more on Med record privacy and offshore workers..

[Dave Farber <dave () farber net>]

From: Peter Swire <peter () peterswire net>

Dave:

        The story shows the risks of sub-contracting in any industry --
the company loses some control over how its work is done.  There's
nothing special here about medical privacy.  A different out-sourcer
might have access to the passwords or encryption keys of people in the
company and try blackmail that way.

        Under the HIPAA privacy rules, the University hospital is
required to have a "business associate contract" with these
out-sourcers.  There are various enforcement terms built into the
contract, including canceling the contract for violations known by the
hospital.

        Some people have criticized these contracts as needless
paperwork and burden on the health system.  The story to me suggests the
contracts may be appropriate -- they have set a standard of good
practice in the industry, and there are sanctions on an overseas company
that violates the contract.  The main sanction, in practice, is loss of
the hospital's business.

        Peter

Prof. Peter P. Swire
Moritz College of Law of the Ohio State University
Consultant, Morrison & Foerster LLP
Formerly, Chief Counselor for Privacy in the U.S.
     Office of Management and Budget
(240) 994-4142, www.peterswire.net 

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/