Use of Offshore Subcontractors

September 5, 2016

AMARILLO, TX – Increasingly, to reduce expenses, DME suppliers are utilizing subcontractors located in foreign countries.  It is permissible for suppliers to do this; however, there are certain laws they must follow.  This article discusses those laws.

There are CMS rules around reporting offshore subcontractors. Specifically, CMS requests that Medicare Advantage Organizations (“MAOs”) and Part D Prescription Drug Plans (“PDPs”) submit certain information regarding their offshore subcontractors and attest that they have taken measures to mitigate risks associated with sharing beneficiary information with such subcontractors. The term “subcontractor” refers to any entity that an organization or sponsor contracts with to fulfill or help fulfill requirements in its Part C and/or Part D contracts. Subcontractors include all first tier, downstream, and/or related entities. The term “offshore” refers to any country that is not one of the 50 states or U.S. territories. CMS also clarifies that offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.

The CMS requirements are not imputed to individual entities, but to PDPs and MAOs only.  Therefore, the DME supplier may have a duty under one or more contracts with these types of entities to report any use of an offshore subcontractor.  The attestation for each offshore subcontractor includes, in part:

• Offshore subcontractor’s name and functions.
• Description of protected health information (“PHI”) provided to the offshore subcontractor.
• Offshore subcontracting arrangement safeguards adopted to protect beneficiary information.
• Offshore subcontractor audit requirements.

As part of the attestation, the supplier must conduct an annual audit of the offshore subcontractor.  The results of the audit must be used by the supplier to evaluate the continuation of its relationship with the offshore contractor.  Furthermore, the results of the audit must be shared with the Centers for Medicare and Medicaid Services (“CMS”) upon request.

Attestations and documentation required by CMS must be submitted via the Health Plan Management System Subcontractor Data module within 30 calendar days after the offshore subcontract is signed.  Attestations are only required for offshore entities that receive, process, transfer, handle, store, or access PHI in oral, written, or electronic form.  Examples of PHI include beneficiary name, birth date, address, social security number, health insurance claim number, patient identifiers, medical diagnosis, medical history, treatment records, type of provider visited, use of health care services, payment information, evidence of insurance coverage, or any information that could reasonably lead to the identification of a beneficiary.  CMS also requires offshore subcontract attestations whenever there is a change in the functions that a current offshore subcontractor performs.

The Health Insurance Portability and Accountability Act (“HIPAA”) allows covered entities to disclose PHI to business associates if the covered entity obtains satisfactory assurances that the business associate will use the information only for the purpose for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.  Therefore, the DME supplier will need to enter into a Business Associate Agreement (“BAA”) that clarifies and limits, as appropriate, the permissible uses and disclosures of PHI, based on the relationship between the parties and the activities or services being performed by the offshore subcontractor.  

Although a business associate is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for improper disclosures and uses, and for failing to safeguard PHI under the Security Rule, the covered entity is not relieved of its responsibilities.  The covered entity is required by 45 C.F.R. § 164.308(a)(1)(ii)(B) to conduct an accurate and thorough assessment of the potential risk and vulnerabilities of the PHI held by the covered entity.  Further, the covered entity is required to implement security measures sufficient to reduce risks and vulnerabilities.  Because the offshore subcontractor is located in another country, the Department of Health and Human Services (“DHHS”) may not have jurisdiction to take enforcement action directly against the subcontractor business associate for a breach.  The result may be that the covered entity’s own HIPAA risk management and risk analysis practices may be scrutinized. Therefore, it is up to the covered entity to ensure that the offshore business associate has sufficient security, privacy and vendor management practices to meet the HIPAA requirements.  

Neither the Department of Defense nor the Department of Veterans Affairs expressly prohibits the use of offshore subcontractors.  However, the HIPAA Privacy and Security Rules apply directly to TRICARE contractors that act as health plans or providers and downstream vendors that receive personal health information.  Further, the Department of Defense’s TRICARE Management Activity (“TMA”) requires all TRICARE contractors to report monthly on privacy breaches, including those experienced by each vendor handling enrollees’ PHI and by health care providers.

Commercial Insurance
Each individual insurance contract needs to be reviewed to determine whether or not the payor prohibits the use of offshore subcontractors.  There does not appear to be a general prohibition on the use of offshore subcontractors by commercial insurance payors.

Currently, only 15 of the 56 Medicaid agencies have some form of state-specific requirements or prohibitions that address the use of offshore subcontractors for administrative functions. Of these 15 Medicaid agencies, only four state Medicaid agencies expressly prohibit the use of offshore subcontractors. Of the four Medicaid agencies that prohibit the use of offshore contractors, Alaska, Arizona, and Ohio rely on Executive Orders that prohibit such offshore contracting, and the other, Wisconsin, relies on contract provisions to prohibit offshore contracting.

Of the remaining 11 Medicaid agencies that specifically address offshore contracting, nine Medicaid agencies require contractors and subcontractors to have BAAs complying with HIPAA requirements for protection of PHI.   They also monitor contractors to ensure compliance with the agencies’ requirements on offshore contracting.  The other two Medicaid agencies only allow offshore contracting under limited circumstances.

Although the remaining 41 Medicaid agencies do not have a statute, regulation, or Executive Order directly relating to offshore contracting, it is still necessary to review all contracts closely for such language.  For example, Delaware contains no such statutes or regulations, but a recent Delaware contract states, “The State will not permit project work to be done offshore.”

Jeff Baird will be presenting the following webinar:
Joint Ventures and Other Arrangements with Referral Sources
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato, P.C.
Tuesday, September 6, 2016
2:30-4:00 p.m. EASTERN TIME
In the real world one business can enter into an arrangement with another business without worrying about pesky government regulations. Unfortunately, DME suppliers are not in the real world... they are in an alternative universe known as “health care world.” Unlike auto parts suppliers and widget manufacturers, DME suppliers must be careful in entering into arrangements with other providers. This is because of federal and state anti-fraud statutes and regulations. For example, the Medicare anti-kickback statute makes it a crime for a person/entity to receive compensation for referring (or arranging for the referral of) Medicare/Medicaid patients to a health care provider. All states have anti-kickback statutes that are similar to the federal statute. The federal Stark physician self-referral statute prohibits a physician from referring Medicare/Medicaid patients to a provider in which the physician has a compensation or ownership interest. These are but two examples of the many anti-fraud laws that are on the books. This program will discuss the relevant state and federal anti-fraud statutes and regulations that govern the types of arrangements that a DME supplier can enter into with another provider, such as a physician, home health agency or pharmacy. The program will discuss the types of arrangements that are clearly legal, the types of arrangements that fall within the proverbial “gray area,” and the types of arrangements that must be clearly avoided.


Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or