Slashdot Mirror


Transcriber Threatens Release of Medical Records

talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."

20 of 377 comments

  1. Contract out and dream-on obliviously .... by OldHawk777 · · Score: 1, Informative

    SOS, it ain't new ...

    Prescience: Frequently is observing the obvious that will happen while others dream-on obliviously to reality. Examples: Would be the US Congress and Bush Cabinet.

    If you contract out your core business data or processes/applications, then expect to suffer many consequences beyond your control. Yep, it is USA government and business SOP ... old news articles liked on slashdot somewhere.

    Also, if USA law applies in India, China, ... wherever outside the USA, then it must be a USA possession or colony. So, extortion in the USA may not be extortion in Pakistan. Sort of like some corporate and/or political corruption in the USA is only criminal in the minds of many citizens. Breaking a law is criminal, breaking a principle or ethics is profitable [GBA!].

    HAVE FUN - OldHawk777

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  2. Computer-aided transcription by Valar · · Score: 4, Informative

    My dad is a hospital administrator, and at the hospital he runs (in rural Louisiana, none the less), they just invested in a voice recognition package specific to medical transcription. They never outsourced their transcription needs overseas, but they were having trouble meeting their needs with the staff on hand. So far he says it works far better than he expected, and has generated any serious errors (it tends to be better at picking out the appropriate medical words than at transcribing normal English, because the doctors tend to use rather obscure words). They still proofread the transcriptions as an error checking, but overall, it has been more accurate than even human transcription and cheaper too.

    1. Re:Computer-aided transcription by michael_cain · · Score: 2, Informative

      Interesting. My HMO is one of the Kaisers, and about three years ago they gave up dictated notes and started making the doctors and nurses type the material in directly. Each examination room was equipped with a networked PC and custom software for the notes. The software also included assorted forms/tools so that it was easy to order lab tests, commonly prescribed drugs, etc.

      It was kind of sad to watch my family doctor struggle to put in notes at first, but over time his keyboard skills have improved dramatically. I was a little concerned at first about errors creeping in due to bad typing, but that didn't seem to happen. He (the doctor) now thinks that direct typing is as fast as dictation ever was, and subject to fewer errors. There have been some other informal process changes -- the nurse I see first puts general health and specific symptom information into the opening page of the notes, and the doctor scans that first, rather than making me repeat the whole story.

      Almost 25 years ago, over the space of about a year, Bell Labs made the transition from typing pools with typewriters to typing pools with UNIX and troff to no typing pool and engineers typing their own material. I had been touch-typing since 6th grade, so was relieved that I could compose at the keyboard. The Labs could have spared themselves a certain amount of pain if they had made touch-typing classes available to the engineering staff.

      Part of me is surprised that the medical professions took so long to get to direct entry by the doctors and nurses, and that it isn't more common.

  3. Welcome to the hidden costs of offshoring! by sydbarrett74 · · Score: 3, Informative

    The title says it all.

    --
    'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  4. Re:HIPPA? by JJ22 · · Score: 4, Informative
    HIPAA would prevent this from happening in most cases. The law requires that agreements are in place with any companies/contractors with whom you share protected health information (I'm not sure if those transcripts would be PHI, but I believe they would).

    The problem here is with the newness of the law and the size of the company. It looks like the subcontractors being used are all "home-office" type deals that don't know the laws, which say that if you've signed a contract to handle PHI (and not disclose it) and you want to subcontract, you need to get the subcontracting firm to sign a similar document. The people mentioned in the article obviously haven't done that. Also, the article made it sound like the Pakistani woman was pretty much working on her own. When dealing with a larger (or real) company, you can have them sign a contract which would be enforceable in their own country (this is why we have lawyers).

    It is not a problem of laws not being enforceable as the article indicates, it is more of understanding the requirements of our laws and getting the right contracts into place that would be enforceable in other countries.

  5. Re:HIPPA? by mericet · · Score: 4, Informative
    It is, in fact, see for example "Business Associates" of "Covered Entities", or read the law, as I have (note, IANAL, nor an MD).

    It covers specifically these kinds of cases, and the hospital clearly didn't place the necessary safeguards, as far as I understand the law, '"We'll have to live with this risk on a daily basis," Ryba said' is simply not good enough.

  6. Re:This is predictable by wrax · · Score: 2, Informative

    Not really, I think most firms in the US and abroad actually do want to do a good job, just that there are just enough Bad Guys (tm) out there that sometimes companies and people get burned. This was an isolated incident that happened cause a woman didn't get paid by the jerk she was working for. If it was the USA she was working in she could sue the bastard, in Pakistan she didn't have a lot of recourse. I'll just note that in the article she says she didn't have any intention of making the records public and she retracted her threat after she got some money from another contractor.

  7. Small Nit. by Anonymous Coward · · Score: 1, Informative

    It's HIPAA.

    Health Insurance Portability and Accountability Act

  8. Remember EU Data Protection Laws? by Jammer@CMH · · Score: 2, Informative

    Remember how pissed-off these made US businesses, who resented being pressured to comply with EU laws regarding data outsourced from the EU (or otherwise concerning EU citizenry?) Now it seems that this model is not such a bad thing. Interested US parties (some hospitals, at least) now seem to be pushing for a model whereby they can enforce US data-protection laws on data concerning US citizens when it goes overseas.

