Lisa Hart, MPA, RHIA | HIM Briefings | March 15, 2017

When it comes to using offshore resources, there are several important compliance requirements HIM professionals need to know. These requirements were created by the Centers for Medicare & Medicaid Services (CMS) a decade ago and apply to the use of offshore contractors for all Medicaid, Medicare, and TRICARE patients.

The primary concern with the 2006 CMS requirements is that the original language created industry confusion, erroneously indicating the requirements pertained only to Medicare Advantage (MA) plans (Part C) and Medicare drug plans (Part D), when they actually apply to all CMS programs. This article clarifies the CMS requirements for HIM professionals using offshore vendors for coding, transcription, and other HIM services for their Medicaid, Medicare, and TRICARE encounters.


In September 2006, the U.S. Government Accountability Office (GAO) published a Report to Congressional Committees: PRIVACY—Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE. The report highlights that 90% of Medicare and Medicaid contractors and 63% of TRICARE contractors used offshore vendors, which raised concerns regarding the privacy of protected health information (PHI). This was especially worrisome since 47% of MA contractors, 44% of Medicaid agencies, 42% of Medicare FFS contractors, and 38% of TRICARE contractors reported privacy breaches in the two years prior to the GAO report.

A recent infographic published in Modern Healthcare also shows the increase in data/privacy breaches since 2005. It is obvious that as PHI has shifted from paper to electronic records and portals, the number of data breaches has also increased exponentially.

The report makes the recommendation that anyone who contracts or subcontracts with a Medicare, Medicaid, or TRICARE plan must ensure PHI is protected. Subsequent to the report, CMS implemented a two-step attestation process that requires MA health plans to annually attest to any subcontractor’s use of offshore providers. If an MA plan or its subcontractors use offshore contractors, CMS requires the MA plan to provide information about the offshore contractor and attest that safeguards are in place to protect PHI.

To accomplish this, MA plans now require the following annual attestation of providers with whom they contract:

  • Sign an attestation so the plan can accurately report to CMS the use of offshore contractors
  • Provide notice to CMS—30 days prior to beginning the contractual relationship—that offshore contractors will be used through the contracted MA plan, providing CMS an opportunity to review and raise an objection if warranted

For example, if a hospital wants to use a coding or billing company with personnel located in India, it must submit the initial notification, receive no objections from CMS, and then annually attest that protections are in place with the offshore vendor. For HIM professionals, this applies to outsourced coding, transcription, release of information, and other HIM services that include any type of PHI.

The following six states took it a step further, prohibiting Medicaid members from sending any PHI offshore:

  • Arizona
  • Ohio
  • Missouri
  • Arkansas
  • Wisconsin
  • New Jersey


As mentioned above, the language of the guidance provided by CMS implies that the requirements apply only to health plans offering MA or drug plans. However, the definition of “entities” below indicates that the 2006 rules apply to the majority of healthcare covered entities (CEs) in professional and/or business relationships with health plans. As you navigate the finer details of your offshore vendor contracts, there are three important terms to know.

First tier means any party that enters into a written arrangement with the health plan to provide administrative services or healthcare services for a member. Does the hospital, physician practice, clinic, or other provider contract with an MA plan or Arizona Health Care Cost Containment System (AHCCCS)? If the answer is yes, then it applies to your organization. If your organization sends any beneficiary’s PHI offshore, then you need to submit an attestation. If you send any AHCCCS information offshore, stop and call your legal counsel.

Downstream means any party that enters into a written arrangement with the health plan below the level of the arrangement between the health plan and a first-tier entity. These written arrangements continue down to the level of provider of both health and administrative services—such as mail-order pharmacies, firms providing agent/broker services, agents, brokers, marketing firms, and call-center firms.

Related entities may fall into one of the following categories: 1) performs some of the health plan’s management functions under contract or delegation; 2) furnishes services to members under an oral or written agreement; or 3) leases property or sells materials to the health plan at a cost of more than $2,500 during a contract period.


If your organization has its own Medicare Advantage Organization (MAO) or drug plan, either can serve as a good resource to guide you through the attestation process. Here are five steps to take with your outsourced HIM services vendors:

  • Discuss any offshore contracts with your legal counsel and the vendor prior to signing
  • Insert language to indicate that onshore vendors will not subcontract with offshore vendors without your written authorization of such a change in the arrangement
  • Make sure your vendors are aware of this rule and take precautions to safeguard PHI
  • Obtain cybersecurity insurance that includes coverage for potential breaches of offshore data
  • Identify any type of clinical service that may be provided offshore and consult your legal counsel to determine if that service would also need to be identified in the Medicare attestation

Protecting PHI is everyone’s responsibility. By taking a deeper dive into offshore vendor contracts, policies, and practices, HIM professionals do their part in reducing PHI breaches in healthcare.


  1. CMS Center for Beneficiary Choices HPMS memos 07/23/2007, 09/20/2007, and 08/26/2008.
  2. Government Accountability Office (GAO). (2006). Privacy: Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE. GAO-06-676, September 2006.
  3. AHCCCS Contract, Section E, Paragraph 33, Off-Shore Performance of Work Prohibited.

Editor’s note: Hart has been in the Health Information Management (HIM) field for 30 years and has a wealth of knowledge and experience in leading HIM departments, managing HIM services for clients, revenue cycle consulting, and managed care. In the past 15 years she has successfully led coding operations and education for both facility and professional coding at several acute care and academic facilities such as the Cleveland Clinic Health System and Banner Health. She has also been actively involved with AHIMA at the state level, most recently serving as a second-year delegate on the Arizona Health Information Management Association Board.