Redaction refers to editing a document, typically for erasing information. Redaction is often used in medical malpractice litigation to hide the identities of patients who aren't parties to the lawsuit. Materials needing editing generally do not comprise medical reports since these are unique to the patient whose case is in dispute. Instead, documents that require redaction are those that might infringe on other patients' privacy. These document types include:
- Doctor's office sign-in sheets. These are often used to infer that a doctor saw so many patients on a particular day that the doctor didn't spend enough time with the plaintiff to make a diagnosis correctly.
- Schedules which contain other patient identities. For example, a Radiology schedule sheet may be used to classify the duration a patient spent at a particular department. An operating room schedule may be used to establish whether a surgeon performed an operation on a specific day for an unusual length of time or was operating on many patients that day in an assembly line fashion resulting in negligence by the surgeon.
- Obstetrics Delivery logs. Delivery records can be used in addition to job assignment sheets to assess whether there was sufficient staffing. For instance, if many deliveries were made simultaneously, a complainant with a negative outcome may conclude that the adverse outcome was due to insufficient supervision by nurses in the delivery room.
- Staff duty rosters. Staff task sheets will describe what staff members were taking care of the complainant. If the assignment sheets indicate that a large number of patients were allocated to the staff member caring for the complainant, the complainant then concludes that the complainant was given insufficient care, resulting in an adverse outcome.
- Visitor logs require that the visitor write which patient is being visited. These are often used by the defense in nursing home cases to demonstrate family members' reluctance to visit their relatives. The defense can conclude that members of the family have started the case to obtain money and not out of patient concern.
Document redaction is a straightforward process but can still be done poorly. In PDf redaction of medical documents, it is vital to ensure that the information being removed is invisible even when the image is enlarged or viewed with a magnifying glass.
What's the best way to redact a document?
A. PDF redaction
- Create a copy of the document which you will be editing. This new copy will be your working copy. Do not redact an original document.
- Use a pair of scissors, a white correction liquid, a white correction tape, or a black permanent marker to cover the patient's name entirely and any other identifying details such as the social security number or medical record number. If you use scissors to cut out names and other identifiers, ensure that the details you delete are shredded afterward.
- At this point, if it's held to the light, the name might still show through. Create a copy of your working copy to ensure that the name isn't apparent. This copy of your working copy is the paper submitted to the counsel of the opposition.
B. Non-textual patient data
In compliance with this regulation, non-textual patient data made and used for a Specific Patient Care purpose must be stored indefinitely in the patient's medical record. All other non-textual patient data not contained in the electronic medical record must be maintained in a secure manner, which also enables timely recovery and preserves the privacy of the patient. The information must be protected and trashed, according to PHI (Protected Health Information) policies for the retention period required by law, regulation, or healthcare facility policy. In the processing of non-textual patient documents for malpractice litigation, the information manager should ensure that the files are reviewed, and any information that jeopardizes third party privacy or breaks the doctor-patient confidentiality must be edited out. This can be achieved through manual audio and video redactions or using automatic audio and video redaction software.
When clinical photos are taken, staff are required to respect patient privacy and safety. Note that if the patient demands a copy of their medical record, he can access the clinical photographs. Following the relevant manufacturer's instructions, the pictures captured on a digital camera, storage equipment, portable electronic devices memory card, or any portable computer (e.g., flash/thumb drive) must be adequately erased after proper preservation of any patient photograph or record.
Medical information is safeguarded by HIPAA (Health Insurance Portability and Accountability Act of 1996). HIPAA is a United States federal regulation that facilitates patient data privacy and provides security for patient information. With the emergence of health data breaches triggered by cyber-attacks and malware attacks on health insurers and providers, the legislation has risen more prominently in recent years.
The Health Insurance Portability and Accountability Act (HIPAA) data security regulations ensure the privacy and confidentiality of protected health information (PHI). PHI is described as personal medical information, consisting of the patient's name, social security number, address, and all of the other medical information on a patient.
What information is protected by HIPAA?
