Case Study: Humana Tackles Compliance Early and Often

By Michael Fitzgerald  |  Posted 06-19-2006

Ah, compliance. Regulation comes in many shapes and sizes. And though it has been with us for hundreds of years, it seems that every new wave of government oversight sends even the most organized and scrupulous companies scrambling for cover. Somehow, they never see it coming.

"Our clients call us because the pain and the cost and the inability to meet all of their obligations is, in a sense, a perfect storm," says Alex Fowler, a director in IT risk and compliance at PricewaterhouseCoopers. A perfect storm that hits every decade or so, and lasts for years at a time.

But it doesn't have to be this way. Some companies, believe it or not, have learned to live with compliance on an ongoing basis, incorporating the costly and time-consuming tasks associated with regulation into their very business models. These organizations view the most recent wave of regulation as merely a continuation of an endless string of government demands; they see compliance as not just a necessary evil, but as an internal business benefit and a selling point to customers. Humana Inc., the $14 billion, Louisville, Ky.-based healthcare firm, is one of them.

While other firms gripe about the financial impact Sarbanes-Oxley is having on their bottom lines, falling all over themselves to explain the difficulties of compliance to shareholders and regulators, Humana's president and CEO, Mike McAllister, said in a recent interview, "As things have heated up over the last two years, there hasn't been a major change at Humana—because compliance was part of our corporate culture already."

Humana, with 9.3 million medical members in all 50 states and Puerto Rico, has adhered to a litany of federal, state and local regulations for decades, including Medicare, state insurance requirements, accreditation such as the National Committee for Quality Assurance and the Utilization Review Accreditation Commission, and TriCare (which provides healthcare for the Department of Defense). And when the federal government rolled out the most onerous piece of healthcare regulation in recent years—the Health Insurance Portability and Accountability Act, or HIPAA—Humana tackled the challenges early and often. By comparison, SOX has been a walk in the park.

"Don't get me wrong. We had to do a lot of work to make sure we were compliant," says Humana CIO Bruce Goodman. "But it wasn't like, 'Oh my god, it's the end of the world.'"

Indeed, Humana faced some problems in meeting the HIPAA requirements. But because of an organizational structure that incorporates compliance into every part of the business, and a corporate culture that constantly reminds employees at all levels to be aware of regulations, the company had a far easier time than most. The model Humana has developed is one that any company could achieve, if it would just stop kicking and screaming long enough to figure it out. Essentially, Humana is speaking to us from the future, where regulation is accepted as a fact of life, adopted into business operations, and occasionally even used as a competitive advantage. As futures go, that's not such a bad place to be.

Story Guide:

  • Humana Tackles Compliance Early and Often
  • Compliance Inc.
  • New Security Director
  • IT's Role in Compliance
  • Good Corporate Hygiene
  • The Culture of Compliance
  • From Regulated To Heavily Regulated
  • Sidebar: The Cost of Compliance

Compliance Inc.

A legacy of compliance is to be expected from a company founded by a pair of lawyers. Humana got its start in 1961, when two attorneys had an idea for a better way to run a nursing home, figuring they could provide more personalized care than was typically offered. Their firm went public in 1968 as a nursing-home operator called Extendicare, shifted to running hospitals in 1972, and changed its name to Humana in 1974. The company got into the benefit business in 1984; it was a natural offshoot of Humana's emergence as the nation's largest operator of hospitals at the time. Then, in 1993, Humana spun off the hospitals to focus exclusively on the benefits business.

Goodman joined Humana in 1999, coming over from the consultancy and systems integrator C2K Technology Partners, where he had been CEO. At the time, Humana had some compliance issues that were of a rather immediate nature: Y2K was front and center for every major company in the world. And while the Year 2000 bug failed to deliver on some very dire predictions, the effort Humana marshaled to deal with it produced a model for future compliance challenges.

To run its Y2K compliance projects, Humana appointed a "tiger team," originally a military term that has since been co-opted by IT professionals. Humana's Y2K tiger team pulled together the relevant people from different departments to run critical projects with definite deadlines. In effect, the team became a project management office, analyzing the business problem that needed to be addressed, figuring out what work needed to be done and who would do it, and then managing the project throughout its lifetime. When Humana started gearing up for HIPAA, in early 2001, the company went back to the tiger team concept.

