Federal Register of Legislation - Australian Government

Primary content

Rules/Other as made
This rule amends the Private Health Insurance (Insurer Obligations) Rules 2009 to establish an Outsourcing Standard which requires private health insurers to comply with minimum requirements if entering into, renewing or renegotiating an outsourcing arrangement.
Administered by: Health
Registered 10 Jul 2012
Tabling HistoryDate
Tabled HR14-Aug-2012
Tabled Senate14-Aug-2012
Date of repeal 19 Mar 2014
Repealed by Health (Spent and Redundant Instruments) Repeal Regulation 2014

Commonwealth Coat of Arms

Private Health Insurance (Insurer Obligations) Amendment Rule 2012 (No. 1)1

Private Health Insurance Act 2007

The Private Health Insurance Administration Council makes the following rule under section 333-25 of the Private Health Insurance Act 2007.

Dated 9 July 2012

 

LYNN RALPH

Commissioner of Private Health Insurance Administration


1              Name of rule

                This rule is the Private Health Insurance (Insurer Obligations) Amendment Rule 2012 (No. 1).

2              Commencement

                This rule commences as follows:

                (a)    sections 1 to 3 and item [4] of Schedule 1—on the day after it is registered;

               (b)    the remainder—on the later of:

                          (i)    the day after registration; and

                         (ii)    1 October 2012.

3              Amendment of Private Health Insurance (Insurer Obligations) Rules 2009

                Schedule 1 amends the Private Health Insurance (Insurer Obligations) Rules 2009.


Schedule 1        Amendments

(section 3)

  

[1]           Rule 4

insert

outsourced service provider has the meaning given by rule 4A.

outsourcing arrangement has the meaning given by rule 4A.

Outsourcing Standard means the standard set out in Schedule 4.

[2]           After rule 4

insert

4A           Outsourcing arrangements

         (1)   In these Rules, outsourcing arrangement means an arrangement between a private health insurer and another party (the outsourced service provider), including an entity within the insurer’s corporate group, under which the outsourced service provider agrees to perform, on a continuing basis, an activity that is:

                (a)    currently undertaken, or could be undertaken, by the insurer itself; and

               (b)    a material business activity of the insurer.

         (2)   For the meaning of outsourcing arrangement, an activity is a material business activity if the activity has the potential, if disrupted, to have a significant impact on the insurer’s business operations or the insurer’s ability to manage risks effectively.

         (3)   For subsection (2), the following factors must be considered in determining if an activity is a material business activity:

                (a)    the financial, operational, regulatory or reputational impact of a failure of the outsourced service provider to perform the activity;

               (b)    the cost of the outsourcing arrangement as a share of management expenses;

                (c)    the difficulty, including the time taken, in finding an alternative outsourced service provider or bringing the business activity in-house;

               (d)    potential losses to the insurer’s policy holders and other affected parties in the event of the failure of the outsourced service provider to perform the activity.

Examples of material business activities

Activities that are material business activities include the following:

(a)     an outsourcing arrangement under which an outsourced service provider agrees to provide to the insurer a management function or significant human resource function of the insurer;

(b)      a benefit claims processing service;

(c)     a service relating to the negotiation of contracts for hospital treatment and general treatment;

(d)      an internal audit function.

[3]           After rule 12

insert

13            Outsourcing Standard

                Schedule 4 sets out the Outsourcing Standard.

[4]           Schedule 2, after section 10

insert

Part 3          Exemptions and modifications by Council

11            Exemptions and modifications by Council

                The Council may, on written application by a private health insurer or on its own initiative, in writing:

                (a)    exempt the insurer from all or specified provisions of this Standard; or

               (b)    modify the application of specified provisions of this Standard in relation to the insurer.

[5]           After Schedule 3

insert

Schedule 4        Outsourcing Standard

(rule 13)

Part 1          Outsourcing policy

1              Outsourcing policy

         (1)   A private health insurer must have an outsourcing policy.

         (2)   The insurer’s outsourcing policy must:

                (a)    be approved by the board of the insurer; and

               (b)    require the insurer, when assessing options to outsource a material activity to a third party outside of the insurer’s corporate group, to do the things mentioned in subsection (3); and

                (c)    require the insurer, when assessing options to outsource a material activity to an entity within the insurer’s corporate group, to do the things mentioned in subsection (4).

         (3)   When assessing options to outsource a material business activity to a third party outside of the insurer’s corporate group, the insurer must:

                (a)    prepare a business case, for the purpose of allowing the insurer to make an informed decision on the merits of any new, or renegotiated, outsourcing arrangement; and

               (b)    undertake a tender process or other selection process for service providers; and

                (c)    undertake a due diligence review of the chosen provider; and

               (d)    involve the board, relevant board committee or officer of the insurer with delegated authority from the board, in the decision; and

                (e)    develop appropriate monitoring and renewal processes, including criteria for service levels; and

                (f)    establish dispute resolution procedures; and

               (g)    develop contingency planning, to address a situation in which the outsourced service provider is unable to continue to provide the service; and

               (h)    ensure that the terms of the outsourcing arrangement are set out, in writing, in a legally binding agreement.

