Your Privacy and Offshore Outsourcing

An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.

the point to be made here

[mandalayx]

Before we get to all the anti-India comments, here is the crux of the problem:

"The problem is not that they're in India," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington. "The problem is that American laws are not going to be enforced in India."

Does anyone have a free-market solution to this? I would hate to see Democrats legislate this to hell. IMHO overlegislation will solve 1 problem but cause another...

But while the above point is interesting, it's somewhat irrelevant to this case: the breach of contract occured in the US:

A Transcription Stat worker, Dennis Centore, quickly traced the files to a batch of notes that had been subcontracted to a woman in Florida named Sonya Newburn, who typically handled as many as 30 files on individual UCSF patients every day.

"She was quiet until I mentioned Tom Spires," Centore recalled. "Then she said, 'Oh my God,' and said that she had contracted for Tom to do the work."

Neither Transcription Stat nor UCSF knew that Newburn was subcontracting. The outsourcing chain was supposed to end with her, as per Newburn's contract with the Sausalito firm.

Basically, while the article brings up the interesting concept of what offshoring information can do, this particular case of offshoring is really not the greatest example, since the breach of contract occured in the US. And yet we have sensationalist newspapers like the Chronicle and opportunistic politicians who call themselves privacy advocates; the current state of affairs is fucked. The comment leads me to believe that he didn't even RTFA:

"We've reached the point where American companies ship personal information outside the country and tell customers to check their privacy at the shore," said Rep. Edward Markey, D-Mass., one of the leading privacy advocates on Capitol Hill.

Re:the point to be made here

That's true of course, but the information was still held hostage by someone who didn't own it, in fact had no right to have it, in another country.

Which is the real point of outsourcing I think. The advantage of cheaper labor is something of a smokescreen. I think it's popularity stems from the diffusion of responsability, and the complications of getting information, and enforcing practices in other countries.

She can go in an say, but I didn't know. I was swamped with work, people deserve to have this thing done, Tom was highly recommended and trustworthy, I can't be blamed for holding information hostage! I'm a good person I never have and never would do that. This other sort of innocuous thing is my fault, and I am SOOOO SORRY.

If we put in a type of liability where the ends don't justify the means, but the means are responsible for the whole end, at every point of failure that by passed the normal protections like bankruptcy and incorporation, it would probably stop, with all business in the US.

Re:the point to be made here

[pavon]

Does anyone have a free-market solution to this?
Yes, simply make the US companies (and government departments) truely responsible (ie their ass is on the line) for protecting this information. If the cost of failure is higher than other savings, then they themselves will implement strict requirements, and will only want to contract out to groups who have proven themselves to be trustworthy.

Re:the point to be made here

[DAldredge]

From http://www.hipaadvisory.com/action/LegalQA/law/Leg al44.htm

QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.

The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.

By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.

Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.

Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compe

Re:the point to be made here

[YU+Nicks+NE+Way]

Actually, you're wrong. India is going through a huge period of economic growth throughout its economy. In this, it is replaying a pattern very like the other industrializing countries of the world. It appears to you and me that India is a shambles, but that isn't because the economy is doing poorly, but because it started out doing so much worse.

Most countries go through an extended mercantilist period during their early mass industrialization. During that period, wages in the industrializing country are typically quite low becuase the coutry's currency is artificially depressed. During that period, the country's industrial production skyrockets. Since consumers in the country buy their own products with their own currency, the irrational pricing structure of their industry's exports doesn't affect them, and they act as an internal gate which forces the quality of their exports up.

Eventually, however, growth leads to major industries being unable to provide for their own production with local acquired raw materials. At that point, prices of locally produced products start to reflect the relative level of the currency: foreign raw materials must be bought in foreign currency, which raises the prices of the finished goods into which they are made. That triggers a sharp round of inflation, which leads to a more restrictive currency policy. The price difference between finished good produced in country and those produced abroad gradually shrinks, due to this pressure.

To see this pattern in action, you can go back to Japan in the fifties through the eighties, S. Korea since the eighties, and India now. Alternatively, you can go back to the United State in the late nineteenth century, or to the great European powers in the early nineteenth century.

Europe and the United States managed to extend the period during which they could pursue a mercantilist policy somewhat longer by maintaining a captive market to which finished goods could be exported and from which raw materials could be imported in the local currency. The European powers did this by maintaining colonial markets in Asia, Africa, and, to a lesser extent, the Americas. The Americans settled our West, which became a huge source of raw materials for our East coast industries. The captive markets allowed the industrial base to continue to acquire raw materials at a disproportionately low price.

Schumpeterian equilibrium may well apply to an economy which is dependent on a influx of externally produced raw materials balanced by an egress of internally produced finished goods. That's not the case for economies in their earlier stages of industrialization and development. I don't know how long it will take for India to reach that state, but given the combination of destitution and size of her population, I wouldn't be inclined to expect her government to adopt less mercantilist policies any time soon. It's not rational to do so.

Re:Transcriptionist

[mandalayx]

All docters should have their computers transcribe their dictations like my father does.

Well, hope God helps you when you get "an a cute case of men in vaginas".

Seriously, I haven't seen any natural-language software reach the point where I would trust it with medical information. I would rather get the right treatment than someone fucking up my patient records...

Not to mention the cost of a doctor having to sit down and error-check afterwards, etc. If you look at a doctor making $100/hr (hey, they went to 7+ years of school, residency, internship, etc) that would add even more to the current cost of health care.

