Wednesday, 22 October 2003

Outsourced medical transcription causes privacy snafu

Today the San Francisco Chronicle reported an incident that may be a harbinger of disaster for medical privacy ("A Tough Lesson on Medical Privacy").

It is common practice for doctors to dictate notes that are later transcribed by clerical staff. This makes healthcare delivery more efficient because it frees doctors to spend more time with patients and less time with paperwork. With the advent of portable tape recorders and, more recently, personal digital recorders, healthcare organizations have found it even more efficient to "outsource" this transcription — to hire someone on a contract basis to record the oral notes in written form. Over time, a network of contractors and subcontractors developed to serve what became a $20 billion medical transcription industry. Naturally, not all of these subcontractors are in the United States.

The Chronicle reports that Lubna Baloch, a medical transcription subcontractor in Pakistan, sent an email to the UCSF Medical Center which complained about her low wages and threatened to post patients' records on the Internet if she was not paid hundreds of dollars. To back up her threat, Ms. Baloch attached two patients' records to the email. "Your patient records are out in the open to be exposed," she wrote, "so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet."

The records have apparently not been posted to the Internet — yet. A subcontractor between her and the Medical Center paid her $500 on the condition that she withdraw her threat. Shortly thereafter, she sent another email to the medical center, writing, "I verify that I do not have any intent to distribute/release any patient health information out and I have destroyed the said information. I am retracting any statements made by me earlier." A spokesman for the Medical Center points out, however, that "We do not have any evidence that the person has destroyed the files."

The United States has a law known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under this law, the Department of Health & Human Services has issued detailed regulations that govern how medical information must be kept confidential. Those rules are difficult or impossible to enforce abroad, however. Ms. Baloch is at least three subcontracts removed from the UCSF Medical Center, and it is not clear whether the hospitals or doctors could be held responsible in the event of a breach of their patients' privacy. The Medical Center claims that it was aware of only two levels of subcontracting and had no idea that its medical files were being sent offshore. The current regulations permit subcontracting of work like transcription, so long as the contracts have provisions requiring confidentiality. Details are still sketchy as to the content of the contract involved in this case. Time will tell if the law has been violated.

Even if the Medical Center did not break the law, this story should send shivers down the spines of all Americans who have ever been treated by a doctor. Economic globalization and digital communications technology have made outsourcing and "offshoring" routine, and no one knows how much of this work is being done outside the United States. Most of the work is going to countries where wages are low — otherwise, there would be no cost savings, and the medical staff would transcribe the notes in-house. Developing countries do not have privacy laws as comprehensive and sophisticated as those in the U.S. and Europe.

Ms. Baloch has come up with the idea for this extortion and it has become public, so it is only a matter of time before someone else tries it. The next person may demand much more than $500, and the next hospital may not be willing to pay. (Note that in this case a subcontractor paid the bribe, not the hospital.) Who loses in this situation? The patients. The most intimate details of our lives will be exposed to everyone with a computer and a telephone line.

How should we respond? Amend HIPAA? Possibly. Perhaps we need more stringent requirements for contracting and subcontracting. Maybe we should bar outsourcing to offshore companies, or at least restrict the countries where outsourcing is permitted to those having strong privacy laws. Maybe we need to do something else. But these problems will not go away — they will only become more pervasive.

Posted at 3:34:23 PM | Permalink

Topics: Civil Liberties, Politics, Privacy