Google is coming for your health records.

Please click on the following link to view the full article. https://www.thestar.com.my/tech/tech-news/2018/11/22/google-taking-over-health-records-raises-patient-privacy-fears/

An interesting article was published by The Tech News division of The Star Online on November 22, 2018 by John Lauerman and Jeremy Kahn.

A short summary:

An artificial intelligence company named DeepMind has access to millions of British medical records. This started out innocently enough; the intent was to monitor and diagnose diseases and gather data. However, DeepMind has partnered with Google. Now, at first blush, this business deal appears to make sense, since DeepMind is a research team and Google, being a corporation, is more advantageously positioned to scale and monetize DeepMind’s data analytic efforts.

But for the benefit of whom? What common good is being served? What does it mean for patients? It is their data, it is their lives. Increased access and the ever-pervasive monetization of medical records means precious and highly personal data is being more widely disseminated in efforts to “scale and monetize” corporate agendas.

Google wants medical records, and it wants medical records for one reason: profits. This has serious implications and I’m not the only person who thinks so. Deborah Peel, MD, who is one of the most passionate and enduring patient privacy advocates to emerge since the early 2000s, is quoted in the article:

“Google turns patient data into secret intellectual property that ensures treating future patients will be very, very expensive,” said Deborah Peel, head of Patient Privacy Rights, a US-based advocacy group. “Corporations are governed by profits and Google Health is all about profits.”
— Deborah Peel, MD

For more information about the work of Dr. Deborah Peel please check out her website https://patientprivacyrights.org/patient-privacy-rights/

New Jersey's Not Messing Around.

Just a few days ago the Attorney General of New Jersey brought the hammer down on an off-shore medical transcription vendor that neglected to report a HIPAA breach. Mistakes were made during a software update, the breach was never reported, 1600 patients had their Protected Health Information in the public web domain and the State of New Jersey officially lost its garbage (I want to use another word but I’m trying to keep it appropriate, you’re welcome). It’s a lot of info, so I’ve broken this down and made it as easily consumable as possible; please feel free to pause for dramatic effect after each sentence.


Virtua Medical Group is a physician network group based in New Jersey. They operate over 50 medical practices.

Virtua Medical Group engaged the services of an offshore medical transcription company called Best Medical Transcription. Best Medical Transcription is also known as ATA Consulting, LLC. The work force engaged by this company is based in India.

During a routine software update at Best Medical Transcription, a web server was misconfigured, which allowed the PHI (Protected Health Information) of over 1,600 patients to be exposed via Google search. In fact, this is how the breach was discovered: a patient’s daughter came across her mother’s PHI during a Google search.

According to the BAA (Business Associate Agreement), Best Medical Transcription had 20 days to report the breach to Virtua Medical Group.

They didn’t report it.

And that’s not all.

Best Medical Transcription also neglected to inform Virtua Medical Group that they had subcontracted with another firm located in New Delhi, India called Tojo Vikas International.


This means that PHI was being handled by an additional off-shore workforce that Virtua Medical Group had absolutely no knowledge of. Virtua Medical Group had no Business Associate Agreement with Tojo Vikas International. This is a HIPAA violation by Virtua Medical Group, and it’s not the only one.

According to this article by Marianne Kolbasuk McGee of Healthcareinfosecurity:

Among HIPAA violations identified included VMG (Virtua Medical Group) failing to conduct an accurate and thorough risk assessment of the potential risks to electronic PHI it held and transmitted to a third party vendor; failure to implement security measures to reduce those risks; and failure to implement a workforce security training program.
— Marianne Kolbasuk McGee of Healthcareinfosecurity.com

Virtua Medical Group also had over $400,000 in fines imposed by The State of New Jersey.

