Risks of Offshoring Medical Transcription and Scribe Work During COVID-19

Apr 21, 2020 | Jonathan Maisel

A recent legal precedent set by a New Jersey judge means that medical practices and hospitals nationwide may be held legally responsible for HIPAA breaches incurred by their offshore medical transcription, virtual scribe or IT companies. As a result, the healthcare industry is now realizing that outsourcing tasks to companies with a U.S.-based workforce is a far safer solution.

The New Jersey case involved “Virtua Medical Group, P.C.”, a network of more than fifty New Jersey medical and surgical practices, that outsourced medical transcription work to Cummings, Georgia, U.S.-based ATA Consulting LLC, doing business as “Best Medical Transcription”. Business owner Tushar Mathur solely owned, operated and controlled Best Medical Transcription and signed a Business Associate Agreement (BAA) with Virtua. Mathur outsourced the work to a subcontractor, Tojo-Vikas, a New Delhi, India company that then performed the medical transcription services for the group. A breach occurred due to a security lapse of the subcontractor affecting 1657 patients, and Virtua was held responsible! The NJ Attorney General fined Virtua, a Covered Entity (CE), $418,000 because they had “failed to perform adequate risk assessment.” Best Medical Transcription was also fined but could not pay a reduced fine and promptly dissolved as a business.

How HIPAA Laws Impact Hospitals and Medical Practices in Regards to Data Breaches

The HIPAA laws hold CEs, i.e. hospitals and medical practices, accountable for data breaches caused by their business associates if they don’t perform an adequate risk assessment. Thus, CEs are ultimately responsible for the actions of their business associates, and clearly can now be prosecuted and fined for HIPAA breaches even with a BAA in place. It is neither difficult nor expensive to perform a security and business risk assessment of any vendor as required by HIPAA, but it is virtually impossible if the vendor is offshore.

Contracts and BAAs with a small U.S. shell company may not offer protection if the vendor can just close up shop at the first sign of trouble. Size and longevity do not assure that a transcription vendor is perfect. Nuance, one of the largest transcription vendors in the U.S., shut down their transcription services in June 2017 due to NotPetya malware, which affected many of their hospital clients for weeks and made critical patient encounters inaccessible. A backup plan for medical transcription and EHR clinical documentation is required for these critical services.

Why Offshore Scribe Services Can Be Disastrous to Your Security

Offshore scribe services that log directly into EHRs with few restrictions can make inadvertent mistakes that are difficult to detect and correct, such as picking the wrong patient with a common name. Access to your EHR and network through an unsecured PC from a foreign country exponentially increases your risk of a data breach, malware or ransomware. Office for Civil Rights (OCR) financial penalties for HIPAA violations totaled over $100,000,000 by 2018, are rapidly increasing and can cause a bankruptcy event, with the average HIPAA penalty $1,227,400 in 2019.

How COVID-19 Has Impacted Offshore Medical Transcription Services

To further complicate matters, due to the COVID-19 pandemic, many hospitals are experiencing trouble with their transcription work done in India since that country is currently under a lockdown of the entire population. Some of the largest transcription companies have centers in India, including Nuance, ACuity Solutions (formerly M*Modal) and iMedix, and may have all been forced to close their offices due to this mandate. Some Indian scribes and transcriptionists are now working at home on their personal machines, where networks and machines may be unsecured or possibly even shared. This significantly increases the risk of a data breach, ransomware or malware, a risk which may not have been conveyed to their clients. Medical records are a prime target for identity theft since they contain extensive Protected Health Information (PHI), which must always be properly protected.

Why You Should Consider a U.S. Medical Transcription Company

A safer solution is to use a U.S. medical transcription company employing only U.S. workers who are background checked. A U.S. company offers the advantages of faster turnaround time and higher accuracy, and supports the U.S. economy. Despite a 32.5% growth rate in U.S. medical transcription jobs from 2017 to 2018, transcriptionists are still underemployed by the hundreds of thousands. A growing move back to medical transcription¹² may be attributed to a new solution to the EHR data entry problem which was at the root of physician burnout. This new documentation method developed by ZyDoc utilizes dictation, transcription, natural language processing (NLP) and EHR interoperability for section-level text insertion. It was demonstrated to be 61% more efficient than keyboard and mouse in a landmark NIH-sponsored EHR usability study performed at Columbia University Medical Center.

With COVID-19 causing unprecedented unemployment in the U.S., this is the ideal time to institute legislation mandating that healthcare work not leave the U.S. as many European countries have done with GDPR mandates for privacy and confidentiality. Transcription is a critical medical infrastructure service no longer being done by U.S. workers but by offshore workers.  Isn’t it time for the government to protect patients from identity theft and/or public release of their confidential medical information?  

Many government institutions mandate that all transcription work be performed in the U.S. under stringent security controls. However, Request for Proposal (RFP) awards for government transcription contracts requiring U.S. workers are made at rates below minimum wage for U.S. transcriptionists and lack enforcement of numerous regulations, so it is questionable whether vendors are secretly outsourcing abroad. Even minimal diligence, such as reviewing the audit trail of the typists' IP addresses, would confirm whether the work was done abroad.

How Can a Medical Practice or Hospital Avoid or Minimize the Risk of Their Vendor Causing a Breach?

  • Have your vendor provide their latest security assessment or preferably a third party assessment of their HIPAA and HITECH security. 
  • Your legal entity should be named as additional insured on their cyber insurance policy.
  • Request an audit log on some transcription jobs that will show each and every access along with IP addresses that have geolocation.
  • Can they provide I-9 verification reports of their U.S.-based employees and valid background checks? Only these workers should appear on the audit logs.
  • Review independent third party evaluations from companies such as KLAS, Black Book Research and Capterra that review and rank service companies by several factors such as their customer support.
  • Call their support center one evening to test their availability and English skills.
  • Ask which transcription platform they utilize for the typing and if the data is always encrypted.  
  • Is the data stored in a HITRUST secure U.S.-based cloud datacenter under full HIPAA controls in accordance with your compliance program and U.S. laws?
  • Ask what happens to the PHI after the typist is done typing to make sure it never resides on their local machine, even briefly.
  • Indications of increased security risks include having to install programs for the transcription services, open up firewall ports, or having to add security exceptions.
  • Test if anyone with access to the audio files or documents can save files on their computer or print documents without assignment of privileges to do so.

Warning Signs Suggesting Your Scribing or Medical Transcription is Done by a U.S. Shell Company Using Offshore Workers

  • Lack of ability to audit work.
  • Audit trail shows foreign IP addresses. 
  • Lack of audit trail or numerous touches since India often assigns 3 levels of transcription and management in their workflow.
  • Transcription platform permits audio or text export from system by typist, manager, editor, or other staff.
  • Dictated jobs are not returned until morning due to overseas time differences.
  • Common U.S. places, names, locations, businesses and other U.S. terms are wrong.
  • Poor grammar, bad paragraph breaks or incorrect combinations of words that are often missed by spell check.
  • Data inserted into the wrong sections.
  • Mistakes in information or poor wording.
  • Support is not live.
  • Prices below 10 cents/line.
  • Vendor has no government contracts forbidding offshore work.
  • No HIPAA security third party assessment or audit. 
  • Ask for their disaster preparedness plan. India needs electric generators routinely. 
  • Lack of cyber security insurance policy.
  • LinkedIn, Indeed, Glassdoor or Facebook profiles show employees located abroad.
  • Work returned late when sent during Indian holidays or foreign disasters.
  • Ask for references.
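
The audit-log review named in the checklist and warning signs above, as an added example (not code from the original article or from any vendor's platform): it flags jobs touched by users missing from the verified roster, accessed from outside the U.S., exported or printed, or handled by many distinct users. The CSV layout, user names, action names and the touch threshold are constructed assumptions, and the IP addresses are documentation-range placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a vendor audit-log export (not a real platform's format).
# Assumed columns: job_id, timestamp (UTC), user, action, ip, country (vendor-supplied geolocation).
SAMPLE_LOG = """job_id,timestamp,user,action,ip,country
J100,2020-04-20T14:02:11Z,asmith,open,198.51.100.7,US
J100,2020-04-20T14:40:52Z,asmith,save,198.51.100.7,US
J101,2020-04-20T22:15:03Z,asmith,open,198.51.100.7,US
J101,2020-04-21T03:10:44Z,typist07,open,203.0.113.25,IN
J101,2020-04-21T04:02:19Z,editor02,open,203.0.113.40,IN
J101,2020-04-21T04:30:00Z,qa_lead,export,203.0.113.41,IN
J102,2020-04-21T15:00:00Z,bjones,print,192.0.2.14,US
"""

VERIFIED_WORKERS = {"asmith", "bjones"}   # hypothetical I-9 / background-checked roster
ALLOWED_COUNTRIES = {"US"}
MAX_USERS_PER_JOB = 2                     # assumed threshold for "numerous touches"
RESTRICTED_ACTIONS = {"export", "print"}  # assumed action names for copying PHI out


def review_audit_log(text, verified=VERIFIED_WORKERS):
    """Return {job_id: sorted list of findings} for jobs that need follow-up."""
    findings = defaultdict(set)
    users_per_job = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        job, user = row["job_id"], row["user"].strip().lower()
        users_per_job[job].add(user)
        if user not in verified:
            findings[job].add(f"unverified user {user}")
        # A missing or blank geolocation is treated as a finding, not as a pass.
        country = (row.get("country") or "").strip().upper()
        if country not in ALLOWED_COUNTRIES:
            findings[job].add(f"access from {country or 'UNKNOWN'} ({row['ip']})")
        if row["action"].strip().lower() in RESTRICTED_ACTIONS:
            findings[job].add(f"{row['action']} by {user}")
    for job, users in users_per_job.items():
        if len(users) > MAX_USERS_PER_JOB:
            findings[job].add(f"{len(users)} distinct users touched the job")
    return {job: sorted(items) for job, items in findings.items()}


if __name__ == "__main__":
    for job, items in sorted(review_audit_log(SAMPLE_LOG).items()):
        print(job, "->", "; ".join(items))
```

Export and print events are reported even for verified workers, so each one can be matched against the privileges actually assigned.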
