Share this article on:
QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered the protected health information of 9,854 patients has potentially been impermissibly disclosed to certain employees.
In November 2013, QuadMed took over an onsite clinic at Hillenbrand Inc. Occupational health information of employees of the Batesville, IN-based manufacturer was maintained in an electronic medical record system and access to the system was shared with QuadMed.
Certain QuadMed employees required access to the data for the administration of occupational health matters. Take overs of clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs shared with the firm and made accessible to some of its employees.
On December 26, 2017, QuadMed discovered a technical issue affected the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics which allowed its employees to access more than the minimum necessary amount of PHI than was permissible. Employees had access to more information than was necessary since May 9, 2016.
A similar breach affected the Whirlpool clinic, which QuadMed took over in January 2017. In that case, the EMR system should have had additional administrative and technical controls applied that would enable QuadMed to protect the privacy of health information; however, the controls had not been fully implemented. QuadMed discovered the potential issue in February 2017 prompting an investigation, although it took until October 2017 for QuadMed to be given the level of system access necessary to investigate this issue.
At all three locations, the types of protected health information that could potentially have been accessed included patients’ names, onsite clinic service dates, test and evaluation results, diagnoses, medical histories, information on examinations and physicals, vaccinations, travel medicine prescriptions, and workers’ compensation data.
QuadMed reports that the technical issue has now been corrected and new controls have been implemented to ensure protected health information remains confidential and can only be accessed by authorized individuals. Additional staff training has also been provided on the requirements of HIPAA with respect to protecting health information.
All individuals whose PHI was potentially accessed without authorization have now been notified of the privacy breach by mail. The unauthorized access/disclosures have been reported to the Department of Health and Human Services’ Office for Civil Rights as three separate breaches. Two incidents were reported on February 26 which impacted 2,471 and 2,834 individuals, and the third incident was reported on January 29, 2018 that impacted 4,549 individuals.