Slashdot Mirror
Your Privacy and Offshore Outsourcing
An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.
if some indian knows i have genital herpes..... i mean, the whole of slashdot knows!
I'd rather have some person in India or where ever know I've got some embarrassing disease than the gossippy old cow that lives over the road.
Engineering is the art of compromise.
Does anyone have a free-market solution to this? I would hate to see Democrats legislate this to hell. IMHO overlegislation will solve 1 problem but cause another...
But while the above point is interesting, it's somewhat irrelevant to this case: the breach of contract occured in the US:
Basically, while the article brings up the interesting concept of what offshoring information can do, this particular case of offshoring is really not the greatest example, since the breach of contract occured in the US. And yet we have sensationalist newspapers like the Chronicle and opportunistic politicians who call themselves privacy advocates; the current state of affairs is fucked. The comment leads me to believe that he didn't even RTFA:
Most transciption services are now computer-transcription now anyway.
You speak. Human transcribes. Computer learns. Human error checks... eventually the computer is good enough that the human is not needed at all.
We are using this system now. It, of course, sucks compared to a real transciptionist... but it is 10 times cheaper.
Davak
American law sets out very tight restrictions on what our doctors can do with our private records, and there are stiff penalties for any individual who violates trust with this data. Could sending these tasks overseas cause there to be less-strict laws regulating the handling of private medical info?
since I stole someone's identity a while back.
And no I was never a football tight end.
Help end the use of Sigs. Tomorrow
She said she e-mailed him at what she assumed was his important U.S. company, Tutranscribe, although the firm didn't have its own Web site, only an AOL account.
"You've got (black)mail!"
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Its *HIPAA* not, and I repeat, *NOT* HIPPA.
All docters should have their computers transcribe their dictations like my father does.
Well, hope God helps you when you get "an a cute case of men in vaginas".
Seriously, I haven't seen any natural-language software reach the point where I would trust it with medical information. I would rather get the right treatment than someone fucking up my patient records...
Not to mention the cost of a doctor having to sit down and error-check afterwards, etc. If you look at a doctor making $100/hr (hey, they went to 7+ years of school, residency, internship, etc) that would add even more to the current cost of health care.
On an unrelated note, my uncle (who is a doctor), works in the ER. He says that because persons on Medicare don't pay for amublance rides, he sees people in the ER who have cuts on their fingers, minor abrasions, etc, who have their ambulance rides paid for by us, the public. And considering one of my friends got billed $1000+ for a recent ambulance ride, I think we're getting screwed.
From your comment, I hope your father does as well... a few letters can make a huge difference in what drug is given/how much drug is given. Especially if the pharmacist just blindly fills the perscription. (For more info please see: "High Malpractice Insurance")
"The truth suffers from too much analysis"
HIPPA stresses patient privacy--and goes way overboard. But that's a different discussion.
The question is not if this is a HIPPA violation... which it clearly is. But is it a violation of US law at all?
If the presidental candidates want to win over the working class, make companies that send jobs overseas follow the same rules we do. Pay taxes, not pollute, no child labor, and even HIPPA -- why should they get to drop the US rules just because they cross the border?
If I get a ticket in Texas, points still go against my license here at home.
Why should a big company be treated any differently?
Davak
Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.
"To those who are overly cautious, everything is impossible. "
If I had such an affliction, I would argue that god had helped me.
All docters should have their computers transcribe their dictations like my father does.
;-)
I'm a little incredulous. Yes, voice transcription software is becoming impressively accurate. In a scenario where just one discrepancy can potentially endanger a patient, however, should physicians be applying the current technology?
On the other hand, one could argue that a traditional transcriptionist is also capable of committing mistakes, and that argument is completely valid. However, there exists one difference: The transcriptionist is more likely to be held accountable than a software vendor, even if outsourced.
Do you like German cars?
I work in a similar industry, handling patient claims information. This story has been circulating around for a while. What really grabbed my attention from this article was the statement of Transcribe Stat's owner.
"After 23 years in business, it took just one little e-mail to ruin me."
And there it is. These are the things that keep me up at night, watching firewalls logs and everything else that keeps me from getting a good night's sleep.
