Is your storage management process HIPAA compliant?

Beginning in April 2005, being compliant with the HIPAA security regulations turns into serious business. The question for CIOs, IT directors, and everyone charged with securing the company's network is: When the auditors come looking at your operation, will you be HIPAA compliant?

If you work in the healthcare or insurance industry, you have heard about HIPAA, the Health Insurance Portability and Accountability Act. In fact, if you work in any industry whose computer systems store and process data such as a patient's medical records number, a Social Security Number, a patient's home address or diagnosis code, you may be subject to HIPAA's security regulations.

Beginning in April 2005, being compliant with the HIPAA security regulations turns into serious business. The question for CIOs, IT directors, and everyone charged with securing the company's network is: When the auditors come looking at your operation, will you be HIPAA compliant?

To find out what HIPAA compliance means for the Information Technology Department in terms of enterprise storage management, we talked to Cass Solomon, an IT audit consultant who knows what it takes to make sure your IT Department passes the HIPAA compliance test.

Introducing the IT auditor

TECHREPUBLIC: Cass, you're a Cisco Certified Network Associate, a Certified Novell Engineer, you've had two years of law school, and you spent eight years doing telecommunications and network design consulting. That technical expertise has helped you launch a successful career as an IT audit consultant. For the record, let me say to TechRepublic readers up front that I know you, and you and I have worked together in consulting with healthcare companies to help them comply with HIPAA and Sarbanes-Oxley.

Okay, we'll cut to the chase. What does the IT department have to do to be HIPAA compliant?

SOLOMON: You back up your ePHI (electronic protected health information) incrementally, Monday through Thursday, with a full backup on Friday. You store that backup media offsite or in a fireproof safe. When asked to restore files, you comply. You have written policies regarding backups.

TECHREPUBLIC: Will that make the storage-management function HIPAA compliant?

SOLOMON: You may well be compliant–or not.

TECHREPUBLIC: Tell us what you mean. Can you give us a checklist of things we ought to be doing, storage-wise?

SOLOMON: Here are some questions that'll help you get started. What steps are you taking to ensure that stored data is kept confidential, available, and that the integrity of the data is maintained?  Do you have policies in place that, in the past, have proved sufficient to fulfill ongoing business needs?

TECHREPUBLIC: Okay, so I've formed a committee and we've written a policy that says, in so many words, "Thou shalt back up your important data in a timely manner and be able to recover it." Is that enough?

SOLOMON: Assuming you have that documentation in place, your next step in compliance will be to "prove it." What was once sufficient for the continuity of business operations is called into question in our new regulatory environment. How will you document that your policies match your procedures and what procedures should you consider?

You'll notice that peppered throughout the final HIPAA rule are references to NIST documents. The NIST 800 series of documents provide guidance for compliance with federally mandated regulations.

[EDITOR'S NOTE: NIST stands for the National Institute of Standards and Technology. Check out their Web site at]

The four qualities of HIPAA-compliant data

TECHREPUBLIC: Cass, I understand that companies are supposed to protect the privacy of the data on their systems. So why is storage management such a hot button?

SOLOMON: There are three things about data that come into play under HIPAA: integrity, availability, and confidentiality. The criticality of "always-available" health care data is integral to the delivery of quality care. Backup and storage were once considered entry-level positions with the IT industry–no more. Backup and storage are critical for diagnosis, treatment, and postmortem decision-making. In a weather or national security emergency, information that can be restored seamlessly to a point in time may make the difference in an effective health care delivery system.

TECHREPUBLIC: So how does an IT department document its ability to restore data to a point in time?

SOLOMON: Simply stated, the quantity and quality of data backed up equals what is contained on your backup media. As a daily practice, document the file size from the server to the backup media, noting discrepancies and the person responsible for the supervision of the backup. A complete archival index of application or e-mail files should be retained. If there is a problem with the backup, documentation should be retained to detail remediation and the person responsible for the remediation outcome.

TECHREPUBLIC: In other words, HIPAA means making sure you never have to say you're sorry because a backup failed.

SOLOMON: That's one way to put it. I'm just saying you have to take precautions to ensure that the media you are storing hasn't reached the end of its useful life. How do you do that? Test your backup media to ensure that what is stored can be restored. Testing your backup media on a regular basis will provide assurance that the backup media is usable, recoverable, and is not in conflict with any changes made to the underlying operating system and/or application that needs to be compatible with the ePHI.

TECHREPUBLIC: So make a backup set, then try to restore it and make sure it worked?

SOLOMON: Of course. That's what you should be doing even if you aren't subject to HIPAA. And here's another best practice when it comes to storage management. The person that validates the successful restore should not be the person that performs backups.

Implications for data retention and recoverability

TECHREPUBLIC: We've talked about backups and restores. How long do we have to store our data under HIPAA?

SOLOMON: Without the right data retention requirements, restoring legacy files can be difficult if not impossible over time. So how do you manage that risk? First, you have to sit down and write a contingency plan. You meet with those responsible for change management, configuration management, and business continuity. You find out what changes will inevitably have an impact on the availability of the ePHI information on your systems. If you're an application service provider, you're going to be held to standards that match your requirements and, under law, HIPAA requires that your vendors adhere to the same requirements of confidentiality, integrity, and availability. Make sure you review, retain, inspect, and document any non-compliance findings that conflict with your own.

TECHREPUBLIC: So are you talking about vendors that pick up backup tapes and store them twenty miles away from the corporate office?

SOLOMON: That's one example. You've got to establish and enforce a mechanism that correctly receipts what media leaves your facility and what is stored at your offsite storage facility. You should periodically review contractual agreements for offsite storage and follow up to inspect offsite storage to validate that secure and environmentally controlled off-site storage meets your needs.

So, can you pass the test?

TECHREPUBIC: Cass, you have been a most gracious interviewee. Any parting thoughts for TechRepublic readers who will have to document HIPAA compliance in their shops?

SOLOMON: You mean aside from the knowledge of "we should have been doing this all along anyway?" [laughs]

Okay, here's the great thing about compliance with HIPPA. When you document HIPAA compliance thoroughly—and that means documenting by whom, what is done, time and date of action, place of action, that sort of granular detail—that documentation goes a long way toward helping your efforts with Sarbanes-Oxley compliance.

And here's my summary in a nutshell. If you are already taking the “bare-bones” steps I've mentioned, you will need to “prove it." Procedures should match your policies and they will need to be documented. Here’s a test for managers: Do my procedures adequately answer by whom, what, when, where and how my policies were implemented? If not—a risk analysis may be in order. Construct a checklist for your procedures and ensure that it is in use. In the end, documentation of implementation and adherence to best practices will be your key to successful compliance.

Jeff Davis has been writing for TechRepublic since 1999. Cass Solomon is an IT audit consultant based in Louisville, Kentucky.


Editor's Picks