So, all of this occurred almost two years ago (January 2016); why are we talking about it today? Because in a November 2, 2018 statement, New Jersey Attorney General Gurbir Grewal reached a settlement agreement which says that Mr. Tushar Mathur, the owner of Best Medical Transcription, also known as ATA Consulting LLC, based in Georgia, is banned from owning a business in New Jersey. According to an article by Databreachtoday.com, Mathur “shall not manage or own any business in New Jersey, or serve as an officer, director, trustee, member of an executive board or similar governing body, principal, manager or stockholder owning 10 percent or more of the aggregate outstanding capital stock of all classes of any corporation in New Jersey.”

What about Tojo Vikas International based in New Delhi, India? Well, they don’t have a US presence whatsoever and their website is vague; in addition to medical transcription it appears they also do flood management and hydraulics. It’s an odd business structure. Whoever they are, they had/have access to the data of over 1600 New Jersey healthcare consumers. I would say this lack of transparency is frustrating, and it is, but it’s actually very consistent with the vagueness and confusion that is part of doing business with off-shore corporations.

In conclusion:

This is the first time a ban has been imposed at the state level as part of a breach settlement: Mr. Mathur is banned from owning a business in New Jersey. In a country and culture such as the US, one that prides itself on opportunity and economic growth, this is huge, and now it’s case law and sets a legal precedent moving forward.

Not too shabby, New Jersey, not too shabby at all.


The GDPR. Europe's New Privacy Law Is Ambitious But That Might Not Mean Anything.

Europe passed some impressive legislation in May of 2018. It’s called the General Data Protection Regulation (GDPR) and it applies to any organization that deals with data provided by citizens of the European Union. This includes Great Britain; despite Brexit, the British government has stated a clear intention to adopt and emulate this large scale legislation.

The GDPR is a complex monster, just as HIPAA was when it was first passed in the United States. Throughout my research there is something I’ve learned about broad, sweeping legislation. In the beginning there is a lot of celebration: legislators congratulate each other, legislators congratulate themselves and the general public feels that their data is safe.

But while common folk are busy with their lives, taking kids to soccer, reading up on the latest Kardashian to go to rehab and trying to make a living wage so they can support their families, there are entities who are hiring lawyers and trying to find ways around these laws.


They are called corporations and here is the thing: 99.9% of regular people are not thinking about them, but 100% of corporations are thinking about regular people. Why are corporations thinking about hoi polloi? Why is the mass populace so enticing?

Because that’s where the money is.

And here is the thing: a consumer doesn’t have to spend a dime in order to be seen as incredibly lucrative by corporations. In a modern, digital age we are constantly outputting data; it happens when we buy things on Amazon, when we use our debit cards to buy groceries, when we go to the doctor. We become data subjects and the data we generate is incredibly valuable.


Let’s look back at the Facebook debacle. In early 2018, 87 million Facebook users had their data harvested and sold to a company called Cambridge Analytica. The data was sold, which is very important. THIS DATA HAS VALUE - A LOT OF VALUE. People think they’re engaging with Facebook so they can post pictures of their cat eating pizza and start passive aggressive political fights with relatives. Corporations are absolutely watching this data, they want this data very badly and Facebook got called on the carpet for selling it.

So, while I admire what Europe has done and I’m impressed with the scope and depth of the legislation, this legislation is very new and hasn’t been battle tested yet. Powerful corporations and private entities are already finding ways to work around these laws and make sure increased regulation doesn’t cut into their profit margins. In some cases, the laws will be re-written or exemptions will be adopted into law in order to remove regulation. HIPAA’s corporate “regulations” have become the Swiss cheese of privacy and data protection laws, riddled with holes that better serve corporations and private businesses. Time will tell if the GDPR goes the same way.

The Issues Surrounding Morality and the Insufficiency of Laws when Off-shoring US Medical Records

There's a great quote by the French sociologist David Emile Durkheim about mores (another word for morality) and laws. Before I present this quote for your consideration, I'll give you the crash course intro: David Emile Durkheim was one of the founding fathers of the science of modern sociology as we know it.  Durkheim was born in France on April 15, 1858.  I highly recommend that you read up on him because thinkers of great thoughts are fascinating people, alive or dead.


Durkheim spent his life analyzing how societies can successfully maintain their integrity and coherence in an evolving world, and one of his most important quotes is:

"When mores are sufficient, laws are unnecessary; when mores are insufficient, laws are unenforceable."

