
Medicaid Outsourcing Patient Data Potential HIPAA Violation


Many states subcontract with business associates that outsource administrative functions offshore, creating potential HIPAA violations in data security.

In April, the U.S. Department of Health and Human Services, Office of the Inspector General (HHS-OIG), issued a Memorandum Report addressing which states outsource administrative functions offshore and the potential vulnerabilities in creating, receiving, maintaining, or transmitting protected health information (PHI). (DHHS-OIG, "Memorandum Report: Offshore Outsourcing of Administrative Functions by State Medicaid Agencies," OEI-09-12-00530, Apr. 11, 2014). Here are the statistics:

15 of 56 Medicaid agencies have a state-specific requirement that addresses the offshore outsourcing of administrative functions. Among them:

• Four Medicaid agencies prohibit administrative function outsourcing;

• 11 Medicaid agencies allow it;

• No additional state requirements specifically address safeguarding PHI overseas; and

• 41 Medicaid agencies did not outsource and do not have outsourcing requirements.

Of the Medicaid agencies that do outsource, some utilize contractors or subcontractors. "Direct offshore outsourcing occurs when a Medicaid agency contracts with an offshore contractor. Indirect offshore outsourcing occurs when a Medicaid agency's contractor subcontracts to an offshore contractor," according to the HHS report. One related concern is the ability to enforce Business Associate Agreement (BAA) provisions. A 2006 Government Accounting Office report on 45 state Medicaid agencies, while not assessing states' compliance with HIPAA regulations, did indicate that inadequate due diligence had been performed by federal contractors and agencies to discern whether or not their subcontractors transferred PHI overseas. (GAO, "Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE," GAO-06-676, Sept. 2006).

The OIG emphasized the following in relation to BAAs and HIPAA compliance: "HIPAA requires that BAAs specify the contractor's responsibilities for safeguarding PHI, the circumstances under which PHI may be used and disclosed, and the requirements for reporting PHI violations or breaches." This underscores the importance of compliance and of obtaining adequate assurances from both contractors and subcontractors before executing a BAA.

© 2024 MJH Life Sciences