Brett Curran is a chief compliance officer with a lot on his plate.
At Dallas-based insurance provider UICI, its his job to ensure that the companys 3,000 employees know their obligations for financial reporting, record-keeping and dealing with the public.
Thats a tall order. As a publicly traded company, UICI must comply with rules issued by the Securities and Exchange Commission and laws such as the Sarbanes-Oxley Act. Since it operates in the financial world, UICI also faces money-laundering and anti-fraud regulations. UICI sells products directly to consumers, so the National Do Not Call Registry comes into play. And one of its primary businesses is selling health insurance—so compliance with HIPAA (Health Insurance Portability and Accountability Act) privacy rules is required.
The story begins in mid-2001, as HIPAA loomed on the horizon. UICI executives decided they could not continue the companys strategy of letting each of its eight divisions manage compliance training on its own. HIPAA regulations would affect the whole enterprise, so management gave Curran his marching orders: Build a consistent, enterprisewide platform to track compliance procedures and monitor training.
“I began to realize that this was going to be a challenge largely of documentation, policies, procedures, training, tracking of the training—those sorts of things,” said Curran, who had more than a decades experience in UICIs IT department. “I realized the big challenge in keeping current documentation.”
A business immersed in the details of compliance training faces a risk if it misses a new rule, said Dave DeMartino, head of marketing for Prime Associates Inc., a Clark, N.J., consultancy focused on compliance needs. The content and IT requirements can be managed by an outsourced training provider; for the business the heavy lifting is more about structuring the application well rather than installing hardware or migrating software.
Curran said he envisioned a platform that could handle training not only for HIPAA but also for other regulations that might arise—and even for routine departmental procedures such as filing a claim. Company executives would identify procedures to comply with HIPAA (procedures for other regulations would come later) and store them in a repository. Employees could tap the repository for training, and management could use it for a birds-eye view of compliance know-how.
Currans first move, in late 2001, was to turn to PricewaterhouseCoopers Global Risk Advisory Services practice. He especially wanted to know what PWCs other clients were doing “for this onslaught of paper management.”
PWC replied that nobody had devised a solid solution yet. Curran then asked PWC to find a knowledge management tool, “so that as we begin building our policies and procedures, we can populate this repository and then use that same content to drive our training.”
By early 2002 PWC recommended Axentis Corp. and its flagship Axentis Enterprise software. Curran had also consulted analysis companies and professional colleagues and found several vendors that offered products to manage compliance training or to monitor such training—but not one product to manage both.
“As I recall there were only a couple that were even in the ballpark at that time,” Curran said. “None of them—including Axentis—could meet all the business requirements we had identified.”
Since Axentis was the best fit for what Curran wanted, in July 2002 he crafted a triumvirate to develop a compliance management system: PWC would bring consulting expertise on compliance requirements, Axentis would deliver a technology platform, and UICI would provide an operations perspective on what would work within the company.
Next Page: Compliance Clearinghouse
Compliance Clearinghouse
Compliance clearinghouse
To determine what information UICI wanted in its compliance repository, Curran convened a tool selection team: one to three people per business unit (roughly 10 people in total) offering design guidance, reviewing prototypes and keeping Axentis focused on critical tasks.
Curran was also clear that UICI wanted an enterprisewide tool to comply with HIPAA, “but not just build a HIPAA solution.” By then the USA Patriot Act and SarbOx had been passed, portending new anti-fraud and financial controls regulations. Curran wanted one tool to handle all of them; HIPAA just happened to arrive first. Prime Associates DeMartino said demand for such training now experiences “constant and exponential growth,” especially in the financial services industry.
“You have to show the regulators that youre doing this stuff,” DeMartino said. “You have to show proof that employees are taking the classes. Thats challenging.”
UICI wanted the first iteration of its training platform running by November 2002. By then all HIPAA compliance policies and procedures were to be documented, training courses developed, and courses assigned to the appropriate employee groups. Curran imposed another deadline of February 2003 for a final version of the platform, to give everyone two months of live training by April 1, two weeks before HIPAA privacy deadlines.
Some features were non-negotiable. For example, Curran wanted the tool to interface with UICIs personnel department so that when human resources hired a new employee, that information would automatically flow to Axentis to create a user ID and password, establish security, and define parameters of what that person could do.
“We have so many different systems that one thing we didnt want to do was create an administrative burden on setting up users,” Curran said. “We didnt want to have everyone remember yet another ID and password.”
UICI also wanted automated log-in for an internal portal used by employees. When a worker logged in to the UICI portal, Curran wanted that information automatically sent to Axentis so that the system could take the employee to the appropriate training home page for that person.
Beyond those few universal features, Curran kept the system flexible. To qualify as one entity under HIPAA, all UICIs divisions had to follow a single notice of privacy practices. But in a business with as many different operating divisions as UICI, “there was no way Id get all of them to agree to one set of procedures,” said Curran.
Instead UICIs business leaders agreed to one set of enterprisewide privacy policies, and Curran created a template document for compliance procedures. Each division then crafted its own procedures to obey UICIs overall policies, using Currans template.
Compliance culture
The project cost UICI less than $500,000, Curran said. Because Axentis hosts the tool, “we had to do very little on our side” in the way of new hardware or software, he said. Other than developing the automated security administration and providing bandwidth to employees, UICI had few other IT challenges.
Since HIPAA and SarbOx are new burdens of compliance, Curran cannot say precisely how much UICI has saved by automating its training system. But Curran is blunt about the difficulty of using separate IT systems for documenting compliance procedures and training employees on them.
“I really couldnt imagine how a company could even do it,” Curran said. “To try to apply a document management system and connect it to a training system, to fill all the gaps—I just see that as extremely costly to implement and maintain.”
Matt Kelly is a free-lance writer in Somerville, Mass. He can be reached at mkelly@mkcommunications.com.