HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

QuadMed Discovers PHI of More than 9,850 Patients Was Impermissibly Disclosed to Employees

QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered the protected health information of 9,854 patients has potentially been impermissibly disclosed to certain employees.

In November 2013, QuadMed took over an onsite clinic at Hillenbrand Inc. Occupational health information of employees of the Batesville, IN-based manufacturer was maintained in an electronic medical record system and access to the system was shared with QuadMed.

Certain QuadMed employees required access to the data for the administration of occupational health matters. Take overs of clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs shared with the firm and made accessible to some of its employees.

On December 26, 2017, QuadMed discovered a technical issue affected the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics which allowed its employees to access more than the minimum necessary amount of PHI than was permissible. Employees had access to more information than was necessary since May 9, 2016.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

A similar breach affected the Whirlpool clinic, which QuadMed took over in January 2017. In that case, the EMR system should have had additional administrative and technical controls applied that would enable QuadMed to protect the privacy of health information; however, the controls had not been fully implemented. QuadMed discovered the potential issue in February 2017 prompting an investigation, although it took until October 2017 for QuadMed to be given the level of system access necessary to investigate this issue.

At all three locations, the types of protected health information that could potentially have been accessed included patients’ names, onsite clinic service dates, test and evaluation results, diagnoses, medical histories, information on examinations and physicals, vaccinations, travel medicine prescriptions, and workers’ compensation data.

QuadMed reports that the technical issue has now been corrected and new controls have been implemented to ensure protected health information remains confidential and can only be accessed by authorized individuals. Additional staff training has also been provided on the requirements of HIPAA with respect to protecting health information.

All individuals whose PHI was potentially accessed without authorization have now been notified of the privacy breach by mail. The unauthorized access/disclosures have been reported to the Department of Health and Human Services’ Office for Civil Rights as three separate breaches. Two incidents were reported on February 26 which impacted 2,471 and 2,834 individuals, and the third incident was reported on January 29, 2018 that impacted 4,549 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.