Mare: Ron, let’s talk about HIPAA, the Health Insurance Portability and Accountability Act of 1996. You mentioned last week that HIPAA addresses the security and privacy of patient health data. So is it like the healthcare industry’s equivalent of PCI DSS?
Ron: In some ways it is, but unlike PCI, which is an industry-imposed standard, HIPAA is an act of Congress.
Mare: You mean like taxes?
Ron: Yeah, more than you want to know. Unlike PCI, HIPAA’s origins were really to encourage the widespread adoption of technology in healthcare to save money. One example is electronic patient data interchange, which was meant to give all of your healthcare providers access to all of your records so that you wouldn’t need to repeat your medical history to each specialist that you see or carry your records from one office to another.
Mare: Sounds like a good law to me! I switched pediatricians recently and trying to get access to my child’s immunization records from the previous doctor has been such a pain. Is that all that HIPAA covers?
Ron: While only a small part of HIPAA, there are rules that address the protection of healthcare records. Like PCI, HIPAA specifies large monetary penalties for HIPAA violations, but in reality, there has been very little application of these penalties to hospitals, clinics, or doctors for infractions.
Mare: So why pass a law if you’re not going to enforce it?
Ron: You know, I think in another life, Mare, you would have made a good cop. In any case, you don’t have the whole story yet. Another law, called the HITECH Act, was passed in February 2009 that put significantly more teeth into HIPAA. For example, it put in place more stringent rules around the breach of personal health information, including notification requirements in the event of a security breach or loss of personal health information (PHI).
Mare: (Rolling her eyes) Yes, I recently received a notice from Wellpoint/Anthem Blue Cross letting me know that they had failed to secure my confidential and personal information. Is that what you’re talking about?
Ron: Yes, Mare, you’ve mentioned your love for those letters before. Yes, in addition to adding notification requirements, the HITECH Act also significantly expanded the kinds of entities that must comply. It’s not just hospitals and physician practices anymore; it’s also IT vendors that sell healthcare solutions, health plans, healthcare clearinghouses, and more.
Mare: Every hospital or healthcare entity I have dealt with is on a budget, though. How can they afford to implement these compliance measures?
Ron: Well, part of the HITECH Act also included financial incentives for adopting health information technology, allocating more than $20 billion in reimbursements to healthcare facilities that invested in IT that handles patient medical data. So that was intended to help alleviate some of the budgetary issues that you’ve mentioned.
Mare: Can NetApp help healthcare entities comply with HITECH and HIPAA? Or is your answer going to be, “sort of,” similar to what it was with PCI-DSS?
Ron: Yes, my answer is going to be, “sort of.” You have to understand that there are front-end systems that interface with the customer (from the time a patient walks into the facility, gets registered, sees a physician, has tests performed, and so on and so forth), and then there are back-end systems that store and process the data generated by the front-end systems. NetApp storage systems are part of the “back-end.” While we interface with the front-end, our storage platforms are not regulated by HIPAA or HITECH. Those apply only to the clinical side, where medical devices actually touch the patient.
Mare: But don’t our data storage systems play a major role in managing the short- and long-term retention of these records? As well as keeping them confidential?
Ron: Yes, they do. You’re right there. NetApp offers healthcare facilities a complete and flexible storage solution, whether they’re a two-physician practice or a 2,000+ bed hospital. For example, SnapMirror is widely used in the healthcare industry to provide disaster recovery protection for patient data. Our SnapLock software aids in compliance with records retention regulations that require healthcare providers to archive e-mails, documents, audit information, and other patient data in an unalterable state for years. Remember our discussion on data immutability?
Mare: How could I forget? You made fun of me when I tried to make a Star Trek reference.
Ron: Well, this is a perfect example of an industry that requires unalterable data. And you’ll like this: our encryption products come into play here as well. The HITECH Act specifies methodologies for rendering health information unusable, unreadable, or indecipherable to unauthorized individuals, and two of these methods are encryption and destruction.
Mare: And NetApp offers fabric-based encryption switches and the key management to go with them.
Ron: Yes, and don’t forget NetApp Storage Encryption, which is a full disk encryption solution that protects data if the drives are shipped from one location to another, sent back to the manufacturer for upgrades or spare parts, sold, repurposed, or decommissioned altogether.
Mare: What about backup and recovery? I would hate to think of any pictures of my innards being lost or irrecoverable.
Ron: Rest assured, your innards are safe with NetApp’s SnapProtect, a disk-to-disk-to-tape backup solution for reliable, low-overhead backup and recovery that is suitable for any healthcare environment. So you could say that NetApp has a full “array” of backup, disaster recovery, encryption, and archive solutions for healthcare IT managers that can help them meet HIPAA and HITECH requirements.
Mare: Wait, did you actually just make a pun? A full “array?”
Ron: I did. Aren’t you proud of me? I can be “punny” after all.
Mare: Okay, that’s it. Let’s quit while we’re ahead. We’ll be back next week to talk about how NetApp storage can help you save the evidence yet get back to work quickly after your network has been hacked.