Compliance clearinghouse To determine what information UICI wanted in its compliance repository, Curran convened a tool selection team: one to three people per business unit (roughly 10 people in total) offering design guidance, reviewing prototypes and keeping Axentis focused on critical tasks."You have to show the regulators that youre doing this stuff," DeMartino said. "You have to show proof that employees are taking the classes. Thats challenging." UICI wanted the first iteration of its training platform running by November 2002. By then all HIPAA compliance policies and procedures were to be documented, training courses developed, and courses assigned to the appropriate employee groups. Curran imposed another deadline of February 2003 for a final version of the platform, to give everyone two months of live training by April 1, two weeks before HIPAA privacy deadlines. Some features were non-negotiable. For example, Curran wanted the tool to interface with UICIs personnel department so that when human resources hired a new employee, that information would automatically flow to Axentis to create a user ID and password, establish security, and define parameters of what that person could do. "We have so many different systems that one thing we didnt want to do was create an administrative burden on setting up users," Curran said. "We didnt want to have everyone remember yet another ID and password." UICI also wanted automated log-in for an internal portal used by employees. When a worker logged in to the UICI portal, Curran wanted that information automatically sent to Axentis so that the system could take the employee to the appropriate training home page for that person. Beyond those few universal features, Curran kept the system flexible. To qualify as one entity under HIPAA, all UICIs divisions had to follow a single notice of privacy practices. But in a business with as many different operating divisions as UICI, "there was no way Id get all of them to agree to one set of procedures," said Curran. Instead UICIs business leaders agreed to one set of enterprisewide privacy policies, and Curran created a template document for compliance procedures. Each division then crafted its own procedures to obey UICIs overall policies, using Currans template. Compliance culture The project cost UICI less than $500,000, Curran said. Because Axentis hosts the tool, "we had to do very little on our side" in the way of new hardware or software, he said. Other than developing the automated security administration and providing bandwidth to employees, UICI had few other IT challenges. Since HIPAA and SarbOx are new burdens of compliance, Curran cannot say precisely how much UICI has saved by automating its training system. But Curran is blunt about the difficulty of using separate IT systems for documenting compliance procedures and training employees on them. "I really couldnt imagine how a company could even do it," Curran said. "To try to apply a document management system and connect it to a training system, to fill all the gapsI just see that as extremely costly to implement and maintain." Matt Kelly is a free-lance writer in Somerville, Mass. He can be reached at firstname.lastname@example.org.
Curran was also clear that UICI wanted an enterprisewide tool to comply with HIPAA, "but not just build a HIPAA solution." By then the USA Patriot Act and SarbOx had been passed, portending new anti-fraud and financial controls regulations. Curran wanted one tool to handle all of them; HIPAA just happened to arrive first. Prime Associates DeMartino said demand for such training now experiences "constant and exponential growth," especially in the financial services industry.