HIPAA prompts hospitals to reconsider storage

With the deadline to comply with HIPAA (Health Insurance Portability and Accountability Act of 1996) lurking in the not-so-distant future, the healthcare industry's IT professionals are revamping their storage infrastructures to fulfill the law's security and patient record accessibility requirements.

For example, HIPAA compliance played a role in the Seattle, WA-based Swedish Medical Center's decision to move to a SAN. The company chose to implement a XIOtech Magnitude array, which is the basis for XIOtech's SANbuilder for Healthcare bundle.

Not only did the SAN centralize all of Swedish Medical Center's disparate storage, making it easier to manage, it also provided better performance, security and availability than other forms of networked storage (e.g., NAS), says Robert Strasser, lead senior distributed systems analyst at the hospital.

The success of Swedish Medical Center's SAN can be gauged by its size: Starting out at .5TB in June 2001, it's already up to 2TB. Next year, Swedish expects to mirror its array, bringing its raw SAN capacity to 5TB. "Once we got it in the door, and saw what it could do for us, we just started adding more servers onto it," Strasser says.

Even without HIPAA, Swedish had been considering taking the SAN route, but HIPAA legislation "pushed us over the edge," Strasser says.

But HIPAA's real impact on storage will lie with what consultant Jon Bogan, president of consulting firm HealthCIO Inc., calls "an increased emphasis on business continuity and due diligence among healthcare organizations regarding backup and disaster recovery."

Case in point, St. Vincent's Hospital in Indianapolis is in the process of revamping its disaster recovery capabilities, says Andy Porter, senior engineer. The hospital's XIOtech and Compaq SAN fabrics are currently fully redundant internally, and it will soon move the redundancy "down the road" to a mirror site in Indiana. The hospital is also working with SunGard to establish a disaster recovery site.

HIPAA has also impacted how long hospitals store data. Before, says Porter, St. Vincent's would purge records from its radiology department's PACS (Picture Archiving and Communication Systems) system after a year or two. Now, "we've figured out that if you were born at St. Vincent's, we have to keep your data forever; and if you weren't - for 21 years."

At least, that's what St. Vincent's lawyers have been able to determine. What HIPAA compliance actually entails - and how it will be enforced - is anyone's guess. "I don't know any real HIPAA experts," Porter says. "There's still a lot of speculation about how the government will enforce HIPAA once it actually takes effect."

For more information:

Tip: Legislative mandates and cyber threats demand secured networks

Expert response: Choosing the best way to encrypt data

Tip: How do you store data for a really long time?

Check out the rest of the SAN/NAS trends column library. View the latest.

Sign up for your free copy of Storage magazine here.

Rate this Tip To rate tips, you must be a member of SearchDataManagement.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Data storage strategies Off-site data storage: How far away is far enough? Storage device: Before you purchase Keep end-user storage under control CIOs choked by storage costs, complexity Storage capacity for SMBs Remote backup for network disaster recovery Storage offerings meet SMB needs Off site data storage tips Backup procedure: Seven rules to follow for effective data backups Managing data migration among storage tiers Governance, risk and compliance software (GRC) Governance, risk and compliance software trends and best practices Sarbanes-Oxley four years later: Governance, risk and compliance now demands a comprehensive approach Risk management surpasses compliance as top GRC priority Chief Compliance Officer: Top three responsibilities of a CCO IBM releases compliance warehouse for unstructured content GRC tools for business intelligence security Sarbanes-Oxley compliance: GRC technology vs. spreadsheets IBM to buy Princeton Softech for data management, archiving and classification Regulatory compliance Data leakage could be caused by messaging technology RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data classification  (SearchDataManagement.com) synthetic backup  (SearchDataManagement.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.