HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Suggests Improper Disposal of PHI is Commonplace

A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked.

Improper Disposal of PHI is More Common than Previously Thought

Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal.

Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) was often incorrectly placed in the standard recycling bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity PII, 843 items contained PII with medium sensitivity, and 802 contained low sensitivity data.

821 items included clinical notes, summaries, and medical reports. There were also 385 discarded labels with patient identifiers clearly visible, 345 billing forms, 340 diagnostic test results, and 317 requests and communications containing personally identifiable information.


The study shows that even with policies in place covering the proper disposal of paper records, sensitive information is still regularly disposed of in an insecure manner.

Improper Disposal of PHI in the United States

In February, 23% of the month’s healthcare data breaches involved paper/film records. Those breaches impacted 121,607 individuals. In January, 33% of the month’s data breaches involved paper/film records. Those breaches impacted 13,513 individuals.

Overall, between January 1, 2010 and December 31, 2017, there were 514 healthcare data breaches involving 500 or more paper records. Those breaches impacted 3,393,240 individuals.

[Charts: Breaches of Physical PHI; Patients Impacted by Breaches of Physical PHI; Improper Disposal of Paper/Films and ePHI; Patients Impacted by Improper Disposal of all Forms of PHI]

Many privacy incidents involving paper records only impact a few patients and are not made public, so it is difficult to determine exactly how many incidents have occurred and how many patients have been impacted, although the Canadian study suggests these types of breaches are incredibly common.

To prevent these types of privacy breaches, HIPAA covered entities should carefully review their policies, procedures and physical safeguards for PHI and strengthen controls as appropriate.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.