Prudential standard

HPS 231 Outsourcing

  • Private health insurance
  • Current
    1 July 2015 – 30 June 2025
Prudential framework pillars
Risk Management
Operational Risk
Supporting

About this standard

This standard requires a private health insurer to manage risks from outsourced business activities. Private health insurers must maintain an outsourcing policy, conduct risk assessments and meet notification requirements. Private health insurers must consult or notify APRA about specific outsourcing agreements.

This standard supports CPS 220 Risk Management, which is a core standard in the Risk Management Pillar. It applies to all private health insurers.

Objectives and key requirements of this Prudential Standard

This Prudential Standard sets out minimum requirements for outsourcing of a private health insurer’s business activities.
The key requirements of this Prudential Standard are that:
  • a private health insurer must have an outsourcing policy approved by the board of the insurer;
  • a private health insurer must consider a number of factors when assessing options to outsource a material business activity to a third party outside of the insurer’s corporate group;
  • a private health insurer must, for each material business activity that is subject to an outsourcing arrangement, conduct a risk assessment, develop and implement risk controls that address any risks identified and regularly report to the board on the status of the risks;
  • a private health insurer must monitor its outsourcing arrangements;
  • a private health insurer must include a requirement that the outsourced service provider allow APRA access to documentation and information related to the outsourcing arrangement with the private health insurer; and
  • a private health insurer must meet certain notification requirements.
Preamble

Health Insurance (prudential standard) determination No. 4 of 2015

Prudential Standard HPS 231 Outsourcing

Private Health Insurance (Prudential Supervision) Act 2015
I, Ian Laughlin, delegate of APRA under subsection 92(1) of the Private Health Insurance (Prudential Supervision) Act 2015 DETERMINE Prudential Standard HPS 231 Outsourcing in the form set out in the Schedule, which applies to all private health insurers.
This instrument takes effect on the day the Private Health Insurance (Prudential Supervision) Act 2015 commences.
Dated: 26 June 2015
[Signed]
Ian Laughlin
Deputy Chairman
Interpretation
In this Determination:
APRA means the Australian Prudential Regulation Authority.
Private health insurer has the meaning given in section 4 of the Act.

Schedule

Prudential Standard HPS 231 Outsourcing comprises the 7 pages commencing on the following page.

Prudential Standard HPS 231

Outsourcing

Authority

1. This Prudential Standard is made under subsection 92(1) of the Private Health Insurance (Prudential Supervision) Act 2015 (the Act).

Application

2. This Prudential Standard applies to all private health insurers, except where expressly noted otherwise.
3. All private health insurers have to comply with this Prudential Standard in its entirety, unless otherwise expressly indicated.
4. This Prudential Standard takes effect on the day the Private Health Insurance (Prudential Supervision) Act 2015 commences.

Interpretation

5. Terms that are defined in Prudential Standard HPS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
6. Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.
7. Unless otherwise indicated, the term health benefits fund will be used to refer to a health benefits fund of a private health insurer, as relevant.
[1] Refer to subsection 92(1) of the Act.

Outsourcing policy

8. A private health insurer must have an outsourcing policy.
9. The private health insurer’s outsourcing policy must:
  • be approved by the board of the private health insurer; and
  • require the private health insurer, when assessing options to outsource a material activity to a third party outside of the private health insurer’s corporate group, to do the things mentioned in paragraph 10; and
  • require the private health insurer, when assessing options to outsource a material activity to an entity within the private health insurer’s corporate group, to do the things mentioned in paragraph 11.
10. When assessing options to outsource a material business activity to a third party outside of the private health insurer’s corporate group, the private health insurer must:
  • prepare a business case, for the purpose of allowing the private health insurer to make an informed decision on the merits of any new, or renegotiated, outsourcing arrangement; and
  • undertake a tender process or other selection process for service providers; and
  • undertake a due diligence review of the chosen provider; and
  • involve the board, relevant board committee or officer of the private health insurer with delegated authority from the board, in the decision; and
  • develop appropriate monitoring and renewal processes, including criteria for service levels; and
  • establish dispute resolution procedures; and
  • develop contingency planning, to address a situation in which the outsourced service provider is unable to continue to provide the service; and
  • ensure that the terms of the outsourcing arrangement are set out, in writing, in a legally binding agreement.
[2] Outsourcing arrangement is defined in paragraph 12.
11. When assessing options to outsource a material activity to an entity within the private health insurer’s corporate group, the private health insurer must consider:
  • the ability of the outsourced service provider to undertake the activity cost effectively and on an ongoing basis; and
  • any changes in the risk profile of the private health insurer that arise from outsourcing the activity within the group and how the changes will be addressed within the private health insurer’s existing risk management framework; and
  • the monitoring procedures required to ensure that the outsourced service provider is performing effectively; and
  • how any ineffective or inadequate performance by the outsourced service provider would be addressed.