Under the Privacy Law, if a healthcare provider, insurance program, or health care clearinghouse does not create or collect the information, it is not protected. It can be accessed under applicable discovery laws. Under HIPAA, a protected organization can be an insurance plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a HIPAA transaction. Covered entities must not report PHI except when an exception exists. Employers that fund insurance benefits for the company are not included among covered entities. HIPAA regulates the use of PHI obtained from a covered institution, and employers need to make sure that such information is secured so that only the appropriate workers have access to it.
HIPAA doesn't provide a solution in case of breaches. Instead, the existing administrative procedures recommend filing a complaint. Courts may impose fines on parties who illegally reveal protected health information (PHI) in lawsuits, including penalties for breaches of ethics and the range of sanctions available under Federal Civil Procedure Rule 37. State legislation may require civil suits to be brought for breaching the law regarding the handling of state health care records.
What type of information has an exception?
Under HIPAA, a protected entity may disclose PHI in specific circumstances without the written authorization of a patient:
- when replying to an administrative subpoena, investigative request, or other regulatory demands
- when ensuring compliance to a court order, subpoena, or summons
- for hearings before the health board
- for use by law enforcement
Protected entities may share PHI to provide treatment, recommend patients for surgery, manage patient care, for billing purposes, for use in a facility directory. Providers may share PHI to prevent impending and significant public health and safety risks. If the individual being protected is involved in a lawsuit, PHI can be revealed as part of its medical care functions.
How does one access PHI?
There are three options for a contender. First, a litigant may seek an individually signed authorization to access the information. The signed approval will satisfy Section 164.508's clear HIPAA standards and any relevant state specifications. The second approach is a court order that allows access to particular medical data. Third, a litigant may file a warrant, request for evidence, or other legal action and either give the plaintiff notice of the application or enter a protective order authorized by HIPAA.
Responding to a request to access PHI
A party shall determine whether the requested information constitutes health information under HIPAA. Protected or covered entities must have processes in place to manage PHI requests. Other organizations that may be liable to some aspect of HIPAA specifications include employers and business associates that support community health care plans. Employers offering group health plans are not covered entities and do not fall under HIPAA rules. Employers must also secure the PHI they receive and should not use this data for work-related actions.
If the PHI of a client is requested, the opposing lawyers are expected to follow HIPAA protocols and seek a court order or warrant or use some legal mechanism to obtain it. All parties can enter a specified qualified protective order ensuring that the data is used for litigation purposes only. Under HIPAA, persons are not allowed to access their PHI if it was created in preparation for litigation.
HIPAA stipulates that the PHI should be returned to the individual, or deleted, after litigation. This can, however, contrast with the ethical concerns of the lawyer and his or her need for record-keeping. If data is preserved after the case ends, it must be labeled and rendered private and privileged. The lawyer must notify the covered entity that he or she will be retaining and safeguarding the information.
Most of the data collected from a patient by a healthcare provider such as demographic information, medical histories, test and laboratory results, mental health conditions, insurance information fall under Protected Health Information (PHI). PHI, sometimes referred to as personal health information, enables the healthcare provider to identify an individual and obtain a brief medical history. Confidentiality is central to the trust between the doctor and the patients and a core element of the doctor/patient relationship. However, sharing information, in appropriate circumstances, is also essential, both for patient care and for the safety of the patient and others.
Patient privacy should be protected by keeping records and other information about patients securely. Also, medical practitioners should guard against accidental disclosures. Before sharing or disclosing any identifiable information about patients, the Freedom of Information Act (FOIA) principles must be taken into account. The purpose of the disclosure must be clearly stated, and the patient's consent must be acquired while ensuring that other legal bases for disclosing patient information are met. The healthcare provider must also ensure that the documents are screened for any third-party data. As such, any information revealing the whereabouts of private individuals not otherwise involved in the lawsuits should be edited out. This can be achieved using accurate manual and automatic PDF, audio, and video redaction software. The amount of information disclosed should be minimal and to as few individuals as necessary. The people to whom the information is disclosed should be made aware that it is confidential and that they have their duty of confidentiality.