The truly scary part is that the US government is trying to outsource everything as well. This includes the IRS, which means that your personal tax information is going to be in hands of some work-at-home person making $1 per transaction filed, stored on the computers on some half-assed system administrator. The original contractors will have no responsibility as the contracts will be written to require minimal due diligence and almost no penalties for infractions.
This of course has been defended as completely consistent with all current privacy laws. In addition, the somewhat friendly people at the IRS, a result of new regulations that resulted from the friends-or-Reagan audits, will be replace with the same people who call during diner asking you to buy their product, or yelling at your children because their parents did not pay a bill.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
If people perceive the offshoring to give some privacy risk then they will perhaps be prepared to pay an extra $5 or $10 or whatever each month to a service that guarantees your case will be handled by an American. Alternatively, a company that advertises that they guarantee American processing will get a competitive advantage over their offshoring competition.
It seems hypocracy to me that those that bitch about losing their jobs to India don't seem to mind wearing Nikes made in Philipines and having Korean RAM in their PCs.
Free market means paying for things you value, not just bitching about things.
Engineering is the art of compromise.
http://www.hipaadvisory.com/action/LegalQA/law/Leg al44.htm
QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?
ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.
The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.
By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.
Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.
Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compensation fr
When many doctors do their own transcription they use software with templates for common diagnosies. Pick the ailment and fill in the blanks. Offshore transcription runs about 12 cents/line. Domestic services runs about 17-20 cents/line but you get native english speakers and U.S. privacy laws (HIPAA).
If you didn't come to party don't bother knocking on my door. Prince '1999'
Well at least the majority of Americans are not raising the issue to either companies or their representatives. For the past few months, e-loan has been giving it's customers a choice of where their loan applications are processed (India vs US). Even though these customers knew their private info was going to be shipped overseas, 86% chose India because the processing time was 2 days shorter. Bottom line, American's have a fast food mentality ... ie the cheapest, quickest way will always win.
As for the story, I work as a consultant in the Health IT arena, and have all too often seen private data mishandled. However standards are greatly improving in the US, but this is only due to the threat imposed by legislation and civil lawsuits. Will 3rd party companies overseas have the same incentive if they are outside of US jurisdiction? Probably not
In Europe this would have never ever happened: our laws are very strong regarding to personal data and privacy.
For instance, if a company here in Spain keeps customers data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person -with a name and a surname- of that company has to ask the Director of the Data Protection Agency for a written permission to do so.
Break Privacy Laws and you'll face a monetary penalty from $600 to $600000
My brother owns a dental office, part of being HIPPA compliant is getting anyplace you subcontract with to agree to the HIPPA privacy laws. I set up an offsite backup system for them but before they could upload any of their patient data they had to get the company to agree to their privacy statment.
--I swear, it was a case of isolated idiopathic hemibalissmus
I have been doing technical support for IBMs dictation software for a while in 1996-97 and a substantial part of our customers back then were doctors and lawyers. Both used special purpose dictionaries and reported that it worked quite well. I would be really surprised if this has gotten worse in the last few years.
Things like medical transcriptions are a lot easier then general purpose transcriptions for a computer and can be a lot more accurate due to more specialized and limited dictionaries.
Meditalk is the name of the software used for the dictation system. It's real time, so the doctor can check for errors while he talks. The buigest problem with it was the support contractor (Not Quincy Systems) who forged a singnature on a document.
Simon's Rock College
Seriously, I haven't seen any natural-language software reach the point where I would trust it with medical information. I would rather get the right treatment than someone fucking up my patient records...
Actually, I used to write medical software that had an autotranscription component using Dragon's software, and given a medical dictionary to select from and a proper training cycle, it was incredibly effective. The physician or a designated individual still had to approve the report, but very rarely were there any problems with transcription (we tracked corrections through the system so we'd know how effective it was, and after a proper training cycle it was better than 96% effective.)
on the subject of the cost of healthcare, doctors using our system loved it specifically because it allowed them to accomplish more work (for a lot of reasons, not just the Dragon software) in the same period of time, which helped the hospital keep costs down. Did that drive down medical costs for everyone? of course not--but not because things were more expensive. Face it, people are greedy. Insurance companies never cut rates, nor do doctors start working for less money. hospitals won't start charging appropriate costs back to the patients until they're forced to through legislation (which should be accompanied by a national healthcare system or a system to provide insurance coverage to the 40 million of us without it, to keep hospitals in business.)
