Secretary of State home | State Archives home

800 Summer St NE Salem OR 97310
503 373 0701 | Mon-Fri: 8am-4:45pm

Oregon State Archives

Oregon Bulletin

October 1, 2011

Oregon Health Authority
Chapter 943

Rule Caption: Authority Employees, Volunteers and Contractors Background Checks and Contesting Fitness Determinations

Adm. Order No.: OHA 17-2011(Temp)

Filed with Sec. of State: 8-30-2011

Certified to be Effective: 9-1-11 thru 12-27-11

Notice Publication Date:

Rules Amended: 943-007-0000

Rules Suspended: 943-007-0000(T)

Subject: HB 2009 (2009) created the Oregon Health Authority and transferred to the Authority the Department of Human Services’ (Department) Divisions with respect to health and health care. Effective July 1, 2011 the Authority adopted and incorporate by reference the Department’s rules chapter 407-007-000 to 0075; 407-007-0090 to 0100; 407-0200 to 0325; and 407-007-0340 to 0370 for matters that involve employees, volunteers, providers or contractors of the Authority are subject to background checks before the individual may work, volunteer be employed, hold the position, or provide services.

HB 2100(2011) was signed by the Governor on August 5, 2011, with an emergency clause. HB 2100 allows the Authority to use reports of abuse or neglect when conducting background checks on individuals who are employed, seek employment, volunteer, or seek to be a volunteer, provide care, or seek to be a care provider on behalf of the Authority for clients of the Authority.

This rule is being amended to adopt and incorporate by reference the Department of Human Services’ Background Check Unit rules chapter 407-007-0400 to 0460 for matters that involve abuse and neglect checks for employees, volunteers, providers or contractors of the Authority who are subject to background checks before the individual may work, volunteer be employed, hold the position, or provide services.

The Authority needs to amend OAR 943-007-0000 which allows the Authority to use reports of abuse and neglect when conducting background checks on subject individuals.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-007-0000

Criminal History Checks

Employees, volunteers, providers and contractors for the Oregon Health Authority (Authority) are subject to background checks and screening to determine if they have a history of criminal behavior such that they should not be allowed to work, volunteer, be employed, or otherwise perform in positions covered by these rules.

(1) The Authority adopts and incorporates by reference the rules established in: OAR 407-007-0000 to 0075 and 407-007-0090 to 0100 (Employees, Volunteers and Contractors); for those matters that involve employees, volunteers, or contractors of the Authority, except as otherwise provided in this rule.

(2) The Authority adopts and incorporates by reference the rules established in: OAR 407-007-0200 to 0325; and 407-007-0335 to 0370 (Providers) for those matters that involve any entity or agency licensed, certified, registered, or otherwise regulated by the Authority, except as otherwise provided in this rule.

(3) The Authority adopts and incorporates by reference the rules established in OAR 407-007-0400 to 0460 for those matters that involve abuse checks for Authority employees, volunteers, and applicants for employment or volunteer positions, except as otherwise provided in this rule.

(4) Any reference to any rule from OAR 407-007-0000 to 407-007-0100 in rules or contracts of the Authority are deemed to be references to the requirements of this rule, and shall be construed to apply to employees, volunteers, providers, or contractors of the Authority.

(5) References in OAR 407-007-0000 to 407-007-00400 to the Department of Human Services (Department) or to the Oregon Health Authority shall be construed to be references to either or both agencies.

(6) The Authority authorizes the Department to act on its behalf in carrying out background checks and screening associated with the administration of programs or activities administered by the Authority.

(7) Appeals shall be conducted by the Authority pursuant to OAR 943-007-0500.

Stat. Auth.: ORS 181.534, 181.537, 413.042

Stats. Implemented: ORS 181.534, 181.537, 183.341

Hist.: OHA 6-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 17-2011(Temp), f. 8-30-11, cert. ef. 9-1-11 thru 12-27-11

Rule Caption: Establishment of process for restricting an individual’s access to Authority premises, employees, and visitors

Adm. Order No.: OHA 18-2011

Filed with Sec. of State: 8-30-2011

Certified to be Effective: 9-1-11

Notice Publication Date: 8-1-2011

Rules Adopted: 943-012-0005, 943-012-0010, 943-012-0015, 943-012-0020, 943-012-0025

Subject: Allows the Authority to protect Authority employees, visitors, and its premises from threats or acts of violence. Defines prohibited conduct and establishes criteria for restricting an individual’s access to Authority employees, visitors, and its premises when an individual has engaged in prohibited conduct.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-012-0005

Definitions

The following definitions apply to OAR 943-012-0005 through 943-012-0025:

(1) “Authority” means the Oregon Health Authority.

(2) “Division” means every individual organizational unit within the Authority.

(3) “Employee” means individuals acting in the course and scope of their duties who are on the State of Oregon payroll, contract employees, employees of temporary service agencies, and volunteers. It also includes employees of other government or social service agencies who, at the time they are accompanying an Authority employee on Authority business, are the target of conduct described in OAR 943-012-0010.

