Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

Your Privacy and Offshore Outsourcing 236

An anonymous reader sends in a link to this story about medical transcription work and patient privacy. You probably recall the original story (from around October 2003), but the Chronicle here does a great job of tracing the entire chain of sub-sub-sub-sub-sub-contracting.
This discussion has been archived. No new comments can be posted.

Your Privacy and Offshore Outsourcing

Comments Filter:
  • if some indian knows i have genital herpes..... i mean, the whole of slashdot knows!
  • by EmbeddedJanitor ( 597831 ) on Sunday March 28, 2004 @07:29PM (#8698994)
    I'd rather have some person in India or where ever know I've got some embarrassing disease than the gossippy old cow that lives over the road.
    • by robbyjo ( 315601 ) on Sunday March 28, 2004 @07:35PM (#8699027) Homepage

      Well, if this person decided to publish the record on the web and do Google bombing to crank up the search on certain keywords, it would come worse than your gossipy old cow....

      • Well, if this person decided to publish the record on the web and do Google bombing to crank up the search on certain keywords, it would come worse than your gossipy old cow....

        This is some guy overseas. No one knows who he is. Not even the hospital hiring him to do the work. That's not exactly what I would call credible.

        He could post his data right now, but who is going to believe him? Not me.

  • by mandalayx ( 674042 ) * on Sunday March 28, 2004 @07:31PM (#8698999) Journal
    Before we get to all the anti-India comments, here is the crux of the problem:
    "The problem is not that they're in India," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington. "The problem is that American laws are not going to be enforced in India."


    Does anyone have a free-market solution to this? I would hate to see Democrats legislate this to hell. IMHO overlegislation will solve 1 problem but cause another...

    But while the above point is interesting, it's somewhat irrelevant to this case: the breach of contract occured in the US:

    A Transcription Stat worker, Dennis Centore, quickly traced the files to a batch of notes that had been subcontracted to a woman in Florida named Sonya Newburn, who typically handled as many as 30 files on individual UCSF patients every day.

    "She was quiet until I mentioned Tom Spires," Centore recalled. "Then she said, 'Oh my God,' and said that she had contracted for Tom to do the work."

    Neither Transcription Stat nor UCSF knew that Newburn was subcontracting. The outsourcing chain was supposed to end with her, as per Newburn's contract with the Sausalito firm.


    Basically, while the article brings up the interesting concept of what offshoring information can do, this particular case of offshoring is really not the greatest example, since the breach of contract occured in the US. And yet we have sensationalist newspapers like the Chronicle and opportunistic politicians who call themselves privacy advocates; the current state of affairs is fucked. The comment leads me to believe that he didn't even RTFA:

    "We've reached the point where American companies ship personal information outside the country and tell customers to check their privacy at the shore," said Rep. Edward Markey, D-Mass., one of the leading privacy advocates on Capitol Hill.
    • Before we get to all the anti-India comments

      Can we bash Pakistan instead?
      • Can we bash Pakistan instead?

        Go a little bit farther north and we can say that the terrorists did it in their Afghan training camps.

        No doubt Katz (were he still with us) would tell us about Abdul Komodor who uploads full length movies of patients' records to the internet from his Commodore 64. :)
    • by Anonymous Coward on Sunday March 28, 2004 @07:44PM (#8699095)
      That's true of course, but the information was still held hostage by someone who didn't own it, in fact had no right to have it, in another country.

      Which is the real point of outsourcing I think. The advantage of cheaper labor is something of a smokescreen. I think it's popularity stems from the diffusion of responsability, and the complications of getting information, and enforcing practices in other countries.

      She can go in an say, but I didn't know. I was swamped with work, people deserve to have this thing done, Tom was highly recommended and trustworthy, I can't be blamed for holding information hostage! I'm a good person I never have and never would do that. This other sort of innocuous thing is my fault, and I am SOOOO SORRY.

      If we put in a type of liability where the ends don't justify the means, but the means are responsible for the whole end, at every point of failure that by passed the normal protections like bankruptcy and incorporation, it would probably stop, with all business in the US.
      • She can go in an say, but I didn't know. I was swamped with work, people deserve to have this thing done, Tom was highly recommended and trustworthy, I can't be blamed for holding information hostage! I'm a good person I never have and never would do that. This other sort of innocuous thing is my fault, and I am SOOOO SORRY.

