Slashdot Mirror
Transcriber Threatens Release of Medical Records
talboito writes "David Lazarus of the San Francisco Chronicle reports on problems subcontracting sensitive data to outside firms. An unpaid Pakistani transcriber threatened to release medical records of patients at UCSF Medical Center on the internet. The article notes: 'U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.' Most frightening, UCSF was unaware that its records were being sent overseas. The article traces their path backward through a chain of three different subcontractors."
I can hear the conversation in the board room now....
"Who thought that outsourcing this was a good idea?"
How long until the IT outsourcing start's biting companies in the arse?
remember our laws are NOT their laws.
Do not look at laser with remaining good eye.
This is why certain aspects of business will always cause privacy problems such as this. The goal of many businesses is not to provide the best possible service or the best possible products. Rather it is simply to make money. This is why HMO's never made sense to me and why they were a con foisted upon the American public. They have not made the practice of medicine any cheaper, rather they have simply moved profits from the physicians, nurses and technicians and moved it to a new middle layer of management who makes decisions such as exporting transcription overseas to markets with no concern for privacy.
Visit Jonesblog and say hello.
My dad is a hospital administrator, and at the hospital he runs (in rural Louisiana, none the less), they just invested in a voice recognition package specific to medical transcription. They never outsourced their transcription needs overseas, but they were having trouble meeting their needs with the staff on hand. So far he says it works far better than he expected, and has generated any serious errors (it tends to be better at picking out the appropriate medical words than at transcribing normal english. because the doctors tend to use rather obscure words). They still proofread the transcriptions as an error checking, but over all, it has been more accurate than even human transcription and cheaper too.
====
Crudely Drawn Games
The problem is not overseas workers. The real issue here is sensitive information being processed by networks of subcontractors without the knowledge of the information owner.
Can anyone else see large software companies having this problem? Company sends the project overseas to be developed, employees return the finished source, and then toss their NDA in the trash by holding the source ransom over the internet.
We've all seen what source in the wild can do (whether you believe some of the rumors about how HL2 source was released, it's _still_ delayed), and a group trying to profit off of source code could even be worse. Of course, no manager is going to listen to little old me.. Mainly because I'm not crawling down their throats for this quarters profit margin. =T
This statement is false.
Any time you pass on potentially sensitive data onto a third party there is the opening for abuse of this nature. When you outsource you are at the mercy of the contracted party and their security measures (if any) become your security measures. Add to that sub-contractors... Big freakin' mess.
Certain information should remain in the USA and not be contracted out. Ever. Looks to me that this whole fad of out-sourcing overseas has just come back to bite people in the ass. Maybe now some of the fools will learn that the old addage "Charity begins at home" is a good idea: keep those jobs here; the costs aren't in just dollars saved or wages paid.
It only took a few hundred dollars to pay her off.
Even extortion is cheaper when done overseas.
Companies are setting themselves up for a big hurt when they outsource overseas. This intance shows just some of the dangers and downfalls. Eventually, it's going to come around and bite them in the arse. What happened to all the forward thinkers? The over-zealous drive for profits and cost savings for today without thinking about tomorrow hurts us all - from the executives, to the workers, to the consumers, and, yes, even the shareholders. For example, America's technological edge is dying all because of overseas outsourcing. Why would any kid want to go to college for CS/IT when the job prospects are so miserable?
The problem here is with the newness of the law and the size of the company. It looks like the subcontractors being used are all "home-office" type deals that don't know the laws, which say that if you've signed a contract to handle PHI (and not disclose it) and you want to subcontract, you need to get the subcontracting firm to sign a similar document. The people mentioned in the article obviously haven't done that. Also, the article made it sound like the Pakistani woman was pretty much working on her own. When dealing with a larger (or real) company, you can have them sign a contract which would be enforceable in their own country (this is why we have lawyers).
It is not a problem of laws not being enforcable as the article indicates, it is more of understanding the requirements of our laws and getting the right contracts into place that would be enforcable in other countries.
Even worse! They SELL the info to drug companies!
I once mentioned a certain problem (side effect of a drug) to a doctor. 7 years ago or so. I was not being treated for it, but he wrote in in his notes. Lo and behold, a month later, I start getting ads in my mail from drug companies for this problem. Not something common. I told the doctor and he was in shock. He agreed that the transcription company must have sold the info. He refused to follow up on it, as did I. In retrospect, I could have caused a stink, but I'm not at all convinced I would have gotten any satisfaction.
I strongly suggest taking your lawyer with you on all doctor's visits. I now review doctor's notes completely (after transcription) and force them to make corrections. It is amazing what sorts of errors the transcription companies make in the notes. And this is what insurance companies look at when you apply for insurance.
