Secret identity: insurers have spent countless hours working to meet policyholder privacy requirements. Now the results are paying off in customer satisfaction and retention. (Industry Strategies).
Most insurers believe the new requirements have had a positive effect. In addition, they believe the result is increased customer satisfaction, greater customer loyalty and higher retention, because customers know their personal financial information is secure.
Insurers were busy last year preparing and mailing thousands of financial-privacy notices to consumers. The Financial Services Act, better known as Gramm-Leach-Bliley, allows financial institutions, such as banks, insurers and securities firms, to affiliate under one corporate roof. It also established rules to give consumers more control over disclosure of their personal financial information. Under the act, financial institutions must send customers annual notice of their information-sharing policies and give customers the ability to "opt-out," or direct their bank or insurer not to share their nonpublic personal information with third parties for marketing purposes.
Allstate Insurance Co. began its compliance efforts with the creation of a multidisciplinary task force to study the company's cross-organizational practice of collecting and using customer information. From the task force's findings, legally compliant privacy notices were written and mailed to policyholders beginning in January 2001. Allstate plans to ensure that all practices described in the notices are carried out and to keep a watchful eye on state-by-state variances of privacy regulations that could affect language and the way notices will be sent in the future.
Columbus, Ohio-based Nationwide Insurance Co. has been preparing for Gramm-Leach-Bliley compliance for several years. The company assembled a cross-functional team of nearly 200 employees to concentrate on getting notices out by the July 1, 2001, deadline, amending contracts and notifying business partners that they, too, had privacy responsibilities. Gramm-Leach-Bliley requires that business partners be in compliance with federal and state privacy laws. To meet the requirement, Nationwide defaulted to signed contracts, but the insurer plans to establish a more formal process in the coming months.
Nationwide is now educating employees about privacy practices and plans to roll out an online "privacy university" later this year. The program will include a general educational module providing a privacy overview and legal information and more specialized modules geared to individual departments and featuring real-life scenarios in which employees are asked questions about how they would handle hypothetical situations.
Minnesota-based St. Paul Cos. took a somewhat different approach. After identifying seven business units with about 207,000 affected policyholders, the company modified its systems to automatically generate privacy notices to these policyholders by the July 1 deadline. "Our privacy compliance efforts were made easier, because we're predominantly a commercial insurer that, with regards to Gramm-Leach-Bliley and the NAIC regulation, didn't have the magnitude of policyholders that a larger insurer had, and traditionally we have been very conservative in the way we market customer information to third parties. The bottom line is, we don't do it," said Jeff Slack, assistant vice president and senior regulatory counsel. These two factors made St. Paul's due diligence efforts a much simpler process, he said.
Overall, insurers met the compliance process head-on and "most, if not all, companies got the July 1, 2001, initial privacy notices out," said Scott Harrison, partner in charge of the insurance regulatory practice for the professional services firm KPMG LLP. He believes the industry is now facing several new challenges, however, including dealing with security requirements contained in the statute. New York has taken the lead to promulgate a specific security regulation modeled after the federal guidelines adopted last year by various federal banking regulatory affiliates, he said.
Insurers, such as Louisville, Ky.-based Humana Inc., are assessing security systems and ensuring that privacy and protection processes are in place. Humana also will look at new technologies, such as secure messaging or encryption systems, that will assist in the privacy protection process.
While most insurers seamlessly moved into Gramm-Leach-Bliley privacy compliance, there were a few bumps along the way.
The extra time, effort and money needed to come into compliance were felt by some insurers. "Whenever you have something that affects the entire enterprise, it takes time to ensure you are touching all necessary bases and doing all you have to do to comply with the law and serve the needs of your customers," said JoAnne Kron, counsel, law and regulation for Allstate Insurance Co.
State regulations are adding some extra wrinkles in the privacy patchwork. If a state privacy regulation is more stringent than those in Gramm-Leach-Bliley, it takes precedence over the federal law. "Many of the larger companies are dealing with how each state is going to interpret Gramm-Leach-Bliley within its own regulatory framework," said Karen Skarupski, associate general counsel for Erie, Pa.-based Erie Insurance Co. "It has become a huge compliance issue for many companies, because we are regulated by each state, as opposed to many banks which have only one primary regulator."
In addition, some states have not yet finalized rules, which poses difficulties for insurers within those jurisdictions. One example is California, where a handful of proposals call for regulations stricter than those in Gramm-Leach-Bliley, including some that target an "opt-in" approach, in which information can't be disclosed unless consumers take affirmative steps to agree, rather than the "opt-out" requirement in the act.
The industry also is faced with the added expense of the compliance process. Industry officials estimate that final privacy compliance costs could be as high as $1 billion to $2 billion, resulting from employee labor, mailing costs and countless additional expenses. Nationwide estimated its privacy compliance spending at about $10 million in hard costs, including mass mailings and educational programs. The company projects it will continue to spend between $3 million and $4 million annually on privacy-related processes.
Many insurers, however, said compliance expenses were not material enough to warrant disclosure. In addition, many said these added expenses were well below those spent on becoming Y2K-compliant.
Recognizing the Benefits
Despite the challenges, insurers agree the overall transition process of becoming compliant was relatively smooth. "We didn't experience any insurmountable obstacles along the way," said Jack Armstrong, assistant vice president and senior regulatory counsel of Boston-based Liberty Mutual. Rather, he said the greatest benefit of the new privacy regulation is the increased level of customer trust in the way institutions handle their information.
Another benefit of complying with privacy regulations is a clearer respect for consumers' information.
"Most people knew what the right thing was, but now the regulations institutionalized what the right thing is," said Kirk Herath, chief privacy officer for Nationwide. "The whole purpose of business boils down to one thing--trust. And if customers don't trust a company to use their personal information appropriately, they're unlikely to stay customers for long."
St. Paul's privacy notices assure customers in writing that the insurer has a very conservative position in protecting policyholders' personally identifiable information, said Slack. "Judging from the lack of customer calls or complaints since we began mailing notices, we think privacy has been a good selling point for us," he said.
In addition to increased customer satisfaction, insurers point to a greater level of customer loyalty and retention as a major benefit of having privacy regulations in place. "The rules are a constant reminder that we have to keep customers' information private," said Allstate's Kron. "And while this may sound obvious, the message may sometimes get lost in everyone's effort to do their job and focus on consumers' needs."
Preparing for HIPAA
Protecting consumers' health information is a focus of HIPAA, and insurers are gearing up for the April 14, 2003, deadline for compliance with the act's medical privacy provisions.
"People generally have three main concerns from a privacy standpoint--online privacy, identity theft and protection of health information," said Ira Friedman, chief privacy officer and special counsel for MetLife, New York. "HIPAA has hit one of these major areas, and it has become one of MetLife's top efforts to make sure we are in compliance with the act when the deadline comes around."
Washington, D.C.-based Blue Cross Blue Shield Association also plans to be in full compliance by the deadline, said Alissa Fox, executive director of privacy. "While there may be some unintended consequences that will surface over the next year, we want to make sure the process is as hassle-free as possible."
In the next several months, insurers will identify strategies they need to become compliant. "This generally involves a lot of the same internal communication issues they had in respect to Gramm-Leach-Bliley, such as identifying who within the organization has access to information," said KPMG's Harrison.
Blue Cross Blue Shield plans, for example, will continue performing gap analysis on their own privacy practices to study what they are currently doing to protect privacy, what the regulation requires and how it compares with current practices. "This will help us evaluate what gaps we need to fill," said Fox.
In the end, insurers hope compliance will provide added security for what many believe is the most important information to protect. "Society places a very high premium on health information--holding it as something that demands the utmost care by insurance companies and providers alike," Harrison said. "Payors understand this, so that is why I believe companies are striving to get HIPAA right the first time around."
State vs. Federal
Some insurers are concerned about what will happen if more states impose stricter rules than those outlined by Gramm-Leach-Bliley.
"The sentiment of Congress appears to be to give time for the industry and the marketplace to adjust to the requirements of Gramm-Leach-Bliley and see if the controls now in place are sufficient to protect consumers from unwanted disclosure of information," Harrison said.
Insurers hope that attitude prevails. While most were content to embrace the Gramm-Leach-Bliley approach, they believe more time is needed before Congress and states should begin contemplating changes to the financial-privacy rules.
"I hope before the government goes a step further, it gives us a couple years to let the machine work before they tinker with it," said Nationwide's Herath. "While the system is not perfect, as no system ever is, I'm fearful that if they go too far, it may possibly bring more harm than good to the business." Insurers need to try to do the right thing while still trying to stay solvent in today's tough economy, he added.
Insurers also are concerned that states will continue to compete with one another to outdo Gramm-Leach-Bliley, which they believe will hinder the system.
Potential Powder Keg
MetLife's Friedman said one of the negative things the act did for consumers and companies was to allow states to impose greater restrictions than the federal rule. "That's going to lead to a number of states that will take Congress up on that. California, although well-intentioned, is headed in that direction," he said. Friedman also believes that increased state-to-state variation of financial privacy will be both expensive for insurers and confusing for consumers, who would be subject to an even greater number of privacy notices from various organizations.
