Health care organizations create terabytes of data every year in the form of patient records, lab results and medical images. State laws and the federal Health Information Portability and Accountability Act (HIPAA) require providers to store this information for years, sometimes decades.
As a result, health data archiving should be a key component of an organization's overall IT plan. When choosing a data archiving strategy, health IT leaders should weigh a variety of options, ranging from on-site tiered storage within a storage area network (SAN) to off-site storage by a cloud service provider. Security must be considered in every case, especially in light of the Health Information Technology for Economic and Clinical Health (HITECH) Act's changes to HIPAA, but providers should not let security stand in the way of outsourcing some health data archiving services.
- What regulations govern the storage of health data?
- How big is a typical health data file?
- How can a SAN and tiered storage improve data archiving?
- What is data deduplication?
- What are the pros and cons of cloud services for data archiving?
The HIPAA Privacy Rule requires a HIPAA covered entity to maintain adult patients' records for six years, or for two years if a patient dies. If a child is born in a health care facility, the organization must retain that child's records until he reaches the age of majority, which is 18 in all U.S. states and territories except American Samoa (14), Alabama and Nebraska (19), and Mississippi and Puerto Rico (21).
In some cases, state laws require that records be retained for an even longer period. New Hampshire, for example, requires that facilities keep newborns' records for 25 years, while North Carolina requires that adult records be retained for 11 years. Additional medical image storage rules might apply in certain specialties: Under Food and Drug Administration regulations, for example, mammography scans must be retained for 10 years or until the next scan is done.
The HIPAA Privacy Rule also requires organizations to adhere to the minimum necessary standard, which stipulates that personal health information should not be disclosed if its use is not necessary for carrying out a particular function. To meet this regulation, organizations might want to monitor who is accessing, or restrict who can access, the information in a health data archive.
The size of the files created and stored in picture archiving and communication systems (PACS) and radiology imaging systems can vary tremendously. Ultrasound; magnetic resonance imaging, or MRI, scans; and computed tomography, or CT, scans all check in at less than 1 MB each. Computed radiography, or CR, scans can be 10 MB, and digital mammograms can be 25 MB or more.
As health care facilities consider adding or expanding their imaging services, IT departments must consider how these new applications will affect data archiving and image storage. For this to happen, PACS administrators, radiologists and IT staff must be on the same page.
Many health care providers use SAN technology to handle rapidly proliferating quantities of data. In a SAN, logical storage units are separated from physical storage. These logical units typically are allocated to a single application and can be expanded when the need arises; certain storage hosting applications can help CIOs monitor the ever-changing storage requirements of PACS and other imaging systems.
A SAN works well in conjunction with tiered storage, which is more a philosophy than a particular type of technology. Data becomes less mission-critical as one moves down a tiered storage architecture; this allows organizations to house older files on slower, bulkier and less expensive (per gigabyte) storage devices.
In a health care setting, images captured at the time of clinical review would be stored at tier 1 and moved to tier 2 after a set period of time, such as a month. After several more months -- past the point where the data needs to be accessed immediately -- the image would be moved to tier 3, which would essentially serve as a health data archive.
Meanwhile, some medical centers are using health data archiving software to store, manage and retrieve images from their PACS.
The process of data deduplication eliminates multiple instances of the same information. Through this process, organizations can get rid of hundreds of identical files within a health data archive.
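An added example (not part of the original FAQ) of the file-level deduplication described above: it groups files by size, hashes the candidates with SHA-256, and confirms each match byte for byte before listing it as a duplicate, so the result is a plan and nothing is deleted. The function names and the sample file contents are assumptions constructed for illustration.

```python
import filecmp
import hashlib
import os
from collections import defaultdict


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plan_dedup(archive_root):
    """Return {canonical_path: [duplicate_paths]} without modifying the archive."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(archive_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                by_size[os.path.getsize(path)].append(path)

    plan = {}
    for paths in by_size.values():
        if len(paths) < 2:
            continue  # a file with a unique size cannot have a duplicate
        by_hash = defaultdict(list)
        for path in sorted(paths):
            by_hash[sha256_file(path)].append(path)
        for group in by_hash.values():
            keep, rest = group[0], group[1:]
            # Byte-for-byte check before declaring a retained record redundant.
            dupes = [p for p in rest if filecmp.cmp(keep, p, shallow=False)]
            if dupes:
                plan[keep] = dupes
    return plan


def build_sample_archive(root):
    """Constructed sample data: two identical files and one same-size different file."""
    os.makedirs(os.path.join(root, "tier3"), exist_ok=True)
    samples = {"a.img": b"SCAN-0001" * 100, "c.img": b"SCAN-0002" * 100,
               os.path.join("tier3", "b.img"): b"SCAN-0001" * 100}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
```

Calling `plan_dedup()` on a directory populated by `build_sample_archive()` reports `tier3/b.img` as a duplicate of `a.img` and leaves `c.img` alone, even though all three files are the same size.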
There is another type of technology under development that could help organizations significantly reduce their health data archiving footprint. Researchers at the National Institutes of Health are examining whether compression technology, aided by human decision making and computer algorithms, can succeed in easing the burden on medical image storage by saving only the relevant area of a medical image and discarding extraneous data. The resulting images will take up less storage space and will be easier to transmit, researchers say.
Cloud computing services offer health care providers the opportunity to move data backup out of the data center and off of write-once, read-many tape drives, some of which might date back to the 1980s.
Because state and federal health data archiving regulations require providers to keep patient records for years, if not decades, using cloud storage services for backup files, as well as for files that don't need to be accessed readily, can free up space in the data center for new equipment. In addition, the bandwidth costs associated with using cloud services are typically much less than the cost of maintaining and upgrading an on-site data center. That fact makes remote PACS storage a cost-effective alternative to tape.
One major issue, of course, is whether third-party cloud storage services can be compatible with an organization's HIPAA compliance needs, because HIPAA requires that personal data be protected through three types of safeguards: administrative, technical and procedural. In this case, turning health data archiving over to a third party could prove to be an advantage.
Under HITECH Act changes to HIPAA, encryption is -- or should be -- central to an organization's security policies: The loss or theft of encrypted data is not considered a data breach. Many health care providers use data encryption technology in-house already, but for such reasons as cost and logistics, they don't use storage encryption. In a combination of best business practices and simple economies of scale, good cloud storage providers will offer storage encryption services, which constitute a technical safeguard under HIPAA regulations.
Let us know what you think about the FAQ; email Brian Eastwood, Site Editor.