Conference: March 2-4, 2026
Expo: March 3-4, 2026
Phoenix Convention Center  •  Phoenix, AZ

REGISTER EXHIBIT
POPULAR SEARCHES
Metrade Workshop
Industry News
Special Events
Q

News:
Billing/Reimbursement
November 20, 2025

Offshore Subcontracting: State Restrictions

Offshore subcontracting means outsourcing administrative or data tasks to entities outside the United States. Where and how is it allowed?

Words by: Jeffrey S. Baird, Esq. and Jacque K. Steelman, Esq.

News:
Billing/Reimbursement
November 20, 2025

Offshore Subcontracting: State Restrictions

Offshore subcontracting means outsourcing administrative or data tasks to entities outside the United States. Where and how is it allowed?

Words by: Jeffrey S. Baird, Esq. and Jacque K. Steelman, Esq.

AMARILLO, TX – Offshore subcontracting means outsourcing administrative or data tasks to entities outside the United States. Common use of offshore functions include:

  • Medical Billing and Coding;
  • Claims Processing;
  • Call Center Operations;
  • IT Support and Software Development; and
  • Data Analytics and Transcription Services.

State by state restrictions vary. Such restrictions can be found in the following places:

  • Executive Orders;
  • Medicaid Provider Manuals;
  • Medicaid Provider Agreements;
  • Managed Care Organization Manuals;
  • Managed Care Agreements;
  • Business Associate Agreements;
  • State Statutes; and
  • State Administrative Codes.

The following states do not have restrictions: Alabama, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Hawaii, Idaho, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, New Hampshire, New Mexico[2], New York, North Carolina, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, West Virginia, and Wisconsin.

The following states do have restrictions: Arizona, Florida, Georgia, Mississippi, Missouri, New Jersey, Ohio, Tennessee, and Texas.

Examples of State Specific Restrictions

Arizona
The Arizona Medicaid Provider Participation Agreement requires providers to comply with Minimum Subcontract Provisions (“MSPs”). The MSPs state, in part, that “[a]ny services that are described in the specifications or scope of work that directly serve the State of Arizona or its clients and involve access to secure or sensitive data or personal client data shall be performed within the defined territories within the borders of the United States.” Data is defined in the MSPs as any recorded information, regardless of the form or media on which it may be recorded, but expressly excludes “information incidental to contract administration, such as financial, administrative, cost or pricing, or management information.” This restriction appears to be placed directly on providers.

California
California MCOs do not prohibit the utilization of Offshore Contractors, but there is at least one MCO that places certain requirements on contracted providers with respect to Offshore Contracting.

Health Net of California, Inc. requires contracted providers to complete an Offshore Subcontracting Attestation (“Attestation”). The Attestation includes questions about the utilization of Offshore Contractors, the precautions taken for PHI, and the safeguards used to protect beneficiary information in the offshore contract. The Attestation requires the contracted provider to conduct annual audits of the offshore contractor.

Florida
Florida’s Electronic Health Records Exchange Act (the “Act”) applies to patient information that is stored in an offsite physical or virtual environment. The Act applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted. The language of the Act will apply to billing software if it stores enough information about patients to qualify as an electronic health record, and it meets the other elements of the definition.

For records to meet the definition of an electronic health record they must contain electronic health-related information that: (1) includes patient demographics and clinical health information and (2) has the capacity to (a) provide clinical decision support; (b) support physician order entry; (c) capture and query information relevant to health care quality; and (d) exchange electronic health information with, and integrate such information from, other sources. Software that only has the capability to hold data relevant to claims submission would not likely meet every element.

Georgia
The Georgia Department of Community Health Contract for Provision of Services to Georgia states that a supplier is prohibited from providing services from any offshore locations.

Mississippi
Providers that contract with Mississippi Medicaid are required to sign Business Associate Agreements (“BAA”). The BAA prohibits the provider from accessing, storing, sharing, maintaining, transmitting, using, or disclosing protected health information with any third party “beyond the boundaries and jurisdiction of the United States” without express authorization from the Department of Medicaid.

Missouri
The Governor of Missouri issued an Executive Order in 2004 that requires all vendors submitting bids for contracts with the State of Missouri to disclose whether any work under the contract will be performed outside of the United States and prohibits state agencies from awarding contracts to such vendors, unless the arrangement meets one of a few narrow exceptions.

In addition to this Executive Order, the Missouri Managed Care Contract between the state and health plans prohibit health plans from storing and/or transmitting any data related to the Managed Care Program outside of the United States. While this restriction appears to apply to managed care plans, it is likely that restrictions would be placed on providers that contract with managed care plans.

New Jersey
New Jersey has a state law that requires every state contract that is primarily for the performance of services to include provisions that services performed under the contract or any subcontract be performed within the United States. “State contract” is defined to include any contract entered into by “the Governor, the head of any of the principal departments in the Executive Branch of the State Government, and the head of any division, board, bureau, office, commission or other instrumentality within or created by such department … ” This could include agreements between providers and state Medicaid programs. This restriction would likely carry over into MCO agreements, but we were unable to readily identify specific examples.

Oklahoma
Oklahoma Health Care Authority (“OHCA”) Policies and Rules state that a Contracted Entity (“CE”) is prohibited from entering into any subcontract “for the performance of any duty under the Contract in which such services are to be transmitted or performed outside of the United States.” A CE is defined as any organization or entity that enters into a capitated contract with the OHCA for the delivery of services to Medicaid members, including health plans or “any other entity as determined by the OHCA.” This restriction appears to only apply to managed care plans, however similar restrictions would likely be placed on providers by the plans.

Tennessee
Providers contracted with Tennessee Medicaid are required to sign Business Associate Agreements (“BAAs”). The BAA states that the provider must obtain express written consent from Tennessee Medicaid in order to view, share, use, or disclose protected health information with any third party beyond the boundaries of the United States.

Texas
The Texas Medicaid Uniform Managed Care Contract prohibits MCOs and all subcontractors and vendors from moving any Confidential Information received from or on behalf of the state to be moved outside of the United States “at any time, for any period of time, for any reason.” Again, while only strictly applicable to managed care plans, it’s likely that the plans would impose similar restrictions on contracted providers.

Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Texas with a national healthcare practice. He represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].

Jacque K. Steelman, Esq., is a member of the Health Care Group at Brown & Fortunato, PC, a law firm with a national healthcare practice based in Texas. She represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Ms. Steelman can be reached at (972) 684-5789 or [email protected].

[1] This article does not contain legal advice. The reader needs to seek advice, regarding state restrictions, from his/her health care attorney.

[2] New Mexico is not entirely clear. The New Mexico Health Authority Program Rules and the New Mexico Administrative Code do not contain restrictions. However, a 2014 OIG Memorandum identifies New Mexico as a state that has restrictions.

Related Articles

News Legislative/Advocacy

AAHomecare Editorial: Unified Efforts are Shaping HME’s Future

November 20, 2025

As the HME community awaits the release of the Final Rule that could re-start the Competitive Bidding Program, AAHomecare continues to engage.

News Legislative/Advocacy

U.S. Rep. Marc Veasey Visits Texas DME Provider

November 20, 2025

A visit from a member of Congress buoyed spirits, but Laurie Bachorek, director of Rehab at Baxter Management, is anxious about the return of competitive bidding.