Dr. Donald Young, president of the Health Insurance Association of America, also is concerned about the possibility of states' going beyond current medical information privacy regulations. HIAA, which is working with the Department of Health and Human Services to clarify what it believes are some ambiguous areas in the HIPAA standards, is concerned that the result will be a new set of requirements, such as an "opt-in" approach for information.
"At the federal level, the clarification of intent and rules are spelled out. Insurers know what they are and continue to try to simplify them," he said. At the state level, the association is lobbying for one set of clear federal rules, "not 51 sets," Young said.
Although the future of financial privacy continues to be a "wait-and-see" game, some insurers believe other financial privacy-related changes may arise. Some insurers believe the language and complexity of financial-privacy notices will take a 180-degree turn in the future. Several groups, including the National Association of Insurance Commissioners, are exploring options to simplify notices and make them more "consumer-friendly."
"Policymakers are beginning to step back and consider letting companies communicate only the most important information, which results in better communication, and we hope to see sets of rules that will enable companies to simplify notices," said MetLife's Friedman. He said he worries that if states compete to "trump Gramm-Leach-Bliley," compliance notices will become even more complicated and will not be in the best interest of customers.
While some states continue to explore fostering their own privacy rules, the focus at the federal level has shifted since Sept. 11 from consumer protection to governmental needs for information. "However, I think the overall focus is still there, and if it has receded a little on the federal level, we see signs that consumer privacy is coming back on the federal agenda," Friedman said.
RELATED ARTICLE: Insurers Keep Watchful Eye on California
More than enough financial-privacy regulations have been proposed in California to keep insurers on an apprehensive watch for what the result may be.
Several legislators, state departments and even the state governor are looking to impose new privacy rules in California that would be more stringent than those set forth in the Financial Services Modernization Act of 1999, better known as Gramm-Leach-Bliley.
Gramm-Leach-Bliley allows corporate affiliation of financial institutions, including banks, brokerage firms, insurers and securities firms. Under the law, financial institutions are required to send customers annual notice of their information-sharing policies and give customers the ability to "opt out," or direct their bank or insurer not to share their nonpublic personal information with third parties for marketing purposes.
Only a few states have financial-privacy rules that set an even higher standard than the act with an "opt-in" approach, in which information can't be disclosed unless consumers take affirmative steps to agree to having information disclosed. Since 1999, 40 states have considered bills that would establish privacy rules that are stricter than the Gramm-Leach-Bliley rules. None of the bills passed.
California is considering several legislative regulations, including S.B. 773, which was introduced by state Sen. Jackie Speier, D-San Francisco, and stalled on the Assembly floor in September 2001, and A.B. 1775, which was introduced by Assemblyman Joe Nation, D-San Rafael, earlier this year. In April, the California Assembly Banking and Finance Committee approved A.B. 1775 in a 10-to-3 vote. The bill would restrict financial institutions in their use of customers' information for marketing financial products and services.
In addition to the various legislative regulations, some experts speculate that California Gov. Gray Davis might offer his own privacy legislation in the near future.
Whatever type of rule California drafts, some experts are speculating that the result will mean added costs for insurers. "If there's a very restrictive 'opt-in' proposal or measure that significantly restricts sharing of information among affiliates, it will probably be fairly costly for insurers," said Fred Main, senior vice president and general counsel of the California Chamber of Commerce. Restrictions would cause added expense for marketing purposes among insurers with different affiliates for different lines of insurance, because the companies would have to rely on mass marketing of products and services, rather than a target marketing approach, he said.
Sam Sorich, senior vice president of the National Association of Insurance Commissioners, agreed. "The proposed regulations would certainly impede the marketing efforts of financial-services companies and would cut off a lot of opportunities companies are now able to give to consumers around other services that can be purchased."
While California's privacy provisions fall under the adopted 1982 NAIC model privacy law, an overlay of the new federal provisions and mandates applies to insurers writing in California. "This sets the stage for the California Insurance Department to do something to try to bridge that gap between two approaches--an old law and new federal requirements," said Rey Becker, vice president of property/casualty of the Alliance of American Insurers.
Becker said the California privacy issue is currently moving along two tracks--a proposed regulation from the California Insurance Department and an ongoing debate within the state Legislature.
"Under the insurance department proposal, the good news is that it seeks to bridge the gap and make some of the changes necessary to reconcile state law with the Gramm-Leach-Bliley Act," said Becker. But he said the flip side is that the proposed regulation attempts to regulate health information privacy--an area not covered under the federal law--and inserts a concept not stated in the act or existing state law that seeks to limit disclosure of health information to only the amount reasonably necessary to fulfill the purpose of the disclosure.