        If we put in a type of liability where the ends don't justify the means, but the means are responsible for the whole end, at every point of failure that by passed the normal protection

    • by pavon ( 30274 ) on Sunday March 28, 2004 @07:49PM (#8699129)
      Does anyone have a free-market solution to this?
      Yes, simply make the US companies (and government departments) truely responsible (ie their ass is on the line) for protecting this information. If the cost of failure is higher than other savings, then they themselves will implement strict requirements, and will only want to contract out to groups who have proven themselves to be trustworthy.
      • Yes, simply make the US companies (and government departments) truely responsible (ie their ass is on the line) for protecting this information. If the cost of failure is higher than other savings, then they themselves will implement strict requirements, and will only want to contract out to groups who have proven themselves to be trustworthy.

        I do believe that HIPAA [hhs.gov] is already in place to provide for this "cost of failure." And I do think that UCSF and its immediate contractor handled the situation profe

        • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Sunday March 28, 2004 @07:54PM (#8699160) Journal
          From http://www.hipaadvisory.com/action/LegalQA/law/Leg al44.htm

          QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

          ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.

          The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.

          By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.

          Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.

          Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compe
      • I'm sorry, your present legislative representatives are busy making it harder to sue and capping awards under the guise of so-called tort reform; they're not interested in making it easier for you to sue an insurance company for fucking you over.

        Nor will they be, until you can ante up a few million in bribes. Sorry, donations.
    • by EmbeddedJanitor ( 597831 ) on Sunday March 28, 2004 @07:53PM (#8699151)
      According to free market theory, if there is a perceived value for a service, then it will come into existence and people will pay for it.

      If people perceive the offshoring to give some privacy risk then they will perhaps be prepared to pay an extra $5 or $10 or whatever each month to a service that guarantees your case will be handled by an American. Alternatively, a company that advertises that they guarantee American processing will get a competitive advantage over their offshoring competition.

      It seems hypocracy to me that those that bitch about losing their jobs to India don't seem to mind wearing Nikes made in Philipines and having Korean RAM in their PCs.

      Free market means paying for things you value, not just bitching about things.

      • by mandalayx ( 674042 ) * on Sunday March 28, 2004 @07:57PM (#8699178) Journal
        According to free market theory, if there is a perceived value for a service, then it will come into existence and people will pay for it.

        If people perceive the offshoring to give some privacy risk then they will perhaps be prepared to pay an extra $5 or $10 or whatever each month to a service that guarantees your case will be handled by an American. Alternatively, a company that advertises that they guarantee American processing will get a competitive advantage over their offshoring competition.

        Interesting. I see a business opportunity.

        Perhaps the next time you go to UCSF Medical Center, you can fill out a check box saying:

        [ ] I want all my medical transcription done in the US, certified by blahblah for $5 extra. Disclaimer: Transcription in the US has not been shown to be better or worse than offshored transcription.


        I think that would be kind of cool. simple and elegant.
      • Hate to say it, I bitch about losing jobs to other countries, don't wear Nikes,and use RAM made in Boise, Idaho. It's about putting your money where your mouth is, as much as is possible.

        Oh well, I am sure there some people out there that match the stereotype you gave, but I wanted to make sure people knew there were also some who don't.
      • if there is a perceived value for a service, then it will come into existence and people will pay for it

        I think the theory says that if there is a perceived profit to be made in providing a service then it will come into existence. A small but telling difference.

        Services exist because someone offers them in the hope of making a profit. Advertising exists to ensure people understand they have a need for the service.

        If people perceive the offshoring to give some privacy risk then they will perhaps be

    • I would hate to see Democrats legislate this to hell. IMHO overlegislation will solve 1 problem but cause another...

      Couldn't agree more. The whole "outsourcing to India" debate is a straw man. Protectionist legislation has a history, and it's not pretty [slashdot.org].

      The real issue is that the US economy has been in decline for a number of years, particularly in the overheated IT sector. This seems to be changing now but that does not seem to stop otherwise intelligent /.ters making incredibly xenophibic and poorly re
    • I would hate to see anybody overlegislate this. Remember, the Republican's in power aren't exactly free-marketer's themselves. They'll do stupid stuff, anti-conservative, stuff like support a steel tarrif just to pander to voters.

