With technology rapidly evolving and jurisdictions appearing blurred, it is increasingly important to be mindful of data flow and use. This is particularly true where patient data is being accessed by offshore subcontractors.

Simply put, offshoring occurs where a party contracts for services to be rendered, in whole or in part, by another party located outside of the United States and its territories. Within the healthcare industry, offshore contractors are commonly used for claims processing, call center staffing, and technical support, as offshoring contractors generally provide cost savings. These activities inherently involve mass amounts of patient data.

As healthcare businesses contract with third parties to provide support services, software, and other offerings, particularly where offshore resources will be utilized, it is vital that the parties carefully navigate the interplay of laws, regulations, and guidance, which are complex and often inconsistent, to ensure compliance. This Blog provides a high level summary of some material considerations applicable to offshoring activities.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations are ordinarily at the forefront of most conversations about the privacy and security of patient data. Interestingly, however, HIPAA does not explicitly prohibit offshoring of patient data. HIPAA does, however, require that regulated entities implement reasonable and appropriate administrative, physical, and technical safeguards to ensure the privacy and security of protected health information,[1] that business associate agreements are executed where appropriate,[2] among a number of other compliance measures. As a result, regulated parties must take steps to ensure compliance with HIPAA, particularly when using offshore resources which may present unique privacy and security considerations. Further, offshore companies may not be versed in HIPAA or have a HIPAA compliant infrastructure in place. HIPAA specifically prohibits a covered entity from engaging with a business associate or subcontractor that it knows is not in compliance with HIPAA.[3]

Medicare Authorities

On July 23, 2007, the Centers for Medicare and Medicaid Services (“CMS”) issued guidance (the “Medicare Guidance”) to Medicare Advantage Organizations and Prescription Drug Plan Sponsors specifically addressing activities performed offshore. In particular, the Medicare Guidance noted that offshoring presents “unique risks” and encouraged Medicare Advantage Organizations and Prescription Drug Plan Sponsors to take “extraordinary measures” to ensure that offshore relationships appropriately safeguard patient data. In particular, the Medicare Guidance provides that:

CMS is asking all organizations using offshore subcontractors to submit specific subcontract information and an attestation that they have taken appropriate steps to address the risks associated with the use of subcontractors operating outside the U.S. Organizations must submit one attestation for each offshore subcontractor they have engaged to perform Medicare-related work.

The attestation generally must address: (1) the identity and function of the offshore subcontractor; (2) a description of any protected health information that will be accessible by the offshore subcontractor; and (3) the safeguards adopted by the offshore subcontractor to safeguard protected health information. In addition to the attestation, the regulated parties must take steps to audit the offshore subcontractor.[4]

It is important to note that the foregoing Medicare Guidance does not prohibit offshoring of patient data, but rather imposes a number of hurdles which are intended to ensure that appropriate measures are in place to safeguard the privacy and security of protected health information.

Medicaid Authorities

From a federal perspective, Section 6505 of the Affordable Care Act (the “ACA”) amended Section 1902(a) of the Social Security Act to prohibit states from making payments for items or services provided under a State Plan (or a corresponding waiver) to a financial institution or entity located outside of the United States. CMS issued guidance (the “Medicaid Guidance”) in December of 2010 which clarified that “[t]asks that support the administration of the Medicaid State plan that may require payments to financial institutions or entities located outside of the United States are not prohibited under this statute.” In addition, the Medicaid Guidance further clarifies that “payments for outsourcing information processing related to plan administration or outsourcing call centers related to enrollment or claims adjudication are not prohibited under this statute.”

In light of the foregoing, although Medicaid agencies cannot pay for healthcare benefits or services to any entity located outside of the United States or furnished by offshore providers, payments for administrative functions performed by offshore subcontractors are permitted. The latter would include services which involve access to and use of patient data.

Building on the foundation established by federal law, it is important to consider state laws and regulations specific to Medicaid, as offshoring limitations vary across jurisdictions and are often addressed in frequently-revised manuals. For example, Texas authorities prohibit Managed Care Organizations (“MCOs”) and their subcontractors from allowing Confidential Information they “receive from or on behalf of HHSC to be moved outside of the United States by any means (physical or electronic) at any time, for any period of time, for any reason.”[5] In addition, MCOs and their subcontractors are prohibited from permitting “any person to have remote access to HHSC information, systems, or Deliverables from a location outside of the United States.”[6]

It is important to examine Medicaid-specific authorities adopted by the pertinent states to determine whether they impose independent limitations or requirements on use of offshore resources.

State Authorities

Beyond Medicaid-specific laws, regulations, and guidance, a number of states have taken steps to limit or otherwise outright prohibit offshoring of patient data. For example, the Florida Legislature amended the Florida Electronic Health Records Exchange Act (the “Act”) in May of 2023 to prohibit certain health care providers utilizing certified electronic health record technologies from storing qualified electronic health records[7] outside of the United States, its territories, or Canada.[8] Significantly, the prohibition also extends to qualified electronic health records that are stored through a third-party or subcontracted computing facility or cloud service provider.[9] In effect, qualifying health care providers may not themselves store qualified electronic health records offshore, nor can they rely on third-party vendors who operate offshore to store such records. This concept becomes a concern where a third party contractor outside of the United States, its territories, or Canada, such as an IT support vendor, electronic health records platform, or data entry subcontractor, is able to access qualified electronic health records that are otherwise stored on servers within the United States and uses that access to create or store copies in violation of the Act.

Similarly, some Governors have issued executive orders prohibiting offshoring of certain activities which are paid for by state agencies. For example, Executive Order 2011-12 and Executive Order 2019-12D in Ohio prohibits state agencies from entering into any contract which use any funds within such agency’s control to purchase services outside of the United States. The Executive Order specifically provides that it applies “to all purchases of services made directly by an Executive Agency and services provided by subcontractors of those providing services purchased by an Executive Agency.” The foregoing are particularly noteworthy as they are do not specifically target the healthcare industry or patient data.

It is critical to examine state authorities to determine whether they impose independent limitations or requirements on use of offshore resources.

Contractual Authorities

Contracts with payors, Medicare Advantage Organizations, state Medicaid agencies, and a broad array of other parties may also incorporate restrictions or requirements associated with offshoring. This is significant as contracts may limit or prohibit offshoring even where federal or state laws and regulations would not prohibit it. As a result, it is a best practice that healthcare organizations review their agreements to assess whether there are any specific contractual requirements or limitations associated with offshoring. These issues often come up in due diligence as well. Therefore, prospective buyers and sellers should be mindful of these matters. Finally, it is important to keep offshoring top of mind when negotiating a contract, as the issue is more commonly addressed in contracts as offshoring activities continue to rise.

FOOTNOTES

[1] 45 C.F.R. § 164.306.

[2] 45 C.F.R. § 164.504(e).

[3] 45 C.F.R. § 164.504(e)(1)(ii).

[4] Guidance subsequently issued by CMS on September 20, 2007, clarifies that the attestation requirement only applies where the offshore subcontractors “receive, process, transfer, handle, store, or access beneficiary protected health information (PHI) in oral, written, or electronic form.” Sponsor Activities Performed Outside of the United States (Offshore Subcontracting) Questions & Answers, September 20, 2007.

[5] Uniform Managed Care Terms & Conditions, Texas Health & Human Services Commission, Attachment A, Section 4.11(c)(1).

[6] Id. at Section 4.11(c)(2).

[7] Fla. Stat. § 408.051(3). For purposes of the Act, a “qualified electronic health record” includes “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.” Fla. Stat. § 408.051(2)(i).

[8] Fla. Stat. § 408.051(3).

[9] Id.