Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions, including insurers, take effect March 1, 2017 in New York state. Noting that “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, require compliance by third party vendors, and include more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and drivers’ license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing the management and recurrent assessment of vendors and third party service providers, and policies providing for the secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO), who may be employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse, an information system or the information stored in the system. Written incident response plans for cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under the HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days after discovery of the breach, or, if the breach affects fewer than 500 individuals, within 60 days of the end of the calendar year in which it occurred. The New York regulations, in contrast, require entities that are otherwise required to provide notice to a government agency or other self-regulatory agency or supervisory body, or that believe a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.

Maryland CO-OP barred from enrollment pending for-profit conversion decision

Evergreen Health, a Maryland consumer-operated and oriented plan (CO-OP), came up with a plan to avoid folding like the majority of the health insurance CO-OPs established under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), but that plan has hit a major logistical snag as it is currently banned from selling individual plans. The timing of its removal from the individual market could not be worse, as consumers must be enrolled in a plan by December 15 to ensure coverage starting on January 1, 2017.

Evergreen hoped to convert to for-profit insurer status through a private investor acquisition, allowing it to gain enough funding to continue operations. Unfortunately, the plan requires CMS approval, which appears not to be coming through in time to allow 2017 sales. Maryland Insurance Commissioner Al Redmer, Jr., had no choice but to pull the plug on Evergreen’s individual plan sales, a ban announced December 8, and those enrolled in Evergreen plans now have only a matter of days to pick a new plan in order to maintain continuous coverage. Redmer admitted that he probably waited until “past the last minute” to announce the ban on sales.

Evergreen had about 6,000 enrollees through the state marketplace for the 2016 plan year, while an additional 3,000 people bought individual plans directly from Evergreen. Most marketplace customers will be automatically switched to similar coverage under CareFirst BlueCross BlueShield or Kaiser Permanente, but may choose alternate plans. Cigna is the third insurer offering plans on the state’s exchange. Evergreen will continue to participate in the small and large group markets in Maryland.

This delay is yet another chapter in Evergreen’s story of issues with CMS. Evergreen expected to report a profit for 2016, a feat for a co-op, but was hit with a $24.2 million risk adjustment payment bill from CMS. In June 2016, Evergreen filed suit against CMS in an attempt to prevent collection of what amounted to 26 percent of its 2015 premium revenue. Evergreen took the position that the risk adjustment program, which reallocates money from insurers covering healthier patients to those covering the sickest population, favors larger insurers and puts smaller companies at risk. The U.S. Court of Appeals for the Fourth Circuit ruled that Evergreen was required to make its payment while the lawsuit was pending.

Evergreen CEO Dr. Peter Beilenson said that he expects an agreement to be finalized with CMS in the coming days. This agreement is likely to require Evergreen to pay part of its $65 million startup loan back to CMS in order to operate without such close agency oversight. Next, Evergreen would proceed through a long state process in order to facilitate the conversion, which Beilenson hopes to finalize in April or May 2017. In the meantime, Beilenson expects to grow the number of members in small and large employer groups from 29,000 to 40,000.

Highlight on New Jersey: OMNIA plan tiers and fears

Horizon Blue Cross Blue Shield of New Jersey is trying to change the commercial health care market in New Jersey with a product called the OMNIA Health Plan. With a tiered provider network model, Horizon plans to use the OMNIA plan to reward patients who choose top-tier providers with cheaper deductibles and copays. In large part due to the manner in which Horizon has selected which providers belong to which tiers, smaller (lower-tiered) providers are objecting to the plan, noting that it will drive smaller providers and competition out of the industry.

The plan relies upon a two-tiered provider model. The highest tier, Tier 1, includes 34 hospitals and the state’s biggest health care chains. Tier 2 comprises smaller providers, free-standing facilities, and Roman Catholic providers. While members of the OMNIA plan can select either type of provider, subscribers who go to a Tier 1 facility are rewarded with lower copays and deductibles. Horizon’s tiered approach is saving on costs and, as a result, the OMNIA plan is 15 percent cheaper than Horizon’s traditional plans.

Although the New Jersey Department of Banking and Insurance agreed in September 2015 to allow the OMNIA plan to launch in November 2016, Horizon is feeling pressure from lawmakers and providers. Lawmakers announced concerns that the plan was being rushed and was not adequately vetted. Additionally, 17 of the Tier 2 hospitals sued the state banking regulators in November 2015 to block the plan. The Tier 2 hospitals alleged that the Department of Banking and Insurance approved the plan before making sure OMNIA met state requirements. Subsequently, additional hospitals sued Horizon, alleging that the insurer breached in-network provider contracts by moving hospitals to lower tiers without adequate notice.

As of March 2016, an internal investigation by the New Jersey attorney general had concluded that Horizon broke no state laws in creating OMNIA. By that time, 234,000 people had enrolled in OMNIA, and many of those enrollees, 41,000, were previously uninsured.

Additional opposition

In addition to provider and lawmaker opposition, physician organizations have joined the battle against Horizon’s OMNIA. Physicians object to the way Horizon requires them, under threat of penalty, to explain to patients that they can save money by using Tier 1 providers. If physicians do not explain the cost sharing benefits of the network to patients, they risk being terminated from Horizon Blue Cross Blue Shield of New Jersey’s networks. One physician group, the Medical Society of New Jersey, filed an amicus brief in support of the 17 Tier 2 hospitals challenging the Department of Banking and Insurance decision to approve the OMNIA plan.

A key issue in the OMNIA litigation is transparency surrounding the formula used to develop the two-tiered system. While the plaintiffs’ attorneys have seen the formula, the insurer’s method remains cloaked behind protective court orders. Horizon argues that the formula behind OMNIA is proprietary and essential to the insurer’s competitive advantage. Although the formula has not been made public, opponents have obtained some favorable court treatment. For example, a state court ruled that Horizon had to disclose a financial impact analysis the insurer conducted on the effects that the OMNIA plan will have on Tier 2 hospitals.