Under the Watchful Eyes of the Regulators
Compliance Doesn't Equal Security
Gordan further warns of the compliance mentality trap. "Many companies will think that if they meet the compliance deadline, the company is secure," she adds. "You may be compliant, but that does not translate, necessarily, into secure. Technology changes every five minutes. Processes and procedures have to be in place that can account for new technology development and technology threats. Staying compliant will involve a combination of technology and policy," Gordan says. "Having a properly configured firewall is the technology part. Making sure the firewall is up to date six months after it is installed is policy."
For instance, at BCBS-SC, Castro works closely with the company's HIPAA officer to make sure all technology initiatives and HIPAA business processes are properly aligned. "I help to make sure the systems side is ready to deal with HIPAA," Castro says. "We have many dedicated project teams working on it."
However, technology will be required, in most circumstances, to implement a company's privacy and security policy. For starters, Schofield says, getting a grasp on the workflow processes inside a company will make handling a policyholder's information easier. "Business process management is a broad term, but it encompasses a number of technologies," including imaging and rules-based workflow management. "Content management is going to play a large part in securing patient records because records are moved throughout an insurance organization."
Rules-based technology, such as rules-based workflow or role-based access, helps fulfill the major HIPAA "minimum necessary" privacy requirement, under which only the information needed to complete a transaction is "released."
"We use a product called DirectorySmart for directory management and authorization," says Castro of BCBS-SC. "The technology makes sure that only the proper people see what they are supposed to see." DirectorySmart, an OpenNetwork Technologies (Clearwater, FL) product, tracks all of a company's users and defines access privileges, based on a rules-based engine that is tailored to each carrier.
Mark Griese, senior solutions architect, OpenNetwork, says delegating access to information and applications is very important to the HIPAA standards, since access to insureds' information will be granted to internal users and external business partners, such as agents and providers. "Agents should have access to certain types of information," Griese says. "But an agent's administrative assistant should probably not have the same level of access."
A tool that can help provide role-based access is LDAP, or Lightweight Directory Access Protocol, a protocol used to access a directory, says Jennifer Covich, healthcare marketing manager, OpenNetwork. "A manager of an LDAP directory can manage who has what access to content," she says.
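The two ideas in the preceding paragraphs, a "minimum necessary" release and delegated access that can only narrow what the delegating role sees, can be shown in a few lines of code. The following is an added illustration, not code from the article, from DirectorySmart or from any OpenNetwork product; the role names, transaction purposes, field names and the sample record are all constructed, and an in-memory table stands in for the directory lookup an LDAP-backed system would perform. It releases only the intersection of what the transaction needs and what the role is permitted to see, denies unknown roles by default, and refuses a delegation that would grant more than the parent role holds.

```python
"""Minimum-necessary release of a policyholder record, keyed by role and purpose.

Added example (not the article's or any vendor's code). ROLE_FIELDS stands in
for the access rules an LDAP directory would hold; everything below is constructed.
"""

from dataclasses import dataclass

# Constructed sample record; the values are placeholders, not real data.
SAMPLE_RECORD = {
    "policy_id": "P-0001",
    "member_name": "Example Member",
    "date_of_birth": "1970-01-01",
    "diagnosis_code": "Z00.0",
    "claim_amount": 1250.00,
    "premium_due": 310.00,
    "ssn": "000-00-0000",
}

# Fields each transaction actually requires: the "minimum necessary" set.
PURPOSE_FIELDS = {
    "quote_renewal": {"policy_id", "member_name", "premium_due"},
    "claim_review": {"policy_id", "member_name", "diagnosis_code", "claim_amount"},
}

# Ceiling of fields each role may ever see. Roles absent here get nothing.
ROLE_FIELDS = {
    "agent": {"policy_id", "member_name", "date_of_birth", "premium_due", "claim_amount"},
    "claims_adjuster": {"policy_id", "member_name", "diagnosis_code", "claim_amount"},
}


def delegate(parent_role, allowed):
    """Define a delegated role that sees a subset of its parent's fields.

    A delegation may narrow access but never widen it, so any field outside the
    parent's ceiling is rejected rather than silently granted.
    """
    parent = ROLE_FIELDS[parent_role]
    excess = set(allowed) - parent
    if excess:
        raise ValueError(f"delegation exceeds parent role {parent_role}: {sorted(excess)}")
    return set(allowed)


# The agent's administrative assistant sees less than the agent (constructed).
ROLE_FIELDS["agent_assistant"] = delegate("agent", {"policy_id", "member_name", "premium_due"})


@dataclass
class ReleaseResult:
    released: dict   # fields actually handed over
    withheld: list   # fields the transaction wanted but the role may not see


def release(record, role, purpose):
    """Return only the fields both needed for `purpose` and permitted for `role`."""
    needed = PURPOSE_FIELDS.get(purpose)
    if needed is None:
        raise ValueError(f"unknown transaction purpose: {purpose}")
    permitted = ROLE_FIELDS.get(role, set())   # deny by default
    visible = needed & permitted
    # Preserve the record's field order; never copy fields outside `visible`.
    released = {k: v for k, v in record.items() if k in visible}
    withheld = sorted(needed - permitted)
    return ReleaseResult(released, withheld)


if __name__ == "__main__":
    for role in ("agent", "agent_assistant", "claims_adjuster", "intern"):
        result = release(SAMPLE_RECORD, role, "claim_review")
        print(role, "->", sorted(result.released), "withheld:", result.withheld)
```

The `withheld` list is what an audit trail would record: a transaction that asked for more than the role may see is a signal worth reviewing, whether it points at a mis-assigned role or a process that was defined too broadly.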
When it comes to complying with security regulations, many types of technology can help a carrier, including firewalls to prevent hacking; SSL (Secure Sockets Layer); encryption technology; and biometrics and electronic signatures.
"Electronic signatures will become important for insurers, as they begin to track more and more data electronically," says Jennifer Scanlon, senior vice president, insurance and financial services, Keane Consulting Group (Boston). "Since the industry is paper intensive, moving away from physical signatures is important. Electronic signatures are legal. The major obstacle is user comfort."
------------------------------------------------
REGULATION POST-SEPTEMBER 11
While health insurers are focusing on HIPAA, the reinsurance and P&C industries are focusing on Capitol Hill. "We are hoping some form of terrorism bill will pass that will help protect insurers from future losses," says Valerie Brown, assistant secretary, director of state filings, Utica National Insurance Group ($1.9 billion in assets, New Hartford, NY). "With some government subsidies, we will be able to underwrite exposures" that result from terrorist acts. "As of January 1, most reinsurers are not covering losses from terrorist acts."
However, with Congress at press time looking to back insurance against future terrorist attacks, it is a pretty safe bet that federal insurance oversight will come along with the financial support.
"If we end up with a terrorism bill as a back-stop to the industry, we may see some erosion of state-based regulation," says former NY Insurance Department deputy superintendent John Cashin, now counsel, insurance regulation, at Stroock & Stroock & Lavan (New York). "You can be sure that Congress is not going to commit funds and sit back without any federal oversight." And financial support from Washington, DC, may not be the only change in regulations. A new debate on privacy has insurers paying attention.
For carriers, a shift in privacy rules, especially those that conflict with HIPAA, could mean drastic systems changes. "Currently, privacy laws are set up to protect the individual," says Michael L. Schofield, product strategy director, Image Process Design (IPD, Bloomfield Hills, MI). "However, recent talk...may make accessing information easier," under the banner of anti-terrorism.
For instance, points out Simmi Singh, senior vice president, Silverline (Piscataway, NJ), many HIPAA regulations would have been violated immediately following September 11. "In New York, people were providing DNA samples," she says. "Under HIPAA, a person's DNA sample cannot be given without consent." And since no certificates had been issued when samples were collected, HIPAA was violated, Singh contends. "HIPAA may already be outdated even before they go into effect. We may see some...other proposals."
One controversial proposal is to issue national ID cards. "It will involve biometrics," says Marne Gordan, director of regulatory affairs, TruSecure (Herndon, VA). "What information will insurers be allowed to put on the cards, or even want on the cards," and how will carriers equip agents with biometric technology to verify the identities of customers seeking coverage?
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.