Paper Records Disposal Still a Messy ProblemDocuments Discovered in Dumpsters Raise Privacy Concerns
The recent discovery of stacks of paper patient records in dumpsters at an Ohio recycling center offers an important reminder: Any effort to safeguard patient information must include not just high-tech breach prevention measures but also proper policies on the disposal of paper records.
On Thanksgiving day, Leroy Clouser of Springfield, Ohio, says he made a stunning discovery while dropping off some items at an area recycling center: Dumpsters contained patient medical records and other paperwork and folders displaying the names of Community Mercy Health Partners and some of its current and former facilities, including Mercy Memorial Hospital, Community Hospital and Springfield Regional Medical Center.
Unfortunately, breaches involving improper disposal of paper or electronic records are common.
A Dec. 11 snapshot of the Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals shows that since September 2009, there have been at least 52 incidents involving improper disposal of paper, X-ray film or electronic media containing PHI.
Privacy attorney Adam Greene of the law firm David Wright Tremaine says appropriate disposal of records, such as through consistent shredding, remains challenging for many organizations.
"If you rely on your workforce to put confidential information in appropriate bins, you may need to repeat training on the point regularly and get your hands dirty with audits of trash and recycling," he says. "Recycling bins can be particularly problematic, as many employees may incorrectly assume that information that is put into recycling is securely disposed of."
The alternative is to securely dispose of all trash, taking the decision-making process out of the hands of most employees, he notes. "This likely is the most effective solution, but at a cost that may not be feasible. At a minimum, it may be worth documenting that you have considered this solution and why it was not reasonable to implement, as this will likely be a question on regulators' minds if an incident occurs."
In the incident affecting patients of Community Mercy Health Partners' facilities, the stacks of records, visible in three dumpsters, included surgical pathology and other medical documents - including lab request forms for HIV testing and X-rays - that dated back to 2001 to 2013, Clouser tells Information Security Media Group. Patient names, Social Security numbers, and other personal and medical information, were also visible on some of the documents, he says. Clouser says he contacted local police, who alerted Community Mercy Health Partners.
"Springfield police notified our security that some records were found at a recycling station," a Community Mercy Health Partners spokesman says in a statement provided to ISMG. "We responded immediately and retrieved any disposed documents to review. We are now in the investigative stage."
Community Mercy Health Partners has not yet determined how many patients were impacted by the incident, the spokesman says. But Clouser says "thousands" of papers appeared to be in the stacks. One of the dumpsters was filled to the top with medical paperwork, he says.
Clouser says he returned to the recycling center the day after his initial discovery when a Community Mercy Health Partners' security officer showed up to investigate. "When he looked at the papers in the dumpsters, the security officer fell backwards, saying, 'oh my God, this is a full security breach,'" Clouser says.
Community Mercy Health Partners is evaluating the scope of the incident.
"We will review the storage and disposal procedures, particularly older records of this nature. We will meet or exceed federal HIPAA guidelines to directly contact any impacted individuals by mail. As part of the notification, we will offer identity protection. We deeply regret any inconvenience this may cause any patients," Community Mercy Health Partners spokesman says. "We take seriously the privacy and confidentiality of our patients' information. We are thoroughly investigating the circumstances regarding the unintentional disposal of some old laboratory information."
Regulators, including the HHS Office for Civil Rights and a few state attorneys general, have come down hard on some healthcare organizations that have reported breaches involving improper disposal of PHI.
For example, OCR in June 2014 announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for up to 8,000 patients were dumped in the driveway of a retiring physician's home.
Also, in a 2010 settlement with OCR, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. A $2.25 million HHS settlement was reached in a similar case against CVS Caremark in February 2009.
In January, California officials announced a settlement with grocery store chain Safeway that included a $9.87 million penalty in a case related, in part, to improper disposal of confidential pharmacy records and hazardous waste in dumpsters. Also in January, the Indiana attorney general's office said it had reached a settlement, including a $12,000 monetary penalty, with a former dentist, Joseph Beck, for mishandling medical records for more than 5,600 patients. More than 60 boxes of patient records from Beck's former dental clinic were found discarded in an Indianapolis dumpster in March 2013, authorities said.
Steps to Take
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says organizations need to take a thoughtful approach to their PHI disposal practices.
"Organizations should start with policy and then implement it through physical means such as desk-side shredders and locked shred bins," she says. Ongoing training on responsibilities is also necessary, she adds.
"This has long been routine in hospitals," Borten notes. Community Mercy Health Partners "may well be doing all those things, and the vast majority of paper disposal may be proper," she says. "But typically organizations stop there. The problem is in ensuring that all parts of an organization get the message and that there is active, formal monitoring within the organization, followed by enforcement and consequences for individuals who fail to follow policy."
In the scope of information security and privacy threats facing healthcare providers, there's good and bad news when it comes to incidents involving improper disposal of PHI, Borten notes.
"The good news is that this is a non-technical problem, and everyone should understand the risk and the proper way to dispose of individually identifiable papers and other organization-confidential documents," she says. "The bad news is that there is not a technical solution and we have to rely on people to do the right thing. That is why active monitoring and enforcement are essential. Yet these pieces of the process are typically not done in hospitals today."