HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization

Pedes Orange County Inc., a California healthcare provider specializing in treatments for vascular disease, is alerting some of its patients that a physician accessed their medical records, without authorization, and provided some of that information to an attorney.

Pedes shares its facilities with another medical group, which conducts surgical procedures at the facility during the week. A scheduling tool is also shared with other physicians that use the same facility.

On November 14, 2017, Pedes became aware that a physician employed by a different medical group had accessed its electronic medical records database and viewed the records of some of its patients. Pedes did not provide authorization for the EMR to be accessed.

Pedes reports that the physician subsequently shared some of the information in the database with an attorney. After discovering the breach, the physician was contacted and Pedes has been working to ensure all copies of patients’ PHI that were obtained from its EMR system are securely destroyed and that no copies remain.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The types of information potentially compromised includes names, diagnoses, treatments, dates of service, and other treatment related data. No financial information or Social Security numbers were stored in the database and remained secure at all times.

While information was taken from the database, Pedes has no reason to believe any PHI has been misused. However, since the incident is classed as a security breach under HIPAA Rules, notifications about the breach must be sent to patients.

Although data misuse is not suspected, patients have been advised to take precautions and examine their Explanation of Benefits statements and other information from their health insurers for any medical treatments listed by not provided.

The incident has prompted Pedes to conduct a review of its security protocols, which will be updated to ensure that this type of security breach does not happen again.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of up to 917 patients was accessed and potentially disclosed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.