Even as healthcare providers increasingly implement EHRs and patient data moves to electronic form, organizations cannot overlook PHI data security measures for their paper records.
Researchers at Toronto's St. Michael's Hospital conducted a recycling audit at five teaching hospitals in Canada, and found that documents containing medium- and high-sensitivity items were being disposed of in the recycling.
In total, 2,687 documents containing personally identifiable information (PII) were discovered, along with 1,885 personal health information items, according to the study that was published in the Journal of the American Medical Association (JAMA).
“All hospitals had established PHI policies; for paper disposal, each hospital had recycling bins, garbage, and, for confidential information, secure shredding receptacles,” researchers wrote. “At each site, all recycling was collected at least 3 times per week over 4 weeks from predesignated locations, including inpatient wards, outpatient clinics, emergency departments, physician offices, and intensive care units.”
The study found that 821 items were related to clinical notes, summaries, and medical reports. Labels and patient identifiers (385), billing forms (345), and diagnostic test results (340) were the next most common items found.
“Patients have the right to expect safekeeping of personal information,” the research team said. “In Ontario, as in many jurisdictions, protection of personal health information (PHI) is codified in legislation.”
“With patient information increasingly maintained in the electronic health record (EHR), paper records are frequently discarded, creating risk of paper-based privacy breaches.”
The US has its own data privacy and security regulations for health information under HIPAA, and those regulations include requirements for how organizations are allowed to dispose of paper documents.
Disposal methods are not specified, but organizations “are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” HHS states in a fact sheet.
“Shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed” are acceptable methods of disposing of paper records, according to HHS.
Covered entities can also take their own circumstances into consideration. If a hospital does not have the ability to shred its own documents, it is permitted to maintain PHI for disposal in a secure area. The hospital can then work with a disposal vendor as a business associate that will pick up the PHI and shred or destroy it.
The fact sheet also lists as an acceptable method: “In justifiable cases, based on the size and the type of the covered entity, and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.”
The HIPAA Privacy Rule also does not require covered entities or business associates to keep patient medical records for a certain amount of time.
“State laws generally govern how long medical records are to be retained,” HHS explained. “However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.”
Improper disposal is typically not one of the leading causes of healthcare data breaches, but it can still create data security concerns.
One of the largest breaches reported to OCR in 2016 stemmed from a 2015 incident where paper records were found on the street.
Florida-based Radiology Regional Center notified 483,063 individuals that their information may have been exposed after “a small quantity of records” fell onto the street while being transported by the Lee County Solid Waste Division, which was responsible for disposing of Radiology Regional's patient records.
“As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed,” Radiology Regional said in a statement. “Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.”
NYU Langone Health reported a similar incident to OCR in 2017, when it discovered that a binder containing a log with certain patient PHI was mistakenly recycled. The binder contained information related to presurgical insurance authorizations from NYU Langone Health Pediatric Surgery Associates.
Approximately 2,000 patients may have been affected in that incident, NYU Langone Health said.
“Staff was reeducated on the importance of safeguarding patient information and the practice updated their workflow to further protect such information,” the organization stated.
Healthcare organizations need to regularly review their physical safeguards and ensure that paper copies of PHI remain secure even as they move to digital records.