HIMSS: To save or not to save: HIPAA data management
ATLANTA - In terms of managing medical data, the rules, regulations and laws always change, explained Tracey Kirsteins, director of IT at Temple University Health Systems, during a session she hosted Tuesday at HIMSS 2010 called “Managing/accessing data to meet changing compliance regulations."

“The new thing is the HiTech Act. The HiTech Act puts teeth into HIPAA, and if you don’t follow, that’s where the teeth come in,” said Kirsteins, who manages over 200 terabytes of data for more than 6,000 users at her academic medical system. She also spoke on HIPAA and Joint Commission requirements and how they impact an organization’s technologyrequirements and outlined steps that other facilities can follow in order to ensure compliance.

“All these regulations mean we have to keep the data safe,” she explained. “Where you store, archive and how you access your data has to be safe, so there’s a lot of barriers.”  To begin with, Kirsteins suggested reading over the regulations, starting with the glossary of acryonms. “Read [the regulations] over even if you don’t fully understand them, ask questions, and knowing the acronyms is key,” she said.

Kirsteins said that the big question for many facilities is how long you keep data, backups and archives.  While there is not one answer across the board for all facilities--there are different rules for specialties and for keeping pediatric as opposed to adult patient information--the decision should be dictated by each facility’s general counsel and executive board.  “Always start with the largest common denominator,” Kirsteins suggested.  “You may have patients with seven-year retentions; you may have patients with 100.  You’re not going to keep data for the smallest common denominator.”

While keeping and storing data is a major concern for facilities, accessing data may be more crucial, noted Kirsteins, referring to this challenge as “keeping versus finding. You can keep your data forever and back it up all you want, but accessing it is key. You have to decide what data to archive."

In overcoming this challenge, talking with colleagues and learning how they are storing and accessing their information is a valuable tool, noted Kirsteins. “This solution doesn’t happen overnight.  Asking [colleagues] what vendors they like and building a network is a great way to get candid information.”

In addition, with healthcare facilities having less people doing more work in today’s economy, Kirsteins spoke on the value of consolidating scattered data, noting that it may help facilities cut costs.  However, despite the idea of data consolidation, keeping some data separate in different databases (having one database for children, ect.) will help facilities access patient information more quickly, as well as decide what to archive, she said.

Kirsteins noted that keeping patient data safe presents a significant challenge for  facilities, and identified seven rules that facilities must have in place in order to keep their data safe, including strong authentication; role- based privileges; superior reporting; extensive audit logging; data encryption; and secure storage.

Despite the challenge that facilities are tasked with by way of recent legislation, there are tools and processes that facilities can utilize in keeping data safe and retaining data.  Back-ups and restores are important, Kirsteins noted.  “Unless you are doubling your storage capacity, and storage is not cheap,” she said, “You are stuck with back-up tapes for a while.”  Moreover, Kirsteins said that back-ups are only as good as the last restore, and advised facilities to make multiple copies. “It’s not the backup that’s important – it’s the restore,” she said.

The process of archiving data comes with many strings attached, noted Kirsteins. “You really need to get your application vendor to work with your archiving vendor so that the database does not need to be restored,” she explained. What you archive, when the system can be purged and how far back archives should be kept are all factors that facilities must answer, noted Kirsteins.

For facilities moving towards compliance, Kirsteins stressed that the most important factors for facilities to remember are to keep everything that their general counsel and executive board says to keep, read over the regulations and always ask questions.