Hospital Recycling Bins May Contain Sensitive PHI

Posted on April 6, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A group of Canadian researchers studying hospitals information security practices found that hospital recycling bins contained a substantial amount of PHI.

The researchers, who summarized their findings in a letter published in JAMA, spent two years collecting materials from the recycling bins at five teaching hospitals in Toronto. The “recycling audit,” which took place November 2014 and May 2016, included­­­­ data for inpatient and outpatient care settings, emergency departments, physician offices and ICUs.

When they did their audit, the researchers found more than 2,600 items which contained personally identifiable information, including 1,885 items related to medical care. The majority of the items containing PHI (65%) had been created by medical groups.

Their audit also found that the most common locations at which they found particularly sensitive patient-identifiable information for physician offices (65%) and inpatient wards (19%).

The most commonly-found items included patient-identifiable information included clinical notes, medical reports (30%), followed by labels and patient identifiers (14%). Other items which contained PHI included diagnostic test results, prescriptions, handwritten notes, requests and communications, and scheduling materials.

According to the researchers, each of the five hospitals they audited had policies in place to protect PHI, along with secure shredding containers for packaging up private information. That being said, they guessed that as the hospitals transitioned to EHRs, they were discarding a high volume of paper records and losing control of how they were handled.

I don’t know what the EHR adoption rate is in Canada, but nearly all U.S. hospitals already have an EHR in place, so on first glance, it might appear that this couldn’t happen here. After all, once a hospital has digitized records, one would think the only way hospitals would expose PHI would be when someone deliberately steals data.

But the truth is, a great deal of hospital business still gets done on paper, and it seems likely that one could find a significant number of documents with PHI on them in U.S. recycling bins. (If someone was willing to do the dirty work, there might be a meaningful amount of PHI found in regular garbage cans as well.)

What I take away from this is that hospitals need to have stiffer policies in place to protect against paper-based security breaches. It may be time for hospital administrators to pay closer attention to this problem.