The Imation® InfiniVault® not only delivers significant economic benefits to healthcare organizations through its archiving of information (including the optional capability to store DICOM images), it also helps meet multiple regulatory compliance requirements—a key consideration today. The Health Insurance Portability and Accountability Act (HIPAA) is just one of the many regulations for which the InfiniVault can help automate compliance by its end users.
The Department of Health and Human Services administers HIPAA, which has two main elements: the privacy rule and the security rule. The privacy rule has many parts that relate to the handling of patient information. The privacy rule took effect in 2004, the security rule in 2005; both have significant implications for the managing and storing of computerized information.
Beginning in 2006, enforcement of these rules led to civil penalties and fines for numerous institutions. The increasing number of audits, and threats of audits, has led to a new urgency in understanding what is required of professionals in information technology in order to comply with the law.
In 2010, the HITECH Act fundamentally changed the enforcement of HIPAA and extended these penalties and liabilities to business associates – newly defined as persons and organizations that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions.
INFORMATION STORAGE REQUIREMENTS FOR HIPAA
Protected Health Information (PHI) is the term describing healthcare data that is subject to the privacy and security rules of HIPAA. There are many areas of data handling that have proscriptive rules, but the handling of PHI in computerized operations has received the most focus from an enforcement standpoint. The technical safeguards required to protect data privacy and security—and how the Imation InfiniVault helps meet these requirements—are noted in the following table:
| Requirement | Imation InfiniVault Solution |
|---|---|
| Control of access to information | Imation InfiniVault requires that authentication be established to allow authorized access to information contained within the InfiniVault archive. Passwords are required for identification and for access to administrative functions. |
| Audit trail of access | Imation InfiniVault keeps an audit trail log of every action taken on a file. The audit trail includes information about the ingestion, every subsequent access, the disk cartridges and locations where the file resides, and the retention period and actions performed. The audit trail provides a complete chain-of-custody for the PHI. |
| Media protection - availability | A minimum of two copies of the PHI are made automatically by Imation InfiniVault. Additional copies (up to a total of four) may be made. |
| Media protection - retention | Ingested files are put into independent archives within Imation InfiniVault; within the archives, multiple folders may be configured. Each folder within an archive has a retention period setting. Files will be retained until that retention period expires. |
| Media protection/integrity - protection from alteration or destruction | Imation InfiniVault stores PHI in WORM (Write Once Read Many) mode, both in the Active Archive and on the RDX® removable disk cartridges. The hardware-enforced WORM on these cartridges ensures that data cannot be altered or deleted until the retention period has expired. Additionally, a hash algorithm is performed on the data to create a unique content address that is used to verify that no data has been changed during any transmission or storage operation. |
| Media protection - encryption | Media that is removable must be encrypted to be considered protected. Imation InfiniVault encrypts all PHI that is stored on disk cartridges using an AES-256 algorithm. In addition, the InfiniVault manages all of the encryption keys, ensuring security and eliminating the need to manage them separately. |
SUMMARY
Non-compliance with HIPAA can lead to significant civil and criminal penalties for organizations such as hospitals, clinics, doctor’s offices, etc. Imation InfiniVault provides a simple, easy-to-use solution to help meet HIPAA health information regulations, while delivering significantly more cost-efficient data archiving. With the Imation InfiniVault, expense and complexity are no longer barriers to meeting today’s strict regulatory and legal requirements.