(4) “Premises” means any land, building, facility, and other property owned, leased, or in the possession of, and used or controlled by the Authority. When the Authority occupies space in a building occupied by multiple tenants, the definition includes the common areas of the building used by all tenants such as, but not limited to, restrooms, hallways, and food service areas.

(5) “Restriction of Access” means the Authority has limited an individual’s access to specific Authority premises, employees, or methods of communication.

(6) “Weapon” includes, but is not limited to:

(a) A dangerous or deadly weapon as defined in ORS 161.015;

(b) Any other object or substance used in a manner that compromises the safety of Authority employees or visitors on Authority premises;

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 18-2011, f. 8-30-11, cert. ef. 9-1-11

943-012-0010

Prohibited Conduct

(1) Conduct that may result in restriction of access includes, but is not limited to the following:

(a) Causing or threatening to cause physical injury to Authority employees or visitors;

(b) Engaging in actions which compromise the safety or health of Authority employees or visitors;

(c) Causing or threatening to cause harm to the family or property of an employee or visitors through written, electronic, or verbal communication;

(d) Causing or threatening to cause damage to Authority premises;

(e) Bringing a deadly or dangerous weapon onto the Authority’s premises, unless authorized by ORS chapter 166 to carry a handgun;

(f) Displaying, attempting, or threatening to use any weapon, on or off Authority premises, that compromises the safety of Authority employees or visitors;

(g) Engaging in harassing conduct as defined in ORS 166.065.

(h) Engaging in telephonic harassment as defined in ORS 166.090.

(2) The conduct listed in section (1) is also prohibited if it occurs during employees’ off-work hours and off Authority premises and the prohibited conduct is related to the employee’s work with the Authority.

(3) Prior to issuing a restriction of access notice, the Authority shall make an individualized assessment as to whether the conduct listed in section (1) of this rule is a result of a disability of which the Authority has knowledge and whether the conduct is a “direct threat” to others as described in OAR 943-005-0000 through 943-005-0030. If the Authority determines the disabled individual’s conduct is not a direct threat, the Authority shall explore the possibility of a reasonable accommodation to mitigate the safety risk.

(4) The prohibitions on conduct in this rule do not apply to individuals who are residents of an Authority-operated residential facility.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 18-2011, f. 8-30-11, cert. ef. 9-1-11

943-012-0015

Continuation of Eligible Services

(1) An individual whose access has been restricted by the Authority shall continue to be provided services for which the individual meets program eligibility requirements by an alternate and effective method of communication as determined by the Authority.

(2) Alternate methods may include telephone, electronic mail, written communication, meeting at a designated secure site, or through the individual’s representative.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 18-2011, f. 8-30-11, cert. ef. 9-1-11

943-012-0020

Notification

(1) If the Authority determines that it is necessary to restrict access or the methods of communication because of prohibited conduct, the individual will be provided written notification, signed by the assistant director or deputy assistant director of the affected division, and sent by certified mail or other traceable means. The notice shall describe the following:

(a) Conduct giving rise to the restrictions;

(b) The specific premises or parts of premises from which the individual is excluded; or the forms of communication which are restricted;

(d) Contact information for services or appointment scheduling;

(e) The availability of the review process, including notification that individuals with disabilities are entitled to request modification;

(f) The potential criminal consequences for violating the notice of restriction of access; and

(g) The law enforcement agency being notified.

(2) The notice shall be effective upon issuance.

(3) Restrictions on access to Authority premises or methods of communication shall remain in place until the Authority determines the individual no longer poses a threat and issues an official notification of removal.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 18-2011, f. 8-30-11, cert. ef. 9-1-11

943-012-0025

Authority Review

(1) The Authority shall establish an internal review process to ensure that a notice of restriction of access is warranted prior to issuing a written notice of restriction of access.

(2) Following the Authority’s issuance of a notice of restriction of access, the recipient of the notice may request review of the Authority’s determination. The request must be submitted to the office of the Director of the Authority. The request must be in writing and submitted, by mail or personal delivery, within 15 business days of the date of issuance of the notice of restriction of access. If the request is submitted by mail, it must be postmarked within 15 business days. No particular format is required for the request for review; however, the individual should include specific grounds for requesting the review.

(3) Upon receipt of a request for review, the Director or an assistant director shall review the request and issue a written decision. The review may include an informal conference. The decision shall be issued within ten days of receipt of the request for review.

(4) The Authority’s decision is final.

