Transcriber Threatens Release of Medical Records
talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."
Isn't HIPAA supposed to protect us from this type of thing?
Don't blame me, I voted for Kodos
Everything is then electronic and retrievable from the get-go. Good for the economy, efficiency, morale---everything but the bottom line on healthcare costs in the short run ;)
William
(who just finished a nightmarish rush project which became so 'cause the boss tried to outsource it and the overseas shop mangled the nice LaTeX job using Quark XPress)
Sphinx of black quartz, judge my vow.
Any time you pass on potentially sensitive data onto a third party there is the opening for abuse of this nature. When you outsource you are at the mercy of the contracted party and their security measures (if any) become your security measures. Add to that sub-contractors... Big freakin' mess.
Certain information should remain in the USA and not be contracted out. Ever. Looks to me that this whole fad of out-sourcing overseas has just come back to bite people in the ass. Maybe now some of the fools will learn that the old adage "Charity begins at home" is a good idea: keep those jobs here; the costs aren't in just dollars saved or wages paid.
The article describes what amounts to a chain of subcontractors handling the medical transcriptions. The top of the chain is a firm in Sausalito handling medical transcriptions, which hired a subcontractor in Texas, who then farms out work to a network of subcontractors -- which led to the woman in Pakistan.
I think the guy in Texas should be held liable, no? He's the one playing fast and loose with patient privacy, and I can't imagine he has no legal culpability here.
Anyone out there have an understanding of the legal framework for something like this?
quiquid id est, timeo puellas et oscula dantes.
Disclosure: I've worked in hospital administration so I've seen this stuff first hand.
Medical service providers are under a lot of pressure to reduce costs. So outsourcing isn't surprising and can work really well. Outside of medicine, hospitals tend to be pretty technically unsophisticated. But there also is the fact that medical organizations tend to be very rigidly hierarchical. Once data or a patient leaves the department, no one cares what happens to it. It's not right, but it is reality. Once you combine the two we have problems. Stuff gets outsourced and no one follows up to find out where to.
There has been a big stink about medical privacy (and rightly so) but in real terms it is not as private as it should be. HIPAA? Please. HIPAA just codifies what medical personnel were supposed to be doing anyway. And if you think your charts don't get discussed and shared you're kidding yourself. Medical people are some of the most gossipy folks I've ever met.
We checked into this too, but the cost of the proofreader(s) was still too high in a high volume situation. Lower volumes could probably work, especially if the Dr were consistent in their 'dictation' voice.
Even worse! They SELL the info to drug companies!
I once mentioned a certain problem (side effect of a drug) to a doctor. 7 years ago or so. I was not being treated for it, but he wrote it in his notes. Lo and behold, a month later, I start getting ads in my mail from drug companies for this problem. Not something common. I told the doctor and he was in shock. He agreed that the transcription company must have sold the info. He refused to follow up on it, as did I. In retrospect, I could have caused a stink, but I'm not at all convinced I would have gotten any satisfaction.
I strongly suggest taking your lawyer with you on all doctor's visits. I now review doctor's notes completely (after transcription) and force them to make corrections. It is amazing what sorts of errors the transcription companies make in the notes. And this is what insurance companies look at when you apply for insurance.
In all, I'm pretty frightened of the medical system after a couple of incidents. I avoid the system at all costs. The funny thing is that it is this fear of the system, not of disease, that has actually prompted my very healthy lifestyle. I don't ever want to have to depend on that system for anything. Even the "nice good" doctors who are a part of it are to blame for idly sitting by and letting it all happen. They like to pretend that they are just pawns in a bigger game. Not!
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
The problem with voice recognition is that almost 70% of the physicians who are dictating are foreign with thick accents. On standard English voices without accents, voice recognition has a 40% success rate without training. With training, it can get as high as 90%. Add a thick foreign accent, and these rates drop bigtime.
I know of a particular BIG insurance company here in Texas that outsources a LOT of their core work overseas. This company happens to cater to members of the US armed forces and civil service employees. When people get deployed or move, they have to call this company to have all their addresses changed.
To think... now India and Pakistan probably now have a good listing of where a lot of our US service members are located. It's glad that India and Pakistan are our "allies" or we'd really be in the shit now...
Perhaps medical transcription companies should take the SETI@Home approach: digitize all the data to be transcribed, slice it into overlapping chunks of about 20 seconds each, and distribute the work as widely and randomly as possible. In the process of transcription, workers mark fragments as partially or completely unintelligible/incomprehensible so that new larger fragments can be sent out for only those sections which really need more context or the same fragments can be sent to workers who are more likely to understand a heavily accented speaker. Unlike SETI@Home, however, this is a money-making enterprise, so some sort of micro-payment scheme would need to be established.
No one person would likely have enough information to be dangerous, as long as the (automated) process of assembling the results is done in a trusted (and prosecutable) environment.
Of course, this is just an automater's dream... it would in the end be vastly more expensive than simply managing the subcontractor problem as-is.
What do you mean they cut the power? How can they cut the power, man? They're animals!
Many moons ago, I did not hesitate to destroy all the accounting data of a company that wanted me to violate the election financing laws. The servers were thoroughly wiped and they were made very aware that any contrary action would result in a disclosure of their plans (which would actually have embarrassed the government).
They subsequently got in trouble with the revenue department for not having suitable records; all in for all, the owner was sufficiently fined by the revenue department to lose his house over it.
Just wait until this thing gets a bit wider publicity. You can be sure that holding individuals for ransom from the developing country for a developed product will get more and more common due to the copycat factor. I have a funny feeling that this is only the beginning of a large landslide.