Outsourcing arrangement

12. In this Prudential Standard, outsourcing arrangement means an arrangement between a private health insurer and another party (the outsourced service provider), including an entity within the private health insurer’s corporate group, under which the outsourced service provider agrees to perform, on a continuing basis, an activity that is:
  • currently undertaken, or could be undertaken, by the private health insurer itself; and
  • a material business activity of the private health insurer.
13. For the meaning of outsourcing arrangement, an activity is a material business activity if the activity has the potential, if disrupted, to have a significant impact on the private health insurer’s business operations or the private health insurer’s ability to manage risks effectively.
14. For paragraph 13, the following factors must be considered in determining if an activity is a material business activity:
  • the financial, operational, regulatory or reputational impact of a failure of the outsourced service provider to perform the activity;
  • the cost of the outsourcing arrangement as a share of management expenses;
  • the difficulty, including the time taken, in finding an alternative outsourced service provider or bringing the business activity in house; and
  • potential losses to the private health insurer’s policy holders and other affected parties in the event of the failure of the outsourced service provider to perform the activity.
15. Examples of activities that are material business activities include the following:
  • an outsourcing arrangement under which an outsourced service provider agrees to provide to the private health insurer a management function or significant human resource function of the private health insurer;
  • a benefit claims processing service;
  • a service relating to the negotiation of contracts for hospital treatment and general treatment; and
  • an internal audit function.

Risk management

16. A private health insurer must, for each material business activity that is subject to an outsourcing arrangement:
  • conduct a risk assessment; and
  • develop and implement risk controls that address any risks identified in the risk assessment; and
  • regularly report to the board on the status of the risks that have been identified and the effectiveness of the risk controls that have been developed and implemented.
17. The private health insurer must establish procedures to ensure that all of the insurer’s business units are aware of, and comply with:
  • the outsourcing policy mentioned in paragraphs 8 to 11 inclusive; and
  • any risk controls that are developed and implemented as a result of a risk assessment mentioned in paragraph 16.

Monitoring arrangements

18. A private health insurer must monitor its outsourcing arrangements.
19. The monitoring must include:
  • regular contact with the outsourced service provider, under the outsourcing arrangement; and
  • monitoring of the outsourced service provider’s performance against agreed service levels, set out in the outsourcing arrangement.

APRA access to information held by outsourced service providers

20. An outsourcing arrangement must include a requirement that the outsourced service provider allow APRA access to documentation and information related to the outsourcing arrangement with the private health insurer. It must also include a requirement allowing APRA to access the premises of the outsourced service provider in relation to the outsourcing arrangement if APRA considers this necessary in its role as prudential supervisor.
21. APRA may request an outsourced service provider to allow APRA access to any documentation and information, or premises of the service provider, related to the outsourcing arrangement with the private health insurer.
22. APRA must not request information from an outsourced service provider under paragraph 21 unless:
  • APRA has first made the same request of the private health insurer; and
  • the private health insurer has not provided the information that APRA requires.
23. The private health insurer must take all reasonable steps to ensure that an outsourced service provider does not disclose to any other person that APRA has sought access to the service provider’s information or premises, except to the extent necessary to conduct business with a private health insurer that is an existing client of the service provider.

Offshore outsourcing

24. A private health insurer must, before entering into an outsourcing arrangement to be performed outside of Australia:
  • notify APRA, in writing, of the proposed outsourcing arrangement; and
  • provide APRA with the risk assessment and risk controls developed under paragraphs 16 and 17.
25. If APRA is not satisfied that the risk management for a proposed outsourcing arrangement mentioned in paragraph 24 is adequate, APRA may require the private health insurer to make other arrangements for the performance of the activity that is the subject of the proposed outsourcing arrangement.

Disclosure requirements

26. A private health insurer must, within 28 days, notify APRA, in writing, if the private health insurer enters into an outsourcing arrangement.
27. If an outsourcing arrangement is terminated, the private health insurer must, within 28 days of the outsourcing arrangement being terminated:
  • notify APRA, in writing, that the outsourcing arrangement has been terminated; and
  • give APRA, in writing, details about the transition arrangements and future strategies for carrying out the activity that was the subject of the outsourcing arrangement.
28. If the termination of an outsourcing arrangement may result in a significant or unexpected disruption to a material business activity, the obligations of the private health insurer under paragraph 27 are in addition to any notification requirement under Prudential Standard HPS 350 Disclosure to APRA.

Adjustments and exclusions

29. APRA may, by notice in writing to a private health insurer, adjust or exclude a specific requirement in this Prudential Standard in relation to that private health insurer.

Transition arrangements

30. Any approval, determination or other exercise of discretion by PHIAC under Schedule 4 – Outsourcing Standard (the PHIAC outsourcing standard) of the Private Health Insurance (Insurer Obligations) Rules 2009 as they existed prior to 1 July 2015 will continue to have effect following 1 July 2015 as though exercised pursuant to a corresponding power under this Prudential Standard. In particular, exemptions or modifications made by PHIAC under section 7 of the PHIAC outsourcing standard, and in force immediately before 1 July 2015, continue in effect as if determined under paragraph 29 of this Prudential Standard.
31. However, an outsourcing arrangement that was in place on the commencement of the PHIAC outsourcing standard is not subject to the requirements of this Prudential Standard, unless the arrangement is or has been renewed or renegotiated after the commencement of the PHIAC outsourcing standard.
32. An outsourcing arrangement that was in place on the commencement of this Prudential Standard is not subject to the requirements of the second sentence of paragraph 20 (which relates to access to the premises of the outsourced service provider) unless the arrangement is or has been renewed or renegotiated after the commencement of this Prudential Standard.