[BreachExchange] Patient details in the recycling? Hospitals should cut down on paper to protect privacy: study

Thu Mar 22 10:15:53 EDT 2018

http://www.cbc.ca/news/canada/toronto/hospitals-documents-
paper-patient-privacy-1.4584093

Hospitals should step up their efforts to protect patient privacy by trying
to generate less paper and ensure confidential files are shredded rather
than recycled, a new study suggested Tuesday.

The research, undertaken by staff at Toronto's St. Michael's Hospital and
published in the medical journal JAMA, found that thousands of documents
containing sensitive and potentially identifying patient information make
it out of hospitals in recycling bins where they become potential privacy
liabilities.

Dr. Nancy Baxter, study author and St. Michael's chief of general surgery,
said the vast majority of patient information appeared to be properly
disposed of.

The electronic age, however, has paradoxically created a stronger impetus
for hospitals to tighten their document disposal practices.

"Before, if you got a test, … you treated that piece of paper as precious,"
Baxter said in a telephone interview. "But now that we have it on our
computers electronically, if you print out a chart for ease of review or to
facilitate work flow, we're just throwing it out. So we've actually
generated a lot more pieces of paper to throw out. So actually with the
electronic records I think many people would have thought that this problem
had gone away when in fact it likely is worse."

Baxter and a team of St. Michael's researchers spent a month collecting
more than half a tonne of paper from recycling bins at five Toronto-area
hospitals and combing through the documents they recovered.

They gathered papers from recycling bins three times a week from the
hospitals' in-patient wards, out-patient clinics, emergency departments,
doctors' offices and intensive care units. Baxter said the names of the
participating hospitals could not be disclosed.

Researchers collected 591.6 kilograms of paper and found 2,687 documents
containing personal information, a number Baxter characterized as
relatively low.

But she said some of those documents contained very sensitive material,
such as clinic notes, detailed health records or financial information. The
bulk of the sensitive documents came from physicians' offices, while
financial matters were most likely to surface, the study found.

Personal details were collected from all five hospital sites included in
the study.

Doctor blocks custodian

This did not surprise Baxter, who said her interest in this issue was
peaked while working in the United States years ago.

After observing a member of the custodial staff wheeling a recycling cart
brimming with patient files out to recycling, she
said she physically barred his path and called hospital staff to make sure
the documents were redirected to shredding for more secure disposal.

"It got me thinking that it probably has happened before or something
similar to it, and I probably wasn't going to be there next time it
happened," Baxter said, noting the issue is not unique to Ontario.
Hospitals in the province, in fact, must comply with legislation meant to
safeguard patient privacy.

Baxter said all collection sites involved in the study have policies and
protocols around document protection, but said the
research results highlight areas in which those could be improved.

While generating less paper would make a great start, she said health-care
facilities could consider other measures to limit the potential for human
error.

Hospitals, for instance, could dictate that all documents being purged from
doctor's offices should go directly to shredding rather than recycling in
order to minimize the possibility of sending patient records through the
wrong disposal channel.

She also suggested hospitals could train custodial staff to recognize
personally identifying documents so they can send such files for shredding
if they spot them.

Baxter does not know of any instances in which recycled personal documents
were actively misused and said patients need not worry about widespread
carelessness with their information.

Nonetheless, she said the matter is still a valid privacy concern.

"Obviously, we need to take this very seriously, and I think this is an
important step towards thinking about our processes."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180322/162519a3/attachment.html>