What Information Should Be Redacted from Medical Records?

Data privacy in healthcare has become a hot-button issue, with firms such as Facebook coming under increasing scrutiny in the aftermath of the Cambridge Analytica scandal. Patients, or their legal representatives, have a legal right to request access to their medical records: in the US under the HIPAA Privacy Rule's right of access, and in the EU and UK under the GDPR's right of subject access. When patients, their representatives, or other third parties are given access to a record, some of its content may need to be redacted with document redaction software first. This applies in particular to information about third parties, and to information whose disclosure could cause serious harm to the patient or to others.

Healthcare Data Legislation

The FOIA (Freedom of Information Act) matters to public health practitioners for three reasons: it encourages public health advocacy, it promotes government accountability and openness, and it supports public health practice and policymaking. FOIA applies to records held by federal agencies, not to private providers, and its Exemption 6 protects "personnel and medical files and similar files" whose disclosure would constitute a clearly unwarranted invasion of personal privacy. Many states have passed their own public records laws, many with requirements similar to the federal FOIA.

The Health Insurance Portability and Accountability Act (HIPAA) sets out rules for the appropriate use and disclosure of confidential patient information in the US. Deciding which third-party information must be withheld under these rules is not a straightforward task. In the UK, the equivalent regime is the GDPR together with the Data Protection Act 2018, and the NHS has committed to giving patients full online access to their GP records by April 2020. The Information Commissioner has noted that since the GDPR came into force in May 2018, medical practices have seen a substantial rise in subject access requests (SARs), and has offered some practical tips in response: give patients online access to their records where appropriate, or supply a complete, encrypted electronic copy of the file. The Information Commissioner also points out that practices should clarify with the requester what information would satisfy the SAR, and that while the first copy must be provided free of charge, a reasonable fee may be charged for any additional copies.

The Growth of HIPAA Enforcement and Strategies to Defend Against Unintentional Release of Information (ROI)

HIPAA compliance activity has grown significantly as the law has matured and enforcement of violations has accelerated. This has pushed healthcare executives to expand IT budgets to include tools such as PDF and document redaction software that better secure their patients' health information.

Although HIPAA was written to protect the confidentiality of healthcare records, enforcement was weak for many years, largely because the federal program responsible for it was underfunded.

That changed in 2011, when HHS awarded KPMG a $9.2 million contract to start the audit program required by the HITECH Act. HITECH pushes organizations toward proactive prevention of HIPAA breaches, with higher penalties and mandatory breach notification, and it means healthcare organizations are more likely to be audited, and audited more often.

HITECH and the strengthened HIPAA rules place the responsibility for the safety of patient data squarely on health institutions. This has created a growing need for tools that automate fast, reliable redaction of PHI, whether in documents, images or video. Such tools also integrate with existing systems such as electronic health records (EHRs) to search for protected information and redact it quickly.

What Information Should Be Redacted from Medical Records?

1. Information likely to Cause Significant Harm

The GDPR requires controllers to consider carefully what information can and cannot be released. Both HIPAA and the UK rules on giving patients full electronic access to their records contain well-established exceptions. In the UK, for example, access can be restricted or withheld where it is likely to cause serious harm to the physical or mental health of the patient or another person, unless the information is already known to the patient. Under HIPAA, a licensed health care professional may deny access to information that is reasonably likely to endanger the life or physical safety of the individual or another person, and the patient is entitled to have that denial reviewed. Such cases should be rare. The clinician responsible for the patient's care must make the assessment first, and a record of that assessment must be kept. Bear in mind that information cannot be withheld simply because it might reflect badly on you or the practice, or because you think it might upset the patient.

2. Information of Third Parties

The GDPR regime (in the UK, the Data Protection Act 2018) provides another exception covering information about third parties. In the MDU's experience, GPs often ask what they should remove from a patient's records before complying with a SAR. The general starting point is that you may redact the relevant parts of the record with document redaction software, or keep documents relating to third parties separate, unless the third party has consented to disclosure.

A typical example is information disclosed in confidence by a patient's relative, without the patient present, which is nonetheless essential to the patient's clinical care.

Chapter 7 of the ICO's subject access code of practice deals with how to handle subject access requests when some of the information relates to individuals other than the data subject. The version currently on the ICO website has not yet been updated to reflect the Data Protection Act 2018, but this will be done in the near future. Every proposed redaction of third-party information needs to be considered individually; there is no blanket rule. The MDU has addressed specific questions from its members about redacting third-party information from medical reports.

3. Staying Ahead of HIPAA Requirements

The HIPAA Privacy Rule sets national standards to protect patients' medical records and other individually identifiable health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically, together with their business associates. The rule requires safeguards for the privacy of personal health information and limits its use and disclosure without the patient's authorization, subject to defined exceptions such as treatment, payment and health care operations. For de-identifying data, the Privacy Rule offers two methods: Expert Determination, in which a qualified expert formally documents that the risk of re-identification is very small, and Safe Harbor, in which eighteen specified categories of identifier are removed (names; geographic subdivisions smaller than a state; all elements of dates other than the year, and ages over 89; telephone numbers; fax numbers; e-mail addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers; device identifiers; URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic or code) and the covered entity has no actual knowledge that the remaining information could identify the individual.

“Both approaches, even if properly implemented, produce de-identified data that retains some risk of identification. While the probability is very low, it is not zero, and there is a probability that de-identified data may be connected back to the identity of the patient to whom it corresponds,” HHS says. Automated redaction tools apply these rules by removing identifying fields from the health record, such as patient names and dates of service, along with other sensitive content such as prescription lists where the release does not require it. Such systems save health systems time and money and support HIPAA compliance during release of information (ROI). Although solutions for the automatic redaction of PHI exist, most organizations still process records manually, even as other parts of the health system move to electronic workflows.
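To make the Safe Harbor method concrete, here is an added example (not code from the original article or from any redaction vendor) that applies a subset of the eighteen identifier rules to a constructed clinical note with regular expressions: dates are reduced to the year, ages over 89 collapse to "90+", a ZIP code keeps only its first three digits, and SSNs, phone and fax numbers, e-mail addresses, medical record numbers, IP addresses and URLs are removed outright. The sample note, the `[SSN]`-style placeholders and the rule set are all assumptions of this example. It deliberately does not attempt names or street addresses: those need a named-entity recogniser plus human review, and Safe Harbor additionally requires that the covered entity has no actual knowledge that the remaining data could identify the patient.

```python
"""Safe Harbor style redaction of a free-text clinical note (added example)."""
import re
from typing import Callable, Dict, List, Tuple, Union

# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient: Jane Q. Sample, DOB 03/14/1928 (age 96). MRN 00482913. SSN 123-45-6789.\n"
    "Address: 12 Elm St, Springfield, ZIP 02134. Phone (617) 555-0147, fax 617-555-0199.\n"
    "Email jane.sample@example.com. Admitted 2019-04-02, discharged 04/05/2019.\n"
    "Portal login from 203.0.113.7, see https://portal.example.org/visit/88.\n"
    "Daughter (age 61) reports confusion since 01/2019.\n"
)


def _keep_year(m: re.Match) -> str:
    # Safe Harbor: every element of a date except the year is an identifier.
    return m.group("year")


def _cap_age(m: re.Match) -> str:
    # Ages over 89 must be aggregated into a single category (here "90+").
    return m.group(0).replace(m.group("age"), "90+") if int(m.group("age")) > 89 else m.group(0)


def _zip3(m: re.Match) -> str:
    # Only the first three ZIP digits may be kept, and only if that 3-digit area
    # has more than 20,000 residents; this example assumes that check is done
    # elsewhere and simply masks the remaining digits.
    return m.group("prefix") + "XX"


# Ordered: specific patterns run first so that, e.g., an SSN is never partly
# consumed by the phone or ZIP rule. Each entry: (label, regex, replacement).
RULES: List[Tuple[str, re.Pattern, Union[str, Callable[[re.Match], str]]]] = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("url",   re.compile(r"https?://\S+?(?=[.,;:)]*(?:\s|$))"), "[URL]"),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    # US-style numbers with a separator before the last 4 digits; 10 bare digits are not matched.
    ("phone", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    ("mrn",   re.compile(r"\bMRN\s*#?\s*\d+\b"), "MRN [REDACTED]"),
    ("date",  re.compile(r"\b(?P<year>\d{4})-\d{1,2}-\d{1,2}\b"), _keep_year),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/(?P<year>\d{4})\b"), _keep_year),
    ("date",  re.compile(r"\b\d{1,2}/(?P<year>\d{4})\b"), _keep_year),
    ("age",   re.compile(r"\bage[d]?\s+(?P<age>\d{1,3})\b", re.I), _cap_age),
    ("age",   re.compile(r"\b(?P<age>\d{1,3})[- ]year[- ]old\b", re.I), _cap_age),
    ("zip",   re.compile(r"\b(?P<prefix>\d{3})\d{2}(?:-\d{4})?\b"), _zip3),
]

# Categories that must disappear completely (dates, ages and ZIPs legitimately leave digits).
FULL_REMOVAL = {"email", "url", "ip", "ssn", "phone", "mrn"}


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Apply the rules in order; return the redacted text and a per-category
    count of actual changes, which is the audit trail a release log needs."""
    counts: Dict[str, int] = {}
    for label, pattern, repl in RULES:
        def _sub(m: re.Match, _repl=repl, _label=label) -> str:
            new = _repl(m) if callable(_repl) else _repl
            if new != m.group(0):
                counts[_label] = counts.get(_label, 0) + 1
            return new
        text = pattern.sub(_sub, text)
    return text, counts


def residual_hits(text: str) -> List[str]:
    """QA pass: labels of fully-removable categories that still match the output."""
    return [label for label, pattern, _ in RULES
            if label in FULL_REMOVAL and pattern.search(text)]


if __name__ == "__main__":
    redacted, audit = redact(SAMPLE_NOTE)
    print(redacted)
    print("redactions by category:", audit)
    print("residual identifiers:", residual_hits(redacted) or "none")
```

Run as a script it prints the note with "DOB 1928 (age 90+)", "ZIP 021XX" and the placeholders, an audit count per category, and an empty residual list. The ordered rule table and the `residual_hits` re-scan are the two design points worth copying: ordering prevents one pattern from mangling another's match, and re-running the removal patterns over the output catches the case where a replacement accidentally reconstructs a matchable string.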

Effectively Controlling the ROI Cycle with Automated Redaction

Most healthcare organizations are struggling to keep patient health records safe. Providers will have to shift IT spending toward security technology to reduce HIPAA violations. Just as EHRs have led to leaner, more efficient processes in care settings, automated redaction can do the same for release of information.

These solutions reduce the risk of over-disclosure throughout the ROI process and add a layer of breach protection. Most healthcare organizations still rely on manual redaction, which is a liability because the room for human error is greater. Automated redaction reduces the chance of an error and the need to re-review records by hand, streamlining the overall process: the software scans forms and documents, searches for specific fields and data elements, and removes the sensitive information from the copy of the health record that is released. Two checks remain essential whatever tool is used. First, confirm that the redaction actually removes the underlying text and image data rather than drawing an opaque box over it; a black rectangle placed on a PDF layer can be lifted with an editor, and the text beneath it remains searchable and extractable. Second, sample the output: automated matching misses identifiers written in unexpected forms, such as a nickname in the narrative or a date spelled out in words, so a human QA pass over a sample of released records is still part of a defensible process.

Building redaction into existing workflows reduces manual effort and gives process owners better protection and greater peace of mind. With more federal scrutiny and enforcement under HIPAA, and more fear among healthcare leaders of audits and penalties, those trying to stay ahead of the evolving HIPAA Privacy Rule will find it useful to have easy-to-use redaction software for personal health details.

Public health workers in government agencies who understand the intent of FOIA and related state laws can help promote transparency and accountability by responding promptly to FOIA requests and by properly understanding the applicable exemptions, and when and how to apply them, particularly where privacy must be maintained through document, video and audio redaction. Easy-to-use redaction software goes a long way toward walking the fine line between freedom of information as envisaged by FOIA and the privacy protected by laws such as HIPAA and, in Europe, the GDPR. FOIA promotes public transparency of government records, while the privacy laws protect the sensitive personal information those records contain; together they help people of all backgrounds and viewpoints engage in policy decision-making.

The efficacy of FOIA ultimately depends both on the attitude and dedication with which agencies and their staff implement it and on the public's insistence that the law be applied in a way that fulfills its essential goal.