Skip to main content

Privacy Incidents

The UNC-Chapel Hill Institutional Privacy Office (IPO) is responsible for investigating and responding to potential privacy incidents to determine if there has been an unauthorized acquisition, access, use or disclosure of protected data that compromises the privacy and security of the data and requires reporting under applicable laws, regulations or contract. Any known or suspected privacy incident must immediately be reported to the UNC-Chapel Hill Institutional Privacy Office. This page contains general information about privacy incidents, the process for reporting a potential privacy incident and responses to frequently asked questions.

A privacy incident is any actual or perceived loss of control, compromise, or unauthorized acquisition, access, use or disclosure of Protected Health Information (PHI), personally identifiable information (PII), or University-defined Sensitive Information (SI) in violation of a privacy or security requirement, including applicable state, federal or international regulatory requirements and/or applicable UNC-Chapel Hill privacy or security policies and procedures.

Examples of a Privacy Incident

  • Suspected loss or theft of an item such as a laptop, phone, paper documents, flash drive, office or cabinet keys, research samples or briefcase
  • Confirmed information security incident including hacking, phishing, or ransomware that impacts PHI, PII or SI
  • Disclosure of PHI, PII or SI to an unauthorized individual such as a verbal disclosure or a misdirected email, fax or other paper document sent to the wrong recipient
  • Unauthorized access to PHI, PII or SI for non-business purposes such as inappropriately accessing medical records
  • Improper disposable of electronic or hard copy PHI, PII or SI
If a potential privacy incident has occurred, whether actual or suspected, it must be reported immediately to the UNC-Chapel Hill Institutional Privacy Office but in no event, no later than 48 hours after discovery. Promptly reporting incidents ensures that the appropriate UNC-Chapel Hill units can investigate and respond to the incident as soon as possible to reduce any harmful impact. Timely reporting also prevents delays in the University’s mandatory reporting, if required, to impacted individuals and applicable federal and/or state agencies.
To report a potential privacy incident, please complete the Privacy Incident Intake Form, providing as much information as is known at the time of discovery. Do not include any PHI, PII or SI on the form. Once completed, a staff member from the UNC-Chapel Hill Institutional Privacy Office will be in contact for additional information and follow-up.

The UNC-Chapel Hill Institutional Privacy Office is responsible for investigating and responding to potential privacy incidents solely from a privacy perspective. Please note that there may be other UNC-Chapel Hill offices with independent authority and responsibility for evaluating whether there are other regulatory reporting obligations that fall outside of the IPO’s purview.

If a potential privacy incident stems from an UNC-Chapel Hill Institutional Review Board clinical research study, it must be reported to the UNC-Chapel Hill Office of Human Research Ethics (OHRE). Investigators must submit a Promptly Reportable Information (PRI) in IRBIS within seven (7) days of discovery of the incident. A PRI submission constitutes sufficient reporting obligations to the UNC-Chapel Hill Institutional Privacy Office. See OHRE SOP 1401 for additional information.

If a potential incident is related to a UNC-Chapel Hill electronic information system and may result in the confidentiality, integrity, or availability of University information systems or data being compromised, it must be reported to the Information Security Office (ISO) in addition to the UNC-Chapel Hill Institutional Privacy Office. Examples of such security incidents include, but are not limited to, hacking, phishing or ransomware attempts. To report a potential security incident to the ISO, please call 919-962-HELP. See the Information Security Incident Management Standard for additional information.

If a potential privacy incident involves a clinical care component of the School of Medicine and/or UNC Health patient information, it must be reported to UNC Health’s Privacy Office as opposed to the UNC-Chapel Hill Institutional Privacy Office. To report a potential privacy incident to UNC Health’s Privacy Office, please email Privacy@unchealth.unc.edu. Alternative means for notifying their office are available on the UNC Health Privacy Office website.

Who can report a privacy incident?
Anyone who discovers a potential privacy incident, including University workforce members and non-University constituents, must report it to the IPO using the Privacy Incident Intake Form, even if the person who discovers the incident is not directly involved.
What information do I need to report a potential privacy incident?
Please provide as much information as is known at the time of discovery, and a UNC-Chapel Hill Institutional Privacy Office staff member will be in contact to gather any additional information needed. Do not include any PHI, PII or SI on the form.

Be prepared to provide the following information on the Privacy Incident Intake Form:

  • Your contact information for follow-up questions
  • The contact information of those allegedly involved
  • A summary of the incident
  • The type of incident and data elements involved
  • The date the incident occurred
  • The date the incident was discovered
  • Any safeguards that were already in place
  • Any mitigation or remediation steps taken following discovery
What happens after I submit a Privacy Incident Intake Form?
Following the UNC-Chapel Hill Institutional Privacy Office’s review of your responses, a member of our staff will contact you to discuss the facts and circumstances surrounding the potential incident. You must comply with the UNC-Chapel Hill Institutional Privacy Office’s investigation and cooperate quickly and fully until the investigation is formally closed from a privacy perspective.
Who is responsible for handling individual notifications and reporting to applicable agencies?
If a privacy incident is determined to be a reportable breach, it is the responsibility of the UNC-Chapel Hill Institutional Privacy Office to notify impacted individuals and to report the breach to applicable federal and/or state agencies. While the UNC-Chapel Hill Institutional Privacy Office may work with the responsible unit during the notification process, it is not the unit’s responsibility to handle required notifications.