HIPAA fines prompt action by health care firms on data storage

The Health Information Technology for Economic and Clinical Health (HITECH) Act added teeth to HIPAA, with requirements covering data access controls, breach notification, and the storage and retrieval of patient information.

For healthcare firms holding thousands of legacy records, archiving and retaining electronic medical records has become a critical regulatory compliance issue. Businesses are concluding that it makes more sense to search, extract and purge information in a defensible manner than simply to store it and ignore it, said Jim McGann, vice president of information discovery at Index Engines. His company provides products that help organizations index, store, and retrieve data from current and legacy storage.

Storage and retrieval of data is “catching up to haunt [health care firms] in that there is a lot of liability contained in that legacy data”, McGann told Infosecurity. “Customers are remediating all the legacy data they don’t need to keep, according to HIPAA regulations, getting rid of what they don’t need and keeping what they do need”, he explained.

“Companies are going back to legacy tapes and applying the policy according to HIPAA requirements – finding sensitive data that needs to be put into a formal archive system, moving it there, and getting rid of stuff they shouldn’t have been keeping”, he said.

The first HIPAA privacy fine levied by HHS was against Cignet Health Care for failing to provide patient information requested by 41 patients. The penalties were stiff: $1.3 million for violating patients’ rights and another $3 million for obstructing the HHS investigation. The HIPAA privacy rule requires health care providers to supply a patient with a copy of his or her medical records within 30 days of the request.

Cignet gave no reason for withholding the records, but one plausible explanation is that the firm simply could not find them. A data indexing and archiving system that makes records locatable on demand could help companies avoid penalties of this kind.

“Our customers are proactively getting data from difficult sources that are on networks, discovering and indexing them, and determining what needs to be moved, encrypted, or archived. So they are using our tools…to index all that information and making it discoverable, and then applying the policy to it and taking action on it”, McGann said.
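The index-then-apply-policy workflow McGann describes (and the tape remediation described earlier: find sensitive data, move it to a formal archive, get rid of what should not have been kept) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Index Engines’ product or any code from the article. Everything in it is an assumption: the regular expressions for PHI-like identifiers (SSN, MRN, DOB) are deliberately simple, the six-year retention window is borrowed from HIPAA’s documentation-retention rule (actual medical-record retention is set by state law), the three sample files are constructed, and the policy (PHI inside the window goes to the archive, anything past the window is purged, everything else is retained) is a stand-in for whatever a real retention schedule says. The point it demonstrates is the “defensible” part: every file is hashed and its classification and action recorded in a manifest before anything is moved or deleted.

```python
"""Added example: a minimal discover -> index -> apply-policy pass over legacy files.
Hypothetical illustration, not a vendor product; PHI patterns, the retention
window and the sample data are all assumptions."""
import hashlib
import re
import tempfile
from datetime import date, datetime, timedelta, timezone
from pathlib import Path

# Assumed detectors for PHI-like identifiers (illustrative, not exhaustive).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Assumed retention window. Six years is HIPAA's figure for required policy
# documentation (45 CFR 164.316); medical-record retention itself is set by state law.
RETENTION_DAYS = 6 * 365


def classify(text):
    """Return the names of the PHI patterns found in text (empty list = none found)."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def decide(phi_types, age_days, retention_days=RETENTION_DAYS):
    """Assumed policy: anything past retention is purged; PHI inside the window
    goes to the formal archive; PHI-free, in-window files are simply retained."""
    if age_days > retention_days:
        return "purge"
    return "archive" if phi_types else "retain"


def index_tree(root, record_dates, today):
    """Index every file under root: hash it, classify it, decide the action.
    record_dates maps relative path -> record creation date (in practice read from
    metadata). The SHA-256 makes the manifest a verifiable record of what was seen."""
    entries = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        age = (today - record_dates[rel]).days
        phi = classify(data.decode("utf-8", errors="replace"))
        entries.append({"path": rel, "sha256": hashlib.sha256(data).hexdigest(),
                        "phi": phi, "age_days": age, "action": decide(phi, age)})
    return entries


def apply_policy(root, entries, archive_dir):
    """Act on the index and return the audit manifest: 'archive' moves the file into
    archive_dir, 'purge' deletes it, 'retain' leaves it. Each step is recorded with
    the hash and a timestamp so a later deletion can be shown to have followed policy."""
    manifest = []
    for e in entries:
        src = Path(root) / e["path"]
        if e["action"] == "archive":
            dst = Path(archive_dir) / e["path"]
            dst.parent.mkdir(parents=True, exist_ok=True)
            src.replace(dst)
        elif e["action"] == "purge":
            src.unlink()
        manifest.append({**e, "acted_at": datetime.now(timezone.utc).isoformat()})
    return manifest


def run_demo():
    """Constructed sample data: three legacy files of different age and content.
    Returns (manifest, files left under the legacy root, files now in the archive)."""
    today = date(2024, 1, 1)
    samples = {  # relative path -> (contents, assumed record date)
        "patients/0001.txt": ("Name: J. Doe, MRN 00123456, DOB 04/12/1970",
                              today - timedelta(days=400)),
        "patients/0002.txt": ("Discharge summary, SSN 123-45-6789",
                              today - timedelta(days=3000)),
        "admin/memo.txt": ("Cafeteria menu for March", today - timedelta(days=30)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root, archive = Path(tmp) / "legacy", Path(tmp) / "archive"
        for rel, (text, _) in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        dates = {rel: d for rel, (_, d) in samples.items()}
        manifest = apply_policy(root, index_tree(root, dates, today), archive)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
        archived = sorted(p.relative_to(archive).as_posix()
                          for p in archive.rglob("*") if p.is_file())
    return manifest, remaining, archived


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry["action"], entry["path"], entry["phi"], entry["sha256"][:12])
```

Running the demo archives the recent PHI-bearing record, purges the one that is past the assumed retention window, and leaves the PHI-free memo in place; the manifest is what an organization would keep (and, for a real system, sign and store separately from the data) to show that the purge followed a written policy rather than guesswork.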
