Automating Redaction of Protected Personal Health Information in the Healthcare Setting

Overwhelming responsibility continues to be placed on healthcare leaders to maintain the security of patient records. Maintaining the accuracy, privacy and control of this data is one of the most crucial roles within the care setting.

However, because of expanded enforcement of HIPAA, leaders managing the release of information (ROI) need to be more vigilant now than they have been in the past. Their processes for handling the release of protected information need to meet the requirements of the law and serve the best interest of their patients.

The rise of HIPAA and solutions to protect against unintended ROI
A significant rise in HIPAA enforcement is underway now that the regulation has matured, and enforcement action on breaches is occurring at a more rapid pace, driving healthcare leaders to increase IT spending on systems that better protect their patients' health information, according to the research firm Gartner.

Designed to protect the confidentiality and security of healthcare information, HIPAA enforcement has been lacking up to this point mostly because federal funds to support it have been limited. In 2011, however, the HHS awarded a $9.2 million contract to KPMG to launch the audit program as mandated by the HITECH Act.

The HITECH Act extended certain HIPAA security and privacy requirements and set the stage for greater enforcement, including:

  • Widening the scope of the law, requiring health information exchanges to be business associates of healthcare entities and applying HIPAA privacy and security requirements directly to the HIEs.
  • Enacting greater penalties for noncompliance.
  • Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities.
  • Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment.
  • Opening the way for enforcement by state attorneys general.

The HITECH Act also incentivizes a more aggressive pursuit of HIPAA violations, which means it's more likely healthcare organizations will be audited more regularly.

The HITECH Act and enhanced HIPAA regulation put more responsibility on health systems to protect patient information. As such, tools that automate the removal of PHI and integrate with existing technology such as electronic health records to search for and remove protected information are becoming a necessity.

Staying ahead of HIPAA requirements
The HIPAA Privacy Rule created standards to protect patients' medical records and other personal information. It applies to health plans, healthcare clearinghouses and providers that conduct certain healthcare transactions electronically. The rule also requires safeguards for protecting the privacy of patients' personal health information and limits release of information without patient authorization.

The Privacy Rule allows for two redaction methods: a formal determination by a qualified expert or the removal of specified individual identifying information, as well as the absence of actual information that could be used to identify an individual.

"Both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds," HHS states.

Removing risks associated with the release of PHI is possible with automated redaction solutions. They remove data fields like names of patients, dates of service, medication lists and other general information in the health record. The systems help save time and money and ensure HIPAA compliance during ROI for health systems.

Also, because of the HIPAA Safe Harbor standards, 18 identifiers associated with the patient, their household members, relatives and employers must be removed, including:

  • Names
  • All geographic subdivisions smaller than a state, including street addresses, cities, counties, precincts and ZIP codes
  • All elements of dates (except year)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic or code
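The pattern-detectable subset of the Safe Harbor list above, as an added example (not code from the article or from any redaction product): a Python redactor that replaces e-mail addresses, URLs, IP addresses, SSNs, phone and fax numbers, labelled medical record numbers and ZIP codes with tokens, and reduces dates to the year. The rule set, the token names, the `MRN:` label convention and the sample note are assumptions constructed for illustration; names, street addresses and cities are not handled by these patterns.

```python
import re
from collections import Counter

MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"

# (label, pattern, replacement). Order matters: URLs run before e-mail and IP
# so hostnames are consumed once; dates run before the looser digit patterns.
# Dates keep only the year; ZIP rules keep the state, as Safe Harbor permits.
RULES = [
    ("URL",   re.compile(r"\bhttps?://[^\s<>\"]*[^\s<>\".,;)]", re.I), "[URL]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("DATE",  re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-](\d{4})\b"), r"[DATE \1]"),
    ("DATE",  re.compile(rf"\b{MONTHS}\s+\d{{1,2}},?\s+(\d{{4}})\b"), r"[DATE \1]"),
    # Phone and fax numbers share one format, so they share one token.
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.]\d{4}\b"), "[PHONE]"),
    # Assumed label convention: the number follows "MRN" or "Medical Record No."
    ("MRN",   re.compile(r"\b(MRN|Medical Record (?:No\.?|Number))([:#\s]+)[A-Z0-9-]+",
                         re.I), r"\1\2[MRN]"),
    ("ZIP",   re.compile(r"\b([A-Z]{2})\s+\d{5}(?:-\d{4})?\b"), r"\1 [ZIP]"),
]

# Constructed sample note; every value is fictitious.
SAMPLE = (
    "Patient seen 03/14/2012; follow-up March 28, 2012. MRN: 00482913. "
    "SSN 123-45-6789, phone (608) 555-0142, fax 608-555-0199. "
    "Contact jdoe@example.org or https://portal.example.org/records/42. "
    "Portal login from 192.0.2.17. Mailing address ends in WI 53703-1234."
)


def redact(text):
    """Return (redacted_text, Counter of replacements per identifier type)."""
    hits = Counter()
    for label, pattern, replacement in RULES:
        text, n = pattern.subn(replacement, text)
        hits[label] += n
    return text, hits


if __name__ == "__main__":
    redacted, hits = redact(SAMPLE)
    print(redacted)
    print(dict(hits))
```

The per-type counts give a reviewer an audit trail of what was removed from each record before release.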

Additional information that should be redacted from the health record includes anything that concerns the following:

  • Adoption information of birth parents
  • Child/spouse abuse
  • Protection of minors' information
  • Behavioral health
  • Chemical/alcohol dependency
  • Reproductive health
  • HIV/AIDS status
  • Genetic information
  • Other information as required by state laws

Even though solutions exist to automate the redaction of PHI, most organizations process records manually even as health systems migrate to electronic systems in other areas.

Effectively Managing the ROI Process through Redaction
According to Gartner, healthcare organizations are scrambling to find new ways to ensure patient health records remain secure. To mitigate HIPAA infractions, healthcare providers should consider shifts in IT spending for protective technologies. As the implementation of systems such as EHRs can lead to leaner, more efficient processes in the care setting, the same can be said for automated redaction. These solutions ensure security throughout the ROI process and provide additional protection against breach.

Most healthcare organizations continue to use manual processes. This is a liability, as there's greater room for manual error. Automated redaction solutions reduce error and the need for continuous manual review of records, streamlining the overall process. Automated redaction allows for the electronic processing of ROI forms as the technology can scan forms and documents, searching for specific fields and pieces of data, removing sensitive information from the health record.

Using redaction in existing workflows reduces manual redundancy, and increases security and peace of mind for those managing the process. Because there's more federal oversight and enforcement of HIPAA — and more fear of audits and fines from healthcare leaders — those looking to stay ahead of an evolving HIPAA Privacy Rule may find value in using an electronic solution to redact personal health information.

For more than a dozen years, David Rasmussen has led Extract Systems as its president. Extract Systems provides advanced data capture and automated redaction for health systems and government agencies and municipalities. With more than 20 years' experience leading software companies, David is actively involved in the day-to-day operations of Extract Systems. Under Mr. Rasmussen's leadership, Extract Systems’ ID Shield won the Wisconsin Governor’s Best New Product Award. He is currently chairman of the Board for Accelerate Madison and serves on the Greater Madison Chamber of Commerce Business Advisory Council, where Extract Systems is based.

Copyright © 2023 Becker's Healthcare. All Rights Reserved.