QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered that the PHI of 5,305 clients may have been impermissibly disclosed to certain members of staff.
In November 2013, QuadMed took over management of an onsite clinic at Hillenbrand Inc. Occupational health information of staff members at the Batesville, IN-based manufacturer was stored in an electronic medical record system and access to the system was shared with QuadMed.
Certain QuadMed staff members required access to the data for the administration of occupational health matters. Takeovers of health centers at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related data in EMRs shared with the firm and made accessible to some of its staff members.
On December 26, 2017, QuadMed found that a technical issue affecting the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics had permitted its employees to view more PHI than the minimum necessary amount they were allowed to access. Staff members had been able to access more data than was necessary since May 9, 2016.
A similar breach impacted the Whirlpool clinic, which QuadMed took over in January 2017. In that instance, the EMR system should have had more administrative and technical controls applied that would allow QuadMed to safeguard the privacy of health data; however, the controls had not been fully implemented. QuadMed discovered the potential problem in February 2017, leading to an investigation, although it took until October 2017 for QuadMed to be allocated the level of system access necessary to look into the issue.
At all three centers, the types of protected health information that could possibly have been accessed included patients’ names, onsite clinic service dates, test and evaluation outcomes, diagnoses, medical histories, data on examinations and physicals, vaccinations, travel medicine prescriptions, and workers’ compensation information.
QuadMed reports that the technical problem has now been corrected and new controls have been put in place to ensure protected health information remains confidential and can only be accessed by authorized people. Additional employee training has also been provided on the requirements of HIPAA with respect to protecting health data.
All people whose PHI was possibly accessed without authorization have now been made aware of the privacy breach by mail. The unauthorized access/disclosures have been submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) as two separate breaches affecting 2,471 and 2,834 people.