AMARILLO, TX – Third-party payor (“TPP”) contracts include Medicare Advantage (MA”) contracts, Medicaid Managed Care (“MMC”) contracts, and employer sponsored group health insurance contracts. Until recently, most DME suppliers did not have to deal with TPP contracts. This is because most Medicare beneficiaries were covered by traditional Medicare.
Over the last several years, this has changed. Today, approximately 50% of all Medicare beneficiaries are covered by MA plans and approximately 70% of all Medicaid patients are covered by MMC plans. Today’s DME supplier must not only master the nuances of fulfilling the requirements of traditional Medicare and traditional Medicaid, but the supplier must be able to fulfill the requirements of multiple TPP contracts.
With a subcontract arrangement, a DME supplier will enter into a 1099 independent contractor relationship with a person or entity in which the person/entity provides specified services to the supplier. Subcontractors can take many forms: an outside billing company, an outside document retention company, an outside HR…or IT service…etc. And increasingly, DME suppliers are using “offshore” subcontractors (e.g., Manila, Mumbai, Cairo).
The DME supplier needs to be aware that most TPP contracts include one or more provisions addressing the utilization by the supplier of subcontractors. The subcontract provisions are normally generic; they apply to offshore subcontractors and to subcontractors located in the U.S. The subcontract provisions in a TPP contract will normally say one or more of the following:
- If the DME supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, the supplier will notify the TPP in advance of the subcontract arrangement.
- If the DME supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, (i) the supplier will notify the TPP in advance of the subcontract arrangement and (ii) the supplier will obtain the TPP’s consent for the supplier to utilize the subcontractor.
- The DME supplier is permitted to utilize a subcontractor only for the following specified services: [the contractual provision then specifies the services that can be subcontracted out]
- The DME supplier may only subcontract out __% or less of its obligations under the TPP contract.
- If the DME supplier enters into a Subcontract Agreement, such agreement must obligate the subcontractor to comply with the TPP’s policies and procedures.
- If the DME supplier utilizes a subcontractor located outside the United States, (i) the supplier and subcontractor must enter into a HIPAA-compliant Business Associate Agreement and (ii) the subcontractor must maintain protected health information (“PHI”) the same way that the supplier maintains PHI.
It is important that the DME supplier (i) understands what each TPP contract says regarding subcontracting and (ii) complies with the requirements of the TPP contract. Virtually all TPP contracts allow the TPP to terminate the TPP contract without cause upon “x” days prior written notice. If the supplier inadvertently fails to comply with the subcontract provisions in the TPP contract, such noncompliance may give the TPP an excuse to terminate the TPP contract.
In addition, there are legal guidelines the DME supplier needs to be aware of when it uses offshore subcontractors. Set out below is a discussion of such guidelines.
State Medicaid Programs
In 2010, CMS issued guidance to state Medicaid programs prohibiting the programs from paying for products/services to a financial entity located offshore. The guidance prohibits the state Medicaid program from making payments to (i) provider/supplier bank accounts located offshore, (ii) telemedicine companies located offshore and (iii) pharmacies located offshore. On the other hand, the guidance does not prohibit paying an offshore subcontractor for (i) claims adjudication, (ii) call center services for enrollment and (iii) MAP administration.
Four years later, the OIG issued a report to CMS regarding the use of offshore subcontractors. In preparing the report, the OIG (i) issued a questionnaire to all state Medicaid programs regarding the use of offshore subcontractors and (ii) disclosed to CMS the information obtained from the questionnaires. The questionnaire focused on the protections the Medicaid programs had in place to protect PHI when providers/suppliers used offshore subcontractors. To date, only a few state Medicaid programs prohibit the use of offshore subcontractors.
Medicare
Federal law does not prohibit subcontract arrangements with offshore companies. However, there are CMS rules pertaining to reporting offshore subcontractors. CMS requires MA Organizations (“MAOs”) and Part D Prescription Drug Plans (“PDPs”) to (i) submit certain information regarding their offshore subcontractors and (ii) attest that they have taken measures to mitigate risks associated with sharing beneficiary information with such subcontractors. The term “offshore” refers to any country that is not one of the 50 states or U.S. territories.
The CMS requirements are not imputed to individual entities, but to PDPs and MAOs only. However, the DME supplier may have a duty under one or more contracts with these types of entities to report use of an offshore subcontractor. The attestation for each offshore subcontractor includes, in part:
- Offshore subcontractor’s name and functions.
- Offshore subcontracting arrangement safeguards adopted to protect beneficiary information.
- Description of protected health information (“PHI”) provided to the offshore subcontractor.
- Offshore subcontractor audit requirements.
Attestations are only required for offshore entities that receive, process, transfer, handle, store, or access PHI in oral, written, or electronic form. Examples of PHI include beneficiary name, birth date, address, social security number, health insurance claim number, patient identifiers, medical diagnosis, medical history, treatment records, type of provider visited, use of health care services, payment information, evidence of insurance coverage, or any information that could reasonably lead to the identification of a beneficiary.
HIPAA
HIPAA allows covered entities to disclose PHI to business associates if the covered entity obtains satisfactory assurances that the business associate (i) will use the information only for the purpose for which it was engaged by the covered entity, (ii) safeguard the information from misuse, and (iii) help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule.
The DME supplier will need to enter into a Business Associate Agreement (“BAA”) with the offshore contractor that clarifies and limits, as appropriate, the permissible uses and disclosures of PHI, based on the relationship between the parties and the activities or services being performed by the offshore subcontractor.
Although a business associate is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for improper disclosures and uses, and for failing to safeguard PHI under the HIPAA Security Rule, the covered entity (i.e., the DME supplier) is not relieved of its responsibilities. The covered entity is required to conduct a thorough assessment of the potential risk and vulnerabilities of the PHI held by the covered entity.
The covered entity is required to implement security measures sufficient to reduce risks and vulnerabilities. Because the offshore subcontractor is located in another country, the Department of Health and Human Services may not have jurisdiction to take enforcement action directly against the subcontractor business associate for a breach. The result may be that the DME supplier’s own HIPAA risk management and risk analysis practices may be scrutinized. Therefore, it is up to the DME supplier to ensure that the offshore business associate has sufficient security, privacy and vendor management practices to meet the HIPAA requirements.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].
AAHOMECARE’S EDUCATIONAL WEBINAR
Cash-Only Retail: How to Succeed
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato
Tuesday, April 16, 2024
1:30-2:30 p.m. CENTRAL TIME
The DME industry primarily serves the elderly. This means that most DME suppliers are dependent on traditional Medicare and Medicare Advantage for most of their revenue. But as DME suppliers know from experience, it can be challenging to be so tied to Medicare. This is where retail comes in. There are 78 million Baby Boomers who are retiring at the rate of 10,000 per day. Many Boomers are willing to pay cash for “Cadillac” items rather than being limited to the “Cavalier” items paid for by Medicare. This program will present the legal parameters within which DME suppliers can move into the retail space. The issues to be presented will include the following:
- Whether the retail business should be (i) under the supplier’s existing Tax ID # or (ii) operated by a separate legal entity.
- State DME licensure.
- Selling Medicare-covered items at a discount off the Medicare allowable.
- Obtaining physician prescriptions.
- Collection and payment of sales tax.
- Qualification as a “foreign” corporation.
- Required notification to a Medicare beneficiary even though the supplier does not have a PTAN.
Register for Cash-Only Retail: How to Succeed on Tuesday, April 16, 2024, 1:30-2:30 p.m. CT, with Jeffrey S. Baird, Esq., Brown & Fortunato.
Members: $99
Non-Members: $129