
Grady Hospital and the Perils of Outsourcing


On September 23, the Atlanta Journal-Constitution reported that the medical records of patients of Grady Memorial Hospital in Atlanta were made public on the Internet. This security lapse demonstrates the dangers of outsourcing functions involving medical information. Grady outsourced the job of transcribing doctors' notes to a firm in Marietta, Georgia, which in turn outsourced the work to an individual in Nevada, who in turn assigned the work to a firm in India, Primetech Systems.

The Indian transcription firm inadvertently allowed the medical information of 45 patients to slip onto the Internet. The security breach was discovered by one of Grady's doctors, who performed a Google search of his own name and found the information on his patients.

For those of you who follow these sorts of things, the Grady Hospital incident may sound alarmingly familiar. In 2003, University of California San Francisco Medical Center suffered a similar sort of security breach that attracted headlines and spurred brief interest in legislation limiting outsourcing of medical information. The UCSF incident involved a medical transcriptionist in Pakistan, far down a chain of subcontractors from the hospital's primary transcription services vendor, who threatened to post patients' records online unless UCSF paid the wages owed to her by one of UCSF's subcontractors.

How do you keep your organization from becoming one of these unpleasant headlines? Start by reviewing the contracts that you enter into with vendors that access or process your medical information. These sorts of concerns can be mitigated with contractual clauses providing that:

(1) The vendor will not provide medical information to subcontractors;

(2) The vendor will obtain your consent to the use of a subcontractor involving medical information; or

(3) The vendor will not utilize any subcontractor or transfer your medical information outside of the United States unless you expressly agree to it.


Comments

Reece, there's a notion that, if a hospital wants to release a patient's medical record directly to the patient in electronic form (say on a USB stick), the hospital can do this and completely transfer the responsibility to the patient. In effect, by using the patient as an outsourced courier (when going to the next medical facility), they can easily and legally provide for desired transfer of records. Is this correct?

I appreciate that this is a different issue than the one you describe above. That said, it seems hard to believe that a healthcare provider can so easily walk away from the liability/security issue. You'd think that there might be at least a duty to encrypt?

I worked for an outsourcing company that provided medical transcription services to U.S.-based companies with transcriptionists in India. The medical transcription business gets paid a few pennies per line of dictation with fast turnaround times and high quality expectations. The reality is that hospitals will not pay the higher salaries for U.S.-based work. Organizations are constantly looking at ways to trim the millions per year that they spend on transcription services. Voice recognition only gets you so far; there is always a need for someone to provide QA of the final product. When I visited companies in India I found dedicated employees who were often medical professionals and who got paid more for doing transcription than for working in their chosen profession. Contracting accountability should be focused more on security and accountability than on geographic borders. It is hard to stop the rogue employee peeking into celebrity medical records or disgruntled employees stealing records for monetary gain. Poor judgment has no geographic boundary.