Study finds 2K documents with patient info dumped in recycling bins at hospitals

Records containing personal health information (PHI) and personally identifiable information (PII) were found in the recycling at five different hospitals, according to a study published March 20 in JAMA.

In this study, led by Nancy Baxter, MD, PhD, at the University of Toronto, researchers audited five teaching hospital in Toronto form November 2014 to 2016 for the amount of PII and PHI disposed in recycling bins.

Although all five hospitals had policies for paper disposal, researchers found documents containing PII and PHI in the recycling of all hospitals. Of the 2,687 documents with PII and PHI information, 802 were low sensitivity, 843 were medium and 1,042 were high. Most documents were found at physicians’ offices with clinical notes, summaries and medical report being the most frequent type of PII document being discarded.

“A substantial amount of personal information, most of it PHI, was found in the recycling at 5 teaching hospitals in Toronto, Ontario, despite institutional policies in place for protection of personal information. Little is known about the prevalence of privacy breaches in hospitals,” wrote Baxter and colleagues. “Studies have focused primarily on privacy risks related to electronic records; however, migration to the EHR may have heightened risks of other privacy breaches. The frequent presence of PII and PHI in recycling at these institutions indicates potential privacy breaches is not isolated. [It] should be expected in locations where patient information is printed and there is an option for nonconfidential paper disposal.”