Data Migration: Is Your PACS Running Naked?

Many think of PACS data migration as something that only needs to be addressed when the decision has been made to convert from one PACS vendor to another. Yet, recent HIPAA Security requirements are an immediate regulatory driver for data migration projects and new storage management strategies.

April 20th was the deadline for compliance with the HIPAA Security Rule, although most healthcare organizations were not ready to meet the deadline to fully comply, according to survey results from the American Health Information Management Association (AHIMA) and Healthcare Information and Management Systems Society (HIMSS). (See chart "HIPAA Security: Missing the Deadline.")

Specifically, referencing the HIPAA documents (45 CFR part 164.308(a)(7)(ii)), there is a contingency plan obligation placed on the covered entities in Section (A) to establish and implement procedures to create and maintain retrievable exact copies of  electronic protected health information. Section (B) of the rule calls for a disaster recovery plan, and Section (C) calls for an emergency mode operation.

To be in compliance with the security requirements, current PACS users have the obligation to not only have the policies and procedures in place to administer the security requirements, but also to take the appropriate steps to provide for disaster recovery and business continuity.

The penalties for lack of compliance are detailed in section SEC. 1176. (a) GENERAL PENALTY: "(1) IN GENERAL. - Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000."

The recently conducted U.S. Healthcare Industry HIPAA Compliance Survey by HIMSS reports that only 9 percent of 400+ bed facilities reported being compliant and 18 percent of institutions with fewer than 400 beds said they were compliant with the security regulations. It would appear that America's hospitals are still unprepared.

For those hospitals that have been using a PACS as the primary means for diagnostic reading and have been storing images on some sort of media (MOD, DLT, AIT), this means that if a second copy of the patient image data is not available and stored in a way as to provide data recovery in the event of a disaster to the main system, then the facility is not in compliance with the HIPAA Security requirements.

How can this be, one might ask? "We have religiously been backing up our data every night," many facilities are answering. The important question is exactly what data have been backed up? In all likelihood the database which contains the patient demographic information has been backed up, but rarely have the image files been backed up. The image files have been stored on various forms of digital media and either placed on the shelf or have been stored in some type of robotic media reading device. It is rare that second copies of the original image files have been made.

What's a facility to do?

So what are some of the options that are available to current PACS users that will speed their compliance with the disaster recovery and business continuity requirements of the HIPAA Security Rule? There are four general approaches:

  1. Make backup copies on your existing system. Your existing system may have the capability to create disaster recovery copies of the disks or tapes containing image data. This may require reconfiguration or expansion of your system, generally involving additional products services from your PACS vendor. For example, it may require an additional disk or tape drive in the robotic library to accomplish the copy operation without negatively impacting the system's clinical operations. Such a project may take a number of months to complete. It addresses only disaster recovery requirements and not business continuity needs, as a destroyed PACS archive would have to be replaced before the backup tapes can be loaded into it. Check with your PACS vendor to learn if this option is available to you.
  2. Replace your PACS and migrate data to the new system. This admittedly costly option may be appropriate if your system is nearing replacement age. A new system should enable you to meet the requirements of the Security Rule, but remember that HIPAA compliance is your responsibility - not the vendor's - so don't buy a system that won't help you comply! Data must then be migrated from the old PACS to the new system, a process that can take from less than a month to more than a year, as discussed below.
  3. Copy data to a networked archive Application Service Provider.  Several firms provide services that transfer image data to secure remote data centers, delivering images on-line in the case of a breakdown of local systems. There are concerns about the business continuity aspects of such services in disaster situations, as communications are the first thing to fail in disasters. However, some of these services also can offer physical delivery of a loaded storage system to the recovering disaster site.
  4. Copy data to a separate repository. A fourth option is to copy your PACS data to a secondary repository. This could be an enterprise image repository, or a low cost second archive optimized for backup purposes.  The cost of such secondary storage could further be reduced by using lossy compression (at modest ratios), which is arguably adequate for these backup and recovery purposes.

Migrating the data

The last three options discussed above require a data migration project to copy your present image data to the new storage system. The approaches to data migration can be classified as either "conventional" or "rapid" migration.

Conventional Migration pulls data from the DICOM query/retrieve interface of the legacy PACS archive. This method has the benefit of a standard connection to the source system, but suffers from the limited speed available from the older system. Since conventional migration may take a year or more to complete, the migration appliance is usually optimized to minimize inconvenience to clinical operations during the lengthy migration period. "Smart" algorithms, using appointment schedules and registration messages from the target PACS, may enable proactive migration of patient folders, thereby reducing the workflow disruptions of slow "stat" queries.

Rapid Migration bypasses the processors and networks of the old PACS, reading image data directly from storage media of the legacy system.  Rapid migration can achieve rates up to 1 Terabyte (TB) per day. This method requires engineering specific to each type of source system, and requires specialized migration hardware to be brought in for the project.  The additional cost of this approach is offset by efficiencies of dramatically shorter project engagements.


If your PACS is running without disaster recovery backup, today is the day to start forming a plan to begin acting on nearly immediately. Delay will not only increase the likelihood of data loss, but also increase the likelihood and severity of penalties under HIPAA enforcement procedures. The best approach will depend on your circumstances, but the time to act is now.


Jim Maughan and Fred Behlen are the co-founders of Migratek ( which provides PACS data migration services. Maughan can be reached at, and Behlen can be reached at