Healthcare users struggle with HIPAA

Healthcare providers, especially small and midsized companies, say HIPAA has made them rethink their approach to storage.

Increased regulation, according to healthcare users, has hit their industry hard. Harder, most estimate, than regulations in other industries where businesses are more used to staying on top of trends in IT.

In fact, most of the healthcare users interviewed had only made the move from DAS systems last year, and then only grudgingly in response to the Health Information Portability and Accountability Act (HIPAA).

Though HIPAA was originally passed back in 1996, the section that has had the most impact on the healthcare industry, Title II, didn't actually come into effect until April 2005. And users say it was then, and only then, that most of the healthcare market, particularly the smaller and midsized enterprises, made the move to storage strategies other industries have been using for years.

Not too small for SAN

"It was a year of upheaval," said Brian Asselin, director of IT for Harborside Healthcare, a consortium of 30 long-term rehabilitation facilities based in New England, with locations in the mid-Atlantic and Midwest.

Before HIPAA came into effect, Asselin said his company was backing up data over the Internet with AmeriVault Corp., but with a surge in stored data, backups were routinely taking between nine and 18 hours. Moreover, Asselin said, his storage consisted of whatever disk came with some 30 Windows servers spread out among his different facilities -- it was time to consolidate.

In late 2004, Asselin purchased an array from EqualLogic Corp., a PS200E. By this past September, he added another one and connected them in a small IP SAN. The EqualLogic arrays have helped him consolidate backups and given him some room to grow, he said, as well as provided better throughput, since the PS arrays use a Gigabit Ethernet SAN, as compared to Harborside's 100 Mb LAN. Harborside is also in the process, he said, of moving production databases over to the arrays from separate media servers in order to limit the transactions needed to pull data.

Before buying the EqualLogic array, Asselin said he looked briefly at EMC Corp.'s Clariion and a Storage Technology Corp. array, but said "they couldn't beat EqualLogic's price point."

Still, he admitted, "we don't have a large staff and there's not a lot of time to do full scale evaluations" of many different vendors, or even necessarily to get the most features for his dollar. According to Asselin, both EqualLogic and Cambridge Computer Services, who did the installation, came on recommendation, and the company's market research was minimal.

"Businesses like mine, I'm sure, didn't move to implement solutions like this before HIPAA hit," he said. "Everyone I've talked to in the user groups I frequent has been concerned with HIPAA and the amount of storage requirements. I don't think most of the healthcare market has passed completely out of the woods yet at all."

That includes his own company: Asselin said Harborside remains stuck in the first stage of revamping its storage and still hasn't gotten its disaster recovery (DR) site up to speed. Right now, the data being managed on the EqualLogic arrays has grown to just over a terabyte (TB), and Asselin said he is aware that number will probably explode in the next year to 18 months. Already, Asselin said he expects to add a third EqualLogic array in 2007 for his DR site, and conceded that would probably be just the minimum.

Scott Sudlow, IT director for Fulton County Hospital in Wauseon, Ohio, is also an EqualLogic customer, having bought a PS200E in July. Like Asselin, Sudlow had been using DAS with his Hewlett-Packard Co. (HP) application servers, and like Asselin, he liked EqualLogic's cost relative to the other products he evaluated, including HP's EVA SAN.

Like Asselin, Sudlow said he has yet to set up off-site replication for DR. However, Sudlow admitted, he's behind Asselin in HIPAA compliance.

"We're still working on the logging systems required by HIPAA," he said. "The EqualLogic array probably won't even really come into play until next year, when we get the logging issue straightened out."

Sudlow said he is also facing another regulatory headache in the form of the Senate's recent passing of the "Wired for Health Care Quality Act" (S. 1418), the first major step toward a national electronic health system. A domain has already been registered to wire Americans to online medical records -- medical records it's now up to healthcare providers like Sudlow to produce in electronic format.

"We're scrambling to get our records into electronic form," Sudlow said.

Bigger facilities offer experience, some advice

Curtis Damhof, network manager for St. Peter's Hospital, the largest teaching hospital in Albany, N.Y., had less difficulty meeting HIPAA requirements than his smaller counterparts. But that doesn't mean he had none.

The data growth brought about by regulation had overwhelmed St. Peter's previous storage system, which used Veritas' Backup Exec to write to an HP tape library. Eventually, the hospital made the switch to disk-based backup beginning with Avamar's Axion box, a move detailed in a previous story, "Hospital ditches Veritas, tape," June 22.

Damhof said St. Peter's learned its lesson from that process -- putting data on disk helps meet requirements. Today, St. Peter's also uses a 10 TB EMC Clariion 700 array and a 20 TB EMC Centera disk-based archive.

"Anything away from tapes is good," Damhof said. "You can recover things better and faster. Tape is always an issue."

Another large provider, Blue Cross/Blue Shield Tennessee, is in a similar boat -- ahead of smaller players, but far from ahead of the game, according to Bob Venable, manager of enterprise systems for the company.

"We're not even sure what the full impact of HIPAA will be long term," Venable said. "It requires a massive amount of data be stored that's useful for regulation and auditing, but has no business value. The costs raised can be unbelievable."

Venable said Blue Cross is taking steps toward automating tiered storage using IBM Content Manager, "But what I really want is a content-addressable file system, something that would automatically apply a storage policy as soon as I name a file, and then automatically migrate it through tiers of storage throughout its lifecycle."

Venable said his advice to smaller shops struggling with HIPAA is to enlist the help of other departments and form a committee composed of human resources, legal and IT department representatives. That way, Venable said, organizations can at least be on the same page with what they want to see happen, even if the technical implementation is easier said than done.

According to Venable, even the largest enterprises can benefit from this type of cooperation. "I have one and a half people managing 200 plus terabytes myself," he said. "I need all the help I can get, too."