      Now, there is a very good free-market solution to this: Do nothing. If people care about their privacy, they will make sure to deal only with companies that put measures in place to protect it. If people do not care about their privacy (and it appears to be the case that they do n
      • Now, there is a very good free-market solution to this: Do nothing. If people care about their privacy, they will make sure to deal only with companies that put measures in place to protect it. If people do not care about their privacy (and it appears to be the case that they do not) then they won't. However, just because other people would rather save $5 than keep their privacy does not mean that you have to.
        Unfortunately, people can not be trusted to always look out for their privacy, just like an AOL use
        • The question is: do you believe it is legitimate to protect people from themselves? I don't believe that it is. Could you imagine if the government passed legislation forcing people to install anti-virus software?

          There are situations where the government should intervene to protect the population. The vast majority of these cases are:

          - Where one person's failure affects everyone. For example, automotive regulations exist because if you crash your car, you could hurt other people. Laws against smoking in c
    • But while the above point is interesting, it's somewhat irrelevant to this case: the breach of contract occured in the US:

      Exactly. In fact India does have a well developed legal system. I am sure that, like all legal systems, it has its flaws, corruption, etc. but it does exist and can be used.

      So perhaps if the outsourcing had been done properly, with the appropriate contracts and to someone in India (where, as a long-standing democracy I would put more faith in the judicial system than in Pakistan), th

  • No news (Score:5, Interesting)

    by Davak ( 526912 ) on Sunday March 28, 2004 @07:31PM (#8699002) Homepage
    Most transciption services are now computer-transcription now anyway.

    You speak. Human transcribes. Computer learns. Human error checks... eventually the computer is good enough that the human is not needed at all.

    We are using this system now. It, of course, sucks compared to a real transciptionist... but it is 10 times cheaper.

    Davak
    • Most transciption services are now computer-transcription now anyway.

      You speak. Human transcribes. Computer learns. Human error checks... eventually the computer is good enough that the human is not needed at all.

      We are using this system now. It, of course, sucks compared to a real transciptionist... but it is 10 times cheaper.

      Are you sure it's cheaper than a real, trained transcriptionist--in California or India?

      Consider the cost of labor to get the doctor to look over all of his transcriptions. Si

      • Ever heard about human error?

        A special purpose dictation system can do as well as a human who has no direct interest in the result, overlooked by someone who has a direct interest in correct results is going to do a lot better. The inmediate availability and very little administration efford often outweight the little extra time spent on reading and correcting on the fly.
    • Re:No news (Score:3, Informative)

      by DraconPern ( 521756 )
      We just tried a computer transcription product from the largest medical transcription equipment company for a month, and let me tell you, it doesn't work. It was too hard to use, produced too many errors (95% accurate), and in the end still needed a transcriptionist to correct the errors. So why bother?

      We ended up getting the portable digital transcription system (4 recorders, foot pedal, and software) from the same company. It was cheaper to pay the transcriptionist than the software, and we now have a
  • HIPPA = Health Insurance Privacy and Portability Act, is a VERY big deal for pateint privacy. I wonder if this was a violation ?
    HIPPA [hhs.gov] carries some hefty fines is this was in fact a violation.
    • Re:HIPPA Violation ? (Score:2, Informative)

      by Anonymous Coward
      Its *HIPAA* not, and I repeat, *NOT* HIPPA.
    • Re:HIPPA Violation ? (Score:3, Interesting)

      by Davak ( 526912 )
      HIPPA stresses patient privacy--and goes way overboard. But that's a different discussion.

      The question is not if this is a HIPPA violation... which it clearly is. But is it a violation of US law at all?

      If the presidental candidates want to win over the working class, make companies that send jobs overseas follow the same rules we do. Pay taxes, not pollute, no child labor, and even HIPPA -- why should they get to drop the US rules just because they cross the border?

      If I get a ticket in Texas, points s
    • Re:HIPPA Violation ? (Score:5, Informative)

      by stox ( 131684 ) on Sunday March 28, 2004 @07:42PM (#8699077) Homepage
      Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.
      • Sadly, this is a perfect example of a gaping loophole in the law. It doesn't apply to contractors outside the hospital, it only applies to the hospital.

