A team of researchers dug through recycling bins to study hospital information security practices, uncovering almost 2,000 items with sensitive personal health information in less than two years.
In a research letter published in JAMA March 20, seven scientists from the surgery department at the University of Toronto detailed a "recycling audit" they conducted at five teaching hospitals in the city. Between November 2014 and May 2016, the team collected materials from recycling bins in inpatient wards, outpatient clinics, emergency departments, physician offices and intensive care units.
During the audit, the researchers recovered more than 2,600 items containing personally identifiable information, 1,885 of which also contained data related to medical care. Of the 1,885 items containing PHI, the majority, 65 percent, were recovered from physician offices.
The most commonly recovered items containing PII were clinical notes, summaries and medical reports (30 percent) and labels and patient identifiers (14 percent). After categorizing the items by potential sensitivity, the researchers determined the most common locations to recover "high sensitivity" PII were physician offices (65 percent) and inpatient wards (19 percent).
Each of the five hospitals had established PHI policies and secure shredding containers for confidential information. However, the researchers hypothesized that with physicians increasingly transitioning to electronic records, paper records were "frequently discarded, creating risk of paper-based privacy breaches."