Developing a Compliant Document Archive System in Changing Times

As rules and regulations expand within the insurance industry, document archiving and compliance face new and unique challenges that require systems with increased flexibility, strong security, and accurate accountability. Insurance companies are subject to governmental regulations that often vary from state-to-state, as well as the wide array of standards set by the industry itself. This year, far-reaching legislation in the health insurance and financial fields will have significant impact on companies' internal and external operations adding to the need for more extensive and specific record-keeping. Existing policies for health care, property and casualty, and other types of insurance may have to be restructured to meet new direct mandates on insurers, as well as fulfilling the changing regulatory requirements of their clients' businesses. Insurance companies can also expect new compliance rules created by new and existing governmental agencies seeking information and documentation.

Technology can help ease the burden of creating and storing information, however new technology poses several important compliance and archiving questions. For example, ten years ago, correspondence and internal memos related to a particular client account or specific broker were largely paper based and would have been stored together in a physical folder. However today, more communication is now conducted via electronic means. Should electronic communications be stored too? If so, how should they be stored, where should they be stored and how long should they be stored? Similarly, social media platforms such as Facebook and Twitter are generating new issues, mostly in the sales and marketing area. Do you save comments left by sales representatives or customers? If an insurance broker makes an offer through Facebook, is an insurance agency accountable to deliver on it?

The fluidity of electronic communications and the number of devices that now support them also create new challenges for document security. Providing access to insurance databases or client records creates a potential security risk. The types of client information insurance companies keep can be extremely sensitive, yet in the wrong hands it can be transmitted around the world today in a matter of seconds.

All of these new realities point to the need for developing a regulations-compliant and secure system for archiving and retrieving insurance documents and communications. Those companies that already have such a system are advised to take another look at its capabilities with all these new demands in mind.

Work from the ground up

In designing an archive system, a good starting point is to determine what constitutes a "document." In addition to standard paper-based correspondence, it must be determined if internally-circulated emails or other collaborative types of electronic media should be considered a "document." It is also necessary to determine compliance regulations that apply for each "document" type, so that the appropriate retention rules can be applied. For example, documents related to life insurance may need to be kept for a period of time that includes the life span of the insured, plus ten years. Furthermore, an in-depth assessment of your archiving needs should determine who is creating these documents and why. Generating and retaining superfluous "documents" not only wastes valuable storage resources, but may create additional exposure for an organization.

Most insurance companies have some type of an enterprise-wide content management system (ECM) for archiving all documents. However, given the changes in rules for compliance, overall increase in document volume, and the need to access these documents quickly and accurately, the single document repository can become overly cumbersome and increasingly difficult to navigate. Moving from an ECM "one-size-fits-all" archival system to one that is more customized and application-driven may take some careful thinking, but over the long-term, it can save time and money while increasing efficiency.

In designing or upgrading an archival system in these changing times, it is crucial to look long-term. High levels of flexibility and scalability are necessary to accommodate an increasing demand for a greater volume and variety of documents. For example, five years ago, only staff in the home office had direct access to documents, so an ECM system made perfect sense. Today, staff in remote branches, individual clients and their sales representatives, and possibly governmental regulators, may require nearly instantaneous access to insurance records. For simplicity, a system may be designed to store all documents in a standardized, "readable" format such as Adobe's PDF, to ensure their integrity and accessibility to a range of end users.

Additionally--and this cannot be stressed enough--both internal and external document accessibility brings with it the need for multiple levels of security. Customer access to documents via the Internet is a common practice; however it can create potential vulnerabilities. System security must be a critical priority both to protect customer records as well as the system's integrity. Insurance companies may face greater levels of complexity in terms of allowing "outsiders" to access documents for the simple reason that insurance records contain large amounts of confidential information on each client. The archival/retrieval software should be robust enough to support security at every user level, while also assuring that records can be accessed only by those who are authorized to see them.

The devil in the details

When planning a migration from the traditional approach to a more flexible, yet fully compliant document archiving system, it is important to clearly identify the parameters around each application that will be affected, and the regulations that apply.. For example, financial regulators require access to insurance documents for background on client's financial and/or property records. Health care regulators, hospital, and doctors must ensure their insurance documents comply with HIPAA and other existing requirements in the health care field. It is inevitable that these standards will change in upcoming years as new regulations and regulatory agencies come into being.

The process of designing a secure, flexible, and compliant document archive and retrieval solution can be broken down and described using four major considerations:

? Research storage needs so it is understood what kind of documents will be stored and how long each type of document must be retained. This will help immensely in building transparency into the business and will also allow a "best practices" response to requests for information. A good understanding of the data to be stored will allow for the system to be technically implemented so that all requests for documents will be quickly and efficiently handled.

? Establish who will have access to which documents. Develop rules for every level of user that is seeking information, including outside clients and governmental agencies. Make sure that only those who are authorized and authenticated can view appropriate records. Periodically audit the security parameters to make sure they are in agreement with current compliance policies.

? Decide on whether documents will be stored in their native formats or transformed to a simpler, more independent format such as PDF. PDF is platform-independent so you and others can view the documents on virtually any desktop, yet all will see the same version as the printed document. While offering a true image of the native file, a PDF saves a tremendous amount of storage space through its use of compression algorithms.

? Keep track of each document's life span and then destroy any document as soon as it is permitted. Removing a document from the archive-and destroying it completely-as soon as legally able, can save a company from any undue exposure during an audit.

Many large enterprises in all industries choose to outsource the handling of their documents to a third party allowing them to focus their attention on their core business. Third-party service providers specialize in archiving services and have the capabilities and experienced personnel to help design and implement a system customized to suit any organizations precise requirements. Because an outsourcer is wholly focused on this type of service, they will be committed to staying on the cutting edge of available technologies, so organizations can take advantage of the latest upgrades and technologies without having to continually retool the IT department, and without the capital investment and retraining this involves.

Stay informed

In the coming years, new broad-based legislation will be deployed that relates to almost every segment of the insurance industry. In response, insurance companies must commit to staying abreast of developments in their own, as well as their clients' businesses. Supporting the growing and ever-changing list of compliance requirements demands a well thought out, responsive, and flexible system for document archiving and retrieval. What may look like an insignificant oversight today may result in legal challenges, unforeseen fines, and penalties down the road.

Regulatory uncertainty is the bane of businesses in virtually every industry, and insurance is no exception. The best way to hedge against today's unanswered compliance questions is to design a reasonable and in-depth document archive and retrieval system that is sufficiently robust to meet all current compliance regulations and is flexible enough to satisfy any future rules and regulations.

In the most general terms, it's advisable to fortify the security surrounding all insurance documents while maintaining accessibility and transparency.. Any system you develop will need to accommodate changes in compliance standards, as well as the inevitable increase in volume of stored documents. A fundamentally sound and effective document archive and retrieval system can go a long way toward working through current uncertainties as well as meeting future compliance needs, and will help to protect all stakeholders in the organization.