Share this article on:
A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked.
Improper Disposal of PHI is More Common than Previously Thought
Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal.
Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) were often incorrectly placed in the bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity PII, 843 items contained PII with medium sensitivity, and 802 contained low sensitivity data.
821 items included clinical notes, summaries, and medical reports, there were 385 discarded labels with patient identifiers clearly visible, 345 billing forms, 340 diagnostic test results, and 317 requests and communications containing personally identifiable information.
The study shows that even with policies in place covering the proper disposal of paper records, sensitive information is still regularly disposed of in an insecure manner.
Improper Disposal of PHI in the United States
In February, 23% of the month’s healthcare data breaches involved paper/film records. Those breaches impacted 121,607 individuals. In January 33% of the month’s data breaches involved paper/film records. Those breaches impacted 13,513 individuals.
Overall, between January 1, 2010 and December 31, 2017, there have been 514 healthcare data breaches involving 500 or more paper records. Those breaches have impacted 3,393,240 individuals.
Breaches of Physical PHI
Patients Impacted by Breaches of Physical PHI
Improper Disposal of Paper/Films and ePHI
Patients Impacted by Improper Disposal of all Forms of PHI
Many privacy incidents involving paper records only impact a few patients and are not made public, so it is difficult to determine exactly how many incidents have occurred and how many patients have been impacted, although the Canadian study suggests these types of breaches are incredibly common.
To prevent these types of privacy breaches, HIPAA covered entities should carefully review their policies, procedures and physical safeguards for PHI and strengthen controls as appropriate.