This excerpt taken from the UNH 10-K filed Feb 11, 2009.
Federal Laws and Regulation
We are subject to various levels of federal regulation. Ovations and AmeriChoice Medicare and Medicaid businesses are regulated by CMS. CMS has the right to audit performance to determine compliance with CMS contracts and regulations and the quality of care being given to Medicare beneficiaries. Our Health Care Services reporting segment, through AmeriChoice and Ovations, also has Medicaid and SCHIP contracts that are subject to federal regulations regarding services to be provided to Medicaid enrollees, payment for those services, and other aspects of these programs. There are many regulations surrounding Medicare and Medicaid compliance. When we contract with the federal government, we are subject to federal laws and regulations relating to the award, administration and performance of U.S. Government contracts. In addition, the portion of Ingenix's business that includes clinical research is subject to regulation by the U.S. Food and Drug Administration. We are also affected by laws and regulations relating to consumer protection, anti-fraud and abuse, anti-kickbacks, anti-money laundering, securities and antitrust.
HIPAA, GLBA and Other Privacy and Security Regulation. The administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), apply to both the group and individual health insurance markets, including self-funded employee benefit plans. HIPAA requires guaranteed health care coverage for small employers and certain eligible individuals. It also requires guaranteed renewability for employers and individuals and limits exclusions based on preexisting conditions. Federal regulations promulgated pursuant to HIPAA include minimum standards for electronic transactions and code sets, and for the privacy and security of protected health information. The HIPAA privacy regulations do not preempt more stringent state laws and regulations that may also apply to us.
Federal privacy and security requirements change frequently as a result of legislation, regulations and judicial or administrative interpretation. The U.S. Congress is currently considering new privacy and security legislation. Some of the proposed changes include: new contracting requirements for HIPAA business associate agreements; new agreements for covered entities logging disclosures for treatment, payment and health care operations; HIPAA business associates being subject to most parts of the HIPAA Security Rule; and certain limitations on receiving direct or indirect remuneration for the exchange of health information. Federal consumer protection laws may also apply in some instances to privacy and security practices related to personal identifiable information. The use and disclosure of individually identifiable health data by our businesses is also regulated in some instances by other federal laws, including the Gramm-Leach-Bliley Act (GLBA) or state statutes implementing GLBA, which generally require insurers to provide customers with notice regarding how their non-public personal health and financial information is used and the opportunity to opt out of certain disclosures before the insurer shares such information with a third party, and which generally require safeguards for the protection of personal information. See Item 1A, Risk Factors for a discussion of the risks related to compliance with HIPAA, GLBA and other privacy-related regulations.
ERISA. The Employee Retirement Income Security Act of 1974, as amended (ERISA), regulates how goods and services are provided to or through certain types of employer-sponsored health benefit plans. ERISA is a set of laws and regulations subject to periodic interpretation by the U.S. Department of Labor as well as the federal courts. ERISA places controls on how our business units may do business with employers who sponsor employee benefit health plans, particularly those that maintain self-funded plans. Regulations established by the U.S. Department of Labor provide additional rules for claims payment and member appeals under health care plans governed by ERISA. Recent final and proposed regulations would require additional disclosures to employers of certain types of indirect compensation we receive. Additionally, some states require licensure or registration of companies providing third-party claims administration services for health care plans.
FDIC. The Federal Deposit Insurance Corporation (FDIC) has federal regulatory and supervisory authority over OptumHealth Bank and performs annual examinations to ensure that the bank is operating in accordance with federal safety and soundness requirements. In addition to such annual examinations, the FDIC performs periodic examinations of the bank's compliance with applicable federal banking statutes, regulations and agency guidelines. In the event of unfavorable examination results, the bank could be subjected to increased operational expenses, governmental oversight and monetary penalties.