HIPAA compliance using serial ATA.
What do today's government regulations require from IT professionals? What are the best solutions available for meeting those requirements in times of constrained budgets and increasing business requirements? More specifically what technologies are best suited to help IT professionals meet those requirements while maintaining or improving committed service levels?
HIPAA compliance will require RAID storage that can provide petabytes of readily available, affordable, reliable, high-performance storage, attributes now associated with SATA RAID.
SATA offers increased performance, data protection features such as hot plug capability, signal integrity, easier integration based on reduced pin count, lower voltage requirements and improved cable and connector plants. The availability of sophisticated RAID solutions based on SATA enhances the inherent applicability of SATA to the issues of regulatory compliance and makes it a compelling technology for satisfying HIPAA compliance requirements.
In a period of flat or shrinking IT budgets and heightened scrutiny of medical costs, the additional federal requirements for standardization, protection and auditability of individually identifiable health data and metadata will force some difficult choices for IT managers in environments required to comply with the provisions of the Health Insurance Portability and Accountability Act of 1996.
WHAT is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places significant requirements on holders of medical information to safeguard, and be able to document the safeguarding of that information. These regulations specify what patient information must be kept private; how companies must secure the information; and the standards for electronic communication between medical providers and insurance companies.
WHAT INFORMATION IS COVERED?
HIPAA requires organizations and individuals to protect a subset of individually identifiable health information, known as protected health information, or PHI, that is held or maintained by covered entities or their business associates acting for the covered entity.
WHAT COMPANIES MAY BE AFFECTED?
Companies likely to be covered under HIPAA range across the health care or health-care-related business segments such as medical providers, insurance companies, claims clearinghouses, and employers that self-insure workers' health benefits. These companies are referred to in the Act as "Covered Entities".
Covered entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
The Act also defines Hybrid Entities like universities with teaching hospitals or employee health plans managed in-house, where a part of the entity may fall under HIPAA regulations.
The third major category of organization potentially affected by HIPAA is defined as the "Business Associate" of a Covered Entity. A Business Associate can be a person or entity who performs or assists in performing activities such as data analysis, claims processing or administration, utilization review, and quality assurance reviews. Think of outsourced claims payment or processing, or your company's Storage Services Provider, where your employee accident and injury or health benefit records are stored.
WHAT NEEDS TO BE DONE?
In order to comply with HIPAA, it appears that the following general activities need to be accomplished:
* PHI data must be backed up on a periodic basis.
* There must be an 'audit trail' for backed up data that leaves the facility.
* Access to backup media must be restricted to authorized personnel only.
* There must be a backup plan and disaster recovery plan in place.
* Data must be "a retrievable, exact copy".
Much PHI originates in a Point of Contact (POC) model and is stored in a variety of formats on a variety of devices in a heterogeneous collection of DAS, NAS and SAN storage environments. This means PHI could originate in the field, at a secure location in desktop applications, or as a record created directly in a live corporate database or in a replicated database for later aggregation. Because this information often carries critical weight in a healthcare as well as a business sense, it is stored on the best available premium equipment. That impulse is only strengthened by the pressure of regulatory compliance placed on IT officers in organizations covered by HIPAA.
So the varying ways in which PHI can enter a covered entity, the varying formats and record contents, the desire to store, protect and recover PHI, all in an economic climate of flat to declining IT budgets and tightening scrutiny of medical costs, create a strong demand for storage technology that is fast, flexible, reliable, inexpensive and scalable.
SERIAL ATA IS THE ANSWER
One of the best solutions lies in today's emerging serial I/O technologies currently making their way into commercial application. SATA has several characteristics that make it an appropriate technology to build a compliance strategy around for HIPAA and other legal requirements currently in place, while responding to the normal pressures of business requirements on IT infrastructure.
Serial storage architectures support flexible configurations, enabling an assortment of system connection options that help improve system performance and have the high availability feature set required to protect data. SATA was created to introduce technical enhancements over older technologies in the areas of hot plug capability, signal integrity, reduced pin count, reduced power requirements and improved cable and connector plants for smaller form factor drives.
SATA is a point-to-point interface protocol, designed for improved scalability at tremendous cost savings over today's Fibre Channel and parallel SCSI interfaces. Each device is directly connected to the host via a dedicated link. Each device, therefore, has the entire bandwidth dedicated to it, and there is no interaction between devices. This means that software can be streamlined, eliminating the overhead associated with coordinating accesses between the master and slave device sharing the same cable.
SATA architecture changes the physical interface layer only. It conforms to the ATA/ATAPI command set, which is the standard used on hundreds of millions of drives. It maintains register and software compatibility with Parallel ATA. No device driver changes are necessary, and the SATA architecture is transparent to the BIOS and the operating system. This means SATA is 100 percent software compatible with IDE drives, ensuring a smooth transition from the software and driver perspectives, reducing or eliminating the data migration costs associated with rewriting drives and re-qualifying software, and allowing existing operating systems to work seamlessly with SATA drives.
With its volume potential for replacing IDE drives, it is believed that the cost of SATA drives will reach parity with IDE drives, which is one third or less of the cost of today's SCSI or FC drives. Industry analysts currently project that two thirds of all hard drives shipped in 2007 for multi-user applications will be serial. This equates to approximately 24 million units.
In addition to direct attached storage for notebooks, desktops, workstations, and servers, SATA drives will be implemented as network storage with target applications such as large data farms, imaging, video storage, near-line storage, and high-performance backup, all of which could be appropriate uses in support of an organization's efforts to comply with HIPAA requirements.
The current generation of SATA runs at a data rate of 150 MB/sec, and the second generation of SATA is 300 MB/sec and will be introduced in the year 2004, followed by 600 MB/sec in the year 2007, roughly 3 years apart for each generation.
SATA enjoys strong support from the industry, making it a safe technology to consider for desktop, department and data center applications, whether the application is driven by business needs or regulatory requirements. The feature set available on SATA storage products today delivers the type of performance and data protection required for enterprise-critical applications, including enclosure management, error handling/reporting (SMART), hot plug capability, tagged command queuing, and dual path capability. With all of its inherent benefits, including price, performance and scalability, SATA storage technology will be the realistic remedy to the emerging HIPAA headache.
Barbara Murphy is vice president of marketing at AMCC, San Diego, CA.
Title Annotation: Connectivity; Health Insurance Portability and Accountability Act of 1996
Publication: Computer Technology Review
Date: Jun 1, 2005