(5) If the Authority’s decision rules in favor of the individual, the restricted individual’s access restriction shall be immediately lifted. If the decision is unfavorable to the restricted individual, the restricted individual may seek further review after six months have lapsed since the date of issuance by following the process described in this rule.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 18-2011, f. 8-30-11, cert. ef. 9-1-11

Rule Caption: Establish policy of non-discrimination against individuals with disabilities

Adm. Order No.: OHA 19-2011

Filed with Sec. of State: 8-30-2011

Certified to be Effective: 9-1-11

Notice Publication Date: 8-1-2011

Rules Adopted: 943-005-0000, 943-005-0005, 943-005-0010, 943-005-0015, 943-005-0020, 943-005-0025, 943-005-0030

Rules Repealed: 943-005-0000(T), 943-005-0005(T), 943-005-0010(T), 943-005-0015(T), 943-005-0020(T), 943-005-0025(T), 943-005-0030(T)

Subject: These rules establish the Authority policy of non-discrimination on the basis of disability in accordance with the Americans with Disabilities Act of 1990 (ADA) and Section 504 of the Rehabilitation Act of 1973. The rules establish Authority policy for communication and accessibility for clients, client applicants and the public. The intent and content of the rules is to mirror existing Federal civil rights laws and to strengthen the Authority practice of these laws.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-005-0000

Purpose

These rules (OAR 943-005-0000 through 943-005-0030) establish an Oregon Health Authority policy of non-discrimination on the basis of disability in accordance with the Americans with Disabilities Act of 1990 (ADA) and Section 504 of the Rehabilitation Act of 1973.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

943-005-0005

Definitions

The following definitions apply to OAR 943-005-0000 through 943-005-0030:

(1) “Alternate Format Communication” means printed material converted to a communication style that meets the accessibility needs of individuals with disabilities to achieve “effective communication.” The types of alternate format that the Oregon Health Authority offers include but are not limited to: large print, Braille, audiotape, electronic format (E-mail attachment, diskette, or CD-ROM) and oral presentation.

(2) “Americans with Disabilities Act” is a comprehensive federal law passed in 1990, which prohibits discrimination on the basis of disability in employment, programs and services provided by state and local governments; goods and services provided by private companies; commercial facilities; telecommunications and transportation. The ADA was crafted upon a body of existing legislation, particularly the Rehabilitation Act of 1973 (Section 504), which states that no recipient of federal financial assistance may discriminate against qualified individuals with disabilities solely because of a disability. (Public Law 101-336)

(3) “An Individual with a Disability” means an individual who:

(a) Has a physical or mental impairment that substantially limits one or more major life activities; or

(b) Has a record or history of such an impairment; or

(4) “Authority” means the Oregon Health Authority.

(5) “Auxiliary Aids or Services” mean devices or services that meet the accessibility needs of individuals with hearing, cognitive or speech impairments to achieve “effective communication.” The types of auxiliary aids and services that the Authority offers include but are not limited to: qualified sign language interpreters, text telephone (TTYs), oral presentation, note takers and communication through computer keyboarding.

(6) “Direct threat” means a significant risk to the health or safety of others that cannot be eliminated or reduced to an accepted level through the provision of auxiliary aids and services or through reasonably modifying policies, practices or procedures, that person is not considered a qualified individual with a disability and may be excluded from Authority programs services or activities.

(7) “Federal Discrimination Complaint” means a complaint by a client, client applicant or specific class of individuals or their representative filed with a federal agency alleging an act of discrimination by a public entity.

(8) “Qualified Individual with a Disability” means an individual who can meet the essential eligibility requirements for the program, service or activity with or without reasonable modification of rules, policies or procedures, or the provision of auxiliary aids and services.

(9) “Reasonable Modifications” means a modification of policies, practices or procedures made to a program or service that allows an individual with a disability to participate equally in the program or benefit from the service.

(10) “Report of Discrimination” means a report filed with the Authority by a client, client applicant or specific class of individuals or their representative alleging an act of discrimination by the Authority or an Authority contractor, their agents or subcontractors, or a governmental entity under intergovernmental agreement with the Authority, regarding delivery of Authority services, programs or activities that are subject to Title II of the ADA or Section 504 of the Rehabilitation Act.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

943-005-0010

Non-discrimination

(1) No qualified individual with a disability shall, on the basis of disability, be discriminated against, be excluded from participation in, or be denied the benefits of the services, programs or activities of the Authority. In providing any benefit or service, the Authority may not, directly or through contractual or other arrangements, on the basis of a disability deny a qualified individual the opportunity to participate in a service, program or activity or to receive the benefit or services offered. The Authority may not discriminate against a qualified individual with a disability, on the basis of disability in the granting of licenses and certificates.

(2) The Authority shall provide services, programs and activities in the most integrated setting appropriate to the needs of qualified individuals with disabilities within the context of the program being administered. For purposes of this section, “Integrated Setting” means a setting that enables individuals with disabilities to interact with non-disabled persons to the fullest extent possible.

(3) The Authority may not require a qualified individual with a disability to participate in services, programs, or activities that are separate or different, despite the existence of permissibly separate or different programs or activities.

(4) The Authority may not apply eligibility criteria or standards that screen out or tend to screen out an individual with a disability from fully and equally enjoying any goods or services, unless such criteria can be shown to be necessary for the provision of those goods and services or is determined by the Authority to be a legitimate safety requirement.

(5) The Authority shall ensure each program, service, or activity, including public meetings, hearings and events, when viewed in the entirety, is readily accessible to and usable by individuals with disabilities. For purposes of this section, accessible means the ability to approach, enter, operate, participate in, or to use safely and with dignity by a person with a disability.