        IANAL, but surely the hospital is responsible for the privacy of patients regardless of which party leaked the information?

        this lawyer [slashdot.org] seems to have it down in plain English:

        Under the Privacy Rule, covered entities [ed: hospitals, HMOs, etc] are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or

        • It depends.. From my understanding of HIPAA, if the hospital makes you sign a waiver before receiving treatment, that waiver saying "Well, we may outsource some records to our subcontractors" or even "We may outsource some records to SubContractor Spanky McSpanksalot", then the hospital is A-OK. You, as a patient, have been duly informed of the privacy you will receive at the institution. You may then choose whether or not you wish to do business there.
      • Yes it is.. (Score:3, Informative)

        by zedpol ( 765479 )
        My brother owns a dental office, part of being HIPPA compliant is getting anyplace you subcontract with to agree to the HIPPA privacy laws. I set up an offsite backup system for them but before they could upload any of their patient data they had to get the company to agree to their privacy statment.
  • Weaker standards? (Score:4, Insightful)

    by LostCluster ( 625375 ) * on Sunday March 28, 2004 @07:32PM (#8699007)
    American law sets out very tight restrictions on what our doctors can do with our private records, and there are stiff penalties for any individual who violates trust with this data. Could sending these tasks overseas cause there to be less-strict laws regulating the handling of private medical info?
  • since I stole someone's identity a while back.

    And no I was never a football tight end.
  • Blackmail (Score:5, Funny)

    by Rosco P. Coltrane ( 209368 ) on Sunday March 28, 2004 @07:35PM (#8699030)
    She said she e-mailed him at what she assumed was his important U.S. company, Tutranscribe, although the firm didn't have its own Web site, only an AOL account.

    "You've got (black)mail!"
  • *sigh* (Score:5, Insightful)

    by TheCabal ( 215908 ) on Sunday March 28, 2004 @07:50PM (#8699135) Journal
    I work in a similar industry, handling patient claims information. This story has been circulating around for a while. What really grabbed my attention from this article was the statement of Transcribe Stat's owner.

    "After 23 years in business, it took just one little e-mail to ruin me."

    And there it is. These are the things that keep me up at night, watching firewalls logs and everything else that keeps me from getting a good night's sleep.
    • Re:*sigh* (Score:3, Insightful)

      by mandalayx ( 674042 ) *

      I work in a similar industry, handling patient claims information. This story has been circulating around for a while. What really grabbed my attention from this article was the statement of Transcribe Stat's owner.

      "After 23 years in business, it took just one little e-mail to ruin me."

      And there it is. These are the things that keep me up at night, watching firewalls logs and everything else that keeps me from getting a good night's sleep.

      Interesting. Looks like we just found the free market solution

      • Why? (Score:5, Insightful)

        by SmallFurryCreature ( 593017 ) on Sunday March 28, 2004 @09:57PM (#8699856) Journal
        She was payed to transcribe. Instead she outsourced. She got paid to keep records confidential, she didn't instead going with the lowest bidder to maximize her profits. No doubt offering the lowest bid herself making other respectable companies loose out on the contract.

        No this whole story is one of greed and it starts right at the patients. After all they want low low insurance and medical bills. So the hospital saves by outsourcing instead of doing it in house. The outsourced company outsources again instead of doing it in house and so on.

        Feeling sympathy here is misplaced. Each and everyone involved, including the patients, is a victim of their greed.

        Maybe I am just a cynical bastard.

    • A medical transcription company outsourced its core business of transcription and lost control over the details. Now they pay the price.
    • It did not take one little e-mail to ruin her. It took one little email for her to get caught. She was doing something illegal, knew it and had gotten away with it for a while. That email did not ruin her, she did it to herself.
      • Transcribe Stat was doing something illegal? Were you reading the same article that everyone else was reading?
      • Not exactly. That company sub-contracted to the woman in florida, who either sub contracted to a guy in texas or PRETENDED to sub contract to a guy in texas, who then sub contracted to india.

        The real lesson here is that maybe she shouldn't outsource at all. They lost control of the data and it came back to bite her on the ass.
    • She is lying. (Score:5, Insightful)

      by SmallFurryCreature ( 593017 ) on Sunday March 28, 2004 @09:52PM (#8699821) Journal
      What it took to ruin her was her own greed. She was hired to do the transcribing. But instead of hiring her own people, checking those people, checking their work she outsourced it to a lower bidder.

