Case Study: Humana Tackles Compliance Early and Often
New Security Director
Still, Goodman quickly realized that he needed someone who would act as his overall security director for HIPAA. So he tabbed Jonathan Moore, director of IT security and regulatory compliance, to fill the job. Moore became Goodman's go-to guy for all HIPAA-related issues, a kind of IT liaison for compliance and security concerns, and he has continued in that capacity for subsequent rollouts such as Sarbanes-Oxley compliance. He also led the security tiger team. Jim Theiss, Humana's chief privacy official and a veteran executive with experience in both IT and compliance, led the privacy team.
Humana also put together a fourth team, a kind of über-tiger team, made up of six senior managers: two vice presidents within information technology, the head of its senior management team, and the heads of compliance, service operations and provider operations. Known as the HIPAA Steering Committee, it met with each tiger team on a monthly basis. The teams would present their progress, compare it to what they were supposed to be accomplishing, and the steering committee would then reset priorities if necessary.
Some organizational restructuring was necessary as well. Humana already had a regulatory compliance department, a Medicare department, a department for state insurers and various groups making sure its health plans were accredited by quality-assurance bodies. It adapted these into HIPAA compliance centers for the company, with each establishing the policies needed for Humana to comply with the HIPAA rules that applied to its organization. Humana then extended the compliance center concept to its internal-audit group for handling Sarbanes-Oxley issues.
As another step in Humana's compliance strategy, Moore decided he'd need a new IT security group, separate from his existing operation. The group already in place would continue to handle day-to-day operations: defending the perimeter, keeping the lights on. But he felt he needed an additional group that could develop a data-security strategy with compliance in mind. "One of the things we really struggled with was the old IT security model," Moore says. "It was solely focused on keeping the bad guys out." That wasn't going to be enough to comply with HIPAA, where data needed to be protected from internal eyes as well. Hence, the new strategic security department was designed to deal with new security questions driven by regulatory environments, like HIPAA, and also with the expanding use of the Web, interactive voice systems and wireless connectivity. Moore has hired almost 40 people to staff the group.