It goes without saying that this quote is super old.  These words were said before penicillin was discovered, before traffic lights were invented, before women had the right to vote in the US.  I'm not going to beat a dead horse, you get it.  But this quote, this noble idea that closely ties applied ethics and morality to laws, is as relevant as it ever was.

My mission as a patient privacy advocate, and the body of work on this website, is dedicated to the ongoing discussion of the off-shoring of medical records.  To briefly summarize the issue for those of you new to the conversation: electronic medical records are documents stored in a digital format that house very sensitive personal and demographic information about healthcare consumers in the United States.  Some business entities choose to engage a foreign workforce to perform healthcare back office functions due to decreased regulation and cost savings.  If you're interested in learning more about this business practice click here.

What I'd like to do is take Durkheim's quote apart and use it to illustrate a point that seems to be lost on corporate culture in The United States - especially as it applies to corporate and healthcare entities who are taking great liberties with the privacy of US patient populations.

"When mores are sufficient, laws are unnecessary...."

What this means is that a legal framework is redundant in the presence of morality.  I believe that most people alive and walking on the earth today are moral.  We're all flawed and self-serving to a degree, I mean, we are human after all. But, I have the optimistic world-view that most of us, regardless of what country we live in or what we do for a living, want to behave in a way that honors the common good.

However, the United States and our legislators aren't ignorant about people who wish to harm us by compromising the integrity of our data.  So while we hope that people with access to confidential information act with morality, we also acknowledge that some people are without morals, that there are bad actors out there who would love to sell the social security number of a child (which can absolutely be found in an electronic medical record) for personal gain.  So, our collective realization and our response to this as a nation manifested in 1996 when HIPAA reshaped the landscape of the healthcare industry. Regulations were put in place; we established a legal structure that holds the workforce accountable for their actions.  So, just in case someone's mores were insufficient, there was the possibility of jail time and hefty fines on the books.


But what about the decision to send patient data, or grant full access credentials to a foreign workforce?  

Is it an act of morality to strip the patient of a layer of privacy protection that can only be offered by a US based workforce who is fully, individually accountable to HIPAA?

Is it an act of morality to have certain patient populations more vulnerable than others, solely because someone in a position of power decided it was worth paying a (supposedly) lower bill rate offered by corporations who are leveraging foreign labor?

"...when mores are insufficient, laws are unenforceable."

The last three words of this quote really drive my point home.  Morality is lost when corporations and healthcare providers make the choice to over-expose their patient populations with the knowledge that there are no laws in these foreign countries which offer a reassuring level of protection.  There are no laws to protect those who have the most to lose in this business arrangement because the patient is not protected.  The legislation that we rely on in the United States ceases to exist for the person on the other side of the globe who is handling this sensitive data.

Ignoring that inconvenient fact is exactly what I would describe as having "insufficient mores" and, in the words of someone who died over 100 years ago, it makes our laws unenforceable.

For more information about the off-shoring of medical records please click here. And if you'd like to write a letter to your legislators to let them know you're concerned about this business practice click here.

When mores are sufficient, laws are unnecessary; when mores are insufficient, laws are unenforceable.
— David Emile Durkheim

But I thought you locked the doors...

I really like LinkedIn.  Friends of mine who aren't in my industry don't see the appeal, they think it's a dead medium. I have a half decade of doing business successfully on this social media platform and I get to follow content that serves me very well in my professional life.  There are a lot of really talented people sharing their ideas and innovations on LinkedIn.  I'm a big fan of the whole scene.


It goes without saying that social media has changed everything about the way we relate to each other both professionally and personally and someone (I wish I could remember who) once said that having a website or participating in social media is like standing in the middle of a field in a football stadium.  You're standing in the middle of the field and shouting back and forth with ten people in the stands, you're having a nice interaction and feeling good about engagement.  What you don't realize is that the rest of the packed stadium is looking on, just watching.  Countless silent observers, watching everything going on between you and the ten people in the stands.  Don't think about it too long, you'll have an existential crisis.

