NP Privacy Partner
UNC Health Care sends 1,300 prenatal patients a possible data breach notification

In a March 20, 2017, press release, the University of North Carolina Health Care System (UNC Health Care) announced that it had notified 1,300 patients about a potential breach of information that involved the mistaken disclosure of forms used to collect patient information. Patients seen at two UNC Health Care clinics between April 2014 and February 2017 may have been affected.

The forms at issue are completed by Medicaid-eligible prenatal patients during their clinic visits and are shared with local health departments to determine patients’ eligibility for further support services. The forms contained certain identifying information, such as name, address and Social Security number, as well as sensitive physical and mental health information, such as HIV status, drug and alcohol use and information related to prior and current pregnancy. The Privacy Office of UNC Health Care discovered that a potential breach may have occurred when forms completed by patients who were not eligible for Medicaid may have inadvertently been forwarded to the patients’ local county health departments.

UNC Health Care has asked all local county health departments involved to return to the clinic any paper forms for patients not covered by Medicaid and to purge any electronic records about non-Medicaid patients from their electronic information systems. Additionally, UNC Health Care states in the press release that its obstetric clinics revised their procedure to ensure that only forms completed by Medicaid patients are sent to local county health departments.

UNC Health Care has also provided a number of support options available to patients whose information may have been breached, including credit report monitoring and fraud resolution services.

Over the past several years, there has been a heightened focus by regulators on breaches of electronic health information resulting from aggressive hacking and other security deficiencies. This incident is a reminder that a breach of patient information can occur in any form, including paper. The breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require certain notifications to be made following a breach of “unsecured protected health information.” Protected health information is secure only where it is rendered unusable, unreadable or indecipherable through certain government-specified technology. Paper records generally cannot be rendered secure through technology. A breach carries considerable exposure for health care entities subject to HIPAA, as such entities are required to notify the affected patients, report the breach to the U.S. Department of Health and Human Services (HHS) and, in cases involving more than 500 individuals, report the breach to the media. Once the breach is reported to HHS, the health care entity could potentially be audited for compliance with the HIPAA privacy and security requirements, and deficiencies can result in significant penalties. For this reason, health care entities should routinely audit their policies and procedures related to the privacy and security of protected health information, both paper and electronic.


Special Thanks to Nesko Radovic.


This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP