For your eyes only: this month insurers face the first of three federally mandated privacy compliance deadlines. (Industry Strategies: Privacy).
The rule states that a health-care provider can share information with a patient's health plan for treatment, payment or health-care operations, but the information must be specifically for treatment, payment or operations of the provider and not the plan. Most covered entities, such as health-care providers and health plans that conduct certain financial and administrative transactions electronically, fall under the first deadline, while smaller health plans have another year to comply.
Implementation of the HIPAA Privacy rule follows closely on the heels of privacy requirements imposed by the Financial Services Modernization Act of 1999, otherwise known as Gramm-Leach-Bliley. While this law allows financial institutions, such as banks, insurance companies and securities firms to affiliate, it also provides rules giving consumers more control over disclosure of their personal financial information. Under Gramm-Leach-Bliley, an insurer annually must notify policyholders of its information-sharing policies and give them the ability to "opt-out," or refuse to permit the insurer to share nonpublic personal information with third parties for marketing purposes.
Building a Framework
The HIPAA Privacy rule "is largely a policy and procedure issue, requiring that you have policies and procedures, safeguards on those policies and procedures, that you educate your employees and enforce the policies and procedures," said John Quinn, a principal in Cap Gemini Ernst & Young's National Health Care Consulting Practice. He has been working with large hospitals and insurance companies on HIPAA compliance, and continues to field questions from clients on how the new Privacy rule applies to them.
"There's less confusion on the payor side than on the provider side, primarily because the payor organizations tend to be coherent, hierarchical and closed organizations," he said. In contrast, hospital personnel can include volunteers, physicians who aren't actually hospital employees and employees working under hundreds of different contracts. "You come to the realization that having an employee's policy and procedure book and a set of policies and procedures that you follow is a little more challenging in the provider space than it is in the payor space," he said.
But this process is not nearly as costly as the one prompted by Gramm-Leach-Bliley, with its estimated price tag of as much as $2 billion in employee labor, mailing costs and other expenses.
An Early Start
Nevertheless, insurers say that gearing for the Privacy rule, in tandem with preparations to meet the Transactions and Code Sets rule and the Security rule, began drawing their attention some years ago. For example, Nationwide Insurance Co., Columbus, Ohio, began work on HIPAA compliance in 2001, attacking it in much the same way it did Gramm-Leach-Bliley, said Kirk Herath, chief privacy officer. But unlike Gramm-Leach-Bliley's requirements, HIPAA's do not have the same universal effect on his company, he said.
"We have pockets of covered entities throughout our enterprise--a small health plan, self-insured employee plans, and we had a small long-term-care plan that was covered in our life company," Herath said. At the time the company began this effort, it also had a number of individual health policies on its books as well as a Medicare claims operation that administered all Medicare claims for Ohio and West Virginia. The Medicare claims business has since been sold.
Nationwide quickly formed teams to focus on HIPAA compliance for its health business and to see that self-insured programs also met the deadlines. "Unlike GLBA [Gramm-Leach-Bliley Act], which affected everyone in the company uniformly, HIPAA only affected a small number of our operations," Herath said.
The team preparing for the Transactions and Code Sets rule started in earnest more than 18 months ago, he said. "It really took that long to get all the uniform code sets in place and to get the systems reworked," Herath said. The groundwork to meet the Privacy rule began about a year ago. "One of the first big things we had to do was to create the policies and procedures by which we were going to operate to comply with HIPAA, and that really was a job for a team of lawyers," he said.
The company created a privacy legal working group and, to expedite the process, hired an outside legal expert who answered the company's questions and provided Nationwide with templates for the policies and procedures. "What we did was divvy them up among about 10 company lawyers, including myself, so nobody had too much of a workload, and we gave ourselves about a three-month window to get them done," Herath said. Once that was completed in July 2002, the company began implementing the new policies and procedures during the remainder of that year.
The other key component in Nationwide's privacy compliance plan was to develop an online training module. The company developed this proprietary product in house, paying "a quarter of the $200,000 that some of the big consulting firms wanted to charge us," Herath said. "We partnered with an outside Web firm that does training modules. We created all the content, we basically designed it, and they built it for us."
Although the training program touches upon security, it mostly tackles the HIPAA Privacy rule, and includes all of Nationwide's policies and procedures in a back-end glossary. Because HIPAA is very specific about what training is required according to an employee's function, few people at Nationwide have had to undergo the entire training program. The software "will tell you you have to take modules 1, 3, 5, 8 and 10 and then it'll track your progress, allowing you to log off and log back on where you were," he said. "When you complete the program, it documents it for us for compliance purposes and the employee receives a certificate."
Herath said the training module is so good that the company Nationwide worked with is licensing a version of it for sale to the public.
Addressing the HIPAA requirements has cost the company about $500,000 in hard costs for printing and mailing statements as well as some systems work, a sum far below the estimated $6 million for hard costs associated with Gramm-Leach-Bliley compliance, Herath said. But then the Gramm-Leach-Bliley effort also piled on considerable soft costs in employee hours. "Everybody was doing it--we had literally hundreds of people running around doing this work in some cases for up to two years," he said, putting those soft costs in the $3 million to $4 million range.
Unaware and Unprepared
While Nationwide and many other insurers have done their homework, industry experts question the readiness of other covered entities, especially those that HIPAA labels self-insured, to meet the 2003 deadlines.
"We're talking about many employers across the country--and in my experience at least 50% are not aware that they are covered or are under the mistaken belief that someone else is handling the compliance issues for them," said attorney John A. Knapp, a member of Cozen O'Connor's health/law unit in Philadelphia. "Oftentimes, a group health plan will believe that whoever their insurer is--whether it's Blue Cross, Aetna or any of the large commercial companies--those insurance entities are taking care of all of the HIPAA compliance requirements for the group health plan. And that's usually not the case. There are many, many who have not even tackled this issue. It's my expectation that HIPAA compliance, even on the Privacy rule, will go on well past the April 14 deadline."
Every U.S. employer that provides health benefits to its employees and has 50 or more people in its plan is a covered entity under HIPAA, Knapp said, and of that group, self-insured employers have a broader set of compliance obligations than those that are fully insured. Under HIPAA, a company is considered self-insured if any part of its health-benefit program is self insured, and that could be as little as offering what's called a flexible spending account or cafeteria program to employees, Knapp said.
Knapp, a co-leader of his firm's HIPAA team, estimates that 75% of his time over the last nine months has been spent on HIPAA work. Recently, he was dealing with a dozen HIPAA compliance projects involving healthcare providers or group health plans--employers offering health benefits to their employees.
In cases of noncompliance, HIPAA provides penalties as low as $100 an infraction, with a maximum of $25,000 for each type of infraction a year, Knapp said. Penalties can become more severe--a maximum of 10 years in jail and a $250,000 fine--for such violations as selling protected health information for commercial profit.
Practically speaking, however, enforcement of the Privacy rule under HIPAA is the responsibility of the Office of Civil Rights of the Department of Health and Human Services. This office, Knapp noted, does not have a large budget for enforcement efforts, and it has made public announcements that its intent is to approach enforcement, at least for now, in an educational mode. "That may change in the future, but initially no one really expects a widespread harsh enforcement policy," he said.
After HIPAA's Privacy rule deadline comes its Oct. 16, 2003, deadline for the rule on Transactions and Code Sets, a provision that seeks to establish standards and requirements to enable the electronic exchange of some health information. Finally, the third component, the Security rule deadline, is in April 2005. The Security rule, which had been issued in proposed form a number of years ago, addresses the electronic and mechanical security measures that a covered entity is required to take to safeguard protected health information that is stored or transmitted electronically. The Security rule does not affect paper records.
Peggy Weigle, chief executive officer of Sanctum, a Santa Clara, Calif.-based security company founded by two former members of the Israeli Defense Forces, credits HIPAA with spurring companies on to greater realization of the need for tighter electronic security. "We've been tracking both GLBA [Gramm-Leach-Bliley Act] and HIPAA for two to three years now, and both pieces of legislation really heightened the security awareness in the corporate world," she said. But the interest the company has seen in the past year is the direct result of HIPAA's Privacy deadline, coupled with the fact that HIPAA has more teeth than Gramm-Leach-Bliley in sending executives to jail or, at least, imposing fines, if private information is exposed, she said.
"What we have seen in our customer base alone is a dramatic increase in the number of health-care and insurance companies that have bought our products," Weigle said. The company has more than 350 customers worldwide and added 150 of those in 2002 alone. Of the new 150, 35% were health-care and insurance companies in the United States, she said.
Vulnerable Web Sites
But despite implementation of some electronic security measures, most companies remain vulnerable to hackers at their Web sites, she said. Her firm has audited more than 300 sites at companies' requests and has been able to break into 98% of them. "That's just a stunning number, and that includes health-care companies, insurance companies and brokers," she said. "Lots of companies, and insurance companies in particular, have invested in things like anti-virus software and network firewalls, and they definitely are encrypting the data that they are moving back and forth across the Internet. But the problem is that the majority of them have not protected the last mile, or the Internet site itself."
Herath thinks Nationwide's early efforts to comply with HIPAA rules forced some strategic decision making. While he can't say that HIPAA was the driving force behind Nationwide's determination that health insurance wasn't a core business, and therefore it would stop writing individual health and transfer or sell its Medicare claims operation, he does acknowledge that the law played a role in that change. Another benefit for the company in meeting the HIPAA privacy requirements was a continued understanding of how its business flows, Herath said. Before Gramm-Leach-Bliley and continuing with HIPAA, "there were very few people if any who ever sat down and said, 'How do all these different business units relate to each other, where's all the information coming in from, where does it reside and how is it protected?'" he said.
Quinn sees HIPAA as a plus for both patients and insurance companies in providing "a defined floor of privacy" showing what a company can or cannot do with personal medical information. "From an insurance company's perspective, it's good in that it sets up some parameters to keep them from ultimately being sued," he said. "You can never say it prevents suits, but the law specifically does not allow violations of the provisions to be used as a basis for a suit. Of course, anyone with specific concerns about HIPAA and suits should talk to their legal counsel."
Insurance companies also will get a public relations boost by saying that they are acting as a good trustee of the private information of their customers, Quinn said. "You can be a cynic and say they're only doing it because they're afraid to go to jail, but that's neither here nor there," he said. "The fact is that they're doing it, and this law is the catalyst that's making it happen."
GLBA Privacy Regulations and Legislation Proposed and Enacted as of 2/3/03

Following passage of the Gramm-Leach-Bliley Act in 1999, all 50 states addressed the privacy issue to ensure compliance with the new law. Several states still have proposals pending. States are listed below according to the wording they embraced. If a state privacy regulation is more stringent than those in Gramm-Leach-Bliley, it takes precedence over the federal law. States marked with an asterisk (*) had a privacy statute in place prior to Gramm-Leach-Bliley.

1982 NAIC Model Regulation Amended
Arizona *: Enacted legislation, with workers' comp
Georgia *: Adopted regulation expecting GLBA compliance
Maine *: Enacted legislation, includes p/c
Massachusetts *: (1982 statute excludes p/c)
New Jersey *: DOI Bulletin 01-10 advising compliance with GLBA (1982 statute excludes p/c)
North Carolina *: Enacted legislation
Oregon *: Adopted rule that complies with GLBA in addition to statute
Virginia: Enacted legislation

2000 NAIC Model Regulation
Arkansas: Adopted regulation, without workers' comp
Colorado: Adopted regulation
Florida: Adopted regulation
Iowa: Adopted regulation
Kansas *: Enacted legislation; health compliance 2/1/02 - 4/14/03
Kentucky: Adopted regulations; separate regulations for financial and health
Maryland: Enacted regulation
Mississippi: Adopted regulation
Nebraska: Adopted regulation
New Hampshire: Adopted regulation
New York: Adopted regulation
North Dakota: Adopted regulation, without workers' comp
Oklahoma: Adopted regulation, without workers' comp and 3rd-party claimants; health compliance is 1/1/03
Pennsylvania: Adopted separate regulations for financial and health
Rhode Island: Adopted separate regulations for health and financial, both without workers' comp
South Carolina: Adopted regulation, without workers' comp and 3rd-party claimants; health compliance is 1/1/03
Texas: Adopted separate regulations for financial and health
Utah: Adopted regulation in Rule 590-206
Washington: Adopted regulation; health compliance 12/30/2002
West Virginia: Adopted regulation
Wisconsin: Adopted regulation
Wyoming: Adopted regulation; health compliance 1/1/2002

2000 NAIC Regulation Without Health
Alabama: Adopted regulation, without workers' comp and 3rd-party claimant
Connecticut *: Adopted regulation
Delaware: Adopted regulation
D.C.: Adopted emergency regulation, without workers' comp
Hawaii *: Enacted legislation without examples (i.e., workers' comp consumer)
Idaho: Pending rule, without claimant and workers' comp
Illinois *: Adopted regulation, without workers' comp
Indiana: Adopted regulation, without workers' comp
Louisiana: Adopted regulation, without workers' comp
Michigan: Enacted legislation, without workers' comp
Missouri: Adopted regulation, without workers' comp
Nevada *: Adopted regulation, without workers' comp
New Jersey *: Proposed legislation 01/02 - NJA 1091
South Dakota: Adopted regulation
Tennessee: Adopted regulation

Individually Drafted
Alaska: Proposed regulation with opt-in and no affiliate sharing
California: Regulation based on the NAIC model regulation but with 1982 statute exceptions; applies to all commercial lines. Several cities passed ordinances that require notices with opt-in. SB1 with opt-in introduced
Massachusetts *: 2003 legislation MAH295, opt-in for banks
Minnesota *: Issued memo mandating compliance with GLBA
Montana *: 2001 enacted legislation requires specific notice; 2003 proposed legislation H205 changing the 2001 legislation
New Jersey *: Proposed legislation 6/02 - NJA2621 with opt-in
New Mexico: Adopted regulation with opt-in
Ohio *: DOI issued Bulletin 2000-1 mandating compliance
Vermont: Adopted regulation with opt-in for financial information, without enabling legislation

* The states that had a privacy statute in place prior to Gramm-Leach-Bliley.
Note: Even though a state might be proposing or recommending a particular model, that state might also be proposing changes to that model.
Source: National Association of Independent Insurers
RELATED ARTICLE: What's Next on Privacy?
Reynold E. Becker
More than three years have passed since the enactment of the federal Gramm-Leach-Bliley Financial Services Modernization Act. As of late February, every state except Alaska had either a statute or regulation in place addressing the basic privacy notice and disclosure requirements of Title V of the act, but legislative interest in the topic on both the state and federal level is far from over. Legislative activity already is taking place in the following key areas:
Information Safeguarding. As of late February, only 10 state insurance departments had adopted regulations implementing the additional information-safeguarding component of Title V, using a 2002 National Association of Insurance Commissioners model regulation. The regulation is pending as a proposed regulation or legislation in another nine states. More than half of the states still need to act.
Opt-In. Both Title V of Gramm-Leach-Bliley and the 2000 NAIC model privacy regulation established an "opt-out" system for financial information shared with nonaffiliates. Only two state insurance departments have deviated from this approach by adopting a new "affirmative consent" or "opt-in" approach: New Mexico and Vermont. A proposed Alaska regulation along those lines also is pending. Interestingly, barely 1% of all property/casualty insurance premium nationally is written in those three states.
The Alliance of American Insurers and other national insurer trade associations have a legal challenge pending against the Vermont regulation.
Opt-in legislation is pending in California, Maine, Minnesota, New Jersey, New Mexico, New York, North Dakota, Oregon and South Dakota, with more expected to be introduced. California will be the major state battleground in 2003. In addition, several units of local government in the San Francisco Bay area have taken the unprecedented step of adopting opt-in ordinances. These municipal laws are under challenge in federal court. The financial services industry may face opt-in referenda on the ballots in California and Maine in 2004.
Affiliate Sharing. Congress intentionally left disclosures between and among affiliated companies unregulated under Title V. State efforts to regulate in this area have been blunted, in large part because the federal Fair Credit Reporting Act pre-empts state laws concerning affiliate sharing of credit-related information. That pre-emption is scheduled to "sunset" Jan. 1, 2004, however. There already is renewed interest in the U.S. Congress and state legislatures to regulate such disclosures. The Alliance expects the U.S. Senate Banking Committee to look at this issue in 2003. Bills concerning affiliate sharing are pending in California, New Jersey, New Mexico and Oregon, with more expected.
Joint Marketing. As with affiliate sharing, Congress also intentionally left "joint-marketing" arrangements loosely regulated. As of late February, bills to regulate these practices are pending in California, New Mexico, North Dakota and Oregon, with more expected.
Privacy Notice Content. Privacy advocates have been very critical of financial-services-industry privacy notices, accusing them of being purposely "confusing" or "legalistic." They also are disappointed by the relatively low percentage of customers electing to "opt-out." The Alliance is resisting "readability" mandates, like those adopted in California.
Social Security Numbers. As of late February, legislation was pending in 15 states to restrict insurer collection, use, disclosure or display of individual Social Security numbers, and the number is expected to grow. California started this ball rolling in 2001 in its zeal to combat "identity theft."
Health Information. U.S. Department of Health and Human Services health-information privacy regulations will kick in by mid-April. While the regulations do not apply directly to property/casualty insurers, there are considerable indirect implications for claims handling.
Reynold E. Becker is vice president of property/casualty for the Alliance of American Insurers, Downers Grove, Ill.
Electronic Security Firm Is Battle Hardened
Like many security firms with Israeli roots, Sanctum employs technology developed by a super-secret unit in the Israeli army. Sanctum was formed more than six years ago when founders recognized that many companies, among them insurers and health-care providers, were hosting private and confidential information on their Internet sites, yet faced major security problems because of poorly designed applications and increasingly complex sites, Chief Executive Officer Peggy Weigle said from her office in Santa Clara, Calif.
To address this, Sanctum introduced two automated Internet security solutions that can help organizations detect hacking forays and block them. One product, AppShield, "does for the Internet site what network firewalls do for the network," Weigle said. This monitors what a user does on a Web site and which applications are being accessed, and if it recognizes so-called "bad behavior," it will stop the user cold in his tracks, she said. The second product, AppScan, is an auditing tool that Sanctum uses when asked to assess the vulnerability of a Web site at the application level, where most security breaches occur. AppScan also is used by internal application developers, application quality assurance and security audit groups at large corporations to assess and fix their Web application vulnerabilities.
In one case, Blue Cross Blue Shield of Kansas City called in the security firm when the insurer suspected its six-month-old Web site, which services a sizable population, might be vulnerable to "cookie poisoning," Weigle said. This "poisoning" involves altering a cookie, or series of numbers that identifies a user when he or she logs onto a site. The "cookie" then follows the user in moving from one part of the site to another. "Once hackers get on a site, they can go in and try to steal someone else's cookie and then you have access to that user session," Weigle said. "If you don't protect against cookie poisoning, you are allowing somebody to steal your identity and then get access to the private information of another person."
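The cookie-poisoning scenario above, as an added example that is not code from the article, from Sanctum or from the insurer named: a session cookie that is nothing more than the member's record number beside one that carries an unguessable per-session value and a server-side HMAC tag. The cookie formats, the field names and the 32-byte key are assumptions made for the demonstration. The attacker's only move is to edit the uid field in the browser; the weak server honours the edit, the signed server rejects it.

```python
"""Cookie poisoning: a guessable session cookie beside a tamper-evident one.

Added example, not code from the article or from Sanctum. The cookie layout
("uid=...;sid=...;mac=..."), the field names and the signing key are
assumptions made for this demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# --- Weak design: the cookie is just the user's record number -------------
# Nothing binds the value to the session that issued it, so a visitor who
# rewrites "uid=1042" as "uid=1043" in the browser becomes user 1043.

def issue_weak_cookie(user_id: int) -> str:
    return f"uid={user_id}"

def resolve_weak_cookie(cookie: str) -> Optional[int]:
    if not cookie.startswith("uid="):
        return None
    try:
        return int(cookie[4:])
    except ValueError:
        return None

# --- Hardened design: random session value plus an HMAC over the payload --
# Only the server holds the key, so the browser cannot mint a valid tag for
# a payload it invented; edits are detected instead of honoured.

def issue_signed_cookie(user_id: int, key: bytes) -> str:
    nonce = secrets.token_hex(16)               # unguessable per-session value
    payload = f"uid={user_id};sid={nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload};mac={tag}"

def resolve_signed_cookie(cookie: str, key: bytes) -> Optional[int]:
    try:
        payload, mac_field = cookie.rsplit(";mac=", 1)
    except ValueError:
        return None                              # malformed: no tag at all
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison; a plain == leaks timing information
    if not hmac.compare_digest(expected, mac_field):
        return None
    for part in payload.split(";"):
        if part.startswith("uid="):
            try:
                return int(part[4:])
            except ValueError:
                return None
    return None

def poison(cookie: str, victim_id: int) -> str:
    """The attacker's edit: rewrite the uid field and leave everything else."""
    parts = cookie.split(";")
    return ";".join(f"uid={victim_id}" if p.startswith("uid=") else p for p in parts)

def demo() -> dict:
    key = secrets.token_bytes(32)                # server-side secret (assumed)
    weak = issue_weak_cookie(1042)
    signed = issue_signed_cookie(1042, key)
    return {
        "weak_honest": resolve_weak_cookie(weak),
        "weak_poisoned": resolve_weak_cookie(poison(weak, 1043)),
        "signed_honest": resolve_signed_cookie(signed, key),
        "signed_poisoned": resolve_signed_cookie(poison(signed, 1043), key),
    }

if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The signed cookie is tamper-evident, not secret: anyone who captures it can replay it, which is the "steal someone else's cookie" case Weigle also mentions. In practice the sid value should be the lookup key into a server-side session table, and the cookie should be sent only over TLS with the Secure and HttpOnly flags set, so that capture is harder and the server can expire or revoke a session independently of what the browser holds.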
"Let's say you're logging on to your favorite health-care provider site, and there's a user name and a password field to fill in," Weigle said. "If you're a hacker and the developer of the site certainly didn't anticipate that you would do anything other than put in a user name and password, you can basically insert a program or script in that field that can run a query against the database sitting behind there holding all the private information."
If the site developer didn't explicitly write the application code to protect against data manipulation by using special characters such as ampersands and caret signs, then it's very likely that a hacker will be able to hack a site and obtain confidential information, she noted. "This is another portion of the whole infrastructure that really desperately needs protection because it's the easiest place to penetrate," she said.
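The login-form attack Weigle describes is SQL injection. As an added example, not code from the article or from any product named in it, the block below builds a constructed members table in an in-memory SQLite database, then runs a login query written the way she says the developer wrote it (the fields pasted into the SQL text) beside the same query with bound parameters. The table, the two sample accounts and the diagnosis column are all made up for the demonstration.

```python
"""SQL injection through a login form, and the parameterized-query fix.

Added example, not code from the article or from Sanctum. The members table,
the credentials and the diagnosis column are constructed here so the
demonstration runs offline; passwords are stored in clear only to keep the
example short (a real system stores a salted hash).
"""
import sqlite3
from typing import List, Tuple

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("alice", "correct horse", "asthma"),            # constructed rows
         ("bob", "hunter2", "type 2 diabetes")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    # The developer assumed the fields hold only a name and a password, so the
    # raw values become part of the SQL text the database parses.
    sql = ("SELECT username, diagnosis FROM members "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    # Bound parameters: the values travel separately from the query text, so
    # quotes, comment markers and keywords in the input are data, never SQL.
    sql = "SELECT username, diagnosis FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo() -> dict:
    conn = build_db()
    # Closes the username string, makes the WHERE clause true for every row,
    # and comments out the password check that follows.
    dump_all = "' OR 1=1 --"
    # Closes the username string after a known victim and comments out the rest.
    as_bob = "bob' --"
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_dump": login_vulnerable(conn, dump_all, "anything"),
        "vuln_as_bob": login_vulnerable(conn, as_bob, "anything"),
        "safe_honest": login_safe(conn, "alice", "correct horse"),
        "safe_dump": login_safe(conn, dump_all, "anything"),
        "safe_as_bob": login_safe(conn, as_bob, "anything"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Two points worth drawing out. First, the fix is not a blacklist of "special characters": stripping quotes or carets from the input leaves the string-pasting design in place and is routinely bypassed, whereas the bound-parameter form is correct for any input. Second, SQLite's execute() runs one statement at a time, so the stacked-statement variant ("...; DROP TABLE ...") does not apply in this demonstration; on database drivers that accept several statements in one call, the same pasted string also lets the attacker modify or delete data rather than only read it.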
Her biggest challenge has been convincing company officials that safeguarding their Web sites should be a top priority. The security personnel understand the need, Weigle said, but in many organizations, security budget dollars are very tight. Executives who hold the purse strings are under spending constraints, and without a clear corporate mandate, Web site security isn't given a high enough priority because it's technical and they have already spent a lot of money on security, she said. "They've bought firewalls and anti-virus protection, and they really thought that they had bought enough technology to protect them," Weigle said. "Until they established Internet sites, that was probably true, but once you open up all your private information via these Web sites, you've basically created a portal into your back-end systems that a hacker can manipulate unless the company has secured this last mile."
But the implementation of HIPAA's Privacy and Security rules, which she sees as naturally linked, has made her sales job easier, Weigle said. She likes to point to the track record of AppShield, which has more than 150 installations worldwide and has been battle-tested on the company founders' home turf. Sanctum installed it in front of several Israeli Web sites including the Jewish state's Knesset, or Parliament, site in September 2000. "Those sites had been routinely and ferociously attacked by anti-Israel hackers," Weigle said. "They could not keep the Knesset site up and running for more than a few minutes--it would get attacked again and it would fall over. So we were brought in. We installed the software in 48 hours, and when we turned on the logging capability, they saw that there were 3,000 hacking attacks against the site a day and this product was blocking every single one of them."
In recent months, the political environment in Israel has worsened and the Knesset site now is logging 10,000 direct attacks a day, Weigle said. "But in more than two years' time," she added, "the application has never been breached."
Privacy on a Case-by-Case Basis
John A. Knapp, a member of law firm Cozen O'Connor in Philadelphia, has been working extensively with health-care providers and group health plans to prepare them to meet new rules on privacy and security under provisions of the Health Insurance Portability and Accountability Act.
Knapp, who works in the firm's health/law unit and has an extensive background as a healthcare executive and practicing attorney, said his firm's HIPAA compliance program amounts to a four-step process:
* First, Knapp's firm performs a HIPAA awareness session for senior management and others within the organization who handle "protected health information." Under HIPAA, this is individually identifiable health information that has been transmitted or stored by the covered entity and most of it is protected under the legislation. The session aims at showing these employees how HIPAA affects their organization, Knapp said.
* Second, the firm performs what's often referred to as a gap analysis. "We assess the organization's current processes with regard to individually identifiable health information, try and figure out how the organization receives it, where it stores it, what it does with it, who handles it, what measures are currently in place to protect the privacy and insure the security of that information," Knapp said.
During this phase, his firm also helps the organization identify "business associates" under HIPAA. Business associates are third parties that receive or create protected health information from, or on behalf of, the covered entity and perform some function for the covered entity. For example, these might be third-party administrators, billing companies, lawyers or accountants.
Under HIPAA, covered entities are required to enter into written agreements with business associates, who are not themselves covered entities, but are then obligated to enact protective measures to ensure the privacy and security of their protected health information, Knapp said.
"Some third parties are not aware of it; other third parties who recognize that their business involves servicing covered entities are well aware of this and have already taken proactive measures themselves," Knapp said.
* Third, the firm develops HIPAA compliance policies and procedures for the covered entity. At this stage, it also prepares the necessary amendments to the covered entities' Employee Retirement Income Security Act plans, a requirement "to provide the requisite degree of separation between the plan and the employer," he said.
* And fourth, the firm conducts employee training focused on the policies and procedures that it has developed for the covered entity.
"The key issue under HIPAA for group health plans is to insure that the protected health information that the group health plan has access to--information that a particular employee has a disease, or a mental health condition or some other situation--is segregated and prevented from being known to the employer at large," Knapp said.
Otherwise, he added, there is concern that the employer might use this information in the context of hiring, firing, promotion, demotion and compensation. "So the main goal here is to enact policies, procedures and mechanical safeguards, such as passwords or storage on separate servers with limited access, to make sure that this information does not become known to the employer," Knapp said.
Date: Apr 1, 2003