Privacy and Security Rules Extend to Paper Records
Why It Matters
Even temporary paper workflows expose PHI to breach risk, making compliance essential for avoiding costly violations and preserving patient trust.
Key Takeaways
- Paper records during downtime remain HIPAA‑covered
- Improper disposal can trigger civil penalties
- Staff must follow documented policies for paper PHI
- Physical safeguards become critical without encryption
- Audits should include paper‑based workflow compliance
Pulse Analysis
When an EHR system experiences an outage, many hospitals fall back on paper charts to maintain continuity of care. While the switch appears innocuous, the Health Insurance Portability and Accountability Act (HIPAA) does not distinguish between electronic and paper formats; any protected health information (PHI) is equally protected. This regulatory nuance means that health entities must treat paper records with the same confidentiality, integrity, and availability standards applied to digital data, from secure storage in locked cabinets to controlled access and documented chain‑of‑custody procedures.
The practical implications are significant. Physical PHI is vulnerable to theft, loss, and unauthorized viewing, especially in high‑traffic areas such as triage stations or temporary record‑keeping rooms. Without encryption, organizations must rely on robust administrative and physical safeguards—restricted access, sign‑in logs, and shredding protocols that meet the National Standards for the Destruction of Confidential Information. Non‑compliance can trigger civil penalties ranging from $100 to $50,000 per violation, with a maximum annual cap of $1.5 million, not to mention the reputational fallout that can erode patient confidence and affect payer relationships.
To mitigate risk, health systems should integrate paper‑PHI considerations into their existing downtime and disaster‑recovery plans. This includes training staff on proper handling, establishing clear retention and disposal timelines, and conducting regular audits that verify adherence to both electronic and paper security controls. Leveraging technology such as barcode‑tracked file cabinets and secure scanning can bridge the gap between paper and electronic workflows, ensuring that even during outages, PHI remains protected and compliance obligations are met.