I'm trying to decide if Ms. Newburn is an out-and-out hypocrite, or just spectacularly inept at fraud. She apparently sends the work to Pakistan, ignoring any concerns about professional ethics, and creates "Tom Spires" to cover her posterior; then cries about how awful it is that American jobs are going overseas, once her house of cards comes crashing down. This situation really calls for the old question: "What the hell were you thinking?!"
Doing my level best to piss off the religious right wing...
Would you rather have it outsourced to someone overseas who your doctor met on the Internet? That more-or-less happened here. The person can't be held responsible.
US authorities would have a hell of a time finding them, and, if they did, there's not much they could do anyway. Do you still think this person is more reliabile than computer software? I don't think either is reliable enough.
So basically, what you are saying, is that if you want to do business in the US, you have to follow US laws all over the world? That smacks of cultural imperialism if you ask me! The US can keep its laws in its own damn country. Certainly, I'd hate to see anything like PATRIOT or DMCA get spread any further than it already has!
A deep unwavering belief is a sure sign you're missing something...
HIPAA requires that all subcontractors are also HIPAA compliant. If the cheap foreign labor isn't, your doctor is liable. If your data gets published, sue your doctor's ass off. In the end, his insurance company will foot the bill. It won't be long before they figure out a solution that limits their exposure to liability.
People sound surprise that their data end up in some third world country facilities. To be honest, big companies have had terabytes of data stored in other countries for years. Usually it's the historical data beyond a 1 year full backup that ends up in some other countries.
Granted yes, it takes efforts to dig it up. But still, the data is theorectically outsourced.
Let's see them prosecute identity theft in Bangladore. It's only a matter of time before people who make 3 dollars an hour start figuring out how to turn your financial data and credit card numbers into $$$$$.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (i think its European too):
-You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc and this can include video and internal memos about you and non-electronically stored data AFAIK
-You have the right to know who is holding what and what they intend to do with it
-It cant be taken outside the European Economic Area without your consent
-Security measures must be taken to ensure its safe
uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!
This comment does not represent the views or opinions of the user.
A medical transcription company outsourced its core business of transcription and lost control over the details. Now they pay the price.
Wouldn't it make sense to separate data from patients? This is like Database Design 101.
So patient medical records can be transcribed by anyone without leaking the identities, and the patient details are held in another database.
So if someone wants to post a medical record, it can only go as far as "Patient DFA12435 has xxx, HA! HA!".
Rock that crushes, Paper & Scissors that don't matter.
I know many of you work in the heatlh care business, and take HIPPA pretty seriously. I work in it myself, although in a tangential relationship and don't have to abide by HIPPA due to the nature of my facility.
However, my wife works in the insurance business; specifically, she evaluates claims made against her company for legitimacy. She has the ability to draw upon resources that will tell her any individual's medical history, public and private; she can relatively easily flaunt the protections of HIPPA, although she can't reveal that she knows more about your medical condition than you do. She's not clear on how her resources can determine the things that they do, but it just shows the lie that to how much these protetctions provide.
--
$tar -xvf
Capital one has outsourced your credit card account customer service personnel to India. I called up with a question and hearing a distinctive accent I asked the young woman where she was located. To her credit she answered me honestly and I had no real problems with her. However I do feel that any information sent to outsourced personnel overseas should be subject to all US legal protections and the company should have to treat that data with the same responsibilities as if it was here in the USA.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
I do! :)
A medical wiki
Allowing diagnosis treatment charts to be followed, and a place to enter new symptoms and conditions effecting the decision.
Get the doctors insterested in a scheme and build up a huge medical database.
Peer review then sorts out the crappy answers from the useful.
liqbase
It's funny that the US is getting upset about data processing "beyond the reach of U.S. authorities", because already some years back, it used to be the other way round.
