Slashdot Mirror


Your Privacy and Offshore Outsourcing

An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.

8 of 236 comments

  1. Rather have it offshore by EmbeddedJanitor · · Score: 4, Informative

    I'd rather have some person in India or wherever know I've got some embarrassing disease than the gossipy old cow that lives over the road.

    --
    Engineering is the art of compromise.
  2. Re:HIPAA Violation? by stox · · Score: 5, Informative

    Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.

    --
    "To those who are overly cautious, everything is impossible. "
  3. Re:the point to be made here by DAldredge · · Score: 5, Informative

    From http://www.hipaadvisory.com/action/LegalQA/law/Legal44.htm

    QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

    ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.

    The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.

    By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.

    Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.

    Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compe

  5. Re:Transcriptionist by rev_sanchez · · Score: 5, Informative

    When many doctors do their own transcription they use software with templates for common diagnoses. Pick the ailment and fill in the blanks. Offshore transcription runs about 12 cents/line. Domestic services run about 17-20 cents/line, but you get native English speakers and U.S. privacy laws (HIPAA).

    --
    If you didn't come to party don't bother knocking on my door. Prince '1999'
  6. In Europe... by paugq · · Score: 5, Informative

    In Europe this would never have happened: our laws are very strong regarding personal data and privacy.

    For instance, if a company here in Spain keeps customers' data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person (with a name and a surname) of that company has to ask the Director of the Data Protection Agency for written permission to do so.

    Break privacy laws and you'll face a monetary penalty from $600 to $600000.

  7. Condoms for Data. by t_allardyce · · Score: 5, Informative

    Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (I think it's European too):

    -You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc., and this can include video and internal memos about you and non-electronically stored data AFAIK.

    -You have the right to know who is holding what and what they intend to do with it.

    -It can't be taken outside the European Economic Area without your consent.

    -Security measures must be taken to ensure it's safe.

    uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!

    --
    This comment does not represent the views or opinions of the user.
  8. Capital One by bl968 · · Score: 4, Informative

    Capital One has outsourced your credit card account customer service personnel to India. I called up with a question and, hearing a distinctive accent, I asked the young woman where she was located. To her credit she answered me honestly, and I had no real problems with her. However, I do feel that any information sent to outsourced personnel overseas should be subject to all US legal protections, and the company should have to treat that data with the same responsibilities as if it were here in the USA.

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"