
A Critical Analysis on Insurers and Third-Party Administrators (TPAs) Being Called Data Fiduciaries

1. ABSTRACT

Insurers and Third-party Administrators (TPAs) grapple with intricate challenges as designated data fiduciaries. Amidst increasing regulatory scrutiny and evolving consumer expectations, they confront the delicate balance between data protection and operational efficiency. This abstract delves into the complexities insurers and TPAs face as they navigate the landscape of data fiduciary responsibilities, examining the strategies employed and the implications for both the industry and consumers. Understanding and effectively addressing these challenges are crucial for maintaining trust, ensuring compliance, and fostering innovation in the insurance sector.

2. Introduction: A Brief Background

The digital age has progressed by introducing the DPDP Act[1]. This act came into effect on August 11th, 2023, and has caused significant upheaval in all industries, including the health and insurance industry, which is responsible for safeguarding customer data as data fiduciaries.

This digital revolution no doubt enhances the efficiency of the health and insurance sector, including the intermediaries involved. Still, the real challenges arise in using and handling customers’ data in terms of privacy and security.

With data privacy laws already put in place by the Indian Government under the IT Act[2] and the Information Technology Rules[3] (Lawyers Associated World Wide, 2023), and now the DPDP Act[4], the Insurance Regulatory and Development Authority (“IRDAI”) has also laid down its own frameworks, which are to be followed by the insurance industry, including its Third Party Administrators (TPAs).

As the world shifts towards transparency, security, protection and accountability of information and data, much attention is drawn to the insurance sector, TPAs and intermediaries, where the implementation of the IT Act[5] and data protection laws affects the various stakeholders through penalties if they are found non-compliant.

In today’s digital age, data has become the lifeblood of industries, and the insurance sector is no exception. With the proliferation of information and the advent of advanced analytics, insurers and TPAs find themselves in a unique position as guardians of vast amounts of sensitive data. However, this role comes with its own set of challenges, particularly in the realm of data protection and privacy regulations.

Various data protection laws globally enshrine the concept of a data fiduciary, which places a significant responsibility on entities that collect, process, and store personal data. Insurers and TPAs handle a treasure trove of personal and financial information, and they are termed data fiduciaries tasked with safeguarding the privacy and security of that data.

One of the foremost challenges faced by insurers and TPAs in fulfilling their role as data fiduciaries is the ever-evolving landscape of data privacy regulations. Laws such as the GDPR[6] in the European Union and the CCPA[7] (Whitepapers and Ebooks, n.d.) impose stringent requirements for collecting, processing, and sharing personal data. Compliance with these regulations demands significant workforce and technology resources, posing a considerable challenge for insurers and TPAs, particularly smaller entities with limited resources.

Moreover, the nature of insurance operations inherently involves exchanging sensitive information with various stakeholders, including policyholders, healthcare providers, and regulatory bodies. This interconnected ecosystem amplifies the complexity of data management and introduces additional vulnerabilities that could compromise data security.

3. Role of TPAs and Intermediaries

TPAs act as coordinators between the insurer and the hospital or insured in the claim settlement process. Using emerging technologies, they collect customer data during their investigation process, in which they examine the customer’s historical health data in depth before any claim is processed or settled. Companies constantly seek efficiency, cost-effectiveness, and seamless operations in today’s intricate business landscape. Many turn to Third-Party Administrators (TPAs) and intermediaries to achieve these goals. However, it is crucial to understand their roles and how they contribute to business success. Let us delve into this intricate web of operations and explore the significance of TPAs and intermediaries.

However, IRDAI, through its regulatory framework, ensures that TPAs and other intermediaries involved in collecting customer data comply with the IRDAI regulations prescribed from time to time for protecting the customer’s or policyholder’s information and any other data shared with the TPAs or intermediaries.

Firstly, let’s clarify what TPAs and intermediaries entail.

a. Third-Party Administrators (TPAs): These entities specialize in managing specific operational tasks or processes on behalf of other organizations. They provide claims processing, benefits administration, and risk management services. TPAs serve as outsourced extensions of a company’s operations, offering expertise and efficiency in handling particular functions. TPAs play a pivotal role in streamlining operations for businesses across various industries. Here’s how:

i. Specialized Expertise: TPAs often possess specialized knowledge and resources in specific areas such as insurance claims processing, employee benefits management, or healthcare administration. By leveraging their expertise, businesses can improve these critical functions’ accuracy, efficiency, and compliance.

ii. Cost Savings: Outsourcing tasks to TPAs can result in significant cost savings for organizations. Rather than allocating resources to develop and sustain internal competencies for specific functions, businesses can utilize TPAs on a pay-for-service basis, reducing overhead costs and enhancing financial efficiency.

iii. Risk Management: TPAs play a crucial role in risk management by ensuring compliance with regulations, minimizing errors, and optimizing processes. Whether managing insurance claims or overseeing compliance with healthcare regulations, TPAs help mitigate risks associated with operational tasks, thereby safeguarding businesses’ interests.

iv. Enhanced Focus: By delegating specific tasks to TPAs, businesses can redirect their focus and resources towards core activities that drive growth and innovation. It enables organizations to retain a competitive advantage in their respective industries while ensuring trusted third-party experts efficiently manage essential operational functions.

b. Intermediaries: Intermediaries act as liaisons between parties in a transaction or business relationship. They facilitate communication, negotiation, and sometimes even transactions between buyers and sellers or service providers and clients. Depending on the context of the business interaction, intermediaries can take various forms, including brokers, agents, consultants, or advisors. Intermediaries serve as essential facilitators in various business transactions and relationships. Here is how they contribute:

i. Market Access: Intermediaries allow businesses to access broader markets by leveraging their networks and connections. They play a crucial role in facilitating market entry and expansion strategies, connecting suppliers with buyers, and helping companies expand into new territories.

ii. Negotiation and Mediation: Intermediaries excel in negotiation and mediation, helping parties navigate complex transactions and resolve conflicts amicably. Their impartiality and expertise enable them to bridge gaps, facilitate communication, and foster mutually beneficial agreements between parties.

iii. Risk Mitigation: Intermediaries assist businesses in mitigating transaction risks by providing insights, due diligence, and risk assessment services. Whether evaluating potential partners or ensuring compliance with regulatory requirements, intermediaries help businesses navigate risk factors effectively.

iv. Value Addition: Beyond transactional facilitation, intermediaries add value through advisory services, market insights, and strategic guidance. By leveraging their industry knowledge and expertise, intermediaries empower businesses to make informed decisions and capitalize on emerging opportunities.

TPAs and intermediaries play indispensable roles in modern business operations, offering specialized expertise, facilitating transactions, and mitigating risks. Understanding the nuances of their roles is essential for leveraging their full potential and gaining a competitive advantage in the marketplace.

4. Regulatory Frameworks

IRDAI has made it necessary that all insurers, TPAs, and intermediaries comply with its regulatory framework, as prescribed, to ensure the security and confidentiality of data, in addition to the framework laid down under the IT Act[8] and the SPDI[9] Rules. Some critical regulations laid down by the IRDAI are listed below:

I. GOVERNING INSURANCE COMPANIES:

Some key regulations that insurance companies need to comply with are:

a. As per Regulations 3(3) (b) and 3(9) of IRDAI Regulations 2015[10], insurers must ensure that their system for maintaining policy and claim records has adequate security features. Additionally, insurers must store records of policies issued and claims made in India, including those held in electronic form, in properly maintained data centers located within India.

b. Under Regulation 35(c) of IRDAI Regulations 2016[11], insurers, third-party administrators (TPAs), and network providers (e.g., hospitals) are required to comply with data-related matters as may be specified in guidelines prescribed by the IRDAI (if any).

c. Under Regulation 19(5) of IRDAI Regulations 2017[12], insurers must maintain total confidentiality of policyholder information unless disclosing it to statutory authorities is legally necessary.

d. According to Regulation 12 of IRDAI Regulations 2017[13], insurers have to ensure that:

• The outsourcing service provider has appropriate security policies in place to safeguard the confidentiality and security of policyholder information.
• Information and data shared with outsourcing service providers remain confidential.
• Once the outsourcing agreement is terminated, customer data will be retrieved, and the service provider will not be allowed to use it again.

II. GOVERNING INTERMEDIARIES

Intermediaries play a crucial role in the insurance sector. They act as a link between customers and insurance companies by helping customers choose and buy insurance products, managing policies, and assessing claims. The primary intermediaries in the insurance sector are Brokers, Individual Agents, Corporate Agents, TPAs, Surveyors, Loss Assessors, and Web Aggregators. Intermediaries such as insurance agents and brokers are entrusted with confidential information, and they must ensure that this information is protected in accordance with the data protection and confidentiality regulations prescribed by the IRDAI.

Each intermediary is subject to its own regulations and code of conduct, as outlined in the table below. However, the data protection provisions for policyholders are the same for all intermediaries. Surveyors and loss assessors are not allowed to use confidential information for their own benefit or that of a third party.

The IRDAI Regulations Of 2016[14] specifically require TPAs to refrain from disclosing the personal information of customers they receive while servicing insurance policies or claims.

5. Should the Insurer or the TPAs be Called Direct Data Fiduciaries?

It is debatable whether the insurer or the TPAs will be regarded as, or have the status of, data fiduciaries. This can only be established through the agreement executed between the insurer and the TPAs, in which the fiduciary status of the TPAs or the insurers must be clearly outlined and acknowledged. There are certain situations where the TPAs disclaim or limit their fiduciary status.

According to the DPDP Act[15], a data fiduciary is someone who, alone or with others, determines the purpose and means of processing personal data. It could be an individual, a company, a firm, an association, a group of individuals (even if unincorporated), the state itself, or any artificial juristic person. It is important to note that an entity can only be identified as a data fiduciary if it is found that the insurer or the TPA determines the purpose and means of processing the data.

Both insurers and Third-Party Administrators (TPAs) are crucial in handling sensitive personal data related to insurance policies and claims. Determining who should be the direct data fiduciary can vary on a case-to-case basis and depends on the jurisdiction.

i. Insurers: Insurers typically collect a wide range of personal information from policyholders, including medical history, financial details, and other personal data necessary for underwriting and claims processing. As such, insurers often act as custodians of this data and are responsible for ensuring its confidentiality, integrity, and proper use. They have a legal and ethical obligation to handle this data securely and transparently.

ii. Third-Party Administrators (TPAs): TPAs are entities contracted by insurers to handle certain administrative functions related to insurance policies and claims processing. While TPAs may not own the insurance policies themselves, they often have access to policyholders’ data to manage claims, provide customer service, and perform other administrative tasks. As such, TPAs also have responsibilities regarding protecting and properly handling this data.

6. Steps and Measures that Need to be Implemented or Taken to Avoid Being Called Data Fiduciaries

The status of insurers and TPAs remains questionable as long as they are unaware of the facts below; they can be regarded as data fiduciaries as long as they lack a standard operating procedure or process map within their organisation. The key ways in which they can avoid being called data fiduciaries are highlighted below:

I. Data Handling and Protection:

Ensuring the confidentiality and security of personal data collected from policyholders and claimants involves implementing a comprehensive approach encompassing various measures. Here are some critical steps that insurance companies and TPAs typically need to take:

a. Data Encryption: All sensitive data, including personal information, should be encrypted in transit and at rest. Encryption algorithms render data unreadable to unauthorized users without the encryption keys, providing a crucial layer of protection.

b. Secure storage: Personal data should be stored in secure databases or servers protected by firewalls, intrusion detection/prevention systems, and other security measures. Security software and patches should be regularly updated to address vulnerabilities and prevent unauthorized access.

c. Employee Training: Comprehensive training programs should educate employees about best data security practices, the importance of safeguarding personal data, and how to recognize and respond to security threats like phishing attacks. Regular awareness campaigns reinforce the significance of data confidentiality and security.

d. Data Minimization: The organization should only collect and retain data necessary for business purposes. Implement data minimization strategies to reduce the risk of storing excessive amounts of sensitive information, limiting exposure during a breach.

e. Regular Audits and Monitoring: Insurers and TPAs must conduct regular audits of data security practices, systems, and access logs to identify and address vulnerabilities or non-compliance issues promptly. They must also implement continuous monitoring solutions to detect and respond to security incidents in real time, minimising the impact of potential breaches.

f. Incident Response Plan: Insurers and TPAs should develop a robust incident response plan outlining procedures to follow (The Real Cost of a Data Breach, n.d.) during a data breach or security incident. Establish clear lines of communication, roles, and responsibilities for responding to and mitigating the impact of breaches. Promptly notify affected individuals, regulatory authorities, and stakeholders as the law requires.

g. Vendor Management: If third-party vendors are involved in (Pinnacle Building Services, n.d.) processing personal data, insurers and TPAs should conduct due diligence assessments to ensure they adhere to stringent security standards. Contracts and agreements should include specific security requirements to hold vendors accountable for protecting personal data.

h. Compliance with Regulations: Insurers and TPAs need to ensure that they comply with the relevant data protection laws, such as the GDPR, CCPA, DPDP Act, and the IT Act and its rules. They should obtain explicit consent from individuals before collecting their data and provide transparency regarding data usage and processing practices.

By implementing these measures and continuously evaluating and improving data security practices, insurance and TPA companies can effectively safeguard the confidentiality and security of personal data collected from policyholders and claimants, maintaining trust and compliance with regulatory requirements.

II. Data retention and deletion:

Insurance companies usually develop their own policies and procedures for data retention and purging, ensuring compliance with applicable laws and regulations. These policies often involve retaining customer data for a certain period for regulatory and business purposes and then securely purging it when it is no longer needed. It is to be further noted that the IT Rules 2011, framed under the IT Act, provide guidelines on this.

IRDAI[16] has issued the Third Party Administrators (TPA) Regulations, 2016, which govern the operations of TPAs in India’s insurance sector. These regulations guide various aspects of TPA operations, including data management.

However, the TPA Regulations do not explicitly outline specific data retention and purging provisions. Instead, TPAs are generally required to comply with data protection and privacy laws, including those specified by IRDAI and other relevant authorities. TPAs are typically responsible for handling policyholders’ and claimants’ sensitive personal and health-related data.
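The data minimisation, audit logging and retention-and-purge measures described in sections 6.I and 6.II above are usually stated as policy; the following added example (not code from the article or from any insurer, TPA or regulator) shows what they look like when built into a claims record store. It assumes a constructed set of claim fields, a placeholder retention period of seven years (the article cites no figure), and a constructed pseudonymisation key; the record key is an HMAC-SHA256 pseudonym of the policy number so that logs and exports never carry the raw number. Encryption at rest is deliberately not shown, because it belongs to a vetted library rather than a stdlib illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Fields the claims workflow actually needs. Anything else submitted with a
# claim is dropped at intake (data minimisation). Field names are constructed
# for this example, not taken from any real TPA system.
ALLOWED_CLAIM_FIELDS = frozenset(
    {"policy_no", "claimant_name", "diagnosis_code", "claim_amount", "hospital_id"}
)

# Assumed placeholder: the real period comes from the insurer's retention
# policy and the applicable IRDAI rules, not from this example.
RETENTION_DAYS = 7 * 365


@dataclass
class ClaimRecord:
    record_id: str      # keyed-hash pseudonym of the policy number
    data: dict
    received_on: date


class ClaimStore:
    """In-memory store applying minimisation, pseudonymous record keys,
    retention-based purging and an append-only access log."""

    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key
        self._records: dict[str, ClaimRecord] = {}
        self.audit_log: list[dict] = []

    def pseudonym(self, policy_no: str) -> str:
        # HMAC-SHA256 under a secret key: the same policy always maps to the
        # same id, but the id cannot be reversed without the key. Logs and
        # reports reference this id instead of the raw policy number.
        return hmac.new(self._key, policy_no.encode(), hashlib.sha256).hexdigest()[:16]

    def ingest(self, submitted: dict, received_on: date, actor: str) -> tuple[str, list[str]]:
        """Store a claim, keeping only the allowed fields.
        Returns the record id and the sorted names of the dropped fields."""
        dropped = sorted(k for k in submitted if k not in ALLOWED_CLAIM_FIELDS)
        kept = {k: v for k, v in submitted.items() if k in ALLOWED_CLAIM_FIELDS}
        record_id = self.pseudonym(kept["policy_no"])
        self._records[record_id] = ClaimRecord(record_id, kept, received_on)
        self._log("ingest", actor, record_id, dropped_fields=dropped)
        return record_id, dropped

    def read(self, record_id: str, actor: str, purpose: str) -> dict | None:
        """Every read is logged with who accessed the record and for what purpose."""
        self._log("read", actor, record_id, purpose=purpose)
        rec = self._records.get(record_id)
        return None if rec is None else dict(rec.data)

    def purge_expired(self, today: date, actor: str) -> list[str]:
        """Delete records older than the retention period; returns the purged ids."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = [rid for rid, rec in self._records.items() if rec.received_on < cutoff]
        for rid in expired:
            del self._records[rid]
            self._log("purge", actor, rid)
        return expired

    def count(self) -> int:
        return len(self._records)

    def _log(self, action: str, actor: str, record_id: str, **extra) -> None:
        self.audit_log.append({"action": action, "actor": actor, "record_id": record_id, **extra})


def run_demo(today: date = date(2024, 5, 1)) -> dict:
    """Runs two constructed sample claims through the store and returns the results."""
    store = ClaimStore(pseudonym_key=b"demo-only-key-replace-in-production")
    old_id, _ = store.ingest(
        {"policy_no": "POL-0001", "claimant_name": "A. Sharma", "diagnosis_code": "J18",
         "claim_amount": 42000, "hospital_id": "H-17"},
        received_on=today - timedelta(days=RETENTION_DAYS + 10), actor="intake-service")
    new_id, dropped = store.ingest(
        {"policy_no": "POL-0002", "claimant_name": "B. Rao", "diagnosis_code": "K35",
         "claim_amount": 15000, "hospital_id": "H-03",
         # over-collected fields that the claim does not need
         "employer_name": "Example Pvt Ltd", "marital_status": "married"},
        received_on=today - timedelta(days=3), actor="intake-service")
    store.read(new_id, actor="claims-adjuster-7", purpose="claim adjudication")
    purged = store.purge_expired(today, actor="retention-job")
    return {
        "dropped_fields": dropped,
        "purged": purged,
        "old_id": old_id,
        "new_id": new_id,
        "remaining": store.count(),
        "audit_actions": [e["action"] for e in store.audit_log],
        "raw_policy_in_log": any("POL-" in str(e) for e in store.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module shows the over-collected fields being dropped at intake, the seven-year-old record being purged by the retention job while the recent one survives, and an audit trail in which every ingest, read and purge is attributed to an actor without the raw policy number ever appearing in it. The same structure (allow-list on intake, keyed pseudonym as the record key, dated purge, attributed log) is what an auditor checking the article's section 6.I(d) and (e) and section 6.II controls would expect to see evidence of.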

III. Data transparency and consent:

Transparency and clarity are paramount in informing policyholders and claimants about the collection and use of their personal data. Insurers and TPAs should clearly set out their policies and procedures in easily accessible public documents on their websites, such as privacy policies, terms of service, or consent forms.

Informing policyholders and claimants about the collection and use of their data involves clear communication, obtaining explicit consent, implementing robust data protection measures, and respecting individuals’ rights. This enables insurance companies to build trust with their customers and demonstrate their commitment to (Ethony, 2023) protecting their privacy.

IV. Data breach response:

Responding to a data breach or security incident (Atchuup, n.d.) requires a structured and swift approach to mitigate the impact and maintain trust with affected individuals and regulatory authorities. Complying with the applicable data protection laws and regulations is essential when notifying affected individuals and regulatory authorities. Notifications should be timely and transparent, and guiding the affected parties should be the next vital step.

In some jurisdictions, insurers and the TPAs must notify regulatory authorities within a specified timeframe after discovering a data breach. The specific requirements again vary depending on the nature of the breach and applicable laws.

Overall, a proactive and transparent approach to incident response will help the insurers and the TPAs to mitigate the impact of a data breach and maintain trust with affected individuals and regulatory authorities.

V. Data Governance and Accountability:

Within an organization, the responsibility for overseeing data protection and privacy matters typically falls under the purview of several key roles and departments, which work collaboratively to ensure the comprehensive protection of personal data. These include the CISO[17], the DPO[18] and the Privacy Officer, and extend to the IT security team, legal team, compliance team, HR and the executive leadership team.

These roles and departments work together to establish a culture of privacy and security (Garcia, 2023) within the organization, implement appropriate safeguards for personal data, and ensure compliance with regulatory requirements. Collaboration and communication among these stakeholders are essential for adequate data protection and privacy management.

7. Conclusion

The main aim of the regulations is to promote good data management practices and uphold customer confidence in the insurance industry. Companies should view these regulations as an opportunity not only to comply but also to gain customers’ trust and an advantage over their competitors. It is noteworthy that the IRDAI (Third Party Administrators – Health Services) Regulations of 2016 prohibit third-party administrators from disclosing any data or personal information relating to customers that they receive while servicing insurance policies or claims.

However, such information may be shared where legally required, with the consent of the provider, before any court, tribunal, government, or the IRDAI.

In many regulatory frameworks, insurers and TPAs are subject to data protection laws and regulations that (DDG Office, n.d.) outline their obligations as data controllers or processors. Insurers and TPAs are expected to implement appropriate security measures, ensure data security and privacy, and respect individuals’ rights over their data.

In summary, insurers and TPAs can be direct data fiduciaries to varying extents, depending on their roles and responsibilities in handling personal data within the insurance ecosystem. However, the precise designation may be subject to legal interpretation and vary across jurisdictions and regulatory frameworks.

8. References

Atchuup, n.d. Data Security Made Simple: Easy Steps To Keep Your Information Safe. [Online] Available at: https://www.atchuup.com/data-security-made-simple-easy-steps-to-keep-your-information-safe/ [Accessed 23 April 2024].

DDG Office, n.d. Benefits of Securely Wiping and Disposing of Old IT Equipment. [Online] Available at: https://ddgoffice.com/benefits-of-securely-wiping-and-disposing-of-old-it-equipment/ [Accessed 19 April 2024].

Ethony, 2023. Building Consumer Trust through Ethical AI Automation and Copywriting. [Online] Available at: https://techanta.com/building-consumer-trust-through-ethical-ai-automation-and-copywriting/ [Accessed 23 April 2024].

Garcia, C., 2023. How to Ensure HIPAA Compliance and Avoid Penalties?. [Online] Available at: https://www.calhipaa.com/ensuring-hipaa-compliance-and-avoiding-penalties/ [Accessed 22 April 2024].

Lawyers Associated World Wide, 2023. A DAWN OF A NEW ERA FOR DATA PROTECTION IN INDIA by King Stubb & Kasiva, Advocates & Attorneys. [Online] Available at: https://www.lawyersworldwide.com/news/a-dawn-of-a-new-era-for-data-protection-in-india-by-king-stubb-kasiva-advocates-attorneys/ [Accessed 19 April 2024].

Pinnacle Building Services, n.d. Creating a Safe Work Environment: Essential Safety Protocols for Facilities Managers. [Online] Available at: https://www.pbsofmidohio.com/elementor-1832/ [Accessed 23 April 2024].

Riva, S., 2022. Understanding Application Security Testing And Its Components. [Online] Available at: https://www.dplmagazine.it/understanding-application-security-testing-and-its/ [Accessed 23 April 2024].

The Real Cost of a Data Breach, n.d. DigitalWell. [Online] Available at: https://digitalwell.com/blogs/revealed-the-real-cost-of-a-data-breach/ [Accessed 23 April 2024].

Whitepapers and Ebooks, n.d. Exclaimer. [Online] Available at: https://exclaimer.com/white-papers-ebooks/data-privacy-marketing/ [Accessed 18 April 2024].

[1] Digital Personal Data Protection Act (“DPDP”) of 2023

[2] Information Technology Act, 2000

[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)

[4] Ibid 1

[5] Ibid 2

[6] General Data Protection Regulation

[7] California Consumer Privacy Act 2018

[8] Ibid 2

[9] Ibid 3

[10] IRDAI (Maintenance of Insurance Records) Regulations, 2015

[11] IRDAI (Health Insurance Regulations), 2016

[12] IRDAI (Protection of Policyholders’ Interests) Regulations, 2017

[13] IRDAI (Outsourcing Of Activities By Indian Insurers) Regulations, 2017

[14] IRDAI (Third Party Administrators) Regulations Of 2016

[15] Ibid 1

[16] Ibid 15

[17] Chief Information Security Officer

[18] Data Protection Officer
