HIPAA-Friendly Guide to Picking a Secure Outsourcing Company
By Elizabeth Hipp
All reported instances of medical data breaches put practices and patients on high alert, but the recent M2ComSys breach is especially troubling.
In August 2013, Cogent Healthcare and Genesis Health Systems announced the breach, which exposed more than 32,000 patient records due to a reported firewall error. In this instance, Google indexed some patient health records that were left unprotected on servers, which means it will be hard to remove the disclosed content.
Why is this troubling? The company that handled the outsourced transcription work, M2ComSys, said it was based in Las Vegas, but it actually was a branch of M-Squared, a company based in Kottayam, India. Health and Human Services has yet to figure out how to penalize overseas vendors that violate HIPAA regulations, meaning the company can continue to do business with other unaware practices without any repercussions.
What is the lesson to be learned from all of this? Any company to which you outsource functions such as transcription needs to be fully vetted. In industries that outsource, including medical transcription, billing, and coding, overseas companies often pretend they are based in the United States to get work and charge higher rates. However, clients unfamiliar with outsourcing won’t know what to look for in a legitimate company. To help, here are some suggestions for researching an outsourced vendor.
1. Does the vendor have a local phone number or is only a toll-free number listed on its website? If a vendor claims it is based in New York or Las Vegas yet has no local phone number, that’s a red flag. Also, you should be wary if the company lists only an e-mail address for contact and no phone number.
2. Does the vendor list a physical address on its website? Again, no address is another big red flag. In addition, do a little research on the address. Put it into Google Maps. Does it pull up an office building or a neighborhood? If it is an office building, go to that building’s website and look at the tenant list. Is the company listed? Once, when my company was researching a competitor, we found that the address listed on its website actually was a Subway sandwich shop location.
3. Is the company on Facebook, Twitter, Google+, or LinkedIn? If so, look at its profiles. Do posts appear to be written by a native English speaker or are spelling and grammatical mistakes present? Do the listed company members live in the United States? Is there a shell company listed? With M2ComSys, its Facebook page indicates the company is doing business as M-Squared. A simple Google search of M-Squared reveals that it is an Indian company.
4. Does the company offer services in a variety of unrelated fields? This is another red flag. Again, with M2ComSys, its website says the company provides transcription services, app and software development, a call center, and computer-aided design engineering. Most legitimate American transcription companies offer services that are closely related—for instance, medical transcription and EHR interfaces, legal and law enforcement transcription, or transcription and translation.
5. Is the company listed with the Better Business Bureau or the Yellow Pages? Does it belong to any professional associations based in the United States, such as the Association for Healthcare Documentation Integrity or the American Association of Electronic Reporters and Transcribers? Most American companies can be found using these resources or belong to at least one professional association.
6. When in doubt, ask for a free trial—and really test the company. Give the company a difficult file with a lot of similar-sounding words (eg, access and excess, ceased and seized) and American slang (eg, raining cats and dogs, airhead, bonkers) or brands (eg, Crocs shoes, Chick-fil-A). Chances are foreign companies will spell or type some of these wrong or leave blanks because they don’t understand.
With just a bit of basic research, companies and facilities can ensure their patient data are being handled appropriately and with the care that HIPAA mandates.
— Elizabeth Hipp is the social media director at Transcription Outsourcing.