To many insurance industry executives, compliance means spending gobs of money to avoid having their companies go public with ugly security lapses or pay fines from regulators, or avoid having themselves hauled off to the slammer for misstating information. However, the process of meeting compliance mandates need not be costly, and may actually help increase profits in the long run. For many carriers, there are ways to establish a common base of processes to address multiple mandates, as well as any future requirements. In addition, compliance management can bring new opportunities for gaining better efficiencies and supporting new business growth.
Few, if any, insurance companies are untouched by the slew of new reporting requirements thrust upon North American businesses over the past few years: up to 150 laws and regulations from federal, state, international and industry oversight bodies that impose various requirements on the way information is handled or presented.
For publicly traded companies, or those doing business with publicly traded companies, the Sarbanes-Oxley Act (SOX) mandates that corporate information be traceable and auditable. The Health Insurance Portability and Accountability Act (HIPAA) requires strict security for customer medical records. The Gramm-Leach-Bliley Act (GLBA) requires accountability for the use of customer data by third parties. And local state regulations, most notably the California Database Protection Act, require notification to affected customers when data has been stolen or compromised.
These are just a few of the more prominent regulations, which put the onus on insurance executives to rethink the way their company's data and documents are obtained, managed, stored and distributed.
A HUGE CHALLENGE
For the insurance industry as a whole, the compliance challenge is huge, particularly regarding the way documents are handled, says Craig Weber, an analyst with Celent LLC, a Boston-based research and advisory firm. "Virtually every carrier we talk to is either re-examining their existing providers, or trying to find new ones, to address compliance concerns about documents. The issue is not new, but some of the new regulations have made document retention practices much more specific than they have ever been."
Not only do regulations dictate that companies better secure their documents; they also require insurers to keep important documents and correspondence on hand and available. This includes documents that traditionally have been paper, such as policies, memos, application forms and claims documentation, as well as electronic documents, such as e-mail, images and word processing files.
In addition, companies need to account for the systems and processes they have in place to manage their information. They're even required to document when changes have been made along the way. And many back-end processes, such as IT governance and change management, are now scrutinized by auditors, which reflects the overall concern about the security and trustworthiness of data that comes from these systems.
Compliance mandates are affecting all phases of carriers' operations, says Dawn Barker, an analyst with Chicago-based CCH Insurance Services, an industry consulting and advisory service. "It starts at point of sale and data collection," she says. "Once data is collected and input, that data is then shared, normally within the organization, and sometimes offshore. Companies have to protect that data from the beginning to end."
OVERWHELMING FOR MANY ORGANIZATIONS
If tracked manually, supplying compliance reports for documents is overwhelming for many organizations. However, the move to electronic data and formats has enabled more automated approaches.
"Five to 10 years ago everything was paper," says Paul Kelley, services manager at AIM Mutual Insurance Co., a Burlington, Mass., workers' compensation provider. "If documents were needed by regulators, vendors or our attorneys, people had to spend their whole day photocopying, pulling files apart and mailing documents," he says.
Working with Laserfiche Document Management from Compulink Management Center of Long Beach, Calif., AIM Mutual recently began evolving its paper-based document systems to electronic ones to speed up the process. "It's helping us get documents from regulatory agencies into our process more quickly, allowing us to file documents with them on a timely basis," Kelley adds.
Overall, despite the enforcement club hanging over companies, there's still a lot of work to be done. For example, a survey conducted by AIIM, an enterprise content management industry association based in Silver Spring, Md., found nearly half of American companies still haven't adopted comprehensive record retention policies, despite increasing pressure from regulators and the courts to store and maintain all documents, including electronic documents and messages.
In AIIM's survey of 2,100 records and information managers, more than two-thirds (68%) don't have a plan in place to preserve electronic records that need to be migrated off of current production systems and onto an archiving system to ensure their accessibility over time.
E-mail retention is an especially vexing issue, since many organizations now conduct the bulk of their communications with agents, customers and partners through this channel. Although AIIM found that 49% of organizations have yet to adopt a record retention policy for e-mail, at least some insurers recognize they can't take any chances.
"Right now, we save all e-mail and everything else, no matter how far back it's dated," says Greg Lane, director of technical services for Humana Inc., a Louisville, Ky.-based health insurance carrier.
Currently, Humana employs EMC WORM (write once, read many times)-based disk arrays to maintain a permanent record of e-mail correspondence. The system keeps a permanent archive of all e-mail transactions within the organization, which cannot be deleted, says Lane. "We leveraged that from a hardware perspective, and put EMC software on top of that, which allows us to have access to those archives, to be able to search those archives, and to be able to manage that information."
