Crisis Center Intervention and Redaction
November 17, 2020 | 7 minutes read
HIPAA Redaction Standards
The Federal Department of Health and Human Services (HHS) passed the HIPAA privacy regulations in 1996 to enforce the protection of the private medical information of patients. HIPAA, or Health Insurance Portability Accountability Act, is less widely known as the Kennedy-Kassebaum Act and became a federal statute by the 104th United States Congress. Clinton followed by signing the Act into law on August 21, 1996.
HIPAA created a single set of standards to protect patients’ medical records and other personal information. The primary reasons the law was enacted were to modernize the flow of healthcare information, regulate protections for personally identifiable information (PII), give guidance on how this type of data is maintained, stored, or released, and protect both patients and health insurance agencies from fraud and theft, as well as address certain limitations on health coverage.
HIPAA applies to patient data, health plans, healthcare clearinghouses, and all medical providers that conduct specific types of healthcare transactions electronically. The rule also safeguards patient privacy and limits the release of healthcare data without patient authorization. The Privacy Rule, a particular rule within HIPAA guidelines, allows for two methods of redaction. Redaction by a qualified expert for removing specific individual identifying data and the complete absence of actual data could be used to identify a single individual. Both methods provide protection and are approved uses of redaction in health records.
The HHS states the following about these types of redaction applications. “Both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is minimal, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds.”
HHS also approves the use of automated redaction solutions to remove risks associated with the release of personal health information or PHI. These systems remove specified data fields like patient names, dates of service, lists of medications, or other diagnostic health data. These systems help save time and money, increase accuracy, and ensure complete compliance with HIPAA regulations.
Crisis Centers
Crisis Centers and hotlines are services offered to address a crisis in an individual’s life. These situations can include health and mental health counseling and referrals to additional benefits for assistance. These centers’ priority is to help individuals through their time of crisis without further exacerbating their situation. Most of these agencies, whether the patient is seen in person, by phone, or through text, collect and use personally identifiable information (PII). Since PII is data that can be used to identify an individual uniquely, specific details are considered under protection through regulations like HIPAA.
During a patient’s crisis, some PII data is asked to be voluntarily provided to the agency. These details could include but are not limited to: names, addresses, birthdates, or patient identification numbers. Many crisis centers have policies to only ask for these details to provide specific service-related activities or referrals. Due to federal regulations as medical providers, the facts that are given by the patient must be kept confidential.
The data that many crises or intervention agencies collect is primarily used to operate and improve services, contact and respond to your needs, fulfill requests for referrals or prescription services, and other health care intervention assistance. Many centers use automated processes to redact PII from stored data and determine some of the best options that may be available to provide a better quality of care and treatment. This type of automation can also select those in the most immediate need first and triage crisis services.
Substance Abuse Interventions
When a patient seeks treatment for substance abuse intervention, the Centers for Medicare and Medicaid Services apply specific codes, including diagnostic and procedural codes, that can relate directly to substance abuse. These types of codes were used in inpatient records from 2013 to 2017. The policy to redact such data came into effect with the Affordable Care Act. This coincided with the opioid epidemic increase that occurred across the US and the globe. The redaction policy caused an alteration in the numbers or estimates of the prevalence of some common chronic conditions that can co-occur with substance abuse.
In 2013 the federal regulations governing the confidentiality of drug and alcohol treatment and prevention caused a reinterpretation of redaction rules for patient records through the Centers for Medicare and Medicaid Services (CMS). After this policy change, any health care encounter that included any diagnosis or codes related to substance abuse was required to be redacted from the patient’s records. The resulting consequence created difficult-to-identify gaps in the claims data statistics.
This was more prevalent among those records related to the use of inpatient services. These data gaps made it much more difficult for the research community to understand the implications of substance abuse on health, the number of patients affected or facing difficulty with substance abuse, and to readily predict the amount of funding needed to treat patients.
In 2017, the research community breathed a sigh of relief when the Federal Substance Abuse and Mental Health Services Administration announced a change in the confidentiality rules for Substance Use Disorder within a patient’s record. Further passed regulations restored access to this type of patient data that had in previous years been redacted. Due to the stigma associated with drug abuse or a mental health diagnosis, patients were pleased that the data was redacted from their health records.
Misinformation or insecure patient records can lead to severe consequences to the patients’ lives should the data about their health problems be released publicly. Public disclosure of drug use or diagnosed mental health condition can cost individuals their jobs, education, or social standing. Many patients felt that the redaction process helped them keep their personal problems out of their physical health records.
The gap created in the data during this time frame allowed many different agencies to have skewed results during a time in history. The ACA was being dismantled, and the missing data caused future policies and protections for patients to be short-funded. The data is now fully restored in most patients’ data records; however, under the HIPAA guidelines, this medical information must be kept private and not be released without the patient’s consent.
Redaction for Protection
When faced with legal repercussions from penalties for failing to protect patients through HIPAA legislation, many healthcare leaders feel an overwhelming responsibility to maintain patient records’ security. One of the most crucial roles within the healthcare setting is maintaining the accuracy, privacy, and control of health data. Through expanded enforcement of HIPAA, those medical professionals who manage information release are now more vigilant than they have been in the past. Their processes for controlling the release of protected data must meet federal and state legislative requirements and remain available to their patients’ best interests.
HHS guides healthcare providers regarding the deidentification of personal health data. Deidentification is one of the primary approaches to protecting data. In addition to healthcare, deidentification is commonly used in communications, multimedia, biometrics, big data, cloud computing, data mining, the internet, social networks, and audio-video surveillance. The de-identification of data sets is when personal information is removed from the data, but the remaining data is left intact. It is a weaker form of anonymization, and unless the information is kept in-house and not distributed is not a guarantee of privacy for personal data.
Redaction is the process of removing data entirely. By redacting PHI, the data can be shared, distributed, or posted without the concern of releasing an individual’s PHI or identity. Many health providers use redaction as a means to protect the data of patients within their computer systems.
Automating Redaction Results
Crisis Centers and intervention records are included as part of a patient’s health record. Healthcare providers across the country process many patient records and transmit large quantities of personal health data to referred providers. These transactions are part of the daily operations of providing quality medical care. The sheer amount of these records that need to be processed or redacted for use can be staggering. Many healthcare providers continue to provide quality care to patients and keep ahead of HIPAA requirements to handle personal health data through automation.
Automated redaction software systems can be used to protect patient privacy. CaseGuard offers an automated redaction software system. When records are redacted manually, this can take hours to go through the data on one patient’s files. To save time, and money, and improve accuracy levels, medical providers turn to automatic redaction.
Automatic redaction systems, such as CaseGuard, include artificial intelligence, machine learning, and data search options. Using smart algorithms, CaseGuard provides an accurate and fast solution for both medical providers and patients. The additional resource provided by artificial intelligence improves speed, and accuracy, and allows for speedier health care options for patients when time is of the essence.