Passed in 1996, HIPAA is a broad piece of legislation designed to let Americans keep their health insurance if they change jobs or become unemployed. It also sets standards for the healthcare industry for such disparate concerns as patient health, data exchange and data privacy. HIPAA thus represents a blueprint for going digital for the entire healthcare industry. The law includes a series of compliance deadlines that began in 2003 and were staggered depending on the size of the organization involved.

To meet its compliance goals, Humana pulled together three tiger teams—one to ensure that electronic-data interchange met the standards established in HIPAA, one to handle the development of privacy policies and practices, and one to handle data security and make sure it complied with HIPAA guidelines. Then the company interlocked the teams by staffing them with people from a variety of departments: internal audit, compliance, privacy, security, EDI, legal, and service providers.

Overall, each tiger team consisted of roughly a dozen people who met weekly, and sometimes more frequently, depending on the immediacy of the issues at hand.

New Security Director

Still, Goodman quickly realized that he needed someone who would act as his overall security director for HIPAA. So he tabbed Jonathan Moore, director of IT security and regulatory compliance, to fill the job. Moore became Goodman's go-to guy for all HIPAA-related issues, a kind of IT liaison for compliance and security concerns, and he has continued in that capacity for subsequent rollouts such as Sarbanes-Oxley compliance. He also led the security tiger team. Jim Theiss, Humana's chief privacy official and a veteran executive with experience in both IT and compliance, led the privacy team.

Humana also put together a fourth team—a kind of über-tiger team—made up of six senior managers: two vice presidents within information technology, the head of its senior management team, and the heads of compliance, service operations and provider operations. Known as the HIPAA Steering Committee, it met with each tiger team on a monthly basis. The teams would present their progress, compare it to what they were supposed to be accomplishing, and the steering committee would then reset priorities if necessary.

Some organizational restructuring was necessary as well. Humana already had a regulatory compliance department, a Medicare department, a department for state insurers and various groups making sure its health plans were accredited by quality-assurance bodies. It adapted these into HIPAA compliance centers for the company, with each establishing the policies needed for Humana to comply with the HIPAA rules that applied to its organization. Humana then extended the compliance center concept to its internal-audit group for handling Sarbanes-Oxley issues.

As another step in Humana's compliance strategy, Moore decided he'd need a new IT security group, separate from his existing operation. The group already in place would continue to handle day-to-day operations—defending the perimeter, keeping the lights on. But he felt he needed an additional group that could develop a data-security strategy with compliance in mind. "One of the things we really struggled with was the old IT security model," Moore says. "It was solely focused on keeping the bad guys out." That wasn't going to be enough to comply with HIPAA, where data needed to be protected from internal eyes as well. Hence, the new strategic security department was designed to deal with new security questions driven by regulatory environments, like HIPAA, and also with the expanding use of the Web, interactive voice systems and wireless connectivity. Moore has hired almost 40 people to staff the group.

IT's Role in Compliance

As at most companies, IT is central to Humana's compliance program. For matters such as electronic-data interchange and information security, the impact is obvious. And it's a strong support leg on the privacy side of Humana—both Chief Privacy Official Theiss and Director of IT Security Moore say they have effectively been joined at the hip since 2001. "I really engaged IT security on that piece early on," says Theiss. "We felt IT security went hand-in-hand with privacy."

Theiss wasn't the only one getting closely engaged with IT. Says Laura Kelley, Humana's corporate director of regulatory compliance: "I talk several times a day with the IT folks. In fact, I literally will have two or three meetings with them today. And I have staff all over the country that meet with IT." The meetings might cover anything from how to handle electronic signatures to new state regulations for online policy documents.

Kelley and Goodman have the same goal in mind: to use technology to make operations run more efficiently, without running afoul of regulators. So Goodman might come to her and suggest using e-mail to respond to customer complaints, and her department will research which states allow that. Interactive voice-response systems are also high on Humana's priority list, but bring with them privacy concerns that Humana must thoroughly investigate.

Good Corporate Hygiene

Like many pieces of government regulation, HIPAA has a few areas open to interpretation, and Humana hasn't gotten everything right. It has erred in several cases by being too conservative with patient data. Initially, for instance, the company disclosed almost no patient health information to agents and brokers, which made it difficult for them to act on behalf of members they represented. Humana also started out with a very difficult process of authenticating the identity of people trying to access accounts on the Web, which made it too laborious to do something as simple as check the status of a claim.

