Table 1. Pooled Collection of Recycling by Location Among 5 Teaching Hospitals in Toronto, Ontario
Table 2. Type of Personally Identifiable Information Found by Location in Recycling Among 5 Teaching Hospitals in Toronto, Ontario
Research Letter
March 20, 2018

Disposal of Paper Records Containing Personal Information in Hospitals

Author Affiliations
  • 1Department of Surgery, University of Toronto, Toronto, Canada
JAMA. 2018;319(11):1162-1163. doi:10.1001/jama.2017.21533

Patients have the right to expect safekeeping of personal information. In Ontario, as in many jurisdictions, protection of personal health information (PHI) is codified in legislation.[1] With patient information increasingly maintained in the electronic health record (EHR), paper records are frequently discarded, creating risk of paper-based privacy breaches. We assessed the presence, amount, and sensitivity of personally identifiable information (PII) and PHI (a subset of PII) found in hospital recycling bins.

Methods

We conducted a recycling audit[2] of 5 teaching hospitals in Toronto, Ontario, Canada, from November 2014 to May 2016. Each institution’s research ethics board determined that this study did not qualify as human subjects research. All hospitals had established PHI policies; for paper disposal, each hospital had recycling bins, garbage, and, for confidential information, secure shredding receptacles. At each site, all recycling was collected at least 3 times per week over 4 weeks from predesignated locations, including inpatient wards, outpatient clinics, emergency departments, physician offices, and intensive care units. Using definitions from the Personal Health Information Protection Act of Ontario, we considered PII information “that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.” When coupled with information related to medical care, the items were considered PHI. Recovered items were single entities that contained PII, whether a single sheet or stapled multipage document, and were classified by potential sensitivity—low (PII only), medium (PHI including diagnosis), and high (PHI including a description of the patient’s medical condition). We calculated the number of items recovered per kilogram of recycling.

Results

We recovered 591.6 kg of recycling, including 2687 documents with PII. Of these items, 802 were low, 843 medium, and 1042 high sensitivity (Table 1). PII and PHI were found in recycling at all hospitals. Most items were recovered at physician offices (1449 items). Physician offices had the highest proportion of PHI and PII recovered relative to weight sampled (15.79 PHI items/kg and 18.41 PII items/kg, respectively). Clinical notes, summaries, and medical reports were the most frequent type of PII inappropriately discarded (Table 2).

Discussion

A substantial amount of personal information, most of it PHI, was found in the recycling at 5 teaching hospitals in Toronto, Ontario, despite institutional policies in place for protection of personal information. Little is known about the prevalence of privacy breaches in hospitals. Studies have focused primarily on privacy risks related to electronic records;[3,4] however, migration to the EHR may have heightened risks of other privacy breaches. For example, when there is no need to maintain a paper chart, the potential for improper disposal of printed patient information may paradoxically increase. The frequent presence of PII and PHI in recycling at these institutions indicates potential privacy breaches are not isolated, but should be expected in locations where patient information is printed and there is an option for nonconfidential paper disposal.

This study was multi-institutional, and collected a large volume of recycled material without widespread awareness of the intent of collection. However, some limitations are acknowledged. First, this study was restricted to recycling and did not include an audit of garbage disposal, another potential source of privacy breaches. Second, it is not known who discarded the items, patients or hospital staff. Third, although sensational cases of improper disposal of PHI have been reported,[5] the authors are unaware of a case of inappropriate use or harm related to such privacy breaches.

Because human error is a common cause of privacy breaches within institutions,[6] organizational solutions to improve paper PHI security should be considered. Elimination of any alternatives to nonconfidential disposal of discarded paper (irrespective of content) in areas of clinical activity may be an effective, albeit expensive strategy to reduce the risks of paper-based privacy breaches. Minimizing the printing of documents containing PHI would be a complementary approach.

Section Editor: Jody W. Zylke, MD, Deputy Editor.
Article Information

Accepted for Publication: December 19, 2017.

Corresponding Author: Nancy Baxter, MD, PhD, Division of General Surgery, St Michael’s Hospital, 040-16 Cardinal Carter Wing, 30 Bond St, Toronto, ON, M5B 1W8, Canada (baxtern@smh.ca 416-864-5168).

Author Contributions: Dr Baxter had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.

Concept and design: Baxter, Ramjist, Urbach, Scott.

Acquisition, analysis, or interpretation of data: All authors.

Drafting of the manuscript: Baxter, Ramjist, Coburn.

Critical revision of the manuscript for important intellectual content: All authors.

Statistical analysis: Ramjist, Coburn, Urbach.

Administrative, technical, or material support: Ramjist, Coburn, Urbach, Govindarajan, Armstrong, Scott.

Supervision: Baxter, Ramjist, Coburn.

Conflict of Interest Disclosures: All authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest and none were reported.

Funding/Support: This study was conducted with the support of the Canadian Institutes of Health Research (CIHR) Foundation grant (competition 201509).

Role of the Funder/Sponsor: The funder had no role in the design and conduct of the study; collection, management, analysis, and interpretation of the data; preparation, review, or approval of the manuscript; and decision to submit the manuscript for publication.

Disclaimer: The findings and conclusions in this report are those of the authors and do not necessarily represent the views of the CIHR.

Additional Contributions: We thank Nik Goyert, MA (Sunnybrook Health Sciences Centre), Annie Ritter, MD (Queen’s University), Mina Siddiqui, MD (Sunnybrook Health Sciences Centre), and Chris Pauley, MASc (St Michael’s Hospital), who assisted with data collection; Corinne Daly, MSc (Canadian Partnership Against Cancer), for project management; and John Semple, MD, MSc (Women’s College Hospital), for organizational support. Corinne Daly provided assistance while employed by St Michael’s Hospital. They did not receive compensation for their contributions.

References
1. Government of Ontario. Personal Health Information Protection Act, 2004, SO 2004, c3, sched A. https://www.ontario.ca/laws/statute/04p03. Accessed December 7, 2016.
2. Continuous Improvement Fund. Curbside waste audits: considerations for small communities. http://thecif.ca/wp-content/uploads/2016/09/CIF-Waste-Audit-Curb-Sm-Communities.pdf. Accessed April 10, 2017.
3. Ponemon Institute. Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. https://media.scmagazine.com/documents/121/healthcare_privacy_security_be_30019.pdf. Accessed February 14, 2018.
4. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473.
5. Cheng P-S. Private medical records found in trash outside NYC health center. https://www.nbcnewyork.com/news/local/medical-records-trash-Mount-Sinai-Beth-Israel-Senior--371731581.html. Accessed December 7, 2016.
6. Liginlal D, Sim I, Khansa L. How significant is human error as a cause of privacy breaches? an empirical study and a framework for error management. Computers & Security. 2009;28(3–4):215-228. doi:10.1016/j.cose.2008.11.003. Accessed February 14, 2018.