In a March 20, 2017, press release, the University of North Carolina Health Care System (UNC Health Care) announced that it had notified 1,300 patients about a potential breach of information that involved the mistaken disclosure of forms used to collect patient information. Patients seen at two UNC Health Care clinics between April 2014 and February 2017 may have been affected.

The forms at issue are completed by Medicaid-eligible prenatal patients during their clinic visits and are shared with local health departments to determine patients’ eligibility for further support services. The forms contained certain identifying information, such as name, address and Social Security numbers, as well as sensitive physical and mental health information, such as HIV status, drug and alcohol use and information related to prior and current pregnancy. The Privacy Office of UNC Health Care discovered that a potential breach may have occurred when forms completed by patients who were not eligible for Medicaid may have inadvertently been forwarded to the patients’ local county health departments.

UNC Health Care has requested all local county health departments involved to return any paper forms for patients not covered by Medicaid to the clinic and purge any electronic records about non-Medicaid patients from their electronic information systems. Additionally, the UNC Health Care states in the press release that its obstetric clinics revised their procedure to ensure that only forms completed by Medicaid patients are sent to local county health departments.

UNC Health Care has also provided a number of support options available to patients whose information may have been breached, including credit report monitoring and fraud resolution services.

Over the past several years, there has been a heightened focus by regulators on breaches of electronic health information resulting from aggressive hacking and other security deficiencies. This incident is a reminder that a breach of patient information can occur in any form, including paper. The breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires certain notifications to be made following a breach of “unsecured protected health information.” Protected health information is secure only where it is rendered unusable, unreadable or indecipherable through certain government-specified technology. Paper records generally cannot be rendered secure through technology. A breach carries considerable exposure for health care entities subject to HIPAA, as such entities are required to notify the affected patients, report the breach to the U.S. Department of Health and Human Services and in cases involving more than 500 individuals, report the breach to the media. Once the breach is reported to HHS, the health care entity could potentially be audited for compliance with the HIPAA privacy and security requirements, and deficiencies can result in significant penalties. For this reason, health care entities should routinely audit their policies and procedures related to the privacy and security of protected health information, both paper and electronic.