Dec 20 ’09

IT Sense: HIPAA, GLB, and SOX, Oh My!

by Editor in z/Journal

Recently, at several client sites where my firm has been working, we noticed a cadre of IT folks—sometimes permanent staff; in other cases consultants and bodies for hire—had been pulled off other projects and assigned to find ways to put data right for regulatory compliance. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), and the Health Insurance Portability and Accountability Act (HIPAA) all recently hit important watershed dates, and companies spent enormous sums of money trying to plug last-minute holes in their system and data validation schemes.

Reminiscent of the Year 2000, companies worked furiously to ensure that proper controls were in place to support the auditability and recovery requirements in SOX, the privacy requirements in GLB, and the long-term data retention, recoverability, and confidentiality requirements in HIPAA. The resulting trail would be used to demonstrate that the political machine had stepped up to the task of ensuring proper corporate governance.

And, like Y2K, key deadlines came and went . . . and nothing really happened. For all the chaotic momentum generated by threats of audits and investigations, by the time the hammer was supposed to drop, nobody showed up. While this may be a brief lull before the storm, the truth is that nobody really seems too keen on prosecuting anybody right now.

It began with CEOs complaining that it wasn’t as much fun being CEO anymore with all the regulatory stuff. Disenchantment crescendoed in early January in a growing revolt against what some called an “overly prosecutorial” climate within federal and state regulatory groups.

Spokespersons for the U.S. Chamber of Commerce recently argued that the compliance rules and procedures are simply unfair. (Administrative procedures are not bound by the same rules of evidence as jury trials, as anyone who has ever been audited by the IRS can attest.) Moreover, they argued, the rules had a chilling effect on business at exactly the time when businesses needed to rise up and put the economy back on a paying basis.

In short, detractors argue, regulations are a ham-handed mechanism for enforcing ethics. The slew of laws and regulations passed at the end of the bubble collapse are now costing companies enormous amounts of money that could be better spent on things such as developing new products and services and putting people back to work.

A recent study conducted by RHR International for Directorship magazine found that big companies with $4 billion or more in revenues are spending an average of $35 million to comply with SOX. Another survey by Financial Executives International found $3.1 million in added costs for companies with average revenues of $2.5 billion.

And there’s a new report from Frost & Sullivan proclaiming that HIPAA compliance, which is costing U.S. hospitals substantially more than the $3.8 billion originally projected by the government, is, rather counterintuitively, leading to reduced rather than increased IT spending in 2005. According to the analysts, not only are healthcare providers short of money, they don’t know how to spend what they have.

So, whose job is compliance? In our less-than-scientific analysis, which is based on empirical observations and casual conversations at a small set of companies, we find that IT, working in conjunction with corporate auditing, is typically involved in, or even leading, compliance management efforts. This is interesting because IT has little to do with regulatory compliance, per se, but only with its outcome: data management.

First and foremost, compliance comes down to identifying data that is subject to regulation and to defining policies that will place the management of data in line with legal requirements. Identifying which files need special handling for regulatory reasons and ensuring those files are properly marked are people and process tasks, not IT issues.

The big issue is how to get a large organization, usually made up of notoriously independent (and often lazy) people, to cooperate with a universal scheme of data naming and classification. Only once this has been done can you begin working on the technical support problems: provisioning the data to the right kind of storage, protecting it with WORM, encryption, or what have you, including it in an acceptable disaster recovery scheme, and storing it for a period that exceeds the service life of any known storage medium.

The technical issues are daunting, to be sure. But not so daunting as the preliminary problems of information classification procedures, policymaking, and enforcement.

IT managers are almost universally concerned that if and when the regulators come calling, it won’t be senior management who gets the blame for any compliance problems. When the smoke clears, IT will get the blame.

So, it should come as little surprise that IT professionals are often leading the effort to build “regulatory compliance systems,” something that is clearly beyond their domain of authority. The bad news is that IT usually has enough to do and not enough resources to do it, without also involving itself in business management. The good news is there’s a slim possibility that all of IT’s hard work in compliance management will pay off in the form of an increased perception of IT’s value to the business: something that didn’t occur in the wake of Y2K.