The difference between a recommendation and a requirement resulted in a significantly different outcome for the American Medical Association's stance on patient privacy and the foreign outsourcing of health information technology services.
At the AMA's annual meeting held last June in Chicago, the Illinois delegation in the AMA's House of Delegates introduced a resolution that called on the organization to adopt a policy stipulating that medical data processed by foreign vendors be subject to Health Insurance Portability and Accountability Act regulations, but that resolution was referred back to the board for further study.
Then in November, at the AMA interim meeting held in Dallas, the House of Delegates adopted instead a recommendation encouraging physicians "to be careful" that overseas business associates adequately safeguard patient privacy.
This outcome was about as good as could be expected, considering the legal issues involved, a supporter said, but the matter was not completely settled.
An amendment was added to the measure instructing the AMA to "investigate ways to protect physicians from HIPAA violations when they have contracted for services in good faith, and report back to the House of Delegates at the 2006 annual meeting."
Craig Backs, M.D., a Springfield, Ill.-based internist and president of the Illinois State Medical Society, attended the meeting as an alternate delegate and said he was happy with the way their efforts turned out.
"The sentiment of the Illinois delegation was that the (AMA board's) report addressed the concerns brought up by the resolution," Backs said. "The real issue is that American courts and laws do not have jurisdiction in other countries, so the furthest we can go is to make physicians and others aware of the potential pitfalls. So we were satisfied that they had addressed the issue to the greatest extent that they could."
The Illinois delegation developed the resolution after reading reports in October 2003 about a medical transcriptionist in Pakistan who threatened to post patient records on the Internet after getting embroiled in a payment dispute.
"I do not believe that this is a widespread problem, but this incident raised the level of concern about the potential," Backs said.
Champaign, Ill.-based neonatologist Nestor Ramirez, M.D., was one of the original supporters of the resolution at the AMA annual meeting in June. He didn't attend the interim meeting, so he declined to comment on how the issue was resolved.
But last summer, he asked, "If we don't let stuff in (the country) that we can't guarantee is kosher, why should we let stuff like critical patient information go out?"
He said what he would ultimately like to see is a clearinghouse maintained by hospitals, states or medical specialty societies that certifies foreign vendors that are HIPAA-compliant and says "These people are following the rules."
The AMA declined to comment on the issue and instead let its board of trustees report do the talking.
The report stated that HIPAA requires providers, health plans and others contracting with foreign companies to enter into business agreements that mandate their contractors to protect personal health information and comply with privacy regulations. But even if this agreement stipulates that disputes be settled in U.S. courts, the report notes that "If the contractor is situated in another country and has no property or contacts in the U.S., it is doubtful such a provision will be enforceable against the contractor."
In such cases, the report also notes that U.S. organizations subject to HIPAA regulations would likely be subject to negligence lawsuits from patients whose privacy was violated by foreign IT vendors.
To avoid these circumstances, the report advises physicians and others who may outsource IT services to foreign companies to "closely scrutinize the company, its operations and procedures; its reputation in the industry; and compliance plans for handling protected health information."
"While the goals of Resolution 223 are laudable and its drafter clearly wishes to solve a problem of significance, solutions rely either in the drafting of individual contracts or within the realm of international law," the report concludes. "Hence, any insistence that the protections afforded by HIPAA be adhered to by foreign companies cannot, as a practical matter, be legislatively mandated."
So, in lieu of the requirements set forth in the original resolution, the House of Delegates instead approved the recommendation calling for physicians to be careful and to perform due diligence before entering into contracts with foreign companies.
"The (original) resolution called for legislation to apply to a foreign entity and that was the part that wasn't doable," Backs said, adding that he thought the issue was handled well by the AMA.
"I'm impressed with the process of the (House of Delegates), and I'm impressed with the quality of the debate and the way differences are handled that enable the AMA to speak in one voice," he said.