Geriatrix

Using LiveVault to Comply with HIPAA

Customer Challenge:
Protecting patient medical information in order to comply with the HIPAA Security Final Rule, which will take effect in April 2005.

“LiveVault is the ideal solution for us because it runs automatically, is easy to use and guarantees the recovery of our data. Plus, when HIPAA goes into effect in April 2005, we will be in compliance with the data safeguarding requirements. LiveVault already assures us that all of our patient information is safe and secure.”
Kirk Stanley, Senior Vice President and CFO, Geriatrix

HIPAA Ensures Health of Medical Data
For businesses in the health care industry, the federal government’s Health Insurance Portability and Accountability Act (HIPAA) Security Final Rule—due to take effect in April 2005—presents a real challenge. HIPAA comprises three sets of standards—transactions and code sets, privacy and security. One goal of these standards is to protect electronic protected healthcare information (EPHI) from threats of loss or disclosure. The HIPAA Security Final Rule defines specific requirements for “Covered Entities” and “Business Associates” and includes some 18 standards and 35 specifications. Arguably, eight to 10 of these specifications deal with EPHI data safeguards, backup and recovery.

While it seems obvious that EPHI should be kept safe and secure, in practice, patient data stored electronically is often at risk, due to shaky data protection methods by healthcare organizations. Currently, data protection by smaller health care companies and by remote locations of larger organizations is often done in an ad hoc fashion. Medical professionals and administrative staff who have primary job responsibilities other than in IT often conduct tape backups on a sporadic basis. The tapes are sometimes taken offsite, but more frequently are left onsite, or in an employee’s car. This lax method of data protection puts critical medical information in jeopardy.

Under HIPAA, these data protection methods need to change. The HIPAA Security Rule requires organizations to ensure the confidentiality, integrity and availability of EPHI. This means that healthcare businesses, health insurance companies, doctors’ offices, hospitals and other health-related companies will need to take a hard look at their data protection strategies and take steps to comply with HIPAA.

The Old Way of Backing Up Data Doesn’t Cut It
Geriatrix is a healthcare company based in Brentwood, Tennessee, with offices in Phoenix, Boston and New York City. The company’s core business is the medical treatment of the frail elderly, defined as those seniors living in nursing homes. The company works with healthcare plans and brings value to patients and the community by reducing costs, improving clinical outcomes and improving patient satisfaction.

Geriatrix stores important data on electronic servers at each location. This includes data such as critical patient information, health plan information, sales and marketing information, and business and operational analysis. If the company were to lose this data, it would have severe ramifications, as it would clearly disrupt Geriatrix’s ability to provide healthcare to its patients, process claims and meet its contractual obligations to its customers. Due to the nature of its business model, under the HIPAA security law, Geriatrix is considered both a “Covered Entity” and a “Business Associate,” so compliance is an absolute must.

Geriatrix already had a robust data protection plan in place at its headquarters in Tennessee. However, until recently, Geriatrix protected its data using traditional methods at its satellite locations in Phoenix and New York. At these offices, Geriatrix backed up its data to tape. The problem with this method of data protection was that the tape backups frequently did not work and required constant repair. Because, like many companies, Geriatrix did not employ IT professionals at its remote locations, this meant that a technician would often have to fly from Tennessee to perform the repairs. Even when the tape devices did work, Geriatrix still had to get them to an offsite location.

“Tape-based backup just wasn’t providing the safeguards we knew we needed, plain and simple,” said Kirk Stanley, senior vice president and CFO of Geriatrix. “We were spending a lot of money on data protection for a method that fell short of our defined requirements and required a fair amount of maintenance. We knew it was time for a change, especially in light of the new HIPAA requirements.”

LiveVault Provides Robust Data Protection
Geriatrix researched several forms of backup and recovery that would provide for simple, yet complete data protection at its remote locations, without hiring IT professionals. The solution would obviously have to comply with HIPAA as well.

Geriatrix ultimately selected the LiveVault Online Backup and Recovery Service to use at its Phoenix and New York locations. With LiveVault, Geriatrix is able to automatically and continuously back up all of its server data via an Internet connection to a secure offsite location. The data is then immediately available for recovery in the event of a virus, server crash, fire, flood or other disaster.

“LiveVault provides us with peace of mind because it operates on a continuous basis and automatically gets our data offsite,” said Stanley. “The LiveVault service allows us to protect our data at the same high level as large enterprises, but because it works automatically, we do not need to hire any staff to oversee the backup process.”

Cost-Effective Data Protection that Complies with HIPAA
Stanley says that he pays less for LiveVault than he did for backing up his data to tape and having it taken offsite three days a week. Experts recommend that data backed up to tape should get offsite every night. Even still, the failure-to-restore rates for tape are alarming. Analysts estimate up to 50 percent of all backups to tape fail to fully restore. Conversely, LiveVault offers a 100 percent guarantee on data recovery.

“Thankfully, we never had a major data disaster when we backed up to tape,” says Stanley. “If we did, it would have severe consequences for our business. Fortunately, we no longer need to worry about that because LiveVault quickly gets our data offsite and data can be immediately restored, should something go wrong.”

When Geriatrix does need to restore data, employees can log on through a Web browser, find the data they need to retrieve, and with the click of a button, the data is restored. LiveVault even enables employees to restore data from a remote server, meaning that when Stanley is in Tennessee, but there is a server crash in Phoenix, he can still have his network manager easily restore the data. Geriatrix also benefits from LiveVault’s superior customer service, which monitors all backup and restore operations, and proactively contacts customers to make sure their restores are successful.

“LiveVault is the ideal solution for us because it runs automatically, is easy to use and guarantees the recovery of our data,” said Stanley. “Plus, when HIPAA goes into effect in April 2005, we will be in compliance with the data safeguarding requirements. LiveVault already assures us that all of our patient information is safe and secure.”