Your Privacy and Offshore Outsourcing
An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.
I'd rather have some person in India or wherever know I've got some embarrassing disease than the gossipy old cow that lives over the road.
Engineering is the art of compromise.
Does anyone have a free-market solution to this? I would hate to see Democrats legislate this to hell. IMHO overlegislation will solve 1 problem but cause another...
But while the above point is interesting, it's somewhat irrelevant to this case: the breach of contract occurred in the US:
Basically, while the article brings up the interesting concept of what offshoring information can do, this particular case of offshoring is really not the greatest example, since the breach of contract occurred in the US. And yet we have sensationalist newspapers like the Chronicle and opportunistic politicians who call themselves privacy advocates; the current state of affairs is fucked. The comment leads me to believe that he didn't even RTFA:
Most transcription services are now computer-transcription now anyway.
You speak. Human transcribes. Computer learns. Human error checks... eventually the computer is good enough that the human is not needed at all.
We are using this system now. It, of course, sucks compared to a real transcriptionist... but it is 10 times cheaper.
Davak
She said she e-mailed him at what she assumed was his important U.S. company, Tutranscribe, although the firm didn't have its own Web site, only an AOL account.
"You've got (black)mail!"
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
All doctors should have their computers transcribe their dictations like my father does.
Well, hope God helps you when you get "an a cute case of men in vaginas".
Seriously, I haven't seen any natural-language software reach the point where I would trust it with medical information. I would rather get the right treatment than someone fucking up my patient records...
Not to mention the cost of a doctor having to sit down and error-check afterwards, etc. If you look at a doctor making $100/hr (hey, they went to 7+ years of school, residency, internship, etc) that would add even more to the current cost of health care.
On an unrelated note, my uncle (who is a doctor), works in the ER. He says that because persons on Medicare don't pay for ambulance rides, he sees people in the ER who have cuts on their fingers, minor abrasions, etc, who have their ambulance rides paid for by us, the public. And considering one of my friends got billed $1000+ for a recent ambulance ride, I think we're getting screwed.
From your comment, I hope your father does as well... a few letters can make a huge difference in what drug is given/how much drug is given. Especially if the pharmacist just blindly fills the prescription. (For more info please see: "High Malpractice Insurance")
"The truth suffers from too much analysis"
Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.
"To those who are overly cautious, everything is impossible. "
If I had such an affliction, I would argue that god had helped me.
I work in a similar industry, handling patient claims information. This story has been circulating around for a while. What really grabbed my attention from this article was the statement of Transcribe Stat's owner.
"After 23 years in business, it took just one little e-mail to ruin me."
And there it is. These are the things that keep me up at night, watching firewall logs and everything else that keeps me from getting a good night's sleep.
The truly scary part is that the US government is trying to outsource everything as well. This includes the IRS, which means that your personal tax information is going to be in the hands of some work-at-home person making $1 per transaction filed, stored on the computers of some half-assed system administrator. The original contractors will have no responsibility as the contracts will be written to require minimal due diligence and almost no penalties for infractions.
This of course has been defended as completely consistent with all current privacy laws. In addition, the somewhat friendly people at the IRS, a result of new regulations that resulted from the friends-or-Reagan audits, will be replaced with the same people who call during dinner asking you to buy their product, or yelling at your children because their parents did not pay a bill.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
If people perceive the offshoring to give some privacy risk then they will perhaps be prepared to pay an extra $5 or $10 or whatever each month to a service that guarantees your case will be handled by an American. Alternatively, a company that advertises that they guarantee American processing will get a competitive advantage over their offshoring competition.
It seems hypocrisy to me that those that bitch about losing their jobs to India don't seem to mind wearing Nikes made in the Philippines and having Korean RAM in their PCs.
Free market means paying for things you value, not just bitching about things.
Engineering is the art of compromise.
http://www.hipaadvisory.com/action/LegalQA/law/Legal44.htm
QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?
ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.
The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.
By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.
Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.
Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compensation fr
When many doctors do their own transcription they use software with templates for common diagnoses. Pick the ailment and fill in the blanks. Offshore transcription runs about 12 cents/line. Domestic services run about 17-20 cents/line but you get native English speakers and U.S. privacy laws (HIPAA).
If you didn't come to party don't bother knocking on my door. Prince '1999'
Well at least the majority of Americans are not raising the issue to either companies or their representatives. For the past few months, e-loan has been giving its customers a choice of where their loan applications are processed (India vs US). Even though these customers knew their private info was going to be shipped overseas, 86% chose India because the processing time was 2 days shorter. Bottom line, Americans have a fast food mentality ... ie the cheapest, quickest way will always win.
As for the story, I work as a consultant in the Health IT arena, and have all too often seen private data mishandled. However standards are greatly improving in the US, but this is only due to the threat imposed by legislation and civil lawsuits. Will 3rd party companies overseas have the same incentive if they are outside of US jurisdiction? Probably not.
In Europe this would have never ever happened: our laws are very strong regarding personal data and privacy.
For instance, if a company here in Spain keeps customers data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person -with a name and a surname- of that company has to ask the Director of the Data Protection Agency for a written permission to do so.
Break Privacy Laws and you'll face a monetary penalty from $600 to $600000
I have been doing technical support for IBM's dictation software for a while in 1996-97 and a substantial part of our customers back then were doctors and lawyers. Both used special purpose dictionaries and reported that it worked quite well. I would be really surprised if this has gotten worse in the last few years.
Things like medical transcriptions are a lot easier than general purpose transcriptions for a computer and can be a lot more accurate due to more specialized and limited dictionaries.
Seriously, I haven't seen any natural-language software reach the point where I would trust it with medical information. I would rather get the right treatment than someone fucking up my patient records...
Actually, I used to write medical software that had an autotranscription component using Dragon's software, and given a medical dictionary to select from and a proper training cycle, it was incredibly effective. The physician or a designated individual still had to approve the report, but very rarely were there any problems with transcription (we tracked corrections through the system so we'd know how effective it was, and after a proper training cycle it was better than 96% effective.)
On the subject of the cost of healthcare, doctors using our system loved it specifically because it allowed them to accomplish more work (for a lot of reasons, not just the Dragon software) in the same period of time, which helped the hospital keep costs down. Did that drive down medical costs for everyone? Of course not--but not because things were more expensive. Face it, people are greedy. Insurance companies never cut rates, nor do doctors start working for less money. Hospitals won't start charging appropriate costs back to the patients until they're forced to through legislation (which should be accompanied by a national healthcare system or a system to provide insurance coverage to the 40 million of us without it, to keep hospitals in business.)
Would you rather have it outsourced to someone overseas who your doctor met on the Internet? That more-or-less happened here. The person can't be held responsible.
US authorities would have a hell of a time finding them, and, if they did, there's not much they could do anyway. Do you still think this person is more reliable than computer software? I don't think either is reliable enough.
Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (I think it's European too):
-You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc and this can include video and internal memos about you and non-electronically stored data AFAIK
-You have the right to know who is holding what and what they intend to do with it
-It can't be taken outside the European Economic Area without your consent
-Security measures must be taken to ensure it's safe
uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!
This comment does not represent the views or opinions of the user.
Wouldn't it make sense to separate data from patients? This is like Database Design 101.
So patient medical records can be transcribed by anyone without leaking the identities, and the patient details are held in another database.
So if someone wants to post a medical record, it can only go as far as "Patient DFA12435 has xxx, HA! HA!".
Rock that crushes, Paper & Scissors that don't matter.
Capital One has outsourced your credit card account customer service personnel to India. I called up with a question and hearing a distinctive accent I asked the young woman where she was located. To her credit she answered me honestly and I had no real problems with her. However I do feel that any information sent to outsourced personnel overseas should be subject to all US legal protections and the company should have to treat that data with the same responsibilities as if it was here in the USA.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
It's funny that the US is getting upset about data processing "beyond the reach of U.S. authorities", because already some years back, it used to be the other way round.
For several years now, some larger German companies used to offshore their customer data processing to the USA. Some claim this is also done because of the USA's less strict privacy laws that allow for far more data profiling than allowed in Germany. There is also growing concern in German media that it will be impossible to control such outsourced data and that there is no way to ensure that customer data will not be used by the American processing company for other purposes or sold to third parties.
One such example was the Bahncard, a price rebate system for the national railway. For a few years, it came combined with a creditcard option and its data would be shared with an external partner of CitiBank US for customer profiling, including a photograph, a full credit history and all payment data of the user.
------------------
You may like my a cappella music
This has nothing to do with countries and law this has to do with your privacy being handled by the lowest bidder.
Each step in the chain shows someone wanting lots of money for not doing anything. If hospitals and others were serious they would do the transcribing in house. But of course that is no longer allowed. Focus on your core capabilities has become the watch word. So that a place like a hospital is now really a meeting hall for outsourcing companies. From temp nurses to cleaners, from caterers to office staff. No one works for the hospital, they all work for the lowest bidder.
Neat eh? And the funny thing is? Medical bills only seem to go up. Why am I paying more insurance when all this cost saving is going on?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
No this whole story is one of greed and it starts right at the patients. After all they want low low insurance and medical bills. So the hospital saves by outsourcing instead of doing it in house. The outsourced company outsources again instead of doing it in house and so on.
Feeling sympathy here is misplaced. Each and everyone involved, including the patients, is a victim of their greed.
Maybe I am just a cynical bastard.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Separating database records like you suggest is indeed possible. You could easily separate a patient's credit history from their medical history. Doctors don't need to know payment details and the collectors don't need to know medical details.
But in this case that is impossible. Medical details do belong with the name.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
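The split proposed earlier in the thread ("Patient DFA12435 has xxx"), together with the objection that dictated notes carry the name in their text, as an added example that is not part of any comment: identity stays in one database, the transcription job goes in another, and the two are joined only by a keyed pseudonym. The key, table names, sample record and function names are all constructed for illustration, and only identifiers the hospital already knows are redacted from the free text.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed demo key (assumption): in practice it never leaves the hospital.
HOSPITAL_KEY = b"constructed-demo-key"

def pseudonym(mrn, key=HOSPITAL_KEY):
    """Stable patient ID derived with HMAC; not linkable without the key."""
    digest = hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:12].upper()

def redact(text, identifiers):
    """Replace this patient's known identifiers inside the free text."""
    for ident in sorted(identifiers, key=len, reverse=True):
        pattern = r"\b" + re.escape(ident) + r"\b"
        text = re.sub(pattern, "[REDACTED]", text, flags=re.IGNORECASE)
    return text

def make_dbs():
    """Two separate stores: one kept in-house, one the contractor sees."""
    identity_db = sqlite3.connect(":memory:")
    outsourced_db = sqlite3.connect(":memory:")
    identity_db.execute(
        "CREATE TABLE identity (pid TEXT PRIMARY KEY, name TEXT, mrn TEXT)")
    outsourced_db.execute("CREATE TABLE job (pid TEXT, dictation TEXT)")
    return identity_db, outsourced_db

def split_record(record, identity_db, outsourced_db):
    """Store identity in-house and emit a de-identified transcription job."""
    pid = pseudonym(record["mrn"])
    identity_db.execute(
        "INSERT OR REPLACE INTO identity VALUES (?, ?, ?)",
        (pid, record["name"], record["mrn"]))
    known = [record["name"], record["mrn"], *record["name"].split()]
    body = redact(record["dictation"], known)
    outsourced_db.execute("INSERT INTO job VALUES (?, ?)", (pid, body))
    return pid

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-004217",
    "dictation": "Patient Jane Doe, MRN-004217, presents with a sprained "
                 "ankle. Ms. Doe was advised to rest.",
}

if __name__ == "__main__":
    ident, out = make_dbs()
    pid = split_record(SAMPLE, ident, out)
    print(out.execute("SELECT pid, dictation FROM job").fetchall())
    print(ident.execute(
        "SELECT name FROM identity WHERE pid = ?", (pid,)).fetchone())
```

Names the dictation mentions that are not on the patient's own record (a relative, a referring physician) pass through unredacted, which is the residual risk the reply in the thread points at.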