June 24, 2009, 11:41 AM — As an insurer, you probably recognize the value of digital storage and workflow automation for business. Not only does it accelerate processing speeds and improve service; it makes the burden of regulatory compliance significantly easier. In order to meet regulatory standards, efficient data collection across the enterprise is critical. You need to be able to use that data when and where it is needed.
From HIPAA and Sarbanes Oxley to market conduct examinations, regulatory issues such as Solvency II, and more, mounting regulations continue to dictate the way we store information and conduct everyday business. Establishing clear policies that respond promptly to regulatory changes and implementing them effectively helps you to protect your leaders and your company. Still, you need immediate, thorough, and accurate audit trails to demonstrate your commitment to the policies you create.
The time-consuming measures you have to put in place to respond to increasing regulations can be frustrating, but they aren’t avoidable. The regulations are not going to disappear; in the wake of numerous recent financial scandals and the ensuing economic crisis, they are expected to proliferate. The sooner you get a handle on your information, the better equipped you will be to survive public and private scrutiny from government, compliance officers, and auditors.
Here are a few tips to help you stay afloat in the turbulent sea of changing regulations:
Create a central repository for all of your information. Although digital capture and storage improves data quality and makes data access easier, faster, and more secure, ‘going digital’ alone is not enough. Electronic files should be stored in a single, central electronic document management (EDM) repository, or that repository should point to the location of files that are stored in multiple systems. This enables centralized queries and searches, rather than probing through multiple digital data silos when you need information quickly. It gives you and your auditors instant, detailed insight into your business transaction details.
Configure your document management system to restrict access to information in accordance with regulations and your internal policies. Make sure your system has the flexibility to let you define and limit access by business unit, department, a person’s role or position, and individual. Make sure it can also prohibit access to specific pages within routine documents that contain sensitive information.
Take into consideration the enterprise-wide needs for the data within your documents that you weren’t originally planning to catalog as you create a file indexing plan. The data may be vital to another department’s or individual’s process. Understand how people with diverse job functions search for information so you can make it quick and easy for them to find it when it’s needed. Make sure any data they need to find from the files is included in your indexing plan. Making changes in the indexing scheme later in order to correct current oversights is very costly.
Take care that your enterprise search application fully integrates with your electronic storage repository. This helps you to guarantee a complete return of requested files and data. Otherwise, you may encounter errors and omissions as a result of poor interoperability between your document management repository and the search tools you use.
Choose an enterprise search application that lets you access data in structured forms and files as well as unstructured data stored in your repository, such as data stored in handwritten correspondence or emails. Comprehensive search will save you and your staff considerable time, and you will rest easier knowing that your queries aren’t overlooking anything.
Make sure your system provides clear, structured data in an auditable format that will meet the needs of auditors and compliance officers. Electronic queries should provide details of all file access and business transactions involving digital media. This makes it easier to prove compliance with the information governance policies you establish and communicate.
Don’t forget to include email archival and indexing in your document management system. Some sources suggest that businesses store as much as 90% of their critical data in email communications. The ability to search email messages and attachments that have been archived and indexed ensures thorough and fast access to important information, saving you time and money. When you need to search email to show proof of compliance or to support other documentation, you’ll be glad not to have to resort to slow manual searches.
Compliance Scenario: Before and After EDM
Let’s imagine someone in your company—for whatever reason—obtains and shares private information about a person whom the company recently insured, who has health problems. The insured person learns through a conversation related to a job application that her potential employer is aware of her health issues, but she knows that she has never mentioned them. She suspects that someone on the insurer’s staff saw information on the health insurance application and leaked it to the potential employer, and she files a lawsuit against the company. The court issues a subpoena for her application and any records pertaining to who accessed it, when, and for what reason.
In a paper-based system, your compliance routine might look like this:
- Management talks with the appropriate person about the files that need to be pulled.
- The records manager discovers that the health insurance application is missing. Only pre-specified employees who are legally allowed to access the files – those who rely on the information to do their jobs and service the client – are permitted access.
- Management approaches every person in the office who was permitted to access the insured’s files, but no one claims to have pulled the document since the day it was approved and sent to the records manager for appropriate storage.
- Management assumes staff is innocent, but asks the appropriate staff members to search their offices for the application, which is not found.
- The records manager is instructed to search through the files of others whose applications were logged as being pulled from the files on the same day.
- Fortunately, the file is found, stuck to another applicant’s file that was checked out the same day.
- Since there was no record of authorization to pull the applicant’s file from storage, and yet it was missing, the company can not prove its staff is innocent of foul play. The lawsuit moves forward, requiring additional records relating to a staff member who is accused and suspected. An inordinate amount of time is wasted on searching for and pulling documents. In addition, the company pays considerable fines because it can not prove compliance without a doubt.
- In a mixed media system with partly digital records and partly paper, the same routine might look like this:
- The records manager searches the paper files for the application in question.
- The human resources manager searches through sensitive digital records that are under her domain as well as supporting paper documentation.
- Files are compiled and presented for analysis.
- There is some data inconsistency about the employee, most likely resulting from errors in the manual data entry of information.
- Both the records manager and HR manager lose valuable time conducting an exhaustive search. Since not all files are digital, nor are they in one place, considerable time is wasted, and the audit trail is not complete.
Imagine the same scenario, with everything stored in a single, centralized EDM system:
- The court subpoenas the applicant’s form and the HR records that are specific to the employee who is suspected of foul play.
Queries are built to retrieve the application as well as the suspected employee’s files.
- The compliance officer and auditor are granted access to query the electronic files. They examine the file interactions remotely from their laptops, giving them direct access to the information they need and allowing the company’s staff to remain focused on other mission-critical work.
- Clear audit trails show that the suspected person (the applicant’s agent) accessed the file and inappropriately forwarded its contents to a friend who works at the company where the insured had applied.
- Company policy and corporate communications show the insurer regularly and clearly communicated about the proper and improper use of files in multiple ways to its staff, including the agent, and that misuse could lead to immediate termination.
- Digital records show that the agent accessed those communications and was not oblivious of the rules. The insurer was also able to locate and produce a form signed by the employee in question that affirmed that he was aware of corporate policy.
- Result: The insurer is able to demonstrate corporate compliance with the policies the company set in place.
Today’s electronic document management and reporting tools give management, compliance officers, and auditors unquestionable proof of the access, movement, interaction with, and use of files and data. 24/7 remote desktop access provided by web-based document management systems make auditing a breeze, giving those who audit your files easy access while removing the burden of search from your shoulders. Effective enterprise search not only lets you deliver information and improve service to your customers; it provides information to others who need it while making sure you aren’t distracted from focusing on the business at hand.
Meeting regulatory standards for compliance is only going to become more complicated as regulations increase. By digitizing your information, storing it in one place, and establishing effective search across your enterprise, you gain control over your information and how it is used. How you use the extra time you gain through the increased efficiency is up to you.