
Healthcare and HIPAA Redaction

Share records safely by removing PHI from PDFs and preventing copy-paste recovery.

Who this is for

Hospitals, clinics, and healthcare administrators working with patient records.

Common redactions

  • Patient names and identifiers
  • Medical record numbers
  • Diagnosis details and treatment notes
  • Insurance member IDs

Why it works

  • No hidden layers that expose PHI
  • Local-only processing keeps data off servers
  • Quick verification with redaction checks

HIPAA and Protected Health Information

Under HIPAA, Protected Health Information (PHI) includes any individually identifiable health information. When sharing medical records for research, legal proceedings, or authorized third-party access, you must remove or redact PHI unless a specific exception applies.

The 18 HIPAA identifiers that typically require redaction include:

  • Names
  • Geographic data smaller than state
  • Dates (except year) related to an individual
  • Phone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle and device serial numbers
  • Web URLs and IP addresses
  • Biometric identifiers
  • Full-face photos
  • Any other unique identifying characteristic

Why Standard Redaction Fails HIPAA

A HIPAA violation doesn't require intent. If you use annotation-based "redaction" and PHI is later extracted, you've had a breach. It doesn't matter that you thought it was redacted—the data was still there.

Healthcare organizations have faced significant penalties when redacted documents were later unredacted:

  • Records shared with attorneys in malpractice cases
  • Documents provided to researchers
  • Files sent to insurance companies
  • Records transferred to other providers

In each case, black-box annotations gave false confidence that PHI was protected.

Redacting Medical Records Properly

ActuallyRedactPDF processes files entirely in your browser—PHI never leaves your computer or touches our servers. This is critical for HIPAA compliance because:

  • No data transmission: Files are processed locally using JavaScript
  • No storage: Nothing is saved anywhere except your download folder
  • True content removal: Text is eliminated, not hidden

When you redact with our tool, the PDF is converted to images before redaction, then reconstructed. The original text layer is completely destroyed.

Common Healthcare Redaction Scenarios

Research Data Sharing: De-identifying records for clinical studies requires removing all 18 HIPAA identifiers. Researchers need assurance that the data they receive cannot be re-identified.

Legal Discovery: When subpoenaed for medical records, you must produce documents but may need to redact information about other patients or privileged peer review materials.

Insurance Communications: Sharing records with insurers for claims or appeals may require redacting unrelated diagnoses or treatment information.

Patient Portals: Providing patients access to their own records may still require redaction of provider notes or third-party information.

Verification Is Mandatory

Before sharing any redacted medical document:

  • Attempt to copy-paste from under redaction boxes
  • Search for patient identifiers that should be removed
  • Run the file through our Un-Redact Checker

Given HIPAA's strict liability standard, verification isn't optional—it's essential risk management.
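The copy-paste and search checks above can be scripted. This is an added example, not ActuallyRedactPDF's code or its Un-Redact Checker: a byte-level Python check that inflates a PDF's Flate streams, counts text-showing operators, and searches for identifiers that should be gone. The sample PDFs, the helper names, and the identifier values are constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Text-showing operators: "(literal) Tj", "<hex> Tj" and "[array] TJ".
TEXT_OP_RE = re.compile(
    rb"(?:\((?:\\.|[^\\()])*\)|<[0-9A-Fa-f\s]*>)\s*Tj|\[[^\]]*\]\s*TJ")

def inflated_streams(pdf: bytes):
    """Yield every stream body, inflated when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # uncompressed or non-Flate stream: scan the bytes as-is

def check_redaction(pdf: bytes, identifiers):
    """Report residual text and identifier hits in a supposedly redacted PDF."""
    streams = list(inflated_streams(pdf))
    hits = sorted({
        ident for ident in identifiers for blob in [pdf, *streams]
        if ident.encode("utf-8") in blob or ident.encode("utf-16-be") in blob})
    # Fonts with custom encodings defeat the literal search, so any surviving
    # text operator is treated as a failure on its own.
    text_ops = sum(len(TEXT_OP_RE.findall(s)) for s in streams)
    return {"text_operators": text_ops, "has_annotations": b"/Annots" in pdf,
            "identifier_hits": hits, "passed": text_ops == 0 and not hits}

def sample_pdf(content: bytes, page_extra: bytes = b"") -> bytes:
    """Constructed, minimal PDF bytes (no xref table) for the demo only."""
    body = zlib.compress(content)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Page " + page_extra
            + b"/Contents 2 0 R >>\nendobj\n2 0 obj\n<< /Length "
            + str(len(body)).encode() + b" /Filter /FlateDecode >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")

IDENTIFIERS = ["Jane Roe", "MRN-000000"]  # constructed sample values
# Black box annotation placed over text that is still in the content stream.
ANNOTATED = sample_pdf(b"BT /F1 12 Tf 72 700 Td (Patient: Jane Roe MRN-000000) Tj ET",
                       b"/Annots [3 0 R] ")
# Page rebuilt from an image: the content stream only paints /Im0.
RASTERIZED = sample_pdf(b"q 612 0 0 792 0 0 cm /Im0 Do Q")

if __name__ == "__main__":
    for name, pdf in (("annotated", ANNOTATED), ("rasterized", RASTERIZED)):
        print(name, check_redaction(pdf, IDENTIFIERS))
```

Encrypted PDFs and streams using filters other than Flate are not decoded here, so a pass is a quick screen rather than proof that nothing remains.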

Redact these PDFs now

ActuallyRedactPDF removes text and metadata so your files are safe to share.