Slashdot Mirror
Transcriber Threatens Release of Medical Records
talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."
My dad is a hospital administrator, and at the hospital he runs (in rural Louisiana, none the less), they just invested in a voice recognition package specific to medical transcription. They never outsourced their transcription needs overseas, but they were having trouble meeting their needs with the staff on hand. So far he says it works far better than he expected, and has generated any serious errors (it tends to be better at picking out the appropriate medical words than at transcribing normal english. because the doctors tend to use rather obscure words). They still proofread the transcriptions as an error checking, but over all, it has been more accurate than even human transcription and cheaper too.
====
Crudely Drawn Games
The problem here is with the newness of the law and the size of the company. It looks like the subcontractors being used are all "home-office" type deals that don't know the laws, which say that if you've signed a contract to handle PHI (and not disclose it) and you want to subcontract, you need to get the subcontracting firm to sign a similar document. The people mentioned in the article obviously haven't done that. Also, the article made it sound like the Pakistani woman was pretty much working on her own. When dealing with a larger (or real) company, you can have them sign a contract which would be enforceable in their own country (this is why we have lawyers).
It is not a problem of laws not being enforcable as the article indicates, it is more of understanding the requirements of our laws and getting the right contracts into place that would be enforcable in other countries.
It covers specifically these kinds of cases, and the hospital clearly didn't place the necessary safeguards, as far as I understand the law, '"We'll have to live with this risk on a daily basis," Ryba said' is simply not good enough.
http://www.gnu.org/philosophy/words-to-avoid.html
The law specifically states that any work that a healthcare organizations subcontracts out is to be held to the same standard. If the hospital did not insure that, then they are liable for both civil and criminal damages.
This is actually one of the great things about the law. If an organization tries to escape any clause by subcontracting out the work, they are still liable. In this case, it seems that they did not even have an agreement with the contractors, which would be even larger penalties.
As a final note, the hospital is already liable, because the woman sent patient records to the hospital via email. Unless the email was encrypted and only opened by the doctors giving care to the patients in record, then the hospital is liable. I expect the government will begin an investigation shortly, and the hospital will be fined within a year.
Mark Radulovich, CISSP, NSA/IAM
Yes it is. Someone is getting a huge fine or even jail out of this. There is supposed to be a Business Associate Agreement between all Chain of Trust partners that stipulates both parties are following HIPAA just to be able to pass PHI between each other. Someone didn't follow the law and allowed PHI to be handed off to a non-compliant company. I do HIPAA audits for a living...
Maybe we DID take the blue pill. You wouldn't remember anyway.