(6) Nothing in these rules prohibits the Authority from providing benefits or services to individuals with disabilities, or to a particular class of individuals with disabilities, beyond those required by law.

(7) Nothing in these rules requires an individual with a disability to accept a modification, service, opportunity, or benefit provided under these rules that the individual decides not to accept.

(8) The Authority shall provide auxiliary aids and services or alternate format communication to individuals with disabilities where necessary to ensure an equal opportunity to participate in, and enjoy the benefits of, a service, program or activity, unless it would result in a fundamental alteration of the program or an undue financial or administrative burden. Although the Authority shall determine which aid or format, if any, can be provided without fundamental alteration or undue burden, primary consideration should be given to the choice of the requestor.

(9) Except as authorized under specific programs, the Authority is not required to provide personal devices, individually prescribed devices, readers for personal use or study, or services of a personal nature.

(10) The Authority may not assess a charge or fee to an individual with a disability or any group of individuals with disabilities to cover the costs of measures required to provide the individual with the non-discriminatory treatment required by this policy.

(11) The Authority may not deny individuals the opportunity to participate on planning or advisory boards based on their disability.

(12) The Authority may not discriminate against individuals that do not have disabilities themselves, but have a known relationship or association with one or more individuals with disabilities.

(13) The Authority’s determination of direct threat to the health and safety of others must be based on an individualized assessment relying on current medical evidence, or the best available objective evidence that shows:

(a) The nature, duration and severity of the risk,

(b) The probability that a potential injury will actually occur; and

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

943-005-0015

Illegal Drug Use

(1) Except as provided in section (2) of this rule, OAR 943-005-0000 through 943-005-0030 does not prohibit discrimination against an individual based on that individual’s current illegal use of drugs.

(2) The Authority may not deny health services or services provided in connection with drug rehabilitation to an individual on the basis of that individual’s current use of drugs, if the individual is otherwise entitled to such services. However, a drug rehabilitation or treatment program may deny participation to individuals who engage in illegal use of drugs while they are in the program.

(3) A program may adopt reasonable policies related to drug testing that are designed to ensure that an individual who formerly engaged in the illegal use of drugs is not now engaging in the current illegal use of drugs.

(4) A client with a psychoactive substance use disorder resulting from current illegal use of drugs is not considered to have a disability under OAR 943-005-0000 through 943-005-0030 unless the client has a disability due to another condition.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

943-005-0020

Reasonable Modifications

(1) The Authority shall make reasonable modifications to policies, practices or procedures of a program, services or activity when the modifications are necessary to avoid discrimination based on disability unless the modification would fundamentally alter the nature of the program, service or activity or create an undue administrative or financial burden.

(2) When providing program access to a qualified individual with a disability would cause a fundamental alteration of the program, service or activity or undue financial or administrative burden, the Authority shall, to the extent the benefit of the program, service or activity can be achieved, provide program access to the point at which the program becomes fundamentally altered or experiences an undue burden.

(3) Alternate format communication is considered to be within the scope of reasonable modifications.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

943-005-0025

Requesting a Reasonable Modification

(1) To request a reasonable modification to an Authority program, service, or activity a client applicant, client or public member must submit to program staff a request for a reasonable modification to the applicable program. Requests may be made verbally or by completing the Request for Reasonable Modification form.

(2) Upon receipt of a request for modification the Authority shall:

(a) Determine whether additional documentation regarding the claimed disability is needed and request such documentation;

(b) Within 15 working days of the request or the receipt of additional medical documentation, whichever is later, provide to the requestor notification of approval, approval with alternative modifications or denial of the request for reasonable modification. All denials and approvals with alternative modifications that were not requested shall be clearly labeled a “Preliminary Notification Subject to Review.”; and

(3) A “Reasonable Modification Team” (Team) means a two person team appointed by program managers that meet to evaluate a Request for Reasonable Modification decision that either denied the request or approved the request but with modifications other than those requested.

(4) This process may include additional communication with the individual requesting the reasonable modifications.

(5) Preliminary Notifications shall be reviewed by a Reasonable Modification Team, which shall notify the requestor of the final result of the review within 15 working days of the preliminary notification or within 15 working days following receipt of medical or other supporting documentation requested by the Team, whichever is later.

(6) An individual whose request for reasonable modification has been denied or approved with alternative modifications which the individual believes to be inadequate may file a Report of Discrimination with the Authority within 60 days of the final result or file a complaint with the appropriate federal regulatory agency within 180 days of the final result.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

943-005-0030

Report of Discrimination and Other Remedies Available for Alleged Discrimination

(1) A client or client applicant or specific class of individuals or their representative may file with the Authority a Report of Discrimination based on disability in the following circumstances:

(a) The final result under OAR 943-005-0025 for a Reasonable Modification Request was denied or was approved with an alternative to the requested modification which is believed to be inadequate;

(b) A request for auxiliary aids and services was denied or was approved with an alternative to the request which is believed to be inadequate;

(c) A request for an alternate format communication was denied or was approved with an alternative to the request which is believed to be inadequate;

(d) Inability to access facilities used for Authority programs;

(e) Denial of participation in Authority programs and services.

