Retaining all company records will require a significant investment in additional storage capacity, along with the ongoing costs of managing and maintaining that storage. "It's not practical or cost-effective to keep everything," says Gerr. Saving everything can also hamper compliance by making it more difficult to produce information in a timely manner when requested by a regulatory agency. There's also the very real danger of saving too much information--information that may be used to your company's detriment during legal or regulatory proceedings.
Some storage managers may think that they've covered the compliance bases because they have an effective backup system in place. But backup doesn't necessarily equate with data retention for compliance purposes. "Backup is for recovering from failures of one kind or another. Archiving serves a different purpose and has different objectives and performance criteria," says Contoural's Casey. Relying on backups for compliance may make it difficult--or even impossible--to find and produce the requested information in a timely manner.
Lars Linden, a principal at State Street Global Advisors in Boston, MA, an institutional investment firm managing more that $1.2 trillion, is equally dubious about relying on backups. "You'd better darn well be extremely well-funded both in terms of time and dollars," says Linden, because of the effort required to rebuild records from the backup data.
To be sure, determining storage requirements and procedures for regulatory compliance is a group effort. "It really does require a close working relationship with the clinical units," says Daniel Morreale, CIO of the North Bronx Healthcare Network in New York City, describing his formula for success when dealing with HIPAA requirements. Morreale advises that IT take an active role and ask questions such as: "What [data] are you collecting; why are you collecting it; how will you need to see it now; and what do you anticipate your needs with this data are going to be down the road?"
Developing a written policy for all involved parties to sign off on is a critical step. In some cases, putting together a compliance plan might require interpreting dozens of regulations. For multinational companies, this task can be daunting. Lois Hughes, senior manager of business application systems at Tektronix, says her team had to understand the requirements of the dozens of countries where they do business to put together their retention system. "We have a central retention document that is maintained current for all 27 countries where we do business," says Hughes.
But even without the special demands imposed by a global business model, creating a policy can be taxing. Although his organization primarily heeds only to state regulations, David Taylor, CIO of the Florida Department of Health in Tallahassee, FL, says, "The most difficult thing in the project was developing policy, and getting all the people and partners to agree on the policy, rather than the technical implementation." As with most organizations faced with compliance issues, the Department of Health formed a working group: "We pulled together the legal staff, the HIPAA compliance staff, the security and privacy staff, as well as folks that were administering the system," says Taylor.
While preparing for compliance can be an arduous process, it can be regarded as an opportunity to finally get a handle on storage and data management. "Compliance shouldn't be seen as a corporate tax, but really as an opportunity--a strategic investment, actually," says ESG's Gerr, noting that an effective compliance effort also "helps organizations both improve their ability to manage and protect valuable information."
"First of all, it's good business," says John Halamka, CIO of Harvard Medical School and six affiliated hospitals, in describing his organization's HIPAA compliance efforts and the related benefits they discovered. "The timing was right--we could both achieve what we thought was essential for our users and meet what we imposed on ourselves as HIPAA reliability standards."
