Health Insurance (prudential standard) determination No. 4 of 2015 - HPS 231

Health Insurance (prudential standard) determination No. 4 of 2015 - HPS 231 - Outsourcing

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Unlimited Searches
Weekly Updates on New Laws
Access to 5,345,848 Global Laws from 110 Countries
View the Original Law Side-by-Side with the Translation

Subscribe Now for only USD$40 per month.

Health Insurance (prudential standard) determination No. 4 of 2015
Prudential Standard HPS 231 Outsourcing

Private Health Insurance (Prudential Supervision) Act 2015

I, Ian Laughlin, delegate of APRA under subsection 92(1) of the Private Health Insurance (Prudential Supervision) Act 2015 DETERMINE Prudential Standard HPS 231 Outsourcing in the form set out in the Schedule, which applies to all private health insurers.

This instrument takes effect on the day the Private Health Insurance (Prudential Supervision) Act 2015 commences.

Dated: 26 June 2015

[Signed]

Ian Laughlin
Deputy Chairman

Interpretation
In this Determination:
APRA means the Australian Prudential Regulation Authority.
Private health insurer has the meaning given in the section 4 of the Act.
Schedule

Prudential Standard HPS 231 Outsourcing comprises the 7 pages commencing on the following page.

Prudential Standard HPS 231
Outsourcing
Objectives and key requirements of this Prudential Standard
This Prudential Standard sets out minimum requirements for outsourcing of a private health insurer’s business activities.
The key requirements of this Prudential Standard are that:
·                a private health insurer must have an outsourcing policy approved by the board of the insurer;
·                a private health insurer must consider a number of factors when assessing options to outsource a material business activity to a third party outside of the insurer’s corporate group;
·                a private health insurer must, for each material business activity that is subject to an outsourcing arrangement conduct a risk assessment, develop and implement risk controls that address any risks identified and regularly report to the board on the status of the risks;
·                a private health insurer must monitor its outsourcing arrangements;
·                a private health insurer must include a requirement that the outsourced service provider allow APRA access to documentation and information related to the outsourcing arrangement with the private health insurer; and
·                a private health insurer must meet certain notification requirements.

Authority
1.             This Prudential Standard is made under subsection 92(1) of the Private Health Insurance (Prudential Supervision) Act 2015 (the Act).
Application
2.             This Prudential Standard applies to all private health insurers[1], except where expressly noted otherwise.
3.             All private health insurers have to comply with this Prudential Standard in its entirety, unless otherwise expressly indicated.
4.             This Prudential Standard takes effect on the day the Private Health Insurance (Prudential Supervision) Act 2015 commences.
Interpretation
5.             Terms that are defined in Prudential Standard HPS 001 Definitions appear in bold the first time they are used in this Prudential Standard.

6.             Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.
7.             Unless otherwise indicated, the term health benefits fund will be used to refer to a health benefits fund of a private health insurer, as relevant.

Outsourcing policy
8.             A private health insurer must have an outsourcing policy.

9.             The private health insurer’s outsourcing policy must:

(a)           be approved by the board of the private health insurer; and

(b)          require the private health insurer, when assessing options to outsource a material activity to a third party outside of the private health insurer’s corporate group, to do the things mentioned in paragraph 10; and

(c)           require the private health insurer, when assessing options to outsource a material activity to an entity within the private health insurer’s corporate group, to do the things mentioned in paragraph 11.

10.         When assessing options to outsource a material business activity to a third party outside of the private health insurer’s corporate group, the private health insurer must:
(a)           prepare a business case, for the purpose of allowing the private health insurer to make an informed decision on the merits of any new, or renegotiated, outsourcing arrangement[2]; and

(b)          undertake a tender process or other selection process for service providers; and

(c)           undertake a due diligence review of the chosen provider; and

(d)          involve the board, relevant board committee or officer of the private health insurer with delegated authority from the board, in the decision; and

(e)           develop appropriate monitoring and renewal processes, including criteria for service levels; and

(f)           establish dispute resolution procedures; and

(g)          develop contingency planning, to address a situation in which the outsourced service provider is unable to continue to provide the service; and

(h)          ensure that the terms of the outsourcing arrangement are set out, in writing, in a legally binding agreement.

11.         When assessing options to outsource a material activity to an entity within the private health insurer’s corporate group, the private health insurer must consider:

(a)           the ability of the outsourced service provider to undertake the activity cost effectively and on an ongoing basis; and

(b)          any changes in the risk profile of the private health insurer that arise from outsourcing the activity within the group and how the changes will be addressed within the private health insurer’s existing risk management framework; and

(c)           the monitoring procedures required to ensure that the outsourced service provider is performing effectively; and

(d)          how any ineffective or inadequate performance by the outsourced service provider would be addressed.

Outsourcing arrangement
12.         In this Prudential Standard, outsourcing arrangement means an arrangement between a private health insurer and another party (the outsourced service provider), including an entity within the private health insurer’s corporate group, under which the outsourced service provider agrees to perform, on a continuing basis, an activity that is:

(a)           currently undertaken, or could be undertaken, by the private health insurer itself; and

(b)          a material business activity of the private health insurer.

13.         For the meaning of outsourcing arrangement, an activity is a material business activity if the activity has the potential, if disrupted, to have a significant impact on the private health insurer’s business operations or the private health insurer’s ability to manage risks effectively.

