AMARILLO, TX – A managed care contract is essentially the same thing as a commercial insurance contract…which is essentially the same thing as a third-party payor (TPP) contract. For the purposes of this article, I will collectively refer to these contracts as “third-party payor contracts” or “TPP contracts.”
While hospitals, physicians, and pharmacies (formerly known as “apothecaries”) have been part of our country since our country’s inception, the DME industry has been in existence since the 1970s. This makes sense because Medicare came into existence in the mid-1960s … Medicare is primarily for the elderly…and DME suppliers primarily serve the elderly. And so beginning in the 1960s, and continuing to date, Medicare has paid for DME provided to Medicare beneficiaries.
Until about 12 years ago, most DME suppliers did not have to deal with TPP contracts. This is because most Medicare beneficiaries were covered by traditional Medicare. Until about 12 years ago, Medicare Advantage (“MA”) and Medicaid Managed Care (“MMC”) had not become a big part of the health care landscape. And so DME suppliers had to master the challenge of (i) obtaining and maintaining Medicare-required documents and (ii) billing and collecting from traditional Medicare.
Over the last 12 years, all of this has changed. MA and MMC were supposed to provide cost savings over traditional Medicare and traditional Medicaid. This has proven to not be the case. In fact, MA and MMC are more expensive to CMS and state Medicaid agencies than traditional Medicare and Medicaid. Nevertheless, TPP contracts, including MA Plans (MAPs) and Medicaid Managed Care Plans (MMCPs), are here to stay…and DME suppliers must learn how to deal with them.
Today, approximately 50% of all Medicare beneficiaries are covered by MAPs and approximately 70% of all Medicaid patients are covered by MMCPs. Today’s DME supplier must not only master the nuances of fulfilling the requirements of traditional Medicare and traditional Medicaid, but the supplier must be able to fulfill the requirements of multiple TPP contracts.
This brings us to the topic of subcontracting. A subcontract arrangement is relatively simple. A DME supplier will enter into a 1099 independent contractor relationship with a person or entity in which the person/entity provides specified services to the supplier. Subcontractors can take many forms: an outside billing company, an outside document retention company, an outside HR…or IT service…etc. And increasingly, DME suppliers are using “offshore” subcontractors (e.g., Manila, Mumbai, Cairo).
The DME supplier needs to be aware that most TPP contracts include one or more provisions addressing the utilization by the supplier of subcontractors. The subcontract provisions are normally generic; they apply to offshore subcontractors and to subcontractors located in the U.S. The subcontract provisions in a TPP contract will say one or more of the following:
- If the supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, the supplier will notify the TPP in advance of the subcontract arrangement.
- If the supplier subcontracts to another entity one or more of the supplier’s obligations under the TPP contract, (i) the supplier will notify the TPP in advance of the subcontract arrangement and (ii) the supplier will obtain the TPP’s consent for the supplier to utilize the subcontractor.
- The supplier is permitted to utilize a subcontractor only for the following specified services: [the contractual provision then specifies the services that can be subcontracted out]
- The supplier may only subcontract out __% or less of its obligations under the TPP contract.
- If the supplier enters into a Subcontract Agreement, such agreement must obligate the subcontractor to comply with the TPP’s policies and procedures.
- If the supplier utilizes a subcontractor located outside the United States, (i) the supplier and subcontractor must enter into a HIPAA-compliant Business Associate Agreement and (ii) the subcontractor must maintain protected health information (“PHI”) the same way that the supplier maintains PHI.
It is important that the DME supplier (i) understands what each TPP contract says regarding subcontracting and (ii) complies with the requirements of the TPP contract. Virtually all TPP contracts allow the TPP to terminate the TPP contract without cause upon “x” days prior written notice. If the supplier inadvertently fails to comply with the subcontract provisions in the TPP contract, such noncompliance may give the TPP an excuse to terminate the TPP contract.
Separate and apart from the above notice requirements, there are legal guidelines the supplier needs to be aware of when it uses offshore subcontractors. Set out below is a synopsis of such requirements.
