But I thought you locked the doors...

I really like LinkedIn. Friends of mine who aren't in my industry don't see the appeal; they think it's a dead medium. I have a half decade of doing business successfully on this social media platform and I get to follow content that serves me very well in my professional life. There are a lot of really talented people sharing their ideas and innovations on LinkedIn. I'm a big fan of the whole scene.


It goes without saying that social media has changed everything about the way we relate to each other, both professionally and personally. Someone (I wish I could remember who) once said that having a website or participating in social media is like standing in the middle of the field in a football stadium. You're standing in the middle of the field and shouting back and forth with ten people in the stands; you're having a nice interaction and feeling good about engagement. What you don't realize is that the rest of the packed stadium is looking on, just watching. Countless silent observers, watching everything going on between you and the ten people in the stands. Don't think about it too long; you'll have an existential crisis.

So, I'm scrolling my feed on LinkedIn and I see an advertisement posted for a coding education program.  Anyone who has been a medical coder in the last twenty years is familiar with the misleading advertising hook for medical coding.  Medical coding and billing used to be advertised as a magic bullet career that was obtainable for very little money and almost no effort. The enticing "work from home" sales tactic has inspired many a misguided soul to part with their money and start "training" only to later discover that medical coding is a highly competitive field with well-qualified professionals who work really hard. There is a huge barrier to entry-level positions and only the strong survive. Medical coding alone has at least twenty different specialty credentials that are shockingly difficult and expensive to earn.  Don't even get me started on continuing education credits that need to be maintained and paid for.  I don't know any medical coders who cake-walked into their career and the fact that back-of-the-magazine ads like this still exist is completely baffling.

But I digress. So there is the post advertising "WORK FROM HOME - BECOME A MEDICAL CODER." I click on the comments because there are always comments for posts like these, and the comments are always good reading.


Then I see it.

There is a comment from someone who not only has a couple of coding credentials, but also a doctorate degree in pharmacology.  His post reads, "Good thing is you will have a chance to work from home AND I think this is the beauty of this field."

And my first thought is, "Why is a doctor with this many coding credentials giving testimony about working from home?  That's weird, why isn't he in upper management or running a consulting firm?"

I go to his LinkedIn profile page.  This person lives and works in Pakistan.

I spend some time perusing the personal and professional information he willingly posts on LinkedIn.  I look at the name of his company, I look at his employment history.  He's been with his company for over five years.  I google his employer and the company for whom he claims to work is a foreign BPO (business process outsourcing) with a US-based sales team.

Anyone who is aware of the offshoring of American medical records knows that foreign and domestic companies that employ workforces in foreign countries are enthusiastic and effusive about their corporate security practices. There is a lot of talk about locked doors, disabled printers, cameras on all workstations and cell phones remaining off the production floor. These steps seem critical because these facilities are located in countries that have widely divergent privacy laws from what we know in the United States. I'm very vocal about my position that mere corporate privacy practices are not good enough for our patient population. In the event that the corporate privacy practice fails, there is no legal framework in these foreign countries to prosecute foreign HIM professionals who knowingly or unknowingly transgress and compromise PHI (protected health information).

Pakistan, as it just so happens, has absolutely no data privacy laws on the books at the time of this post. 


And because I just cannot keep my mouth shut, like, EVER - I comment, "Are you an offshore medical coder working on US medical records from your home?"


A day later his reply comes in, "Yes."



What about locked doors?  What about the "reassuring" US based sales force and all of their promises?


I respond again, "That's very interesting. What laws exist in your country (Pakistan) that protect the privacy of the patient population you have access to? In the US these laws are referred to as HIPAA - if you can give me the specific penal code and the name of the law I'd be most appreciative. Have a great day!"

While waiting for his response, I called the sales number on his company's website because I decided I wanted an answer to this question now. Also, the time difference being what it is meant that the person I was engaging with on LinkedIn was asleep on the other side of the world.  Safe in his home.  With a computer that has access to the extremely sensitive data of US patient populations.

After a few rings someone from the sales team answers, identifies himself and then confirms the company name from the website (sorry, I can't share the company name for liability reasons).

"Hi, my name is Elizabeth Burke, I'm a patient privacy advocate. Does your company off-shore US medical records for coding?"

Long pause.  Like, a really long pause.

I continue, "It's ok, I can tell that you do from the website.  I have another question, do you allow your foreign workforce, who is accessing US electronic medical records, to work from their homes?"


His immediate response, "Absolutely not!  Everyone here works in a locked facility and we are fully HIPAA compliant."

Interesting fact: foreign workforces aren't HIPAA compliant; they can't be. They are subject to the laws of their country, not the laws of ours. Their "security measures" are constructs and business practices they've pieced together into a corporate security policy in order to provide reassurance to Covered Entities (hospitals, healthcare providers, government agencies) in the US.

"Right," I said, "I totally hear you. But the thing is, you have an employee who just publicly disclosed on LinkedIn that he works from home in Pakistan, accessing US medical records. Send me your email address, I took screenshots of our conversation and I'll send them to you."

The salesman's response, "He's lying."

Well, yeah... someone is definitely lying. But it's really hard to say who.

I got the salesman's email address and sent off the relevant screenshots. Didn't even get a thank you. That's ok.

But my question remains.  Where. Are. These. Medical. Records?

If you'd like to see the conversation thread on LinkedIn, you can't.  It's mysteriously disappeared.  I'm also blocked from this Pakistani HIM employee's profile, which is totally fair when you consider that my intentions were to gather more information. 

I wonder if he still has a job.

And again I ask, "Where are these medical records?"