer and less severe, but customer-related claims — which back into product and general liability cases, which themselves may by derived from chain-of-production issues — are more frequent.
Both involve multi-line claims management, which blurs both insurance and responsibility lines. These blurred lines demand informed, experienced humans.
“At implementation, the client and TPA need to decide how they’ll partner when workers’ compensation and liability lines run into each other,” Tucker said. “You need subject experts in these completely different subjects to get the best results.”
Analytics are not just a powerful reporting tool, said Tucker, but a powerful diagnostic and prescriptive tool as well. Her company has a simple best practice regarding analytics: Use them.
“Things go wrong in claims. Don’t cover up those mistakes. … Work together to seek resolution instead of crucifying the person who made the error.”
— Randy Jouben, risk manager, Five Guys Enterprises LLC
When CorVel saw a spike in claims for one of its retail clients, Tucker said, it analyzed data and found that the claims originated with employees who had been injured while handling a new clothing rack. The client phased out the rack. CorVel also uses analytics as a predictor of “creeping catastrophic” claims — the kinds that can go nuclear unless managed swiftly — with its pharma clients.
“TPAs and their clients can gain insights from data and predictive modeling to drive better decisions and actions,” said Kirsten Hernan, director, Deloitte Consulting LLP. “For example, when you see a potentially troublesome claim, you can escalate it to a more experienced adjuster,” who may be able to snuff out the fire before it starts.
TPAs can capture and report all kinds of data, said Kevin Grady, managing director of Beecher Carlson’s “ZOOM,” a data disaggregation process that allows a company to focus on strategies to reduce costs.
But data alone doesn’t solve problems, he said. “How you use it creates value.”
Grady described the process of turning a practical problem into a statistical problem, then turning a statistical solution — a goal — into a practical solution.
For example, he said, say the TPA traces a cost increase to injured workers bringing suit, which are expensive because of attorney and court costs. “That’s the practical problem,” he said.
Next, he’d convert the data to a rate. If 30 percent of claims were litigated last year, say, the company would target only 20 percent this year. “That’s the statistical solution.”
To achieve that, he’d ask, Where were the lawsuits coming from? The Northeast? Southeast? Midwest? “The location becomes the statistical problem.”
Then Grady sets the goal — the statistical solution. “If suits were clustered in the Southeast, we’d ask, ‘How effective is our response to claims in the Southeast? Are we reporting late?’ ”
When claims are reported late, injured workers get nervous, he said. “They worry about how they’ll feed their kids, so they get attorneys,” whereas they tend not to if the company approaches them promptly with a robust injury response process that responds in a timely manner, informs workers of their rights, establishes a path to recovery and maintains communications.
Thus armed with information, the TPA can help the client reduce injuries, claims and litigation. But not every problem is equally worth solving, Grady said. By analyzing claims data, employers and TPAs can prioritize the problems. “You know which to go after first.” The same applies to claims. “You go after the 20 percent of conditions that drive 80 percent of claims.”
Aim for Avoidance
Avoiding litigation is the best practice to manage litigation, said Beecher Carlson’s Warren. “Better yet, avoid the claim in the first place and you avoid the litigation too.”
In fact, said CorVel’s Tucker, workplaces are becoming safer, thanks in part to analytics that inform employers where to apply fixes.
When accidents occur anyway, Warren said, the decision whether or not to litigate depends on the facts of case, and every case must adhere to the Fair Claims Practice Act.
Closing cases proactively is the best policy for cost control, said Blasio of Western Litigation.
“Evaluate cases quickly, make decisions about whether they need to be resolved and close them expeditiously to reduce allocated losses and adjustment expenses on your files.”
Short of that, have vetted litigation guidelines that outline and control relationships with outside attorneys and experts called in to defend cases.
“It’s about managing expectations at the outset,” said Blasio. This could mean demanding a budget from attorneys and “holding their feet to the fire” about sticking to it.
Cyber security breaches among retailers, health care companies and governments have become the stuff of tabloids and courtrooms. To a large extent, they’re also avoidable.
“The organizations that succeed are those that take cyber security seriously.” — Marty Frappolli, senior director of knowledge resources, The Institutes
“Companies can hire experts to make their data securely available to those who need it and inaccessible to everyone else,” said Marty Frappolli, senior director of knowledge resources for The Institutes, a nonprofit provider of insurance education.
