The Skinny on “Skinny Plans”

Recently there has been a trend among business owners to ask about how they can do as little as possible and still be compliant within the word of the law when it comes to PPACA. I came across an article in the WSJ “Employers Eye Bare-Bones Health Plans Under New Law” and was really taken aback. I know I should not have, I mean, the legislation has been filled with several oops moments but this one is a little bit different in that some businesses are actually looking at this as an opportunity to “game” the law. I would first start by saying that each company is different, and their specific work force is unique so I am not going to go into the validity of “skinny plans” as a viable course of action without having time to look at the workings and issues of each company. What I will do is speak to the facts that should be looked at when making a decision for your company.

With the  recent release of regulations from the IRS and the Department of Health and Human Services, administration officials confirmed to Wall Street Journal reporters that large employers will not have to meet all the generous standards for health insurance plans offered on the state exchanges, but can offer minimal health insurance to avoid penalties.

According to the law employers have to offer “minimum essential coverage.” This turns out to be substantially less generous than the “essential health benefits” required for plans sold to individuals and small businesses. To get a grasp on what is happening here we need to refer back to the penalties that can be imposed.

For employers greater than 50 full time employees – If the employer does not offer coverage, and at least one full-time employee receives a premium tax credit or cost-sharing reductions, the business must pay $2,000 for each full-time employee, not counting the first 30 employees. If the employer does offer coverage, and at least one full-time employee receives a premium tax credit or cost-sharing reductions because the coverage offered is determined “inadequate” or “unaffordable,” the employer will be required to pay $3,000 for each employee who receives assistance or $2,000 per full-time employee (not counting the first 30 employees), whichever is less. This penalty is per worker, not for the workforce as a whole. In most cases the $2,000 penalty will be less, which, if in effect, would apply to the entire workforce after the initial 30-worker exemption. Yes that is some crazy PPACA arithmetic!

So as you can imagine it did not take a long time for some employers, with less skilled work-forces, to look at this and determine that it can make sense to offer a plan that covers minimal requirements such as preventive services, but often little more. Some of the plans wouldn’t cover surgery, X-rays or prenatal care at all. Does offering these types of plans that meet minimal medical benefit make the grade? The answer right now is yes. The meet the letter but not the spirit of the law.

Employees are free to go to a health insurance exchange if their employer offers them a plan they do not like. They can get a premium subsidy if their employer fails to offer coverage that: (1) is affordable; or (2) provides minimum value. A plan’s minimum value is measured with reference to benefits covered by the employer that also are covered in any one of the essential health benefit benchmark plans adopted by a state.

Allen Greenberg with BenefitsPro has it exactly right when he says “employers that try to pass off bare-bones coverage as real health plans without smirking are kidding themselves… regulators (and a lot of self-respecting brokers) aren’t likely to view skinny plans as anything but a sleazy tactic that will draw plenty of scrutiny, raise eyebrows and evoke guffaws. Employers that go this route would be smart to have a Plan B ready.”

That being said skinny plans have become an option for restaurant and retail chains that are too big to fit in the small employer category or employers that up until now have offered no coverage. These types of business have a workforce that is typically made up of young and healthy workers that may find the bare bones option more attractive from a financial standpoint.  They most likely will stay in these types of plans until they actually get sick or injured and need real care. As Dennis from TWGS points out, “In most cases where an employer is seriously considering the skinny plan option, employees are not going to lose something they already have…[this segment of the employee population] doesn’t expect to get it, doesn’t care about it, cannot afford it, or for various other reasons doesn’t take it because it isn’t paid for by someone else.”

A question many will surely ask will be “is this really health insurance?” Rather than calling it insurance I find it is more of a payment plan for small maintenance care. Insurance is needed to protect people from expensive needs that befall the unlucky insured party. With all the exclusions that come with these skinny plans, it is difficult to see them as true health insurance plans.

From everything we have been told, the government’s initial intent was for employers to continue to sponsor full health benefits. This was to prevent consumers from being stuck with catastrophic bills that then become a drag on the economy. I’m curious how long it will take, before a plan that is so at odds with that intent, to catch the ire of the government. As some legal scholars watching the issue have noted, we will eventually find out whether the Obama administration will attempt to use nondiscrimination arguments to put a stop to skinny plans. All the more reason to have that “Plan B” ready.

Cybersecurity Risks, Leaks, and Securities Litigation

In the wake of the Edward Snowden and Bradley Manning information leaks, it is important for companies to consider the ramifications that leaked information can mean to your enterprise when the unforeseen happens. Digital information has not only become easier to access and store but also  much easier to leak. In their search for efficiency many businesses unwittingly put themselves in a very exposed position when it comes to cyber security. The situation is exacerbated without a proper cyber-risk management strategy of proper controls, policies, and if need be appropriate methods of risk transference through insurance.