  9. Transcription by scarolan · · Score: 2, Informative

    My dad is a doctor and I used to always be amazed how fast he could dictate his notes at the end of the day. He'd fly through a pile of 100 folders in about 45 minutes or less.

    Even more amazing is the girl who comes in to type all this stuff up - she does 120 words a minute with no errors!

    In any case there are certain things which should never be outsourced overseas, one of them being sensitive medical records.

  10. Re:HIPPA? by radulovich · · Score: 5, Informative
    It already does. Subcontractors are covered under the "Business Associate" definition. The text of the law is located here in PDF format ( http://www.hhs.gov/ocr/combinedregtext.pdf)

    The law specifically states that any work that a healthcare organization subcontracts out is to be held to the same standard. If the hospital did not insure that, then they are liable for both civil and criminal damages.

    This is actually one of the great things about the law. If an organization tries to escape any clause by subcontracting out the work, they are still liable. In this case, it seems that they did not even have an agreement with the contractors, which would be even larger penalties.

    As a final note, the hospital is already liable, because the woman sent patient records to the hospital via email. Unless the email was encrypted and only opened by the doctors giving care to the patients in record, then the hospital is liable. I expect the government will begin an investigation shortly, and the hospital will be fined within a year.

    Mark Radulovich, CISSP, NSA/IAM

  11. Re:Simply business by Lumpy · · Score: 3, Informative

    the funny part is that I have finally discovered real doctors still exist.

    they are small town doctors. not in it for their next Mercedes or that 7000SQ foot second house they want for parties...

    I drive 50 miles now for my regular doctor. he charges decent rates, ACTUALLY SEES YOU instead of only ever seeing an "aide" and is in it to help people and the community.

    Small town dentists are the same way... so head to the country if you are after decent healthcare at affordable prices without insurance.

    --
    Do not look at laser with remaining good eye.
  12. 3 subcontractors? Sounds like a Dilbert comic... by Dazhel · · Score: 2, Informative
  13. Re:HIPPA? by mapMonkey · · Score: 2, Informative

    Two things:

    1) HIPAA does not simply say "don't show stuff to people who aren't directly involved in medical treatment". HIPAA does not say anything simply actually; but it is more to the effect of "if you are going to show protected information to people outside of your organization, you need to establish contracts with them stating that they will protect that information".

    2) HIPAA may not apply to the people overseas, but it would apply to whoever was the last American company in the subcontract chain. UCSF must have a HIPAA-based agreement with whomever they have a subcontract, all the way on down the line. The one who breaks the chain would be at fault.

  14. Cheap ass company gets what they deserve by netglen · · Score: 2, Informative

    Well that cheap ass company got exactly what they deserve. When will companies learn that pretty much anything goes once you leave the aegis of American Law system? Sure you'll save a few bucks but how can you trust private data with a company in the third world?

    Here is an article on Wired which panders the need for 3rd world workers.

    A Case for Coolie Labor

  15. Re:HIPPA? by lonesome+phreak · · Score: 4, Informative

    Yes it is. Someone is getting a huge fine or even jail out of this. There is supposed to be a Business Associate Agreement between all Chain of Trust partners that stipulates both parties are following HIPAA just to be able to pass PHI between each other. Someone didn't follow the law and allowed PHI to be handed off to a non-compliant company. I do HIPAA audits for a living...

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
  16. Re:Nice... by lonesome+phreak · · Score: 2, Informative

    Report them to CMS, as your manager could go to jail over that. That's the only way to stop this is for some people to get in deep sh*t over it.

    https://htct.hhs.gov/?cms

    Go there and file a complaint right now.

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
  17. Re:Nice... by kabocox · · Score: 3, Informative

    You should have gone to the police and to as many of the "business" customers that you could contact if any. What your company was doing was information theft. If their customers found out, each could successfully sue for millions. Information is property. Your company did not have resell rights to it plain and simple. Your company only had the rights to run reports on the data. None of the data ever belonged to your company.

    You should sue for "wrongful" dismissal under whistle blower laws although you really wouldn't want to work there.

  18. Re:Nice... by zin · · Score: 2, Informative

    If you're in California you're required by law to report this incident as of July 2004.

    --
    -ZiN-
  19. Re: Ever read the Bill of Rights? by damiangerous · · Score: 3, Informative
    It is not possible to be convicted of a crime on circumstantial evidence alone. There must be a witness to the crime or there is no conviction.

    You are completely wrong. There must be witnesses? That's absolutely ludicrous. Do you have any idea how many crimes have no witnesses?

    Brief Google just for a couple examples of statements relating to circumstantial evidence:

    The Supreme Court of Pennsylvania

    "Moreover, this Court has established that circumstantial evidence alone can be sufficient to convict a person of a crime."

    The Supreme Court of New Hampshire upholding a conviction based solely on circumstantial evidence.

    "When the evidence presented is circumstantial, it must exclude all rational conclusions except guilt in order to be sufficient to convict."

    The Tennessee Appeals Court

    "However, a conviction may be based entirely on circumstantial evidence where the facts are 'so clearly interwoven and connected that the finger of guilt is pointed unerringly at the Defendant and the Defendant alone.'"

    The Louisiana Appeals Court

    "The rule as to circumstantial evidence is that, assuming every fact to be proved that the evidence tends to prove, in order to convict, it must exclude every reasonable hypothesis of innocence."