AMARILLO, TX – With the goal of creating efficiencies and cutting costs, DME suppliers are entering into subcontract agreements with offshore companies. Generally speaking, this is permissible, but as is often the case, “the devil is in the details.”
Federal law does not prohibit subcontract arrangements with offshore companies. However, there are CMS rules around reporting offshore subcontractors. CMS requires Medicare Advantage Organizations (“MAOs”) and Part D Prescription Drug Plans (“PDPs”) to (i) submit certain information regarding their offshore subcontractors and (ii) attest that they have taken measures to mitigate risks associated with sharing beneficiary information with such subcontractors. The term “subcontractor” refers to any entity that an organization or sponsor contracts with to fulfill or help fulfill requirements in its Part C and/or Part D contracts. Subcontractors include all first tier, downstream, and/or related entities. The term “offshore” refers to any country that is not one of the 50 states or U.S. territories. CMS clarifies that offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.
The CMS requirements are not imputed to individual entities, but to PDPs and MAOs only. However, the DME supplier may have a duty under one or more contracts with these types of entities to report use of an offshore subcontractor. The attestation for each offshore subcontractor includes, in part:
- Offshore subcontractor’s name and functions.
- Description of protected health information (“PHI”) provided to the offshore subcontractor.
- Offshore subcontracting arrangement safeguards adopted to protect beneficiary information.
- Offshore subcontractor audit requirements.
Attestations are only required for offshore entities that receive, process, transfer, handle, store, or access PHI in oral, written, or electronic form. Examples of PHI include beneficiary name, birth date, address, social security number, health insurance claim number, patient identifiers, medical diagnosis, medical history, treatment records, type of provider visited, use of health care services, payment information, evidence of insurance coverage, or any information that could reasonably lead to the identification of a beneficiary. CMS also requires offshore subcontract attestations whenever there is a change in the functions that a current offshore subcontractor performs.
HIPAA allows covered entities to disclose PHI to business associates if the covered entity obtains satisfactory assurances that the business associate will (i) use the information only for the purpose for which it was engaged by the covered entity, (ii) safeguard the information from misuse, and (iii) help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule.
The DME supplier will need to enter into a Business Associate Agreement (“BAA”) with the offshore contractor that clarifies and limits, as appropriate, the permissible uses and disclosures of PHI, based on the relationship between the parties and the activities or services being performed by the offshore subcontractor.
Although a business associate is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for improper disclosures and uses, and for failing to safeguard PHI under the HIPAA Security Rule, the covered entity (i.e., the DME supplier) is not relieved of its responsibilities. The covered entity is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities of the PHI held by the covered entity. The covered entity is required to implement security measures sufficient to reduce risks and vulnerabilities. Because the offshore subcontractor is located in another country, the Department of Health and Human Services (“DHHS”) may not have jurisdiction to take enforcement action directly against the subcontractor business associate for a breach. As a result, the DME supplier’s own HIPAA risk management and risk analysis practices may be scrutinized. Therefore, it is up to the DME supplier to ensure that the offshore business associate has sufficient security, privacy and vendor management practices to meet the HIPAA requirements.
State Medicaid Programs
In 2010, CMS issued guidance to state Medicaid programs prohibiting the programs from paying for products/services to a financial entity located offshore. The guidance prohibits the state Medicaid program from making payments to (i) provider/supplier bank accounts located offshore, (ii) telemedicine companies located offshore and (iii) pharmacies located offshore. On the other hand, the guidance does not prohibit paying an offshore subcontractor for (i) claims adjudication, (ii) call center services for enrollment and (iii) MAP administration.
Four years later, the OIG issued a report to CMS regarding the use of offshore subcontractors. In preparing the report, the OIG (i) issued a questionnaire to all state Medicaid programs regarding the use of offshore subcontractors and (ii) disclosed to CMS the information obtained from the questionnaires. The questionnaire focused on the protections the Medicaid programs had in place to protect PHI when providers/suppliers used offshore subcontractors. To date, four state Medicaid programs (Wisconsin, Alaska, Ohio and Arizona) prohibit the use of offshore subcontractors.
Some commercial payors, including those associated with Medicare Advantage (“MA”) and Medicaid Managed Care (“MMC”), require (i) written notice by the provider/supplier before it contracts with an offshore subcontractor and/or (ii) approval by the commercial payor of the offshore subcontractor. Rules regarding offshore subcontracting can be found in payor policies, provider manuals and network agreements.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or firstname.lastname@example.org.
AAHOMECARE’S EDUCATIONAL WEBINAR
Medicare Advantage Plans: Government Oversight and Industry Advocacy
Presented by: Laura Williard, American Association for Homecare & Jeffrey S. Baird, Esq., Brown & Fortunato
Tuesday, January 31, 2023
1:30-2:30 p.m. CENTRAL TIME
Medicare Advantage Plans (“MAPs”) have had tremendous growth in enrollment in recent years. Almost 50% of Medicare beneficiaries are covered by MAPs and this is expected to continue to grow at a rapid pace. Working with MAPs has proven to be challenging for suppliers in their ability to access networks, negotiate rates, and work through a sometimes nonexistent appeals process. And so DME suppliers quite naturally ask what the federal laws are that govern MAPs. On the one hand, federal laws governing MAPs are quite extensive. However, only a small portion of the federal laws pertain to the relationship between the MAPs and the providers/suppliers that serve the patients covered by the plans. Much of the law aims to (i) protect covered lives and (ii) set minimum requirements for coverage, networks, and complex reimbursement mechanisms. This program will discuss the current MAP environment and the federal laws that govern them. The program will further discuss how these laws affect DME suppliers as they provide services to patients covered by MAPs. The program will then pivot to discuss the most important issues DME suppliers must face as they work with MAPs. Finally, the program will discuss the work being done to educate Congress, CMS, and the industry and the resources available to help DME suppliers navigate these plans.