Private Health Insurance (Insurer Obligations) Amendment Rule 2012 (No. 1)

Link to law: https://www.comlaw.gov.au/Details/F2012L01530

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now
Private Health Insurance (Insurer Obligations) Amendment Rule 2012 (No. 1)1
Private Health Insurance Act 2007
The Private Health Insurance Administration Council makes the following rule under section 333-25 of the Private Health Insurance Act 2007.
Dated 9 July 2012
 
LYNN RALPH
Commissioner of Private Health Insurance Administration
1              Name of rule
                This rule is the Private Health Insurance (Insurer Obligations) Amendment Rule 2012 (No. 1).
2              Commencement
                This rule commences as follows:
                (a)    sections 1 to 3 and item [4] of Schedule 1—on the day after it is registered;
               (b)    the remainder—on the later of:
                          (i)    the day after registration; and
                         (ii)    1 October 2012.
3              Amendment of Private Health Insurance (Insurer Obligations) Rules 2009
                Schedule 1 amends the Private Health Insurance (Insurer Obligations) Rules 2009.
Schedule 1        Amendments
(section 3)
  
[1]           Rule 4
insert
outsourced service provider has the meaning given by rule 4A.
outsourcing arrangement has the meaning given by rule 4A.
Outsourcing Standard means the standard set out in Schedule 4.
[2]           After rule 4
insert
4A           Outsourcing arrangements
         (1)   In these Rules, outsourcing arrangement means an arrangement between a private health insurer and another party (the outsourced service provider), including an entity within the insurer’s corporate group, under which the outsourced service provider agrees to perform, on a continuing basis, an activity that is:
                (a)    currently undertaken, or could be undertaken, by the insurer itself; and
               (b)    a material business activity of the insurer.
         (2)   For the meaning of outsourcing arrangement, an activity is a material business activity if the activity has the potential, if disrupted, to have a significant impact on the insurer’s business operations or the insurer’s ability to manage risks effectively.
         (3)   For subsection (2), the following factors must be considered in determining if an activity is a material business activity:
                (a)    the financial, operational, regulatory or reputational impact of a failure of the outsourced service provider to perform the activity;
               (b)    the cost of the outsourcing arrangement as a share of management expenses;
                (c)    the difficulty, including the time taken, in finding an alternative outsourced service provider or bringing the business activity in-house;
               (d)    potential losses to the insurer’s policy holders and other affected parties in the event of the failure of the outsourced service provider to perform the activity.
Examples of material business activities
Activities that are material business activities include the following:
(a)     an outsourcing arrangement under which an outsourced service provider agrees to provide to the insurer a management function or significant human resource function of the insurer;
(b)      a benefit claims processing service;
(c)     a service relating to the negotiation of contracts for hospital treatment and general treatment;
(d)      an internal audit function.
[3]           After rule 12
insert
13            Outsourcing Standard
                Schedule 4 sets out the Outsourcing Standard.
[4]           Schedule 2, after section 10
insert
Part 3          Exemptions and modifications by Council
11            Exemptions and modifications by Council
                The Council may, on written application by a private health insurer or on its own initiative, in writing:
                (a)    exempt the insurer from all or specified provisions of this Standard; or
               (b)    modify the application of specified provisions of this Standard in relation to the insurer.
[5]           After Schedule 3
insert
Schedule 4        Outsourcing Standard
(rule 13)
Part 1          Outsourcing policy
1              Outsourcing policy
         (1)   A private health insurer must have an outsourcing policy.
         (2)   The insurer’s outsourcing policy must:
                (a)    be approved by the board of the insurer; and
               (b)    require the insurer, when assessing options to outsource a material activity to a third party outside of the insurer’s corporate group, to do the things mentioned in subsection (3); and
                (c)    require the insurer, when assessing options to outsource a material activity to an entity within the insurer’s corporate group, to do the things mentioned in subsection (4).
         (3)   When assessing options to outsource a material business activity to a third party outside of the insurer’s corporate group, the insurer must:
                (a)    prepare a business case, for the purpose of allowing the insurer to make an informed decision on the merits of any new, or renegotiated, outsourcing arrangement; and
               (b)    undertake a tender process or other selection process for service providers; and
                (c)    undertake a due diligence review of the chosen provider; and
               (d)    involve the board, relevant board committee or officer of the insurer with delegated authority from the board, in the decision; and
                (e)    develop appropriate monitoring and renewal processes, including criteria for service levels; and
                (f)    establish dispute resolution procedures; and
               (g)    develop contingency planning, to address a situation in which the outsourced service provider is unable to continue to provide the service; and
               (h)    ensure that the terms of the outsourcing arrangement are set out, in writing, in a legally binding agreement.
         (4)   When assessing options to outsource a material activity to an entity within the insurer’s corporate group, the insurer must consider:
                (a)    the ability of the outsourced service provider to undertake the activity cost effectively and on an ongoing basis; and
