Information Faster Blog

HIPAA creates 4 new accountabilities for healthcare IT

The year was 1996.  The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect health insurance coverage for workers and their families when they change or lose their jobs (Title I).  It applies to healthcare providers (e.g., hospitals, dentists and physicians), payers (e.g., insurance companies), and intermediaries (e.g., clearinghouses).


The year was 2003.  HIPAA was expanded (Title II) to address patient information privacy.  The Privacy Rule applies to Protected Health Information (PHI), including paper and electronic data.  It governs the privacy of patient information and establishes regulations for the use and disclosure of PHI.


The year was 2004.  Most healthcare organizations had to be “compliant” with the Privacy Rule by this time, and HIPAA Title II was then augmented with the Security Rule.  This rule deals specifically with electronic PHI and mandates that administrative, physical, and technical safeguards be in place and demonstrable if an audit occurs.  I put “compliance” in quotes because back then (and today) there were no HIPAA police.


The year was 2005.  “Compliance” was now required for both aforementioned HIPAA rules.  The pressures were mounting on healthcare IT, as HIPAA was driving the need to have privacy and security officers on staff to mediate the rules and ensure “compliance”.  The looming question was, “Where will these roles fit in the healthcare enterprise?”  The answer was healthcare IT, a group whose primary responsibility had been the business side of the organization.  This required healthcare IT to become tightly integrated with the clinical side of the organization, and as a result four new accountabilities for healthcare IT emerged: compliance/security, access demand, explosive growth in connected devices, and data lifecycle management costs.  Historically, these four accountabilities were managed at the departmental level.


The year is 2008.  The departmental vision is still largely the perspective of healthcare IT.  But by now medical imaging growth is exploding at ~30%/year.  The majority (70-80%) of patient data is medical fixed content, but it is mixed in with transactional data in an information democracy, as I recently blogged about.  PACS adoption is close to 95% in mid-to-large hospitals and academic institutions, with many adding second and third PACS.  So what does healthcare IT need to build in order to resolve the accountability requirements?  An enterprise image storage environment.


In two weeks I’ll have a great educational resource for you to learn the specific steps that healthcare IT should take to build an enterprise storage management environment.  But for now, here’s a synopsis of what this environment must contain.  At a high level, a virtualization layer should be built that both virtualizes departmental devices and has a policy engine to enable low-cost migration of data off devices that are going obsolete.  Beneath this should be an IT business layer where the underlying storage is virtualized and where the IT business policies regarding data retention and location are mediated.  Here, transactional data should be separated from medical fixed content so that each is stored on media that aligns with its business and clinical value.  This layer also needs redundancy to ensure business continuity and disaster resiliency.
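To make the policy-engine idea concrete, here is a small worked example (added here; it is not HP's code or part of the original post). It models the IT business layer described above as a set of policies: transactional data and medical fixed content are mapped to different storage tiers, a retention period is computed per data kind, and a migration plan is produced that moves objects off devices flagged obsolete (or off a tier they have aged out of) while leaving objects past retention for disposal review rather than migrating them. The tier names, device names, retention periods, hot-window length and sample objects are all constructed assumptions for illustration; real values come from the organization's legal, compliance and clinical stakeholders.

```python
"""Toy storage policy engine for an enterprise image storage environment.

Classifies patient data objects into storage tiers, computes retention expiry,
and plans migration off obsolete devices.  All names and numbers below are
constructed for the example (assumptions), not values from any real deployment.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical tier -> device pools.  Transactional data (EHR/HL7) sits on fast
# block storage; fixed content (imaging studies) sits on a hot tier while recent
# and is moved to cheap archive media once it ages out.
TIER_DEVICES = {
    "transactional": ["san-01"],
    "fixed-hot": ["nas-images-01"],
    "fixed-archive": ["archive-01"],
}

# Retention in years per data kind (assumed values; set by policy, not by IT).
RETENTION_YEARS = {"transactional": 6, "fixed_content": 10}

# Studies younger than this stay on the hot fixed-content tier (assumed value).
HOT_WINDOW_DAYS = 365


@dataclass(frozen=True)
class DataObject:
    object_id: str
    kind: str        # "fixed_content" (e.g. a DICOM study) or "transactional"
    created: date
    device: str      # device the object currently lives on


def tier_for(obj: DataObject, today: date) -> str:
    """Map an object to the tier its business/clinical value calls for."""
    if obj.kind == "transactional":
        return "transactional"
    if obj.kind == "fixed_content":
        age_days = (today - obj.created).days
        return "fixed-hot" if age_days < HOT_WINDOW_DAYS else "fixed-archive"
    raise ValueError(f"unknown data kind: {obj.kind}")


def retention_expiry(obj: DataObject) -> date:
    """Date after which the object leaves the retention window."""
    years = RETENTION_YEARS[obj.kind]
    try:
        return obj.created.replace(year=obj.created.year + years)
    except ValueError:  # created on Feb 29 and the target year is not a leap year
        return obj.created.replace(year=obj.created.year + years, day=28)


def plan_migration(objects, obsolete_devices, today: date):
    """Return (object_id, from_device, to_device) moves.

    An object moves when its current device is obsolete or is not part of the
    tier its policy now assigns.  Objects past retention are skipped: they are
    candidates for disposal review, not for copying onto new media.
    """
    moves = []
    for obj in objects:
        if today >= retention_expiry(obj):
            continue
        target_tier = tier_for(obj, today)
        targets = [d for d in TIER_DEVICES[target_tier] if d not in obsolete_devices]
        if not targets:
            raise RuntimeError(f"no non-obsolete device available for tier {target_tier}")
        misplaced = obj.device not in TIER_DEVICES[target_tier]
        if obj.device in obsolete_devices or misplaced:
            moves.append((obj.object_id, obj.device, targets[0]))
    return moves


# Constructed sample inventory, evaluated as of the post's date.
TODAY = date(2008, 10, 24)
SAMPLE = [
    DataObject("study-001", "fixed_content", date(2008, 6, 1), "nas-images-01"),  # recent, stays put
    DataObject("study-002", "fixed_content", date(2005, 3, 15), "nas-images-01"), # aged out of hot tier
    DataObject("study-003", "fixed_content", date(2007, 1, 10), "old-pacs-01"),   # device obsolete
    DataObject("adt-4411", "transactional", date(2008, 10, 1), "old-san-00"),     # device obsolete
    DataObject("study-004", "fixed_content", date(1997, 5, 2), "old-pacs-01"),    # past retention, skipped
]
OBSOLETE = {"old-pacs-01", "old-san-00"}


def demo():
    """Migration plan for the constructed sample inventory."""
    return plan_migration(SAMPLE, OBSOLETE, TODAY)


if __name__ == "__main__":
    for object_id, src, dst in demo():
        print(f"{object_id}: {src} -> {dst}")
```

Because the policy, not the device, decides where each object lives, retiring a device is a change to the `OBSOLETE` set rather than a per-object project, which is the "technology-independent data migration" the layer is meant to enable; the retention check also keeps expired data from silently outliving its policy by riding along on every migration.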


The year will be 2009 soon.  But stay tuned because before then, in early November, HP will help you understand how you can manage those four new accountabilities and:

        Improve compliance/security with disaster resiliency and continuous access.

        Enable faster response to access demand by maximizing storage infrastructure utilization.

        Address current and future technologies to manage explosive growth in connected devices.

        Reduce data lifecycle management costs with technology-independent data migration.


10-24-2008 02:59 PM

Privacy of data in today’s world is a critically important issue.  Man & Machine, Inc. has introduced an all-in-one LCD computer privacy monitor in conjunction with 3M and Samsung.  The device is called Private Eye and helps companies protect sensitive data such as financial information or medical records.  To learn more visit