So, I'm scrolling my feed on LinkedIn and I see an advertisement posted for a coding education program.  Anyone who has been a medical coder in the last twenty years is familiar with the misleading advertising hook for medical coding.  Medical coding and billing used to be advertised as a magic bullet career that was obtainable for very little money and almost no effort. The enticing "work from home" sales tactic has inspired many a misguided soul to part with their money and start "training" only to later discover that medical coding is a highly competitive field with well-qualified professionals who work really hard. There is a huge barrier to entry-level positions and only the strong survive. Medical coding alone has at least twenty different specialty credentials that are shockingly difficult and expensive to earn.  Don't even get me started on continuing education credits that need to be maintained and paid for.  I don't know any medical coders who cake-walked into their career and the fact that back-of-the-magazine ads like this still exist is completely baffling.

But I digress, so there is the post advertising "WORK FROM HOME - BECOME A MEDICAL CODER."  I click on the comments because there are always comments for posts like these, and the comments are always good reading. 


Then I see it.

There is a comment from someone who not only has a couple of coding credentials, but also a doctorate degree in pharmacology.  His post reads, "Good thing is you will have a chance to work from home AND I think this is the beauty of this field."

And my first thought is, "Why is a doctor with this many coding credentials giving testimony about working from home?  That's weird, why isn't he in upper management or running a consulting firm?"

I go to his LinkedIn profile page.  This person lives and works in Pakistan.

I spend some time perusing the personal and professional information he willingly posts on LinkedIn.  I look at the name of his company, I look at his employment history.  He's been with his company for over five years.  I google his employer and the company for whom he claims to work is a foreign BPO (business process outsourcing) with a US-based sales team.

Anyone who is aware of the offshoring of American medical records knows that foreign and domestic companies who employ work-forces in foreign countries are enthusiastic and effusive about their corporate security practices.  There is a lot of talk about locked doors, disabled printers, cameras on all workstations and cell phones remaining off of the production floor.  These steps seem critical because these facilities are located in countries that have widely divergent privacy laws from what we know in the United States.  I'm very vocal about my position that mere corporate privacy practices are not good enough for our patient population. In the event that the corporate privacy practice fails, there is no legal framework in these foreign countries to prosecute foreign HIM professionals who knowingly or unknowingly transgress and compromise PHI (protected health information).

Pakistan, as it just so happens, has absolutely no data privacy laws on the books at the time of this post. 


And because I just cannot keep my mouth shut, like, EVER - I comment, "Are you an offshore medical coder working on US medical records from your home?"


A day later his reply comes in, "Yes."

What?

Wait.....what?

What about locked doors?  What about the "reassuring" US based sales force and all of their promises?


I respond again, "That's very interesting.  What laws exist in your country (Pakistan) that protect the privacy of the patient population you have access to?  In the US these laws are referred to as HIPAA - if you can give me the specific penal code and the name of the law I'd be most appreciative.  Have a great day!"

While waiting for his response, I called the sales number on his company's website because I decided I wanted an answer to this question now. Also, the time difference being what it is meant that the person I was engaging with on LinkedIn was asleep on the other side of the world.  Safe in his home.  With a computer that has access to the extremely sensitive data of US patient populations.

After a few rings someone from the sales team answers, identifies himself and then confirms the company name from the website (sorry, I can't share the company name for liability reasons).

"Hi, my name is Elizabeth Burke, I'm a patient privacy advocate.  Does your company off-shore US medical records for coding?"

Long pause.  Like, a really long pause.

I continue, "It's ok, I can tell that you do from the website.  I have another question, do you allow your foreign workforce, who is accessing US electronic medical records, to work from their homes?"


His immediate response, "Absolutely not!  Everyone here works in a locked facility and we are fully HIPAA compliant."

Interesting fact: foreign work-forces aren't HIPAA compliant; they can't be.  They are subject to the laws of their country, not the laws of ours.  Their "security measures" are constructs and business practices they've pieced together into a corporate security policy in order to provide reassurance to Covered Entities (hospitals, healthcare providers, government agencies) in the US.

