Overseas Outsourcing of Private Information & Individual Remedies for Breach of Privacy

I. INTRODUCTION

Using personal medical and financial information to blackmail unsuspecting individuals may sound like the plotline to a conspiracy theory movie. In reality, it may also be a consequence of the practice of outsourcing electronic data to foreign countries for business processing. Since the fall of 2003, major newspapers have reported at least two instances of threats by foreign medical record transcriptionists to release patients' medical information via the Internet. (1) On October 7, 2003, a medical transcriptionist in Karachi, Pakistan, sent an email message to the University of California San Francisco Medical Center ("UCSF"), demanding payment for her work, with patient files attached. (2) In a similar incident only a few weeks later, Heartland Information Services ("Heartland"), an Ohio-based company, received an email message from its own employees in Bangalore, India, who attempted to extort money by threatening to reveal confidential material. (3)

The average patient would not normally know if her medical information was transmitted abroad following a hospital visit. Transcription of medical records generally is classified as one of the operations for which health care providers can disclose individuals' information without meeting the statutory requirement of obtaining consent. (4) Sometimes medical records awaiting transcription are forwarded, without the knowledge of the health care provider, to several different individuals through subcontracted relationships. For example, in the UCSF incident, the medical center had outsourced its medical record transcription to a California-based company, which in turn had subcontracted with an individual in Florida. (5) Against the terms of her original contract with the California-based firm, the subcontractor in Florida had subcontracted work to an individual in Texas, who, unbeknownst to her, had solicited work from the freelance transcriptionist in Karachi. (6)

On the other hand, some health care providers knowingly outsource their records transcription to companies that use overseas employees to complete the work. (7) Heartland's extortion threat is perhaps more alarming than the UCSF incident because, while its clients knew their work was being sent overseas, the company never informed them of this incident. (8) Moreover, the company's representative failed to mention the incident during his appearance at a hearing before state legislators in California on the subject of industry safeguards to protect outsourced information. (9)

Although the Supreme Court has implied that it might recognize a right to privacy of personal information, (10) the current legal environment provides limited remedies to those whose privacy rights are transgressed. (11) In the face of a technological world advancing at a rapid rate, legislative action is the only way to guarantee individuals protection of their private information. However, legislators fear that adequate privacy protections will only be implemented as a result of some future scandal. (12) Privacy rights experts warn that just such a scandal is on the horizon. (13)

This article addresses the threat of disclosure of consumers' private, personal information due to the increasing practice of outsourcing business processes to foreign companies. By way of introduction, it examines the trend of outsourcing: what jobs are commonly outsourced, in which industries, and the reasons why the practice has become increasingly common in the global economy. The article continues by describing the kinds of personal information that are commonly shared in outsourcing practices and examines two industries in depth: Internet-based loan processing and medical record transcription.

To analyze consumer rights and remedies in this context, the article considers the notion of a right to privacy in one's personal information, and then discusses federal statutes and case law which may enable such a right, in particular, the Health Insurance Portability and Accountability Act of 1996 (14) and the Gramm-Leach-Bliley Act. …