      This has nothing to do with countries and law this has to do with your privacy being handled by the lowest bidder.

      Each step in the chain shows someone wanting lots of money for not doing anything. If hospitals and others were serious they would do the transcribing in house. But of course that is no longer allowed. Focus on your core capabilities has become the watch word. So that a place like a hospital is now really a meeting hall for outsourcing companies. From temp nurses to cleaners, from caterers to office staff. No one works for the hospital, they all work for the lowest bidder.

      Neat eh? And the funny thing is? Medical bills only seem to go up. Why am I paying more insurance when all this cost saving is going on?

  • by fermion ( 181285 ) on Sunday March 28, 2004 @07:51PM (#8699141) Homepage Journal
    The problem really is that subcontracting is meant to pass responsibility to another party. The person who contracts the work, as is the case woth, for example, Walmart or Nike, is allowed to feign ignorance and tends to be resolved of all responsibility. This situation, of course, gets worse as you move down the chain of subcontractors. It is a situation in which contractors are taking money for doing little more than taking a cut for mailing some paper.

    The truly scary part is that the US government is trying to outsource everything as well. This includes the IRS, which means that your personal tax information is going to be in hands of some work-at-home person making $1 per transaction filed, stored on the computers on some half-assed system administrator. The original contractors will have no responsibility as the contracts will be written to require minimal due diligence and almost no penalties for infractions.

    This of course has been defended as completely consistent with all current privacy laws. In addition, the somewhat friendly people at the IRS, a result of new regulations that resulted from the friends-or-Reagan audits, will be replace with the same people who call during diner asking you to buy their product, or yelling at your children because their parents did not pay a bill.

    • Just because you are using a contractor does not absolve you of the responbility. A company that has a contractor do something illegal, as a representative of the company, is liable for the acts of that contractor. Using this story, The hopital could have been sued if patient records were placed on the internet and the hospital would have sued "Transcript Stat." Sonya Newburn herself might even be held personally responsible depending on the type of company she had and even then that might not protect he
  • HIPAA (Score:5, Informative)

    by DAldredge ( 2353 ) * <SlashdotEmail@GMail.Com> on Sunday March 28, 2004 @07:57PM (#8699175) Journal
    http://www.hipaadvisory.com/action/LegalQA/law/Leg al44.htm
    QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

    ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply. The Privacy Rule (as we all know by now) applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA covered transaction. A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.

    The Privacy Rule describes two different scenarios in which a HIPAA-related business association may arise. First, when the right to use, disclose, create, or obtain PHI is delegated to a third party for use on behalf of the covered entity. Second, where a third party provides certain specified services to a covered entity and the provision of those services involves the disclosure of PHI by the covered entity to such third party. The specified services are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, and financial services. It is important to note that each and every relationship between a covered entity and a third party does not constitute a business association that gives rise to the requirement for a business associate agreement as set forth under the Privacy Rule.

    By executing a business associate agreement, a business associate contractually obligates itself to protect the PHI and to not use or further disclose the PHI other than as permitted or required under the agreement or as required by law (American). The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate.

    Enforcement of such agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country. Under the Privacy Rule, the US Department of Health and Human Services only has enforcement authority over covered entities (unless a business associate happens to also be a covered entity). Furthermore, while a business associate or subcontractor must contractually agree to protect PHI and comply with the Privacy Rule to the same extent as the covered entity, the problem with these types of arrangements arises if the foreign business associate breaches the agreement. Depending on the legal system of the foreign country, which may range from comparable to that of the United States to non-existent, the covered entity may well have difficulty enforcing such an agreement in foreign courts. Even if the business associate agreement requires US law to apply and provides that all disputes be settled in US courts, if the contractor is situated in another country and has no property or contacts in the US, such a provision will offer small comfort.

