The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created national standards to simplify information exchange between healthcare plans, providers, and clearinghouses as well as to ensure the privacy and security of medical records and other personal health information. Ironically, complying with these simplification standards has turned out to be complex.

In radiology departments, where attention is naturally on day-to-day detail, administrators must keep the big picture in view so that the data strategy they devise is not too narrow in scope. What follows are some long-term issues that experts advise thinking about before creating a data strategy.

HIPAA Primer

HIPAA aims to protect the privacy and security of an individual while allowing those who serve this person to communicate necessary healthcare data. Though specific standards must be met, HIPAA does not prescribe the steps to achieve them; there is too much variation among the institutions and individuals it covers. Instead, each facility has been allowed to develop its own compliance process.

Covered institutions must comply in four general areas:

  1. transactions and code sets, governing the electronic transmission of specified administrative and financial transactions;
  2. unique identifiers, which identify health plans, healthcare providers, employers, payors, and individuals;
  3. security, which requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information; and
  4. privacy, controlling what uses and disclosures are authorized or required, and what rights patients have with respect to their health information.

HIPAA’s implementation is occurring in stages, with small health plans given roughly a year longer than other covered entities at each stage. As of October 16, 2003, all covered entities needed to be in compliance with the electronic healthcare transactions and code sets standards. Privacy compliance was required of most covered entities in April 2003 and of small health plans in April 2004. Security standards must be in place by April 2005 for most covered entities and by April 2006 for small health plans, and national provider identifiers by May 2007 (May 2008 for small health plans).

The staggered deadlines recognize the cost and time required to achieve these measures; keeping up with the technology is just a small part. Jason Launders, senior project officer of ECRI (formerly the Emergency Care Research Institute of Plymouth Meeting, Pa), says, “HIPAA is more managerial than technical.”

Issue 1: Should data management be kept in-house or outsourced?

“HIPAA specifies the need for an in-house privacy officer and a security officer. This can be the same person, but whoever it is should have some oversight on IT purchasing,” says Launders, who suggests it’s best to appoint a senior executive.

Depending on facility size, these responsibilities could fall to one person or to a team; smaller facilities might be able to get away with a single in-house person. “There is not a lot of management required for data. Work focuses primarily on failures,” says Paul Nagy, PhD, assistant professor of radiology at the University of Maryland (College Park).

Not everyone agrees. Organizations must weigh their staff’s size and expertise, the near- and long-term costs, the risk to the data, and technological issues. “Essentially, an ASP [application service provider] allows you to ‘rent’ off-site software and data storage for a fee on an as-needed basis,” says Brian Bonanno, senior healthcare consultant for Medical Learning Inc (MedLearn of St. Paul, Minn).

Launders adds, “An ASP can limit the risk due to the unpredictability of the amount of data that will need to be stored and which technologies will come out. The ASP can be a more predictable cost.”

But the facility loses some control and assumes a different kind of risk. Don Baune, manager of global practices and integrated solutions at StorageTek (Louisville, Colo), advises that ASP clients find out who owns the data, the hardware, the passwords, and the encryption keys. If the company goes out of business, who is responsible for the data? “It’s important to understand how the ASP is storing the data and how a facility would bring the individual pieces and set up in-house if it needed to,” he notes.

Issue 2: Is there a need to classify data beyond DICOM?

DICOM headers offer some classification fields, including patient name and modality, but facilities might want to consider creating additional groupings for the long term. How often a study will be needed is not obvious from the header alone; it depends on what the study contains and who will need it.

Steve Higgins, director of business continuity and security solutions for EMC Corp (Hopkinton, Mass), says, “The classification method sets the tone and foundation for data storage and management, and spells out strategy, design, and implementation.”

Nagy, however, feels that classification can be challenging when one is unsure how the data will be used. “The clinical value of data is frequently very short-lived. Roughly 80 percent of relevant priors are accessed within 6 months,” he says.

Yet, classification can identify what needs to be done with a particular piece of data. How long should it be kept? How much space will certain types of data require? Will the data be used elsewhere in the enterprise? The answers to these questions can help determine when, if ever, a file can be deleted, and, subsequently, how much memory a facility needs to have available.

Issue 3: Isn’t it easier and more convenient just to store data rather than delete any?

It’s absolutely easier to keep all data immediately available on disk; in some cases, it could be cheaper. Baune notes that PACS products do not all handle deletion the same way, and that differing retention periods can make system deletions more of a hassle than they are worth. “It’s been cheaper and easier to add storage than delete [files],” he says.

But unlimited storage is not necessarily the best solution for the long term. “Right now, the amount of data stored by individual radiology facilities is not enormous because PACS [usage] has become mainstream only in the past 5 to 10 years,” Launders says. “But that will grow, and at some point, these institutions will need to consider storage options, including the deletion of data.”

Hospitals consistently underestimate data volume by anywhere from 10% to 50%, failing to factor in items like procedural protocol changes, significantly increased slice counts with new multi-slice CT scanners, and procedural volume growth.1

State law and the type of treatment already determine how long data must be kept. In most cases, oncology patient records should be readily available for 1 year after remission; pediatric patient records are kept at least until the patient turns 21; and mammography exams are retained forever. Other exams, such as a chest or back image, might be needed only for a short while, and their deletion from the system can free up space for files that must be kept.

Mike Kimball, worldwide product line manager for archiving, storage, and back office at Eastman Kodak Co (Rochester, NY), says, “A system using this classification method can be programmed to automatically delete or retain certain files. Normal [exams] can be purged after a year. Mammography files can be kept forever.”
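The retention classes above are the kind of rule set such an automated purge job would evaluate. What follows is an added example written for this page, not code from any PACS or vendor named in the article. It uses the retention periods the article gives (normal exams purged after 1 year, pediatric records kept until the patient turns 21, oncology records kept 1 year past remission, mammography never purged) and assumes the field names, the 18-year pediatric cutoff, and the oncology and remission fields, the last two of which are not DICOM attributes and would have to come from the RIS or a tumour registry, which is exactly the “classification beyond DICOM” of Issue 2.

```python
"""Retention classification of radiology studies beyond the DICOM header.

Added example for this article, not code from any PACS or vendor named in it.
Retention periods follow the article; the field names, the 18-year pediatric
cutoff and the oncology/remission fields are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

FOREVER = date.max          # sentinel: never eligible for purge
PEDIATRIC_AGE = 18          # assumption: under 18 at exam time counts as pediatric


@dataclass
class Study:
    study_uid: str          # DICOM (0020,000D) Study Instance UID
    modality: str           # DICOM (0008,0060) Modality, e.g. "CT", "MG", "CR"
    study_date: date        # DICOM (0008,0020) Study Date
    patient_birth: date     # DICOM (0010,0030) Patient's Birth Date
    oncology: bool = False                 # not in DICOM: from RIS/registry (assumed)
    remission_date: Optional[date] = None  # not in DICOM: None = still under treatment


def add_years(d: date, years: int) -> date:
    """Add whole years, folding 29 Feb onto 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_at(birth: date, when: date) -> int:
    """Completed years of age on date `when`."""
    years = when.year - birth.year
    if (when.month, when.day) < (birth.month, birth.day):
        years -= 1
    return years


def classify(study: Study) -> Tuple[Tuple[str, ...], date]:
    """Return (retention classes that apply, date the study becomes purgeable).

    Every applicable rule contributes a retain-until date and the latest one
    wins, so a pediatric oncology study is kept for the longer of the two.
    """
    classes: List[str] = []
    retain_until = add_years(study.study_date, 1)   # baseline: normal exam, 1 year

    if study.modality == "MG":
        classes.append("mammography")
        retain_until = FOREVER

    if study.oncology:
        classes.append("oncology")
        if study.remission_date is None:
            retain_until = FOREVER                   # active case: never purge yet
        else:
            retain_until = max(retain_until, add_years(study.remission_date, 1))

    if age_at(study.patient_birth, study.study_date) < PEDIATRIC_AGE:
        classes.append("pediatric")
        retain_until = max(retain_until, add_years(study.patient_birth, 21))

    if not classes:
        classes.append("normal")
    return tuple(classes), retain_until


def purge_candidates(studies: List[Study], today: date) -> List[str]:
    """UIDs whose retention period has elapsed as of `today`."""
    return [s.study_uid for s in studies if classify(s)[1] <= today]


# Constructed sample studies with made-up UIDs; not real patient data.
SAMPLE_STUDIES = [
    Study("1.2.3.4.1", "CR", date(2004, 3, 1), date(1960, 5, 10)),
    Study("1.2.3.4.2", "MG", date(2004, 3, 1), date(1955, 1, 1)),
    Study("1.2.3.4.3", "CT", date(2004, 3, 1), date(1995, 7, 15)),
    Study("1.2.3.4.4", "CT", date(2003, 6, 1), date(1950, 1, 1),
          oncology=True, remission_date=date(2004, 9, 1)),
    Study("1.2.3.4.5", "MR", date(2004, 1, 1), date(1950, 1, 1),
          oncology=True),
]

if __name__ == "__main__":
    for s in SAMPLE_STUDIES:
        classes, until = classify(s)
        print(s.study_uid, ",".join(classes),
              "forever" if until == FOREVER else until.isoformat())
    print("purgeable on 2005-06-01:", purge_candidates(SAMPLE_STUDIES, date(2005, 6, 1)))
```

Run as a script it lists each sample study's classes and retain-until date, then the single chest film that is purgeable by mid-2005. The design point is that rules only ever extend retention, never shorten it, so adding a new class (a state-law rule, say) cannot accidentally make an existing study purgeable earlier.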

Issue 4: How can data be kept private, secure, and safe?

StorageTek's Flexline 600 series is a disk-based data-management system due this year.

Even old data must be kept private, secure, and safe. A facility’s HIPAA officer will quickly realize that there is a difference between the three. Privacy governs the use and disclosure of medical information in any form; security protects electronic protected health information from unauthorized access or alteration; and safety ensures that information is backed up and available in an emergency.

With regard to privacy, HIPAA codifies what many already do and expect, Launders notes. But Bob Porper, VP of development and a HIPAA officer for InSiteOne Inc (Wallingford, Conn), notes that HIPAA also requires auditable logs of who has access to what and when. “Facilities must put together policies and procedures. They need to conduct employee-awareness training and create agreements with all business associates not already covered under HIPAA,” he says.

Higgins believes one of the biggest security challenges is providing information to physicians while pushing them to comply with security measures, which they find cumbersome. Baune notes that strong security is important, but it should never get in the physician’s way. He suggests that new technologies, such as dongles (devices that attach to a computer to control access to an application), can help staff and physicians maintain compliance.

Nagy feels that PACS solutions offer enough security and that the real challenge lies in a disaster-recovery plan that really considers the time it will take to reassemble the data. If a disaster strikes, how long will it take to obtain the necessary backup data? And does a facility really need all that data?

Institutions need to begin to assess the risks, which operations are critical, and what data will be needed immediately. “It’s likely a facility won’t need its long-term archive in an emergency. So how do you make what you need available 24/7?” Launders asks.

Many small facilities keep the backup right next to the production server, which eases restoration but reduces safety: a fire, flood, or theft takes both copies. HIPAA’s contingency-plan standard requires retrievable exact copies of electronic protected health information, and keeping that copy off-site is how a facility meets it in practice.

Some institutions have developed unique solutions. Baune has seen hospitals that do not overlap in geographic markets or in customer base share data centers. “This works if they are not in competition,” he says.

Issue 5: Does data need to be upgraded with technology?

Even with a good plan, facilities need to continue to manage data storage. “New technology is developed every 3 to 5 years, and institutions must keep up to avoid becoming obsolete,” says Kimball.

Just as facilities need to consider the life cycle of the patient information, they must also consider the life cycle of the hardware. Old data must be migrated to new technology so that it remains available.

Issue 6: Should data storage be centralized?

The need to continually migrate data is one reason facilities might want to think about centralizing their data storage and management. Centralization also lets staff run queries and retrieve studies more easily, and lets IT implement best practices throughout the organization.

“The concept of consolidation squeezes cost, decreases complexity, increases business continuity, makes regulations easier to implement, and simplifies the process,” says Higgins. Just a few more reasons to look at the big picture.

Renee DiIulio is a contributing writer for Medical Imaging.


  1. Cannavo MJ. Changes in latitudes, changes in attitudes: technology changes and their impact on PAC system designs. InSiteOne Inc white paper. November 26, 2004.