               (b)    any changes in the risk profile of the insurer that arise from outsourcing the activity within the group and how the changes will be addressed within the insurer’s existing risk management framework; and
                (c)    the monitoring procedures required to ensure that the outsourced service provider is performing effectively; and
               (d)    how any ineffective or inadequate performance by the outsourced service provider would be addressed.
Part 2          Outsourcing monitoring processes
2              Risk management
         (1)   A private health insurer must, for each material business activity that is subject to an outsourcing arrangement:
                (a)    conduct a risk assessment; and
               (b)    develop and implement risk controls that address any risks identified in the risk assessment; and
                (c)    regularly report to the board on the status of the risks that have been identified and the effectiveness of the risk controls that have been developed and implemented.
         (2)   The insurer must establish procedures to ensure that all of the insurer’s business units are aware of, and comply with:
                (a)    the outsourcing policy mentioned in section 1; and
               (b)    any risk controls that are developed and implemented as a result of a risk assessment mentioned in subsection (1).
3              Monitoring arrangements
         (1)   A private health insurer must monitor its outsourcing arrangements.
         (2)   The monitoring must include:
                (a)    regular contact with the outsourced service provider, under the outsourcing arrangement; and
               (b)    monitoring of the outsourced service provider’s performance against agreed service levels, set out in the outsourcing arrangement.
4              Council access to information held by outsourced service providers
         (1)   An outsourcing arrangement must include a requirement that the outsourced service provider allow the Council access to documentation and information related to the outsourcing arrangement with the private health insurer.
         (2)   The Council may request an outsourced service provider to allow the Council access to any documentation and information, or premises of the service provider, related to the outsourcing arrangement with the insurer.
         (3)   The Council must not request information from an outsourced service provider under subsection (2) unless:
                (a)    the Council has first made the same request of the insurer; and
               (b)    the insurer has not provided the information that the Council requires.
         (4)   An outsourced service provider must comply with a request by the Council under subsection (2).
         (5)   The insurer must take all reasonable steps to ensure that an outsourced service provider does not disclose to any other person that the Council has sought access to the service provider’s information or premises, except to the extent necessary to conduct business with an insurer that is an existing client of the service provider.
Part 3          Notification requirements
5              Offshore outsourcing
         (1)   A private health insurer must, before entering into an outsourcing arrangement to be performed outside of Australia:
                (a)    notify the Council, in writing, of the proposed outsourcing arrangement; and
               (b)    provide the Council with the risk assessment and risk controls developed under section 2.
         (2)   If the Council is not satisfied that the risk management for a proposed outsourcing arrangement mentioned in subsection (1) is adequate, the Council may require the insurer to make other arrangements for the performance of the activity that is the subject of the proposed outsourcing arrangement.
6              Disclosure requirements
         (1)   A private health insurer must, within 28 days, notify the Council, in writing, if the insurer enters into an outsourcing arrangement.
         (2)   If an outsourcing arrangement is terminated, the insurer must, within 28 days of the outsourcing arrangement being terminated:
                (a)    notify the Council, in writing, that the outsourcing arrangement has been terminated; and
               (b)    give the Council, in writing, details about the transition arrangements and future strategies for carrying out the activity that was the subject of the outsourcing arrangement.
         (3)   If the termination of an outsourcing arrangement may result in a significant or unexpected disruption to a material business activity, the obligations of the insurer under this section are in addition to any notification requirement under the Disclosure Standard.
Part 4          Exemptions and modifications by Council
7              Exemptions and modifications by Council
                The Council may, on written application by a private health insurer or on its own initiative, in writing:
                (a)    exempt the insurer from all or specified provisions of this Standard; or
               (b)    modify the application of specified provisions of this Standard in relation to the insurer.
Part 5          Transitional
8              Transitional
         (1)   On the commencement of this Standard, a private health insurer that is not able to comply with all of the provisions of the Standard must, in writing to the Council:
                (a)    identify the provisions of the Standard with which the insurer is not able to comply; and
               (b)    specify a date by which the insurer expects to be able to comply with the identified provisions.
         (2)   The Council must, after considering information provided by the insurer under subsection (1), set a date for compliance by the insurer with the identified provisions and tell the insurer, in writing, of the date.
Note   The date set by the Council under subsection (2) need not be the same date as the date specified by the insurer under paragraph (1) (b).
         (3)   However, an outsourcing arrangement that is in place on the commencement of this Standard is not subject to the requirements of this Standard, unless the arrangement is renewed or renegotiated.
Note
1.       All legislative instruments and compilations are registered on the Federal Register of Legislative Instruments kept under the Legislative Instruments Act 2003. See www.comlaw.gov.au.