HIPAA: Outsourcing Protected Health Information...

At least in the U.S., the Department of Health and Human Services (HHS) is quite clear about Protected Health Information (PHI). What is personal or protected health information and under what circumstances as a business must you keep this information private?

Now let's introduce the offshoring or outsourcing component of running a data intensive and information centric business model. Healthcare is all about the collection, analysis and historical trending of data about our vital signs, symptoms, habits and test results. Where is all of that data being processed and stored from transcribed audio and visual media?

Most patients who visit the hospital probably do not spend too much time thinking what happens to information in their medical records after they leave, but in the age of outsourcing, the path of a patient's medical record can be a long and precarious one. Medical Data Theft is a growing concern.

Consider a recent case at a university hospital in California, where the doctor's notes from a patient visit were first sent to a transcription service company in Florida, which decided to subcontract to another firm in Texas. The Texas firm subcontracted the work yet again, ending up with a woman in Pakistan. This Pakistani woman became upset because her payments for her services were late, so she decided to send an e-mail to the university hospital, threatening to post the medical records on the Internet if she was not paid immediately. It might sound like a nightmare, but it is the reality of outsourcing today.

Medical records are secured under HIPAA standards, but when they leave the United States, these rules may not necessarily apply.

QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?

Do you know that soon your PHI may be located in a Medical Information Bureau (MIB)? And in this case, it could be a real problem or as this scenario describes, it could kill you:

Here's the scenario. A bad guy steals your identity. He ends up in the hospital and pretends to be you. His medical history becomes a part of your "MIB identity, or Medical Information Bureau identity." You could end up being denied insurance -- or much, much worse. If you show up on the medical bureau as having heart disease or diabetes and then show up at the hospital unconscious, they might kill you trying to save you.