Even worse, wait until outsourced hardware design starts showing how faulty it can be. Where engineers can be held responsible for products that overheat and kill over here, imagine if someone in a third-world country decides to be lazy and not put overcurrent protection on a device in a certain mode that UL safety guidelines happen to not specifically cover. People could end up having their houses burn down. Now, while the company can be held liable, what about the engineer? He can just disappear into the background noise, never be held responsible, and never become an example to others in his community of what happens when a product is shoddily engineered to meet a raw cost objective.
I think there is some optimism that comes from this story, however. It may yet prove that outsourcing is an enormous mistake for many companies. Particularly when the spectre of massive lawsuits is involved, I think that insurance companies will get increasingly involved in these situations. The cost advantages of outsourcing never factored in the increased liability risks presented to the company from the antics and poor quality of work of their outsourced workers in the first place. I don't like insurance companies any more than the next person, but neither do I think insurance companies have discovered to what degree their insured could be subjected to precisely these types of scenarios. Maybe what the geek community could do is start a campaign to inform insurance companies and their actuaries of these situations in order to raise the rates of companies who outsource. Maybe - just maybe - they could once again swing the balance of favor towards workers here.
Two comments:
First of all, I guarantee that UCSF had a contract protecting PHI with that sub-contractor. The UC system had several thousand subcontractors with whom they had to rewrite agreements before the deadline in April. Any with whom they did not have a contract were terminated.
Secondly, the hospital is not liable because they were sent unencrypted email of PHI. That doesn't even make common sense, if that could happen then I could email my doctor my last x-ray result, then sue him for breaking my confidentiality. Unless her medical records show up somewhere, she can claim no damages, and therefore have no suit, although IANAL (look at my username). The gov't, however, is another matter entirely...
Bingo! We have a winner!
I couldn't possibly afford to pay out-of-pocket for medical care. The rates listed on the invoice are just foolishly high. When I get my insurance statement, though, the rates are a bit more in line with what's affordable. Actually, some reimbursements are, IMHO, too low for the services rendered. There are lots of costs involved in servicing a patient (record keeping, billing, expendables, rent, receptionist, taxes, nurse time) that add up to far more than the physician's time.
Nonetheless, if I could get the insurance-negotiated rates up front from my physician and dentist, I would happily pay the day I received service and there would be no need for claim forms and 60-90 day payment delays. At negotiated rates, I could get away with a high deductible major medical policy and a medical savings account, paying most routine costs out-of-pocket.
On a side topic, the dramatic rise in malpractice insurance premiums (actually, most premiums) over the last few years has very little to do with (1) 9/11 losses or (2) malpractice lawsuits. You can see the malpractice effects in different states with varying laws, but that's not the driving factor.
The financial markets - bonds in particular - are the problem. Don't believe me? Where do insurance companies make their money? Sure, they get capital from their premiums, but that money needs to be invested or their reserves will slowly erode to the inevitable march of inflation. They must invest in safe securities, and bonds are where a majority of the money goes.
When the bond market is doing well, insurance companies, like all for-profit ventures, seek to expand. They do this, in part, by offering to undercut the competition on price. During the boom years in the 90s, insurance premiums in some industries didn't even cover the losses. It didn't matter because the ins. companies were making so much in the securities market that they turned a tidy profit. Now the boom is over and the insurance companies have to cover payouts with premiums again.
FWIW, I have a bit of first hand experience with liability insurance. I pay over 12% of _gross billables_ to insure my small structural engineering firm. I've never had a claim, and very little history to add cost to my "claims made" policy.
Is it just my observation, or are there way too many stupid people in the world?
After a fairly minor motorcycle accident, I ended up with a $3500 hospital bill because they didn't correctly copy my information and determined I didn't have insurance. When I finally straightened all of that up, the bill was for $1100 because of better negotiated rates, 80% of which my HMO paid. If the hospitals are getting so much less for HMO treated people, where do they make money? By raising the prices for the uninsured.
Hopefully at this point the reader goes, "WTF, the uninsured are the ones who need the best pricing!" And the reader would be right; it's a fucked up system where the rich get better treatment for less because the hospitals sign deals because if they don't, and a major HMO walks away, that hospital has just lost a large portion of its non-emergency business. And with the hospitals (maybe not the doctors themselves, but definitely with the hospitals), it really is just business; not people.
Buying a car last year, the saleswoman had a question on some of the forms.
She asked a more senior salesperson...
I overheard:
"Yes, we have to fill that in very carefully, so the transcribers in Mexico can enter it in the computer properly."
This, with a technically US-based bank loaning the money.
Now...nothing against Mexico, per se, but shipping *my* info over the border for processing just to save a buck or two is ridiculous.
ok, hindsight is 20/20 and it's easy to say that someone should have done something differently without having to be in that person's shoes, but i don't see your answer as better.
it started off right, with "you should have blown the whistle." i'd agree with that, and i'd suggest anyone in that position right now --and debating what to do-- take that route. there are whistleblower laws, depending on the circumstances, that will protect someone who turns in an employer for illegal activity.
what you did was illegal. you could have been fined and gone to jail for it, and were counting on your employer's fear of your blackmail to insure they would not prosecute you. the fact that you got away with it does not mean you should advise other people to do the same (and if the statute of limitations hasn't run out you probably shouldn't be posting on slashdot about it, either).
"Mister Potato-head --MISTER POTATO-HEAD! Backdoors are not secrets!" (War Games, 1983)