It found that 11 agencies allow outsourced administrative functions offshore while four agencies have specific bans against it. The remaining 41 Medicaid agencies have no rules against offshore outsourcing, but also do not send any work to other countries. Among the 11 agencies that allow outsourcing, seven are planning to not allow personal health information offshore, the report noted.
States that allow offshoring include Florida, Massachusetts, Mississippi, Missouri, Montana, New Jersey, New Mexico, North Dakota, Rhode Island, Pennsylvania and Tennessee. All claim that they have Business Associate Agreements (BAAs) with contractors, as required by the Health Insurance Portability and Accountability Act, to ensure patient information is secure.
But Medicaid agencies that send patient health records offshore “may have limited means of enforcing provisions of BAAs that are intended to safeguard (protected health information),” the OIG said. “Other countries may have limited, or no privacy protections.”
There are no federal regulations that prohibit the offshoring of Medicaid administrative functions, although the Medicare program requires agencies to get written government approval before work is sent offshore. In 2010, the CMS issued a notice allowing payments for administrative functions provided by offshore providers.
The OIG report contained no formal recommendations. A CMS spokeswoman did not immediately respond to a request for comment.
There are limited instances in which patient data sent overseas has been violated. In 2009, one such case received international attention after it was discovered that the confidential medical records of patients treated at one of Britain's largest hospitals were being illegally sold by two men who claimed to have gained access to the information from information technology companies in India, where thousands of British medical records are sent each year to be digitized.
Follow Virgil Dickson on Twitter: @MHvdickson