(2) A Report of Discrimination must be filed within 60 calendar days of the date of the alleged discrimination unless otherwise set forth in these rules

(3) A Report of Discrimination may be submitted verbally or on a Report of Discrimination Form available at any Authority office or by calling any Authority office.

(4) The claim of discrimination shall be investigated and shall include an interview with the complainant. At the conclusion of the investigation, a Letter of Determination shall be issued within 40 calendar days from the receipt of the Discrimination Report.

(5) An individual may appeal the Letter of Determination to the Civil Rights Review Board (CRRB) within 30 calendar days of receiving the Letter of Determination. CRRB means a panel of Authority employees appointed by the Director that reviews the decisions made by the Authority ADA Coordinator or the Civil Rights Investigator on discrimination complaints filed with the Authority.

(6) At the discretion of CRRB, this may include additional communication with the client.

(7) The remedies available under OAR 943-005-0000 through 943-005-0030 are available in addition to other remedies available under state or federal law or Oregon Administrative Rules, except that these remedies must be exhausted where exhaustion is a requirement of seeking remedies in another forum.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 19-2011, f. 8-30-11, cert. ef. 9-1-11

Rule Caption: Provider Enrollment and Claiming using Medicaid Management Information System

Adm. Order No.: OHA 20-2011

Filed with Sec. of State: 8-30-2011

Certified to be Effective: 9-1-11

Notice Publication Date: 8-1-2011

Rules Adopted: 943-120-0300, 943-120-0310, 943-120-0320, 943-120-0325, 943-120-0330, 943-120-0340, 943-120-0350, 943-120-0360, 943-120-0370, 943-120-0380, 943-120-0400

Rules Repealed: 943-120-0300(T), 943-120-0310(T), 943-120-0320(T), 943-120-0325(T), 943-120-0330(T), 943-120-0340(T), 943-120-0350(T), 943-120-0360(T), 943-120-0370(T), 943-120-0380(T), 943-120-0400(T)

Subject: The Authority is adopting Authority-wide provider rules (OAR 943-120-0300 to 943-120-0380) which govern provider enrollment and claiming using the Medicaid Management Information System (MMIS). These rules ensure that Oregon Medicaid clients will be able to receive consistent and uninterrupted service and that providers are assured their correct and appropriate reimbursement at times that necessitate exceptions to normal, ongoing communications.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-120-0300

Definitions

The following definitions apply to OAR 943-120-0300 to 943-120-0400:

(1) “Abuse” means provider practices that are inconsistent with sound fiscal, business, or medical practices resulting in an unnecessary cost to the Oregon Health Authority, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes actions by clients or recipients that result in unnecessary cost to the Oregon Health Authority.

(2) “Advance Directive” means a form that allows an individual to have another individual make health care decisions when he or she cannot make decisions and informs a doctor if the individual does not want any life sustaining help if he or she is near death.

(3) “Authority” means the Oregon Health Authority.

(4) “Benefit Package” means the package of covered health care services for which the client is eligible.

(4) “Billing Agent or Billing Service” means a third party or organization that contracts with a provider to perform designated services in order to facilitate claim submission or electronic transactions on behalf of the provider.

(5) “Billing Provider” means an individual, agent, business, corporation, clinic, group, institution, or other entity who, in connection with submission of claims to the Authority, receives or directs payment from the Authority on behalf of a performing provider and has been delegated the authority to obligate or act on behalf of the performing provider.

(6) “Children’s Health Insurance Program (CHIP)” means a federal and state funded portion of the Oregon Health Plan (OHP) established by Title XXI of the Social Security Act and administered by the Division of Medical Assistance Programs.

(7) “Claim” means a bill for services, a line item of a service, or all services for one client within a bill. Claim includes a bill or an encounter associated with requesting reimbursement, whether submitted on paper or electronically. Claim also includes any other methodology for requesting reimbursement that may be established in contract or program-specific rules.

(8) “Client or Recipient” means an individual found eligible by the Authority to receive services under the OHP demonstration, medical assistance program, or other public assistance programs administered by the Authority. The following OHP categories are eligible for enrollment:

(a) Temporary Assistance to Needy Families (TANF) are categorically eligible families with income levels under current TANF eligibility rules;

(b) CHIP children under one year of age whose household has income under 185% Federal Poverty Level (FPL) and do not meet one of the other eligibility classifications;

(c) Poverty Level Medical (PLM) adults under 100% of the FPL and clients who are pregnant women with income under 100% of FPL;

(d) PLM adults over 100% of the FPL are clients who are pregnant women with income between 100% and 185% of the FPL;

(e) PLM children under one year of age who have family income under 133% of the FPL or were born to mothers who were eligible as PLM adults at the time of the child’s birth;

(f) PLM or CHIP children one through five years of age who have family income under 185% of the FPL and do not meet one of the other eligibility classifications;

(g) PLM or CHIP children six through 18 years of age who have family income under 185% of the FPL and do not meet one of the other eligibility classifications;

