Do you know tens of thousands of patient records were posted to the dark web last year?
According to NBC News, hackers published extensive patient data from different hospitals and medical centers. These files comprised tens of thousands of diagnostic test results and letters to insurers, including the personal information of patients.
In this digital era, you can now access your medical information easily with just one click. Technological advancements have produced many benefits that include easy access to health-related information, communication with healthcare providers, educating students through digital media, etc.
Along with these benefits, there are some security risks as well. Healthcare data is private.
Nobody wants his medical records to be accessed publicly!
It is our utmost responsibility to protect personal health information from third parties at all levels.
Sometimes, sharing medical records is not restricted to medical professionals and patients only; it can be shared with third parties (educational institutions, Government) for legal or research purposes.
Therefore, redaction of PHI (Protected Health Information) is necessary, and it is a requirement as per the standard Privacy Rule of HIPAA.
In this article, we will cover HIPAA redaction rules for you. We will also discuss an AI-based tool that you can use to redact PHI conveniently.
PHI Under HIPAA Compliance: An Overview
Health Insurance Portability and Accountability Act (HIPAA) is an act that was passed by the U.S. Department of Health and Human Services in 1996 and updated with the HITECH act in 2009. It provides the rules for the privacy and protection of medical records and health information of patients.
All covered entities (Health Providers, Health Plans) and business associates that collect Patient Health Information (PHI) are bound to follow the HIPAA rules. HIPAA ensures that an individual’s health information is secured.
All health information is considered PHI when it includes individual identifiers.
PHI data under HIPAA compliance could be any information in the form of:
Protected Health Information (PHI) is any health information, including demographic information, which is associated with:
Past and present physical and mental health conditions of an individual.
Provision of healthcare to the individual.
Payments for the provision of healthcare to the individual.
As per HIPAA Privacy Rule, there are 18 identifiers of PHI:
All elements of dates, including birthdates, admission and discharge dates, date of death etc.
Social Security numbers
Medical record numbers
Health Plan Beneficiary numbers
Certificate or license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Internet Protocol IP Address
Finger or voice print
Photographic Images (Not limited to Face only)
Any other characteristic that could uniquely identify the individual
Who is Bound to Follow HIPAA Privacy Rule?
All covered entities (Healthcare Providers, Health Plans and Healthcare Clearinghouses) and business associates that collect and maintain a record of Patient Health Information (PHI) are bound to follow the HIPAA rules.
HIPAA ensures that an individual’s health information is secured. Covered entities can include a person, organization or any institution. HIPAA Privacy Rule applies to the following covered entities:
The breach of the above-mentioned information is considered a HIPAA violation and is a serious crime that results in penalties.
According to American Medical Association,
“Violation of HIPAA compliance rules results in penalties ranging from min $100 to max $50,000 per violation with an annual max of $25,000 for a repeat violation.”
De-identification/Redaction Rules Under HIPAA
To prevent violations, PHI needs to be redacted before being shared with others. Redaction under HIPAA is covered in the Privacy Rule, which is responsible for regulating the use and disclosure of personal health information.
According to the Privacy Rule of HIPAA, it is termed as ”deidentification,” where you can easily hide one of the 18 identifiers of PHI.
The basic principles of the HIPAA Privacy Rule are as follows:
The rule protects all PHI, including individually identifiable health or mental health information held or shared by covered entities.
It limits the conditions under which covered entities may disclose PHI.
The covered entity is responsible to give access to individuals with their own PHI.
HIPAA Privacy Rule permits patients and medical professionals to access their medical records for treatment, payment, and health care purposes.
But this rule is not just applicable to healthcare organizations only; in fact, sometimes health records need to be shared with covered entities.
“Covered Entities” include Health plans, healthcare providers, healthcare clearinghouses, business associates, and health insurers. For example, health insurers can gain access to PHI for billing information with patients' consent ensuring that PHI is properly protected.
In certain circumstances, covered entities can use and disclose health information without patients' authorization which is as follows:
When required by federal law for public health purposes.
When required by law enforcement agencies.
For clinical research purposes.
Conducting health care operations (quality assurance, compliance monitoring).
Reporting abuse victims and violence cases.
Health oversight activities.
Judicial or administrative matters.
On account of the rules and regulations mentioned above, covered entities are held accountable for the proper handling and deidentification of personal information before disclosure. Therefore, redaction is necessary to remove personal health-related information from medical records before sharing ahead.
Redaction is a time-consuming process, so many organizations are looking for an efficient HIPAA-Compliant Redaction Tool that saves time.
VIDIZMO: As a HIPAA Compliant Redaction Tool.
Are you looking for a redaction software that is fully compliant with HIPAA Privacy Rule and fulfill all your redaction needs?
Then here is a solution for you!
VIDIZMO is a HIPAA-compliant redaction software that redacts audio recordings and videos highlighting personal health information in medical records using artificial intelligence services.
Key features of the VIDIZMO redaction tool include:
Detect and track faces and bodies and redact them automatically by using artificial intelligence.
Blur objects in images, mute or bleep audio segments, and hide specific words in documents containing PHI.
Hide sensitive PHI appearing in videos, such as names, medical records, full-face photos, etc.
Redact multiple files simultaneously.
AI-Powered redaction with manual redaction capabilities for accurate results.
It has an IDC-recognized Digital Evidence Management System* with a chain of custody, transcription, translation, and secure sharing features.
It also offers a HIPAA-Compliant Video Platform with various security features to protect PHI.
We offer much more... See all features offered in VIDIZMO Redaction Software.
If u want to buy our product, there are three ways to do so:
Standalone Redaction Tool
VIDIZMO offers simple software to upload files and quickly redact them. With the VIDIZMO HIPAA-compliant redaction tool, the process is simple and fast.
All you need to do is upload audio/video files. Our AI (Artificial Intelligence) will detect all appearing faces and objects, select the ones you want to redact, and they will be blurred throughout the video.
Video Content Management System
We have Gartner recognized Video Content Management platform with multiple features that enable end-to-end video management and streaming. You can upload videos and manage them securely here.
Learn more about EnterpriseTube.
Digital Evidence Management System
You can opt for our IDC-Recognized Digital Evidence Management System*, which enables law enforcement agencies and other organizations to store, manage, and share digital evidence collected at crime scenes through various sources like dashcams, body-worn cameras, drones, and CCTV cameras while ensuring the highest level of compliance with CJIS and FedRAMP.
All these three options are available as SaaS, or you can deploy in Azure Commercial/Government cloud or your on-premises data center.
Read More: HIPAA Compliant vs. HIPAA Ready
Do check out our detailed guide on redaction to understand the requirements under other compliances, tools available and more.
*This is about the document: IDC MarketScape: Worldwide Digital Evidence Management Solutions for Law Enforcement 2020 Vendor Assessment, #US44848219e, November 2020.