    Under the Privacy Rule, covered entities are required to mitigate any harmful effects of a wrongful use or disclosure of PHI by the covered entity or its business associates. And although covered entities must terminate business associate agreements when they "know" of a pattern of activity which is a material violation of the agreement and are unable to cure it, the Privacy Rule does not require covered entities to monitor the activities of their business associates. In spite of this seeming protection, as a practical matter, it is likely that patients who have been damaged by a business associate's breach of an agreement will seek compensation fr
  • by Average_Joe_Sixpack ( 534373 ) on Sunday March 28, 2004 @07:57PM (#8699179)
    Well at least the majority of Americans are not raising the issue to either companies or their representatives. For the past few months, e-loan has been giving it's customers a choice of where their loan applications are processed (India vs US). Even though these customers knew their private info was going to be shipped overseas, 86% chose India [yahoo.com] because the processing time was 2 days shorter. Bottom line, American's have a fast food mentality ... ie the cheapest, quickest way will always win.

    As for the story, I work as a consultant in the Health IT arena, and have all too often seen private data mishandled. However standards are greatly improving in the US, but this is only due to the threat imposed by legislation and civil lawsuits. Will 3rd party companies overseas have the same incentive if they are outside of US jurisdiction? Probably not
  • In Europe... (Score:5, Informative)

    by paugq ( 443696 ) <pgquiles@nosPAm.elpauer.org> on Sunday March 28, 2004 @08:04PM (#8699218) Homepage

    In Europe this would have never ever happened: our laws are very strong regarding to personal data and privacy.

    For instance, if a company here in Spain keeps customers data in a database, and the company wants to have that database hosted abroad (for example, for its website), in the USA, France, or any other country in the world, one person -with a name and a surname- of that company has to ask the Director of the Data Protection Agency [www.agpd.es] for a written permission to do so.

    Break Privacy Laws and you'll face a monetary penalty from $600 to $600000

    • Re:In Europe... (Score:3, Interesting)

      by Kris_J ( 10111 ) *

      In Europe this would have never ever happened:

      Because, of course, there aren't any greedy, immoral people in Europe.

      This information didn't go out in boxes that customs can search, it was sent down a wire at the speed of light. It went off-shore against the law because someone decided to charge local rates then pay for some under-protected borderline-slave labour person to do it at a fraction of the cost.

      The companies involved are dead, destroyed by this act of stupidity. Short of jail time (costly to s

    • Re:In Europe... (Score:3, Interesting)

      by Brandybuck ( 704397 )
      In Europe this would have never ever happened: our laws are very strong regarding to personal data and privacy.

      I work for a German company where the personal data of German customers is 100% available to the customer support center in Singapore. There's nothing stopping a similar privacy leak happening to this European company.
    • "Break Privacy Laws and you'll face a monetary penalty from $600 to $600000"

      All that's good to hear, but it's the enforcement that counts.

      $600? That's a common speeding ticket in the U.S. and would deter no one from doing anything here. Heck, it's almost like granting permission.

      --Richard
      • An example of the amounts:

        An ISP (I won't say the name, this is an actual case) kept backup tapes in a cabinet. A good practice, isnt it?

        One day, an employee forgot to keep some tapes inside the cabinet. Tapes were available to the employees, nobody else. Bad luck, that day was the inspection day (not announced, of course). Their punishment was $1000 per tape

  • by geekwench ( 644364 ) on Sunday March 28, 2004 @08:34PM (#8699382)
    The story was first posted back in October, before the investigation was completed. The facts that have since come to light add a whole new dimension to this outsourcing fiasco. (You can read the original Slashdot article here [slashdot.org].)

    I'm trying to decide if Ms. Newburn is an out-and-out hypocrite, or just spectacularly inept at fraud. She apparently sends the work to Pakistan, ignoring any concerns about professional ethics, and creates "Tom Spires" to cover her posterior; then cries about how awful it is that American jobs are going overseas, once her house of cards comes crashing down. This situation really calls for the old question: "What the hell were you thinking?!"

  • Tape Storage (Score:3, Informative)

    by superpulpsicle ( 533373 ) on Sunday March 28, 2004 @08:46PM (#8699445)
    People sound surprise that their data end up in some third world country facilities. To be honest, big companies have had terabytes of data stored in other countries for years. Usually it's the historical data beyond a 1 year full backup that ends up in some other countries.