14.         For paragraph 13, the following factors must be considered in determining if an activity is a material business activity:

(a)           the financial, operational, regulatory or reputational impact of a failure of the outsourced service provider to perform the activity;

(b)          the cost of the outsourcing arrangement as a share of management expenses;

(c)           the difficulty, including the time taken, in finding an alternative outsourced service provider or bringing the business activity in house; and

(d)          potential losses to the private health insurer’s policy holders and other affected parties in the event of the failure of the outsourced service provider to perform the activity.

15.         Examples of activities that are material business activities include the following:

(a)           an outsourcing arrangement under which an outsourced service provider agrees to provide to the private health insurer a management function or significant human resource function of the private health insurer;

(b)          a benefit claims processing service;

(c)           a service relating to the negotiation of contracts for hospital treatment and general treatment; and

(d)          an internal audit function.

Risk management
16.         A private health insurer must, for each material business activity that is subject to an outsourcing arrangement:
(a)           conduct a risk assessment; and

(b)          develop and implement risk controls that address any risks identified in the risk assessment; and

(c)           regularly report to the board on the status of the risks that have been identified and the effectiveness of the risk controls that have been developed and implemented.

17.         The private health insurer must establish procedures to ensure that all of the insurer’s business units are aware of, and comply with:

(a)           the outsourcing policy mentioned in paragraph 8 to 11 inclusive; and

(b)          any risk controls that are developed and implemented as a result of a risk assessment mentioned in paragraph 16.

Monitoring arrangements

18.         A private health insurer must monitor its outsourcing arrangements.

19.         The monitoring must include:

(a)           regular contact with the outsourced service provider, under the outsourcing arrangement; and

(b)          monitoring of the outsourced service provider’s performance against agreed service levels, set out in the outsourcing arrangement.

APRA access to information held by outsourced service providers

20.         An outsourcing arrangement must include a requirement that the outsourced service provider allow APRA access to documentation and information related to the outsourcing arrangement with the private health insurer. It must also include a requirement allowing APRA to access the premises of the outsourced service provider in relation to the outsourcing arrangement if APRA considers this necessary in its role as prudential supervisor.

21.         APRA may request an outsourced service provider to allow APRA access to any documentation and information, or premises of the service provider, related to the outsourcing arrangement with the private health insurer.

22.         APRA must not request information from an outsourced service provider under paragraph 21 unless:

(a)           APRA has first made the same request of the private health insurer; and

(b)          the private health insurer has not provided the information that APRA requires.

23.         The private health insurer must take all reasonable steps to ensure that an outsourced service provider does not disclose to any other person that APRA has sought access to the service provider’s information or premises, except to the extent necessary to conduct business with a private health insurer that is an existing client of the service provider.

Offshore outsourcing

24.         A private health insurer must, before entering into an outsourcing arrangement to be performed outside of Australia:

(a)           notify APRA, in writing, of the proposed outsourcing arrangement; and

(b)          provide APRA with the risk assessment and risk controls developed under paragraphs 16 and 17.

25.         If APRA is not satisfied that the risk management for a proposed outsourcing arrangement mentioned in paragraph 24 is adequate, APRA may require the private health insurer to make other arrangements for the performance of the activity that is the subject of the proposed outsourcing arrangement.

Disclosure requirements

26.         A private health insurer must, within 28 days, notify APRA, in writing, if the private health insurer enters into an outsourcing arrangement.

27.         If an outsourcing arrangement is terminated, the private health insurer must, within 28 days of the outsourcing arrangement being terminated:

(a)           notify APRA, in writing, that the outsourcing arrangement has been terminated; and

(b)          give APRA, in writing, details about the transition arrangements and future strategies for carrying out the activity that was the subject of the outsourcing arrangement.

28.         If the termination of an outsourcing arrangement may result in a significant or unexpected disruption to a material business activity, the obligations of the private health insurer under paragraph 27 are in addition to any notification requirement under Prudential Standard HPS 350 Disclosure to APRA.

Adjustments and exclusions
29.         APRA may, by notice in writing to a private health insurer, adjust or exclude a specific requirement in this Prudential Standard in relation to that private health insurer.

Transition arrangements
30.         Any approval, determination or other exercise of discretion by PHIAC under Schedule 4 – Outsourcing Standard (the PHIAC outsourcing standard) of the Private Health Insurance (Insurer Obligations) Rules 2009 as they existed prior to 1 July 2015 will continue to have effect following 1 July 2015 as though exercised pursuant to a corresponding power under this Prudential Standard. In particular, exemptions or modifications made by PHIAC under section 7 of the PHIAC outsourcing standard, and in force immediately before 1 July 2015, continues in effect as if determined under paragraph 29 of this Prudential Standard.
31.         However, an outsourcing arrangement that was in place on the commencement of the PHIAC outsourcing standard is not subject to the requirements of this Prudential Standard, unless the arrangement is or has been renewed or renegotiated after the commencement of the PHIAC outsourcing standard.

32.         An outsourcing arrangement that was in place on the commencement of this Prudential Standard is not subject to the requirements of the second sentence of paragraph 20 (which relates to access to the premises of the outsourced service provider) unless the arrangement is or has been renewed or renegotiated after the commencement of this Prudential Standard.

[1]            Refer to subsection 92(1) of the Act.
[2]           Outsourcing arrangement is defined in paragraph 12.