Case Study: Humana Tackles Compliance Early and Often - The Culture of Compliance
The Culture of Compliance
Sarbanes-Oxley, HIPAA and other recent legislation have managed to scare the pants off high-level executives, consequently spurring them to action, however misguided. But what is far more difficult for many companies is creating a culture of compliance that pervades the organization and filters all the way down to the most menial jobs. For Humana, that has meant getting every one of its 20,000 employees to care about compliance.
It helps to have top executives deeply involved with projects such as the HIPAA steering committee. That shows the company is serious about compliance. But Humana knows that it needs buy-in at every level of the company to comply with sweeping initiatives like HIPAA and SOX.
"Really, at the end of the day, compliance with these initiatives begins and ends with our employees," Moore says. "We had to reshape the way people thought about protecting information."
Humana's privacy tiger team drew up a plan of action that started with something called the "clean-desk policy," which states that no one can leave patient information on their desk at the end of the day. Enforcing this policy has meant beefing up security staff in facilities, so that all desks are checked after working hours each day.
Employees are also told to memorize passwords rather than write them down. The HIPAA Security Rule requires procedures for creating, changing and safeguarding passwords but does not itself prescribe a rotation interval or complexity rules; in practice that means changing passwords regularly and requiring them to meet minimum complexity requirements. Given Humana's size, automating the password-generation process was key to compliance. The company's existing system generated passwords from a dictionary of terms, which are easy to guess (an attacker need only try the word list) and wouldn't cut it for HIPAA. So Humana purchased M-Tech Information Technology Inc.'s P-Synch system, which automatically generates new passwords for each of its stakeholders as they log in for the day.
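To show why dictionary-derived passwords fall short and what an automated generator with a complexity policy looks like, here is an added example. It is not Humana's code and not M-Tech's P-Synch; the word list, the policy thresholds (12 characters, four character classes, no embedded dictionary word) and the symbol set are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for the word list the old system drew from
# (assumption: the real dictionary is not given in the article).
SAMPLE_DICTIONARY = [
    "humana", "claims", "patient", "health",
    "insurance", "summer", "welcome", "password",
]

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed symbol set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def dictionary_password(words):
    """The weak approach: pick one entry from a fixed word list."""
    return secrets.choice(words)


def dictionary_entropy_bits(words):
    """Guessing space of the weak approach: log2 of the list size."""
    return math.log2(len(words))


def meets_policy(pw, min_len=12, dictionary=SAMPLE_DICTIONARY):
    """Illustrative complexity policy (assumed, not HIPAA text):
    minimum length, one of each character class, and no dictionary
    word of four or more letters embedded in the password."""
    if len(pw) < min_len:
        return False
    if not all(any(c in cls for c in pw)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
        return False
    lowered = pw.lower()
    if any(w in lowered for w in dictionary if len(w) >= 4):
        return False
    return True


def generate_password(length=12, dictionary=SAMPLE_DICTIONARY):
    """Generate a password from a CSPRNG that satisfies meets_policy.
    One character of each class is forced, the rest is drawn from the
    full alphabet, and the result is shuffled with a secrets-driven
    Fisher-Yates so class positions are not predictable."""
    if length < 4:
        raise ValueError("length must allow one char per class")
    while True:
        chars = [secrets.choice(LOWER), secrets.choice(UPPER),
                 secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
        chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
        for i in range(len(chars) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        pw = "".join(chars)
        # Rejection sampling: retry if a dictionary word happened to appear.
        if meets_policy(pw, length, dictionary):
            return pw


def random_entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on entropy of a uniformly random password of this
    length; the forced classes and rejection step reduce it slightly."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    weak = dictionary_password(SAMPLE_DICTIONARY)
    strong = generate_password(16)
    print("dictionary pick:", weak, "policy ok:", meets_policy(weak),
          "bits:", round(dictionary_entropy_bits(SAMPLE_DICTIONARY), 1))
    print("generated:", strong, "policy ok:", meets_policy(strong, 16),
          "bits <=", round(random_entropy_bits(16), 1))
```

The contrast is the point: a word list of even tens of thousands of entries gives well under 20 bits of guessing work, while 12 random characters from an 86-symbol alphabet gives roughly 77 bits, and the policy check rejects any output that happens to embed a list word.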
Employee training on how to handle patient data in a way that complies with HIPAA has also been crucial. Annual compliance training for all employees is a mandate at Humana. Laura Kelley's compliance staff develops the training curricula, which can be taken in person or online. Goodman's staff created a dashboard-style tracking system for Kelley. "I can come back to it each day and see who still needs to take the training," she says. As compliance deadlines loom, her department starts placing calls directly to employees who have not yet completed the course.
Humana has added plasma screens to the lobbies of its facilities, on which the company broadcasts regulatory updates and company news, constantly reminding employees that they work in a culture of compliance. (A scroll bar lists compliance tips for Humana employees.) Compliance e-mails go out on what Theiss called "a regular basis" and help keep employees abreast of security policies. Meanwhile, Humana rotates company policies and procedures on the front page of its intranet throughout the year.
Humana's privacy tiger team even held Privacy Month, a sort of extended corporate pep rally to reinforce privacy practices. Privacy Month featured security training and education for all employees, privacy articles on the intranet, privacy posters placed at visible points in buildings, and contests for employees built around privacy protections.