    Granted yes, it takes efforts to dig it up. But still, the data is theorectically outsourced.
  • by HangingChad ( 677530 ) on Sunday March 28, 2004 @08:48PM (#8699456) Homepage
    This is only the beginning. Do you think foreign governments are going to respect your privacy? Imagine going to a meeting and the person on the other side of the table knows all the meds you might be taking and all your credit card transactions for the last six months. Sure, sign with us and we can keep your little secret about that apartment across town out of the news.

    Let's see them prosecute identity theft in Bangladore. It's only a matter of time before people who make 3 dollars an hour start figuring out how to turn your financial data and credit card numbers into $$$$$.

    • by Anonymous Coward
      I don't understand why some blackmailing being done in a terrorist country is being stereotyped to a different culture altogether.
      Pakistanis are known as backstabbers everywhere and if they don't change their habbits, that doesn't mean that all civilized nations India, Canada, Philippines, Mexico are like that.
      From experience, Indian and Canadian governments, in particular, have very strict laws to protect any kind of security leaks.
  • Condoms for Data. (Score:5, Informative)

    by t_allardyce ( 48447 ) on Sunday March 28, 2004 @08:52PM (#8699483) Journal
    Just pimping out our nice little Data Protection Act we've had in the UK for 16 years (i think its European too):

    -You have the right to access any personal data any company/organisation holds on you, including the police (the police can be exempt in certain situations), government agencies, your school, shops etc and this can include video and internal memos about you and non-electronically stored data AFAIK

    -You have the right to know who is holding what and what they intend to do with it

    -It cant be taken outside the European Economic Area without your consent

    -Security measures must be taken to ensure its safe

    uhuh uhuh you know you want it yeah! come on! pah in-your-face like a can-of-mace!
    • Unfortunately... (Score:4, Informative)

      by tuxette ( 731067 ) * <tuxette AT gmail DOT com> on Monday March 29, 2004 @12:56AM (#8700816) Homepage Journal
      It cant be taken outside the European Economic Area without your consent

      Personal data may be taken out of the EU/EEA only if without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. (EU Personal Data Directive 95/46/EC, Article 25). See here [dataprivacy.ie] for whole Directive.

      The United States is not a third country that the EU has determined to provide an adequate level of protection of personal data. However, if the individual companies or organizations in the US adhere to the Safe Harbor [export.gov] agreement, personal data may be transferred.

      Unfortunately, it can ultimately be difficult to control that data once it gets to the US. A in Europe may determine that B in the US provides adequate protection via Safe Harbor. All is well, right? Not necessarily. What happens when B subcontracts to C, who subcontracts to D, who subcontracts to E, who subcontracts to F in country G where privacy laws don't exist? Yeah sure, there are rules, but if something were to happen, there would be more finger-pointing and "you weren't supposed to..." and the such, as opposed to taking on responsibility. But nonetheless, your personal data has been compromised. All the bickering in the world won't resolve that matter.

  • by fembots ( 753724 ) on Sunday March 28, 2004 @09:20PM (#8699605) Homepage
    Wouldn't it make sense to separate data from patients? This is like Database Design 101.

    So patient medical records can be transcribed by anyone without leaking the identities, and the patient details are held in another database.

    So if someone wants to post a medical record, it can only go as far as "Patient DFA12435 has xxx, HA! HA!".
    • by SmallFurryCreature ( 593017 ) on Sunday March 28, 2004 @10:04PM (#8699902) Journal
      This story is about doctors SPOKEN notes being put in writing. The doctor is supposed to do database abstraction while doing surgery? I know doctors are not the dumbest people, although their blunder kill thousands each year, but that might just be a little bit diffiult.

      Seperarting database records like you suggest is indeed possible. You could easily seperate a patients credit history from their medical history. Doctor don't need to know payment details and the collectors don't need to know medical details.

      But in this case that is impossible. Medical details do belong with the name.

    • AFAIK, that's already happening for largish transcription jobs.
      Even without the patient identities, there are multiple ways to abuse such information, including selling it to drug companies as demographic data ;-)
      The problem, as the article pointed out, is that the US laws cannot be used in most cases to control what people abroad do with the data. The solution there is to send out sensitive data only to established corporations, and not cheapen out to such an extent. Wipro or Infosys (two largest ours
    • by fhic ( 214533 ) on Sunday March 28, 2004 @10:49PM (#8700167)
      Separating the data from the patient makes perfect sense. But consider this: someone has to match the data back up with the patient identification again later on. And that has to be *perfect*. Not pretty close, not five-nines close, *absolutely perfect*. One screwup and you've potentially killed someone. Do you trust your outsourced worker not to alter a digit of the patient identifier? Probably not, which means you're going to have to check the data constantly.

