On September 23, the Atlanta Journal-Constitution reported that the medical records of patients of Grady Memorial Hospital in Atlanta were made public on the Internet. This security lapse demonstrates the dangers of outsourcing functions involving medical information. Grady outsourced the job of transcribing doctors' notes to a firm in Marietta, Georgia, which in turn outsourced the work to an individual in Nevada, who in turn assigned the work to a firm in India, Primetech Systems.
The India transcription firm inadvertently allowed the medical information of 45 patients to slip onto the Internet. The security breach was discovered by one of Grady's doctors who performed a Google search of this name and found the information on his patients.
For those of you who follow these sorts of things, the Grady Hospital incident may sound alarmingly familiar. In 2003, University of California San Francisco Medical Center suffered a similar sort of security breach that attracted headlines and spurred brief interest in legislation limiting outsourcing of medical information. The UCSF incident involved a medical transcriptionist in Pakistan, far down a chain of subcontractors from the hospital's primary transcription services vendor, who threatened to post patients' records online unless UCSF paid the wages owed to her by one of UCSF's subcontractors.
How do you keep your organization from becoming one of these unpleasant headlines? Start by reviewing the contracts that you enter into with vendors that access or process your medical information. These sorts of concerns can be mitigated with contractual clauses providing that:
(1) The vendor will not provide medical information to subcontractors;
(2) The vendor will obtain your consent to the use of a subcontractor involving medical information; or
(3) The vendor will not utilize any subcontractor or transfer your medical information outside of the United States unless you expressly agree to it.
