But I thought you locked the doors...

I really like LinkedIn.  Friends of mine who aren't in my industry don't see the appeal, they think it's a dead medium. I have a half decade of doing business successfully on this social media platform and I get to follow content that serves me very well in my professional life.  There are a lot of really talented people sharing their ideas and innovations on LinkedIn.  I'm a big fan of the whole scene.


It goes without saying that social media has changed everything about the way we relate to each other both professionally and personally and someone (I wish I could remember who) once said that having a website or participating in social media is like standing in the middle of a field in a football stadium.  You're standing in the middle of the field and shouting back and forth with ten people in the stands, you're having a nice interaction and feeling good about engagement.  What you don't realize is that the rest of the packed stadium is looking on, just watching.  Countless silent observers, watching everything going on between you and the ten people in the stands.  Don't think about it too long, you'll have an existential crisis.

So, I'm scrolling my feed on LinkedIn and I see an advertisement posted for a coding education program.  Anyone who has been a medical coder in the last twenty years is familiar with the misleading advertising hook for medical coding.  Medical coding and billing used to be advertised as a magic bullet career that was obtainable for very little money and almost no effort. The enticing "work from home" sales tactic has inspired many a misguided soul to part with their money and start "training" only to later discover that medical coding is a highly competitive field with well-qualified professionals who work really hard. There is a huge barrier to entry-level positions and only the strong survive. Medical coding alone has at least twenty different specialty credentials that are shockingly difficult and expensive to earn.  Don't even get me started on continuing education credits that need to be maintained and paid for.  I don't know any medical coders who cake-walked into their career and the fact that back-of-the-magazine ads like this still exist is completely baffling.

But I digress, so there is the post advertising "WORK FROM HOME - BECOME A MEDICAL CODER."  I click on the comments because there are always comments for posts like these, and the comments are always good reading. 


Then I see it.

There is a comment from someone who not only has a couple of coding credentials, but also a doctorate degree in pharmacology.  His post reads, "Good thing is you will have a chance to work from home AND I think this is the beauty of this field."

And my first thought is, "Why is a doctor with this many coding credentials giving testimony about working from home?  That's weird, why isn't he in upper management or running a consulting firm?"

I go to his LinkedIn profile page.  This person lives and works in Pakistan.

I spend some time perusing the personal and professional information he willingly posts on LinkedIn.  I look at the name of his company, I look at his employment history.  He's been with his company for over five years.  I google his employer and the company for whom he claims to work is a foreign BPO (business process outsourcing) with a US-based sales team.

Anyone who is aware of the offshoring of American medical records knows that foreign and domestic companies who employ work-forces in foreign countries are enthusiastic and effusive about their corporate security practices.  There is a lot of talk about locked doors, disabled printers, cameras on all workstations and cell phones remaining off of the production floor.  These steps seem critical because these facilities are located in countries that have widely divergent privacy laws from what we know in the United States.  I'm very vocal about my position that mere corporate privacy practices are not good enough for our patient population. In the event that the corporate privacy practice fails, there is no legal framework in these foreign countries to prosecute foreign HIM professionals who knowingly or unknowingly transgress and compromise PHI (protected health information).

Pakistan, as it just so happens, has absolutely no data privacy laws on the books at the time of this post. 


And because I just cannot keep my mouth shut, like, EVER - I comment, "Are you an offshore medical coder working on US medical records from your home?"


A day later his reply comes in, "Yes."



What about locked doors?  What about the "reassuring" US based sales force and all of their promises?


I respond again, " That's very interesting.  What laws exist in your country (Pakistan) that protects the privacy of the patient population you have access to?  In the US these laws are referred to as HIPAA - if you can give me the specific penal code and the name of the law I'd be most appreciative.  Have a great day!" 

While waiting for his response, I called the sales number on his company's website because I decided I wanted an answer to this question now. Also, the time difference being what it is meant that the person I was engaging with on LinkedIn was asleep on the other side of the world.  Safe in his home.  With a computer that has access to the extremely sensitive data of US patient populations.

After a few rings someone from the sales team answers, identifies himself and then confirms the company name from the website (sorry, I can't share the company name for liability reasons).

"Hi, my name is Elizabeth Burke, I'm patient privacy advocate.  Does your company off-shore US medical records for coding?"

