HIPAA Makes Data Protection a Top Priority for Health Care IT

Health care is in the headlines this week because of Monday's deadline for uninsured Americans to enroll in Obamacare. But a separate health care law, the Health Insurance Portability and Accountability Act (HIPAA), has big implications for how providers store, protect and back up their patients' data. 

HIPAA sets rules on who may access personal medical information, and with civil penalties that can reach $1.5 million per year for repeated violations of a single provision, data protection is quickly becoming a top priority for health care IT pros. 

How Is Medical Data Protected?

HIPAA's Security Rule requires covered entities, and the business associates that handle data for them, to establish a contingency plan: policies and procedures for responding to an emergency or other event, such as a system failure, fire or natural disaster, that damages systems holding electronic protected health information (ePHI).

Within the contingency plan, organizations must develop a data backup plan, a disaster recovery plan and an emergency mode operation plan. The data backup plan contains procedures for creating and maintaining exact, retrievable copies of ePHI. The rule does not prescribe a backup method; any approach is acceptable as long as the organization can show it can maintain and retrieve the data, which in practice means restoring from the backup and checking the result, not just writing it. The disaster recovery plan covers how lost data is restored, and the emergency mode operation plan covers how critical business processes continue, and ePHI stays protected, while systems are unavailable.
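As an added illustration (not from the article, and not any vendor's product), the following Python script shows the smallest version of the backup-plan check a practitioner would want: it copies a constructed record set, records a SHA-256 hash of every file in a manifest, then runs a restore test that reports any file that fails to come back byte-for-byte. The file names, the manifest name and the sample record contents are assumptions made up for the example.

```python
"""Added illustration (not from the article): a minimal data-backup plan check.

The backup plan calls for exact, retrievable copies of ePHI. A backup that has
never been restored and compared is not known to be either. This script copies
a record set, writes a SHA-256 manifest, then performs a restore test that
compares every restored file against the manifest and reports the gaps.
All paths and file contents below are constructed sample data, not real records.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed file name; any convention works


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large imaging files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup`, recording each file's hash.

    The hash is taken from the original and the copy is checked against it
    immediately, so a bad write is caught at backup time rather than at restore.
    """
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = sha256_file(src)
        if sha256_file(dst) != manifest[rel]:
            raise IOError(f"copy of {rel} does not match source")
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(backup: Path, restore_to: Path) -> list:
    """Restore from `backup` into `restore_to` and list every discrepancy.

    Returns [] only if every file named in the manifest came back identical.
    """
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        src = backup / rel
        if not src.exists():
            problems.append(f"missing in backup: {rel}")
            continue
        dst = restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def run_demo() -> dict:
    """Back up a constructed record set, restore it, then damage the backup and
    restore again. Returns both restore-test results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup = root / "ehr", root / "backup"
        source.mkdir()
        # Constructed sample records; not real patient data.
        (source / "patient_0001.json").write_text('{"id": 1, "allergies": ["penicillin"]}')
        (source / "imaging").mkdir()
        (source / "imaging" / "ct_0001.bin").write_bytes(bytes(range(256)) * 64)

        create_backup(source, backup)
        clean = restore_test(backup, root / "restore1")

        # Simulate silent corruption of one file and loss of another in the backup set.
        (backup / "imaging" / "ct_0001.bin").write_bytes(b"\x00" * 10)
        (backup / "patient_0001.json").unlink()
        damaged = restore_test(backup, root / "restore2")

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what turns "we have a backup" into evidence: an auditor can be shown the restore-test output, and a corrupted or missing file is reported by name instead of being discovered during an actual outage. In production the manifest should be stored separately from the backup it describes, so that whatever damages one does not also rewrite the other.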

Institutions that fail to safeguard protected health information face substantial fines for privacy and data security violations, so compliance is imperative.

How Is Medical Data Stored?

Filling out medical forms on an iPad may seem like second nature now. HIPAA does not require records to be electronic, but its Security Rule governs the ones that are, and federal incentive programs have pushed providers toward them: the use of electronic records in hospitals rose from 5 percent in 2003 to 85 percent in 2013. Digital images such as CT scans, X-rays and 3D MRIs alone require a significant amount of storage space. Hospitals typically keep these images for seven years, and they must also keep retrievable backup copies of them to comply with HIPAA. 

Patient data is typically stored in one of two ways: via an internal content management system with integrated storage, or through an independent storage system, typically third-party cloud storage. Doctors need immediate access to all of this data, so speed and availability are paramount.

Internal storage systems tend to be costly, so health care companies increasingly turn to cloud services. According to Wall Street Journal writer Laura Landro, about 15 percent of health care providers use less expensive cloud-based services to store digital images. 

The Challenges of Storing Medical Data 

Third-party vendors, however, aren't always aware of specific HIPAA requirements, even though a vendor that stores or processes protected health information is a business associate under HIPAA and must sign a business associate agreement that binds it to the same safeguards. Vendors often have multiple storage sites, and it can be difficult for health care providers to know exactly where their data is and who has access to it at any given moment.

According to the Ponemon Institute's Fourth Annual Study on Patient Privacy and Data Security, 90 percent of U.S. health care organizations suffered at least one data breach during the previous two years, attributed to lost devices, third-party error, criminal attacks and technology glitches. The study estimates that such breaches cost the health care industry $5.6 billion a year. 

To help prevent HIPAA violations, loss of records and unauthorized access to data, health care organizations should develop a contingency plan that aligns with HIPAA's requirements, test it rather than file it away, and ensure that IT vendors understand the regulations and requirements that go along with protecting medical data.