         (4)   When assessing options to outsource a material activity to an entity within the insurer’s corporate group, the insurer must consider:

                (a)    the ability of the outsourced service provider to undertake the activity cost effectively and on an ongoing basis; and

               (b)    any changes in the risk profile of the insurer that arise from outsourcing the activity within the group and how the changes will be addressed within the insurer’s existing risk management framework; and

                (c)    the monitoring procedures required to ensure that the outsourced service provider is performing effectively; and

               (d)    how any ineffective or inadequate performance by the outsourced service provider would be addressed.

Part 2          Outsourcing monitoring processes

2              Risk management

         (1)   A private health insurer must, for each material business activity that is subject to an outsourcing arrangement:

                (a)    conduct a risk assessment; and

               (b)    develop and implement risk controls that address any risks identified in the risk assessment; and

                (c)    regularly report to the board on the status of the risks that have been identified and the effectiveness of the risk controls that have been developed and implemented.

         (2)   The insurer must establish procedures to ensure that all of the insurer’s business units are aware of, and comply with:

                (a)    the outsourcing policy mentioned in section 1; and

               (b)    any risk controls that are developed and implemented as a result of a risk assessment mentioned in subsection (1).

3              Monitoring arrangements

         (1)   A private health insurer must monitor its outsourcing arrangements.

         (2)   The monitoring must include:

                (a)    regular contact with the outsourced service provider, under the outsourcing arrangement; and

               (b)    monitoring of the outsourced service provider’s performance against agreed service levels, set out in the outsourcing arrangement.

4              Council access to information held by outsourced service providers

         (1)   An outsourcing arrangement must include a requirement that the outsourced service provider allow the Council access to documentation and information related to the outsourcing arrangement with the private health insurer.

         (2)   The Council may request an outsourced service provider to allow the Council access to any documentation and information, or premises of the service provider, related to the outsourcing arrangement with the insurer.

         (3)   The Council must not request information from an outsourced service provider under subsection (2) unless:

                (a)    the Council has first made the same request of the insurer; and

               (b)    the insurer has not provided the information that the Council requires.

         (4)   An outsourced service provider must comply with a request by the Council under subsection (2).

         (5)   The insurer must take all reasonable steps to ensure that an outsourced service provider does not disclose to any other person that the Council has sought access to the service provider’s information or premises, except to the extent necessary to conduct business with an insurer that is an existing client of the service provider.

Part 3          Notification requirements

5              Offshore outsourcing

         (1)   A private health insurer must, before entering into an outsourcing arrangement to be performed outside of Australia:

                (a)    notify the Council, in writing, of the proposed outsourcing arrangement; and

               (b)    provide the Council with the risk assessment and risk controls developed under section 2.

         (2)   If the Council is not satisfied that the risk management for a proposed outsourcing arrangement mentioned in subsection (1) is adequate, the Council may require the insurer to make other arrangements for the performance of the activity that is the subject of the proposed outsourcing arrangement.

6              Disclosure requirements

         (1)   A private health insurer must, within 28 days, notify the Council, in writing, if the insurer enters into an outsourcing arrangement.

         (2)   If an outsourcing arrangement is terminated, the insurer must, within 28 days of the outsourcing arrangement being terminated:

                (a)    notify the Council, in writing, that the outsourcing arrangement has been terminated; and

               (b)    give the Council, in writing, details about the transition arrangements and future strategies for carrying out the activity that was the subject of the outsourcing arrangement.

         (3)   If the termination of an outsourcing arrangement may result in a significant or unexpected disruption to a material business activity, the obligations of the insurer under this section are in addition to any notification requirement under the Disclosure Standard.

Part 4          Exemptions and modifications by Council

7              Exemptions and modifications by Council

                The Council may, on written application by a private health insurer or on its own initiative, in writing:

                (a)    exempt the insurer from all or specified provisions of this Standard; or

               (b)    modify the application of specified provisions of this Standard in relation to the insurer.

Part 5          Transitional

8              Transitional

         (1)   On the commencement of this Standard, a private health insurer that is not able to comply with all of the provisions of the Standard must, in writing to the Council:

                (a)    identify the provisions of the Standard with which the insurer is not able to comply; and

               (b)    specify a date by which the insurer expects to be able to comply with the identified provisions.

         (2)   The Council must, after considering information provided by the insurer under subsection (1), set a date for compliance by the insurer with the identified provisions and tell the insurer, in writing, of the date.

Note   The date set by the Council under subsection (2) need not be the same date as the date specified by the insurer under paragraph (1) (b).

         (3)   However, an outsourcing arrangement that is in place on the commencement of this Standard is not subject to the requirements of this Standard, unless the arrangement is renewed or renegotiated.


Note

1.       All legislative instruments and compilations are registered on the Federal Register of Legislative Instruments kept under the Legislative Instruments Act 2003. See www.comlaw.gov.au.