Your Legacy EHR Data is at Risk: The Case for Proactive Information Archival

Jim Yuhas

Jim Yuhas serves as chief financial officer for Legacy Data Access and operating partner for Cadrillion Capital.

Unless health IT teams become more proactive, a wide range of legal, clinical and financial consequences resulting from poor legacy data management will escalate.

Healthcare technology teams worry about managing data that’s right in front of them—in whatever server, electronic health record (EHR), radiology, financial or billing system the organization is using. With a primary focus on daily operations, conversions, integrations and system optimization, IT resources are always strained. With plenty of priorities, it’s likely they’re not thinking about legacy data, a lifetime of disparate information systems with protected health information (PHI) quietly operating in the basement.

But then, a mainframe starts overheating. Or a hard drive starts clicking. Or a lawyer subpoenas patient records for a malpractice case—and there’s a tight deadline for turnaround. In 2021, these types of data emergencies are becoming increasingly more common as legacy systems age, which is why data archiving is such a critical component to a health system’s overall data and risk management strategy.

Eleven years after passage of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which sped up the healthcare information age, healthcare data has grown exponentially. According to World Economic Forum estimates, by 2025, there will be 463 exabytes of data created each day worldwide, which is the equivalent to 2.13 million movies. Researchers estimated in 2019 that as much as 30% of the entire world's stored data is health-related (based on the yottabyte scale).

The more data we have, the greater our burden to manage it properly; or the wide range of devastating legal, clinical and financial consequences of poor legacy data management will escalate. 

Legacy Data: Understanding the Costs of Mismanagement

The mere thought of archiving data in a sensible, sustainable way — before waiting until a data emergency — is about as exciting as the idea of engaging with a legacy email account. 

Imagine logging into the email account you created in 2005, which you’ve since abandoned, in order to find an old message sent by a former colleague in 2010. The big difference is that information contained within legacy servers is likely far more critical to protect than an email thread with former colleagues sent to a legacy POP address. It’s also far more costly to protect PHI too: maintaining an operating license on a legacy system is a six-figure monthly expense for large organizations, before the consideration of indirect costs of hardware, support teams. And the consequences of abandoning that data are more severe than losing access to a 20% off Bed Bath Beyond coupon.

The data held by a healthcare system’s machines carries monetary and security risks. If a healthcare system can’t produce data within a given timeframe, it could be asked to pay steep penalties, either in the form of fines or legal settlement fees. For example: If the healthcare system’s legacy data is somehow exposed or compromised (for example, via a ransomware attack) the organization faces civil monetary fines for violating HIPAA plus significant reputational damage.

These potential consequences don’t include the avoidable duplicative costs an organization incurs every month for maintaining and licensing two or more HIPAA-complaint record sets (the old and the new).

Moreover, no financial figure can touch the clinical significance of improper data management: If a patient needs an operation, and the healthcare system can’t access critical, but dated, patient medical information, physicians could miss something big that could change the patient’s care plan—and outcomes.

Proactive Data Management

For these and other reasons, healthcare organizations shouldn’t wait until a physical, legal, or clinical “fire” before considering a better approach for managing data.

Here are four considerations when updating your data archiving strategy:

1. Simplicity. A smart data archival strategy will include extraction, backup, access, reporting, migration, streamlining, and active archiving. It’s a lot. But the right partner will simply take the reins and should put negligible weight on the healthcare IT department. For example, you should never be asked to convert or standardize your own data. Not only will this place a massive burden on your team, but the whole archival process will take weeks, if not months, longer than it should. Experience matters.

2. Security. Saving on high monthly maintenance fees is great, but almost nothing comes close to the cost of a security breach—both from fines and reputation damage. Between 2009 and 2020, there were 3,705 healthcare data breaches of 500 or more records reported to the (HHS Office for Civil Rights. When working with a prospective vendor, healthcare leaders should always inquire about an organization’s approach to protecting health information at every step of the archival process.

3. Speed. Expertise is particularly useful when it comes to data archival. Every healthcare IT department knows that the dynamics of a revenue cycle management vendor system is dramatically different from a mainframe-based system, as are the variety of internally created systems. When it comes to speed of archival, it’s smart to find a partner that’s already navigated hundreds of computing languages, not to mention departmental, operational and technical specifications. This matters when it comes to turnaround time and accuracy. If a data vendor has to subcontract with a consultant, that could cause delay and impacts the ability of an organization to quickly and efficiently shuttle their data from a legacy system to a new archival solution.

4. Access. User experience is often one of the more confusing areas of data archival. Many systems, such as EHRs and practice management systems, leverage sleek, artificial intelligence (AI)-driven portal designs to minimalize administrative burden on staff. Archival strategy is a bit different. The objective is to lower cost and risk with as little disruption as possible, often most efficiently done by mimicking the previous system, but specifically for archival use. This minimizes training and unnecessary workflow delays, as your teams enter into familiar replicas of old systems with one access point for all archived systems.

These are all things healthcare organizations should consider as they head into spring-cleaning mode and look for ways to ease operations, archive old data, and protect themselves for when a data emergency does arrive. With awareness and consideration of all the avoidable risks and costs maintaining legacy systems, organizations must prioritize their archival planning. This creates the opportunity for healthcare organizations free to focus on managing the data that’s right in front of them, instead of worrying whether a hazardous situation or PHI catastrophe will leave them scrambling.

Author Information

Jim Yuhas serves as chief financial officer for Legacy Data Access and operating partner for Cadrillion Capital. Prior to joining Cadrillion, Yuhas was at Banc of America Securities as a syndicate member on the Special Situations desk within the Global Debt platform. He has more than a decade of LBO, recapitalization and leveraged finance experience. Previously, he was a CPA with KPMG.