In addition, Becker said that while the Gramm-Leach-Bliley Act is intended to apply only to products for personal, family or household use, the insurance department's proposal explicitly seeks to regulate commercial insurance, even though no authority is spelled out in either state or federal laws for such provisions.
The other track--the legislative debate--calls for a more "opt-in" approach. "However, we think this goes overboard and stifles commerce by putting California at odds with how much of the rest of the country is handling the privacy issue," said Becker. This approach would make it more costly for insurers to conduct business in California, in addition to giving consumers fewer choices of products and services, because they wouldn't receive such notifications, he said.
Harry W. Low, California insurance commissioner, believes many in the state are looking beyond Gramm-Leach-Bliley's "opt-out" provision to a more "opt-in" type of approach. "There's a strong public groundswell for greater protections with a more 'opt-in' type of protection," he said. But he doesn't know whether that will translate into future legislation.
Earlier this year, the National Association of Independent Insurers testified about its opposition to several points in the California Department of Insurance's proposal, including that the regulations extend requirements to business transactions and workers' compensation and that companies would be required to establish California-only notices and procedures that would create high administrative expenses for companies that would like to use the same notice in each state where they do business.
Many anticipate some action to occur in one to two years. Becker believes that the industry needs to give the federal rules a chance and to delay changing or enacting new state rules. "Everyone needs to stop and take a deep breath and let the law work and see how well it serves the interests of insurers and consumers before we start tinkering with new provisions," he said.
HIPAA Still a Work in Progress
Many insurers are now preparing for the April 14, 2003, compliance deadline of the Health Insurance Portability and Accountability Act of 1996. The HIPAA Privacy Rule, which creates national standards to protect individuals' personal health information and gives patients increased access to their medical records, has taken several turns over the past few years. Although the law contained a provision that gave Congress until April 21, 1999, to pass comprehensive privacy legislation, Congress failed to enact legislation by that date, and the law then called for the Department of Health and Human Services to craft rules for protecting personal health information.
After reviewing more than 50,000 comments, the department published the final Standards for Privacy of Individually Identifiable Health Information on Dec. 28, 2000. The rule, which took effect April 14, 2001, specifies the obligations of health-care providers and health plans to protect health information. Most covered entities, such as health plans and health-care providers that conduct certain financial and administrative transactions electronically, must comply with the patient privacy rule by April 14, 2003. Certain small health plans have until April 14, 2004, to comply.
In March 2002, Health and Human Services published proposed changes to its health privacy regulation to "ensure strong privacy protections while correcting unintended consequences that threatened patients' access to quality health care." The proposed modifications included such areas as consent and notice, minimum necessary and oral communication, business associates, marketing, parents and minors, uses and disclosures for research purposes and uses and disclosures for which authorizations are required.
Some associations, such as the American Association of Health Plans and the American Insurance Association, suggested changes during the 30-day public comment period following the release of the proposals.
The rule states that a health-care provider can share information with a patient's health plan for treatment, payment or health-care operations, but the information must be specifically for treatment, payment or operations of the provider and not the plan. AAHP suggested, among other things, that the rule be revised to indicate clearly that the provider is allowed to share information with a health plan for payment purposes and certain health-care operations; allow a transition period of up to a year for business partners to incorporate changes needed to update contracts; and provide disease management and wellness information to members.
AAHP also is concerned that not everyone will be ready to implement the rules by the deadline, estimating that one-half of the health-care community (e.g., physicians, hospitals) is still unable to catch up with those who are where they should be. AAHP believes that as the need arises, deadlines should be extended so everyone can come into compliance at the same time to create a smooth transition to a purely electronic system.
AIA also suggested several changes. According to the AIA, the proposed amendments don't address workers' compensation concerns that the association has raised repeatedly in formal comments to the department and in testimony before a Health and Human Services advisory committee. AIA also recommended several technical changes to clarify the issue of how non-covered entities, such as workers' comp insurers, could obtain medical information from covered entities, such as providers, health plans and health-care clearinghouses. AIA said it is concerned about the "minimum necessary" standard, which remains a potential threat to the free flow of information needed to process and quickly deliver benefits for workers' comp claims.
The minimum-necessary standard would establish--for the first time--a federal workers' comp rule, with enforcement subject to state and federal law, and thereby move medical-information disclosure decisions from the states to a federal agency and federal court, AIA said.
|Date:||Jun 1, 2002|