“The organizations that succeed are those that take cyber security seriously. The value of the data far exceeds the cost of protecting it, so take preventive steps first and buy cyber security insurance as a backup plan.”
Clients and TPAs also should be willing to bring in outside help, especially on complex, high-exposure cases, Blasio said. These could include jury consultants and structured settlement specialists. “If there are other experts in the industry who can help strategize how to get the case in the best position for resolution, an existing relationship with a TPA or counsel shouldn’t preclude another.”
This best practice applies most to self-administered plans. “They spend hundreds of thousands of dollars retaining medical experts, but they rarely think about calling an expert who might have resolved 20 cases with the plaintiff’s attorney and can cut through the noise.”
A Marriage of Compatibility
For all that modern client and third-party administrator (TPA) interaction depends on technology, compliance expertise, analytics and efficient claims administration, the most important factor in its success is still the partners’ compatibility, industry experts agree.
“It comes back to the relationship,” said Fred Hunt, active past president, Society of Professional Benefits Administrators (SPBA), a national association of TPA firms.
Since the client and TPA can interact daily on government compliance and such delicate issues as fluctuating reserves and claims escalation, “you have to like and trust your TPA,” Hunt said. “It’s like getting married.”
Scott P. Rogers, executive vice president, casualty operations, Sedgwick Claims Management Services Inc., agreed, since in many cases the self-insured employer, insurance collective, union or insurance carrier is entrusting the health of employees to a third party.
“Companies hire TPAs when they believe the right partner can do a better job dealing with their most important assets, their employees, and their most important constituents, their customers,” he said.
Other than the bread-and-butter claims payment services, Hunt said, clients depend on “ERISA nerds” like his organization’s members to stay in compliance with complex, shape-shifting state and federal laws and regulations. “The TPA will call to say, ‘The IRS just issued this new reg, and we’re going to have to do this or that.’ ”
Companies may delegate because they don’t have in-house expertise, Hunt said, and penalties for violations can be devastating.
The right fit depends on a program customized to the company’s appetite for risk, cost threshold and company culture, said Rogers.
Size and scope matter also, said Richard Messick, specialist leader, Deloitte Consulting. “Larger companies may need a larger TPA with national or even global providers and regulatory experts. Smaller companies with only one or two local locations may do perfectly well with a regional TPA that doesn’t have the broad geographical reach of the larger companies.”
But Rogers said smaller clients, especially those who enhance their buying power by joining captive and affinity groups, such as public university insurance collectives, can benefit from the resources and expertise large TPAs may offer.
“The smaller clients get the same customization as the big companies,” he said, including access to a broad base of claims expertise, legislative updates and technology advancements. “It goes back to how the client and TPA partner together.”
Large or small, said Karen Stankevitz, managing director of consulting and analytics, Aptus Risk Solutions, all TPAs have strengths and weaknesses apart from the basic claims-payment services all provide.
“When you assemble your list of requirements in your request for proposals, don’t put down the basics,” she said. Instead, clients should figure out what they need beyond the basics, such as expertise and presence in all 50 jurisdictions or deep and broad contacts within the managed care community.
“Look at their differences,” Stankevitz said. Aptus, a consultant specializing in medical cost containment, claims and litigation management, sees prospective vendors’ strengths and differentiators emerge in sales presentations.
“The more a client asks a TPA to do outside their standard services, the harder it is for the TPA to perform optimally, and the more it will cost to get those services.”
When comparing sales presentations, Aptus suggests that clients may see desirable services one vendor provides that the client may not even have thought about requesting.
Regardless of their size and specialty, prospective clients and TPAs should meet and get to know each other rather than depend on a broker to vet candidates, SPBA’s Hunt said. If possible, clients should pay site visits to their prospective partners’ locations.
Brokers, however, can and do play an important role in partnering clients with the right TPA, said Srivatsan Sridharan, senior vice president, product development, Gallagher Bassett Services. The broker compares the client’s exposure data (such as industry, state and job type) against outcomes from various TPAs to find those with the best track record.
For example, if a client wants to contain medical management costs, the broker could collect data on its exposure in a given state for a given type of claim, then superimpose it on a TPA’s discounts, outcomes and penetration for those bill types in the states where the client operates.
When vetting candidates, said Ivan Dolowich, managing partner, Kaufman Dolowich & Voluck, which specializes in professional lines of business, “it’s good to look at claims systems,” some of which are highly automated and specialized. The industry was slow to invest in technology, he said, and TPAs’ systems are sometimes better than insurers’ legacy systems that they developed on their own and adapted to the type of claims they’re handling.
