Right to Patient Privacy and Document Redaction in Medical Contexts
May 19, 2020 | 7 minutes read
Healthcare is personal. It is private, and the law helps to ensure that it stays that way. Just imagine the horror that could result if everyone’s medical records could easily be accessed. Who wants random people or their employer to know they take certain medications or have a certain condition? Given the stigma for various types of illness – particularly things like mental health – keeping a patient’s medical records private makes moral sense. And, as we noted above, it is also the law.
Laws around the protection of what is called personally-identifying information have had to evolve along with technology. As more and more of our medical information is digitized, which allows it to be shared in real time with a wide range of medical providers or other interested parties, it is more important than ever before to ensure that all sensitive information remains protected at every level of healthcare administration.
It isn’t just the sharing of medical records between different healthcare systems or medical professionals. Digital transmission brings about a whole host of new concerns about vulnerability to hacking or other breaches of security. Additionally, records may need to be shared with third parties, such as educational institutions and government departments for compliance and research purposes. Sometimes, a legal matter may also require a hospital, doctor, or health system to turn over patient records.
What Rights Do Patients Have Under HIPAA?
Before we dive into the patient protections enshrined in law by the federal government, we need to discuss the varied forms that medical records may take. When most of us think of medical records, we imagine a manila folder full of papers. This is part of it, but most certainly not all of it.
Most medical records are kept in physical and digital form. Test and other lab results are often transmitted digitally and become part of the overall health record. Many doctors take verbal notes using a recording device, which they use to enhance their reports and understanding of each patient. And many medical institutions have cameras in use either in their public areas or even in their examination rooms.
All of these things comprise a person’s overall health record. This means there is a lot more that needs to be protected, and a lot more to protecting it, than merely making sure files are securely held.
People have a legal right to privacy when it comes to their medical data. All medical providers and administrators are required, by law, to ensure that patient data remains protected and secure. The law also stipulates that if information must be shared with an outside source, such as for reasons described above, it must be properly redacted to ensure all personally identifiable information has been removed from all materials.
The Health Insurance Portability and Accountability Act, or HIPAA, is the law that, among other things, sets the standards and rules for the appropriate use and requirements for the protection of patient information. Originally enacted by Congress in 1996 under President Bill Clinton, this law has undergone several revisions to deal with changes in technology and the need for newer protections.
HIPAA allows patients to gain access to their entire medical records for their personal use. It also defines how a patient’s medical information may be shared with third-party entities.
One thing a lot of people don’t know is that their medical information can legally be shared with other entities so long as personally identifiable information is removed from all documents and other materials before it is transmitted to said third party.
This presents a whole host of potential issues that lawmakers will have to deal with in the future. The more our information is available digitally, and online, the greater the need to ensure data security and privacy. It must also be said that the more people who have access to this information, the greater the chance of a bad actor making use of said information. At present, the law requires that medical institutions, insurance providers, and any other entity that holds medical information inform users in the event of a data breach.
People might be uncomfortable with the idea that their medical information is shared so widely, but it should be noted how important this sharing truly is. This data helps to inform current and future research that can help dramatically improve health outcomes for untold numbers of people.
What Information is Protected Under HIPAA?
Under HIPAA, so-called personal health information (PHI) is protected by law. Personal information refers to any information or data that could identify an individual. This means that all medical record information shared with third parties must be fully redacted of a range of information that may be used to identify a particular individual.
Protected information includes a person’s name, address, geographical information, phone numbers, Social Security numbers, and the like. Only the state that the records come from may be identified.
Specific dates must be redacted from any information shared with third parties. Year of birth and, in some cases, the year of some procedure, event, or treatment may be provided. Any account numbers or information that pertains to a person’s financial information must be protected. Vehicle information must be redacted as well. Audio, video, and pictures may not be shared without full redaction of individual faces and any other identifying features, such as tattoos or piercings. Voice information and any biometric information may not be shared.
Who is Subject to HIPAA, and How Do They Comply?
The short answer is anyone who works in the health care system in any way, shape, or form. From doctors and nurses to administrators and billing professionals to insurance providers – all of these parties are responsible for the proper handling of medical records under HIPAA. There are severe legal and financial repercussions for failure to properly ensure that all personal health information is protected, in all forms it may take. Serious data breaches in recent years show just how important data security and privacy are, especially when it comes to someone’s health records, so anyone dealing with medical records must take this seriously.
Most commonly, a process called redaction is used to remove personal or protected information from medical records. In times past, this meant going through by hand and blacking out this information in physical records and blurring out faces in pictures or videos. Redaction is a time-consuming process that is prone to human error. Many companies now use redaction software, which utilizes machine learning and increases the efficiency of redaction while also reducing errors.
Redaction software makes it easy to thoroughly redact text and remove all personal health information from all documents, lab reports, correspondence, and the like. Many software suites also include a range of tools that allow you to edit audio and video per HIPAA regulations. This software goes beyond just a surface redaction. As many know, there is a lot of metadata that is “behind the scenes” of digital information. Redaction software also scrubs this to ensure that security cannot be breached, even by someone with technological skills. Many of these software suites redact automatically and can cut the amount of time it takes to redact a document by a considerable percentage.
Conclusion
Those who handle medical information in any way are responsible for the protection and privacy of this information. It is not only the right thing to do, but it is also the law. HIPAA was enacted to help ensure that a patient’s personal information is protected when shared with a third party and sets parameters around what types of data can or cannot be shared. No personal health information or any data that can identify an individual may be shared with a third party. While sharing information with universities, government institutions, and other research organizations is incredibly important to improving the health and treatment options for everyone, it cannot come at the expense of people’s privacy.
Proper redaction of all medical information – whether they be physical or digital documents, audio files, or footage from examinations – is imperative to following the law and avoiding the myriad of problems associated with a data breach. This process removes all information that may identify any individual while complying with information requests from the government and other institutions. Redaction software automates that process using machine learning and advanced algorithms that ensure full redaction, both front- and back-end, of all information that needs to be protected.
Manual redaction is incredibly time-consuming and leaves way too much room for human error. A data breach can dramatically impact a healthcare provider or insurance company to the point of potential failure. People need to be able to trust that their information is secure and protected, and utilizing the latest in technology to provide that peace of mind makes sense in an increasingly digitized and connected world.
This software allows for the real-time sharing of valuable information between medical providers and institutions, without putting any individual’s privacy on the line in the process. As our world continues to become more digital, people who handle medical information will have to stay ahead of the proverbial curve to ensure that all personal information remains private and secure.