Slashdot Mirror


Transcriber Threatens Release of Medical Records

talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."


  1. HIPPA? by i.r.id10t · · Score: 3, Interesting

    Isn't HIPAA supposed to protect us from this type of thing?

    --
    Don't blame me, I voted for Kodos
    1. Re:HIPPA? by endus · · Score: 2, Interesting

      Yea you would think so. This is the first in what I have been predicting to be a long line of complication with sending work that deals with sensitive materials overseas. Of course no one in a position of power thinks about these issues until they come back to bite them in the ass.

      Not that that means anything will be done of course. I'm sure we'll just have to learn to live with this kind of thing because it's "no big deal".

    2. Re:HIPPA? by Ungrounded+Lightning · · Score: 3, Insightful

      Isn't HIPAA supposed to protect us from this type of thing?

      Perhaps the contractor who shipped the data overseas can be prosecuted, because he mishandled the data by moving it to where US laws can't be used to safeguard it.

      But probably not. One of the (usually fortunate) principles of US law is that, if there is any ambiguity, the interpretation most favorable to the defendant must be used.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    3. Re:HIPPA? by JJ22 · · Score: 4, Informative
      HIPAA would prevent this from happening in most cases. The law requires that agreements are in place with any companies/contractors with whom you share protected health information (I'm not sure if those transcripts would be PHI, but I believe they would).

      The problem here is with the newness of the law and the size of the company. It looks like the subcontractors being used are all "home-office" type deals that don't know the laws, which say that if you've signed a contract to handle PHI (and not disclose it) and you want to subcontract, you need to get the subcontracting firm to sign a similar document. The people mentioned in the article obviously haven't done that. Also, the article made it sound like the Pakistani woman was pretty much working on her own. When dealing with a larger (or real) company, you can have them sign a contract which would be enforceable in their own country (this is why we have lawyers).

      It is not a problem of laws not being enforceable as the article indicates, it is more of understanding the requirements of our laws and getting the right contracts into place that would be enforceable in other countries.

    4. Re:HIPPA? by mericet · · Score: 4, Informative
      It is, in fact, see for example "Business Associates" of "Covered Entities", or read the law, as I have (note, IANAL, nor a MD).

      It covers specifically these kinds of cases, and the hospital clearly didn't place the necessary safeguards, as far as I understand the law, '"We'll have to live with this risk on a daily basis," Ryba said' is simply not good enough.

    5. Re:HIPPA? by arth1 · · Score: 2, Interesting

      Perhaps the contractor who shipped the data overseas can be prosecuted, because he mishandled the data by moving it to where US laws can't be used to safeguard it.

      But probably not. One of the (usually fortunate) principles of US law is that, if there is any ambiguity, the interpretation most favorable to the defendant must be used.

      You're funny. The US is one of the few western countries where you can (and people often do) get convicted based on circumstantial evidence.

      Furthermore, this would be civil court, where the requirements for a conviction are much lower -- to the point where you can get a judgment against you because of a belief of likelihood.

      Yes, justice is blind, especially after she got a blanket thrown over her head by Mr. Ashcroft...

      --
      *Art

    6. Re:HIPPA? by radulovich · · Score: 5, Informative
      It already does. Subcontractors are covered under the "Business Associate" definition. The text of the law is located here in PDF format (http://www.hhs.gov/ocr/combinedregtext.pdf)

      The law specifically states that any work that a healthcare organization subcontracts out is to be held to the same standard. If the hospital did not ensure that, then they are liable for both civil and criminal damages.

      This is actually one of the great things about the law. If an organization tries to escape any clause by subcontracting out the work, they are still liable. In this case, it seems that they did not even have an agreement with the contractors, which would be even larger penalties.

      As a final note, the hospital is already liable, because the woman sent patient records to the hospital via email. Unless the email was encrypted and only opened by the doctors giving care to the patients in record, then the hospital is liable. I expect the government will begin an investigation shortly, and the hospital will be fined within a year.

      Mark Radulovich, CISSP, NSA/IAM

    7. Re:HIPPA? by mapMonkey · · Score: 2, Informative

      Two things:

      1) HIPAA does not simply say "don't show stuff to people who aren't directly involved in medical treatment". HIPAA does not say anything simply actually; but it is more to the effect of "if you are going to show protected information to people outside of your organization, you need to establish contracts with them stating that they will protect that information".

      2) HIPAA may not apply to the people overseas, but it would apply to whoever was the last American company in the subcontract chain. UCSF must have a HIPAA-based agreement with whomever they have a subcontract, all the way on down the line. The one who breaks the chain would be at fault.

    8. Re:HIPPA? by lonesome+phreak · · Score: 4, Informative

      Yes it is. Someone is getting a huge fine or even jail out of this. There is supposed to be a Business Associate Agreement between all Chain of Trust partners that stipulates both parties are following HIPAA just to be able to pass PHI between each other. Someone didn't follow the law and allowed PHI to be handed off to a non-compliant company. I do HIPAA audits for a living...

      --
      Maybe we DID take the blue pill. You wouldn't remember anyway.
  2. Nice... by Lumpy · · Score: 4, Insightful

    I can hear the conversation in the board room now....

    "Who thought that outsourcing this was a good idea?"

    How long until the IT outsourcing starts biting companies in the arse?

    remember our laws are NOT their laws.

    --
    Do not look at laser with remaining good eye.
    1. Re:Nice... by humpTdance · · Score: 2, Insightful

      True blackmailing is, but this has nothing to do with blackmailing and everything to do with the disparity between OUR privacy laws and THEIR privacy laws.

    2. Re:Nice... by Pathetic+Coward · · Score: 2, Insightful

      Well, they're not taking responsibility.

      They passed the buck down to subcontractor A, who passed it to subcontractor B, who passed it to subcontractor C, who had to pay the cost because subcontractor D had taken the money and ran.

      No one at UCSF thinks they did one damn thing wrong.

    3. Re:Nice... by curtisk · · Score: 2, Funny
      remember our laws are NOT their laws

      *Evil laugh* Everything in due time, in due time.....patience! *Bwahahahaha*

      --

      Sehr geehrter Toilettenbenutzer!

    4. Re:Nice... by I8TheWorm · · Score: 4, Insightful

      -- What this world needs is some geeks with the backbone to stand up for what they believe in.

      .... Begin long story here ....

      I lost a job for it, and feel like a better man in the long run. I worked for a company that processed medical records, and sent hundreds of reports back to the practices/hospitals. Side benefit was selling generic statistics to insurance companies, etc... All of that was legal and the companies we serviced had knowledge of it.

      While rewriting crappy code there, I noticed one particular batch that was different. It seemed to be sending not-so-generic data (it included names, address, and phone numbers). It also had a different naming convention. I brought it up with my IT Director, who promptly dismissed it as "normal, we deal with many kinds of businesses."

      It seems we were selling personal information to marketing firms. I found that the firms we serviced had no knowledge of that, so I refused to write the code. Of course I got fired, had a company officer watch me pack my things, and escort me to the door, all the while trying to convince me they were doing nothing wrong, and I shouldn't mention this to anyone, blah blah blah.

      .... End long story here ....

      I think anyone in the know at a company (and most programmers/dba's are in the know) should exercise some responsibility. If it's wrong, it's wrong. Look at the folks who got in trouble at Enron for looking the other way.

      If that same company were shipping data overseas, I would have had the same reaction, and probably the same ensuing unemployment.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
    5. Re:Nice... by Pig+Hogger · · Score: 2, Interesting
      ...
      so I refused to write the code. Of course I got fired
      ...
      I think anyone in the know at a company (and most programmers/dba's are in the know) should exercise some responsibility. If it's wrong, it's wrong. Look at the folks who got in trouble at Enron for looking the other way.
      You did it stupidly. Thou shalt have blown thy whistle publicly and, if you could, wreck their company by destroying data.

      Many moons ago, I did not hesitate to destroy all the accounting data of a company that wanted me to violate the election financing laws. The servers were thoroughly wiped and they were made very aware that any contrary action would result in a disclosure of their plans (which would actually have embarrassed the government).

      They subsequently got in trouble with the revenue department for not having suitable records; all in for all, the owner was sufficiently fined by the revenue department to lose his house over it.

    6. Re:Nice... by lonesome+phreak · · Score: 2, Informative

      Report them to CMS, as your manager could go to jail over that. That's the only way to stop this is for some people to get in deep sh*t over it.

      https://htct.hhs.gov/?cms

      Go there and file a complaint right now.

      --
      Maybe we DID take the blue pill. You wouldn't remember anyway.
    7. Re:Nice... by kabocox · · Score: 3, Informative

      You should have gone to the police and to as many of the "business" customers that you could contact if any. What your company was doing was information theft. If their customers found out, each could successfully sue for millions. Information is property. Your company did not have resell rights to it plain and simple. Your company only had the rights to run reports on the data. None of the data ever belonged to your company.

      You should sue for "wrongful" dismissal under whistle blower laws although you really wouldn't want to work there.

    8. Re:Nice... by zin · · Score: 2, Informative

      If you're in California you're required by law to report this incident as of July 2004.

      --
      -ZiN-
  3. Simply business by BWJones · · Score: 5, Insightful

    This is why certain aspects of business will always cause privacy problems such as this. The goal of many businesses is not to provide the best possible service or the best possible products. Rather it is simply to make money. This is why HMO's never made sense to me and why they were a con foisted upon the American public. They have not made the practice of medicine any cheaper, rather they have simply moved profits from the physicians, nurses and technicians and moved it to a new middle layer of management who makes decisions such as exporting transcription overseas to markets with no concern for privacy.

    --
    Visit Jonesblog and say hello.
    1. Re:Simply business by Lumpy · · Score: 2, Insightful

      yes and no.... mostly no.

      With my HMO, I get my medical needs filled cheaply. My company gets a decent deal on the insurance, my premium is at a low level and $15.00 a visit is dirt cheap with $5.00 prescriptions and $25.00 Emergency room visits...

      counter that with $180.00 office visits and $60.00 prescription costs and $590.00 emergency room bill for the same damn thing.. you can easily see why people go for HMO's.

      doctors are gouging the hell out of the patients, hospitals are bending them over and raping them hard in costs. ($65.00 for 2 damned aspirin? just because a $10.00 an hour nurses aide gave them to my daughter in a paper cup?)

      the problem is not solely on the HMO's lap.

      but try and survive in america without health insurance... the system in place will eat you alive and gladly take every dime you have.

      --
      Do not look at laser with remaining good eye.
    2. Re:Simply business by Lumpy · · Score: 3, Informative

      the funny part is that I have finally discovered real doctors still exist.

      they are small town doctors. not in it for their next Mercedes or that 7000SQ foot second house they want for parties...

      I drive 50 miles now for my regular doctor. he charges decent rates, ACTUALLY SEES YOU instead of only ever seeing a "aide" and is in it to help people and the community.

      Small town dentists are the same way... so head to the country if you are after decent healthcare at affordable prices without insurance.

      --
      Do not look at laser with remaining good eye.
    3. Re:Simply business by Sgt+York · · Score: 2, Insightful
      This is due to malpractice. I have many MD friends (who talked me out of med school for precisely this reason, BTW) that complain about this all the time. Most of them take home substantially less now than they did 10 years ago. Some are as far down as half, even though their salaries have increased quite significantly. The difference is in malpractice insurance (BTW, a large percentage of the salary increases are to compensate for the malpractice insurance increases, so the hospital gets screwed 2x). A significant portion of that $32.50 aspirin went towards making sure that the nurse that delivered it, the doctor that prescribed it, and the hospital in which it was taken won't go bankrupt when one kid's father decides to sue everybody because the aspirin gave their kid acid indigestion.

      Pediatrics is the second worst (OB is the worst) for this kind of thing. People decide to cash in because, hey, it's the insurance company! They have tons of money and are faceless, right? And they've been screwing me over for years, so now I'm gonna get mine.

      The problem is not solely in the HMO's lap. The problem is not solely in the doctor's lap. It's not just the lawyers, the hospital administration, or the health care system in general. We (the public at large) share the blame as well, not only because we're the ones suing, but because we allow this kind of crap to go on.

      I'm all for compensating people who are hurt through another's negligence. But this has gotten out of hand. We need tort reform.

      --

      There is a reason for everything. Sometimes that reason just sucks.

    4. Re:Simply business by Overzeetop · · Score: 2, Interesting

      Bingo! We have a winner!

      I couldn't possibly afford to pay out-of-pocket for medical care. The rates listed on the invoice are just foolishly high. When I get my insurance statement, though, the rates are a bit more in line with what's affordable. Actually, some reimbursements are, IMHO, too low for the services rendered. There are lots of costs involved in servicing a patient (record keeping, billing, expendables, rent, receptionist, taxes, nurse time) that add up to far more than the physician's time.

      Nonetheless, if I could get the insurance-negotiated rates up front from my physician and dentist, I would happily pay the day I received service and there would be no need for claim forms and 60-90 day payment delays. At negotiated rates, I could get away with a high deductible major medical policy and a medical savings account, paying most routine costs out-of-pocket.

      On a side topic, the dramatic rise in malpractice insurance premiums (actually, most premiums) over the last few years has very little to do with (1) 9/11 losses or (2) malpractice lawsuits. You can see the malpractice effects in different states with varying laws, but that's not the driving factor.

      The financial markets - bonds in particular - are the problem. Don't believe me? Where do insurance companies make their money? Sure, they get capital from their premiums, but that money needs to be invested or their reserves will slowly erode to the inevitable march of inflation. They must invest in safe securities, and bonds are where a majority of the money goes.

      When the bond market is doing well, insurance companies, like all for-profit ventures, seek to expand. They do this, in part, by offering to undercut the competition on price. During the boom years in the 90s, insurance premiums in some industries didn't even cover the losses. It didn't matter because the ins. companies were making so much in the securities market that they turned a tidy profit. Now the boom is over and the insurance companies have to cover payouts with premiums again.

      FWIW, I have a bit of first hand experience with liability insurance. I pay over 12% of _gross billables_ to insure my small structural engineering firm. I've never had a claim, and very little history to add cost to my "claims made" policy.

      --
      Is it just my observation, or are there way too many stupid people in the world?
  4. Computer-aided transcription by Valar · · Score: 4, Informative

    My dad is a hospital administrator, and at the hospital he runs (in rural Louisiana, none the less), they just invested in a voice recognition package specific to medical transcription. They never outsourced their transcription needs overseas, but they were having trouble meeting their needs with the staff on hand. So far he says it works far better than he expected, and has not generated any serious errors (it tends to be better at picking out the appropriate medical words than at transcribing normal English, because the doctors tend to use rather obscure words). They still proofread the transcriptions as an error check, but over all, it has been more accurate than even human transcription and cheaper too.

    1. Re:Computer-aided transcription by NynexNinja · · Score: 2, Interesting

      The problem with voice recognition is that almost 70% of the physicians who are dictating are foreign with thick accents. On standard english voices without accents, voice recognition has a 40% success rate without training. With training, it can get as high as 90%. Add a thick foreign accent, and these rates drop bigtime.

    2. Re:Computer-aided transcription by michael_cain · · Score: 2, Informative

      Interesting. My HMO is one of the Kaisers, and about three years ago they gave up dictated notes and started making the doctors and nurses type the material in directly. Each examination room was equipped with a networked PC and custom software for the notes. The software also included assorted forms/tools so that it was easy to order lab tests, commonly prescribed drugs, etc.

      It was kind of sad to watch my family doctor struggle to put in notes at first, but over time his keyboard skills have improved dramatically. I was a little concerned at first about errors creeping in due to bad typing, but that didn't seem to happen. He (the doctor) now thinks that direct typing is as fast as dictation ever was, and subject to fewer errors. There have been some other informal process changes -- the nurse I see first puts general health and specific symptom information into the opening page of the notes, and the doctor scans that first, rather than making me repeat the whole story.

      Almost 25 years ago, over the space of about a year, Bell Labs made the transition from typing pools with typewriters to typing pools with UNIX and troff to no typing pool and engineers typing their own material. I had been touch-typing since 6th grade, so was relieved that I could compose at the keyboard. The Labs could have spared themselves a certain amount of pain if they had made touch-typing classes available to the engineering staff.

      Part of me is surprised that the medical professions took so long to get to direct entry by the doctors and nurses, and that it isn't more common.

  5. Solution, get everyone Tablet PCs and dictation SW by WillAdams · · Score: 2, Interesting

    Everything is then electronic and retrievable from the get-go. Good for the economy, efficiency, morale---everything but the bottom line on healthcare costs in the short run ;)

    William
    (who just finished a nightmarish rush project which became so 'cause the boss tried to outsource it and the overseas shop mangled the nice LaTeX job using Quark XPress)

    --
    Sphinx of black quartz, judge my vow.
  6. Real Issue by Rotten · · Score: 5, Insightful

    The problem is not overseas workers. The real issue here is sensitive information being processed by networks of subcontractors without the knowledge of the information owner.

  7. Outsourcing.. by NegativeK · · Score: 4, Insightful

    Can anyone else see large software companies having this problem? Company sends the project overseas to be developed, employees return the finished source, and then toss their NDA in the trash by holding the source ransom over the internet.

    We've all seen what source in the wild can do (whether you believe some of the rumors about how HL2 source was released, it's _still_ delayed), and a group trying to profit off of source code could even be worse. Of course, no manager is going to listen to little old me.. Mainly because I'm not crawling down their throats for this quarter's profit margin. =T

    --
    This statement is false.
  8. This is predictable by fudgefactor7 · · Score: 4, Interesting

    Any time you pass on potentially sensitive data onto a third party there is the opening for abuse of this nature. When you outsource you are at the mercy of the contracted party and their security measures (if any) become your security measures. Add to that sub-contractors... Big freakin' mess.

    Certain information should remain in the USA and not be contracted out. Ever. Looks to me that this whole fad of out-sourcing overseas has just come back to bite people in the ass. Maybe now some of the fools will learn that the old adage "Charity begins at home" is a good idea: keep those jobs here; the costs aren't in just dollars saved or wages paid.

    1. Re:This is predictable by wrax · · Score: 2, Informative

      Not really, I think most firms in the US and abroad actually do want to do a good job, just that there are just enough Bad Guys (tm) out there that sometimes companies and people get burned. This was an isolated incident that happened cause a woman didn't get paid by the jerk she was working for. If it was the USA she was working in she could sue the bastard, in Pakistan she didn't have a lot of recourse. I'll just note that in the article she says she didn't have any intention of making the records public and she retracted her threat after she got some money from another contractor.

  9. Bad, and good at the same time by SupahVee · · Score: 2, Insightful

    No doubt this is a 'bad thing' since medical record confidentiality is a widely accepted thing in our society. But having known several people who have worked for large hospitals, medical offices, and such, this is simply payback for those hospitals who clear millions of dollars in profits AFTER they've already paid everyone in the building.

    Business will always be business, and every manager wants a fatter check for getting things done cheaply, but they simply got what they paid for. They wanted it cheap, now they got the quality that comes with that.

    Pay your employees, people! Create some value in your business by doing it yourself. I'm not saying that a medical transcriptionist should be making 75K/yr, but the money they saved by offshoring this, they just lost 10 times over in the lawsuits that will be flowing into that hospital now for violating doctor-patient confidentiality.

    A middle manager/upper manager should be fired, publicly, for this.

    --
    "See, we plan ahead! That way, we never have to do anything now."
  10. Outsourcing gnomes by humpTdance · · Score: 2, Funny
    Step 1) Pay offshore company peanuts to transcribe medical records

    Step 2) ....

    Step 3) Profit!

    1. Re:Outsourcing gnomes by Zemran · · Score: 2, Funny

      Step 1) Pay offshore company peanuts to transcribe medical records

      Amendment to step 1 ) Do not pay offshore company to transcribe medical records,...

      Amendment to step 3 ) Bigger profit

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  11. To put a positive spin on it. by Population · · Score: 5, Funny

    It only took a few hundred dollars to pay her off.

    Even extortion is cheaper when done overseas.

    1. Re:To put a positive spin on it. by Elbow+Macaroni · · Score: 2, Funny
      Yeah and then you are out a few hundred dollars ....

      There's a sucker born every minute.

      --
      -------------------------------------
      Technically, we are beyond survival.
  12. Dangers of outsourcing overseas. by Dairyland.Net · · Score: 4, Insightful

    Companies are setting themselves up for a big hurt when they outsource overseas. This instance shows just some of the dangers and downfalls. Eventually, it's going to come around and bite them in the arse. What happened to all the forward thinkers? The over-zealous drive for profits and cost savings for today without thinking about tomorrow hurts us all - from the executives, to the workers, to the consumers, and, yes, even the shareholders. For example, America's technological edge is dying all because of overseas outsourcing. Why would any kid want to go to college for CS/IT when the job prospects are so miserable?

  13. Chain of subcontractors by mariox19 · · Score: 3, Interesting

    The article describes what amounts to a chain of subcontractors handling the medical transcriptions. The top of the chain is a firm in Sausalito handling medical transcriptions, which hired a subcontractor in Texas, who then farms out work to a network of subcontractors -- which led to the woman in Pakistan.

    I think the guy in Texas should be held liable, no? He's the one playing fast and loose with patient privacy, and I can't imagine he has no legal culpability here.

    Anyone out there have an understanding of the legal framework for something like this?

    --

    quiquid id est, timeo puellas et oscula dantes.

  14. This happens all the time by sjbe · · Score: 2, Interesting

    Disclosure: I've worked in hospital administration so I've seen this stuff first hand.

    Medical service providers are under a lot of pressure to reduce costs. So outsourcing isn't surprising and can work really well. Outside of medicine, hospitals tend to be pretty technically unsophisticated. But there also is the fact that medical organizations tend to be very rigidly hierarchical. Once data or a patient leaves the department, no one cares what happens to it. It's not right, but it is reality. Once you combine the two we have problems. Stuff gets outsourced and no one follows up to find out where to.

    There has been a big stink about medical privacy (and rightly so) but in real terms it is not as private as it should be. HIPAA? Please. HIPAA just codifies what medical personnel were supposed to be doing anyway. And if you think your charts don't get discussed and shared you're kidding yourself. Medical people are some of the most gossipy folks I've ever met.

  15. Welcome to the hidden costs of offshoring! by sydbarrett74 · · Score: 3, Informative

    The title says it all.

    --
    'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  16. Even Worse!! by moehoward · · Score: 4, Interesting

    Even worse! They SELL the info to drug companies!

    I once mentioned a certain problem (side effect of a drug) to a doctor. 7 years ago or so. I was not being treated for it, but he wrote it in his notes. Lo and behold, a month later, I start getting ads in my mail from drug companies for this problem. Not something common. I told the doctor and he was in shock. He agreed that the transcription company must have sold the info. He refused to follow up on it, as did I. In retrospect, I could have caused a stink, but I'm not at all convinced I would have gotten any satisfaction.

    I strongly suggest taking your lawyer with you on all doctor's visits. I now review doctor's notes completely (after transcription) and force them to make corrections. It is amazing what sorts of errors the transcription companies make in the notes. And this is what insurance companies look at when you apply for insurance.

    In all, I'm pretty frightened of the medical system after a couple of incidents. I avoid the system at all costs. The funny thing is that it is this fear of the system, not of disease, that has actually prompted my very healthy lifestyle. I don't ever want to have to depend on that system for anything. Even the "nice good" doctors who are a part of it are to blame for idly sitting by and letting it all happen. They like to pretend that they are just pawns in a bigger game. Not!

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
  17. Data Protection Act by Phillip2 · · Score: 2, Insightful

    This is why the US needs a strong data protection act. In Europe there are strong laws to prevent release of personal information without the direct agreement of the person. And to make this law at all useful it would be illegal for a company to release that information, or transfer it to another country which does not have similar strong laws which are enforcible. So this situation would never have happened.

    Indeed, this caused all sorts of hassles with transatlantic companies. They could not transfer data to the US because it didn't have an equivalent law. In the end the "Safe Harbour" agreement came up, which means that personal data about me, gathered in Europe, but exported to the US has stronger data protection than personal data gathered about US citizens and kept in the US.

    It's a strange world.

    Phil

  18. Won't happen for much longer by whoppers · · Score: 2, Insightful

    With tablet PC's and the like, doctors down here in Houston (at least at my wife's 20 doctor clinic) are starting to enter their own records.

    This sort of problem only happens at the huge hospital systems, not your regional health system.

  19. It cuts both ways by Bazzargh · · Score: 4, Insightful

    Remember this:

    "A group of American companies is attempting this week to persuade the European Union to relax its rules governing data protection, claiming they are bad for business.
    [...]
    The EU passed the Data Protection Directive in 1998, and this has subsequently been implemented into national law by all but two--Ireland and Luxemburg--of the EU's member states.

    As well as regulating the buying and selling of personal data about European citizens and forcing Web sites to tell users when data about them is collected and allow users to refuse disclosure, the Data Protection Directive also restricts the flow of information about Europeans to companies based in countries with--in the view of the EU--more lax privacy standards.

    The Global Privacy Alliance says that this directive makes it hard for companies to engage in the kind of data flow that they claim is vital for modern e-enabled businesses."

    That would be the kind of data flow where they take your medical data, and farm it out to a country with no effective privacy laws, then?

    It's interesting that the EU law would not only have prevented your medical data going to Pakistan, it would have prevented it going to the US - because far from having "strict standards to protect patients' medical data", the US laws allow moving private data to countries with lower privacy standards!

  20. Remember EU Data Protection Laws? by Jammer@CMH · · Score: 2, Informative

    Remember how pissed-off these made US businesses, who resented being pressured to comply with EU laws regarding data outsourced from the EU (or otherwise concerning EU citizenry?) Now it seems that this model is not such a bad thing. Interested US parties (some hospitals, at least) now seem to be pushing for a model whereby they can enforce US data-protection laws on data concerning US citizens when it goes overseas.

  21. Transcription by scarolan · · Score: 2, Informative

    My dad is a doctor and I used to always be amazed how fast he could dictate his notes at the end of the day. He'd fly through a pile of 100 folders in about 45 minutes or less.

    Even more amazing is the girl who comes in to type all this stuff up - she does 120 words a minute with no errors!

    In any case there are certain things which should never be outsourced overseas, one of them being sensitive medical records.

  22. It's not limited to software companies by christoofar · · Score: 5, Interesting

    I know of a particular BIG insurance company here in Texas that outsources a LOT of their core work overseas. This company happens to cater to members of the US armed forces and civil service employees. When people get deployed or move, they have to call this company to have all their addresses changed.

    To think... now India and Pakistan probably now have a good listing of where a lot of our US service members are located. It's glad that India and Pakistan are our "allies" or we'd really be in the shit now...

  23. MedicalTranscription@Home by devnullkac · · Score: 2, Interesting

    Perhaps medical transcription companies should take the SETI@Home approach: digitize all the data to be transcribed, slice it into overlapping chunks of about 20 seconds each, and distribute the work as widely and randomly as possible. In the process of transcription, workers mark fragments as partially or completely unintelligible/incomprehensible so that new larger fragments can be sent out for only those sections which really need more context or the same fragments can be sent to workers who are more likely to understand a heavily accented speaker. Unlike SETI@Home, however, this is a money-making enterprise, so some sort of micro-payment scheme would need to be established.

    No one person would likely have enough information to be dangerous, as long as the (automated) process of assembling the results is done in a trusted (and prosecutable) environment.

    Of course, this is just an automater's dream... it would in the end be vastly more expensive than simply managing the subcontractor problem as-is.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
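The chunk-and-scatter scheme proposed in comment 23, worked through as an added example (it is not part of the original comment or of any real transcription service). The 2-second overlap, the one-chunk-per-worker-per-recording cap, and all function and worker names are assumptions made for illustration.

```python
import random
from collections import defaultdict

CHUNK_SECONDS = 20.0    # chunk length proposed in the comment
OVERLAP_SECONDS = 2.0   # assumption: the comment gives no overlap figure


def slice_recording(rec_id, duration, chunk=CHUNK_SECONDS, overlap=OVERLAP_SECONDS):
    """Cut one dictation into overlapping (rec_id, index, start, end) windows."""
    if duration <= 0 or not 0 <= overlap < chunk:
        raise ValueError("need duration > 0 and 0 <= overlap < chunk")
    chunks, start = [], 0.0
    while True:
        end = min(start + chunk, duration)
        chunks.append((rec_id, len(chunks), start, end))
        if end >= duration:
            return chunks
        start += chunk - overlap


def assign(chunks, workers, max_per_recording=1, rng=None):
    """Scatter chunks at random; fail closed if the exposure limits cannot be met."""
    rng = rng or random.SystemRandom()
    held = defaultdict(set)          # (worker, rec_id) -> chunk indices already given
    plan = {}
    for rec_id, idx, _start, _end in chunks:
        eligible = [
            w for w in workers
            if len(held[(w, rec_id)]) < max_per_recording
            and not held[(w, rec_id)] & {idx - 1, idx + 1}   # never adjacent chunks
        ]
        if not eligible:
            raise RuntimeError(f"no eligible worker for {rec_id}#{idx}; enlarge the pool")
        worker = rng.choice(eligible)
        held[(worker, rec_id)].add(idx)
        plan[(rec_id, idx)] = worker
    return plan


def max_exposure(chunks, plan):
    """Largest fraction of any single recording heard by one worker."""
    heard, length = defaultdict(float), defaultdict(float)
    for rec_id, idx, start, end in chunks:
        heard[(plan[(rec_id, idx)], rec_id)] += end - start
        length[rec_id] = max(length[rec_id], end)
    return max(secs / length[rec_id] for (_w, rec_id), secs in heard.items())


if __name__ == "__main__":
    # Constructed input: two dictations (90 s and 45 s) and a pool of ten workers.
    work = slice_recording("rec-A", 90.0) + slice_recording("rec-B", 45.0)
    plan = assign(work, [f"worker-{n}" for n in range(10)])
    print(f"{len(work)} chunks, worst-case exposure {max_exposure(work, plan):.0%}")
```

The exposure figure is per recording: short dictations fit in two or three chunks, so a single worker still hears a large share of them however large the pool is.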
  24. 3 subcontractors? Sounds like a Dilbert comic... by Dazhel · · Score: 2, Informative
  25. Cheap ass company gets what they deserve by netglen · · Score: 2, Informative

    Well that cheap ass company got exactly what they deserve. When will companies learn that pretty much anything goes once you leave the aegis of American Law system? Sure you'll save a few bucks but how can you trust private data with a company in the third world?

    Here is an article on Wired which panders the need for 3rd world workers.

    A Case for Coolie Labor

  26. The tip of the iceberg... by StandardCell · · Score: 3, Interesting

    Just wait until this thing gets a bit wider publicity. You can be sure that holding individuals for ransom from the developing country for a developed product will get more and more common due to the copycat factor. I have a funny feeling that this is only the beginning of a large landslide.

    Even worse, wait until outsourced hardware design starts showing how faulty it can be. Where engineers can be held responsible for products that overheat and kill over here, imagine if someone in a third-world country decides to be lazy and not put overcurrent protection on a device in a certain mode that UL safety guidelines happen to not specifically cover. People could end up having their houses burn down. Now, while the company can be held liable, what about the engineer? He can just disappear into the background noise, never be held responsible, and never become an example to others in his community of what happens when a product is shoddily engineered to meet a raw cost objective.

    I think there is some optimism that comes from this story, however. It may yet prove that outsourcing is an enormous mistake for many companies. Particularly when the spectre of massive lawsuits is involved, I think that insurance companies will get increasingly involved in these situations. The cost advantages of outsourcing never factored in the increased liability risks presented to the company from the antics and poor quality of work of their outsourced workers in the first place. I don't like insurance companies any more than the next person, but neither do I think insurance companies have discovered to what degree their insured could be subjected to precisely these types of scenarios. Maybe what the geek community could do is start a campaign to inform insurance companies and their actuaries of these situations in order to raise the rates of companies who outsource. Maybe - just maybe - they could once again swing the balance of favor towards workers here.

  27. Tell your CIO: Regulated data should stay local by vinn01 · · Score: 2, Insightful

    This is a *HUGE* issue. Even joe consumer can get concerned when his personal info is bouncing around third-world countries.

    What does it tell you that this is not being reported in the mainstream press? Is the issue too complicated? Are people not interested?

    I think that there would be a strong reaction from the populace if this was reported in the national media. This might cause the government to step in on the off-shore outsourcing issue.

    Congress, the White House, and many state legislatures are far more serious about privacy and security than ever before. Expect more privacy laws to be passed by state legislatures.

    Every CIO should be concerned about willful violations (willful intent to skirt the privacy regulations) as well as negligent violations when considering moving data offshore, even if only for software development.

    Tell your CIO: Regulated data should stay local.

    vb

  28. Re:HIPAA? by drmike0099 · · Score: 2, Interesting

    Two comments:

    First of all, I guarantee that UCSF had a contract protecting PHI with that sub-contractor. The UC system had several thousand subcontractors with whom they had to rewrite agreements before the deadline in April. Any with whom they did not have a contract were terminated.

    Secondly, the hospital is not liable because they were sent unencrypted email of PHI. That doesn't even make common sense, if that could happen then I could email my doctor my last x-ray result, then sue him for breaking my confidentiality. Unless her medical records show up somewhere, she can claim no damages, and therefore have no suit, although IANAL (look at my username). The gov't, however, is another matter entirely...

  29. You should sue and blow the whistle.. by Corpus_Callosum · · Score: 4, Insightful

    It seems we were selling personal information to marketing firms. I found that the firms we serviced had no knowledge of that, so I refused to write the code. Of course I got fired, had a company officer watch me pack my things, and escort me to the door, all the while trying to convince me they were doing nothing wrong, and I shouldn't mention this to anyone, blah blah blah.

    They were in the wrong to do this and to fire you for it. You could sue.

    But regardless of whether you sue or not, how about providing us with the name of the Business, the type of violations they were making and the businesses that they were doing business with that were not made aware that their private customer data was being shared for profit.

    This type of personal information peddling is illegal, immoral and can cause very significant damage to innocent people (e.g. insurance companies dropping people, loss of jobs, etc.). Whenever anyone discovers this type of thing, it is VERY IMPORTANT to get it out in the open so that it can be dealt with.

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
  30. Your Financial Records are in India by zericm · · Score: 4, Insightful

    Forest for the trees, kids. Yes, your medical records may be overseas, but that is the small prize. Financial services companies have off-shored a lot of work to India, work that involves financial records. Think about: your name, address, social security number and account information may be sitting in India as I type this.

    Someone in another posting made a joke about extortion being cheaper because of reduced labor costs. Not much of a joke, really. Someone based in the US will most likely turn down an offer of US$5,000 for complete information -- including SS# -- for accounts with at least US$1 million in net assets. But that US$5,000 looks very attractive to a person based in India, a country where the average annual income is US$4,000, and US$30,000 is salary for a top notch programmer.

    It is only a matter of time.

    thx,
    Eric

    --
    The welfare of the people has always been the alibi of tyrants. - Albert Camus
  31. Re: Ever read the Bill of Rights? by benzapp · · Score: 2, Insightful

    You're funny. The US is one of the few western countries where you can (and people often do) get convicted based on circumstantial evidence.

    Umm, have you ever heard of the Bill of Rights? It is not possible to be convicted of a crime on circumstantial evidence alone. There must be a witness to the crime or there is no conviction. This is why traffic tickets are thrown out if a police officer doesn't show up for trial. No witness, no case.

    Here is the Sixth Amendment:

    "In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense."

    Furthermore, this would be civil court, where the requirements for a conviction is much lower -- to the point where you can get a judgment against you because of a belief of likelihood.

    It is not "much lower". There is also no such thing as "conviction" in civil court. You pay money, nothing more. The reason the standard of proof is lower is that you are not losing life or freedom in civil court, you are resolving a dispute.

    It's nothing more than "beyond a reasonable doubt" versus "clear and convincing". It is a matter of degree, nothing more.

    Yes, justice is blind, especially after she got a blanket thrown over her head by Mr. Ashcroft...

    How does a cabinet member have the power to alter common law practices again? Is he personally bribing all the jury members?

    This isn't a dictatorship... one man has far less influence than you think.

    --
    I don't read or respond to AC posts
  32. NOT A Problem With Outsourcing by CmdrGravy · · Score: 2, Insightful

    I've noticed a lot of posts wailing that this is a problem inherent in Outsourcing.

    I think that quite clearly isn't the case, the problem is that US Data Protection laws allow companies to pass personal data to other countries which do not have any requirement to protect that data.

    There's no reason why India or Pakistan or wherever that lady lived would have any laws governing the protection of data belonging to US Citizens but US Law should realise that and make it illegal to pass data which is protected in the US to these countries.

    I totally agree that disclosure of medical data is a bad thing but it's important to realise how the law has failed to guard against this happening rather than whinge about something totally unrelated to the problem in hand

  33. Same goes for banking information by YrWrstNtmr · · Score: 3, Interesting

    Buying a car last year, the saleswoman had a question on some of the forms.

    She asked a more senior salesperson...
    I overheard:
    "Yes, we have to fill that in very carefully, so the transcribers in Mexico can enter it in the computer properly."

    This, with a technically US-based bank loaning the money.

    Now...nothing against Mexico, per se, but shipping *my* info over the border for processing just to save a buck or two is ridiculous.

  34. Re: Ever read the Bill of Rights? by damiangerous · · Score: 3, Informative

    It is not possible to be convicted of a crime on circumstantial evidence alone. There must be a witness to the crime or there is no conviction.

    You are completely wrong. There must be witnesses? That's absolutely ludicrous. Do you have any idea how many crimes have no witnesses?

    Brief Google just for a couple examples of statements relating to circumstantial evidence:

    The Supreme Court of Pennsylvania

    "Moreover, this Court has established that circumstantial evidence alone can be sufficient to convict a person of a crime."

    The Supreme Court of New Hampshire upholding a conviction based solely on circumstantial evidence.

    "When the evidence presented is circumstantial, it must exclude all rational conclusions except guilt in order to be sufficient to convict."

    The Tennessee Appeals Court

    "However, a conviction may be based entirely on circumstantial evidence where the facts are 'so clearly interwoven and connected that the finger of guilt is pointed unerringly at the Defendant and the Defendant alone.'"

    The Louisiana Appeals Court

    "The rule as to circumstantial evidence is that, assuming every fact to be proved that the evidence tends to prove, in order to convict, it must exclude every reasonable hypothesis of innocence."

  35. how is that smarter? by Purificator · · Score: 2, Interesting

    ok, hindsight is 20/20 and it's easy to say that someone should have done something differently without having to be in that person's shoes, but i don't see your answer as better.

    it started off right, with "you should have blown the whistle." i'd agree with that, and i'd suggest anyone in that position right now --and debating what to do-- take that route. there are whistleblower laws, depending on the circumstances, that will protect someone who turns in an employer for illegal activity.

    what you did was illegal. you could have been fined and gone to jail for it, and were counting on your employer's fear of your blackmail to insure they would not prosecute you. the fact that you got away with it does not mean you should advise other people to do the same (and if the statute of limitations hasn't run out you probably shouldn't be posting on slashdot about it, either).

    --
    "Mister Potato-head --MISTER POTATO-HEAD! Backdoors are not secrets!" (War Games, 1983)