Subcontractor put VA health records at risk: IG

Management controls by the Veterans Health Administration over the acquisition of medical transcription services, and the privacy and security of patient information are deficient and need improvement, according to VA's inspector general.

The VA Office of Inspector General has been investigating allegations that an offshore medical transcription subcontractor threatened last year to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with another subcontractor over $28,000.

VHA, an agency of VA, needs to develop the ability to perform its medical transcription in-house, because there is no practical way to ensure that contractors safeguard patients' protected health information, said Michael Staley, VA assistant inspector general for auditing, in a report released late this afternoon.

'These allegations suggested that contract transcription services, which are widely used by VHA to perform a vital administrative function, are carried out in a high-risk environment that lacks reliable security and regulatory controls,' Staley said.

The incident occurred because VHA lost control over its patient information once the information traveled outside the VA system firewall, he said. The inability to control confidential information in an era of global outsourcing leaves protected health information unprotected and patients subject to identity theft. The payment dispute has been settled, but VA and the Justice Department are still investigating.

Use of speech recognition technology to transcribe medical reports in-house would resolve the contract and security issues. Medical transcription is the translation of patient health assessments recorded by physicians into text reports for documentation in the patients' medical records.

Some VA medical transcription contractors used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act.

The U.S. contractor paid the subcontractor the amount in dispute, and the offshore subcontractor certified that all VHA records were destroyed.

'However, VHA has no way of validating whether the subcontractor actually destroyed the information or whether other VHA patient records are in the possession of offshore subcontractors, or individuals and groups hostile to U.S. interests,' Staley said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected