With IT budgets tightening, and many projects being forced to show a fast return on investment, some non-mission-critical technology initiatives are being delayed, or even scrapped. However, there are projects in insurance that are still high priority, even without an immediate ROI: those supporting insurance regulation compliance.
Complying with insurance regulations is a must for carriers, and technology is at the center of, or at least part of, the solution to comply quickly with state-based and even federally initiated insurance regulation. And on top of every insurance executive's mind is the security and privacy of personal information, especially in the wake of the September terrorist attacks and the soon-to-be-announced HIPAA (Health Insurance Portability & Accountability Act) privacy and security guidelines.
Many carriers have already passed a privacy yardstick by complying with the privacy rules in the 1999 Gramm-Leach-Bliley (GLB) act, and many state legislatures have taken it upon themselves to enact other privacy rules. However, the HIPAA privacy and security standards may be the biggest privacy challenge of all.
In fact, HIPAA's charge is so big that many have compared it to the Y2K. "Even Y2K was a lot simpler than HIPAA," says Simmi Singh, senior vice president, Silverline, (Piscataway, NJ), a software and integration services firm. "With Y2K, the problem was the same throughout the industry: Fix the date. However, HIPAA requires a lot of company and industry intelligence to become compliant. Every transaction is a little different, and people with an understanding of the insurance process will have to review each transaction for privacy."
With Y2K, Singh adds, a company could hire more programmers and systems analysts to get all systems ready for the new millennium. With HIPAA, it is not as simple. "There are only so many workers available that have the knowledge for this task. The labor pool for people with knowledge of health insurance transactions and a knowledge of technology is very small."
Also making it harder for insurers is the fact that the Department of Health and Human Services (HHS) has not yet released the privacy portion of HIPAA. "The final privacy rules have not come out yet," says Anne Castro, chief design architect at Blue Cross Blue Shield of South Carolina (BCBS-SC, Columbia, SC, more than $1 billion in assets). "Since there was a significant difference between the proposed HIPAA transaction rules and the final rules, we really want to see the final privacy guidelines." Castro points out that the Internet guidelines for HIPAA were added to the final rules well after the initial proposed guidelines were released.
"As an insurance carrier, we are expecting to see anything and everything, in terms of privacy" from HIPAA, Castro adds. "We are taking steps now to make things as secure as possible for our customers."
Some Say Tomato...
However, with HIPAA, as well as with other state-based regulations, the intended purpose or end result may be clear, but the road to get there is not, making preparation even harder. "It should not be too difficult for companies to understand what the purpose and the end result of HIPAA should be," says Keith Fraser, group product manager, InSystems (Markham, ON), an e-business financial service solutions provider. "The guidelines tell insurance companies where they should be when they finish, but it does not tell them how to get there.
"It is a matter of interpretation, and every time interpretation is involved, each company will use slightly different methods and technology," Fraser adds. "That may be a problem, but it is not exactly clear how much of a problem it will be." For instance, if carriers use different types of firewalls and security technology, it may become hard for companies to share information. However, Fraser says that the HIPAA transaction rules will safeguard the integrity of communicating with partners.
Also, if anything can be read into the transaction guidelines, it is that the privacy and security guidelines may give insurance companies a lot of leeway when it comes to privacy and security compliance. "The HIPAA transaction guidelines are very loosely written and are open to a lot of interpretation from insurance carriers," says Steve Manning, HIPAA national practice director, SBC Datacomm (San Antonio), a networking communications service provider. "In the transaction standards, a four-letter code is the code, so there is not much wiggle room there. But the carrier's underlying systems may be different in order to be compliant. When it comes to the privacy and security guidelines, there may be much more creativity."
However, some states have passed separate privacy rules that carriers will have to comply with even before the HIPAA security/privacy deadline of April 2003. "There are a number of states that have passed their own set of privacy rules," says Michael L. Schofield, product strategy director, Image Process Design (IPD, Bloomfield Hills, MI), a workflow and content management solutions provider. "HIPAA is clear that it will supersede state rules, unless the state's rules are more stringent."
Luckily, most states probably will not be more stringent than HIPAA. "I haven't seen any states that are exponentially more strict than what we expect to see from HIPAA," says Marne Gordan, director of regulatory affairs, TruSecure Corp. (Herndon, VA), an Internet managed security solutions provider. "Many insurance regulations follow the big states, California and New York."
In fact, says InSystems' Fraser, being compliant in New York is a good sign. "If you can sell in New York, you can sell anywhere," he says. "The New York standards for almost any regulation are usually the toughest. If carriers can pass privacy and security standards in New York," they will most likely be compliant with other states and with HIPAA, he adds.
According to former New York Insurance Department deputy superintendent John Cashin, now counsel, insurance regulation, at Stroock & Stroock & Lavan LLP (New York), most states have followed the National Association of Insurance Commissioners' (NAIC, Kansas City) model regulations for security and privacy. "It makes sense to stick to a standard, or best practices, when it comes to privacy and security," he says. "There are no guarantees that a state legislature won't make more strict privacy standards, especially in some consumer-oriented states."
To date, Cashin says, only one state has deviated significantly from the NAIC model, with 22 states passing privacy rules that are equal to or less strict than GLB or the NAIC models. "One state has considered requiring that a carrier's technology receive an independent certification every two years from a third-party," such as a technology consulting firm. "The technology integrity certification is a concern to carriers. If there are 50 state certifications, compliance will be a challenge," he adds. He also says that most insurance departments do not have the tech expertise to oversee an audit program.
Whatever the regulatory mandate an insurer is trying to comply with, the firm must realize that technology alone will not cure its headache. "The good thing about both HIPAA and GLB is, both recognize compliance is not just about technology," says TruSecure's Gordan. "There are policies, procedures and administrative functions that also have to be compliant."
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.