Retaining e-mail records is one challenge; ensuring privacy and security is another. During one system audit, Nodak Mutual Insurance Co., a Fargo, N.D.-based property/casualty insurance provider, uncovered areas through which private information was inadvertently leaving the company's network.
With assistance from BEW Global USA, a Castle Rock, Colo., provider of information security solutions, the carrier established a monitoring, filtering and encryption system that ensures the privacy of data within its e-mail system, keeping it compliant with GLBA and other regulations.
TAKING A HARD LOOK AT WORKFLOWS
"With so much regulation coming from the states and the federal government, we just want to be ready," says Herb Doele, director of networking services at Nodak Mutual. One area Nodak needed to address, for example, was the fact that its human resources department was sending, via e-mail, sensitive employee financial data to the bank that administers its benefit plans.
"We wanted to make sure that information was going out secure," Doele explains. "We now capture that information at the spam filter, and then automatically send it over to the security mail gateway so it gets encrypted. Anything that's going out with Social Security number information also gets captured and encrypted," he adds.
To meet the challenges posed by compliance mandates, many industry executives are taking a hard look at their organization and workflows, and putting processes in place to enable greater visibility and auditability.
For example, the AIIM survey finds that 53% of mid-sized organizations and 60% of large organizations use scanning and capture technologies for corporate correspondence, litigation and contracts. Another 52% of mid-sized organizations and 62% of large organizations use scanning and capture technologies for financial processes, including invoice processing, order processing, cash receipts and expense accounts.
Despite the technologies available to help them, and despite the heat they feel from regulators, some research indicates carriers are not investing in new initiatives to address these mandates. For example, a survey of large data centers conducted by the SHARE user group, the IBM mainframe and large system user group headquartered in Chicago, finds that IT executives and managers often hit a wall when it comes to getting organizational support for compliance projects.
More than one-third (36%) report they have experienced issues in securing funding for new systems required to meet compliance mandates, and another 34% say compliance is driving changes to their business processes, a task that often falls beyond the scope of IT departments.
BEFORE THE INK WAS DRY
Often, an enterprisewide effort is required to understand how and where a mandate will affect a business. At Humana, for instance, a concerted effort began to understand the implications of SOX, even before the ink was dry on the legislation in 2002. "Before the legislation was finalized, we already had rallied a lot of folks together to begin to understand what it all really meant," says Tom Cooper, director of the information technology project management office at Humana.
"We knew [SOX] was going to be a significant audit issue and wanted to get in front of it. We worked with our internal audit organization for more than a year and a half to understand what the law really meant. It was similar to when HIPAA first came out. We really didn't know for sure what it meant."
At Humana, he adds, the internal audit group took a leadership role in creating a consistent approach to how the insurer would address SOX compliance. Humana also already had a comprehensive document automation initiative underway, employing tools from InSystems, a document management software company recently acquired by Whitehill Technologies Inc., Moncton, New Brunswick.
Another compliance challenge insurers face is managing and controlling processes that have never been centralized. This involves "getting control around a set of information that typically is not under control, both in paper form and electronic form," says Craig Rhinehart, vice president for compliance markets and products at FileNet Corp., a Costa Mesa, Calif.-based enterprise content management vendor.
"If you don't have good controls around your paper, chances are you're not going to have good controls around your electronic information. Get good controls and understand your retention requirements around all forms of information," says Rhinehart. "And remember: A document has a life. It's born. It's used in an active state. It sometimes goes to an inactive state. And eventually it gets destroyed."
"At the end of every [insurance] process, a document is produced, and has to go back to the participants, and typically that delivery is either slow or expensive, and oftentimes both," says Celent's Weber. "Document management is data collection, assembly, customization and archiving, which are very important steps in our industry because of compliance. The challenge is to save these documents for intelligent reuse."
While only 5% of documents are likely to require permanent storage, according to Rhinehart, it's important to review the mandated storage life for all classes of information, records or documents. "That typically goes hand-in-hand with understanding your regulatory environment, so you know what you're legally bound to keep, and how long you're legally bound to keep it," he says.
BENEFITS BEYOND COMPLIANCE
Under SOX, the Securities and Exchange Commission (SEC) mandates that companies archive and maintain audit-related data for seven years, and communication records for three years. This includes all financial records, including annual reports, quarterly filings, inventory lists, sales receipts and financial or customer data within e-mails, instant messages and faxes.
Of course, organizations that automate document management gain benefits beyond simply meeting the letter of the law. In fact, the AIIM survey reveals that most executives seek to streamline their organizations as a first priority for document management initiatives, well ahead of compliance.