In all, I'm pretty frightened of the medical system after a couple of incidents. I avoid the system at all costs. The funny thing is that it is this fear of the system, not of disease, that has actually prompted my very healthy lifestyle. I don't ever want to have to depend on that system for anything. Even the "nice good" doctors who are a part of it are to blame for idly sitting by and letting it all happen. They like to pretend that they are just pawns in a bigger game. Not!
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
It covers specifically these kinds of cases, and the hospital clearly didn't place the necessary safeguards, as far as I understand the law, '"We'll have to live with this risk on a daily basis," Ryba said' is simply not good enough.
http://www.gnu.org/philosophy/words-to-avoid.html
Remember this:
"A group of American companies is attempting this week to persuade the European Union to relax its rules governing data protection, claiming they are bad for business.
[...]
The EU passed the Data Protection Directive in 1998, and this has subsequently been implemented into national law by all but two--Ireland and Luxemburg--of the EU's member states.
As well as regulating the buying and selling of personal data about European citizens and forcing Web sites to tell users when data about them is collected and allow users to refuse disclosure, the Data Protection Directive also restricts the flow of information about Europeans to companies based in countries with--in the view of the EU--more lax privacy standards.
The Global Privacy Alliance says that this directive makes it hard for companies to engage in the kind of data flow that they claim is vital for modern e-enabled businesses."
That would be the kind of data flow where they take your medical data, and farm it out to a country with no effective privacy laws, then?
Its interesting that the EU law would not only have prevented your medical data going to Pakistan, it would have prevented it going to the US - because far from having "strict standards to protect patients' medical data", the US laws allow moving private data to countries with lower privacy standards!
The law specifically states that any work that a healthcare organizations subcontracts out is to be held to the same standard. If the hospital did not insure that, then they are liable for both civil and criminal damages.
This is actually one of the great things about the law. If an organization tries to escape any clause by subcontracting out the work, they are still liable. In this case, it seems that they did not even have an agreement with the contractors, which would be even larger penalties.
As a final note, the hospital is already liable, because the woman sent patient records to the hospital via email. Unless the email was encrypted and only opened by the doctors giving care to the patients in record, then the hospital is liable. I expect the government will begin an investigation shortly, and the hospital will be fined within a year.
Mark Radulovich, CISSP, NSA/IAM
I know of a particular BIG insurance company here in Texas that outsources a LOT of their core work overseas. This company happens to cater to members of the US armed forces and civil service employees. When people get deployed or move, they have to call this company to have all their addresses changed.
To think... now India and Pakistan probably now have a good listing of where a lot of our US service members are located. It's glad that India and Pakistan are our "aliies" or we'd really be in the shit now...
Yes it is. Someone is getting a huge fine or even jail out of this. There is supposed to be a Business Associate Agreement between all Chain of Trust partners that stipulates both parties are following HIPAA just to be able to pass PHI between each other. Someone didn't follow the law and allowed PHI to be handed off to a non-compliant company. I do HIPAA audits for a living...
Maybe we DID take the blue pill. You wouldn't remember anyway.
It seems we were selling personal information to marketing firms. I found that the firms we serviced had no knowledge of that, so I refused to write the code. Of course I got fired ,had a company officer watch me pack my things, and escort me to the door, all the while trying to convince me they were doing nothing wrong, and I shouldn't mention this to anyone, blah blah blah.
They were in the wrong to do this and to fire you for it. You could sue.
But regardless of whether you sue or not, how about providing us with the name of the Business, the type of violations they were making and the businesses that they were doing business with that were not made aware that their private customer data was being shared for profit.
This type of personal information peddling is illegal, imoral and can cause very significant damage to innocent people (e.g. Insurance companies dropping people, loss of jobs, etc..).. Whenever anyone discovers this type of thing, it is VERY IMPORTANT to get it out in the open so that it can be dealt with.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
Forest for the trees, kids. Yes, your medical records may be over seas, but that is the small prize. Financial services companies have off-shored a lot of work to India, work that involves financial records. Think about: your name, address, social security number and account information may be sitting in India as I type this.
Someone in another posting made a joke about extortion being cheaper becaue of reduced labor costs. Not much of a joke, really. Someone based in the US will most likely turn down an offer of US$5,000 for complete information -- including SS# -- for accounts with at least US$1 million in net assets. But that US$5,000 looks very attractive to a person based in India, a country where the average annual income is US$4,000, and US$30,000 is salary for a top notch programer.
It is only a matter of time.
thx,
Eric
The welfare of the people has always been the alibi of tyrants. - Albert Camus