Your Privacy and Offshore Outsourcing
An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.
All doctors should have their computers transcribe their dictations like my father does.
Simon's Rock College
if some indian knows i have genital herpes..... i mean, the whole of slashdot knows!
I'd rather have some person in India or wherever know I've got some embarrassing disease than the gossipy old cow that lives over the road.
Engineering is the art of compromise.
Does anyone have a free-market solution to this? I would hate to see Democrats legislate this to hell. IMHO overlegislation will solve 1 problem but cause another...
But while the above point is interesting, it's somewhat irrelevant to this case: the breach of contract occurred in the US:
Basically, while the article brings up the interesting concept of what offshoring information can do, this particular case of offshoring is really not the greatest example, since the breach of contract occurred in the US. And yet we have sensationalist newspapers like the Chronicle and opportunistic politicians who call themselves privacy advocates; the current state of affairs is fucked. The comment leads me to believe that he didn't even RTFA:
Most transcription services are computer-transcription now anyway.
You speak. Human transcribes. Computer learns. Human error checks... eventually the computer is good enough that the human is not needed at all.
We are using this system now. It, of course, sucks compared to a real transcriptionist... but it is 10 times cheaper.
Davak
HIPPA = Health Insurance Privacy and Portability Act, is a VERY big deal for patient privacy. I wonder if this was a violation?
HIPPA carries some hefty fines if this was in fact a violation.
Save a Life. Donate Blood. Please.
American law sets out very tight restrictions on what our doctors can do with our private records, and there are stiff penalties for any individual who violates trust with this data. Could sending these tasks overseas cause there to be less-strict laws regulating the handling of private medical info?
since I stole someone's identity a while back.
And no I was never a football tight end.
Help end the use of Sigs. Tomorrow
She said she e-mailed him at what she assumed was his important U.S. company, Tutranscribe, although the firm didn't have its own Web site, only an AOL account.
"You've got (black)mail!"
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I work in a similar industry, handling patient claims information. This story has been circulating around for a while. What really grabbed my attention from this article was the statement of Transcribe Stat's owner.
"After 23 years in business, it took just one little e-mail to ruin me."
And there it is. These are the things that keep me up at night, watching firewalls logs and everything else that keeps me from getting a good night's sleep.
The truly scary part is that the US government is trying to outsource everything as well. This includes the IRS, which means that your personal tax information is going to be in the hands of some work-at-home person making $1 per transaction filed, stored on the computers of some half-assed system administrator. The original contractors will have no responsibility as the contracts will be written to require minimal due diligence and almost no penalties for infractions.
This of course has been defended as completely consistent with all current privacy laws. In addition, the somewhat friendly people at the IRS, a result of new regulations that resulted from the friends-of-Reagan audits, will be replaced with the same people who call during dinner asking you to buy their product, or yelling at your children because their parents did not pay a bill.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
If people perceive the offshoring to give some privacy risk then they will perhaps be prepared to pay an extra $5 or $10 or whatever each month to a service that guarantees your case will be handled by an American. Alternatively, a company that advertises that they guarantee American processing will get a competitive advantage over their offshoring competition.
It seems hypocrisy to me that those that bitch about losing their jobs to India don't seem to mind wearing Nikes made in the Philippines and having Korean RAM in their PCs.
Free market means paying for things you value, not just bitching about things.
http://www.hipaadvisory.com/action/LegalQA/law/Legal44.htm
QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?
ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.
The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.
By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.
Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.
Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compensation fr
Well at least the majority of Americans are not raising the issue to either companies or their representatives. For the past few months, e-loan has been giving its customers a choice of where their loan applications are processed (India vs US). Even though these customers knew their private info was going to be shipped overseas, 86% chose India because the processing time was 2 days shorter. Bottom line, Americans have a fast food mentality ... i.e. the cheapest, quickest way will always win.
As for the story, I work as a consultant in the Health IT arena, and have all too often seen private data mishandled. However, standards are greatly improving in the US, but this is only due to the threat imposed by legislation and civil lawsuits. Will 3rd party companies overseas have the same incentive if they are outside of US jurisdiction? Probably not.
Yes, I did mean voice recognition, which none of the other people who replied seem to have noticed. It is highly reliable, but it does make the occasional mistake. Even when it does make a mistake, the doctor is there reading the transcription as he speaks, so he can fix it.
There's a regular competition in the office among the doctor's assistants where they attempt to decrypt errors caught by the doctors.
The reason my father and his partners switched to the automated system was that the transcriptionist they had was falling way behind on her typing. She was even outsourcing it to Virginia!
Some doctors, of course, have the worst possible problem: they don't bother to do their dictations at all. One doctor in my community was a year behind on dictations when he was arrested for selling prescription drug samples. He's also been accused of conspiracy to commit arson, among other things. Right now, he's under house arrest. (Soft sentence, in my opinion, for defrauding large amounts of money from drug companies).
Now, don't let me get started on the local vote buying politicians: "I didn't know there was nothing wrong with a little moonshine..." - arrested for selling illegal alcohol and possession of a weapon of mass destruction.
In Europe this would have never ever happened: our laws are very strong regarding to personal data and privacy.
For instance, if a company here in Spain keeps customers data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person -with a name and a surname- of that company has to ask the Director of the Data Protection Agency for a written permission to do so.
Break Privacy Laws and you'll face a monetary penalty from $600 to $600000
I was trying to get second post - and go to dinner. If you think my spelling is bad, you should just see the average doctor's hand writing. That's why they have their work printed by a machine. As I clarified in another post, the transcription is voice recognition, not typing or check boxes, and he speaks directly into the computer's microphone, so it's in real time.
My brother owns a dental office; part of being HIPAA compliant is getting anyplace you subcontract with to agree to the HIPAA privacy laws. I set up an offsite backup system for them but before they could upload any of their patient data they had to get the company to agree to their privacy statement.
--I swear, it was a case of isolated idiopathic hemiballismus
Meditalk is the name of the software used for the dictation system. It's real time, so the doctor can check for errors while he talks. The biggest problem with it was the support contractor (Not Quincy Systems) who forged a signature on a document.
American Express outsources certain departments to India. There is a good chance your American Express info could be stolen by someone. From talking to people in the call centers over there it appears Bank of America is over there too.
Man this is scary stuff - not just with this but other outsourcing too, just imagine if one of those little runts at the Nike $1 a month trainer factory started noting the most popular shoe sizes!? Why, they could build up a database of America's average foot size and use that information for competitive advantage, not to mention the privacy violations that could result if they found out I had slightly flat feet!
This comment does not represent the views or opinions of the user.
I'm trying to decide if Ms. Newburn is an out-and-out hypocrite, or just spectacularly inept at fraud. She apparently sends the work to Pakistan, ignoring any concerns about professional ethics, and creates "Tom Spires" to cover her posterior; then cries about how awful it is that American jobs are going overseas, once her house of cards comes crashing down. This situation really calls for the old question: "What the hell were you thinking?!"
Doing my level best to piss off the religious right wing...
Usually these stories involve corporations trying to outsource storage of personal data from other western nations to the US, to take advantage of the US's almost-nonexistent privacy laws. So it's ironic that in the one industry (Health) in which the US has any real privacy laws, the US is suffering the same problem.
Odd that no libertarians have posted yet saying that the govts should just butt out and stop trying to impose privacy laws.
Sean
Well I'm not worried about the whole thing. Nor should most of the US. Why? Well with jobs going elsewhere, the majority will be either out of work or working a job with no health benefits. No benefits==no doctor==no medical records. Isn't it nice how it all works out?
People sound surprised that their data ends up in some third world country's facilities. To be honest, big companies have had terabytes of data stored in other countries for years. Usually it's the historical data beyond a 1 year full backup that ends up in some other countries.
Granted yes, it takes effort to dig it up. But still, the data is theoretically outsourced.
Let's see them prosecute identity theft in Bangalore. It's only a matter of time before people who make 3 dollars an hour start figuring out how to turn your financial data and credit card numbers into $$$$$.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Is there a large enough difference in costs from America to India that it will sustain this big chain of sub-sub contractors? Or are these middle men not making any money?
I think you're entirely correct about using this to shift responsibility. That the middle-men are in different jurisdictions, and the ultimate worker is overseas, might be seen as an added bonus.
Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (I think it's European too):
-You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc and this can include video and internal memos about you and non-electronically stored data AFAIK
-You have the right to know who is holding what and what they intend to do with it
-It can't be taken outside the European Economic Area without your consent
-Security measures must be taken to ensure it's safe
uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!
A medical transcription company outsourced its core business of transcription and lost control over the details. Now they pay the price.
Wouldn't it make sense to separate data from patients? This is like Database Design 101.
So patient medical records can be transcribed by anyone without leaking the identities, and the patient details are held in another database.
So if someone wants to post a medical record, it can only go as far as "Patient DFA12435 has xxx, HA! HA!".
Rock that crushes, Paper & Scissors that don't matter.
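The separation this post describes, written out as an added example (it is not code from the thread, and the field names, token format and sample dictation are all constructed for illustration): the identity table stays in-house, the transcriptionist only ever sees an opaque token plus dictation text with the direct identifiers scrubbed, and the finished transcript is rejoined to the real record on the way back in. An outbound check refuses to release a job if any identifier survived scrubbing.

```python
"""Keep patient identity in-house; send only pseudonymous dictation out.

Added example, not from the original thread. Patient fields, the token
format and SAMPLE_DICTATION are constructed for illustration.
"""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Patient:
    """Direct identifiers that must never leave the provider (constructed fields)."""
    mrn: str   # medical record number
    name: str
    dob: str   # YYYY-MM-DD


@dataclass
class TranscriptionJob:
    """What the transcriptionist receives: an opaque token and scrubbed dictation."""
    token: str
    text: str


@dataclass
class IdentityVault:
    """Stays in-house; the only place that can map a token back to a patient."""
    _map: dict = field(default_factory=dict)

    def register(self, patient: Patient) -> str:
        # A random token, not a hash of name+DOB: a hash can be confirmed by
        # guessing the inputs, a random value cannot be linked without the vault.
        while True:
            token = "P" + secrets.token_hex(6).upper()
            if token not in self._map:
                self._map[token] = patient
                return token

    def resolve(self, token: str) -> Patient:
        return self._map[token]


def _identifier_patterns(patient: Patient) -> list:
    """Regexes for the direct identifiers, including 'Ms. Doe'-style mentions."""
    surname = re.escape(patient.name.split()[-1])
    return [
        re.escape(patient.name),
        re.escape(patient.mrn),
        re.escape(patient.dob),
        rf"\b(?:Mr|Mrs|Ms|Dr)\.?\s+{surname}\b",
        rf"\b{surname}\b",
    ]


def scrub(text: str, patient: Patient, token: str) -> str:
    """Replace every direct identifier in the dictation with the token."""
    for pattern in _identifier_patterns(patient):
        text = re.sub(pattern, f"[{token}]", text, flags=re.IGNORECASE)
    return text


def leaks_identity(job: TranscriptionJob, patient: Patient) -> bool:
    """Outbound check: does the job still carry any direct identifier?"""
    return any(re.search(p, job.text, flags=re.IGNORECASE)
               for p in _identifier_patterns(patient))


def outbound_job(patient: Patient, dictation: str, vault: IdentityVault) -> TranscriptionJob:
    """Build the job that may be handed to any transcriptionist, in-house or not."""
    token = vault.register(patient)
    job = TranscriptionJob(token, scrub(dictation, patient, token))
    if leaks_identity(job, patient):   # refuse to release rather than hope
        raise ValueError("identifier survived scrubbing; job not released")
    return job


def rejoin(token: str, transcript: str, vault: IdentityVault) -> tuple:
    """Back in-house: attach the finished transcript to the real patient record."""
    patient = vault.resolve(token)
    return patient.mrn, transcript.replace(f"[{token}]", patient.name)


# Constructed sample dictation; no real patient.
SAMPLE_DICTATION = (
    "Patient Jane Q. Doe, MRN 44-0912-7, DOB 1961-03-14, seen for follow-up "
    "of type 2 diabetes. Ms. Doe reports good adherence; Doe will return in 3 months."
)

if __name__ == "__main__":
    vault = IdentityVault()
    patient = Patient(mrn="44-0912-7", name="Jane Q. Doe", dob="1961-03-14")
    job = outbound_job(patient, SAMPLE_DICTATION, vault)
    print("sent out:", job.token, job.text)
    print("rejoined:", rejoin(job.token, job.text, vault))
```

The scrubber only knows the identifiers the vault holds for that patient, so a nickname or a relative's name spoken in the dictation would still pass; the vault and the token are what stop a leaked transcript from naming anyone, the scrubber just reduces what a careless subcontractor can see.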
I know many of you work in the health care business, and take HIPAA pretty seriously. I work in it myself, although in a tangential relationship, and don't have to abide by HIPAA due to the nature of my facility.
However, my wife works in the insurance business; specifically, she evaluates claims made against her company for legitimacy. She has the ability to draw upon resources that will tell her any individual's medical history, public and private; she can relatively easily flaunt the protections of HIPAA, although she can't reveal that she knows more about your medical condition than you do. She's not clear on how her resources can determine the things that they do, but it just shows the lie of how much these protections provide.
--
$tar -xvf
Sorry. Already outsourced to India.
Capital one has outsourced your credit card account customer service personnel to India. I called up with a question and hearing a distinctive accent I asked the young woman where she was located. To her credit she answered me honestly and I had no real problems with her. However I do feel that any information sent to outsourced personnel overseas should be subject to all US legal protections and the company should have to treat that data with the same responsibilities as if it was here in the USA.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
"Bottom line, American's have a fast food mentality ... ie the cheapest, quickest way will always win."
Ditch marriage, go for the hooker.
Who's in control of the senate and house again? Is it the Democrats?
No. It's the Republicans. If this gets "legislated to hell" it will be because the Republican majority supports it.
It's funny that the US is getting upset about data processing "beyond the reach of U.S. authorities", because already some years back, it used to be the other way round.
For several years now, some larger German companies have offshored their customer data processing to the USA. Some claim this is also done because of the USA's less strict privacy laws that allow for far more data profiling than allowed in Germany. There is also growing concern in German media that it will be impossible to control such outsourced data and that there is no way to ensure that customer data will not be used by the American processing company for other purposes or sold to third parties.
One such example was the Bahncard, a price rebate system for the national railway. For a few years, it came combined with a credit card option and its data would be shared with an external partner of CitiBank US for customer profiling, including a photograph, a full credit history and all payment data of the user.
------------------
You may like my a cappella music
This has nothing to do with countries and law; this has to do with your privacy being handled by the lowest bidder.
Each step in the chain shows someone wanting lots of money for not doing anything. If hospitals and others were serious they would do the transcribing in house. But of course that is no longer allowed. Focus on your core capabilities has become the watch word. So that a place like a hospital is now really a meeting hall for outsourcing companies. From temp nurses to cleaners, from caterers to office staff. No one works for the hospital, they all work for the lowest bidder.
Neat eh? And the funny thing is? Medical bills only seem to go up. Why am I paying more insurance when all this cost saving is going on?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yes, coming from someone deep inside the healthcare system who could grab millions of SSN's in minutes, HIPAA basically means nothing. That cleaning woman in our office? Yes, she could grab SSN's too no problemo!
I think it makes a lot of sense to make the US company subject to liability if anything happens to data they ship offshore. I'd prefer some sort of "strict liability" statute where if something happens, the company at the top of the food chain is definitionally liable no matter what. Otherwise you end up having companies hide behind subcontractors like Wal-Mart does with their illegal immigrant labor.
No this whole story is one of greed and it starts right at the patients. After all they want low low insurance and medical bills. So the hospital saves by outsourcing instead of doing it in house. The outsourced company outsources again instead of doing it in house and so on.
Feeling sympathy here is misplaced. Each and every one involved, including the patients, is a victim of their greed.
Maybe I am just a cynical bastard.
Separating database records like you suggest is indeed possible. You could easily separate a patient's credit history from their medical history. Doctors don't need to know payment details and the collectors don't need to know medical details.
But in this case that is impossible. Medical details do belong with the name.
1. Realize exploitation of 3rd-world labor resources is 10 times cheaper than employing domestic workers
2. Rationalize bypassing 100 years of labor rights progress by saying free market benefits everybody
3. Reap short-term profits at expense of nation
4. Profit!!!
In case people thought that NOTHING was being done abt the matter:
http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,81698,00.html
http://www.computerweekly.com/articles/article.asp?liArticleID=122250&liFlavourID=1&sp=1
http://216.239.51.104/custom?q=cache:aGXMuwaC72YJ:www.nasscom.org/download/CyberLaw.pdf+privacy&hl=en&ie=UTF-8
I'm not really familiar with the business, but I get the impression that (many? most?) transcriptionists work as freelancers, so the fact that this Transcription Services company acted more like an agent than a place where full-time employees type away from 9-5 makes sense to me.
I would think that if they had a 20+ year reputation, that would be worth something to future bidders?
A post a day keeps productivity at bay.
Hellooo... RTFA. Transcription Stat had a worker who was apparently handling 30 files a day instead of the more usual 15 per-day and they want to claim it never occurred to them that she might be having someone help her (i.e. have subcontracted the work when her contract said she could not).
The legal term is "willful blindness" (see U.S. v. Jewell from 1976 http://64.233.167.104/search?q=cache:BM8ga6tb3XMJ:www1.law.umkc.edu/suni/CrimLaw/calendar/Class_19_2001_Jewell.htm+wilfull+blindness&hl=en&lr=lang_en&ie=UTF-8). Granted that's only from the 9th US Circuit Court of Appeals but it has been applied in enough other circuits that had the behavior been criminal rather than civil (hey if you're going to get all high-n-mighty about copyright violations being civil rather than criminal you better know that contract violations are only civil issues too!) then Transcription Services would be going to jail along with Sonya.
So, yeah, they "knew" (legally) that they were violating their contract with the hospital and were therefore just as guilty and are getting what they deserve for their flagrant contract breach.
If you read the article you will find that the transcription services was contracted to a company at about the 17-20 cent level that you claimed, and then further subcontracted to another company etc etc ad nauseam until it all came crashing down.
So I would suggest you check your "local" transcription service to see who they are subcontracting to etc etc. That may just save your gluteus maximus.
Suchetha
learn from yesterday, plan for tomorrow, party tonight
or one out of three ain't bad
An example of the amounts:
An ISP (I won't say the name, this is an actual case) kept backup tapes in a cabinet. A good practice, isn't it?
One day, an employee forgot to put some tapes back inside the cabinet. Tapes were available to the employees, nobody else. Bad luck, that day was the inspection day (not announced, of course). Their punishment was $1000 per tape.
My dad's company does asbestos removal and reinsulation, and he bid a job some years back on a facility in Virginia owned by some American subsidiary of a German company.
The contract was between two American corporations for work done in America by American citizens. But he had to build in two redundant sets of environmental tests for the exact same contamination, one to adhere to Virginia law and one to adhere to German law.
German laws follow German citizens and corporations wherever they go. American long-arm statutes (most of which deal with bribery of foreign officials) are fairly tame by comparison.
I work for a medical transcription outsourcing company (inhouse devel office).
Company to be fined $60000 to $300000 for sending spam. Would you ever see that in the USA?
From the article:
Nonsense. Plenty of countries have perfectly good laws on privacy -- especially, the privacy of medical records. This is just an attempt to score some points with an outsourcing-scared electorate without upsetting the pro-business part of it too much.
Even if so, as long as the original customer (the hospital in this case) is in the US, the victims have someone to sue. It should be left up to the hospital to decide, not mandated by law. Sooner or later the WTO will demand that California drop this law... And I'll support them.
Plenty of vitally important stuff is being made abroad -- medical equipment, cars, food. By this Senator's logic, we should not be importing any of it because "there is no remedy" in case the manufacturer screws up.
In Soviet Washington the swamp drains you.
Personal data may be taken out of the EU/EEA only if without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. (EU Personal Data Directive 95/46/EC, Article 25). See here for whole Directive.
The United States is not a third country that the EU has determined to provide an adequate level of protection of personal data. However, if the individual companies or organizations in the US adhere to the Safe Harbor agreement, personal data may be transferred.
Unfortunately, it can ultimately be difficult to control that data once it gets to the US. A in Europe may determine that B in the US provides adequate protection via Safe Harbor. All is well, right? Not necessarily. What happens when B subcontracts to C, who subcontracts to D, who subcontracts to E, who subcontracts to F in country G where privacy laws don't exist? Yeah sure, there are rules, but if something were to happen, there would be more finger-pointing and "you weren't supposed to..." and the such, as opposed to taking on responsibility. But nonetheless, your personal data has been compromised. All the bickering in the world won't resolve that matter.
People say I'm crazy, I got diamonds on the soles of my shoes...
Is it just me, or is Florida a common link in most of the scams that go on in the US?
Our long-arm statutes are fairly tame for good reason. We're supposed to be the freest country in the world, remember?
A deep unwavering belief is a sure sign you're missing something...
What a non-issue!! Obviously, personal info is bound to be stolen, here or offshore. Data isn't gonna be useful anywhere else; if it's gotta be misused it should come back here. And we'll get those rats who do this for a living!!
This thing ended up on Business 2.0's list of "101 dumbest moments in business 2003" (position 77 or so, on the top ten are online.) It also stated that from the $ 0.18 paid by the primary client only $ 0.03 ended up in Pakistan - so even if jobs move overseas in this case, most of the money stays in the country.
My brother is a doctor and all of his transcription is done in India over night. He has his completed transcriptions in his e-mail in box the next morning when he comes in. I ask:
Is the e-mail encrypted? I doubt it.
Does India or any other country really care about U.S. privacy law? No.
What will happen when all of our financial information is "off-shored"? They may own us.
The news story reads :
Lubna Baloch sat in her office in the sprawling Pakistani commercial center of Karachi and gazed at the e-mail she'd composed. She tried to imagine the reaction half a world away when the people at UC San Francisco Medical Center saw what she'd written.
-----------
yeah, that's right. pakistani.
the hub of a thousand madrasas. sponsors of terrorism. home of a lot of fundamentalism.
and also, all because of a very scared general/dictator who bends with pants down whenever uncle sam orders, a non-nato ally to samy.
so, it was in pakistan.
Yet, in any of the comments do I hear a reference to pakis? NO! you guys are obsessed with India.
and India has better privacy laws, and last year passed a law dealing with privacy of offshored information.
oh well. stay on the side of your new best friends the pakis, even when they turn and bite you fast.
Agreed, the real point of outsourcing is to hide the blame. The same is done with migrant farmworkers in Florida, Massachusetts, and California. It's not the "farmers" (or the corporations that own the farms) that are responsible: they hire crew chiefs that do the hiring and provide so little money that it's obvious to even the most casual observer that the only way to get the job done at that price is below market wages with off-the-books workers. The crew chiefs hire the illegal aliens (or even legal aliens) under the table and pay them little and charge them a lot for their meals and lodging. The workers put up with this; if someone gets caught (which doesn't happen because they don't go looking to catch anyone) then they change a crew-boss with another farm and start over or keep going.
How's that for the american dream?
Coz everyone knows that slashdotters hardly get any sex, and so should be at very low risk for STDs unless they really do something near worthy of a Darwin "Honorable Mention" Award and get nasty STDs without sex...
I don't care about my karma... I want to protest the negative moderation done to tealover's post. It was truthful and insightful. Jeez... where's my mod points :(
--- Grow a pair, liberals... stop letting the Republicans bully you!
"I would hate to see Democrats legislate this to hell"
Yeah, the Republicans have done a TERRIFIC job of not regulating how every single piece of your personal and private information can be spread throughout the world. Heaven forbid that someone should draft a law that puts an end to this incredibly bad situation and holds accountable the low-life sleaze-bags who allowed it to happen.