HIPAA Deadline Boosts Healthcare Data Practices Page 2 - EnterpriseStorageForum.com


An Ongoing Process for Healthcare Providers

Ron Rawson, privacy officer at St. Louis University, says that much of the university's 2-1/2 year HIPAA compliance effort has revolved around data centralization and access control. Says Rawson, "In the past, a lot of people have relied on their local computers, perhaps using CDs" for data storage, but with HIPAA, "we're going to rely more on the larger servers, on the SAN and the network data storage servers."

For SLU, HIPAA has had the greatest impact on data security. "HIPAA was the catalyst to our establishing a security program," says Rawson. "I don't think that we had an adequate security program prior to HIPAA."

The Health Sciences Center at SLU houses most of the information covered by HIPAA, and part of the compliance effort was to put the Health Sciences Center onto its own network segment. Then came the initial effort to inventory data, classify it, and control access, which is nearly complete but still ongoing. According to Rawson, "Over the next 60 days, we plan to finalize collecting information on where data exists, identifying it, and identifying who has access to it. If it happens to be on a server, we need to make sure that someone is accountable for administering the rights to those directories."


Though the university is in good shape for the implementation deadline of the HIPAA security rule, SLU's Information Security Officer, Austin Winkleman, points out that HIPAA compliance is not an event. Says Winkleman, "To comply with HIPAA is an ongoing issue. There is no test we need to run on April 21st, no report to submit."

For the most part, SLU's internal policies already required longer storage periods for medical records than those mandated by HIPAA. But HIPAA has had some impact on retention times, says Rawson, requiring policies that ensure that all components of a patient's record remain stored for the full period.

Moving from Paper and Film to Digital

Wisconsin-based ProHealth Care Inc. may be ahead of the curve in the transition from paper and film to digital storage. Says Bill Bailey, ProHealth Care's enterprise architect, "We're actually as close to filmless as you can be on the clinical side."

HIPAA isn't driving the conversion, but its requirements provide additional incentive for the move to digital storage. In the last year, ProHealth Care has upgraded to a next-generation EMR system. The company's storage volume, according to Bailey, is driven by electronic imaging, still principally PACS, but with document storage a growing contributor.


In response to HIPAA's security requirements, ProHealth Care has tightened up data access, prohibiting the use of shared logins (once a common practice, also addressed at SLU) and requiring that every clinician have an individual electronic identity. This is necessary for proper permission management, but even more so for effective auditing, which Bailey sees as critical for HIPAA. Says Bailey, "HIPAA really demands that you have the audit trail. That's actually more important than locking down every record."

Bailey feels his organization is well prepared for the security rule. Much of the work has been in reorganization and storage classification to enable policy-driven retention. Says Bailey, "We've been doing the work to actually review our storage requirements, retention requirements, to actually figure out the classifications."

"We're looking at retention differently than we did before, but I'm finding that it's a good thing," says Bailey. Because HIPAA forces an effective classification of data, and an effective retention policy, ProHealth Care is able to "not store some of this stuff for 20 or 30 or 50 years when we only are really required to store it for five."
