Data analytics is at work every time Amazon tells a customer he or she may want to buy a product, each time Facebook recommends a resource page, and when a life insurance company assesses risk and sets rates for potential policyholders. It’s an area governed by layers of laws and rules that are impacting the highly regulated insurance industry in a significant way.
THIS ARTICLE PROVIDES PRACTICAL GUIDANCE FOR ATTORNEYS on managing data analytics in the insurance industry. It focuses on data related to complaints, claims, call centers, privacy, and security. Rules and regulations on how companies need to keep specific types of data are also discussed.
The Health Insurance Portability and Accountability Act, the New York Department of Financial Services Cyber Security Rule, and the General Data Protection Regulation speak to an insurer’s obligation to make sure that data is protected from cybersecurity threats and that breaches of data are properly and timely reported. Specific types of data that are governed by these rules include protected health information (PHI), personally identifiable information (PII), and personal financial information (PFI). These rules and regulations do not speak to the collection of data or how an insurer may use the data.
Although legislators and regulators have addressed these issues, they are beyond the scope of this article. Insurance companies analyze their data and look for ways to provide a better customer service experience, streamline processes, create efficiencies, reduce claims and complaints, and detect and reduce fraud.
A consistent, repeatable process should be outlined and defined to clearly articulate the process for collecting data and to help ensure data that is collected may be accurately measured, analyzed, and assessed. If all employees charged with collecting and reporting on data are not following the same process and data is not collected on a regular basis and for a specified period of time (e.g., quarterly or monthly), then measuring and analyzing the data will not work. Specificity, clear definitions, and a consistent, repeatable process are imperative.
State rules and regulations require authorized insurance companies to maintain a complaints policy and procedure and designate a department within the company to manage complaints. Management of customer complaints by the designated department should also include management of complaints data. Analyzing complaints can speak to broader issues and concerns with respect to company processes, complaint response timeliness, claim denials, and overall customer service and satisfaction.
The most effective way to analyze complaints data is by outlining a clear and consistent repeatable process. A complaint must be defined and then universally agreed upon by all business areas. All communications meeting the definition of a complaint are then reported using a centralized database. Database reports are generated regularly using specific categories. The results are reviewed and analyzed, helping to identify trends that may provide insight into the company, its policies, and procedures.
Adding a data analyst proficient in Structured Query Language (SQL) will assist the department in organizing and outlining how complaints data will be gathered, reviewed, and analyzed. SQL is a programming language used to run analytical queries and manage relational databases.
Categories for organizing complaints data for review and analysis include:
Analyzing these fields may help identify trends in the way the company handles complaints in addition to targeting where greater resources may need to be provided. Examples of discoveries made during data analysis can include:
A centralized reporting system and a complaints policy that clearly defines a complaint and complainant are essential, especially if you are looking to provide metrics on complaints data. Analyzing data and providing metrics without a centralized approach and clear policy will not add value and will not provide accurate data or reliable insights.
In addition to reviewing and analyzing customer complaints, you should also look at internal complaints received through human resources (HR) and through an ethics hotline and/or portal. HR complaints should be centralized with a policy on reporting HR complaints. HR complaints should be categorized by fields including age, gender, nature of the complaint including harassment, and employee terminations. A series of complaints related to a specific individual may speak to employee behavior that violates company policy.
A policy on sexual harassment and a system for reporting such complaints is essential. Analyzing that data may speak to broader concerns with the company culture. The data may only be effectively analyzed if the system for reporting this data is consistent and repeatable.
If you would like to measure claim denials and appeals, a centralized policy for reporting claim denials and appeals should be established. Claim denials and appeals may be categorized by:
These are just a few of the categories the claims team may wish to use for collecting and analyzing data. For this data to be properly scrubbed, reviewed, and analyzed, the process for collecting and reporting the claims data must be consistent and repeatable. Adding a data analyst proficient in SQL will assist the department in organizing and outlining how claims data will be gathered, reviewed, and analyzed.
Examples. Many claim denials in a specific geographic area over a certain period of time may speak to a coverage concern (e.g., was a policy incorrectly issued). Many complaints related to how the claim was handled may speak to the claims analyst’s ability and knowledge. This may prompt the company to look at its training program and perhaps provide additional training and education to ensure claims analysts understand the policy, coverage, and how to adjust claims.
Call center employees should be trained, and data received through the call center should be centralized and collected consistently and repeatedly. Call center employees must operate under the same definitions and processes. Call center data may be categorized in several ways including by:
Adding a data analyst proficient in SQL will assist the department in organizing and outlining how call center data will be gathered, reviewed, and analyzed.
Examples. If a large number of calls are reported shortly after the new year and related to the issuance of a new policy, the calls may speak to a processing or coverage error. Repeated calls regarding a customer call center representative may speak to the call center representative’s professionalism and/or lack of product understanding. Both scenarios afford the company an opportunity to address the expressed concerns before the matter gains external traction—perhaps preventing a matter from trending and thus mitigating company reputational harm.
A privacy breach is the loss of, unauthorized access to, or disclosure of personal information. Privacy breaches occur when personal information is lost, stolen, or inadvertently shared. A privacy breach can also happen because of faulty business procedures or operational breakdowns. Like the processes outlined for complaints and call centers, privacy data reporting should follow a consistent and repeatable process. Questions you should ask include:
Collecting privacy data consistently and repeatedly over a specified period will allow the incidents and breaches to be accurately analyzed and interpreted. Adding a data analyst proficient in SQL will assist the privacy department in organizing and outlining how privacy data will be gathered, reviewed, and analyzed. If a number of reports from a specific region surface, you may be able to assess why the privacy incident or breach occurred and take corrective action quickly. Privacy incidents and breaches should be reported through a centralized repository. The categories for privacy incidents and breaches may include:
Example. If you received many complaints claiming a breach of PII from the same geographic region and yet there is no indication of any type of systematic error leading to a privacy breach, the breach may be an internal one by a rogue employee. The company may need to look at the security controls around the data and who has access and who should have access to information.
Unlike a privacy breach, which involves personal information, a security breach or security violation is an act from inside or outside an organization that bypasses or contravenes security policies, practices, or procedures. Security incidents should follow the same process for collection of data. Is there a clearly defined policy for reporting security incidents with a clear definition of a security incident? Do employees know where and how to report security incidents? The incidents should be reported on a consistent basis through a centralized repository. Adding a data analyst proficient in SQL will assist the department in organizing and outlining how security data will be gathered, reviewed, and analyzed. Categories for security incidents may include:
A data analyst should produce reports on the data on a regular basis to allow the security data to be analyzed and assessed.
Data may be used to analyze and assess company policies and efficiencies, company behavior, and patterns of conduct. Clearly drafted data analysis policies can help to ensure that the approach to the collection of data is consistent, thereby yielding data that may be analyzed for trends and broader company issues and concerns. A company best practice is to utilize a data analytics specialist to collate the data and present the findings on an agreed-upon regular basis for further analysis and assessment. Companies may try to standardize collection of data across the company, enabling the company to paint an even broader picture and allowing the company to, over time, follow and address trends.
Attorneys managing data need to understand how data can assist companies in providing greater efficiencies, helping to reduce claims and complaints, detect fraud, and curtail privacy and security incidents. The key is creating a successful program and implementing a consistent, repeatable process. Data can only be analyzed and used to create metrics if the process is the same each time and the data is collected on a regular basis.
To find this article in Lexis Practice Advisor, follow this research path: Insurance > Trends and Insights > Practice Notes