"Right," I said, "I totally hear you.  But the thing is, you have an employee who just publicly disclosed on LinkedIn that he works from home in Pakistan, accessing US medical records.  Send me your email address, I took screen shots of our conversation and I'll send them to you."

The salesman's response, "He's lying."

Well, yeah....someone is definitely lying.  But it's really hard to say who.

I got the salesman's email address and sent off the relevant screenshots.  Didn't even get a thank you. That's ok.

But my question remains.  Where. Are. These. Medical. Records?

If you'd like to see the conversation thread on LinkedIn, you can't.  It's mysteriously disappeared.  I'm also blocked from this Pakistani HIM employee's profile, which is totally fair when you consider that my intentions were to gather more information. 

I wonder if he still has a job.

And again I ask, "Where are these medical records?"

Advocating for Patient Privacy in the Workplace Part II: Go Forth and Seek Like-Minded Professionals.

In part one of this post series I talked about the precarious and sensitive nature of patient privacy advocacy in the workplace and why advocates face hurdles when going against the grain within their organization and voicing concerns about the business practice of off-shoring medical records. We've established that there are layers of complexity and opposing values that must co-exist peacefully in order for the team to remain intact. 

But sometimes the team doesn't remain intact.  Sometimes the decision to off-shore a portion of an organization's HIM functions means that hard-working team members are laid off and departments are downsized.  Sometimes it means people left standing spend their work day under crippling tension and fear.


This is scary.  We're not living in Valhalla here in the United States and the loss of a job is absolutely devastating.  The emotional toll is considerable and I'm sure there is a type of PTSD that comes with not only being laid off, but watching peers get pink slips and then waiting around to see whose number comes up next.  The pain is real and you can read more about it here and here.

In situations like this, emotions run high, fear is instilled within the remaining members of the organization and everyone's fight or flight instinct kicks in.  It's hard to think straight and it's practically impossible to maintain perspective, especially when you know for a fact that, ultimately, the medical records of your patient population are safest in the hands of a workforce that is fully accountable to HIPAA.

So I hope you'll allow me to say (as someone who has been there) that this is a great opportunity to shift your gaze outside of your organization and leverage the information and expertise of leaders in the field who have been generous enough to share their findings and opinions on the internet.  For one thing, it's going to give you some much needed distance and take you out of the never-ending feedback loop of fear and doom, which in and of itself is damaging to your mental well-being.

There's just something about reading someone else's perspective that echoes your own value system that heals you.  You can gain some distance and say to yourself, "Oh thank God, I'm not crazy. At least not about this." 


Your thoughts become clearer.

You feel like you can breathe.

You feel validated.

You get just enough distance from your own emotions to engage your critical thinking skills and start problem solving. Which is what needs to happen if you're going to continue to advocate for the privacy of your patient population and protect your job.

So, take some time and step outside of your immediate surroundings (your "workplace bubble" if you will) and realize that there are a lot of well-respected people in the field who feel the same way that you do. For example, there's an awesome White Paper and webinar by KiwiTek COO Bill Wagner, which details exactly why off-shoring medical records may not actually be saving your organization money. Or you can connect with US workforce advocates like Coders Direct, which is run by managing partners Mark Sluyter and Rich Simon (who also happen to be friends of mine, these guys are the best!)  Mark and Rich have been long-time advocates of medical records being processed domestically and are currently undertaking legislative efforts on behalf of a US-based workforce.

It doesn't matter if another advocate's mission statement doesn't mirror your own.  Some people advocate for US employees, some people are passionate about patient privacy, others work towards preserving fiscal health of an organization.  These differences are microscopic and they don't matter because, at the end of the day, we all believe in the one fundamental ideal: Electronic Medical Records should not be leaving this country. Period.


Advocating for Patient Privacy in the Workplace; Part I – It’s Complicated!

