AMARILLO, TX – A subcontract arrangement arises when (i) one company (the “subcontractor”) performs services for another company (the “contractor”) and (ii) the contractor compensates the subcontractor for its services. For example, when a DME supplier contracts with a billing company to perform billing services for the supplier, a subcontract arrangement arises. The same is true when a DME supplier contracts with an IT company…or with a fulfillment company that “picks, packs and ships” on behalf of the DME supplier…or with a software/IT company.
A subcontract arrangement will arise in the context of third-party payors (“TPPs”) such as Medicare Advantage Plans (“MAPs”) and Medicaid Managed Care Plans (“MMCPs”). ABC Medical Equipment, Inc. (“ABC”) may have an ongoing stream of patients covered by, e.g., a UHC MAP contract. However, ABC is not on the UHC contract’s provider panel. On the other hand, XYZ Medical Equipment, Inc. (“XYZ”) is on the UHC contract’s provider panel.
ABC and XYZ can enter into a subcontract agreement in which (i) ABC refers its UHC patients to XYZ, (ii) XYZ handles the intake, assessment and coordination of care for the patients, (iii) XYZ (the “contractor”) subcontracts out the “pick, pack and ship” responsibilities to ABC (the “subcontractor”), and (iv) XYZ pays fair market value (“FMV”) compensation to ABC for its services. The “devil is in the details” regarding how such a subcontract arrangement must be legally set up. For example, because ABC is a referral source of Medicare patients to XYZ, the subcontract arrangement must comply with (or substantially comply with) the Personal Services and Management Contracts (“PSMC”) safe harbor to the federal anti-kickback statute (“AKS”).
This brings us to the latest challenge facing DME suppliers: competitive bidding (“CB”). There will be “winning bidders” and there will be “losing bidders.” Let us look at a variation of the example set out in the preceding paragraph. Assume that ABC submits a bid, but is not awarded a CB contract for a particular product line.
On the other hand, assume that XYZ is awarded a CB contract for the product line. ABC and XYZ can enter into a subcontract agreement in which (i) ABC refers its CB patients to XYZ, (ii) XYZ handles the intake, assessment and coordination of care for the CB patients, (iii) XYZ (the “contractor”) subcontracts out the “pick, pack and ship” responsibilities to ABC (the “subcontractor”), and (iv) XYZ pays FMV compensation to ABC for its services. What I just said is based on the assumption that the latest version of CB will allow subcontracting. If it does, the parties to subcontract arrangements will need to adhere to the requirements the CB program lays down for subcontracting.
The DME supplier needs to be aware that most TPP contracts include one or more provisions addressing the utilization by the supplier of subcontractors. The subcontract provisions are normally generic; they apply to offshore subcontractors and to subcontractors located in the U.S. The subcontract provisions in a TPP contract will normally say one or more of the following:
- If the DME supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, the supplier will notify the TPP in advance of the subcontract arrangement.
- If the DME supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, (i) the supplier will notify the TPP in advance of the subcontract arrangement and (ii) the supplier will obtain the TPP’s consent for the supplier to utilize the subcontractor.
- The DME supplier is permitted to utilize a subcontractor only for the following specified services: [the contractual provision then specifies the services that can be subcontracted out]
- The DME supplier may only subcontract out __% or less of its obligations under the TPP contract.
- If the DME supplier enters into a Subcontract Agreement, such agreement must obligate the subcontractor to comply with the TPP’s policies and procedures.
- If the DME supplier utilizes a subcontractor located outside the United States, (i) the supplier and subcontractor must enter into a HIPAA-compliant Business Associate Agreement and (ii) the subcontractor must maintain protected health information (“PHI”) the same way that the supplier maintains PHI.
It is important that the DME supplier (i) understands what each TPP contract says regarding subcontracting and (ii) complies with the requirements of the TPP contract. Virtually all TPP contracts allow the TPP to terminate the TPP contract without cause upon “x” days prior written notice. If the supplier inadvertently fails to comply with the subcontract provisions in the TPP contract, such noncompliance may give the TPP an excuse to terminate the TPP contract.
In addition, there are legal guidelines the DME supplier needs to be aware of when it uses offshore subcontractors. Set out below is a discussion of such guidelines.
