In 2018, Anthem, one of the largest health benefits companies, agreed to implement corrective action and pay $16 million in a settlement with the Office for Civil Rights (OCR). This was the highest-ever HIPAA settlement, following the largest U.S. health data breach in history, which affected almost 79 million people. The total amount of fines and settlements paid to the OCR stands at almost $143 million.
Crushing costs, corrective action, and a damaged reputation: this is what a violation of the Health Insurance Portability and Accountability Act (HIPAA) looks like. A key factor in this case was the improper management of protected health information (PHI). When organizations fail to securely process, store, and dispose of this data, they expose the private information of their patients to cybercriminals, hackers, and medical identity thieves.
One of the most effective ways for health plans, healthcare providers, and healthcare clearinghouses to protect this information is to redact it from any document that does not need it. This supports the Privacy Rule's minimum necessary standard, and it also limits the damage if a document is later hacked or leaked: a record that no longer contains identifiers exposes far less.
Clearly understanding redaction’s central place in compliance begins by first answering the question of what needs to be redacted in HIPAA. The answer may be more complicated than you think.
In this article, you’ll find everything you need to know about HIPAA redaction requirements so that you can avoid financial penalties, protect your organization, and maintain the privacy of your patients’ data.
What is HIPAA redaction?
HIPAA redaction involves permanently removing PHI from documents before they are stored, transmitted, or shared with a third party, so that the information cannot be viewed or recovered by anyone who is not authorized to see it. Drawing a black box over text is not redaction unless the underlying text, image data, and metadata are removed as well.
For example, when patient records are used for research or shared outside the care team, providers must remove the identifiers that make the records individually identifiable while preserving the clinical data that has research value. Sharing documents with external vendors is another case. Vendors such as billing, coding, or IT support providers that need PHI to do their work can receive it under a business associate agreement, but only the minimum necessary: any PHI a vendor does not need for the task should be redacted before the document leaves your organization.
Redacting this data type prevents it from being used without an individual’s explicit permission. Additionally, it guards against unapproved access to personal health records by individuals or organizations.
Redaction has traditionally been done manually by trained staff, which is time-consuming and costly. This is why automated solutions are becoming increasingly popular.
PHI under HIPAA compliance
The most crucial aspect of what needs to be redacted for HIPAA is PHI: individually identifiable health information about a person's past, present, or future health condition, the care they received, or payment for that care, whether it is held on paper, electronically, or in any other form.
Organizations in healthcare are required to abide by the Privacy Rule of HIPAA, which mandates that organizations protect PHI from unauthorized access, use, or disclosure.
Identifying PHI in documents, especially longer ones, can be extremely challenging. Manually combing through extensive records to locate all instances of a multitude of different types of information requires meticulous attention to detail and a deep understanding of what constitutes PHI. Human error becomes a significant risk, as even a single missed piece of sensitive information can lead to a compliance violation.
Nonetheless, overcoming these challenges and achieving complete PHI redaction is non-negotiable. Failure to adhere can be met with hefty fines and other sanctions imposed by the Department of Health and Human Services. HIPAA punishes violations according to a four-tier structure. Violations are ranked by how much the organization knew, and could have done, to protect the information before it leaked:
- Tier 1: The organization did not know, and could not reasonably have known, of the violation
- Tier 2: The violation was due to reasonable cause, not willful neglect
- Tier 3: Willful neglect, corrected within 30 days
- Tier 4: Willful neglect, not corrected within 30 days
The statutory penalty ranges per violation (adjusted annually for inflation) are:
- Tier 1: $100 to $50,000 per violation
- Tier 2: $1,000 to $50,000 per violation
- Tier 3: $10,000 to $50,000 per violation
- Tier 4: $50,000 per violation
Each tier is also subject to an annual cap for identical violations, originally set at $1.5 million.
Accurate redaction is essential for avoiding these penalties and other negative consequences.
What needs to be redacted for HIPAA?
A broad range of PII and PHI must be redacted from documents in order to comply with HIPAA. But just what is considered PHI? The list below follows the identifiers named in the Privacy Rule's Safe Harbor de-identification standard. It covers the most important types, but the standard also names others, such as fax numbers, IP addresses, URLs, vehicle identifiers, and certificate or license numbers:
- Personal Identifiers: Names, addresses, phone numbers, email addresses, Social Security numbers.
- Medical Identifiers: Medical record numbers, health plan beneficiary numbers, and account numbers.
- Dates: All elements of dates (except the year) directly related to an individual, such as birthdates, admission and discharge dates, and date of death, plus any age over 89 (Safe Harbor aggregates these into a single "90 or older" category).
- Biometric Identifiers: Fingerprints, voiceprints, and other unique biometric data.
- Device Identifiers: Serial numbers and other unique device identifiers.
- Full Face Photographic Images: Any photographs or images that include the patient’s face.
- Geographic Data: Any geographic subdivision smaller than a state, such as street address, city, county, and ZIP code. The first three digits of a ZIP code may be kept only if the area they cover contains more than 20,000 people; otherwise they must be changed to 000.
- Any Other Unique Identifying Number, Characteristic, or Code: Any other specific data that can be used to identify an individual.
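As an added example (not part of the original article, and not Redactable's code), the following Python script applies several of the Safe Harbor rules above to a constructed, fictional patient record: it removes direct identifiers, generalizes dates to the year, aggregates ages of 90 and over, and truncates ZIP codes to three digits, then re-scans its own output so the redaction can be verified. The sample record, the regular expressions, the category names, and the `sparse_zip3` parameter are all assumptions made for illustration; the regexes are a starting point, not a complete PHI detector, and names or addresses in free text need a dictionary or NER model rather than a label-anchored pattern.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample record; every identifier in it is fictional.
SAMPLE_RECORD = (
    "Patient: Jane Doe, MRN 00482913, DOB 03/14/1931, Age 92\n"
    "Address: 742 Evergreen Terrace, Springfield, MA 01105\n"
    "Phone: (413) 555-0142  Email: jane.doe@example.com  SSN: 123-45-6789\n"
    "Admitted 2023-11-02, discharged 2023-11-09. Device serial SN-7741-XK2.\n"
)

# Identifiers that are removed outright. Order matters: the specific
# patterns run first so that, for example, an SSN is not later mistaken
# for a phone number or a ZIP code.
REMOVE_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("mrn", re.compile(r"(?<=\bMRN )\d+\b")),
    ("device_id", re.compile(r"\bSN-[A-Z0-9-]+\b")),
    # Names and addresses are only caught when they follow a known label
    # (assumed document layout); free-text names need a dictionary or NER.
    ("name", re.compile(r"(?<=\bPatient: )[A-Z][a-z]+(?: [A-Z][a-z]+)+")),
    ("address", re.compile(r"(?<=\bAddress: ).+?(?=, [A-Z]{2} \d{5}\b)")),
]

# Identifiers that Safe Harbor allows in generalized form.
DATE_PATTERNS = [
    re.compile(r"\b\d{1,2}/\d{1,2}/(?P<y>\d{4})\b"),  # MM/DD/YYYY -> YYYY
    re.compile(r"\b(?P<y>\d{4})-\d{2}-\d{2}\b"),      # YYYY-MM-DD -> YYYY
]
AGE_PATTERN = re.compile(r"\b(Age) (\d{1,3})\b(?!\+)")  # "Age 90+" is already aggregated
ZIP_PATTERN = re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b")


def redact(text: str, sparse_zip3=frozenset()) -> Tuple[str, Dict[str, int]]:
    """Return the redacted text and a count of redactions per category.

    sparse_zip3: three-digit ZIP prefixes covering 20,000 people or fewer;
    Safe Harbor requires these to become 000. HHS publishes that list from
    census data; this example leaves supplying it to the caller (assumption).
    """
    counts: Dict[str, int] = {}

    def bump(category: str, n: int = 1) -> None:
        if n:
            counts[category] = counts.get(category, 0) + n

    for category, pattern in REMOVE_PATTERNS:
        text, n = pattern.subn(f"[{category.upper()}]", text)
        bump(category, n)

    for pattern in DATE_PATTERNS:
        text, n = pattern.subn(lambda m: m.group("y"), text)
        bump("date", n)

    def age_sub(m) -> str:
        if int(m.group(2)) >= 90:  # ages over 89 are aggregated
            bump("age")
            return f"{m.group(1)} 90+"
        return m.group(0)

    text = AGE_PATTERN.sub(age_sub, text)

    def zip_sub(m) -> str:
        bump("zip")
        zip3 = "000" if m.group(1) in sparse_zip3 else m.group(1)
        return zip3 + "**"

    text = ZIP_PATTERN.sub(zip_sub, text)
    return text, counts


def residual_phi(text: str) -> List[str]:
    """Re-scan text and return the categories that still match.

    An empty list is the verification step a manual process usually skips.
    """
    found = [category for category, pattern in REMOVE_PATTERNS if pattern.search(text)]
    if any(pattern.search(text) for pattern in DATE_PATTERNS):
        found.append("date")
    if any(int(m.group(2)) >= 90 for m in AGE_PATTERN.finditer(text)):
        found.append("age")
    if ZIP_PATTERN.search(text):
        found.append("zip")
    return found


if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_RECORD)
    print(redacted)
    print(counts)
    print("residual before:", residual_phi(SAMPLE_RECORD), "after:", residual_phi(redacted))
```

Two design points carry over to any real tool: the order of rules matters when patterns overlap, and the output must be re-scanned with the same rules (plus a human review for unlabelled names), because the first pass reports what it found, not what it missed.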
The three reasons why securing sensitive medical records is so difficult
Knowing the categories of what needs to be redacted in HIPAA is only the first step toward compliant redaction. Locating this information and keeping it secure tends to be highly complex for three reasons:
- Scattered data
Firstly, data is fragmented all over modern organizations. Medical records are often distributed across various departments and locations, making them difficult to keep track of and coordinate between multiple sources.
Not only is this data frequently spread out, but it is also typically compartmentalized. All too often, organizations struggle to achieve a clear picture of their information security and document management because of walls that block access to information across departments.
- Lack of consistency
Another key challenge in redacting PHI is the fact that the various systems and software in use frequently do not communicate easily with one another. This means that important medical records can be disjointed and inconsistent, often requiring manual integration to standardize them.
For example, consider a healthcare network that acquires a smaller clinic. The smaller clinic might store critical information, like prescriptions, in a non-standardized format. When the large network attempts to use its redaction tools, these tools fail to recognize the prescriptions in the alternate formats. This leaves sensitive information exposed.
- Data breaches and cybersecurity threats
Protecting data in the healthcare industry is also challenging because it is a highly sought-after commodity in the criminal underworld. Healthcare systems are frequent targets for sophisticated cyberattacks, including ransomware, phishing, and malware, which can lead to unauthorized access to PHI. Additionally, insider threats can also pose a significant risk to data security. Employees might misuse access privileges or fall victim to social engineering attacks.
HIPAA redaction best practices
To overcome these challenges, it’s helpful to know the best practices of HIPAA redaction. Read on for a detailed breakdown of the five key processes you need to know.
1. Follow a consistent process
First, it’s important to maintain consistency to prevent errors that could lead to the exposure of sensitive information. Develop and follow standard procedures for identifying, redacting, and verifying PHI redaction. Train your staff on the importance of HIPAA compliance and the correct methods for redaction.
2. Securely dispose of original documents
HIPAA requires the secure disposal of documents containing sensitive information. Ensure that original documents containing PHI are shredded or otherwise destroyed when they are no longer needed. If you must retain the originals, protect them with physical and technical safeguards, such as locked storage, access controls, and encryption, and keep them clearly separated from the redacted copies so that an unredacted original is never shared by mistake.
3. Maintain a redaction log
Keep a log of all redaction activities, including what was redacted, who performed the redaction, and when it was done. This is important for audits and compliance verification.
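The following Python snippet is an added example (not from the original article, and not Redactable's code) of a tamper-evident redaction log of the kind described above. Each entry records who redacted which document and when, SHA-256 hashes of the original and redacted files, and a count of redactions per category, and each entry is chained to the previous one so that editing or deleting an entry is detectable on audit. The field names, the actor identifiers, and the sample documents in `demo()` are assumptions. The log stores counts and hashes only, never the redacted values themselves: a log that contains the SSNs it removed would be PHI in its own right.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: Dict) -> str:
    """Hash every field except entry_hash itself, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(log: List[Dict], original: bytes, redacted: bytes, actor: str,
                 counts: Dict[str, int], when: Optional[str] = None) -> Dict:
    """Append one redaction event and chain it to the previous entry.

    `counts` is the number of redactions per category (e.g. {"ssn": 1});
    the redacted values themselves are deliberately never stored here.
    """
    entry = {
        "seq": len(log),
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "original_sha256": sha256_hex(original),  # identifies the file that was redacted
        "redacted_sha256": sha256_hex(redacted),  # identifies the file that was produced
        "redactions": dict(sorted(counts.items())),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log: List[Dict]) -> bool:
    """True only if every entry is intact and the chain is unbroken.

    Removing entries from the tail is not detectable from the log alone;
    store the latest entry_hash somewhere the log's writers cannot reach.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if entry_digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def document_matches(entry: Dict, redacted: bytes) -> bool:
    """Check that a redacted file on disk is the one the log recorded."""
    return sha256_hex(redacted) == entry["redacted_sha256"]


def demo() -> Dict[str, bool]:
    """Constructed scenario: two redactions, then an edit and a deletion."""
    log: List[Dict] = []
    append_entry(log, b"<original 1>", b"<redacted 1>", "analyst@example.org",
                 {"ssn": 1, "date": 3}, when="2024-01-01T09:00:00+00:00")
    append_entry(log, b"<original 2>", b"<redacted 2>", "analyst@example.org",
                 {"mrn": 1}, when="2024-01-01T09:05:00+00:00")
    result = {"intact": verify_log(log)}
    log[0]["actor"] = "someone-else@example.org"  # rewrite history
    result["after_edit"] = verify_log(log)
    log[0]["actor"] = "analyst@example.org"       # restore, then drop an entry
    del log[0]
    result["after_deletion"] = verify_log(log)
    return result


if __name__ == "__main__":
    print(demo())
```

The hashes let an auditor tie a log entry to the exact file that was shared, which is what "what was redacted, who did it, and when" needs to mean in practice. The chain does not replace access control: the log still has to be append-only for its writers, and its latest hash should be anchored outside the system that produces it, or tail truncation goes unnoticed.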
4. Conduct regular audits
Periodically review your redaction processes and redacted documents to ensure ongoing compliance with HIPAA requirements. Be sure to stay informed about changes in HIPAA regulations and update your procedures as necessary.
5. Use reliable redaction tools
Manual redaction, whether for paper or electronic documents, is prone to several risks and inefficiencies, including:
- Incomplete redaction due to human error
- Overlooked metadata and hidden content: author fields, comments, revision history, and the text layer beneath a drawn-on black box in a PDF can all still be read or copied out of a document that looks redacted
- Extremely slow processing, especially for documents that are hundreds of pages long
- Lack of standardization
- Difficulty in verifying that every redaction is complete and irreversible
A far more effective option is to use an automated redaction tool with AI capabilities to automatically find and permanently redact confidential health information. This can reduce your workload significantly, streamlining your compliance efforts and protecting your patients' privacy.
Support your patients' right to privacy
Protecting sensitive data requires collaboration between patients and healthcare providers. As data breaches continue to occur, patients are becoming increasingly concerned about organizations failing to secure their confidential data. Organizations must do all they can by implementing robust security measures, data management policies, and strong redaction to protect PHI.
Looking for a HIPAA redaction tool? Redactable is here to help
Redactable is designed to securely and permanently redact sensitive medical information.
Redactable’s advanced redaction technology has been carefully engineered to deliver fast, accurate, and reliable results, all in an easy-to-use platform.
Redactable's intelligent software uses powerful artificial intelligence algorithms to identify all areas that contain confidential data – including text, images, and metadata – without any manual input from you.
Along with this, the software is fully automated and requires minimal human intervention, allowing you to effectively redact large volumes of data in a fraction of the time.
Redactable is the perfect solution for quickly and securely protecting sensitive medical information while adhering to HIPAA regulations. It offers unparalleled features, including:
- AI-Powered Redaction: Advanced AI and machine learning algorithms automatically identify sensitive information for redaction
- Optical Character Recognition (OCR): Are your medical records in paper documents? No problem! Redactable handles scanned documents by converting them into editable text with high levels of accuracy.
- Collaboration Tools: Break down information silos and let all employees collaborate on redaction. This is particularly useful on larger projects requiring input from various team members.
- Automatic Logging: Redaction actions are logged automatically, with documentation showing who redacted the document and when. This is critical for maintaining transparency and accountability.
- Easy to Use: Designed with ease-of-use in mind, Redactable allows you to redact huge documents in just a few clicks.
With our ground-breaking technology and superior customer support, we make it easy to redact documents with confidence—permanently. If you're looking for a reliable HIPAA-compliant tool, try Redactable for FREE today!