HIPAA -- a bang or a whimper?

The April '03 deadline for compliance with the Health Insurance Portability and Accountability Act (HIPAA) is driving several major IT and storage implementations.

HIPAA, the Health Insurance Portability and Accountability Act, has been a major consideration for the information technology people at healthcare and healthcare-related organizations since it was passed by Congress back in 1996. But now deadlines for compliance are clicking into place (the privacy rule becomes effective April 14, 2003) and a flurry of last-minute changes -- such as the HIPAA security regulations released in February -- must now be figured into IT implementation plans. Indeed, it is a situation that is somewhat reminiscent of Y2K.

Brian Babineau, analyst with the Enterprise Storage Group, says HIPAA has powerful implications for storage in the handling of health information, billing processes, the claims adjustment process and insurance enrollments. According to Babineau, HIPAA has three main components:

  • A privacy rule (ensuring that patient confidentiality isn't breached),
  • The security rule (outlining appropriate security practices), and
  • The transaction code set and unique identifier rule (which discuss how electronic records are to be moved and handled)

"All of that now has to be handled electronically under HIPAA using standardized methods," says Babineau. He predicts that the new HIPAA-compliant applications from vendors like GE Medical, Cerner, and Siemens will "drag in expanded storage, backup and data protection requirements."

Then there's the requirement to make available legacy paper- and film-based records as well as newer electronic records. Under HIPAA, Babineau says that medical records need to be retained at least 6 years, and at least 2 years after the death of a patient, though most are kept forever.

Babineau says another challenge for organizations is the wide range of sources that generate protected health information -- doctors, medical labs, even e-mails. "We are constantly creating more and more sources of electronic data," he adds.

Although painting a similar picture regarding HIPAA, Gartner analyst Jim Klein reaches somewhat different conclusions. "I don't see the privacy regulations having much impact at all on storage -- at most, perhaps an additional 10 percent," he says. Klein says that impact could come from a slight increase in digitizing legacy records, a process he says has already been going on for many years.

On the security side, Klein says the final regulations actually offer more latitude to organizations than the draft regulations, against which people have been planning for several years. "I think most of these organizations have already been doing the kind of backup and disaster recovery planning specified by HIPAA. So, I don't see more than a 10 percent boost in storage activity here, either," he added.

What does seem to be growing, says Klein, quite independent of HIPAA, is the volume of medical imaging "which is poised for a price-performance explosion."

Still, Babineau believes HIPAA should not be underrated. Why? Babineau points to the threat of lawsuits rather than any government enforcement action. "The tripping point for HIPAA will occur the first time a patient is seriously injured and medical records couldn't be established in a timely fashion or when some medical records are exposed," said Babineau. That, he believes, could release a flood of lawsuits, and the fear of that possibility will compel healthcare organizations to invest heavily in storage and IT to try to "get it right."

Indeed, Michael Wagner, an attorney and HIPAA expert at the law firm of Baker & McKenzie in Chicago, agrees that HIPAA could prove a legal Pandora's box. While HIPAA doesn't specifically create a private right of action, Wagner says it is likely to produce an increase in the number of lawsuits. This is because state law, judges, and juries will see HIPAA as setting the benchmark for performance.

"It is likely that HIPAA will be admissible when privacy and patient health information arises," he adds. In short, organizations will have all the reasons in the world to make themselves as HIPAA-compliant as possible.

For more information:

  • Alan Earls often writes about things NAS and SAN for the "SAN/NAS Update: Trends" column. View the latest
  • About the author: Alan Earls is a freelance writer in Franklin, MA.