Medicare
Federal law does not prohibit subcontract arrangements with offshore companies. However, there are CMS rules around reporting offshore subcontractors. CMS requires Medicare Advantage Organizations (“MAOs”) and Part D Prescription Drug Plans (“PDPs”) to (i) submit certain information regarding their offshore subcontractors and (ii) attest that they have taken measures to mitigate risks associated with sharing beneficiary information with such subcontractors. The term “subcontractor” refers to any entity that an organization or sponsor contracts with to fulfill or help fulfill requirements in its Part C and/or Part D contracts. Subcontractors include all first tier, downstream, and/or related entities. The term “offshore” refers to any country that is not one of the 50 states or U.S. territories. CMS clarifies that offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.
The CMS requirements are not imputed to individual entities, but to PDPs and MAOs only. However, the DME supplier may have a duty under one or more contracts with these types of entities to report use of an offshore subcontractor. The attestation for each offshore subcontractor includes, in part:
- Offshore subcontractor’s name and functions.
- Description of protected health information (“PHI”) provided to the offshore subcontractor.
- Offshore subcontracting arrangement safeguards adopted to protect beneficiary information.
- Offshore subcontractor audit requirements.
Attestations are only required for offshore entities that receive, process, transfer, handle, store, or access PHI in oral, written, or electronic form. Examples of PHI include beneficiary name, birth date, address, social security number, health insurance claim number, patient identifiers, medical diagnosis, medical history, treatment records, type of provider visited, use of health care services, payment information, evidence of insurance coverage, or any information that could reasonably lead to the identification of a beneficiary. CMS also requires offshore subcontract attestations whenever there is a change in the functions that a current offshore subcontractor performs.
State Medicaid Programs
In 2010, CMS issued guidance to state Medicaid programs prohibiting the programs from paying for products/services to a financial entity located offshore. The guidance prohibits the state Medicaid program from making payments to (i) provider/supplier bank accounts located offshore, (ii) telemedicine companies located offshore and (iii) pharmacies located offshore. On the other hand, the guidance does not prohibit paying an offshore subcontractor for (i) claims adjudication, (ii) call center services for enrollment and (iii) MAP administration.
Four years later, the OIG issued a report to CMS regarding the use of offshore subcontractors. In preparing the report, the OIG (i) issued a questionnaire to all state Medicaid programs regarding the use of offshore subcontractors and (ii) disclosed to CMS the information obtained from the questionnaires. The questionnaire focused on the protections the Medicaid programs had in place to protect PHI when providers/suppliers used offshore subcontractors. To date, four state Medicaid programs (Wisconsin, Alaska, Ohio and Arizona) prohibit the use of offshore subcontractors.
HIPAA
HIPAA allows covered entities to disclose PHI to business associates if the covered entity obtains satisfactory assurances that the business associate (i) will use the information only for the purpose for which it was engaged by the covered entity, (ii) will safeguard the information from misuse, and (iii) will help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule. The DME supplier will need to enter into a Business Associate Agreement (“BAA”) with the offshore contractor that clarifies and limits, as appropriate, the permissible uses and disclosures of PHI, based on the relationship between the parties and the activities or services being performed by the offshore subcontractor.
Although a business associate is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for improper disclosures and uses, and for failing to safeguard PHI under the HIPAA Security Rule, the covered entity (i.e., the DME supplier) is not relieved of its responsibilities. The covered entity is required to conduct an accurate and thorough assessment of the potential risk and vulnerabilities of the PHI held by the covered entity.
The covered entity is required to implement security measures sufficient to reduce risks and vulnerabilities. Because the offshore subcontractor is located in another country, the Department of Health and Human Services (“DHHS”) may not have jurisdiction to take enforcement action directly against the subcontractor business associate for a breach. The result may be that the DME supplier’s own HIPAA risk management and risk analysis practices may be scrutinized. Therefore, it is up to the DME supplier to ensure that the offshore business associate has sufficient security, privacy and vendor management practices to meet the HIPAA requirements.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].