The true complexities associated with cyber – liabilities start to take form when you consider that at stake may not only be company sensitive information, private client data, and trade secrets, but also the reputation of the company and those that do business with it. A recent article in PRWeek discusses how Booz Allen is having to fight massive reputation damage in relation to the NSA leak by former employee Edward Snowden. Booz Allen quickly made a public statement – “News reports that this individual has claimed to have leaked classified information are shocking, and if accurate, this action represents a grave violation of the code of conduct and core values of our firm. We will work closely with our clients and authorities in their investigation of this matter”.

This was not enough for Wall Street as Booz Allen shares dropped Monday on news that the leaker was associated with the company. The Associated Press printed :

NEW YORK  Shares of Booz Allen Hamilton Holding Corp. (BAH) fell on Monday, after the company’s employee, Edward Snowden, stepped forward as the person who last week leaked information about secret government surveillance programs to several news media outlets.

Shares fell 76 cents, or 4.2 percent, to $17.24 in morning trading. That’s closer to the high end of the stock’s 52-week trading range of $11.85 to $19.23.

Not only did this leak cause a monumental problem to the national security of the country but we must now consider the BAH shareholders who were financially impacted due to this security breach. In October 2011, the SEC’s Division of Corporate Finance issued “Disclosure Guidance” on cybersecurity related issues. Among other things, the Guidance clarified that the agency expects companies to disclose the risk of cyber incidents among their “risk factors” in their periodic filings and also expects companies to disclose material cybersecurity breaches in their Management Discussion and Analysis. Subsequently one can expect failure to promptly disclose a cyber breach may put a company at risk of facing formal SEC investigations, shareholder class actions, or derivative lawsuits to which having applicable insurance coverage may provide protections.

Kevin LaCroix of the D&O Diary, a periodic journal containing discussions about Directors and Officers liability issues, writes:

In addition to the risk of SEC enforcement action, companies experiencing cyber breaches also face the possibility of a securities class action lawsuit. However, the memo notes, a company experiencing a cyber breach “will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company’s share price.” In that respect, it is worth noting that several high profile companies announcing cyber breaches have not experienced a significant drop in their stock price following the announcement. (For example, recent announcements by Facebook, Apple and Microsoft that they have been the target of sophisticated cyber attacks did not affect the companies’ share prices.) Nevertheless, it seems likely that at least some companies experiencing cyber breaches or subject to cyber attacks will also suffer a drop in their share price, and “thus result in securities class action litigation.” 

Although this can be quite troubling to most enterprises, it is not news that cybersecurity risks represent a significant concern for just about every company involved in the current economy. It is becoming more obvious that discussions pertaining to cyber-liabilities and how to manage these risks in a holistic manner will be heating up over the next year as we become more aware to the associated perils.

Study Shows Cyber Insurance Utilization Low

A recent article by Anya Khalamayzer cited that based on a Willis North American reporty, more than HALF of the Fortune 500 believe their firms would be seriously harmed by a cyber-attack. With increased cloud computing adoption, more and more small to mid sized businesses are finding themselves in situations similar to their Fortune 500 counterparts. In October of 2011, the Securities and Exchange Commission (SEC) issued guidance to U.S. listed companies to provide extensive disclosure on cyber exposures.

Ann Longmore, who is an executive vice president with Willis North America and co-author of the report said “D&O liability risk may be heightened for companies that experience cyber breaches if cyber risk disclosures are deemed not to meet SEC standards and a significant loss were to occur. This may be especially true if peers have provided more detailed disclosure.” Obviously the SEC feels that companies are not doing a good job of disclosing their exposure level for cyber-liability to their shareholders.

While most companies will fall outside of the scope of the SEC guidance, it is no less important to note the damage that can be caused by a cyber attack on a middle market company. Data is one of your most important assets yet it is not covered by standard property insurance policies. The loss of critical archive data, billing files, proposals, or other hard to replace data can be a crippling blow to a company. While data security is important to many companies, it is not the only asset  that needs to be considered.  Critical electronic systems or equipment crashing can be incredibly detrimental to a business. Imagine Point of Sale systems crashing during the holiday season, or the loss of revenue associated with that system’s  downtime.

Right now, most businesses just don’t understand the perils associated with  cyber integration. Mainly this is because it is not as tangible as a fire, flooding, or employee injuries. This does not make it any less real. It is also reasonable to note that 15 percent of the Willis study group said that they do not have the resources to protect themselves from critical attacks. Usually the costliest risks are the one’s never appreciated or considered fully. This is why I implore business owners really take stock into how bad it can be if things do go south, and realistically determine the impact a liability loss would cause them.

I believe as more companies get “plugged in” we will see a rise in losses associated with these types of risks. These experiences will become part of IT consciousness  and owners, directors, and department heads will demand ways to protect themselves; it will be our job as risk consultants to educate them as to the tools available to mitigate this new and evolving risk.