HIPAA Compliance: A Complete Guide to Medical Record Redaction

2025-12-22 · True Redact Team

The Health Insurance Portability and Accountability Act (HIPAA) sets strict requirements for protecting patient information. For healthcare providers, insurers, and their business associates, improper handling of Protected Health Information (PHI) can result in severe penalties—up to $1.5 million per violation category per year.

What is PHI?

Protected Health Information includes any individually identifiable health information. HIPAA specifically identifies 18 types of identifiers that must be removed for data to be considered de-identified:

  1. Names
  2. Geographic data smaller than a state
  3. Dates (except year) related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photographs
  18. Any other unique identifying number or code

When is Redaction Required?

Redaction is necessary when sharing medical records for:

  • Legal proceedings and litigation
  • Research and clinical studies
  • Insurance claims processing
  • Quality improvement initiatives
  • Public health reporting
  • Patient record requests (when limiting information is appropriate)

Common Redaction Mistakes

Many healthcare organizations make critical errors when redacting PHI:

  • Using black boxes that don't permanently remove data: Some PDF editors only draw a black rectangle over the text; the text object beneath it is still present in the file and can be extracted or copied
  • Missing embedded metadata: Author names, creation dates, and tracked changes often contain PHI
  • Overlooking handwritten notes: Scanned documents may contain handwritten PHI that basic tools miss
  • Inconsistent application: The same name redacted in one place but not another
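To see why the first two mistakes matter, here is an added example (not True Redact's code; the PDF bytes are a constructed, simplified sample) of the kind of pre-release check a reviewer can run: it pulls text strings and Info-dictionary metadata straight out of the file and reports identifiers that survive a visual-only redaction.

```python
import re

# Constructed sample (hand-built, trimmed to the parts that matter, not a
# conformant PDF): a black rectangle is drawn over a line of text, so it looks
# redacted, but the string before Tj and the /Author entry still carry PHI.
FAKE_REDACTED_PDF = b"""%PDF-1.4
4 0 obj << /Type /Page >>
stream
BT /F1 12 Tf 50 700 Td (Patient: Jane Doe SSN 123-45-6789) Tj ET
0 0 0 rg 45 695 260 18 re f
endstream
endobj
5 0 obj << /Author (Dr. John Smith) /Title (Visit summary) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Regexes for a few of the 18 HIPAA identifiers that have a fixed shape.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def extract_text_strings(pdf: bytes) -> list[str]:
    """Return literal strings drawn by Tj operators inside BT ... ET blocks."""
    strings = []
    for block in re.findall(rb"\bBT\b(.*?)\bET\b", pdf, re.DOTALL):
        strings += [s.decode("latin-1") for s in re.findall(rb"\(([^)]*)\)\s*Tj", block)]
    return strings

def extract_metadata(pdf: bytes) -> dict[str, str]:
    """Return string-valued entries of the document Info dictionary."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    obj = ref and re.search(rb"(?m)^" + ref.group(1) + rb" 0 obj\s*<<(.*?)>>", pdf, re.DOTALL)
    if not obj:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))}

def audit_redaction(pdf: bytes) -> dict[str, list[str]]:
    """List PHI still extractable from a supposedly redacted PDF; both lists empty means it passed."""
    findings: dict[str, list[str]] = {"text": [], "metadata": []}
    for s in extract_text_strings(pdf):  # a drawn overlay never removes these strings
        for name, pat in PHI_PATTERNS.items():
            findings["text"] += [f"{name}: {hit}" for hit in pat.findall(s)]
    for key, value in extract_metadata(pdf).items():
        if key in ("Author", "Creator", "Subject") and value.strip():  # name-bearing fields
            findings["metadata"].append(f"{key}: {value}")
    return findings
```

Real documents compress their content streams and use other text operators and encodings, so a production check should extract text and metadata with a full PDF library; the point here is that anything still extractable after "redaction" must be treated as a failed redaction, not a cosmetic one.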

Best Practices for HIPAA-Compliant Redaction

  • Use tools specifically designed for permanent redaction
  • Implement a review process before releasing documents
  • Maintain audit logs of all redaction activities
  • Train staff on proper redaction procedures
  • Consider AI-powered tools like True Redact that automatically detect all 18 HIPAA identifiers

How True Redact Helps

True Redact is designed with HIPAA compliance in mind. Our AI automatically detects all 18 HIPAA identifiers, permanently removes the underlying data (not just visual overlays), and provides audit logs for compliance documentation.