Gaining access to patient data is one of the biggest bugbears for health insurers across the globe.
Where providers can access this data, customers can benefit from smoother underwriting processes and cheaper insurance.
Getting consent from the customer makes all the difference – but restrictions to this data abound across the globe – not just in the UK. And there is evidence that they are being enforced more stringently.
The risk for the customer is that these restrictions lead to poorer outcomes due to elongated underwriting processes and claims journeys.
Cost drivers
“Data restrictions may limit insurers’ ability to drill into specific cost drivers, which could shed light on whether a customer’s health issues are acute or chronic, the result of genetics, environmental influences, or personal choices,” Michelle Bishop, global practice leader, multinational benefits and mobility at Gallagher, tells Health & Protection.
“As a result, it may become more challenging for insurers to create an accurate assessment of a client’s health and liability profile.”
UK strict on health data access
This challenge is particularly acute in the UK, according to Peter Lurie, managing director at Proactive Medical & Life.
“The UK is strict on health data access, making it harder for insurers to get the info they need for underwriting and risk assessment,” Lurie says.
“GDPR, NHS rules, and privacy concerns are all tightening the grip. Claiming this data takes time and effort.
“The NHS is the toughest to crack,” Lurie continues.
“Getting access to patient records is heavily restricted, even when it could help insurers provide better policies or support claims.”
In terms of the impact, Lurie maintains that it “slows everything down”.
“Claims can take longer, pricing becomes more of a guessing game, and insurers can’t offer personalised policies because they don’t have enough info,” Lurie says.
Data collection complications in the Middle East
But complications with collecting health data are not the preserve of only the UK as Amber Musson-Thorp, commercial director for Middle East and Africa (MEA) (GM Qatar) health and insurance sector at Lifecare International, points out.
“Looking at the IPMI space, most large insurers operationalise their service centre by region anyway,” Musson-Thorp continues.
“But what’s interesting is that it’s not just keeping data within region, it can be specific to each territory which can lead to local- and government-owned organisations requesting data privacy to neighbouring GCC [Gulf Cooperation Council] countries,” she adds.
“That’s coming up even before the regulation is in place.
“For the larger insurers, this is easily tacked via their network and fronting solutions, but this may become an issue for ‘offshore’ non-admitted insurers to comply now or as this progresses.”
Consent is key
Most of these complications evaporate however, where customer consent is secured.
“With consent, and also via private facilities things may be more easy or there may be more flexibility,” Lurie says.
In terms of how this consent is secured, for Kieran Brown, managing director UK at SIP Medical Family Office, this is gained at the start of the process.
“When we get appointed to looking at a client, we’re mandated right from the very beginning for the explicit medical consent of the individual,” Brown explains.
“It’s so that if we have to call into the insurer we can demonstrate that’s provided from the very beginning. So that’s something that we make a point of.
“For example, if you’ve got somebody who’s got their insurance in place, we get what’s called a letter of appointment or a mandate. When our clients sign that mandate, it’s not just a case of appointing us, it also gives us their explicit medical consent. So it serves two purposes.
“Most of the time that means we don’t have too much of an issue, but most brokers are probably not getting too involved with the claims administration whereas we get quite heavily involved.”
GDPR complications
While gaining consent can help matters, General Data Protection Regulation (GDPR), introduced in 2018, continues to create complications.
William Cooper, marketing director at William Russell, reports existing data protection regulations are being enforced more stringently.
“For example, gradual entrenchment of GDPR principles is challenging the long-standing assumption that a policyholder can collect and communicate medical data on behalf of dependants,” Cooper says.
“This has, for example informed our design approach to our application forms, which enforce a separation between adult insured members in terms of data collection and sharing.”
GDPR is non-negotiable
Compounding the situation, as Gallagher’s Bishop points out – these requirements are non-negotiable.
“They will have measurable impacts on how insurers do business and the kind of business they can write,” Bishop says.
“In short, tighter data controls will make data administration a more complex task for insurers,” she continues.
“The upshot of this is that the cost of administration will increase for clients. We may also see that insurers are more limited in what they can include in their data reporting.
“In many cases, data protection regulations for medical records will vary depending on the jurisdiction, and so it may prove difficult for data holders to share relevant and timely personal information to inform a customer’s medical treatment.
“Naturally, this would pose a real problem for expatriates.
“In terms of underwriting, the regulations on health data will make it more difficult to identify the potential areas of leverage for cost containment. This will hamper underwriters, reducing their ability to forecast and offer competitive pricing.
“As a result, we may see medical inflationary rates rise as a precautionary measure.”
More stringent processes expected
But the bad news, according to Cooper, is that now that the data protection genie is out of the bottle by way of European legislation, processes are only likely to become even more stringent around the world.
“Most countries seem to model their approaches on Europe’s GDPR,” Cooper says.
“This may make processes such as onboarding and renewal rather onerous for health insurers.
“For example, it’s foreseeable that insurers will have to issue separate certificates of insurance for each adult insured member to prevent the disclosure of sensitive medical information about insured dependants to the policyholder (or vice versa) without express consent.”
