The US HIPAA (Health Insurance Portability and Accountability Act of 1996) governs health insurance for employees and specifies minimum standards for electronic health record retention.
But what is so interesting about HIPAA compliance for storage professionals in organisations that have nothing to do with healthcare in the US? Well, HIPAA compliance best practices have a lot to say about storage security, risk assessments, backup and disaster recovery and their relationship to the wider IT landscape.
In this podcast, Computer Weekly storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about HIPAA compliance and the best practices that can be learned by any IT organisation that deals with confidential business critical information.
Antony Adshead: What requirements does compliance with the US HIPAA regulations place on an organisation’s storage, backup and disaster recovery and why is it something we can learn from?
Mathieu Gorge: Yes, it is a US regulation that essentially deals with what is known as PHI – protected health information – and, in particular, electronic health records, known as EHR or EPHI. Part of the reason why this is important in the UK and Europe is that protected health information or any type of health information is regarded as personal data under the Data Protection Act and under the EU Data Protection Directive.
And so, therefore there are a few things that we can learn from HIPAA and also from HITECH (Health Information Technology for Economic and Clinical Health Act), which I suppose completed HIPAA when the Obama administration came in, in 2009.
HIPAA applies to all the entities that deal with PHI, so that could be a hospital, a general practitioner or any type of supplier known as a “business associate” that deals with PHI. And while HIPAA doesn’t actually specifically refer to storage or the creation of a storage plan, it does refer to a standard contingency plan and suggests that you need to have five documents in place in order to comply.
The first one is a data backup plan, the second is a disaster recovery plan, the third an emergency-mode operation plan. Then you have testing and revision procedures as well as applications and data criticality analysis.
But really, from a storage perspective, we need to focus on the first three, the data backup plan which really is all about restoring all the protected health information.
[Then] in terms of an exact copy of the original electronic protected health information, the DR plan, the intent of which is to create policies and procedures to restore electronic PHI in the event of a loss.
And finally the emergency-mode operations plan, which is about how a HIPAA entity accesses electronic information during an emergency.
As you can see, it’s aimed towards health information. However, you could easily see that it would apply to any kind of customer data, credit card data, confidential data and so on, so we have something to learn from that model.
Adshead: What, in more detail, does HIPAA compliance specify that brings storage into line with risk management and security best practice?
Gorge: Again, HIPAA and HITECH are all about protecting personal health information. As such, what it’s asking people to do is to take a granular approach to risk [concerning] the protected health information they hold on customers or patients.
What’s interesting is that the documents can become very granular. For instance, if we look into the storage of information on tape and it requires a proper labelling process, a retention policy, a policy for storage of tapes off-site and they [the regulations] mention that it applies to all storage components, so that includes virtual storage.
But, in terms of HITECH which is all about managing third parties it’s about having the right contracts in place to make sure the suppliers and people within that supply chain are all in compliance.
So, the requirements of HIPAA are really to make sure that a granular analysis of how protected health information is being handled by entities has been taken, a full risk assessment has been performed, including the storage of that data.
As you can imagine, in the event of a system failure you still need medical help. A perfect example would be a city being hit by a hurricane somewhere, or by an earthquake or terrorist attack, doctors still need to have access to that data at all times.
Therefore, classifying the data, storing it the right way and making sure it’s available to the right people at the right time, even during the crisis is very important. In that respect, the model offered by HIPAA is a good model for any type of organisation, regardless of whether they operate in the US or not.
This was first published in February 2013