Arizona Offshoring Requirements Set to Change
Providers and payers contracting with Arizona’s Medicaid agency, the Arizona Health Care Cost Containment System (“AHCCCS”), and all such AHCCCS contractors’ subcontracts must reference and require compliance with the AHCCCS Minimum Subcontract Provisions (“MSPs”). As of October 1, 2024, the offshoring MSP will change, and providers and payers should be prepared to review offshoring practices and downstream contracts to ensure compliance with the updated language.
Federal law generally requires state Medicaid plans to refrain from providing any payments for items or services to any financial institution or entity located outside of the United States. See 42 U.S.C. § 1396a(80). AHCCCS complies with this federal requirement, in part, via offshoring prohibitions contained in its MSPs. MSPs are incorporated by reference into the AHCCCS Provider Participation Agreement and the AHCCCS Medicaid Contracts, including Intergovernmental Agreements.
Through September 30, 2024 (accessible here), AHCCCS contractors’ subcontracts must comply with the following MSP:
18. OFF-SHORE PERFORMANCE OF WORK PROHIBITED
Any services that are described in the specifications or scope of work that directly serve the State of Arizona or its clients and involve access to secure or sensitive data or personal client data shall be performed within the defined territories within the borders of the United States. Unless specifically stated otherwise in specifications, this definition does not apply to indirect or “overhead” services, redundant back-up services or services that are incidental to the performance of the contract. This provision applies to work performed by Subcontractors at all tiers.
However, effective October 1, 2024 (accessible here), AHCCCS contractors’ subcontracts must comply with this updated offshoring MSP:
27. OFF-SHORE PERFORMANCE OF WORK PROHIBITED
Any services that are described in the specifications or scope of work that directly serve the State of Arizona or its clients and involve access to secure or sensitive data or personal client data shall be performed within the defined territories within the borders of the United States. No claims paid by the Contractor to a network provider, out-of-network provider, Subcontractor, or financial institution located outside of the United States are considered in the development of actuarially sound capitation rates [42 CFR 438.602(i)]. The term “data” as it relates specifically to this paragraph: means recorded information, regardless of form or the media on which it may be recorded. The term may include technical data and computer software. The term does not include information incidental to contract administration, such as financial, administrative, cost or pricing, or management information.
The offshoring prohibition contained in the revised AHCCCS MSPs, to be effective October 1, 2024, is more expansive than in prior MSPs. For example, the current MSP carves-out an exception for “indirect or ‘overhead’ services” which are “incidental to the performance of the contract.” However, the upcoming MSP offshoring prohibition carve-out (the October 1, 2024 MSP standard) relates not to services but to information. Therefore, only information “incidental to contract administration, such as financial, administrative, cost or pricing, or management information” is carved-out.
We also note that the examples of incidental information referenced by AHCCCS in the upcoming MSP do not include patient-related information, which raises the potential that AHCCCS may consider any patient-related information to fall outside that which is “incidental to contract administration” and thus subject to the offshoring prohibition (i.e., even if such information was part of what was previously an “indirect or ‘overhead’ service” under the pre-October 1, 2024 MSP standard).
Entities that contract with AHCCCS or AHCCCS clients should review their existing offshoring practices and consider whether the more limited carve-outs require updates to contract terms with downstream vendors. Reliance on offshore vendors is not new to the health care industry, but regulators (including federal and state regulators beyond Arizona) are starting to take note that existing offshoring prohibitions and limitations are not up to date with current technology and industry data sharing practices. Regulatory interest is in line with developing global privacy laws addressing cross-border data transfer, and the health care industry should be prepared to see more regulatory scrutiny on offshoring.
If you have any questions regarding these MSPs or your offshoring practices generally, please reach out to your Quarles’ health care attorney or:
- John Hintz: (414) 277-5620 / john.hintz@quarles.com
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com