(h) OHP adults and couples are clients age 19 or over and not Medicare eligible, with income below 100% of the FPL who do not meet one of the other eligibility classifications, and do not have an unborn child or a child under age 19 in the household;

(i) OHP families are clients, age 19 or over and not Medicare eligible, with income below 100% of the FPL who do not meet one of the other eligibility classifications, and have an unborn child or a child under the age of 19 in the household;

(j) General Assistance (GA) recipients are clients who are eligible by virtue of their eligibility under the GA program, ORS 411.710 et seq.;

(k) Assistance to Blind and Disabled (AB/AD) with Medicare eligibles are clients with concurrent Medicare eligibility with income levels under current eligibility rules;

(l) AB/AD without Medicare eligibles are clients without Medicare with income levels under current eligibility rules;

(m) Old Age Assistance (OAA) with Medicare eligibles are clients with concurrent Medicare Part A or Medicare Parts A and B eligibility with income levels under current eligibility rules;

(n) OAA with Medicare Part B only are OAA eligibles with concurrent Medicare Part B only income under current eligibility rules;

(o) OAA without Medicare eligibles are clients without Medicare with income levels under current eligibility rules; or

(p) Children, Adults and Families (CAF) children are clients with medical eligibility determined by CAF or Oregon Youth Authority (OYA) receiving OHP under ORS 414.025, 418.034, and 418.189 to 418.970. These individuals are generally in placement outside of their homes and in the care or custody of CAF or OYA.

(9) “Client Representative” means an individual who can make decisions for clients who are not able to make such decisions themselves. For purposes of medical assistance, a client representative may be, in the following order of priority, an individual who is designated as the client’s health care representative under ORS 127.505(12), a court-appointed guardian, a spouse or other family member as designated by the client, the individual service plan team (for developmentally disabled clients), an Authority case manager, or other Authority designee. To the extent that other Authority programs recognize other individuals who may act as a client representative, that individual may be considered the client representative.

(10) “Clinical Records” means the medical, dental, or mental health records of a client. These records include the Primary Care Provider (PCP) records, the inpatient and outpatient hospital records and the Exceptional Needs Care Coordinator (ENCC), complaint and disenrollment for cause records which may be located in the Prepaid Health Plan (PHP) administrative offices.

(11) “Conviction or Convicted” means that a judgment of conviction has been entered by a federal, state, or local court, regardless of whether an appeal from that judgment is pending.

(12) “Covered Services” means medically appropriate health services or items that are funded by the legislature and described in ORS Chapter 414, including OHP authorized under ORS 414.705 to 414.750, and applicable Authority rules describing the benefit packages of covered services except as excluded or limited under OAR 410-141-0500 or such other public assistance services provided to eligible clients under program-specific requirements or contracts by providers required to enroll with the Authority under OAR 943-120-0300 to 943-120-0400.

(13) “Date of Service” means the date on which the client receives medical services or items, unless otherwise specified in the appropriate provider rules.

(14) “Authority” means the Oregon Health Authority.

(15) “Diagnosis Code” means the code as identified in the International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM). The primary diagnosis code is shown in all billing claims and PHP encounters, unless specifically excluded in individual provider rules. Where they exist, diagnosis codes must be shown to the degree of specificity outlined in OAR 943-120-0340 (claim and PHP encounter submission).

(16) “Electronic Data Transaction (EDT)” means the electronic exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, conducted by either web portal or electronic data interchange pursuant to the Authority’s electronic data transaction rule (OAR 943-120-0100 to 943-120-0200).

(17) “Exclusion” means the Authority may not reimburse a specific provider who has defrauded or abused the Authority for items or services that a provider furnished.

(18) “False Claim” means a claim or PHP encounter that a provider knowingly submits or causes to be submitted that contains inaccurate or misleading information, and that information would result, or has resulted, in an overpayment or improper use for per capita cost calculations.

(19) “Fraud” means an intentional deception or misrepresentation made by an individual with the knowledge that the deception could result in some unauthorized benefit to himself or herself, or some other individual. It includes any act that constitutes fraud or false claim under applicable federal or state law.

(20) “Healthcare Common Procedure Coding System (HCPCS)” means a method for reporting health care professional services, procedures and supplies. HCPCS consists of the Level 1 -- American Medical Association’s Physicians’ Current Procedural Terminology (CPT), Level II -- National Codes and Level III -- Local Codes.

(21) “Health Insurance Portability and Accountability Act (HIPAA)” means a federal law (Public Law 104-191, August 21, 1996) with the legislative objective to assure health insurance portability, reduce health care fraud and abuse, enforce standards for health information and guarantee security and privacy of health information.

(22) “Hospice” means a public agency or private organization or subdivision of either that is primarily engaged in providing care to terminally ill individuals, is certified for Medicare, accredited by the Oregon Hospice Association, and is listed in the Hospice Program Registry.

(23) “Individual Adjustment Request” means a form (DMAP 1036) used to resolve an incorrect payment on a previously paid claim, including underpayments or overpayments.

(24) “Medicaid” means a federal and state funded portion of the medical assistance program established by Title XIX of the Social Security Act, as amended, and administered in Oregon by the Authority.

