
Medicare plan sponsors that work with offshore subcontractors to perform Medicare-related work that uses beneficiary protected health information (PHI) are required to provide CMS with specific offshore subcontractor information and complete an attestation regarding protection of beneficiary PHI.

The term “offshore” refers to any country that is not one of the fifty United States or one of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). Examples of countries that meet the definition of “offshore” include Mexico, Canada, India, and the Philippines. Subcontractors that are considered offshore can be either American-owned companies with certain portions of their operations performed outside of the United States or foreign-owned companies with their operations performed outside of the United States. Offshore subcontractors provide services that are performed by workers located in offshore countries, regardless of whether the workers are employees of American or foreign companies.

“Medicare-related work” encompasses what offshore contractors do when they receive, process, transfer, handle, store, or access beneficiary PHI while helping organizations such as Navitus and our pharmacies and vendors fulfill their Medicare Part D contract requirements. Examples of Medicare-related work include claims processing, claims data entry services, scanning, software enhancement and troubleshooting, and any other situation where the offshore subcontractor may have access to beneficiary PHI. (CMS Memo dated August 28, 2008: Offshore Subcontractor Data Module in HPMS)

  • You must ensure that you do not engage in offshore subcontracts for any of Navitus’ Medicare-related work without first having received express consent from the Navitus Chief Compliance Officer. CMS requires Medicare Part D Plan Sponsors to provide attestation to CMS within 30 calendar days after an offshore contract is signed. In the event Navitus approves an offshore subcontract, and to ensure that the required attestations are provided to CMS in a timely manner, Navitus will request the information necessary to complete the Offshore Subcontractor Data Module in HPMS. We require that this information be provided to us within 15 calendar days after an offshore subcontract is signed so we can provide the information to our Plan Sponsors.
  • Verify that any vendor maintains contractual agreements with those entities that include all required Medicare D language and HIPAA privacy and security regulations as the vendor’s Business Associate.
  • Ensure the offshore subcontractor maintains policies and procedures that protect beneficiary PHI.
  • Conduct annual audits of offshore subcontractors and make audit results available upon request from CMS.