Medicaid Outsourcing Patient Data Potential HIPAA Violation

May 1, 2014

Many states subcontract with business associates that outsource administrative functions offshore, creating potential HIPAA violations in data security.

In April, the U.S. Department of Health and Human Services, Office of the Inspector General (HHS-OIG), issued a Memorandum Report addressing which states outsource administrative functions offshore and the potential vulnerabilities in creating, receiving, maintaining, or transmitting protected health information (PHI). (DHHS-OIG, "Memorandum Report: Offshore Outsourcing of Administrative Functions by State Medicaid Agencies," OEI-09-12-00530, Apr. 11, 2014). Here are the statistics:

15 of 56 Medicaid agencies have a state-specific requirement that addresses the offshore outsourcing of administrative functions. The breakdown:

• Four Medicaid agencies prohibit administrative function outsourcing;

• 11 Medicaid agencies allow it;

• No additional state requirements specifically address safeguarding PHI overseas; and

• 41 Medicaid agencies did not outsource and do not have outsourcing requirements.

Of the Medicaid agencies that do outsource, some utilize contractors or subcontractors. "Direct offshore outsourcing occurs when a Medicaid agency contracts with an offshore contractor. Indirect offshore outsourcing occurs when a Medicaid agency's contractor subcontracts to an offshore contractor," according to the HHS report. One related concern is the ability to enforce Business Associate Agreement (BAA) provisions. A 2006 Government Accounting Office report on 45 state Medicaid agencies, while not assessing states' compliance with HIPAA regulations, did indicate that federal contractors and agencies had performed inadequate due diligence to discern whether or not their subcontractors transferred PHI overseas. (GAO, "Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE," GAO-06-676, Sept. 2006).

The OIG emphasized the following in relation to BAAs and HIPAA compliance: "HIPAA requires that BAAs specify the contractor's responsibilities for safeguarding PHI, the circumstances under which PHI may be used and disclosed, and the requirements for reporting PHI violations or breaches." This underscores the importance of compliance and of obtaining adequate assurances from both contractors and subcontractors before executing a BAA.