HIPAA compliance is much more than a mandate to digitize medical files in standard, auditable and readily accessible formats. It is also much more than centralized software combined with digital imaging and document input solutions. HIPAA compliance, at its core, is secured by the libraries of storage that will serve and archive billions of files.
What do government regulations require from health care IT professionals? What are the best solutions available for meeting those requirements in times of constrained budgets and increasing business requirements? More specifically, which technologies are best suited to help IT professionals meet those requirements while maintaining or improving committed service levels?
HIPAA compliance will require redundant array of independent disks (RAID) technology, a grouping of disk drives known as arrays that operate as one storage unit. The drives can be part of any storage system with random data access, which may include magnetic hard drives, optical storage or magnetic tapes. When the data transfer rate is an issue, the fastest hard drives (SCSI) are often used.
RAID allows lost data to be recovered; the degree of redundancy, and therefore which drive failures can be survived, is fixed in advance by the RAID level chosen.
Depending on the RAID level, an array can provide the data redundancy a secure system needs, with the added benefit of faster retrieval through multiple channels. For example, if one or a few disk drives fail, the drive(s) can typically be exchanged quickly without interrupting normal system operation, and a redundant array ensures that no data is lost when a single drive in the array fails.
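As an added illustration (not from the article or from AMCC), the following Python simulates the parity mechanism behind that recovery with in-memory "disks": a single-parity stripe layout rebuilds any one failed drive by XOR, and the same layout cannot rebuild two. Block size, disk count and the sample record are constructed values.

```python
from functools import reduce

BLOCK = 4  # bytes per block; tiny so the stripes stay readable

def xor_blocks(blocks):
    # Bytewise XOR of equal-length blocks. XOR is its own inverse, which is why
    # one parity block can regenerate any single missing block in its stripe.
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def write_raid5(data, ndisks):
    # Stripe data over ndisks with one parity block per stripe; the parity
    # position rotates across disks as in RAID 5. Disks are lists of blocks.
    per_stripe = ndisks - 1
    blocks = [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]
    disks = [[] for _ in range(ndisks)]
    for n, s in enumerate(range(0, len(blocks), per_stripe)):
        chunk = blocks[s:s + per_stripe]
        chunk += [b"\0" * BLOCK] * (per_stripe - len(chunk))   # pad a short last stripe
        data_iter, parity = iter(chunk), xor_blocks(chunk)
        for d in range(ndisks):
            disks[d].append(parity if d == n % ndisks else next(data_iter))
    return disks

def read_raid5(disks, length):
    # Reassemble the data, skipping each stripe's parity block.
    out = bytearray()
    for n, stripe in enumerate(zip(*disks)):
        out += b"".join(blk for d, blk in enumerate(stripe) if d != n % len(disks))
    return bytes(out[:length])

def rebuild_disk(disks, failed):
    # Each stripe XORs to zero, so the XOR of the survivors equals the missing block.
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]

def survives_single_failure(data, ndisks, failed):
    # Lose one disk, swap in a replacement, rebuild it, and confirm the data is exact.
    disks = write_raid5(data, ndisks)
    disks[failed] = rebuild_disk(disks, failed)
    return read_raid5(disks, len(data)) == data

def survives_double_failure(data, ndisks, f1, f2):
    # Single parity gives one equation per stripe: the XOR of the survivors is the
    # XOR of *both* missing blocks, so neither can be recovered (and RAID 0, with
    # no parity, cannot survive even one failure). Best effort: assign it to both.
    disks = write_raid5(data, ndisks)
    survivors = [d for i, d in enumerate(disks) if i not in (f1, f2)]
    disks[f1] = disks[f2] = [xor_blocks(stripe) for stripe in zip(*survivors)]
    return read_raid5(disks, len(data)) == data
```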
RAID storage provides data in readily available formats, similar to what is being done with Serial ATA (SATA).
SATA provides increased performance, data protection features such as hot plug capability, signal integrity, integration based on reduced pin count, lower voltage use requirements and improved cable and connector plants. The availability of sophisticated RAID solutions based on SATA enhances the inherent applicability of SATA to the issues of regulatory compliance, including HIPAA, and makes it a viable technology for satisfying current regulatory requirements.
In a period of flat (or shrinking) IT budgets and heightened scrutiny of medical costs, the additional HIPAA requirements for standardization, protection and "auditability" for individually identifiable health data and metadata will force health care organizations to make some difficult choices in regard to HIPAA compliance.
HIPAA requirements
HIPAA places requirements on holders of medical information to safeguard it -- and to be able to document the safeguarding of the information. The regulations specify what patient information must be kept private, how health care organizations must secure that information, and the standards for electronic communication between health care providers and insurance companies.
What's covered?
HIPAA requires health care organizations and individuals to protect a subset of individually identifiable health information, known as protected health information (PHI). The challenge for any organization is to determine whether it is required to comply with the regulations, and if so, what data falls under the requirements and must be protected. The organization must also determine what technologies should be deployed to best meet the requirements.
Organizations likely to be covered under HIPAA include health care organizations and health care-related business segments such as providers, insurance companies, claims clearinghouses and employers that self-insure workers' health benefits. These companies are referred to as covered entities and are defined as: (1) health plans, (2) health care clearinghouses and (3) health care providers who electronically transmit health information in connection with transactions. Generally, the applicable transactions concern billing and payment for services or insurance coverage (e.g., hospitals, academic medical centers, physicians' practices and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities).
HIPAA also defines hybrid entities, such as universities with teaching hospitals or employee health plans managed in-house, where a part of the entity may fall under HIPAA regulations. The organization may elect to declare itself a covered entity, in which case all data generated by the organization would fall under HIPAA. The implicit benefit to this approach from an IT perspective is that PHI can move more easily inside of the covered entity and fewer separate data protection policies are required within the organization.
The organization may also declare itself a hybrid, which means that the data created, managed and used by the parts of the organization under HIPAA must be safeguarded and audited. Additionally, if any other part of the organization requires access to PHI, it must be treated as a separate entity, and the provisions for preparing, moving and safeguarding data outside the covered entity must be invoked. This suggests additional administrative burden and multiple data retention and security policies for an already burdened IT department.
The third category under HIPAA is business associate of a covered entity. A business associate can be a person or entity who performs or assists in data analysis, claims processing or administration, utilization review or quality assurance reviews. Think of outsourced claims payment or processing, or your company's storage services provider, where your employees' accident, injury or health benefit records are stored.
Storing PHI and other sensitive data
In order to comply with HIPAA, the following general activities need to be accomplished:
- PHI must be backed up on a periodic basis.
- An audit trail must be provided for data that is backed up.
- Access to backup media must be restricted to authorized personnel.
- A backup plan and disaster recovery plan must be in place.
- Data must be "a retrievable, exact copy."
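The backup, audit-trail and exact-copy items above can be checked mechanically. The Python below is an added example, not the article's or AMCC's code: it verifies a backup against its source by SHA-256 digest, appends a hash-chained audit entry either way, and detects later edits to the trail. File names, the record layout and the operator name are constructed assumptions.

```python
import hashlib, json, os, tempfile, time
def sha256_file(path):
    # Chunked digest so a large PHI archive never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_backup(source, backup, log_path, operator):
    # Verify a bit-exact copy; append a hash-chained audit entry either way (failures too).
    prev = "0" * 64                              # chain anchor for an empty log
    if os.path.exists(log_path) and os.path.getsize(log_path):
        with open(log_path, "rb") as f:
            prev = hashlib.sha256(f.read().splitlines()[-1]).hexdigest()
    src_digest = sha256_file(source)
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "operator": operator, "source": source, "backup": backup,
             "sha256": src_digest, "verified": src_digest == sha256_file(backup),
             "prev": prev}                       # links this entry to the prior one
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def audit_chain_intact(log_path):
    # Any edit or deletion of an interior line breaks the chain; the newest line needs an external anchor.
    prev = "0" * 64
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True

def demo():
    # Constructed files: a source, an exact copy, and a copy with its last byte changed.
    d = tempfile.mkdtemp()
    src, good, bad, log = (os.path.join(d, n) for n in ("phi.dat", "ok.bak", "bad.bak", "audit.log"))
    payload = b"constructed PHI record\n" * 200
    for path, data in ((src, payload), (good, payload), (bad, payload[:-1] + b"X")):
        with open(path, "wb") as f:
            f.write(data)
    ok = record_backup(src, good, log, "op1")["verified"]
    caught = not record_backup(src, bad, log, "op1")["verified"]
    intact = audit_chain_intact(log)
    with open(log, "r+", encoding="utf-8") as f:   # now tamper with the first entry
        lines = f.read().splitlines()
        f.seek(0); f.truncate()
        f.write(lines[0].replace('"verified": true', '"verified": false') + "\n" + lines[1] + "\n")
    return ok, caught, intact, audit_chain_intact(log)
```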
Much PHI originates in a point-of-contact (POC) model and is stored in a variety of formats (e.g., DAS, NAS and SAN storage environments). PHI could originate in a field, at a secure location in a desktop application or as a record created directly to a live corporate database or to a replicated database for later aggregation. And because this information often carries critical weight in a health care setting as well as in business, it is stored on the best available equipment. The impulse is only strengthened by the pressure of regulatory compliance placed on IT officers in organizations covered by HIPAA.
The varying ways that PHI can enter a covered entity, the varying formats and record contents, the desire to store, protect and recover PHI -- all in an economic climate of flat to declining IT budgets and tightening scrutiny of medical costs -- create a strong demand for storage technology that is fast, flexible, reliable, inexpensive and scalable.
Serial ATA
One solution for addressing HIPAA is the emerging serial IO technologies currently moving into commercial applications. SATA has several characteristics that make it an appropriate technology choice to build a compliance strategy for HIPAA and other legal requirements currently in place, while responding to the normal pressures of business requirements on IT infrastructure.
Serial storage architectures support flexible configurations, enabling an assortment of system connection options that help improve system performance -- with the high availability feature set required to protect data. SATA was created to introduce technical enhancements over older technologies in the areas of hot-plug capability, signal integrity, reduced pin count, reduced power requirements and improved cable and connector plants for smaller form factor drives.
SATA is a point-to-point interface protocol, designed for improved scalability and cost savings over Fibre Channel and parallel SCSI interfaces. Each device is directly connected to the host via a dedicated link. Each device therefore has the entire bandwidth of that link to itself, and there is no interaction between devices. This means that software can be streamlined, eliminating the overhead associated with coordinating accesses between the "master" and "slave" devices sharing the same cable.
SATA architecture changes the physical interface layer only. It conforms to the ATA/ATAPI command set, which is the standard used on hundreds of millions of drives, and it maintains register and software compatibility with Parallel ATA. No device driver changes are necessary, and the SATA architecture is transparent to the basic input/output system (BIOS) and the operating system. SATA is therefore 100 percent software compatible with IDE drives, which ensures a smooth transition from the software and driver perspectives, reduces or eliminates the data migration costs associated with rewriting drives and re-qualifying software, and allows existing operating systems to work seamlessly with SATA drives.
With its potential to replace IDE hard drives in volume, it is believed that the cost of SATA drives will be on par with IDE drives, which cost one-third or less of today's SCSI or FC drives. Industry analysts currently project that two-thirds of all hard drives shipped in 2007 for multi-user applications will be serial. This equates to approximately 24 million units.
In addition to direct attachment of storage for notebooks, desktops, workstations and servers, SATA drives can be implemented as network storage with target applications, such as large data farms, imaging, video storage, near-line storage and high-performance backup, all of which could be appropriate uses in support of an organization's efforts to comply with HIPAA requirements.
The current generation of SATA runs at a data rate of 150 MB/sec, and the second generation of SATA will run at 300 MB/sec, followed by 600 MB/sec in 2007, roughly 3 years apart for each generation.
SATA enjoys support from the industry, making it a safe technology to consider for desktop, department and data center applications, whether the application is driven by business needs or regulatory requirements. The feature set available on SATA storage products delivers the type of performance and data protection that are required for enterprise-critical applications, including enclosure management, error handling/reporting, hot-plug capabilities, tagged command queuing, and dual-path capability. With all of its inherent benefits, including price, performance and scalability, SATA storage technology will be a realistic remedy to the emerging HIPAA headache.
ATA details
Parallel ATA is the primary internal storage interconnect for the desktop, connecting the host system to peripherals such as hard drives, optical drives and removable magnetic media devices.
Parallel ATA is an extension of the original parallel ATA interface introduced in the mid-1980s and maintains backward compatibility with all previous versions of this technology. The latest revision of the Parallel ATA specification accepted by the ANSI-supported INCITS T13 committee, the governing body for ATA specifications, is ATA/ATAPI-6, which supports up to 100 MB/sec data transfers. Development of the ATA/ATAPI-7 specification, an update of the parallel bus architecture that provides up to 133 MB/sec, was recently finalized.
Serial ATA is the next-generation internal storage interconnect, designed to replace parallel ATA technology. Serial ATA is the proactive evolution of the ATA interface from a parallel bus to a serial bus architecture. This architecture overcomes the electrical constraints that are making continued speed enhancements for the classic parallel ATA bus increasingly difficult. Serial ATA will be introduced at 150 MB/sec, with a roadmap already planned to 600 MB/sec, supporting up to 10 years of storage evolution based on historical trends. Though Serial ATA will not be able to directly interface with legacy Ultra ATA hardware, it will be fully compliant with the ATA protocol and thus is software compatible.
Ms. Murphy is vice president of marketing at AMCC, based in San Diego.