“At the end of the day, actions speak louder than words. Employers quickly recognize genuine performance.” — Scott P. Rogers, executive vice president, casualty operations, Sedgwick Claims Services Inc.
Not all due diligence is so high tech. In the course of a bidder’s conference, said Rogers, the prospective client and TPA may compare core values and decide their shared cultures bode well for the partnership.
“At the end of the day,” Rogers said, “actions speak louder than words. Employers quickly recognize genuine performance.”
To Bundle or Not to Bundle?
There are pros and cons to bundling and unbundling, said Stankevitz. A client has more buying power if it uses one TPA for multiple lines of business, and it may lose some negotiation leverage if it splits up the concentration. Reporting and analytics may also be better and easier with a single TPA.
“With all data in one system, running reports will be less complicated and more standardized,” she said.
But TPAs have different areas of expertise. “If you’re heavy in products claims,” she said, “you might want to assign that part of your business to a TPA that specializes in that line of business.” And if a client assigns different TPAs to different lines, it has a broader knowledge base, she said.
“If you have two TPAs, you have more resources to ask your questions. It opens up the networking,” she said.
A pilot program may be an option. “You can pilot a TPA in a state or a different line of business to get a sense of how they operate and manage your requests. It will give you a better sense of marketplace.”
Clients should be prepared to invest time and money in the process of unbundling a program, although with good planning the investment should provide returns. Transport operator FirstGroup America unbundled its bill review, pharmacy benefits management, field and case management, independent medical examinations, and occupational and physical therapy services in its self-insured program.
Two and a half years later, Frank Lott, the company’s corporate claims director, reported cost savings, and greater control and flexibility in the providers it chooses for its employees, and far greater transparency in its bill review.
During a Risk & Insurance® webinar, “Succeeding with an Unbundled Claims Management Approach,” Lott said that before unbundling, “We could never get a true understanding of our managed care costs.” After unbundling, the company found “a higher level of expertise in these areas, and they’ve become an extension of our team.”
However, these gains didn’t come without effort. “There’s an implementation phase,” Lott said, to allow each TPA on the team to “talk” to each other electronically.
“You have to look at connectivity. You have to look at how much time and money it will cost to build systems and interfaces. Can all the partners access the different systems?” There was also a training element that involved both the vendors and the TPA. “The goal was to not put additional work on the adjuster’s plate,” he said.
“A company needs to ask itself, ‘Do we have the internal resources to drive an effective program?’ ”
If a company decides to take on this process, said Suzanne Flynn, a webinar participant and senior vice president and risk management consultant for Wells Fargo Insurance Services, it should coincide with the initial execution or renewal of a TPA contract, some of which prohibit unbundling or impose punitive costs or fees, such as an exorbitant $9 per check writing fee.
“A company needs to ask itself, ‘Do we have the internal resources to drive an effective program?’” —Frank Lott, corporate claims director, FirstGroup America
The contractual definition of “managed care” can also catch companies off guard, Flynn said, and may restrict programs without their administrators’ knowledge.
“Is it the traditional definition of fee schedule audit, preferred provider organization and utilization review? Or has the definition been expanded to include things like telephonic case management, field case management, pharmacies and/or durable medical equipment, thus becoming an even greater source of revenue for the entity?”
While some TPA contracts forbid unbundling, in other cases, clients are obliged to unbundle if their TPAs don’t service all their insurance lines, said Deloitte’s Messick. This is especially true for specialty liability lines, such as medical malpractice and directors’ and officers’ insurance.
After prospective clients and TPAs perform due diligence and decide they can work well together, they negotiate a contract that assigns their respective roles and responsibilities. The language in the contract should exceed the boilerplate contractual language of most service agreements, and include as much detail as possible, including the performance standards that define the parties’ respective roles, said Michael T. Griffin, partner, Edwards Wildman Palmer LLP in Hartford, Conn., who specializes in insurance law.
For example, he said, if the TPA will maintain a call center, the contract should detail the service standards the TPA must maintain. How many hours will it be open? How many people will staff it? How quickly will the staff answer phone calls? How quickly must claims be paid, or carriers and employees notified of their progress?
“If I’m a national carrier, the TPAs that represent me directly impact my reputation. I want their performance to reflect well on my brand,” he said.
