The Boston Globe reported this April that Boston Medical Center (BMC) ended its relationship with a medical transcription service provider after finding that the records of about 15,000 of the hospital's patients had been posted on the vendor's website without password protection. According to hospital staff, the records included patients' names, addresses and medical information such as which drugs they had been taking; Social Security numbers and financial information were not included. Although there was no evidence that any unauthorized individual had accessed the records, BMC sent letters to the affected patients notifying them of the breach.
According to the Boston Globe report, BMC issued a statement saying that the hospital noticed the exposure on March 4 and immediately informed the transcription company and its subcontractors of the error. The website was taken offline the same day. The hospital had worked with the vendor for around 10 years, but there is no clear evidence of how long the physicians' notes had been left unprotected on the site. BMC terminated the relationship with the vendor, citing its commitment to maintaining patients' privacy.
This incident underscores the importance of ensuring HIPAA compliance when outsourcing medical transcription. The main security risks of handing transcription work to a third-party vendor are the following.
- The audio files to be transcribed contain highly sensitive material: the patient's health information, information about children, Social Security numbers and other identifying details. The vendor therefore has to protect the files at every step, from the moment they are received until the transcribed documents are delivered.
- The vendor's subcontractors download the audio files, transcribe them and upload the results. If the vendor does not impose appropriate safeguards on those subcontractors, the files can be exposed at any of these steps.
- If the transcribed files are stored on a web server without proper access controls, search engines will crawl and index them, and anyone who finds the link can read them.
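The third risk above is exactly what happened at BMC: a document share reachable without credentials, which crawlers then find and index. The Python script below is an added example, not code from the article or from any vendor it mentions. It starts two throwaway local HTTP servers over a constructed sample note (no real patient data): one that serves the directory openly, and one that rejects anonymous requests and sends an `X-Robots-Tag: noindex` header on every response. `probe()` fetches a URL with no credentials, the way a crawler would, and reports whether the document was readable, whether a directory listing was exposed, and whether indexing was forbidden. The bearer token is a hypothetical placeholder; a real deployment would use single sign-on or client certificates.

```python
"""Anonymous-exposure check for a vendor file host (added example)."""
import functools
import http.server
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed sample; no real patient data.
SAMPLE_NOTE = "CONSTRUCTED SAMPLE - not real PHI\nPatient: J. Doe\nMedication: example\n"
# Hypothetical credential for the protected server; real deployments use SSO or client certs.
EXPECTED_AUTH = "Bearer constructed-example-token"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Plain file server with logging silenced: the exposed setup described in the article."""
    def log_message(self, *args):
        pass


class ProtectedHandler(QuietHandler):
    """Same files, but anonymous requests get 401 and every response says noindex."""
    def do_GET(self):
        if self.headers.get("Authorization") != EXPECTED_AUTH:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="transcripts"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_GET()

    def end_headers(self):
        # Added to 200s, 401s and error pages alike, so nothing on this host gets indexed.
        self.send_header("X-Robots-Tag", "noindex, nofollow")
        super().end_headers()


def probe(url, timeout=5):
    """Fetch url with no credentials, as a crawler would, and summarise what it saw."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, headers, body = err.code, err.headers, ""
    return {
        "url": url,
        "status": status,
        "anonymous_read": status == 200,
        # http.server titles its auto-listing "Directory listing for ..."; Apache/nginx use "Index of /".
        "directory_listing": bool(re.search(r"Directory listing for|Index of /", body)),
        "noindex": "noindex" in (headers.get("X-Robots-Tag") or "").lower(),
    }


def serve(handler, root):
    """Start a local server on a random port serving `root`; returns (server, base_url)."""
    httpd = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(handler, directory=root))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, "http://127.0.0.1:%d" % httpd.server_address[1]


def run_demo():
    """Probe the root and one note on both servers; returns {'open': [...], 'protected': [...]}."""
    root = tempfile.mkdtemp(prefix="transcripts-")
    with open(os.path.join(root, "note-0001.txt"), "w") as fh:
        fh.write(SAMPLE_NOTE)
    results = {}
    for name, handler in (("open", QuietHandler), ("protected", ProtectedHandler)):
        httpd, base = serve(handler, root)
        try:
            results[name] = [probe(base + "/"), probe(base + "/note-0001.txt")]
        finally:
            httpd.shutdown()
            httpd.server_close()
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        for f in findings:
            flag = "EXPOSED" if f["anonymous_read"] else "ok"
            print("%-9s %-7s %s listing=%s noindex=%s"
                  % (name, flag, f["url"], f["directory_listing"], f["noindex"]))
```

Pointed at a vendor's real document host (with permission), the `probe()` routine is the check a covered entity can run on its own schedule rather than waiting to discover an exposure by accident: any 200 without credentials, or any directory listing, is a finding regardless of whether a search engine has indexed the page yet.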
Under the HIPAA final rule (the 2013 Omnibus rule), business associates of covered entities, and the subcontractors of those business associates, are directly liable for violations of certain HIPAA Privacy Rule and Security Rule requirements. So when choosing a medical transcription service over in-house transcription, confirm that the third party has put in place the safeguards for patient data that the final rule requires.