Medicare
Federal law does not prohibit subcontract arrangements with offshore companies. However, there are CMS rules pertaining to reporting offshore subcontractors. CMS requires MA Organizations (“MAOs”) and Part D Prescription Drug Plans (“PDPs”) to (i) submit certain information regarding their offshore subcontractors and (ii) attest that they have taken measures to mitigate risks associated with sharing beneficiary information with such subcontractors. The term “offshore” refers to any country that is not one of the 50 states or U.S. territories.
The CMS requirements are not imputed to individual entities, but to PDPs and MAOs only. However, the DME supplier may have a duty under one or more contracts with these types of entities to report use of an offshore subcontractor. The attestation for each offshore subcontractor includes, in part:
- Offshore subcontractor’s name and functions.
- Offshore subcontracting arrangement safeguards adopted to protect beneficiary information.
- Description of protected health information (“PHI”) provided to the offshore subcontractor.
- Offshore subcontractor audit requirements.
Attestations are only required for offshore entities that receive, process, transfer, handle, store, or access PHI in oral, written, or electronic form. Examples of PHI include beneficiary name, birth date, address, social security number, health insurance claim number, patient identifiers, medical diagnosis, medical history, treatment records, type of provider visited, use of health care services, payment information, evidence of insurance coverage, or any information that could reasonably lead to the identification of a beneficiary.
State Medicaid Programs
In 2010, CMS issued guidance to state Medicaid programs prohibiting the programs from paying for products/services to a financial entity located offshore. The guidance prohibits the state Medicaid program from making payments to (i) provider/supplier bank accounts located offshore, (ii) telemedicine companies located offshore and (iii) pharmacies located offshore. On the other hand, the guidance does not prohibit paying an offshore subcontractor for (i) claims adjudication, (ii) call center services for enrollment and (iii) MAP administration.
Four years later, the OIG issued a report to CMS regarding the use of offshore subcontractors. In preparing the report, the OIG (i) issued a questionnaire to all state Medicaid programs regarding the use of offshore subcontractors and (ii) disclosed to CMS the information obtained from the questionnaires. The questionnaire focused on the protections the Medicaid programs had in place to protect PHI when providers/suppliers used offshore subcontractors. To date, only a few state Medicaid programs prohibit the use of offshore subcontractors.
Competitive Bidding
The first CB program (the one beginning in 2011) allowed for subcontracting. The first CB program published several requirements that contract suppliers (CB winners) had to adhere to in order to enter into a subcontract arrangement. These requirements included, but were not limited to, (i) notifying the Competitive Bidding Implementation Contractor (“CBIC”) of the identities of the subcontractors and (ii) confirming that the subcontractors had the requisite licenses and expertise to provide the subcontracted services. It is anticipated that the new CB program will allow subcontracting arrangements to exist. If so, the industry will have to wait to see what requirements CMS will impose on such subcontract arrangements.
HIPAA
HIPAA allows covered entities to disclose PHI to business associates if the covered entity obtains satisfactory assurances that the business associate will (i) use the information only for the purpose for which it was engaged by the covered entity, (ii) safeguard the information from misuse, and (iii) help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule. The DME supplier will need to enter into a Business Associate Agreement (“BAA”) with the offshore contractor that clarifies and limits, as appropriate, the permissible uses and disclosures of PHI, based on the relationship between the parties and the activities or services being performed by the offshore subcontractor.
Although a business associate is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for improper disclosures and uses, and for failing to safeguard PHI under the HIPAA Security Rule, the covered entity (i.e., the DME supplier) is not relieved of its responsibilities. The covered entity is required to conduct a thorough assessment of the potential risk and vulnerabilities of the PHI held by the covered entity.
The covered entity is required to implement security measures sufficient to reduce risks and vulnerabilities. Because the offshore subcontractor is located in another country, the Department of Health and Human Services may not have jurisdiction to take enforcement action directly against the subcontractor business associate for a breach. The result may be that the DME supplier’s own HIPAA risk management and risk analysis practices may be scrutinized. Therefore, it is up to the DME supplier to ensure that the offshore business associate has sufficient security, privacy and vendor management practices to meet the HIPAA requirements.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].