Long pause.  Like, a really long pause.

I continue, "It's ok, I can tell that you do from the website.  I have another question, do you allow your foreign workforce, who is accessing US electronic medical records, to work from their homes?"


His immediate response, "Absolutely not!  Everyone here works in a locked facility and we are fully HIPAA compliant."

Interesting fact, foreign work-forces aren't HIPAA compliant, they can't be.  They are subject to the laws of their country, not the laws of ours.  Their "security measures" are constructs and business practices they've pieced together into a corporate security policy in order to provide reassurance to Covered Entities (hospitals, healthcare providers, government agencies) in the US.

"Right," I said, "I totally hear you.  But the thing is, you have an employee who just publicly disclosed on Linkedin that he works from home in Pakistan, accessing US medical records.  Send me your email address, I took screen shots of our conversation and I'll send them to you."

The salesman's response, "He's lying."

Well, yeah....someone is definitely lying.  But it's really hard to say who.

I got the salesman's email address and sent off the relative screenshots.  Didn't even get a thank you. That's ok.

But my question remains.  Where. Are. These. Medical. Records?

If you'd like to see the conversation thread on LinkedIn, you can't.  It's mysteriously disappeared.  I'm also blocked from this Pakistani HIM employee's profile, which is totally fair when you consider that my intentions were to gather more information. 

I wonder if he still has a job.

And again I ask, "Where are these medical records?"

Advocating for Patient Privacy in the Workplace Part II : Go Forth and Seek Like-Minded Professionals.


In part one of this post series I talked about the precarious and sensitive nature of patient privacy advocacy in the workplace and why advocates face hurdles when going against the grain within their organization and voicing concerns about the business practice of off-shoring medical records. We've established that there are layers of complexity and opposing values that must co-exist peacefully in order for the team to remain intact. 

But sometimes the team doesn't remain intact.  Sometimes the decision to off-shore a portion of an organization's HIM functions means that hard-working team members are laid off and departments are downsized.  Sometimes it means people left standing spend their work day under crippling tension and fear.


This is scary.  We're not living in Valhalla here in the United States and the loss of a job is absolutely devastating.  The emotional toll is considerable and I'm sure there is a type of PTSD that comes with not only being laid off, but watching peers get pink slips and then waiting around to see who's number comes up next.  The pain is real and you can read more about it here and here.

In situations like this, emotions run high, fear is instilled within the remaining members of the organization and everyone's fight or flight instinct kick in.  It's hard to think straight and it's practically impossible to maintain perspective. Especially when you know for a fact that, ultimately, the medical records of your patient population are safest in the hands of a workforce that is fully accountable to HIPAA.

So I hope you'll allow me to say (as someone who has been there) that this is a great opportunity to shift your gaze outside of your organization and leverage the information and expertise of leaders in the field who have been generous enough to share their findings and opinions on the internet.  For one thing, it's going to give you some much needed distance and take you out of the never-ending feedback loop of fear and doom, which in and of itself is damaging to your mental well-being.

There's just something about reading someone else's perspective that echoes your own value system that heals you.  You can gain some distance and say to yourself, "Oh thank God, I'm not crazy. At least not about this." 


Your thoughts become clearer.

You feel like you can breath.

You feel validated.

You get just enough distance from your own emotions to engage your critical thinking skills and start problem solving. Which is what needs to happen if you're going to continue to advocate for the privacy of your patient population and protect your job.

So, take some time and step outside of your immediate surroundings (your "workplace bubble" if you will) and realize that there are a lot of well-respected people in the field who feel the same way that you do. For example, there's an awesome White Paper and webinar by KiwiTek COO, Bill Wagner which details exactly why off-shoring medical records may not actually be saving your organization money. Or you can connect with US workforce advocates like Coders Direct, which is run by managing partners Mark Sluyter and Rich Simon (who also happen to be friends of mine, these guys are the best!)  Mark and Rich have been long-time advocates of medical records being processed domestically and are currently undertaking legislative efforts on behalf of a US-based workforce.

It doesn't matter if another advocate's mission statement doesn't mirror your own.  Some people advocate for US employees, some people are passionate about patient privacy, others work towards preserving fiscal health of an organization.  These differences are microscopic and they don't matter because, at the end of the day, we all believe in the one fundamental ideal: Electronic Medical Records should not be leaving this country. Period.



