Director's duty of care to monitor information systems in HMOs: some lessons from the Oxford Health Plan.

Author: O'Byrne, Mary E.


Directors of "for profit" and "nonprofit" health maintenance organizations (HMOs), like all corporate directors, are subject to the duty of care in their oversight of the business. This duty extends over business performance as well as compliance with applicable laws and regulations. Within the scope of this duty is the responsibility for attentive oversight of the corporation's information systems.

Directors may be held personally liable for business losses stemming from the failure to meet their duty of care. Most states apply the gross negligence standard when evaluating directors' conduct. This standard reflects the statutory and judicial views that corporate goals, and those of the nation's economy, are best served by a degree of risk-taking that may be greater than that of the prudent person. Only where directors' actions are based in self-dealing, fraud or are found to be wholly lacking in good faith will courts find conduct which constitutes gross negligence.

The art and science of managed care for the majority of health maintenance organizations (HMOs) is wholly dependent on the plan's automated information systems. HMOs are distinctive for the volume, variability and volatility of the data on which they rely to conduct business. This degree of reliance makes effective information systems a fundamental prerequisite for the HMO's success. Indeed, "[c]ompetition, employer concerns over costs, and government awareness of health care budgets are merely bit players in a drama that has information systems technology as the central character."(2)

The HMO's information management task is prodigious. The major areas of information requirements -- membership, provider contracts, utilization review and claims payment, each in itself complex -- require seamless integration in order to manage care effectively, run a business profitably, and comply with myriad external reporting requirements. It is common for HMOs to utilize multiple information systems, running the different business applications, e.g., enrollment and billing, claims and authorizations, and utilization review and case management, on separate operating software and hardware.(3) In this paper, the terms "information system" and "systems" are used to refer generally to all of the computer-based or automated business functions of an organization.

HMOs and other health insurers are subject to substantial state and federal regulatory requirements. Publicly traded companies must also comply with the rules of the Securities Exchange Commission (SEC) and the securities exchange markets on which the stock is traded. Violations of these requirements carry the risk of substantial fines, exclusion from government entitlement programs, criminal sanctions and delisting from the trading exchanges. Compliance with these requirements is heavily dependent on the quality and integrity of the HMO's information systems.

Information systems have evolved from an expense item to a strategic investment in the future of the company.(4) Although the health care industry lags others in the extent of information systems investment, spending by managed care companies on information systems is about 2% of revenues and growing.(5) Considering the scale of the larger HMOs such as Kaiser Permanente and the combined Blue Cross Blue Shield HMOs, the information system investment can be enormous. Kaiser, for example, plans on spending $1.5 billion to upgrade its information systems over the next four years.(6)

Given this scale of investment, the centrality of information systems to the success of an HMO, the obligation of regulatory compliance, plus the attention now focused on the year 2000 "millennium bug" problem,(7) information systems are clearly a major area of concern and oversight by corporate directors. This paper analyzes the role of information systems in HMOs and the nature of the HMO directors' duty of care in monitoring the integrity of the information systems to determine when directors may be held personally liable for losses suffered by the corporation when the systems collapse.

Section I addresses in general the nature of the corporate director's duty of care to monitor business performance. Section II considers the requirements of finding a director liable for negligence in failing to meet this duty. Section III gives an overview of the HMO industry's dependence on information systems. Section IV focuses specifically on the recent experience of the Oxford Health Plan. Section V discusses the potential liability of an HMO's board in light of the events at Oxford and applicable legal standards for the director's duty of care in monitoring. Section VI concludes with observations on the limits to directors' liability.


    The structure of corporations is governed largely by state law. "Corporations are creatures of state law and it is state law which is the font of corporate directors' powers."(8) Although some states base their corporate laws on the Revised Model Business Corporation Act (RMBCA) and others, such as Delaware and Maryland, have their own distinctive corporate codes, all states require that corporations be managed under the direction of a board of directors.(9)

    In broad terms, the board of directors is responsible for the conduct of the business. In a large corporation, typically the day to day management responsibilities are delegated to the executive and other senior staff. This delegation does not release the directors from responsibility to oversee the actions of management.(10)

    All corporate boards are accountable to certain groups. In a publicly owned corporation, the directors answer to the shareholders.(11) In a mutual benefit corporation accountability runs to the members.(12) In public benefit or religious corporations the state of incorporation, typically in the person of the attorney general, speaks for the beneficiaries under the doctrine of parens patriae, and may call the corporation's directors to account.(13)

    Accountability may take different forms. A director may be voted out of office by shareholders or members if they do not approve of the director's performance.(14) Although a director cannot act on behalf of the corporation as an individual (unless the director is also an officer of the corporation) a director may be personally liable for failing to carry out her fiduciary duties. The usual vehicle for finding personal liability is a derivative suit, brought by shareholders(15) or members(16) on behalf of the corporation against the directors and officers. Such cases typically sound in negligence, alleging that the directors' conduct fell short of the duties of loyalty or care and as a result the corporation was harmed. These cases can result in substantial damages awards against directors.(17) Corporations typically indemnify their directors by terms of the corporate bylaws or charters and acquire Directors and Officers liability insurance for this purpose.(18)

    The specific roles and responsibilities of directors are not enumerated in great detail in corporation codes; rather, the size and nature of the business will influence what exactly the board will do. The role of the director is largely one of monitoring, for example reviewing financial statements and other reports and overseeing compliance with local, state and federal laws, punctuated by relatively few decisions. One commentator characterizes the balance as ninety percent monitoring and ten percent decision-making.(19) According to Newton Minow, former member of the Federal Commerce Commission and director of Sara Lee, Manpower and Aon, two of the most important decisions directors make are selecting a new chief executive officer and "figuring out what to do when the place is in trouble."(20) This observation appears to overlook the importance of the board's decision about how to evaluate the CEO. The choice of evaluation criteria, for example, long term versus short term results, may affect whether the corporation gets into trouble in the first place. The board will be involved in both the beginning and ending of any major corporate initiative, such as an acquisition or divestiture,(21) as well as any "material transactions affecting the assets of the enterprise."(22)

    While the specific activities of directors may vary greatly based on the business, all boards share certain responsibilities. Directors are fiduciaries. The qualities of fiduciary duty have brought forth stirring descriptions in legal opinions in keeping with the weight of obligation the fiduciary shoulders. "Many forms of conduct permissible in a workaday world for those acting at arm's length, are forbidden to those bound by fiduciary ties. A trustee is held to something stricter than the morals of the marketplace. Not honesty alone, but the punctilio of an honor the most sensitive, is then the standard of behavior."(23)

    Implicit in the obligations of the fiduciary are the twin duties of loyalty and care.(24) These standards, derived from over a century of litigation, apply equally to business and nonprofit corporations.(25) The duty of loyalty requires the director to put the interests of the corporation first and her own interests last. The duty of care, the focus of this article, speaks to how a director carries out her job. Defining the duty of care with precision has proven a challenge to commentators, judges and regulators. The RMBCA adopts general standards for a director's performance: to act in good faith, with the care an ordinarily prudent person in a like position would exercise, and in a manner reasonably expected to be in the best interests of the corporation.(26) The official comment to the RMBCA notes that the elements and circumstances of the director's duty of care, referenced as an element of the business judgment rule, "are continuing to be developed by the courts."(27)

    1. Duty of Care

      In spite of the general terms of...
