Improper Disposal of Paper Records With PHI is Still Common

JAMA recently published a study that highlighted how frequently PHI is improperly disposed of. Although the study was conducted in Canada, which is not covered by HIPAA, the findings show an important and often ignored aspect of PHI security.

The study was conducted by researchers at St. Michael’s Hospital in Toronto. They checked the recycled paperwork in five of Canada’s teaching hospitals. All five hospitals claim to have policies regarding secure disposal of documents with PHI. Recycling bins for general paperwork are separate from recycling bins for documents with PHI. Documents with sensitive information must be shredded prior to disposal.

Although the hospitals are implementing the above-mentioned document disposal policies, paperwork with protected health information (PHI) and personally identifiable information (PII) is still being placed in the wrong recycling bins. After checking the recycling bins, the researchers found 2,867 documents with PII and 1,885 documents with PHI in the general recycling bins. An inspection of all the items found:

  • 802 documents with low-sensitivity data
  • 843 documents with medium sensitivity PII
  • 1,042 documents with high sensitivity PII
  • 821 items with clinical notes, medical reports and summaries
  • 385 discarded labels with clearly visible patient identifiers
  • 340 diagnostic test results
  • 345 billing forms
  • 317 requests and communications with PII

This list of breached documents/items proves that many hospital paper records with sensitive information are still often disposed of insecurely.

According to the healthcare data breach report in February, 23% of the data breaches involved paper and film records, which resulted in the exposure of the PHI of 121,607 individuals. About 33% of data breaches in January involved paper and film records, which resulted in the exposure of the PHI of 13,513 individuals. From January 1, 2010 to December 31, 2017, 514 healthcare data breaches involved paper records. The total number of individuals affected by those breaches is 3,393,240.

Many of the data breaches involving paper records do not affect a significant number of people and are not made known to the public. Because of this, the exact number of breach incidents involving paper records and the number of affected individuals cannot be determined accurately. To address this type of privacy breach, HIPAA covered entities need to review their policies and procedures and strictly implement the required physical safeguards to ensure the security of patient PHI.