Transcriber Threatens Release of Medical Records
talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."
The law specifically states that any work that a healthcare organization subcontracts out is to be held to the same standard. If the hospital did not ensure that, then they are liable for both civil and criminal damages.
This is actually one of the great things about the law. If an organization tries to escape any clause by subcontracting out the work, they are still liable. In this case, it seems that they did not even have an agreement with the contractors, which would be even larger penalties.
As a final note, the hospital is already liable, because the woman sent patient records to the hospital via email. Unless the email was encrypted and only opened by the doctors giving care to the patients in record, then the hospital is liable. I expect the government will begin an investigation shortly, and the hospital will be fined within a year.
Mark Radulovich, CISSP, NSA/IAM