(25) “Medicaid Management Information System (MMIS)” means the automated claims processing and information retrieval system for handling all Medicaid transactions. The objectives of the system include verifying provider enrollment and client eligibility, managing health care provider claims and benefit package maintenance, and addressing a variety of Medicaid business needs.

(26) “Medical Assistance Program” means a program for payment of health care provided to eligible Oregonians. Oregon’s medical assistance program includes Medicaid services including the OHP Medicaid Demonstration, and CHIP. The medical assistance program is administered and coordinated by DMAP, a division of the Authority.

(27) “Medically Appropriate” means services and medical supplies that are required for prevention, diagnosis, or treatment of a health condition that encompasses physical or mental conditions, or injuries and which are:

(a) Consistent with the symptoms or treatment of a health condition;

(b) Appropriate with regard to standards of good health practice and generally recognized by the relevant scientific community, evidence based medicine, and professional standards of care as effective;

(d) The most cost effective of the alternative levels of medical services or medical supplies that can be safely provided to a client in the provider’s judgment.

(28) “Medicare” means the federal health insurance program for the aged and disabled administered by the Centers for Medicare and Medicaid Services (CMS) under Title XVIII of the Social Security Act.

(29) “National Provider Identification (NPI)” means a federally directed provider number mandated for use on HIPAA covered transactions by individuals, provider organizations, and subparts of provider organizations that meet the definition of health care provider (45 Code of Federal Regulations (CFR) 160.103) and who conduct HIPAA covered transactions electronically.

(30) “Non-Covered Services” means services or items for which the Authority is not responsible for payment. Non-covered services are identified in:

(a) OAR 410-120-1200, Excluded Services and Limitations;

(b) OAR 410-120-1210, Medical Assistance Benefit Packages and Delivery System;

(d) OAR 410-141-0520, Prioritized List of Health Services; and

(e) The individual Authority provider rules, program-specific rules, and contracts.

(31) “Non-Participating Provider” means a provider who does not have a contractual relationship with the PHP.

(32) “Nursing Facility” means a facility licensed and certified by the Department of Human Services Seniors and People with Disabilities Division (SPD) defined in OAR 411-070-0005.

(33) “Oregon Health Plan (OHP)” means the Medicaid demonstration project that expands Medicaid eligibility to eligible clients. The OHP relies substantially upon prioritization of health services and managed care to achieve the public policy objectives of access, cost containment, efficacy, and cost effectiveness in the allocation of health resources.

(34) “Out-of-State Providers” means any provider located outside the borders of Oregon:

(a) Contiguous area providers are those located no more than 75 miles from the border of Oregon;

(b) Non-contiguous area providers are those located more than 75 miles from the borders of Oregon.

(35) “Post-Payment Review” means review of billings or other medical information for accuracy, medical appropriateness, level of service, or for other reasons subsequent to payment of the claim.

(36) “Prepaid Health Plan (PHP)” means a managed health, dental, chemical dependency, physician care organization, or mental health care organization that contracts with DMAP or Addictions and Mental Health Division (AMH) on a case managed, prepaid, capitated basis under the OHP. PHP’s may be a Dental Care Organization (DCO), Fully Capitated Health Plan (FCHP), Mental Health Organization (MHO), Primary Care Organization (PCO) or Chemical Dependency Organization (CDO).

(37) “Prohibited Kickback Relationships” means remuneration or payment practices that may result in federal civil penalties or exclusion for violation of 42 CFR 1001.951.

(38) “PHP Encounter” means encounter data submitted by a PHP or by a provider in connection with services or items reimbursed by a PHP.

(39) “Prior Authorization” means payment authorization for specified covered services or items given by Authority staff, or its contracted agencies, or a county if required by the county, prior to provision of the service. A physician or other referral is not a prior authorization.

(40) “Provider” means an individual, facility, institution, corporate entity, or other organization which supplies health care or other covered services or items, also termed a performing provider, that must be enrolled with the Authority pursuant to OAR 943-120-0300 to 943-120-0400 to seek reimbursement from the Authority, including services provided, under program-specific rules or contracts with the Authority or with a county or PHP.

(41) “Quality Improvement” means the effort to improve the level of performance of key processes in health services or health care. A quality improvement program measures the level of current performance of the processes, finds ways to improve the performance and implements new and better methods for the processes. Quality improvement includes the goals of quality assurance, quality control, quality planning, and quality management in health care where “quality of care is the degree to which health services for individuals and populations increase the likelihood of desired health outcomes and are consistent with current professional knowledge.”

(42) “Quality Improvement Organization (QIO)” means an entity which has a contract with CMS under Part B of Title XI to perform utilization and quality control review of the health care furnished, or to be furnished, to Medicare and Medicaid clients; formerly known as a “Peer Review Organization.”

(43) “Remittance Advice” means the automated notice a provider receives explaining payments or other claim actions.

(44) “Subrogation” means the right of the state to stand in place of the client in the collection of third party resources, including Medicare.

(45) “Suspension” means a sanction prohibiting a provider’s participation in the Authority’s medical assistance or other programs by deactivation of the assigned provider number for a specified period of time or until the occurrence of a specified event.

