beawolf - Fotolia

Blue Cross balances cloud with HIPAA rules

Blue Cross and Blue Shield of North Carolina has managed to navigate a tenuous triangle -- IT, business units and HIPAA regulatory requirements -- and bring elements of its operations to the cloud.

HIPAA rules have held many a company back from aggressively moving to the cloud.

But as the cloud -- and cloud providers -- matures, better data security, data sovereignty and data localization have enabled some companies to get in step with modern technology.

At Blue Cross and Blue Shield of North Carolina (BCBSNC), Matthew McClelland, manager of the information governance office, said moving to Office 365 is a high-priority project now that cloud providers are better able to support the Health Insurance Portability and Accountability Act (HIPAA) in cloud-based efforts.

"We may outsource virtually all of it to the cloud," McClelland said.

In advance of AIIM Conference 2016, he sat down with SearchContentManagement to talk about the Durham, N.C., health insurer's migration to Office 365; the importance of a broader information governance strategy, given the explosion of data everywhere; and navigating the "triangle" of IT, business units and legal department at BCBSNC.

You've been talking about your technology portfolio. Are you on Office 365 now?

Matthew McClelland: We're migrating right now. It's a two-year project, I would expect. This year, we're moving Exchange, then Outlook by June. Then, we'll move our SharePoint farm by the end of year. Then, by next year, I expect to move our network shares to OneDrive. Lync will go to Skype for Business and some archiving in Azure.

Why are you migrating to Office 365?

McClelland: Cost and the ability to stay current. We were often stuck in the old way of doing IT: Slow Waterfall-style projects that took a lot of time to roll stuff out. When you add up the cost of everyone's time, impact to our operations, the impact on the day-to-day work of users, it's expensive.

Matthew McClelland, manager of the information governance office at Blue Cross and Blue Shield of North CarolinaMatthew McClelland

The fact that we're always behind is even more expensive, because there are certain things we can't update, because we're never on the right version. It may impact three or four things down the line -- so, we're trying to get out of that. At the end of the day, maintenance is so much cheaper in the cloud.

But we're going to own the configuration of all the different components of Office 365 governance: What things will we turn on [and] turn off? We have to manage all that. We want to make it useful, but we don't want to go too far one way or the other. We don't want to be completely risk-averse and turn all the services off, or turn everything on, unless it makes sense and we can protect it.

What about compliance and HIPAA rules?

McClelland: We have more flexibility in terms of using the cloud. That was one of the other catalysts for moving to Office 365.

A lot of the cloud vendors are now HIPAA-compliant, so now, we can use them. That was a hurdle for a long time.

Things have changed so much -- it doesn't make as much sense to manage these things internally like we used to. Office, Adobe, all the stuff people dump on network shares, it's cheaper to have Microsoft manage that. We'll have some governance around it, though.

So, only some documents will reside in the cloud?

McClelland: A lot right now that will go to the cloud is unstructured data: presentations [and] Word documents. But core transactions -- claims [and] benefits systems -- those things will stay in a private cloud. That is information we need to manage; that's how we run our business.

What about moving from traditional records management to a broader information governance strategy?

McClelland: From an information governance perspective, exploding volumes of data require changing your mindset. We shifted four years ago, but it was an evolution. We were a traditional insurance company that's 80 years old, and we act that way sometimes.

In practice, going from traditional records management to governance, we reduced record classes from 400 to 120. It made it easy for people to understand and deal with the core stuff.

It's taken the burden off employees to make decisions about what is pertinent and what isn't for a hold. They have day jobs, and it isn't what they were hired to do. We manage our process to see if anything is slipping, if there are any gaps to be filled.

But the fact is you can't do any of this in today's world with the volumes of data -- cracking into a network share 17 levels deep -- without tools to help you. You'll never get anything done. You need a tool that will report back to you on what's there based on the guardrails you have created for it based on your regulatory requirements.

How could big data analytics have an impact on your work?

McClelland: We're not there yet; it’s is a two- or three-year down-the-line goal -- but I would like to be able to query unstructured content in the same way we do structured data,  because there are so many things that come in on an unstructured basis: mining the call center records or the outbound letters that we send to members.

The big key is that you have to align IT, legal and the business.
Matthew McClellandmanager of the information governance office, BCBSNC

It would help us be quicker in tying trends together. If we could see a spike in a certain condition that is out of network or not covered for a group of beneficiaries, for example, we could create a product and get it to market faster for them. If we’re able to offer a service for competitive prices that others aren't offering, it makes us more valuable to our members and provides better care.

Today, we have to wait until we get a bunch of claims in and analyze them to take action. It could help to get more coverage with our providers, help sales and marketing in getting more products out to members. It could cut three to six months in the cycle of getting products to market. Then, we're not just a cost center, but also generate revenue. If we can not only avoid risk, but bring dollars into the fold -- which makes us valuable -- that is where information governance needs to go over the next five years.

The big key is that you have to align IT, legal and the business. You have to be connected to legal to understand changes in the law and connected to the business to understand their needs. That's also where you can get your hooks into the purse strings to get funding.

That's a careful balance.

McClelland: We try to be a bit of a broker. We set the expectations within IT about what is reasonable and help the business get its end goal. It's a constant battle of tempering expectations of the business, pulling legal out of its comfort zone, and IT can be understaffed. You have to pull people along, and understand the give and take on both sides. We try to be the voice of reason.

Next Steps

There's a new information governance organization on the block

Office 365 migrations more difficult than Microsoft touts

Moving to Office 365 differs for established companies vs. startups

Dig Deeper on Information governance management