August 2021 – In this edition of Gibson Talks, Matthew LaGanke, a compliance executive recruiter at Gibson Consultants, and Russ Matuszak, Vice President of Compliance, Privacy, and Equity at Highmark Blue Cross Blue Shield, sat down to discuss the long-term view of compliance. Looking ahead, Russ shares his perspective on the issues facing compliance, the opportunities for growth, and the remote work environment.

Q: What is the biggest issue you see facing compliance over the next five years?

I think there will be one continued risk and one that is becoming more prevalent in the compliance arena. Third-party risk will continue to be a focus for regulators and, in turn, compliance programs. There has been a lot of talk about third-party risk over the past few years, and I believe it will continue to be at the forefront of compliance issues. It has been an increasing focus of regulators to ensure appropriate oversight and risk management of third-party activities. Health care payers can’t provide everything they need or want on their own to give the best experience for members, and often there is expertise and efficiency that third parties can provide. You only need to look at the headlines to see the most significant privacy risk involving third parties. Regulators are also becoming more focused on ensuring the covered entity is managing risk and providing compliance oversight. If not on the third parties themselves, I expect there to be continued focus on health plans that need to provide appropriate oversight.

The second risk that I think will be more prevalent shortly is environmental, social, and governance (ESG) risk. Health plans are already focusing on social determinants of health. Regulators are also already helping the health insurance industry focus on other ESG risks by requiring analysis of associated environmental risks on your business at all levels and requiring appropriate reporting and oversight by the Board. As an example, the New York State Department of Financial Services recently created a regulatory framework for climate risk. The NYSDFS issued a Circular Letter and draft guidance requiring insurers to take climate change into considerations when considering financial risks. This is not something that has been considered by health insurers historically. From a compliance perspective, whenever the insurer or health plan has a regulatory requirement, that exact regulatory requirement must be followed by downstream vendors the insurer uses, which circles us back to the continually evolving third-party risk management issue.

Q: Now that more businesses are adopting a permanent approach to a more significant remote workforce, how will the remote work environment impact compliance programs long term?

During the pandemic, businesses adapted quickly to a remote workforce from an operational perspective, but, in my opinion, compliance programs may not have adapted to the remote workforce as quickly. More and more businesses are announcing that they are taking a more hybrid approach to their workforce, with onsite employees in a brick-and-mortar location and offsite employees at home. And, although many businesses allowed periodic work-from-home days, not many had full-time remote work approaches for a significant portion of their staff. That is now rapidly changing. Compliance programs will need to adapt as well. For insurers, a remote workforce presents many new environments that they cannot assess physically. Data privacy is critical, and a physical environment that can’t be controlled poses a significant risk. For example, an employee working at home may be doing so through a secure virtual desktop (VDI), but a family member or partner could be looking over their shoulder while viewing PHI or PII or sitting nearby off-camera while discussing PHI or PII over a video conference. So technology controls will be essential, but more frequent training and other important reminders may help mitigate some risks. But it’s not just a technology and data issue.

Incident response plans, business continuity plans, internal investigations, fraud prevention, and engagement of employees with the compliance program are some of the other potential risks lurking in a remote world.

Compliance programs are not just about policies. There are many other elements of a compliance program, and Compliance Officers should focus on how to better adapt to the hybrid work environment. The compliance focus during the year and a half was about staying afloat and learning as individuals how to work remotely for an extended time. Now we must figure out a long-term approach to compliance in a hybrid work-from-anywhere approach.

Q: What area of compliance or privacy do you think will continue to evolve and become more refined over the next few years?

Data Ethics. Insurers collect a lot of very personal data about individuals. Many laws and regulations force ethical obligations upon insurers to be good stewards of that data, especially when it comes to disclosures, use, and protection of the information they receive.

However, data is evolving, especially with more artificial intelligence (AI) tools becoming more prevalent. Health plans are already very focused on data analytics in the furtherance of helping to improve health care for members. Machine learning algorithms may lead to creating other types of data, which certainly can benefit improvements in health care but might not always be beneficial to the people whose data is being analyzed. The immediate question to ask is what data is needed and why it is needed.

Algorithms should only gather the minimum information necessary. In addition, if not created carefully, unintentional bias in an algorithm can also create serious harm to a population.

The health care industry must learn to balance interests and goals and be thoughtful and objective to be better stewards of this information and act ethically.

About the Participants

Russ Matuszak was most recently Vice President,  Compliance, Privacy, and Ethics at Highmark BlueCross BlueShield of Western New York and Highmark BlueShield of Northeastern New York. A seasoned corporate attorney and former general counsel, his core expertise is in corporate governance, litigation management, business contracts, healthcare law, project implementations, compliance, and privacy. At Highmark BlueCross BlueShield of Western New York and Highmark BlueShield of Northeastern New York, Russ was also the Chief Compliance and Privacy Officer and the Interim Chief Audit Executive. Connect with him on LinkedIn

Matthew LaGanke is an executive recruiter at Gibson Consultants and focuses on Compliance. His team works with managed care organizations such as Medicare Advantage, Medicaid, PACE, Special Needs Plans, ACA, and commercial plans.