Managing and protecting all enterprise data


Wrestling with regulations

In the health care industry, complicated regulations such as HIPAA, combined with new technologies that require enormous amounts of storage, are driving storage managers to the emergency room.

For decades, data storage at the average health care institution was low tech: Stacks of file folder-stuffed boxes were tucked away in some out-of-the-way rooms. Over time, the logistics of dealing with the accumulated volume of patient records, even in microfiche format--as well as a not-so-gentle nudge from the federal government in the form of HIPAA--propelled health data into the digital age.

Compounding the storage problem are medical technology advances like MRIs, as well as a growing number of network connections to pharmacies, other health care organizations and physicians. Add in the fact that HIPAA requires some patient records to be accessible for up to 21 years. Then throw in dramatically increased requirements for security and patient confidentiality, and it all adds up to a recipe for a health care storage emergency.

HIPAA raises the bar
Whether by direct order or inference, there's no denying that HIPAA has upped the storage ante for health care providers. For example, the Commonwealth Health Corp., Bowling Green, KY, has three medical campuses with a total of 537 beds. CIO Matt Ebaugh estimates his storage at about 1TB, which is growing at 10% a year.

That's about average, says Hardy North, Dell Computer Corp.'s director of business development for health care. "Providers in the 200 to 300 bed range typically approach a terabyte in storage needs."

Bill Lazarus, assistant VP of IS technology and communications at St. Joseph's Health System in Orange County, CA, has 9TB of storage. He expects storage needs to double at the 14-hospital system in the next two years because of the new backup and archiving systems he's installing to meet HIPAA requirements.

Andy Porter, senior engineer at St. Vincent's Hospital in Indianapolis, says, "In the past, there was no hard and fast rule about how long you needed to keep data around. There were some JCAHO [Joint Commission on Accreditation of Health care Organizations] guidelines, but not everyone subscribed to them." HIPAA storage retention guidelines, for example, suggest five years for mammograms, 10 years for adult records and 21 years for pediatric care patient records. Even though Porter feels that the clarity of HIPAA's storage guidelines "is about 10 degrees worse than IRS regulations," he errs on the side of caution.

Couple the HIPAA guidelines, Porter adds, "with PACS [Picture Archiving and Communication System], where the images are getting larger." For example, a technician can take a CT scan, slice it up in different ways and do a three-dimensional modeling of it. That takes massive amounts of storage, he says, and if it's involved in a patient diagnosis, it's data that must be kept. Currently, St. Vincent's utilizes 45TB on two storage area networks (SANs) and about 18TB in direct-attached storage (DAS).

Adding to the storage bulk is the necessity to transfer paper-based patient records to disk--a labor-intensive and costly process. One option is to scan in old documents as images. The last option is to simply ignore old records.

St. Joseph's is letting the old data sit. Lazarus says a majority of his departments don't see value in pulling that data forward at the expense of their existing storage capacity.

Security and data migration
Getting records from paper to disk is easy compared with transferring data outside the hospital under the transfer protocols established by HIPAA regulations.

In one of the biggest cases of two steps forward, one step back, HIPAA allows faxing from paper originals, but once the information is on disk, any transmission of the data that's automatically generated by computer through an automated fax routine must be made from and to encrypted devices. Regarding radiology images, Lazarus says, "We can burn a patient's study to CD and provide them with a viewer. As far as the electronic medical records, I don't know of a way that protects their privacy."

Keep everything?
HIPAA's basic storage requirement is six years, which corresponds to the federal statute of limitations for civil penalties. Add in other federal, state and/or local regulations for patient-related information, and it's no wonder that storage managers in health care are frustrated.

The key to avoiding disk clutter, according to Jerry Carleo, a storage systems consultant with StorServer Inc., is to not think about the patient record as the umbrella under which all related data is stored. Instead, each data element should be considered a record unto itself associated with the patient.

Systems such as EMC Corp.'s Centera, a disk-based write once, read many (WORM) device, can already do the job, using an object-based storage system that also lets applications embed retention periods that prevent the record from being deleted before the end of the period. The downside is that Centera is expensive.

How much storage?
With some industry analysts predicting that storage needs will increase in the range of 52% per year, why are health care storage managers only quoting jumps in the 10% to 32% range? They're both correct, at least in part, and for different reasons.

St. Vincent's Porter says: "Storage growth is never steady. Every year, we'll purchase 25% to 50% more storage, but it's a percentage of what we previously purchased and that's probably what the analysts are looking at." The best advice from experts is to carefully examine your current storage capabilities with an eye toward consolidation, plus a detailed analysis of online, nearline and offline storage requirements.
