For your eyes only: this month insurers face the first of three federally mandated privacy compliance deadlines. (Industry Strategies: Privacy).


Seven years after its enactment--and following many bureaucratic twists and turns, a mountain of public comments and numerous modifications--the Health Insurance Portability and Accountability Act (HIPAA) is finally coming into its own with the first of three compliance deadlines looming for insurers this month. This first key date, April 14, 2003, applies to the law's Privacy rule, which creates national standards to protect individuals' personal health information and gives patients increased access to their medical records.

The rule states that a health-care provider can share information with a patient's health plan for treatment, payment or health-care operations, but the information must be specifically for treatment, payment or operations of the provider and not the plan. Most covered entities, such as health-care providers and health plans that conduct certain financial and administrative transactions electronically, fall under the first deadline, while smaller health plans have another year to comply.

Implementation of the HIPAA Privacy rule follows closely on the heels of privacy requirements imposed by the Financial Services Modernization Act of 1999, otherwise known as Gramm-Leach-Bliley. While this law allows financial institutions, such as banks, insurance companies and securities firms, to affiliate, it also provides rules giving consumers more control over disclosure of their personal financial information. Under Gramm-Leach-Bliley, an insurer annually must notify policyholders of its information-sharing policies and give them the ability to "opt out," or refuse to permit the insurer to share nonpublic personal information with third parties for marketing purposes.

Building a Framework

The HIPAA Privacy rule "is largely a policy and procedure issue, requiring that you have policies and procedures, safeguards on those policies and procedures, that you educate your employees and enforce the policies and procedures," said John Quinn, a principal in Cap Gemini Ernst & Young's National Health Care Consulting Practice. He has been working with large hospitals and insurance companies on HIPAA compliance, and continues to field questions from clients on how the new Privacy rule applies to them.

"There's less confusion on the payor side than on the provider side, primarily because the payor organizations tend to be coherent, hierarchical and closed organizations," he said. In contrast, hospital personnel can include volunteers, physicians who aren't actually hospital employees and employees working under hundreds of different contracts. "You come to the realization that having an employee's policy and procedure book and a set of policies and procedures that you follow is a little more challenging in the provider space than it is in the payor space," he said.

But this process is not nearly as costly as the one prompted by Gramm-Leach-Bliley, with its estimated price tag of as much as $2 billion in employee labor, mailing costs and other expenses.

"Much of the security required is already in companies' computer systems in terms of user name passwords and ability to audit what employees do in their systems," he said. "It may take a few extra employees to manage those policies and procedures and the auditing that needs to go on, but that's pretty much it."

An Early Start

Nevertheless, insurers say that gearing up for the Privacy rule, in tandem with preparations to meet the Transactions and Code Sets rule and the Security rule, began drawing their attention some years ago. For example, Nationwide Insurance Co., Columbus, Ohio, began work on HIPAA compliance in 2001, attacking it in much the same way it did Gramm-Leach-Bliley, said Kirk Herath, chief privacy officer. But unlike Gramm-Leach-Bliley's requirements, HIPAA's do not have the same universal effect on his company, he said.

"We have pockets of covered entities throughout our enterprise--a small health plan, self-insured employee plans, and we had a small long-term-care plan that was covered in our life company," Herath said. At the time the company began this effort, it also had a number of individual health policies on its books as well as a Medicare claims operation that administered all Medicare claims for Ohio and West Virginia West Virginia, E central state of the United States. It is bordered by Pennsylvania and Maryland (N), Virginia (E and S), and Kentucky and, across the Ohio R., Ohio (W). Facts and Figures


Area, 24,181 sq mi (62,629 sq km). Pop.
. The Medicare claims business has since been sold.

Nationwide quickly formed teams to focus on HIPAA compliance for its health business and to see that self-insured programs also met the deadlines. "Unlike GLBA [Gramm-Leach-Bliley Act], which affected everyone in the company uniformly, HIPAA only affected a small number of our operations," Herath said.

The team preparing for the Transactions and Code Sets rule started in earnest more than 18 months ago, he said. "It really took that long to get all the uniform code sets in place and to get the systems reworked," Herath said. The groundwork to meet the Privacy rule began about a year ago. "One of the first big things we had to do was to create the policies and procedures by which we were going to operate to comply with HIPAA, and that really was a job for a team of lawyers," he said.

The company created a privacy legal working group and, to expedite the process, hired an outside legal expert who answered the company's questions and provided Nationwide with templates for the policies and procedures. "What we did was divvy them up among about 10 company lawyers, including myself, so nobody had too much of a workload, and we gave ourselves about a three-month window to get them done," Herath said. Once that was completed in July 2002, the company began implementing the new policies and procedures during the remainder of that year.

Funding Implementation

The other key component in Nationwide's privacy compliance plan was to develop an online training module. The company developed this proprietary product in house, paying "a quarter of the $200,000 that some of the big consulting firms wanted to charge us," Herath said. "We partnered with an outside Web firm that does training modules. We created all the content, we basically designed it, and they built it for us."

Although the training program touches upon security, it mostly tackles the HIPAA Privacy rule, and includes all of Nationwide's policies and procedures in a back-end glossary. Because HIPAA is very specific about what training is required according to an employee's function, few people at Nationwide have had to undergo the entire training program. The software "will tell you you have to take modules 1, 3, 5, 8 and 10 and then it'll track your progress, allowing you to log off and log back on where you were," he said. "When you complete the program, it documents it for us for compliance purposes and the employee receives a certificate."

Herath said the training module is so good that the company Nationwide worked with is licensing a version of it for sale to the public.

Addressing the HIPAA requirements has cost the company about $500,000 in hard costs for printing and mailing statements as well as some systems work, a sum far below the estimated $6 million for hard costs associated with Gramm-Leach-Bliley compliance, Herath said. But then the Gramm-Leach-Bliley effort also piled on considerable soft costs in employee hours. "Everybody was doing it--we had literally hundreds of people running around doing this work in some cases for up to two years," he said, putting those soft costs in the $3 million to $4 million range.

Unaware and Unprepared

While Nationwide and many other insurers have done their homework, industry experts question the readiness of other covered entities, especially those that HIPAA labels self-insured, to meet the 2003 deadlines.

"We're talking about many employers across the country--and in my experience at least 50% are not aware that they are covered or are under the mistaken belief that someone else is handling the compliance issues for them," said attorney John A. Knapp, a member of Cozen coz·en  
v. coz·ened, coz·en·ing, coz·ens

v.tr.
1. To mislead by means of a petty trick or fraud; deceive.

2. To persuade or induce to do something by cajoling or wheedling.

3.
 O'Connor's health/law unit in Philadelphia. "Oftentimes of·ten·times   also oft·times
adv.
Frequently; repeatedly.

Adv. 1. oftentimes - many times at short intervals; "we often met over a cup of coffee"
frequently, oft, often, ofttimes
, a group health plan will believe that whoever their insurer is--whether it's Blue Cross, Aetna or any of the large commercial companies--those insurance entities are taking care of all of the HIPAA compliance requirements Compliance requirements are a series of directives established by United States Federal government agencies that summarize hundreds of Federal laws and regulations applicable to Federal assistance (also known as Federal aid or Federal funds).  for the group health plan. And that's usually not the case. There are many, many who have not even tackled this issue. It's my expectation that HIPAA compliance, even on the Privacy rule, will go on well past the April 14 deadline."

Broader Obligations

Every U.S. employer that provides health benefits to its employees and has 50 or more people in its plan is a covered entity under HIPAA, Knapp said, and of that group, self-insured employers have a broader set of compliance obligations than those that are fully insured. Under HIPAA, a company is considered self-insured if any part of its health-benefit program is self-insured, and that could be as little as offering what's called a flexible spending account or cafeteria program to employees, Knapp said.

Knapp, a co-leader of his firm's HIPAA team, estimates that 75% of his time over the last nine months has been spent on HIPAA work. Recently, he was dealing with a dozen HIPAA compliance projects involving healthcare providers or group health plans--employers offering health benefits to their employees.

Enforcement Plans

In cases of noncompliance, HIPAA provides penalties as low as $100 an infraction, with a maximum of $25,000 for each type of infraction a year, Knapp said. Penalties can become more severe--a maximum of 10 years in jail and a $250,000 fine--for such violations as selling protected health information for commercial profit.

Practically speaking, however, enforcement of the Privacy rule under HIPAA is the responsibility of the Office for Civil Rights of the Department of Health and Human Services. This office, Knapp noted, does not have a large budget for enforcement efforts, and it has made public announcements that its intent is to approach enforcement, at least for now, in an educational mode. "That may change in the future, but initially no one really expects a widespread harsh enforcement policy," he said.

Establishing Standards

After HIPAA's Privacy rule deadline comes its Oct. 16, 2003, deadline for the rule on Transactions and Code Sets, a provision that seeks to establish standards and requirements to enable the electronic exchange of some health information. Finally, the third component, the Security rule, has a compliance deadline in April 2005. The Security rule, which had been issued in proposed form a number of years ago and was finalized in February 2003, addresses the administrative, physical and technical safeguards that a covered entity is required to put in place to protect protected health information that is stored or transmitted electronically. The Security rule does not apply to paper records, although those remain subject to the Privacy rule's general requirement for appropriate safeguards.

Security Awareness

Peggy Weigle, chief executive officer of Sanctum, a Santa Clara, Calif.-based security company founded by two former members of the Israeli Defense Forces, credits HIPAA with spurring companies on to greater realization of the need for tighter electronic security. "We've been tracking both GLBA [Gramm-Leach-Bliley Act] and HIPAA for two to three years now, and both pieces of legislation really heightened the security awareness in the corporate world," she said. But the interest the company has seen in the past year is the direct result of HIPAA's Privacy deadline, coupled with the fact that HIPAA has more teeth than Gramm-Leach-Bliley in sending executives to jail or, at least, imposing fines, if private information is exposed, she said.

"What we have seen in our customer base alone is a dramatic increase in the number of health-care and insurance companies that have bought our products," Weigle said. The company has more than 350 customers worldwide and added 150 of those in 2002 alone. Of the new 150, 35% were health-care and insurance companies in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. , she said.

Vulnerable Web Sites

But despite implementation of some electronic security measures, most companies remain vulnerable to hackers at their Web sites, she said. Her firm has audited more than 300 sites at companies' requests and has been able to break into 98% of them. "That's just a stunning number, and that includes health-care companies, insurance companies and brokers," she said. "Lots of companies, and insurance companies in particular, have invested in things like anti-virus software and network firewalls, and they definitely are encrypting the data that they are moving back and forth across the Internet. But the problem is that the majority of them have not protected the last mile, or the Internet site itself."

Herath thinks Nationwide's early efforts to comply with HIPAA rules forced some strategic decision making. While he can't say that HIPAA was the driving force behind Nationwide's determination that health insurance wasn't a core business, and therefore it would stop writing individual health and transfer or sell its Medicare claims operation, he does acknowledge that the law played a role in that change. Another benefit for the company in meeting the HIPAA privacy requirements was a continued understanding of how its business flows, Herath said. Before Gramm-Leach-Bliley and continuing with HIPAA, "there were very few people if any who ever sat down and said, 'How do all these different business units relate to each other, where's all the information coming in from, where does it reside and how is it protected?'" he said.

Quinn sees HIPAA as a plus for both patients and insurance companies in providing "a defined floor of privacy" showing what a company can or cannot do with personal medical information. "From an insurance company's perspective, it's good in that it sets up some parameters to keep them from ultimately being sued," he said. "You can never say it prevents suits, but the law specifically does not allow violations of the provisions to be used as a basis for a suit. Of course, anyone with specific concerns about HIPAA and suits should talk to their legal counsel."

Good Trustees

Insurance companies also will get a public relations boost by saying that they are acting as a good trustee of the private information of their customers, Quinn said. "You can be a cynic and say they're only doing it because they're afraid to go to jail, but that's neither here nor there," he said. "The fact is that they're doing it, and this law is the catalyst that's making it happen."
GLBA Privacy Regulations and Legislation Proposed and Enacted as of
2/3/03

With passage of the Gramm-Leach-Bliley Act in 1999, all 50 states
addressed the privacy issue to ensure compliance with the new law.
Several states still have proposals pending. States are listed below
according to the wording they embraced. If a state privacy regulation is
more stringent than those in Gramm-Leach-Bliley, it takes precedence
over the federal law.


1982 NAIC Model Regulation
Amended

Arizona *                     Enacted Legislation
                              with workers' comp
Georgia *                     Adopted Regulation
                              expecting GLBA compliance
Maine *                       Enacted Legislation includes p/c
Massachusetts *               (1982 excludes p/c)
New Jersey *                  DOI Bulletin 01-10
                              advising compliance with
                              GLBA (1982 excludes p/c)
North Carolina *              Enacted Legislation
Oregon *                      Adopted Rule that
                              complies with GLBA in
                              addition to statute
Virginia                      Enacted Legislation

2000 NAIC Model Regulation

Arkansas                      Adopted Regulation
                              without workers' comp
Colorado                      Adopted Regulation
Florida                       Adopted Regulation
Iowa                          Adopted Regulation
Kansas *                      Enacted Legislation
                              health compliance
                              2/1/02 - 4/14/03
Kentucky                      Adopted Regulations
                              Separate Regs for
                              financial and health
Maryland                      Enacted Regulation
Mississippi                   Adopted Regulation
Nebraska                      Adopted Regulation
New Hampshire                 Adopted Regulation
New York                      Adopted Regulation
North Dakota                  Adopted Regulation
                              without workers' comp
Oklahoma                      Adopted Regulation
                              without workers' comp
                              and 3rd-party claimants
                              Health compliance is 1/1/03
Pennsylvania                  Adopted separate regulations
                              for financial and health
Rhode Island                  Adopted separate regulations
                              for health and financial.
                              Both without workers' comp
South Carolina                Adopted Regulation
                              without workers'
                              comp and 3rd-party claimants
                              Health compliance is 1/1/03
Texas                         Adopted separate regulations
                              for financial and health
Utah                          Adopted Regulation in Rule 590-206
Washington                    Adopted Regulation
                              Health compliance 12/30/2002
West Virginia                 Adopted Regulation
Wisconsin                     Adopted Regulation
Wyoming                       Adopted Regulation
                              Health compliance 1/1/2002

2000 NAIC Regulation Without
Health

Alabama                       Adopted Regulation
                              without workers' comp
                              and 3rd party claimant
Connecticut *                 Adopted Regulation
Delaware                      Adopted Regulation
D.C.                          Adopted Emergency Regulation
                              without workers' comp
Hawaii *                      Enacted Legislation
                              without examples (i.e.,
                              workers' comp consumer)
Idaho                         Pending Rule without claimant and
                              workers' comp
Illinois *                    Adopted Regulation
                              without workers' comp
Indiana                       Adopted Regulation
                              without workers' comp
Louisiana                     Adopted Regulation
                              without workers' comp
Michigan                      Enacted Legislation
                              without workers' comp
Missouri                      Adopted Regulation
                              without workers' comp
Nevada *                      Adopted Regulation
                              without workers' comp
New Jersey *                  Proposed Legislation
                              01/02-NJA 1091
South Dakota                  Adopted Regulation
Tennessee                     Adopted Regulation

Individually Drafted

Alaska                        Proposed Regulation with
                              opt-in and no affiliate sharing
California                    Regulation based on the
                              NAIC Model regulation
                              but with 1982 Statute
                              exceptions and applies to
                              all commercial lines.
                              Several cities passed
                              ordinances that require
                              notices with opt-in.
                              SB1 with opt-in introduced
Massachusetts *               2003 Legislation MAH295
                              opt-in for banks
Minnesota *                   Issued memo mandating
                              compliance with GLBA
Montana *                     2001 Enacted Legislation
                              requires specific
                              notice. 2003 proposed
                              legislation H205
                              changing the 2001 legislation.
New Jersey *                  Proposed Legislation 6/02 -
                              NJA2621 with opt-in
New Mexico                    Adopted Regulation with opt-in
Ohio *                        DOI issued Bulletin 2000-1
                              mandating compliance
Vermont                       Adopted Regulation
                              with opt-in for financial
                              information without
                              enabling legislation *

* The states that had a privacy statute in place prior to
Gramm-Leach-Bliley

Note: Even though a state might be proposing or recommending a
particular model, that state might also be proposing changes to that
model.

Source: National Association of Independent Insurers


RELATED ARTICLE: What's Next on Privacy?

Reynold E. Becker

More than three years have passed since the enactment of the federal Gramm-Leach-Bliley Financial Services Modernization Act. As of late February, every state except Alaska had either a statute or regulation in place addressing the basic privacy notice and disclosure requirements of Title V of the act, but legislative interest in the topic on both the state and federal level is far from over. Legislative activity already is taking place in the following key areas:

Information Safeguarding. As of late February, only 10 state insurance departments had adopted regulations implementing the additional information-safeguarding component of Title V, using a 2002 National Association of Insurance Commissioners model regulation. The regulation is pending as a proposed regulation or legislation in another nine states. More than half of the states still need to act.

Opt-In. Both Title V of Gramm-Leach-Bliley and the 2000 NAIC model privacy regulation established an "opt-out" system for financial information shared with nonaffiliates. Only two state insurance departments have deviated from this approach by adopting a new "affirmative consent" or "opt-in" approach: New Mexico and Vermont. A proposed Alaska regulation along those lines also is pending. Interestingly, barely 1% of all property/casualty insurance premium nationally is written in those three states.

The Alliance of American Insurers and other national insurer trade associations have a legal challenge pending against the Vermont regulation.

Opt-in legislation is pending in California, Maine, Minnesota, New Jersey, New Mexico, New York, North Dakota, Oregon and South Dakota, with more expected to be introduced. California will be the major state battleground in 2003. In addition, several units of local government in the San Francisco Bay area have taken the unprecedented step of adopting opt-in ordinances. These municipal laws are under challenge in federal court. The financial services industry may face opt-in referenda on the ballots in California and Maine in 2004.

Affiliate Sharing. Congress intentionally left disclosures between and among affiliated companies unregulated under Title V. State efforts to regulate in this area have been blunted, in large part because the federal Fair Credit Reporting Act pre-empts state laws concerning affiliate sharing of credit-related information. That pre-emption is scheduled to "sunset" Jan. 1, 2004, however. There already is renewed interest in the U.S. Congress and state legislatures to regulate such disclosures. The Alliance expects the U.S. Senate Banking Committee to look at this issue in 2003. Bills concerning affiliate sharing are pending in California, New Jersey, New Mexico and Oregon, with more expected.

Joint Marketing. As with affiliate sharing, Congress also intentionally left "joint-marketing" arrangements loosely regulated. As of late February, bills to regulate these practices are pending in California, New Mexico, North Dakota and Oregon, with more expected.

Privacy Notice Content. Privacy advocates have been very critical of financial-services-industry privacy notices, accusing them of being purposely "confusing" or "legalistic." They also are disappointed by the relatively low percentage of customers electing to "opt out." The Alliance is resisting "readability" mandates, like those adopted in California.

Social Security Numbers. As of late February, legislation was pending in 15 states to restrict insurer collection, use, disclosure or display of individual Social Security numbers, and the number is expected to grow. California started this ball rolling in 2001 in its zeal to combat "identity theft."

Health Information. U.S. Department of Health and Human Services health-information privacy regulations will kick in by mid-April. While the regulations do not apply directly to property/casualty insurers, there are considerable indirect implications for claims handling.

Reynold E. Becker is vice president of property/casualty for the Alliance of American Insurers, Downers Grove, Ill.

Electronic Security Firm Is Battle Hardened

Like many security firms with Israeli roots, Sanctum employs technology developed by a super-secret unit in the Israeli army. Sanctum was formed more than six years ago when founders recognized that many companies, among them insurers and health-care providers, were hosting private and confidential information on their Internet sites, yet faced major security problems because of poorly designed applications and increasingly complex sites, Chief Executive Officer Peggy Weigle said from her office in Santa Clara, Calif.

To address this, Sanctum introduced two automated Internet security solutions that can help organizations detect hacking forays and block them. One product, AppShield, "does for the Internet site what network firewalls do for the network," Weigle said. This monitors what a user does on a Web site and which applications are being accessed, and if it recognizes so-called "bad behavior," it will stop the user cold in his tracks, she said. The second product, AppScan, is an auditing tool that Sanctum uses when asked to assess the vulnerability of a Web site at the application level, where most security breaches occur. AppScan also is used by internal application developers, application quality assurance and security audit groups at large corporations to assess and fix their Web application vulnerabilities.

In one case, Blue Cross Blue Shield of Kansas City called in the security firm when the insurer suspected its six-month-old Web site, which services a sizable population, might be vulnerable to "cookie poisoning," Weigle said. This "poisoning" involves altering a cookie, or series of numbers that identifies a user when he or she logs onto a site. The "cookie" then follows the user in moving from one part of the site to another. "Once hackers get on a site, they can go in and try to steal someone else's cookie and then you have access to that user session," Weigle said. "If you don't protect against cookie poisoning, you are allowing somebody to steal your identity and then get access to the private information of another person."

Sanctum performed an audit for Blue Cross Blue Shield of Kansas City and confirmed the company's fears. Because of the Health Insurance Portability and Accountability Act, the insurer's management decided to act immediately, Weigle said. One solution could have meant deploying three or four people to completely rewrite the applications so that they did not use cookies, a process that would have taken four months with the site down the entire time. That option was rejected. Instead, the insurer opted for one-day results by installing Sanctum's AppShield, which is designed to be put up in front of a company's application servers to detect and deter any hacker attempts, Weigle said.

"Let's say you're logging on to your favorite healthcare provider site, and there's a user name and a password field to fill in," Weigle said. "If you're a hacker and the developer of the site certainly didn't anticipate that you would do anything other than put in a user name and password, you can basically insert a program or script in that field that can run a query against the database sitting behind there holding all the private information."

If the site developer didn't explicitly write the application code to protect against data manipulation by using special characters such as ampersands and caret signs, then it's very likely that a hacker will be able to hack a site and obtain confidential information, she noted. "This is another portion of the whole infrastructure that really desperately needs protection because it's the easiest place to penetrate," she said.
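What Weigle describes is a login form whose field values are pasted into the database query text, so that special characters change the query's structure instead of being treated as data. The code below is an added example written for this article, not Sanctum's or any insurer's code; it uses an in-memory SQLite table with constructed member rows to show the vulnerable lookup beside two layers of defence: an allowlist check on the field at the front of the application (the kind of "bad behavior" screen the article attributes to AppShield) and a parameterised query with the password check done in application code. Table and column names are assumptions.

```python
import hmac
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data; a real system stores salted password hashes.
SAMPLE_MEMBERS = [
    ("alice", "hash-of-alice-pw", "asthma"),
    ("bob", "hash-of-bob-pw", "hypertension"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory members table holding private health data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (username TEXT, password_hash TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """The pattern the article warns about: field values spliced into SQL text.

    Quote characters in the input terminate the string literal and the rest of
    the value becomes part of the query, so it can return rows the caller was
    never entitled to see.
    """
    sql = ("SELECT username, diagnosis FROM members "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


# Layer 1: screen the field before it reaches the application, allowlist style.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def field_is_wellformed(value: str) -> bool:
    """True only for values made of characters a user name may contain."""
    return _USERNAME_RE.fullmatch(value) is not None


# Layer 2: parameterised query, so the value can only ever be data.
def login_hardened(conn: sqlite3.Connection, username: str,
                   password_hash: str) -> Optional[Tuple[str, str]]:
    """Return (username, diagnosis) on a correct login, else None."""
    if not field_is_wellformed(username):
        return None
    row = conn.execute(
        "SELECT password_hash, diagnosis FROM members WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    stored_hash, diagnosis = row
    # constant-time comparison of the credential in application code
    if not hmac.compare_digest(stored_hash, password_hash):
        return None
    return (username, diagnosis)


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"   # classic quote-breaking input typed into the field
    print("vulnerable, crafted input returns:", login_vulnerable(db, crafted, crafted))
    print("hardened, crafted input returns:", login_hardened(db, crafted, crafted))
    print("hardened, real login returns:", login_hardened(db, "alice", "hash-of-alice-pw"))
```

The allowlist is the cheap check a front-end filter can apply without knowing the application; the parameterised query is the fix the developer should make regardless, because filtering alone cannot anticipate every encoding a field might carry.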

Her biggest challenge has been convincing company officials that safeguarding their Web sites should be a top priority. The security personnel understand the need, Weigle said, but in many organizations, security budget dollars are very tight. Executives who hold the purse strings are under spending constraints, and without a clear corporate mandate, Web site security isn't given a high enough priority because it's technical and they have already spent a lot of money on security, she said. "They've bought firewalls and anti-virus protection, and they really thought that they had bought enough technology to protect them," Weigle said. "Until they established Internet sites, that was probably true, but once you open up all your private information via these Web sites, you've basically created a portal into your back-end systems that a hacker can manipulate unless the company has secured this last mile."

But the implementation of HIPAA's Privacy and Security rules, which she sees as naturally linked, has made her sales job easier, Weigle said. She likes to point to the track record of AppShield, which has more than 150 installations worldwide and has been battle-tested on the company founders' home turf. Sanctum installed it in front of several Israeli Web sites, including the Jewish state's Knesset, or Parliament, site in September 2000. "Those sites had been routinely and ferociously attacked by anti-Israel hackers," Weigle said. "They could not keep the Knesset site up and running for more than a few minutes--it would get attacked again and it would fall over. So we were brought in. We installed the software in 48 hours, and when we turned on the logging capability, they saw that there were 3,000 hacking attacks against the site a day and this product was blocking every single one of them."

In recent months, the political environment in Israel has worsened and the Knesset site now is logging 10,000 direct attacks a day, Weigle said. "But in more than two years' time," she added, "the application has never been breached."

Privacy on a Case-by-Case Basis

John A. Knapp, a member of law firm Cozen O'Connor in Philadelphia, has been working extensively with health-care providers and group health plans to prepare them to meet new rules on privacy and security under provisions of the Health Insurance Portability and Accountability Act.

Knapp, who works in the firm's health/law unit and has an extensive background as a healthcare executive and practicing attorney, said his firm's HIPAA compliance program amounts to a four-step process:

* First, Knapp's firm performs a HIPAA awareness session for senior management and others within the organization who handle "protected health information." Under HIPAA, this is individually identifiable health information that has been transmitted or stored by the covered entity and most of it is protected under the legislation. The session aims at showing these employees how HIPAA affects their organization, Knapp said.

* Second, the firm performs what's often referred to as a gap analysis. "We assess the organization's current processes with regard to individually identifiable health information, try and figure out how the organization receives it, where it stores it, what it does with it, who handles it, what measures are currently in place to protect the privacy and insure the security of that information," Knapp said.

During this phase, his firm also helps the organization identify "business associates" under HIPAA. Business associates are third parties that receive or create protected health information from, or on behalf of, the covered entity and perform some function for the covered entity. For example, these might be third-party administrators, billing companies, lawyers or accountants.

Under HIPAA, covered entities are required to enter into written agreements with business associates, who are not themselves covered entities, but are then obligated to enact protective measures to ensure the privacy and security of their protected health information, Knapp said.

"Some third parties are not aware of it; other third parties who recognize that their business involves servicing covered entities are well aware of this and have already taken proactive measures themselves," Knapp said.

* Third, the firm develops HIPAA compliance policies and procedures for the covered entity. At this stage, it also prepares the necessary amendments to the covered entities' Employee Retirement Income Security Act plans, a requirement "to provide the requisite degree of separation between the plan and the employer," he said.

* And fourth, the firm conducts employee training focused on the policies and procedures that it has developed for the covered entity.

"The key issue under HIPAA for group health plans is to insure that the protected health information that the group health plan has access to--information that a particular employee has a disease, or a mental health condition or some other situation--is segregated and prevented from being known to the employer at large," Knapp said.

Otherwise, he added, there is concern that the employer might use this information in the context of hiring, firing, promotion, demotion and compensation. "So the main goal here is to enact policies, procedures and mechanical safeguards, such as passwords or storage on separate servers with limited access, to make sure that this information does not become known to the employer," Knapp said.
COPYRIGHT 2003 A.M. Best Company, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Bowers, Barbara
Publication:Best's Review
Geographic Code:1USA
Date:Apr 1, 2003
Words:4895