On an unrelated note, my uncle (who is a doctor), works in the ER. He says that because persons on Medicare don't pay for amublance rides, he sees people in the ER who have cuts on their fingers, minor abrasions, etc, who have their ambulance rides paid for by us, the public. And considering one of my friends got billed $1000+ for a recent ambulance ride, I think we're getting screwed.

Re:HIPPA Violation ?

[stox]

Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.

Re:Transcriptionist

[jd_esguerra]

Well, hope God helps you when you get "an a cute case of men in vaginas".

If I had such an affliction, I would argue that god had helped me.

contactors must be held responsible

[fermion]

The problem really is that subcontracting is meant to pass responsibility to another party. The person who contracts the work, as is the case woth, for example, Walmart or Nike, is allowed to feign ignorance and tends to be resolved of all responsibility. This situation, of course, gets worse as you move down the chain of subcontractors. It is a situation in which contractors are taking money for doing little more than taking a cut for mailing some paper.

The truly scary part is that the US government is trying to outsource everything as well. This includes the IRS, which means that your personal tax information is going to be in hands of some work-at-home person making $1 per transaction filed, stored on the computers on some half-assed system administrator. The original contractors will have no responsibility as the contracts will be written to require minimal due diligence and almost no penalties for infractions.

This of course has been defended as completely consistent with all current privacy laws. In addition, the somewhat friendly people at the IRS, a result of new regulations that resulted from the friends-or-Reagan audits, will be replace with the same people who call during diner asking you to buy their product, or yelling at your children because their parents did not pay a bill.

Re:Transcriptionist

[rev_sanchez]

When many doctors do their own transcription they use software with templates for common diagnosies. Pick the ailment and fill in the blanks. Offshore transcription runs about 12 cents/line. Domestic services runs about 17-20 cents/line but you get native english speakers and U.S. privacy laws (HIPAA).

Bottom Line ... Americans Don't Care

[Average_Joe_Sixpack]

Well at least the majority of Americans are not raising the issue to either companies or their representatives. For the past few months, e-loan has been giving it's customers a choice of where their loan applications are processed (India vs US). Even though these customers knew their private info was going to be shipped overseas, 86% chose India because the processing time was 2 days shorter. Bottom line, American's have a fast food mentality ... ie the cheapest, quickest way will always win.

As for the story, I work as a consultant in the Health IT arena, and have all too often seen private data mishandled. However standards are greatly improving in the US, but this is only due to the threat imposed by legislation and civil lawsuits. Will 3rd party companies overseas have the same incentive if they are outside of US jurisdiction? Probably not

In Europe...

[paugq]

In Europe this would have never ever happened: our laws are very strong regarding to personal data and privacy.

For instance, if a company here in Spain keeps customers data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person -with a name and a surname- of that company has to ask the Director of the Data Protection Agency for a written permission to do so.

Break Privacy Laws and you'll face a monetary penalty from $600 to $600000

Condoms for Data.

[t_allardyce]

Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (i think its European too):

-You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc and this can include video and internal memos about you and non-electronically stored data AFAIK

-You have the right to know who is holding what and what they intend to do with it

-It cant be taken outside the European Economic Area without your consent

-Security measures must be taken to ensure its safe

uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!

Re:Rather have it offshore

[rodgerd]

And you could then have her dealt with under US law. What's the US going to do to get the Indian? Invade? Shit, most of your Army's tied up in a country with 20 million people and no WMDs; the Pentagon isn't going to go after a nuclear power for the sake of your medical records.

Separate medical data from patients?

[fembots]

Wouldn't it make sense to separate data from patients? This is like Database Design 101.

So patient medical records can be transcribed by anyone without leaking the identities, and the patient details are held in another database.

So if someone wants to post a medical record, it can only go as far as "Patient DFA12435 has xxx, HA! HA!".

This isn't new, just new for you Americans...

[Hanno]

It's funny that the US is getting upset about data processing "beyond the reach of U.S. authorities", because already some years back, it used to be the other way round.

For several years now, some larger German companies used to offshore their customer data processing to the USA. Some claim this is also done because of the USA's less strict privacy laws that allow for far more data profiling than allowed in Germany. There is also growing concern in German media that it will be impossible to control such outsourced data and that there is no way to ensure that customer data will not be used by the American procesing company for other purposes or sold to third parties.

One such example was the Bahncard, a price rebate system for the national railway. For a few years, it came combined with a creditcard option and its data would be shared with an external partner of CitiBank US for customer profiling, including a photograph, a full credit history and all payment data of the user.

She is lying.

[SmallFurryCreature]

What it took to ruin her was her own greed. She was hired to do the transcribing. But instead of hiring her own people, checking those people, checking their work she outsourced it to a lower bidder.

This has nothing to do with countries and law this has to do with your privacy being handled by the lowest bidder.

Each step in the chain shows someone wanting lots of money for not doing anything. If hospitals and others were serious they would do the transcribing in house. But of course that is no longer allowed. Focus on your core capabilities has become the watch word. So that a place like a hospital is now really a meeting hall for outsourcing companies. From temp nurses to cleaners, from caterers to office staff. No one works for the hospital, they all work for the lowest bidder.

Neat eh? And the funny thing is? Medical bills only seem to go up. Why am I paying more insurance when all this cost saving is going on?