With the deadline to comply with HIPAA (Health Insurance Portability and Accountability Act of 1996) lurking in the not-so-distant future, the healthcare industry's IT professionals are revamping their storage infrastructures to fulfill the law's security and patient record accessibility requirements.
For example, HIPAA compliance played a role in the Seattle, WA-based Swedish Medical Center's decision to move to a SAN. The company chose to implement a XIOtech Magnitude array, which is the basis for XIOtech's SANbuilder for Healthcare bundle.
Not only did the SAN centralize all of Swedish Medical Center's disparate storage, making it easier to manage, it also provided better performance, security and availability than other forms of networked storage (e.g., NAS), says Robert Strasser, lead senior distributed systems analyst at the hospital.
The success of Swedish Medical Center's SAN can be gauged by its size: Starting out at .5TB in June 2001, it's already up to 2TB. Next year, Swedish expects to mirror its array, bringing its raw SAN capacity to 5TB. "Once we got it in the door, and saw what it could do for us, we just started adding more servers onto it," Strasser says.
Even without HIPAA, Swedish had been considering taking the SAN route, but HIPAA legislation "pushed us over the edge," Strasser says.
But HIPAA's real impact on storage will lie with what consultant Jon Bogan, president of consulting firm HealthCIO Inc., calls "an increased emphasis on business continuity and due diligence among healthcare organizations regarding backup and disaster recovery."
Case in point, St. Vincent's Hospital in Indianapolis is in the process of revamping its disaster recovery capabilities, says Andy Porter, senior engineer. The hospital's XIOtech and Compaq SAN fabrics are currently fully redundant internally, and it will soon move the redundancy "down the road" to a mirror site in Indiana. The hospital is also working with SunGard to establish a disaster recovery site.
HIPAA has also impacted how long hospitals store data. Before, says Porter, St. Vincent's would purge records from its radiology department's PACS (Picture Archiving and Communication Systems) system after a year or two. Now, "we've figured out that if you were born at St. Vincent's, we have to keep your data forever; and if you weren't - for 21 years."
At least, that's what St. Vincent's lawyers have been able to determine. What HIPAA compliance actually entails - and how it will be enforced - is anyone's guess. "I don't know any real HIPAA experts," Porter says. "There's still a lot of speculation about how the government will enforce HIPAA once it actually takes effect."