AIIM found 73% of survey respondents say "improving efficiency and productivity" is the most important reason for implementing scanning and capture technologies in their organization, while 30% say "improving customer service" and 28% say "compliance" is important.
Prior to compliance, however, companies often had to make a strong ROI case for bringing in automated solutions.
For example, FileNet's Rhinehart observes, "There are many cases that get into how compelling or not compelling the economics are to move something from physical to electronic form. For example, most insurance companies do business with commercial records centers that provide offsite storage of paper. In that business model, offsite storage facilities also charge you every time you request paper back from these warehouses. Plus, you have the burden of it sitting in a warehouse. You can't see it. You don't really know what's in the document."
However, Rhinehart says, "if you store documents properly, you will get reduced risk, and you will achieve and sustain compliance." The time and resources that now go into compliance-driven practices can also deliver "a huge return on investment," he says. "There are great returns in properly managing your information, your records and your documents. It takes down your discovery and storage costs."
REDUCING STORAGE AND DISCOVERY COSTS
Indeed, compliance mandates have added a new element to the business case for investing in imaging, says Celent's Weber. "Best practice carriers are taking imaging all the way out to the point of receipt of paper, and they rely on image from that point forward in the process. Some carriers have imaging centers attached to their mailrooms. As mail is opened and sorted, it is imaged and indexed, so it can be routed as an image to whomever needs to see it," he says.
At Nodak Mutual, bringing messaging and e-mail systems into compliance is also opening up possibilities for additional interactions with customers, according to Nodak's Doele. Since the carrier has been able to establish security in its e-mail, it is looking at possibly using e-mail as a secure delivery channel for additional correspondence, such as for policies, he says.
Such improved methods may also pay dividends in terms of more streamlined data management processes and improved productivity. For example, IT governance addresses and documents all changes that are made to systems, applications and databases. Some mandates, particularly SOX, require an audit trail that can establish the source of information, and how that information moved through the organization.
Likewise, since insurers need to hold on to all documentation, from e-mail to policy riders, many are turning to hierarchical storage management and archiving, in which records are permanently stored in electronic format, and are easily accessible to auditors. Such methodologies and technologies not only help meet the letter of the law, but also help businesses gain more value from their IT assets.
Streamlining and consolidation were a positive outcome at AIM Mutual following its migration to electronic documents, says Kelley.
"We currently have 20,000 policy files in our Burlington offices, as well as 10,000 loss-control files. These same files are duplicated in our four regional offices for the policyholders in that territory," he explains. Moving to an electronic format will eliminate all storage of these files in all offices by the end of this year, he predicts.
Currently, up to three years of policy information will be accessible from the carrier's Laserfiche system. Kelley estimates that the company is saving about $48,000 a year in copying and mailing costs. In addition, he says, "we have improved our time of getting documents to our technicians faster and of getting the same amount of work done more quickly with a smaller staff."
While each regulation or mandate has its own nuances, a comprehensive effort that incorporates auditability and security can be leveraged for numerous mandates. "We're starting to see a common thread to all this," says CCH's Barker. "Your procedures are documented, they are audited, and they are followed. There are common procedures, a common thread."
At Humana, efforts around HIPAA established the carrier's compliance management processes, which later were applied to SOX. "HIPAA required a tremendous amount of due diligence in the security and privacy world," says Humana's Cooper. "This directly related to a lot of the general controls for Sarbanes-Oxley. Sarbanes then took our efforts to another level, and involved application development. These regulations all build on top of each other."
Integrating a common core of policies to meet multiple compliance requirements produces savings, says FileNet's Rhinehart.
HIPAA PROCESSES APPLIED TO SOX
"If your organization has to comply with each regulation as a one-off, it will be really costly. Much of this is new, and organizations are just getting their arms around SOX. Some organizations went out and started buying point solutions for each compliance problem, be it HIPAA or SOX. If you keep doing that, you're going to pay 10 or 20 times as much for compliance," he says. "You need a holistic strategy that addresses multiple compliance applications and problems."
Most, if not all, compliance mandates are "one part process and one part content," he adds. In terms of process, "every compliance regulation has a requirement for you to prove that you're in compliance: What was your business process at the time and did you follow it? They all have a process component, a workflow component and policies."
The other component of most compliance mandates is content, Rhinehart continues. "Can you prove you followed your process and you have a record of the records?" The value in compliance is found when you build your compliance program on a common infrastructure that addresses process and content, he says. "This is where you can start taking out some of the costs of compliance."