HIPAA Deadline Boosts Healthcare Data Practices Page 2Continued From Page 1
An Ongoing Process for Healthcare Providers
Ron Rawson, privacy officer at St. Louis University, says that much of the university's 2-1/2 year HIPAA compliance effort has revolved around data centralization and access control. Says Rawson, "In the past, a lot of people have relied on their local computers, perhaps using CDs" for data storage, but with HIPAA, "we're going to rely more on the larger servers, on the SAN and the network data storage servers."
For SLU, HIPAA has had the greatest impact on data security. "HIPAA was the catalyst to our establishing a security program," says Rawson. "I don't think that we had an adequate security program prior to HIPAA."
The Health Sciences Center at SLU houses most of the information covered by HIPAA, and part of the compliance effort was to put the Health Sciences Center on to its own network segment. Then came the initial effort to inventory data, classify it, and control access, nearly complete but still ongoing. According to Rawson, "Over the next 60 days, we plan to finalize collecting information on where data exists, identifying it, and identifying who has access to it. If it happens to be on a server, we need to make sure that someone is accountable for administering the rights to those directories."
Austin Winkleman, St. Louis University
For the most part, SLU's internal policies already required longer storage periods for medical records than those mandated by HIPAA. But HIPAA has had some impact on retention times, says Rawson, requiring policies that ensure that all components of a patient's record remain stored for the full period.
Moving from Paper and Film to Digital
Wisconsin-based ProHealth Care Inc. may be ahead of the curve in the transition from paper and film to digital storage. Says Bill Bailey, ProHealth Care's enterprise architect, "We're actually as close to filmless as you can be on the clinical side."
HIPAA isn't driving the conversion, but its requirements provide additional incentive for the move to digital storage. In the last year, ProHealth Care has upgraded to a next- generation EMR system. The company's storage volume, according to Bailey, is driven by electronic imaging, still principally PACS, but with document storage a growing contributor.
Bill Bailey, ProHealth Care
Bailey feels his organization is well prepared for the security rule. Much of the work has been in reorganization and storage classification to enable policy-driven retention. Says Bailey, "We've been doing the work to actually review our storage requirements, retention requirements, to actually figure out the classifications."
"We're looking at retention differently than we did before, but I'm finding that it's a good thing," says Bailey. Because HIPAA forces an effective classification of data, and an effective retention policy, ProHealth Care is able to "not store some of this stuff for 20 or 30 or 50 years when we only are really required to store it for five."
For more storage features, visit Enterprise Storage Forum Special Reports