Dolowich, of Kaufman Dolowich & Voluck, said he prefers contract language that defines authority lines and avoids the gray areas that can presage litigation. At what point does the TPA need the client’s approval to expand or clarify its reserve or settlement authority? Are the reserves adequate?
Those service level standards are often addressed in exhibits to the agreement, Griffin said, so if the parties want to tweak the details, they can modify the exhibit rather than amend the body of the agreement.
The contract should also provide for the eventual termination of the relationship, Griffin said, almost like a pre-nup.
“If you’re a carrier at the end of the relationship, the TPA is left with your information. How do you get it back?”
He encourages parties to think up-front about termination and transfer of data. How will information be presented? In hard copy? Pursuant to some system requirement? If costs will be incurred in the transfer of the information to its owner, who incurs those costs?
FTC Taking Action on Cyber Security
In April, a federal court sent a clear if unintended message to the business community when it permitted the Federal Trade Commission to proceed with a lawsuit against Wyndham Worldwide Corp., alleging the hotel giant failed to make reasonable efforts to protect consumer information.
“The ruling will probably — and properly — drive more companies to the cyber insurance market,” said Thomas Caswell III, partner, Zelle Hofmann in Minneapolis, who specializes in insurance coverage litigation.
“They’ll see the exposures and their potential costs for themselves. The pure threat will push them to buy cyber insurance, just as they buy general liability insurance,” he said.
With the ruling in its favor, the FTC may become more active in pursuing regulatory actions, said Rene Siemens, partner, Pillsbury Law in Los Angeles, who represents policyholders in connection with coverage claims for privacy matters.
The types of breaches the FTC may pursue include identity theft, theft of credit card information, and improper access to protected access to health information.
The likelihood that the FTC will assume more responsibility for policing cyber security isn’t necessarily a bad thing for insurance companies or their clients, said Matt Wolfe, vice president for state relations and assistant general counsel, Reinsurance Association of America.
The current voluntary standards leave companies “shooting a bit blind regarding how to protect data and the consequences for not doing so,” he said. “Enforceable standards could actually help companies know how to prepare.”
Insurance industry observers expect carriers to introduce broad standard exclusions for privacy claims, but it’s yet to be seen how broadly they will be adopted and if carriers will adopt variations on exclusions.
“The insurance industry,” Siemens said, “is focused on limiting coverage for privacy claims under conventional coverage.”
“If the FTC pursued action for violating some rule or standard of practice … most cyber liability policies insure for that,” Caswell said. “Most traditional liability coverage doesn’t.”
Getting hacked alone won’t invite a lawsuit from the FTC, said Kevin LaCroix, attorney and executive vice president, RT ProExec, an insurance intermediary focused on management liability.
“But if you are the target of a breach and fail to take corrective action, you’re subject to subsequent breaches due to the same vulnerability, and that could attract regulators’ attention.”
The FTC alleges Wyndham suffered three similar data breaches that compromised consumer information.
All companies that conduct business over the Internet, or that do business with other companies that do, are vulnerable to data breaches, said Siemens. The Gramm-Leach-Bliley Act already requires financial institutions to implement and maintain administrative, technical and physical safeguards for customer information.
“If the Department of Defense is vulnerable to hackers,” LaCroix said, “everybody’s vulnerable.”
Hackers’ motivations run the gamut from spite to greed to terrorism. “Still,” he said, “some multinational companies I’d consider high-risk targets don’t yet have privacy and network security insurance.”
Companies should also make sure their vendors and other third-party partners have sound security practices, and that they are insured against breaches they may cause, said Siemens.
That was the vulnerability for Target, when hackers broke into the retailer’s network last year using login credentials stolen from a heating, ventilation and air conditioning company that does work for a number of Target locations. It created the largest data security breach in retail history.
Increasingly, Siemens said, companies outsource data management to companies that specialize in running server farms and storing and processing data. “As that trend continues, risk managers need to be more careful about who they hire.”
LaCroix admitted to having personal experience with such woes. A “tiny” nonprofit school of which he was a board member was hacked through a vendor’s portal, costing $40,000 in notification costs alone. “That would have paid for the premium on cyber insurance for multiple years,” he said.
The take-home lesson for risk managers? Prevention and cyber insurance, said LaCroix, but if there is a breach, demonstrate a vigorous response to minimize risk of regulatory action.