Director's Duty of Care to Monitor Information Systems in HMOs: Some Lessons from the Oxford Health Plan
O'Byrne, Mary E., Journal of Law and Health
Directors of "for profit" and "nonprofit" health maintenance organizations (HMOs), like all corporate directors, are subject to the duty of care in their oversight of the business. This duty extends over business performance as well as compliance with applicable laws and regulations. Within the scope of this duty is the responsibility for attentive oversight of the corporation's information systems.
Directors may be held personally liable for business losses stemming from the failure to meet their duty of care. Most states apply the gross negligence standard when evaluating directors' conduct. This standard reflects the statutory and judicial views that corporate goals, and those of the nation's economy, are best served by a degree of risk-taking that may be greater than that of the prudent person. Only where directors' actions are based in self-dealing, fraud or are found to be wholly lacking in good faith will courts find conduct which constitutes gross negligence.
The art and science of managed care for the majority of health maintenance. organizations (HMOs) is wholly dependent on the plan's automated information systems. HMOs are distinctive for the volume, variability and volatility of the data on which they rely to conduct business. This degree of reliance makes effective information systems a fundamental prerequisite for the HMO's success. Indeed, "[c]ompetition, employer concerns over costs, and government awareness of health care budgets are merely bit players in a drama that has information systems technology as the central character.(2)
The HMO's information management task is prodigious. The major areas of information requirements: membership, provider contracts, utilization review and claims payment -- each in themselves complex - require a seamless integration in order to manage care effectively, run a business profitably, and comply with myriad external reporting requirements. It is common for HMOs to utilize multiple information systems, running the different business applications, e.g., enrollment and billing, claims and authorizations, and utilization review and case management, on separate operating software and hardware.(3) In this paper, the terms "information system" and "systems" are used to refer generally to all of the computer based or automated business functions of an organization.
HMOs and other health insurers are subject to substantial state and federal regulatory requirements. Publicly traded companies must also comply with the rules of the Securities Exchange Commission (SEC) and the securities exchange markets on which the stock is traded. Violations of these requirements carry the risk of substantial fines, exclusion from government entitlement programs, criminal sanctions and delisting from the trading exchanges. Compliance with these requirements is heavily dependent on the quality and integrity of the HMO's information systems.
Information systems have evolved from an expense item to a strategic investment in the future of the company.(4) Although the health care industry lags others in the extent of information systems investment, spending by managed care companies on information systems is about 2% of revenues and growing.(5) Considering the scale of the larger HMOs such as Kaiser Permanente and the combined Blue Cross Blue Shield HMOs, the information system investment can be enormous. Kaiser, for example, plans on spending $1.5 billion to upgrade its information systems over the next four years.(6)
Given this scale of investment, the centrality of information systems to the success of an HMO, the obligation of regulatory compliance, plus the attention now focused on the year 2000 "millenium bug" problem,(7) information systems are clearly a major area of concern and oversight by corporate directors. This paper analyzes the role of information systems in HMOs and the nature of the HMO directors' duty of care in monitoring the integrity of the information systems to determine when directors may be held personally liable for losses suffered by the corporation when the systems collapse. …