A recently published study by JAMA has emphasised just how often hospitals are disposing of PHI in an unsafe manner. While the study was carried out in Canada, which is not covered by HIPAA, the findings highlight an important area of PHI security that is often overlooked.
Inadequate Disposal of PHI is Common
Experts at St. Michael’s Hospital in Toronto reviewed recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI, and separate recycling bins were supplied for general paperwork and for documents containing sensitive information. The latter were shredded before being thrown away.
Despite the document disposal policies being in place, paperwork containing personally identifiable information (PII) and personal health information (PHI) was often improperly placed in the general recycling bins. The researchers discovered 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. A total of 1,042 documents included high sensitivity PII, 843 items included PII with medium sensitivity, and 802 included low sensitivity data.
A total of 821 items included clinical notes, summaries, and medical reports. There were also 385 discarded labels with patient identifiers clearly visible, 345 billing forms, 340 diagnostic test results, and 317 requests and communications including personally identifiable information.
The study reveals that even with policies in place covering the proper disposal of paper records, sensitive information is still regularly disposed of in an unsafe manner.
Unsafe Disposal of PHI in the United States
In February, 23% of the healthcare data breaches recorded that month involved paper/film records. Those breaches affected 121,607 individuals. In January, 33% of the month’s data breaches involved paper/film records. Those breaches affected 13,513 individuals.
In total, between January 1, 2010 and December 31, 2017, there were 514 healthcare data breaches involving 500 or more paper records. Those breaches affected 3,393,240 people.
Many privacy incidents affecting paper records only impact a few patients and are not made public, so it is difficult to estimate exactly how many incidents have occurred and how many patients have been impacted, although the Canadian study suggests these sorts of breaches are incredibly common.
To prevent these types of privacy breaches, HIPAA covered entities should carefully review their policies, procedures and physical safeguards for PHI and strengthen controls as appropriate.