      Where I work, we've looked at outsourcing our pathology transcription business. We decided against it, because we want to keep control of the entire process.

      We keep our costs manageable by a fanatic concentration on efficiency and productivity. The process is as streamlined as it can be, and are constantly vigilant on how we can keep the process running smoothly.

      We manage to stay profitable in a business that's as cutthroat as it gets. And we pay a decent salary (even by San Diego standards!) for good transcriptionists who can meet their accuracy and productivity standards.
  • by Johnny Mnemonic ( 176043 ) <mdinsmoreNO@SPAMgmail.com> on Sunday March 28, 2004 @09:21PM (#8699609) Homepage Journal

    I know many of you work in the heatlh care business, and take HIPPA pretty seriously. I work in it myself, although in a tangential relationship and don't have to abide by HIPPA due to the nature of my facility.

    However, my wife works in the insurance business; specifically, she evaluates claims made against her company for legitimacy. She has the ability to draw upon resources that will tell her any individual's medical history, public and private; she can relatively easily flaunt the protections of HIPPA, although she can't reveal that she knows more about your medical condition than you do. She's not clear on how her resources can determine the things that they do, but it just shows the lie that to how much these protetctions provide.
  • Capital one (Score:5, Informative)

    by bl968 ( 190792 ) on Sunday March 28, 2004 @09:27PM (#8699632) Journal
    Capital one has outsourced your credit card account customer service personnel to India. I called up with a question and hearing a distinctive accent I asked the young woman where she was located. To her credit she answered me honestly and I had no real problems with her. However I do feel that any information sent to outsourced personnel overseas should be subject to all US legal protections and the company should have to treat that data with the same responsibilities as if it was here in the USA.
  • by Hanno ( 11981 ) on Sunday March 28, 2004 @09:45PM (#8699763) Homepage
    It's funny that the US is getting upset about data processing "beyond the reach of U.S. authorities", because already some years back, it used to be the other way round.

    For several years now, some larger German companies used to offshore their customer data processing to the USA. Some claim this is also done because of the USA's less strict privacy laws that allow for far more data profiling than allowed in Germany. There is also growing concern in German media that it will be impossible to control such outsourced data and that there is no way to ensure that customer data will not be used by the American procesing company for other purposes or sold to third parties.

    One such example was the Bahncard, a price rebate system for the national railway. For a few years, it came combined with a creditcard option and its data would be shared with an external partner of CitiBank US [tuwien.ac.at] for customer profiling, including a photograph, a full credit history and all payment data of the user.
  • by civad ( 569109 ) on Sunday March 28, 2004 @10:11PM (#8699951)
    In case people thought that NOTHING was being done abt the matter:
    http://www.computerworld.com/managementtopics/outs ourcing/story/0,10801,81698,00.html
    http://www.computerweekly.com/articles/article.asp ?liArticleID=122250&liFlavourID=1&sp=1
    http://216.239.51.104/custom?q=cache:aGXMuwaC72YJ: www.nasscom.org/download/CyberLaw.pdf+privacy&hl=e n&ie=UTF-8
  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Monday March 29, 2004 @12:43AM (#8700759) Homepage Journal

    From the article:

    "There's no remedy for a U.S. citizen if his information is compromised." [California Sen. Joe Dunn, D-Garden Grove]

    Nonsense. Plenty of countries have perfectly good laws on privacy -- especially, the privacy of medical records. This is just an attempt to score some points with outsorcing-scared electorate without upsetting the pro-business part of it too much.

    Even if so, as long as the original customer (the hospital in this case) is in US, the victims have someone to sue. It should be left up to the hospital to decide, not mandated by law. Sooner or later WTO will demand, California drops this law... And I'll support them.

    Plenty of vitally important stuff is being made abroad -- medical equipment, cars, food. By this Senator's logic, we should not be importing any of it because "there is no remedy" in case the manufacturer screws up.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...