Many think of PACS (picture archiving and communication system) data migration as something that only needs to be addressed once the decision has been made to convert from one PACS vendor to another. Yet the HIPAA Security Rule is an immediate regulatory driver for data migration projects and for new storage management strategies.
April 20th was the deadline for compliance with the HIPAA Security Rule, yet most healthcare organizations were not ready to fully comply by that date, according to survey results from the American Health Information Management Association (AHIMA) and the Healthcare Information and Management Systems Society (HIMSS). (See chart "HIPAA Security: Missing the Deadline.")
Specifically, the contingency plan standard of the Security Rule (45 CFR 164.308(a)(7)(ii)) places three obligations on covered entities: Section (A), the data backup plan, requires them to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information; Section (B) calls for a disaster recovery plan; and Section (C) calls for an emergency mode operation plan.
To comply with the security requirements, current PACS users must not only have the policies and procedures in place to administer those requirements, but must also take the concrete steps that provide for disaster recovery and business continuity. Note the word "retrievable" in Section (A): a copy that has never been restored is not known to be retrievable.
The penalties for non-compliance are detailed in Section 1176(a), General Penalty: "(1) IN GENERAL. - Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000."
The recently conducted U.S. Healthcare Industry HIPAA Compliance Survey by HIMSS reports that only 9 percent of facilities with 400 or more beds, and 18 percent of institutions with fewer than 400 beds, said they were compliant with the security regulations. It would appear that America's hospitals are still unprepared.
For hospitals that use a PACS as the primary means of diagnostic reading and store images on removable media (MOD, DLT, AIT), the consequence is this: if a second copy of the patient image data is not available, stored in a way that allows data recovery after a disaster to the main system, then the facility is not in compliance with the HIPAA Security requirements.
How can this be, one might ask? "We have religiously been backing up our data every night," many facilities answer. The important question is exactly which data have been backed up. In all likelihood the database containing the patient demographic information and study index has been backed up, but the image files themselves rarely have. Those files sit on whatever digital media the archive wrote them to, either placed on a shelf or held in a robotic media library, and it is rare that second copies of the original image files have ever been made. A backup of the database alone restores the index of what the hospital once had, not the images.
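The gap described above, a database that is backed up while the image files it points to are not, is easy to detect if the check is actually run. The following is an added example, not code from the original article or from any PACS vendor: it takes a constructed stand-in for the database's per-image records (SOP instance UID, relative file path and a SHA-256 of the original file; real vendor schemas differ and would be queried rather than hard-coded) and reconciles them against a second-copy directory, classifying each image as present and intact, missing, or corrupt. The demo builds a primary archive and a second copy in a temporary directory, then removes one image and truncates another in the second copy to show what the report looks like when the backup is incomplete.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large image files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_second_copy(manifest: list[tuple[str, str, str]], backup_root: Path) -> dict[str, list[str]]:
    """Classify every manifest entry (uid, relative path, expected sha256) against backup_root.

    'missing' means the database references an image the second copy does not hold;
    'corrupt' means the file exists but its contents differ from the original.
    """
    report: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": []}
    for uid, rel, expected in manifest:
        copy = backup_root / rel
        if not copy.is_file():
            report["missing"].append(uid)
        elif sha256_file(copy) != expected:
            report["corrupt"].append(uid)
        else:
            report["ok"].append(uid)
    return report


def build_demo(root: Path) -> tuple[list[tuple[str, str, str]], Path]:
    """Construct a toy primary archive and second copy under root (sample data, not real studies).

    UIDs and file contents are made up for the demonstration; the second copy is
    then deliberately damaged: image 2 is deleted and image 3 is truncated.
    """
    primary, backup = root / "primary", root / "backup"
    images = {
        "1.2.3.4.1": b"DICM sample image 1",
        "1.2.3.4.2": b"DICM sample image 2",
        "1.2.3.4.3": b"DICM sample image 3",
    }
    manifest: list[tuple[str, str, str]] = []
    for i, (uid, data) in enumerate(images.items(), start=1):
        rel = f"study1/img{i}.dcm"
        for base in (primary, backup):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
        manifest.append((uid, rel, hashlib.sha256(data).hexdigest()))
    (backup / "study1/img2.dcm").unlink()                # simulate a copy that was never made
    (backup / "study1/img3.dcm").write_bytes(b"DICM sa")  # simulate a truncated/damaged copy
    return manifest, backup


def run_demo() -> dict[str, list[str]]:
    """Build the constructed archives in a temp dir and return the reconciliation report."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest, backup = build_demo(Path(tmp))
        return verify_second_copy(manifest, backup)


if __name__ == "__main__":
    for status, uids in run_demo().items():
        print(f"{status:8s} {len(uids):3d}  {uids}")
```

Against a real archive the manifest would come from the PACS database and the hashes would be computed once from the primary copy when the second copy is written; the point of the check is that it starts from what the database says exists, so an image that was indexed but never copied shows up as missing rather than silently absent. Run it on a schedule and keep the report: it is also evidence that the "retrievable exact copies" obligation is being met.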
What's a facility to do?
So what are some of the options that are available to current PACS users that will speed their compliance with the disaster recovery and business continuity requirements of the HIPAA Security Rule? There are four general approaches:
- Make backup copies on your existing system. Your existing system may be able to create disaster recovery copies of the disks or tapes containing image data. This may require reconfiguration or expansion of your system, generally involving additional products or services from your PACS vendor; for example, an additional disk or tape drive in the robotic library may be needed so the copy operation does not degrade the system's clinical operations. Such a project may take a number of months to complete. It addresses only the disaster recovery requirement and not business continuity, since a destroyed PACS archive would have to be replaced before the backup tapes could be loaded into it. Whatever copy mechanism you use, periodically restore a sample of studies from the second copy and confirm that the images open; an untested backup is not a retrievable copy. Check with your PACS vendor to learn whether this option is available to you.
- Replace your PACS and migrate data to the new system. This admittedly costly option may be appropriate if your system is nearing replacement age. A new system should enable you to meet the requirements of the Security Rule, but remember that HIPAA compliance is your responsibility - not the vendor's - so don't