HIPAA Deadline Boosts Healthcare Data Practices

Friday Mar 18th 2005 by Steve Apiki

In the second part of our series on compliance and storage issues, we look at the effect that a looming rule mandating electronic records security is having on healthcare providers.

In the second part of our series on compliance and storage issues, we look at the effect that a looming rule mandating electronic records security is having on healthcare providers.

Healthcare organizations face a tough challenge under HIPAA, the Health Insurance Portability and Accountability Act: they must secure data, regulate its access, and retain it for periods sometimes measured in decades.

That can be tough enough if you're dealing with centralized data in a SAN , but when you consider that hospitals often begin the compliance process with a mix of paper records and direct-attached storage (DAS), the confidentiality and security goals of HIPAA look even harder to attain.

HIPAA's Privacy Rule, in effect since 2003 or 2004 depending on the size of the organization, requires confidentiality of patient records on paper and sets retention periods for some kinds of medical information, regardless of media. These retention requirements can stretch from birth to 21 years of age for pediatric records, or beyond the lifetime of the patient for other medical records.

But it is the Security Rule, which goes into effect on April 21 for larger organizations, that most affects IT, because it mandates protection and control of electronic records.

Controlling Access

HIPAA's immediate effect on electronic storage is more about compelling better organization and access control than requiring drastically increased capacity. In the long run, the combination of HIPAA's mandated retention times and the increasing use of digital medical imaging will drive up storage requirements as well.

According to Peter Gerr, senior analyst at Enterprise Strategy Group, for many healthcare organizations, the first step in gaining a handle on their data is simply to move from DAS to networked storage to "establish a foundation on which to consolidate all of their information."

Without centralization and consolidation, says Rob Pegler, vice president of technical solutions at Xiotech, HIPAA compliance is "impossible." Hospitals used to operate with data stores in individual departments, says Pegler. Referring to HIPAA's maximum wrongful disclosure penalty, he adds, "20 years ago this wasn't given a thought. But today with HIPAA, with the quarter-million dollar hammer, they are painfully aware of this. It has forced a change in storage design."

Pegler also sees HIPAA driving a trend away from CD-ROM, DVD and optical media to spinning network storage. Such formats had been popular because of their portability and ease of recording, but their very portability is now a privacy liability. "The good news is that you can hand the DVD from the doctor to another doctor," Pegler says. "The bad news is they get lost. Under HIPAA, this is a violation." Digital information stored on a SAN, in contrast, can be audited and guarded by access controls.

The privacy knock can also be applied to the portability of film, and in that way, HIPAA may be helping to accelerate the move from film to digital PACS (picture archival and communications systems). And PACS is clearly a driver of capacity growth. Mike Marchi, senior director of compliance and ILM solutions at Network Appliance, says that most of NetApp's healthcare compliance implementations "have been tied to PACS and X-ray images," where customers want to keep the information online to improve care, "and they're locking them down at the same time."

While hospitals often stored some components of medical records for long periods, HIPAA may require more complete coverage. Also, HIPAA has varying retention times based on the type of information, so classification becomes increasingly important. Says Gerr, "Before HIPAA, many hospitals would simply purge records from radiology, the PACS system, after a year or two years." Now, common practice is to retain this data for the life of the patient.

E-mail is also covered by HIPAA wherever confidential patient information might be transmitted. Francis Lambert, product partnerships consultant for Zantaz, sees "an emerging need for auto-classification of e-mails, to know whether or not they need to be retained for compliance." Though the lines are not clear here on what constitutes protected health information, Lambert says, "we think it's prudent for healthcare practitioners to store any email discussing a patient's condition."

It's certainly prudent to protect that information, agrees Gerr, who says that he expects most companies covered by HIPAA to implement e-mail encryption.

Page 2: A Look At Two Healthcare Providers

Continued From Page 1

An Ongoing Process for Healthcare Providers

Ron Rawson, privacy officer at St. Louis University, says that much of the university's 2-1/2 year HIPAA compliance effort has revolved around data centralization and access control. Says Rawson, "In the past, a lot of people have relied on their local computers, perhaps using CDs" for data storage, but with HIPAA, "we're going to rely more on the larger servers, on the SAN and the network data storage servers."

For SLU, HIPAA has had the greatest impact on data security. "HIPAA was the catalyst to our establishing a security program," says Rawson. "I don't think that we had an adequate security program prior to HIPAA."

The Health Sciences Center at SLU houses most of the information covered by HIPAA, and part of the compliance effort was to put the Health Sciences Center on to its own network segment. Then came the initial effort to inventory data, classify it, and control access, nearly complete but still ongoing. According to Rawson, "Over the next 60 days, we plan to finalize collecting information on where data exists, identifying it, and identifying who has access to it. If it happens to be on a server, we need to make sure that someone is accountable for administering the rights to those directories."

“To comply with HIPAA is an ongoing issue. There is no test we need to run on April 21st, no report to submit.”

— Austin Winkleman, St. Louis University

Though the university is in good shape for the implementation deadline of the HIPAA security rule, SLU's Information Security Officer, Austin Winkleman, points out that HIPAA compliance is not an event. Says Winkeleman, "To comply with HIPAA is an ongoing issue. There is no test we need to run on April 21st, no report to submit."

For the most part, SLU's internal policies already required longer storage periods for medical records than those mandated by HIPAA. But HIPAA has had some impact on retention times, says Rawson, requiring policies that ensure that all components of a patient's record remain stored for the full period.

Moving from Paper and Film to Digital

Wisconsin-based ProHealth Care Inc. may be ahead of the curve in the transition from paper and film to digital storage. Says Bill Bailey, ProHealth Care's enterprise architect, "We're actually as close to filmless as you can be on the clinical side."

HIPAA isn't driving the conversion, but its requirements provide additional incentive for the move to digital storage. In the last year, ProHealth Care has upgraded to a next- generation EMR system. The company's storage volume, according to Bailey, is driven by electronic imaging, still principally PACS, but with document storage a growing contributor.

“HIPAA really demands that you have the audit trail. That's actually more important than locking down every record.”

— Bill Bailey, ProHealth Care

In response to HIPAA's security requirements, ProHealth Care has tightened up data access, prohibiting the use of shared logins (once a common practice, also addressed at SLU), requiring that every clinician have an individual electronic identity. This is necessary for proper permission management, but even more so for effective auditing, which Bailey sees as critical for HIPAA. Says Bailey, "HIPAA really demands that you have the audit trail. That's actually more important than locking down every record."

Bailey feels his organization is well prepared for the security rule. Much of the work has been in reorganization and storage classification to enable policy-driven retention. Says Bailey, "We've been doing the work to actually review our storage requirements, retention requirements, to actually figure out the classifications."

"We're looking at retention differently than we did before, but I'm finding that it's a good thing," says Bailey. Because HIPAA forces an effective classification of data, and an effective retention policy, ProHealth Care is able to "not store some of this stuff for 20 or 30 or 50 years when we only are really required to store it for five."

For more storage features, visit Enterprise Storage Forum Special Reports

Mobile Site | Full Site
Copyright 2018 © QuinStreet Inc. All Rights Reserved