A recently completed study (published in JAMA) has emphasized just how often hospitals are disposing of PHI in an unsafe fashion. While the study was completed in Canada, which is not subject to HIPAA, the results emphasize a critical area of PHI security that is often neglected.
Incorrect Destruction of PHI is More Commonplace than Previously Thought
Researchers at St. Michael’s Hospital in Toronto reviewed recycled paperwork at five teaching centers in Canada. Each of the five hospitals had policies covering the secure disposal of documents that included PHI, and separate recycling bins were supplied for general paperwork and for documents containing sensitive data. The latter were shredded before being disposed of.
Despite the document disposal procedures, paperwork containing personally identifiable information (PII) and personal health information (PHI) was often placed in the wrong bins. The researchers found 2,867 documents containing PII and 1,885 items incorporating personally identifiable health information in the standard recycling bins. 1,042 documents included high sensitivity PII, 843 items contained PII with medium sensitivity, and 802 contained minimal sensitivity data.
821 items included clinical comments, summaries, and medical reports. There were also 385 discarded labels with clearly legible patient identifiers, 345 billing paperwork items, 340 diagnostic test results, and 317 requests and communications containing personally identifiable data.
The study reveals that even with policies established covering the proper disposal of paper records, sensitive data is still regularly disposed of in an unsafe fashion.
Incorrect Disposal of PHI in the USA
In February 2018, 23% of the month’s healthcare data violations involved paper/film records. Those breaches affected 121,607 persons. In January, 33% of the month’s data breaches involved paper/film records. Those breaches affected 13,513 persons.
In total, between January 1, 2010 and December 31, 2017, there were 514 healthcare data violations involving 500 or more paper records. Those breaches affected 3,393,240 people.