Know Your Industry: Databases in Health Care
Although the health care industry always has been faced with the challenge of organizing voluminous amounts of sensitive patient data, it’s been something of a latecomer to the database market. Doctors and other medical professionals were comfortable with the old-school approach, with stacks of paper documents stuffed in filing cabinets.
Gradually, health care organizations did move over to databases for a couple of reasons. One was the fact that new generations of technically savvy medical personnel came onboard, and comprehension of these solutions came more naturally to these employees.
The other was the undeniable improvement in the organization of information that databases offered. The lure of unprecedented accessibility and nearly everlasting preservation of data made the transition to these systems irresistible. It was only a matter of time.
Yet, with this shift to databases have come challenges. And without a doubt, the biggest challenge database professionals in health care have faced — and will continue to face — in this decade is compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Obviously, this copious legislation doesn’t apply solely to operation of databases. Specifically, the parts that pertain to these systems are found in the Title II Administrative Simplification (AS) provisions, which set standards regarding electronic health care transactions for “covered entities.”
Such institutions can include health plans, health care clearinghouses and health care providers. In particular, the privacy and security rules created by the Department of Health and Human Services (HHS) as required by Title II serve as a sort of mandatory set of best practices for the covered entities.
The privacy rule deals with protected health information (PHI) — that which is associated with a patient’s treatment or payment for care.
Covered entities are required to provide PHI within specific parameters related to timeliness and meticulousness. (That is, if an individual or legal institution demands certain data, the PHI must correlate to that request and be turned around relatively quickly.)
Also, these data transactions must be confidential. The security rule, which supplements the privacy rule in many ways, outlines three kinds of defenses against breaches of information: administrative, physical and technical.
For obvious reasons, the last of these has the greatest impact on database professionals.
The specifications of technical safeguards concern limiting access to computer systems, as well as securing any electronic PHI transmissions, whether they be internal or external communications. (Encryption should be used any time PHI data moves through an open network.)
Also, the systems that store PHI data must be defended from intrusion, and covered entities have to make sure patient information is not tampered with or erased.
Further, all the processes and configurations involved with these safeguards have to be clearly detailed in a written record, which in turn, must be readily available for government officials who want to check on HIPAA compliance. Additional documentation is required for risk analysis and management programs.
So, what are the implications for database professionals in the health care sector, besides wondering how they’re going to get any real work done after dealing with all this HIPAA stuff?
Well, for one thing, it’s going to require a lot more knowledge of security. Database professionals, as with most other techies, have to learn how to protect their systems from information breaches and data loss because of many different factors (internal, external, malicious, accidental, etc.).
Also, more consideration must be given to the amount and type of information stored. For example, a significant amount of tracking of database procedures is required — you’ll practically need another database to monitor how your database runs.
The main, overarching implication here, though, is that database professionals in health care (especially high-level ones) need to have a grasp of – surprise! – a subject outside their narrow technical realm.
In this case, they will have to grasp policy, as this is the primary rationale behind HIPAA: the establishment of sound database guiding principles to ensure the preservation and protection of information.