On the plus side, the security and privacy policies developed to help Humana comply with HIPAA work well for other aspects of the business—and Goodman believes that compliance enhances Humana's overall operations. That's because HIPAA sets standards for data exchange, and as more doctors and hospitals adopt the standards, it will smooth the back-end process needed to handle transactions.

"When you're fully HIPAA compliant, it should make it easier for payers and providers to communicate," says Goodman. "We all have these codes—transaction type 73 or whatever. If we know that a hospital is going to comply with that transaction code, then exchanging information is easier."

The return on HIPAA investments will increase over time, Goodman says. For instance, at some point each of the nation's 600,000-plus doctors will receive a unique provider ID that they will then use for their entire career. "Right now we have all sorts of issues trying to keep track of doctors, like all payers do," Goodman says. "So that will absolutely have bottom-line benefits."

That's as it should be, says Eric Brown, an analyst at Forrester Research Inc. "Look, HIPAA is a big piece of work. But if you're an IT guy you would look at it and say, 'This is good hygiene.' It's stuff you're going to do anyway."

The Culture of Compliance

Sarbanes-Oxley, HIPAA and other recent legislation have managed to scare the pants off high-level executives, consequently spurring them to action, however misguided. But what is far more difficult for many companies is creating a culture of compliance that pervades the organization and filters all the way down to the most menial jobs. For Humana, that has meant getting every one of its 20,000 employees to care about compliance.

It helps to have top executives deeply involved with projects such as the HIPAA steering committee. That shows the company is serious about compliance. But Humana knows that it needs buy-in at every level of the company to comply with sweeping initiatives like HIPAA and SOX.

"Really, at the end of the day, compliance with these initiatives begins and ends with our employees," Moore says. "We had to reshape the way people thought about protecting information."

Humana's privacy tiger team drew up a plan of action that started with something called the "clean-desk policy," which states that no one can leave patient information on their desk at the end of the day. Enforcing this policy has meant beefing up security staff in facilities, so that all desks are checked after working hours each day.

Employees are also told they must memorize passwords, instead of writing them down. HIPAA suggests changing passwords regularly, and those passwords must meet certain complexity requirements. Humana's size meant that automating the password-generation process was key to compliance. The company's existing system generated passwords from a dictionary of terms, which wouldn't cut it for HIPAA. So Humana purchased M-Tech Information Technology Inc.'s P-Synch system, which automatically generates new passwords for each of its stakeholders as they log in for the day.

Employee training on how to handle patient data in a way that complies with HIPAA has also been crucial. Annual compliance training for all employees is a mandate at Humana. Laura Kelley's compliance staff develops the training curricula, which can be taken in person or online. Goodman's staff created a dashboard-style tracking system for Kelley. "I can come back to it each day and see who still needs to take the training," she says. As compliance deadlines loom, her department starts placing calls directly to employees who have not yet completed the course.

Humana has added plasma screens to the lobbies of its facilities, on which the company broadcasts regulatory updates and company news, constantly reminding employees that they work in a culture of compliance. (A scroll bar lists compliance tips for Humana employees.) Compliance e-mails go out on what Theiss called "a regular basis" and help keep employees abreast of security policies. Meanwhile, Humana rotates company policies and procedures on the front page of its intranet throughout the year.

Humana's privacy tiger team even held Privacy Month, a sort of extended corporate pep rally to reinforce privacy practices. Privacy Month featured security training and education for all employees, privacy articles on the intranet, privacy posters placed at visible points in buildings, and contests for employees built around privacy protections.

From Regulated To Heavily Regulated

Moore likes to say that the difference between Humana before and after HIPAA and SOX is that the company went "from regulated to heavily regulated."

What that transition has meant, in practice, is that there is nothing usual about business as usual at Humana. Somebody, somewhere is always changing a rule and redefining what it means to comply, and Humana must continually adjust.

The saving grace for Humana is that while the company must accommodate itself to the twists and turns of regulation, it no longer requires reinvention of the compliance wheel. "All these regulations are not rocket science. They have common themes," says Moore. All of them require controls, ways to prove those controls are in place, security both on the perimeter and inside an organization, privacy and data-access management, and ways to track and measure individual behavior, such as who's had training, who's changed passwords and the like.

Even Humana's customers have gotten into the act: "They're much more concerned about how we're protecting their information," Moore says. "And they have a fairly rigid set of requirements they're evolving that they're expecting us to be able to meet." That makes compliance a selling point for Humana's services, yet another reason to stay in line.
