WellPoint's Patrick McIntyre on anti-fraud analytics partnerships
FierceHealthPayer: Anti-Fraud: What are some key features insurers can look for that characterize high-value fraud detection software? For example, some products claim to "blend analytics with rules." Others are marketed as "fully-integrated solutions." What's important from a performance/bang-for-the-buck perspective?
Patrick McIntyre: Flexibility in the offering is important. I believe strongly that you need a blend of built-in analytics and an ability to build your own rules.
We have very specific contracts with providers, for example, and some of the claim edit tools we use affect what claims looks like when they come out. So there are custom detection paths we must build, and we need flexibility for that.
I use an 80/20 rule: If we can buy a product that gives us 80 percent of what we need in packaged analytics, that's good. Down to 70 percent or up to 90 percent is an acceptable range, but I want to be able to create custom rules specific to our needs. I look for that in any data analytics capabilities we purchase.
The other key feature for fraud and abuse detection is whether you can move the capability to the front end to work on a prepayment basis. Capabilities that can do that move to the top of our list, while those that can't generally aren't viable solutions.
FHPAF: Do you recommend doing an information security risk management assessment on potential vendors and/or their products before contracting? Why or why not?
McIntyre: We absolutely must do that. Information security is paramount today. Information service providers that don't have an air-tight information security risk management process aren't viable partners.
Routinely monitoring security procedures for data and information sharing is a minimum requirement we have for external vendors. Besides assessing on the front end if vendors have the right types of security and controls in place, I also recommend ongoing assessments and audits. Do these at least annually, and even more often to ensure that controls still work in view of changes to business, analytic or data processes.
As we enhance these internally, we modify the basic foundational beta structure of core systems. All data feeds going downstream into different analytic environments must be continually monitored to ensure we're still meeting information security requirements.