George Florentine, Executive Vice President of Engineering at Flatirons, presents 5 ways Flatirons' clients have used Application Retirement with EMC's InfoArchive to boost their ability to comply with data regulations.
#1 Facilitate Recovery Audits
Example: Large non-profit hospital network in the U.S.
What is a Recovery Audit?
A review of disbursement transactions and the related supporting data to identify and recover various forms of overpayments and under-deductions to suppliers.
Client Situation
• Patient data spread over 600+ applications, many legacy
• Legacy apps, when no longer needed, aren’t supported, may present security vulnerabilities and risk of data loss, increasing risk of compliance violations
How Application Decommissioning with InfoArchive Helps
• Consolidating 600 applications with 15 years of data into one data center
• Providing one repository with an easily accessible and unified archive
• Makes it easy to access legacy patient data to comply with RAC audits
• Reduces risk of losing legacy data on unsupported applications
#2 Enforce Capitation Agreements
Example: Leader in health benefits and services, serving 75 million people worldwide
What is a Capitation Agreement?
A healthcare plan that allows payment of a flat fee for each patient it covers. Under a capitation, an HMO or managed care organization pays a fixed amount of money for its members to the health care provider.
Client Situation
• Spending 100s of millions of $$ hosting and maintaining 100s of applications no longer needed but that had to be retained for legal reasons
• Physical hosting machines and applications themselves were decades old
• Finding people to keep the data active was difficult
How Application Decommissioning with InfoArchive Helps
• Retire three legacy systems (Healthcare Information, Explanation of Benefits, and Billing Statements) – composed of 10 specific applications – as a first phase
• Extract 8 TB of data from various databases, convert to XML, consolidate in a central InfoArchive repository
• Develop 45+ easy searches and core screens for access to data to keep in compliance
#3 Easily Produce Legal Medical Records (LMRs)
Example: Network of hospitals and primary care clinics
What is an LMR?
The documentation of patient health information that is created by a health care organization, required to prove quality of care, substantiate billing invoices, etc.
Client Situation
• Client had moved to a new Epic EMR system but was still spending significant $$ to maintain original home-grown legacy applications for legal and compliance reasons
• The EBCDIC-based mainframe systems and applications were decades old, and finding people to keep the data active was difficult
How Application Decommissioning with InfoArchive Helps
• Retire three applications (HR, Patient Information, Medical Records) as a first phase
• Convert 2.4 TB of legacy data to XML, move it to a central InfoArchive repository, integrate with Active Directory, and develop several easy searches and core screens to allow access to the data to keep the client in compliance
• Consolidate all the applications into a single, inexpensive hosting environment, all in under 5 months
#4 Enable Business Continuity After M&A
Example: Bank of Montreal (BMO) Harris
When is data continuity required?
Example: To show all lending activity for a banking customer, including lending activity that occurred prior to an acquisition.
Client Situation
• Acquisitions and mergers resulted in duplication of numerous systems, applications, and data
• PeopleSoft application cost BMO $5M+ a year to maintain
• PeopleSoft data referenced infrequently, therefore ideal for retirement
How Application Decommissioning with InfoArchive Helps
• Performed 2-week assessment to determine feasibility and scope of project
• Retired 4 PeopleSoft modules using EMC XML archiving technology, inclusive of process to export, translate, load (ETL), test and retain data
• BMO achieved $5 M savings, while providing long-term access to business-critical data for reporting and regulatory compliance
• Project executed in 3 months; project payback achieved in 4 months
#5 Easily Execute 1000s of Compliance Policies
Example: Multinational financial services organization
What makes compliance policies complex?
Global organizations may define data retention policies by geography or region. Complying with regulatory requirements to keep the policies current and apply them correctly across disparate systems is a challenge.
Client Situation
• Complex retention policy rules (5,000+)
• Difficulty applying retention rules consistently across a wide variety of application data spanning many years of operation in a global market
How Application Decommissioning with InfoArchive Helps
• InfoArchive configured to support thousands of retention policies
• Consistently applied across a diverse set of sourcing applications
• Configured to leverage customer’s use of EMC’s Isilon SmartLock clustered file system technology
• Reduced risk and financial exposure from failed audits
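The retention problem described in #5 (region-specific rules that must be applied the same way to records from many retired applications) is easier to reason about with a concrete rule-matching routine. The following is an added example, not Flatirons' or InfoArchive code: a small policy engine in which a record is matched to the most specific rule for its region and record type, a legal hold always overrides the retention clock, and a record that no rule covers is reported as an error rather than silently kept or disposed of. All rule ids, region codes, retention periods and sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    rule_id: str
    region: str        # jurisdiction the rule covers; "*" matches any region
    record_type: str   # record category it covers; "*" matches any type
    retain_years: int  # years the record must be kept after its event date


@dataclass(frozen=True)
class ArchivedRecord:
    record_id: str
    source_app: str    # the retired application the record was extracted from
    region: str
    record_type: str
    event_date: date
    legal_hold: bool = False  # an active hold always blocks disposal


def add_years(d, years):
    """Move a date forward by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def match_rule(record, rules):
    """Return the most specific rule covering the record.

    region+type beats a region-only rule, which beats a type-only rule,
    which beats the global catch-all. A record no rule covers raises,
    because an unclassified record is a compliance gap to surface."""
    candidates = [r for r in rules
                  if r.region in ("*", record.region)
                  and r.record_type in ("*", record.record_type)]
    if not candidates:
        raise LookupError(f"no retention rule covers record {record.record_id}")

    def rank(r):
        specificity = (r.region != "*") + (r.record_type != "*")
        return (specificity, r.region != "*")   # region rule wins a tie

    return max(candidates, key=rank)


def disposition(record, rules, today):
    """Return (rule_id, disposal_date, eligible_for_disposal)."""
    rule = match_rule(record, rules)
    disposal_date = add_years(record.event_date, rule.retain_years)
    eligible = (not record.legal_hold) and today >= disposal_date
    return rule.rule_id, disposal_date, eligible


def disposition_report(records, rules, today):
    """Apply the same rule set to records from every source application."""
    return {rec.record_id: disposition(rec, rules, today) for rec in records}


# Constructed rule set: a global default plus region- and type-specific overrides.
RULES = [
    RetentionRule("GLOBAL-DEFAULT", "*", "*", 7),
    RetentionRule("EU-DEFAULT", "EU", "*", 10),
    RetentionRule("TAX-ALL", "*", "tax", 10),
    RetentionRule("EU-TAX", "EU", "tax", 15),
    RetentionRule("US-BILLING", "US", "billing", 6),
]

# Constructed records from three hypothetical retired applications.
RECORDS = [
    ArchivedRecord("r1", "billing-legacy", "US", "billing", date(2015, 3, 1)),
    ArchivedRecord("r2", "billing-legacy", "EU", "billing", date(2015, 3, 1)),
    ArchivedRecord("r3", "ledger-mainframe", "EU", "tax", date(2010, 6, 30)),
    ArchivedRecord("r4", "ledger-mainframe", "US", "tax", date(2010, 6, 30),
                   legal_hold=True),
    ArchivedRecord("r5", "hr-peoplesoft", "CA", "billing", date(2012, 2, 29)),
]

if __name__ == "__main__":
    for rid, (rule_id, when, ok) in disposition_report(RECORDS, RULES, date(2024, 1, 1)).items():
        print(f"{rid}: rule={rule_id} disposal_date={when} eligible={ok}")
```

The two design points worth keeping when scaling this up to thousands of rules are the ones the engine makes explicit: the precedence order between overlapping rules is fixed in one place so every source application gets the same answer, and "no matching rule" is an error that an audit can see rather than a default that quietly applies.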
The Health Insurance Portability and Accountability Act, or HIPAA, originally known as the Kennedy-Kassebaum Bill, is a set of regulations that became law in 1996. Its purpose is to help people carry their health insurance from one company to the next, as well as streamline the movement of medical records from one health care institution to another. In addition, HIPAA created a system to recognize and enforce the rights of patients to protect the privacy of their medical records. HIPAA is a series of laws that have required health care organizations to invest time and money into training for strict compliance. Source: RecordNations.com
According to Healthcare IT News…
Since 2009, when the HIPAA breach notification requirement took effect, nearly 31.4 million people have had their protected health information compromised in privacy and security breaches. The Office for Civil Rights, the HHS division responsible for enforcing HIPAA, has levied more than $25.1 million in fines against healthcare organizations responsible for violating the privacy and security rules.
The three biggest HIPAA fines are:
1. $2.25 million – improper disposal of protected health information
A 2007 OCR investigation, launched in response to media reports on the topic, found several pharmacies were disposing of protected health information in public dumpsters. In collaboration with OCR, the Federal Trade Commission also launched an investigation. Officials determined the pharmacy chain did not have adequate policies and safeguards in place to protect patient data and dispose of it in the proper way.
2. $4.3 million – denied patient requests for their medical records
The Maryland-based health center from 2008 to 2009 denied 41 patient requests for their medical records, for which the medical group practice was fined $1.3 million. Moreover, during the investigation into allegations, the practice subsequently refused to respond to several of OCR's demands to produce the records and failed to cooperate with investigation requests, OCR officials said. For this, the practice was fined $3 million.
3. $4.8 million – ePHI made accessible on Google
An OCR investigation discovered the HIPAA breach transpired when a physician, who developed applications for the organization, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to lack of technical safeguards, server deactivation resulted in ePHI being accessible on Google. The data was so widely accessible online that the entities learned of the breach after receiving a complaint by an individual who saw the ePHI of their deceased partner, a former NYP patient, online.