AMARILLO, TX – Increasingly, DME suppliers are entering into Subcontract Agreements (SAs) with other companies (subcontractors). For example:

• The supplies can enter into a Fulfillment Agreement with a distributor in which the distributor ships products, on behalf of the supplier, to the supplier’s patient.
• The DME supplier can enter into a Billing Services Agreement with a billing company.
• The supplier can sign a contract with an offshore company that assists the supplier with patient intake and collection of documents.

When the DME supplier enters into an SA, the supplier needs to be aware of the requirements of third-party payor (“TPP”) agreements the supplier has entered into, including Medicare Advantage Plans (MAPs) and Medicaid Managed care plans (MMCPs)

The DME supplier needs to be aware that most TPP contracts include one or more provisions addressing the utilization by the supplier of subcontractors. The subcontract provisions are normally generic; they apply to offshore subcontractors and to subcontractors located in the U.S. The subcontract provisions in a TPP contract will normally say one or more of the following:

• If the DME supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, the supplier will notify the TPP in advance of the subcontract arrangement.
• If the DME supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, (i) the supplier will notify the TPP in advance of the subcontract arrangement and (ii) the supplier will obtain the TPP’s consent for the supplier to utilize the subcontractor.
• The DME supplier is permitted to utilize a subcontractor only for the following specified services: [the contractual provision then specifies the services that can be subcontracted out]
• The DME supplier may only subcontract out __% or less of its obligations under the TPP contract.
• If the DME supplier enters into an SA, such agreement must obligate the subcontractor to comply with the TPP’s policies and procedures.
• If the DME supplier utilizes a subcontractor located outside the United States, (i) the supplier and subcontractor must enter into a HIPAA-compliant Business Associate Agreement and (ii) the subcontractor must maintain protected health information (“PHI”) the same way that the supplier maintains PHI.

It is important that the DME supplier (i) understands what each TPP contract says regarding subcontracting and (ii) complies with the requirements of the TPP contract. Virtually all TPP contracts allow the TPP to terminate the TPP contract without cause upon “x” days prior written notice. If the supplier inadvertently fails to comply with the subcontract provisions in the TPP contract, such noncompliance may give the TPP an excuse to terminate the TPP contract.

In addition, there are legal guidelines the DME supplier needs to be aware of when it uses offshore subcontractors. Set out below is a discussion of such guidelines.

HIPAA
HIPAA allows covered entities to disclose PHI to business associates if the covered entity obtains satisfactory assurances that the business associate (i) will use the information only for the purpose for which it was engaged by the covered entity, (ii) will safeguard the information from misuse, and (iii) will help the covered entity comply with the covered entity’s duties under the HIPAA Privacy Rule. The DME supplier will need to enter into a Business Associate Agreement (“BAA”) with the offshore subcontractor that clarifies and limits the permissible uses and disclosures of PHI.

Although a business associate is directly liable under the HIPAA rules and is subject to civil and, in some cases, criminal penalties for improper disclosures and uses, and for failing to safeguard PHI under the HIPAA Security Rule, the covered entity (i.e., the DME supplier) is not relieved of its responsibilities. The covered entity is required to conduct a thorough assessment of the potential risk and vulnerabilities of the PHI held by the covered entity. The covered entity is required to implement security measures sufficient to reduce risks and vulnerabilities. Because the offshore subcontractor is located in another country, the Department of Health and Human Services may not have jurisdiction to take enforcement action directly against the subcontractor business associate for a breach. The result may be that the DME supplier’s own HIPAA risk management and risk analysis practices may be scrutinized. Therefore, it is up to the DME supplier to ensure that the offshore business associate has sufficient security, privacy and vendor management practices to meet the HIPAA requirements.

Medicare
Federal law does not prohibit subcontract arrangements with offshore companies. However, there are CMS rules pertaining to reporting offshore subcontractors. CMS requires MA Organizations (“MAOs”) and Part D Prescription Drug Plans (“PDPs”) to (i) submit certain information regarding their offshore subcontractors and (ii) attest that they have taken measures to mitigate risks associated with sharing beneficiary information with such subcontractors. The term “offshore” refers to any country that is not one of the 50 states or U.S. territories.

The CMS requirements are not imputed to individual entities, but to PDPs and MAOs only. However, the DME supplier may have a duty under one or more contracts with these types of entities to report use of an offshore subcontractor. The attestation for each offshore subcontractor includes, in part:

• Offshore subcontractor’s name and functions.
• Description of PHI provided to the offshore subcontractor.
• Offshore subcontracting arrangement safeguards adopted to protect beneficiary information.
• Offshore subcontractor audit requirements.

Attestations are only required for offshore entities that receive, process, transfer, handle, store, or access PHI in oral, written, or electronic form.  Examples of PHI include beneficiary name, birth date, address, social security number, health insurance claim number, patient identifiers, medical diagnosis, medical history, treatment records, type of provider visited, use of health care services, payment information, evidence of insurance coverage, or any information that could reasonably lead to the identification of a beneficiary.

State Medicaid Programs
In 2010, CMS issued guidance to state Medicaid programs prohibiting the programs from paying for products/services to a financial entity located offshore. The guidance prohibits the state Medicaid program from making payments to (i) provider/supplier bank accounts located offshore, (ii) telemedicine companies located offshore and (iii) pharmacies located offshore. On the other hand, the guidance does not prohibit paying an offshore subcontractor for (i) claims adjudication, (ii) call center services for enrollment and (iii) MAP administration.

Four years later, the OIG issued a report to CMS regarding the use of offshore subcontractors. In preparing the report, the OIG (i) issued a questionnaire to all state Medicaid programs regarding the use of offshore subcontractors and (ii) disclosed to CMS the information obtained from the questionnaires. The questionnaire focused on the protections the Medicaid programs had in place to protect PHI when providers/suppliers used offshore subcontractors. To date, only a few state Medicaid programs prohibit the use of offshore subcontractors.

Jeffrey S. Baird, JD, is Chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers, and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].