I strongly suspect that a growing number of healthcare organizations are starting to re-shore their HIM functions and I’m very curious about what’s happening behind closed doors.   What would spark this decision when the offshoring of medical records is marketed so aggressively as the ultimate solution to HIM workflow problems?  Who made the decision to bring medical records back to the US for processing? What do these conversations look like?  Did it happen in tandem with a senior management change?  Did the relationship with the vendor go south?


I have so many questions about this because I know that the answers are valuable.  They are the pathway to success. 

Getting these answers is difficult, if not impossible, because important decisions are made within the gilded vaults of business offices in hospitals, healthcare organizations and private corporations, and these organizations are notoriously secretive; any information gained is merely anecdotal.  It’s all word of mouth, conjecture and rumor.

And almost no high level decision-maker is willing to admit that they took a big financial gamble, over-exposed their patient populations to what experts call “lawless jurisdictions” or found themselves in some other disadvantageous position when it came to the decision to offshore medical records.

How do we, as patient privacy advocates, replicate the re-shoring of medical records in our own organization if we don’t have a template for success?  We know that in many cases these electronic medical records are returning to a fully HIPAA accountable US workforce.  It's great news for our patient populations, but we need to know why and how these decisions are happening so we can reverse engineer it within our own organizations.

As I see it, the biggest hurdle for those who are trying to initiate change within their business office is The Sunk Cost Fallacy and how it dictates business decisions.  According to Cambridge Dictionary, The Sunk Cost Fallacy means that “a company or organization is more likely to continue with a project if they have already invested a lot of money, time or effort in it, even when continuing is not the best thing to do.”  In layman’s terms, it means to throw good money after bad.

We really hate being wrong; it's universal. Mistakes expose our humanity and make us vulnerable to the judgement of others.  Most of us would rather fall on the sword of our own bad decisions than face the fall-out that comes with admitting fault and changing course.  Managers and executive level leadership are routinely fired for implementing erroneous business practices.  Increased culpability is only one of the downsides of rising up through an organization's ranks and being granted decision-making power.  It stands to reason that the person signing the dotted line of the Business Associate Agreement has the most to lose if the decision they make is exposed to be risky and ill-advised.

There's no doubt an interesting story behind every decision to bring health information management functions back to a domestically-based workforce.

A little bit of compassion will go a long way when initiating conversations within our organization and if we’re the type of person willing to stick our necks out for the best interests of our patient population's privacy, we’re probably not short on compassion.

This also means, as advocates, we’re really swimming against the current when we decide on a cooperative, compassionate approach that makes room for the perspectives of others.  Because business and corporate culture isn't exactly synonymous with compassion and cooperation.

And while it’s tempting to point fingers at decision makers and declare them “wrong” that’s not what’s going to advance our agenda as patient privacy advocates.


What do we do?

We play the long game. 

We do our jobs to the best of our ability and we stay engaged.

We educate ourselves and we wait for pivotal points to start conversations with the decision-makers of our organization, we learn to identify shifts in direction and when it’s appropriate to speak up, we speak up in the spirit of cooperation.  We speak up in the best interest of our patient populations and we say, “there is some new data regarding the offshoring of medical records, can I email it to you?”  or “I’ve printed some articles from security experts regarding HIPAA limitations when records are offshored, do you have time for a meeting?”

We must also never, ever apologize for bringing this information to a superior’s attention.   It doesn’t matter where you are in any organization’s food chain, you have the inalienable right to express your opinion.  You are also tasked with the responsibility of doing so respectfully if you want to keep your good standing at your job.  It’s a delicate balance, it's really not easy.  But it’s so worth it.

Speaking truth to power is a risk and no one wants to lose their job or be branded as a trouble maker.  Advocacy in the workplace isn’t for everyone, but if you feel the call to speak up on behalf of your patient population and you don’t know where to start, please feel free to contact me. Better yet, suggest that your boss email me and I’ll advocate for your patient population personally, at no cost.  If you have about 27 minutes, watch my webinar or print out the FAQ page.  These resources are free, as is any additional guidance from me.  I hope to hear from you!