- Despite strict laws requiring healthcare providers to secure patients’ personal information, some organizations risk privacy breaches by disposing of paper-based records in garbage and recycling bins, according to a research letter published this week in JAMA.
- The authors conducted a recycling audit of five Toronto, Ontario, teaching hospitals from November 2014 to May 2016 and found personally identifiable information (PII) and personal health information (PHI) in recycling at each of them.
- PII totaled 2,687 documents and included patient identifiers, prescriptions, test results and billing forms, among other information. Of those, 1,042 were deemed “high sensitivity," meaning they had PII and a description of their medical condition. Another 843 included the patient’s diagnosis.
The most frequent items found in recycling were clinical notes, summaries and medical reports. The majority of items were recovered at physician offices, the authors note.
The audit points out the vulnerability of patients’ information as hospitals transition to EHRs. All of the hospitals had established PHI policies, but still discarded paper documents in garbage, recycling or, for confidential information, shredding machines.
“[W]hen there is no need to maintain a paper chart, the potential for improper disposal of printed patient information may paradoxically increase,” the authors wrote. "The frequent presence of PII and PHI in recycling at these institutions indicates potential privacy breaches are not isolated, but should be expected in locations where patient information is printed and there is an option for nonconfidential paper disposal.”
In 2016, HHS’ Office for Civil Rights put healthcare organizations on notice that its regional offices would step up enforcement of minor breaches — those involving PHI of fewer than 500 people.
The audit of Toronto hospitals had some limitations, the authors note. It was limited to recycling and did not reveal whether professional staff or patients discarded the items.
Given the risk of human error, organizations should find ways to improve security of paper records. These may include eliminating alternative disposal options and keeping the printing of patient documents to a minimum.