Hospitals leave patient data vulnerable by simply throwing out thousands of pages of private documents instead of shredding them, a new study warns.
Researchers at the University of Toronto and St Michael’s Hospital retrieved 1,300 lbs of paper from recycling bins at five hospitals and found that more than 2,500 sheets contained private patient information.
As hospitals transition to digital record-keeping, patients and their advocates have become increasingly concerned that hackers could access their data.
But, as this study confirms, the disposal of outdated paper records represents an even greater – but more easily avoided – threat to patients’ privacy.
Researchers from the University of Toronto found thousands of pages with sensitive patient information when they went ‘dumpster diving,’ through more than 1,300 lbs of recycled paper
As cutting-edge as many medical treatments, technologies and devices are, the transition to digital records has not been a smooth one for hospitals and the medical industry at large.
The records that doctors use to track their patients’ health contains a great deal of sensitive private information, which, in the US, is protected under the 1996 Health Insurance Portability and Accountability Act (HIPAA).
The Ontario province of Canada has a comparable law, called the Personal Health Information Protection Act (PHIPA), enacted in 2004.
Information can include personal phone numbers, addresses and insurance information that could be used to steal someone’s identity.
Perhaps more importantly, these documents include diagnoses that many may want to keep private.
‘This gap [in expectations and reality of privacy] needs to be addressed so that patients feel confident that their information is kept confidential. Otherwise, they may not say things freely to their doctors,’ says lead study author Dr Nancy Baxter.
During the proliferation of the internet and affordable technologies, concerns over the security of this information took on a new importance as patients and providers worried that files could be accessed from locations outside hospitals.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in the US.
You’d think that maybe this problem should be less of one than it was in the past, but…the piece of paper you got was the only result you get, so you actually held onto that paper because it was precious
Dr Nancy Baxter, lead study author
The legislation allocated a stimulus budget of more than $30 billion of taxpayers’ money to move health records from countless rows of filing cabinets and folders into digital form.
Canada initiated a similar move to electronic patient files, but did so through a coordinated effort between provincial and territorial governments, hospitals, and a specially-created non-profit entity called Infoway.
The idea – in both countries – was to make healthcare systems function more efficiently and keep patient information safer, incentivizing hospitals to modernize with public funding.
Change came slowly, and painfully, as the record-keeping systems implemented in hospitals and doctors’ offices proved less than perfect, and quickly became outdated.
What’s more, facilities tended to hang on to their paper documents.
Even now, doctors often use paper forms during patient appointments, and these have to be subsequently transferred to digital records.
‘You’d think that maybe this problem should be less of one than it was in the past, but, when I started training, we didn’t have an electronic record, so the piece of paper you got was the only result you get, so you actually held onto that paper because it was precious,’ says Dr Baxter.
Now, the information on those pieces of paper is nearly guaranteed to exist on a computer as well, and the easily reproducible documents are often not properly disposed of by doctors, custodians or even patients themselves.
‘So actually, this problem may have been made worse by the electronic records,’ Dr Baxter says.
In fact, Dr Baxter got inspired to do the study when she was working in a Minnesota hospital and saw a custodian rolling a giant bin of recycling down the hall.
‘Out of the corner of my eye, I could see stuff from patient charts from the floor,’ she says.
Dr Baxter confronted the employee. She insisted the paper needed to be shredded, he insisted it needed to go into the recycling dumpster.
‘We ended up in a standoff, where I wouldn’t let him move forward and had to call security to get him to take it to shredding,’ Dr Baxter says.
The interaction bolstered her long-held suspicion that these records were not being disposed of properly, at the Minnesota hospital or anywhere.
So Dr Baxter and her team from the University of Toronto and the affiliated St Michael’s Hospital went ‘dumpster diving,’ she says, and sifted through thousands of pounds of paper that was recycled at five Toronto-area teaching hospitals between 2014 and 2016.
A 500-sheet ream of paper weighs about five lbs, meaning they went through more than 310,000 documents.
Less than one percent, of those documents contained sensitive information, but that still amounted to 2,687 sheets of paper that did leave patient information vulnerable.
We ended up in a standoff, where I wouldn’t let him move forward and had to call security to get him to take it to shredding
Dr Nancy Baxter, led study author
‘The vast majority [of documents are] shredded, but if you’re dealing with 10,000 sheets of paper a day, and even just 0.1 percent gets put in the wrong place, it still ends up being a lot of personal information a year,’ Dr Baxter says.
Though she and her team only looked at documents from five hospitals, ‘you will find this everywhere,’ she says.
On the other hand, she says that patients need not panic over what goes into the recycling.
‘There are lots of reports of this information misused…but they don’t usually do the dumpster diving that we did,’ says Dr Baxter.
The solutions that she offers are simple, but not easy.
In general, ‘we create too much paper waste, so having everyone think twice before printing anything – for both confidentiality and environmental reasons – could help,’ Dr Baxter says.
If hospitals made it a policy to shred all paper that had even the slightest possibility of containing sensitive material, the risk of confidentiality breeches could be minimized, but the financial cost would be likely be high.
Finally, she says that ‘we need to empower custodial staff.
‘When people put things in the recycling, custodians don’t feel empowered to make decisions about that, but they should be,’ Dr Baxter says.