Trios Health has confirmed that an employee accessed multiple patient medical records without authorization; a thorough investigation is underway and affected patients are being notified as a precaution. The records accessed may have included information pertaining to Trios Health visits (not including to outpatient Trios Medical Group providers), diagnoses, and demographic information including addresses, phone numbers, driver’s license numbers, and Social Security Numbers. The staff member, who was initially placed on administrative leave pending an investigation of the breach, has been terminated.
“Thoroughly examining and tightening up potential compliance issues is one of the major action items outlined in the operational improvement plan Trios Health is diligently working through right now,” said Craig Cudworth, chief restructuring officer and interim CEO. “In March, we named Elizabeth Rice as director of Health Information Management and compliance officer for the organization, to lend her experience and precision to providing full-time oversight to patient information and compliance. The breach was discovered shortly after she and her team began a planned review process.”
“This significant issue came to light as part of a thorough and systematic examination that is still underway,” said Rice. “We took immediate action to investigate it, notify the appropriate parties, and begin putting additional protections in place to prevent it from happening again.”
Thus far, investigation of the breach has revealed that the electronic health records (EHRs) of approximately 600 patients were accessed by a single employee outside of normal job functions between October 2013 and March 2017. The employee had access to the EHR system to perform job responsibilities; however, Rice’s review confirmed the employee looked up additional patient records where there was no direct correlation to job function.
“Each impermissible access of a patient record constitutes a violation of the Health Insurance Portability and Accountability Act, or HIPAA,” said Rice. “We cannot and do not take this lightly.”
As a result of these violations, the State Attorney General and Office of Civil Rights (OCR)—the agency within the U.S. Department of Health and Human Services that enforces privacy and security rules—are likely to impose fines per violation based on their assessment of all factors involved. It is not yet known what the total fines will be or what other corrective actions may entail.
“We are operating under full disclosure to the OCR and the Washington State Attorney General’s office as our investigation continues,” said Cudworth. “Compliance and accountability are non-negotiable in healthcare, as it should be in any industry, and we will continue to uphold this standard as we work through this matter and going into the future. We cannot succeed as an organization without holding ourselves and others responsible for mistakes and taking decisive action to address them.”
Patients whose medical records were accessed without authorization are being notified by mail during the week of May 29, and will have the option to enroll in free identity theft protection and credit monitoring services for one year at Trios Health’s expense.
“Based on our investigation thus far, this appears to be an isolated case in which the gathering and use of patient information for purposes of identity theft was not a motivation,” said Rice. “But as an added precaution, we believe offering additional protections to those patients whose information was impermissibly accessed is the right thing to do.”
Healthcare employees receive extensive training and annual refreshers about compliance issues including the protection of patient health information and properly accessing patient EHRs. In response to the recent breach, Trios Health is deploying additional patient privacy training to staff as well as implementing standard auditing processes to further protect patient health information.
Patients concerned about their health records, but who do not receive a notification by mail during the week of May 29 or do not have a current mailing address on file with Trios Health, may call the Health Information Management department at 509-221-5720 (option 2), Monday through Friday, between 7 a.m. and 4 p.m. Pacific Standard Time. They may also consult the Trios website for a list of Frequently Asked Questions at www.trioshealth.org/privacy or submit questions not answered there to Privacy@trioshealth.org for response.