Skip to Main Content

Provider Offshore Subcontracting Attestation

Provider Type

  • Physicians (does not apply to Cal MediConnect)
  • Participating Physician Groups (PPG)
    (does not apply to HSP)
  • Hospitals
  • Ancillary

Counties Covered

  • Fresno
  • Kern  
  • Kings
  • Los Angeles
  • Madera
  • Riverside
  • Sacramento
  • San Bernardino
  • San Diego 
  • San Joaquin
  • Stanislaus
  • Tulare

The plan requires notice of any offshore subcontracting relationship, involving members' protected health information (PHI) to ensure that the appropriate steps have been taken to address the risks involved with the use of subcontractors operating outside the United States.

An example of an offshore subcontracting relationship is a physician, laboratory, medical group, or hospital contracting with an entity to process claims, and that entity uses resources that are not located in the United States to process the provider's claims. The provider is responsible to have processes in place that protect members' PHI.

Participating providers who use offshore subcontractors to process, handle or access member PHI in oral, written or electronic form must submit specific subcontracting information to the plan. Providers may not allow any member data to be transferred or stored offshore. Data may be accessed by an offshore entity through an onshore entity that is located in the United States.

The plan requires that participating providers who have entered into an offshore subcontracting relationship submit the following items to the plan within 20 calendar days of entering into a new offshore agreement or when revising an existing offshore agreement.

  • A completed and signed copy of the attestation form (PDF). This attests that the participating provider has taken appropriate steps to address the risks associated with the use of subcontractors operating outside the United States. Each attestation form includes the contact information for providers to return the completed form and materials.
  • Providers contracting with the plan for the Medicare line of business must provide a copy of the agreement between the provider and offshore subcontractor with proprietary information removed. The plan is required to validate that the necessary contractual provisions are included in the agreement.
  • A policy and procedure for ensuring and maintaining the security of members' PHI.
  • A policy and procedure that documents the process used for immediate termination of the offshore subcontractor upon discovery of a significant security breach.
  • A policy and procedure that documents the process used for conducting annual audits, regular monitoring and tracking results, and resolving any identified deficiencies.

Providers must submit this information for each offshore subcontractor they have engaged to perform work, regardless of whether the information was already completed for a different health plan. 

Last Updated: 08/05/2021