The webinar "I Have Questions, You Need Answers" runs for about 28 minutes. Webinars aren't for everyone, and we respect that you're busy, so we have included the information from the webinar slides here on this page in an easily digestible format. It's not quite as comprehensive as attending the webinar, but we think you'll find it helpful. Please see the media and articles page on this website for sources and bibliography.
What does the term offshore mean?
Made, situated or conducting business abroad, especially in order to take advantage of lower costs or less stringent regulation.
What does PHI mean?
✤According to the US Department of Health and Human Services, protected health information (PHI) is individually identifiable health information that is
1. Transmitted by electronic media;
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium (this includes paper records and oral communication).
What is an electronic medical record?
According to Wikipedia, an electronic health record, or electronic medical record, is the systematized collection of patient and population health information stored electronically in a digital format. These records can be shared across different health care settings.
What's in my electronic medical record?
Just some of the things included in your medical record are:
Social Security number
Insurance coverage number and information/Medicare number
Home phone number
Place of work or school
Household member information
Potentially sensitive photographs
Physical and mental health history
How prevalent is the offshoring of PHI?
This is difficult to answer because there is not a lot of transparency about this business practice. Based on their own self-disclosures, companies that offshore medical records as part of their business practice employ roughly 20,000 foreign HIM (health information management) workers.
To which countries does the United States offshore medical records?
India, Pakistan and the Philippines, among others.
What job functions are being sent offshore?
Release of Information
What legal structure exists to hold US-based HIM professionals who violate HIPAA responsible?
Citizens of the United States who access PHI as part of their job function can be prosecuted criminally and held personally liable if they violate HIPAA.
Criminal penalties include, but are not limited to:
✤Tier 1 - knowingly obtaining or disclosing PHI in violation of HIPAA - up to 1 year in jail
✤Tier 2 - obtaining PHI under false pretenses - up to 5 years in jail
✤Tier 3 - obtaining PHI for personal gain or with malicious intent - up to 10 years in jail.
Additionally, there are aggressive civil fines imposed on US-based HIM professionals and organizations that violate HIPAA:
✤Category 1 - did not know of the violation - minimum fine of $100 per violation, up to $50,000
✤Category 2 - reasonable cause, not willful neglect - minimum fine of $1,000 per violation, up to $50,000
✤Category 3 - willful neglect that is corrected - minimum fine of $10,000 per violation, up to $50,000
What about the individual who has full access to my medical records yet lives in another country?
Information for India
India passed the Information Technology Act in 2000, and it is true that this legislation is more comprehensive than general security laws in the US.
However, this is not true for healthcare!
Healthcare is a separate sector and industry in the US with its own set of extremely stringent laws: HIPAA, the HIPAA Security Rule and the HITECH Act.
India has no laws in place to protect its own patients' data and has no industry-specific laws on the books comparable to HIPAA.
The original Act contained 94 sections divided into 13 chapters and four schedules.
However, in 2011 a loophole emerged as a result of a clarification issued by India's Ministry of Communications and Information Technology.
This clarification concerns Section 43A of the IT Act of 2000.
The clarification states that a "body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India" is exempt from the requirement to obtain consent.
This means that the stringent protection that could have been offered by this law has been neutralized by the 2011 clarification for exactly the kind of outsourced processing discussed here.
It is worth noting that India is on the verge of adopting its own version of HIPAA; at the time of this webinar it was being deliberated in the Parliament of India. However, the proposed law does not address US medical records being processed in India, so no protection of US patient data can be inferred from it.
The Philippines does have a robust data privacy law, the Data Privacy Act of 2012, which protects the sensitive information of its nationals; however, this law does not appear to specifically address sensitive personal data or information of data subjects located outside the Philippines.
Just like India, the privacy laws in the Philippines appear to leave Americans unprotected.
As of the date of this webinar, there is no legislation that regulates the protection of data in Pakistan.
Why is it important that medical records and access credentials remain with a workforce located in the United States?
The United States is the birthplace of modern privacy and security laws, and security breach notification laws are a US invention (California's 2002 breach notification law was the first of its kind).
A US-based workforce is held responsible both criminally and civilly for abuse, negligence and misuse of patient data; no foreign workforce is as accountable to the patient population as a US-based workforce.
To which regulatory bodies in the United States is a US-based workforce accountable?
State Attorneys General and the Office of the US Attorney General
The Federal Trade Commission
US Department of Justice
State laws (for example, California has over 25 privacy laws)
The United States Department of Health and Human Services
What's the take-away from this public awareness campaign?
Americans are becoming increasingly aware of their vulnerabilities when it comes to privacy and security. The time has come for transparency about the offshoring of unredacted medical records. Empowering the public with the information they need for self-advocacy and awareness is the first step.
What are potential steps forward from here?
It's hard to say what the solution for this is. Ideally, your medical records stay in the United States, where PHI is heavily regulated and the workforce is held to a high standard of accountability. At the very least, the following potential solutions are a step in the right direction:
✤Mandatory disclosure laws at both the state and federal levels.
✤Patients should be able to "opt out" of this business practice, and their medical records should be stored on a separate medical record platform that is processed domestically.
✤It should be illegal for the unredacted medical records of anyone under the age of 18 to be sent offshore for processing.