The protected health information of 5,305 patients of QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, may have been impermissibly shared with some employees.
In November 2013, QuadMed took over management of an onsite clinic at Hillenbrand Inc. Occupational health information of employees based at the Batesville, IN-based manufacturer was held in an electronic medical record system and access to the system was distributed to QuadMed.
Specific QuadMed workers needed access to the data for the management of occupational health matters. Take overs of health clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs distributed with the company and made accessible to some of its workers.
On December 26, 2017, QuadMed found that a technical issue affected the PHI stored in the EMRs utilized at the Hillenbrand and Stoughton Trailers health clinics which allowed its workers to download more than the minimum necessary amount of PHI than was allowed. Worker had access to more information than was necessary from May 9, 2016.
A similar HIPAA breach impacted the Whirlpool health clinic, which QuadMed took over management of January 2017. On that occasion, the EMR system should have had additional administrative and technical security controls applied that would enable QuadMed to secure the privacy of health information; however, the controls had not been fully configured. QuadMed discovered the potential issue in February 2017 resulting in an investigation, although it was not until October 2017 for QuadMed to be given the level of system access necessary to look into this issue.
At all three bases, the sort of protected health information that could have been downloaded included patients’ names, onsite clinic service appointments, test and evaluation results, diagnoses, medical record, information on medical examinations and physicals, vaccinations, travel prescriptions, and details of workers’ compensation data.
QuadMed has revealed that the technical issue has now been fixed and new controls have been established to ensure protected health information remains safe and can only be accessed by authorized persons. Additional worker training has also been given on the requirements of HIPAA in relation to protecting health information.
All persons whose PHI was potentially accessed without permission have now been contacted in relation to the privacy breach by mail. The unauthorized access/disclosures have been filed in a report to the Department of Health and Human Services’ Office for Civil Rights as two different breaches that may have affected 2,471 and 2,834 persons.