There is a renewed focus on the 2007 requirement for offshore outsource reporting  due to significant concern for potential vulnerability of PHI  (See Table 5). The 2014 OIG memorandum to CMS and the OCR describes the study conducted on state Medicaid agencies to assess the outsourcing of administrative functions directly and indirectly.   Outsourcing can be domestic or offshore. Offshore is defined as a location in any country that is not one of the 50 states or US territories whether or not the entity is American or foreign- owned.

There are no Federal regulations prohibiting offshore outsourcing of Medicaid administrative functions, such as:

• enrolling eligible individuals,
• determining what benefits the Medicaid agency will cover
• determining how much the Medicaid agency will pay for covered benefits and from whom it will purchase services (i.e., fee-for-service and managed care plans)
• having a system for processing claims from fee-for-service providers and making capitation payments to managed care plans
• monitoring the quality of the services that the Medicaid agency purchases
• ensuring that State and Federal health care funds are not spent improperly or fraudulently
• collecting program information and reporting it to CMS
• resolving grievances from applicants, beneficiaries, providers, and health plans.For Medicare contractors and subcontractors, CMS requires that written approval be obtained before performing any offshore functions.    Several state Medicaid agencies prohibit or limit offshore outsourcing (ex. Missouri, New Jersey, Montana, New Mexico).

Adequate safeguarding of PHI from onshore vulnerability is a significant challenge but there is even more concern for protection when sending PHI offshore. Unfortunately, the standards of privacy protections in other countries may not be equivalent to those in the US. The enforcement of Business Associate Agreements under HIPAA may be very limited offshore.

All First Tier, Downstream and Related Entities (FDRs) are required to be compliant with the Medicare Offshore Subcontracting Attestation. The attestation must be submitted within 20-30 days of a contract signing or if any change occurs in a contract and must contain all of supporting documentation, Business Associate Agreements and policies/procedures.

If you would answer yes to any of the following questions then you need to submit an attestation.

• Does the vendor/entity have access to Protected Health Information (PHI) or Individually Identifiable Information on Medicare beneficiaries in any form?
• Does the vendor/entity fall under Part C or Part D Medicare-related work?
• Does the vendor/entity intend to use offshore employees to complete the contract requirements?