For several years now, some larger German companies used to offshore their customer data processing to the USA. Some claim this is also done because of the USA's less strict privacy laws that allow for far more data profiling than allowed in Germany. There is also growing concern in German media that it will be impossible to control such outsourced data and that there is no way to ensure that customer data will not be used by the American procesing company for other purposes or sold to third parties.
One such example was the Bahncard, a price rebate system for the national railway. For a few years, it came combined with a creditcard option and its data would be shared with an external partner of CitiBank US for customer profiling, including a photograph, a full credit history and all payment data of the user.
------------------
You may like my a cappella music
This has nothing to do with countries and law this has to do with your privacy being handled by the lowest bidder.
Each step in the chain shows someone wanting lots of money for not doing anything. If hospitals and others were serious they would do the transcribing in house. But of course that is no longer allowed. Focus on your core capabilities has become the watch word. So that a place like a hospital is now really a meeting hall for outsourcing companies. From temp nurses to cleaners, from caterers to office staff. No one works for the hospital, they all work for the lowest bidder.
Neat eh? And the funny thing is? Medical bills only seem to go up. Why am I paying more insurance when all this cost saving is going on?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
No this whole story is one of greed and it starts right at the patients. After all they want low low insurance and medical bills. So the hospital saves by outsourcing instead of doing it in house. The outsourced company outsources again instead of doing it in house and so on.
Feeling sympathy here is misplaced. Each and everyone involved, including the patients, is a victim of their greed.
Maybe I am just a cynical bastard.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Seperarting database records like you suggest is indeed possible. You could easily seperate a patients credit history from their medical history. Doctor don't need to know payment details and the collectors don't need to know medical details.
But in this case that is impossible. Medical details do belong with the name.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
In case people thought that NOTHING was being done abt the matter:s ourcing/story/0,10801,81698,00.htmlp ?liArticleID=122250&liFlavourID=1&sp=1: www.nasscom.org/download/CyberLaw.pdf+privacy&hl=e n&ie=UTF-8
http://www.computerworld.com/managementtopics/out
http://www.computerweekly.com/articles/article.as
http://216.239.51.104/custom?q=cache:aGXMuwaC72YJ
A big L Libertarian wouldn't have a problem with this as they would argue that the companies involved would suffer when they were sued.
A little l liberarian (such as myself) realizes that the average joe can't afford to go up against a major corporation. Less government is good, no government is bad.
-- Will program for bandwidth
From the article:
Nonsense. Plenty of countries have perfectly good laws on privacy -- especially, the privacy of medical records. This is just an attempt to score some points with outsorcing-scared electorate without upsetting the pro-business part of it too much.
Even if so, as long as the original customer (the hospital in this case) is in US, the victims have someone to sue. It should be left up to the hospital to decide, not mandated by law. Sooner or later WTO will demand, California drops this law... And I'll support them.
Plenty of vitally important stuff is being made abroad -- medical equipment, cars, food. By this Senator's logic, we should not be importing any of it because "there is no remedy" in case the manufacturer screws up.
In Soviet Washington the swamp drains you.
Personal data may be taken out of the EU/EEA only if without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. (EU Personal Data Directive 95/46/EC, Article 25). See here for whole Directive.
The United States is not a third country that the EU has determined to provide an adequate level of protection of personal data. However, if the individual companies or organizations in the US adhere to the Safe Harbor agreement, personal data may be transferred.
Unfortunately, it can ultimately be difficult to control that data once it gets to the US. A in Europe may determine that B in the US provides adequate protection via Safe Harbor. All is well, right? Not necessarily. What happens when B subcontracts to C, who subcontracts to D, who subcontracts to E, who subcontracts to F in country G where privacy laws don't exist? Yeah sure, there are rules, but if something were to happen, there would be more finger-pointing and "you weren't supposed to..." and the such, as opposed to taking on responsibility. But nonetheless, your personal data has been compromised. All the bickering in the world won't resolve that matter.
People say I'm crazy, I got diamonds on the soles of my shoes...
Is it just me, or is Florida a common link in most of the scams that go on in the US?
AskSlashdot / Your Health Online (http://medical.slashdot.org/)
#!/usr/bin/english