Advocating for Patient Privacy in the Workplace; Part I – It’s Complicated!

I strongly suspect that a growing number of healthcare organizations are starting to re-shore their HIM functions and I’m very curious about what’s happening behind closed doors.   What would spark this decision when the offshoring of medical records is marketed so aggressively as the ultimate solution to HIM workflow problems.  Who made the decision to bring medical records back to the US for processing? What do these conversations look like?  Did it happen in tandem with a senior management change?  Did the relationship with the vendor go south?


I have so many questions about this because I know that the answers are valuable.  They are the pathway to success. 

Getting these answers is difficult, if not impossible, because important decisions are made within the gilded vaults of business offices in hospitals, healthcare organizations and private corporations and these organizations are notoriously secretive, any information gained is merely anecdotal.  It’s all word of mouth, conjecture and rumor.

And almost no high level decision-maker is willing to admit that they took a big financial gamble, over-exposed their patient populations to what experts call “lawless jurisdictions” or found themselves in some other disadvantageous position when it came to the decision to offshore medical records.

How do we, as patient privacy advocates, replicate the re-shoring of medical records in our own organization if we don’t have a template for success?  We know that in many cases these electronic medical records are returning to a fully HIPAA accountable US workforce.  It's great news for our patient populations, but we need to know why and how these decisions are happening so we can reverse engineer it within our own organizations.

 As I see it, the biggest hurdle for those who are trying to initiate change within their business office is The Sunk Cost Fallacy and how it dictates business decisions.  According to Cambridge Dictionary, The Sunk Cost Fallacy means that a company or organization is more likely to continue with a project if they have already invested a lot of money, time or effort in it, even when continuing is not the best thing to do.”  In layman’s terms, it means to throw good money after bad.

We really hate being wrong, it's universal. Mistakes expose our humanity and make us vulnerable to the judgement of others.  Most of us would rather fall on the sword of our own bad decisions than face the fall-out that comes with admitting fault and changing course.  Managers and executive level leadership are routinely fired for implementing erroneous business practices.  Increased culpability is only one of the downsides of rising up through an organizations ranks and being granted decision-making power.  It stands to reason that the person signing the dotted line of the Business Associate Agreement has the most to lose if the decision they make is exposed to be risky and ill-advised. 

There's no doubt an interesting story behind every decision to bring health information management functions back to a domestically-based workforce.

A little bit of compassion will go a long way when initiating conversations within our organization and if we’re the type of person willing to stick our necks out for the best interests of our patient population's privacy, we’re probably not short on compassion.

This also means, as advocates, we’re really swimming against the current when we decide on a cooperative, compassionate approach that makes room for the perspectives of others.  Because business and corporate culture isn't exactly synonymous with compassion and cooperation.

And while it’s tempting to point fingers at decision makers and declare them “wrong” that’s not what’s going to advance our agenda as patient privacy advocates.

boy-child-clouds-346796 (2).jpg

What do we do?

We play the long game. 

We do our jobs to the best of our ability and we stay engaged.

We educate ourselves and we wait for pivotal points to start conversations with the decision-makers of our organization, we learn to identify shifts in direction and when it’s appropriate to speak up, we speak up in the spirit of cooperation.  We speak up in the best interest of our patient populations and we say, “there is some new data regarding the offshoring of medical records, can I email it to you?”  or “I’ve printed some articles from security experts regarding HIPAA limitations when records are offshored, do you have time for a meeting?”

We must also never, ever apologize for bringing this information to a superior’s attention.   It doesn’t matter where you are in any organization’s food chain, you have the inalienable right to express your opinion.  You are also tasked with the responsibility of doing so respectfully if you want to keep your good standing at your job.  It’s a delicate balance, it's really not easy.  But it’s so worth it.

Speaking truth to power is a risk and no one wants to lose their job or be branded as a trouble maker.  Advocacy in the workplace isn’t for everyone, but if you feel the call to speak up on behalf of your patient population and you don’t know where to start, please feel free to contact me. Better yet, suggest that your boss email me and I’ll advocate for your patient population personally, at no cost.  If you have about 27 minutes, watch my webinar or print out the FAQ page.  These resources are free, as is any additional guidance from me.  I hope to hear from you!