Automating the redaction process in healthcare is now a necessity.
As HIPAA is more rigorously enforced, fines and violations are likely to come at a much more regular pace than they have in the past.
Simply put, redaction technology automates the removal of protected health information (PHI) from a health record or other patient documentation. It eliminates the need for manual, black marker redaction that's been the norm.
Perhaps most important, though, is that redaction software allows health systems and their business associates to remove personal information in a timely manner and keep patients' personal information personal.
Protecting Against Unintended Release of Information (ROI)
Redaction is necessary when confidential information concerning an individual's past, present or future mental or physical condition is contained within a patient record that will be released to a third party. Protected health information must be removed from all records regardless of type, including fax, voice mail, email or data within the EHR.
The final HIPAA omnibus rule greatly increases patients' privacy protections and strengthens the government's ability to enforce the law. When releasing medical records to a third party, healthcare administrators must be more vigilant to ensure that an individual's confidential information is protected. The processes for handling the release of protected information must meet the requirements of HIPAA and what's in the interest of their patients.
Until now, HIPAA enforcement has been mostly lax because federal funds have been limited. However, in 2011 the U.S. Department of Health and Human Services (HHS) awarded a $9.2 million contract to KPMG, an audit and advisory firm, to launch the audit program as mandated by the HITECH Act.
The HITECH Act also incentivizes more aggressive pursuit of HIPAA violations, which means it's more likely that healthcare organizations will now be audited if any red flags pop up.
Given this, organizations may do well to add tools and capabilities to protect themselves from HIPAA fines and punishment. With the rise in HIPAA enforcement, healthcare leaders should consider increasing their IT spend to implement systems that better protect patients' health information, according to research firm Gartner.
The HITECH Act also extends certain HIPAA security and privacy requirements and sets the stage for greater enforcement, including:
- Widening the scope of the law, requiring health information exchanges (HIEs) to be business associates of healthcare entities and applying HIPAA privacy and security requirements directly to the HIEs
- Greater penalties for noncompliance
- Redirecting civil monetary penalties back into enforcement activities instead of into the general fund. This provides additional funds for future enforcement and incentivizes proactive enforcement activities
- Adding breach notification requirements to entities that operate personal health records or otherwise maintain personal health information for purposes other than healthcare delivery or payment
- Opening the way for enforcement by states' attorneys general
HIPAA's Redaction Requirements
The HIPAA Privacy Rule originally created standards to protect patients' medical records and other personal information. The rule applies to health plans, healthcare clearinghouses and providers that conduct certain healthcare transactions electronically. The rule also requires safeguards to protect the privacy of patients' personal health information and limits release of information without patient authorization. Specifically, the HIPAA Privacy Rule was designed to protect individually identifiable health information from being distributed publicly and in a harmful manner.
The Privacy Rule allows for two redaction methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifying information, combined with the absence of actual knowledge that the remaining information could be used to identify an individual.
According to HHS, "both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds."
Also, under the HIPAA Safe Harbor standard, 18 identifiers associated with the patient, their household members, relatives and employers must be removed, including:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP codes
- All elements of dates (except year)
- Health plan beneficiary numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers such as serial numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic or code
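The Safe Harbor method above is, at its core, a set of removal rules applied to a record. The following is an added example of what the pattern-matchable part of such a redactor looks like; it is illustrative code written for this article, not Extract Systems' product or any HHS-supplied tool. The clinical note it runs on is constructed, every value in it is invented, and the rule set covers only the identifiers from the list that have a recognizable shape (dates, ZIP codes, street addresses, phone numbers, and labeled plan, device, plate and license numbers).

```python
"""Toy Safe Harbor-style redactor for free-text clinical notes.
Example code written for this article; not a product implementation."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample note: every name, number and date here is invented.
SAMPLE_NOTE = (
    "Patient seen on 03/14/2023 at 1234 Elm St, Springfield, 62704. "
    "Member ID: HP-88213467. Follow-up scheduled for 2023-04-02. "
    "Pacemaker serial SN-4471-XQ2 checked; vehicle plate ABC-1234 noted. "
    "Call back at (217) 555-0147."
)

Rule = Tuple[str, "re.Pattern[str]", Callable[["re.Match[str]"], str]]

# Order matters: labeled and multi-part patterns run before bare-number
# patterns so a plan number is never mistaken for a ZIP code.
RULES: List[Rule] = [
    ("phone",
     re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
     lambda m: "[PHONE]"),
    # Health plan beneficiary numbers, device serials, plates, licenses:
    # keep the label (it is not PHI), drop the value.
    ("labeled_id",
     re.compile(r"(?i)\b(member id|mrn|serial(?: number| no\.?)?|plate|"
                r"license(?: no\.?)?)\b([:#\s]*)([A-Za-z0-9-]+)"),
     lambda m: f"{m.group(1)}{m.group(2)}[ID]"),
    # Dates: Safe Harbor allows the year to stay, so only the year survives.
    ("date_mdy",
     re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),
     lambda m: f"[DATE {m.group(1)}]"),
    ("date_iso",
     re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),
     lambda m: f"[DATE {m.group(1)}]"),
    # Street addresses (a geographic subdivision smaller than a state).
    ("street",
     re.compile(r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+)+"
                r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Ln|Lane)\b\.?"),
     lambda m: "[ADDRESS]"),
    ("zip",
     re.compile(r"\b\d{5}(?:-\d{4})?\b"),
     lambda m: "[ZIP]"),
]


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Apply every rule in order; return the redacted text and per-rule hit counts."""
    counts: Dict[str, int] = {}
    for name, pattern, repl in RULES:
        text, hits = pattern.subn(repl, text)
        counts[name] = hits
    return text, counts


def leftover_digit_runs(text: str) -> List[str]:
    """Post-redaction check: digit runs of five or more that survived.
    Years are four digits and are allowed, so they do not trigger review."""
    return re.findall(r"\d{5,}", text)


if __name__ == "__main__":
    cleaned, hits = redact(SAMPLE_NOTE)
    print(cleaned)
    print(hits)
    print("needs review:", leftover_digit_runs(cleaned))
```

Running it leaves the city name "Springfield" in the output: a geographic subdivision smaller than a state that no regular expression can recognize without a gazetteer or a named-entity model, and a concrete instance of why HHS says even properly applied de-identification carries residual risk. In practice the pattern pass is the first stage; a dictionary or model pass for names and places and a human review queue (seeded here by leftover_digit_runs) complete it.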
Additional information that should be redacted from the health record includes:
- Adoption information of birth parents
- Minors' protected information
- Chemical/alcohol dependency
- Other information as required by state laws
Even though solutions exist to automate the redaction of PHI, most organizations still redact records manually, even as health systems streamline repetitive, manual processes in other areas of their practices.
Effectively Managing ROI through Redaction
Healthcare organizations are scrambling to find new ways to ensure patient health records remain secure, Gartner says. Additionally, consequences for HIPAA infractions are translating into huge shifts in IT spending for technologies to mitigate risks of breach. Typically, however, organizations have, or should have, policies in place to determine when redaction is required. Healthcare facilities, health plans and business associates must routinely redact PHI and they need to know how redaction should be performed.
Just as the argument can be made for the implementation of EHRs and how they can lead to leaner and more efficient processes, the same can be said for redaction software.
Using redaction in existing workflows, such as alongside the functionality of an EHR, creates a more HIPAA-compliant environment where information is better protected from leaks. Liability is also likely reduced. And, with greater federal oversight and enforcement of HIPAA, those looking to stay ahead of an evolving HIPAA Privacy Rule may find value in an automated process to redact personal health information.
Dave Rasmussen is the president of Extract Systems.