(46) “Termination” means a sanction prohibiting a provider’s participation in the Authority’s programs by canceling the assigned provider number and agreement unless:

(a) The exceptions cited in 42 CFR 1001.221 are met; or

(b) Otherwise stated by the Authority at the time of termination.

(47) “Third Party Resource (TPR)” means a medical or financial resource, including Medicare, which, by law, is available and applicable to pay for covered services and items for a medical assistance client.

(48) “Usual Charge” means when program-specific or contract reimbursement is based on usual charge, and is the lesser of the following, unless prohibited from billing by federal statute or regulation:

(a) The provider’s charge per unit of service for the majority of non-medical assistance users of the same service based on the preceding month’s charges;

(b) The provider’s lowest charge per unit of service on the same date that is advertised, quoted, or posted. The lesser of these applies regardless of the payment source or means of payment; or

(c) Where the provider has established a written sliding fee scale based upon income for individuals and families with income equal to or less than 200% of the FPL, the fees paid by these individuals and families are not considered in determining the usual charge. Any amounts charged to TPR must be considered.

(49) “Visit Data” means program-specific or contract data collection requirements associated with the delivery of service to clients on the basis of an event such as a visit.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0310

Provider Requirements

(1) All providers seeking reimbursement from the Authority, a PHP, or a county pursuant to a county agreement with the Authority for the provision of covered services or items to eligible recipients, must comply with these rules, OAR 943-120-0300 to 943-120-0400, and the applicable rules or contracts of the specific programs described below:

(a) Programs administered by DMAP including the OHP and the medical assistance program that reimburses providers for services or items provided to eligible recipients, including but not limited to chapter 410, division 120; chapter 410, division 141; and provider rules in chapter 410 applicable to the provider’s service category;

(b) Programs administered by AMH that reimburse providers for services or items provided to eligible AMH recipients; or

(2) Authority programs use visit data to monitor service delivery, planning, and quality improvement activities. Visit data must be submitted by a program-specific rule or contract. A provider shall make accurate, complete, and timely submission of visit data. Visit data is not a HIPAA transaction and does not constitute a claim for reimbursement.

(3) CHIP and Medicaid-Funded Covered Services and Items.

(a) Covered services or items paid for with Medicaid (Title XIX) and CHIP (Title XXI) funds (referred to as the medical assistance program) are also subject to federal and state Medicaid rules and requirements. In interpreting these rules and program-specific rules or contracts, the Authority shall construe them as much as possible in a manner that shall comply with federal and state medical assistance program laws and regulations, and the terms and conditions of federal waivers and the state plans

(b) If a provider is reimbursed with medical assistance program funds, the provider must comply with all applicable federal and state laws and regulations pertaining to the provision of Medicaid services under the Medicaid Act, Title XIX, 42 United States Code (USC) 1396 et. seq., and CHIP services under Title XXI, including without limitation:

(A) Maintaining all records necessary to fully disclose the extent of the services provided to individuals receiving medical assistance and furnish such information to any state or federal agency responsible for administration or oversight of the medical assistance program regarding any payments claimed by an individual or institution for providing Medicaid services as the state or federal agency may from time to time request;

(B) Complying with all disclosure requirements of 42 CFR 1002.3(a) and 42 CFR 455 subpart (B);

(C) Maintaining written notices and procedures respecting advance directives in compliance with 42 USC 1396(a)(57) and (w), 42 CFR 431.107(b)(4), and 42 CFR 489 subpart I;

(D) Certifying that the information is true, accurate and complete when submitting claims or PHP encounters for the provision of medical assistance services or items. Submission of a claim or PHP encounter constitutes a representation of the provider’s understanding that payment of the claim shall be from federal or state funds, or both and that any falsification or concealment of a material fact may result in prosecution under federal or state laws.

(c) Hospitals, nursing facilities, home health agencies (including those providing personal care), hospices, and HMOs must comply with the Patient Self-Determination Act as set forth in Section 4751 of OBRA 1991. To comply with the obligation under the above-listed laws to deliver information on the rights of the individual under Oregon law to make health care decisions, the named providers and organizations must give capable individuals over the age of 18 a copy of “Your Right to Make Health Care Decisions in Oregon,” copyright 1993, by the Oregon State Bar Health Law Section. Out-of-state providers of these services must comply with Medicare and Medicaid regulations in their state. Submittal to the Authority of the appropriate claim form requesting payment for medical services provided to a Medicaid eligible shall be considered representation to the Authority of the medical provider’s compliance with the above-listed laws.

(d) Payment for any service or item furnished by a provider of CHIP or Medicaid-funded services or items may not be made by or through (directly or by power of attorney) any individual or organization, such as a collection agency or service bureau, that advances money to a provider for accounts receivable that the provider has assigned, sold, or transferred to the individual or organization for an added fee or a deduction of a portion of the accounts receivable.

(e) The Authority shall make medical assistance provider payments only to the following:

(A) The provider who actually performed the service or provided the item;

(B) In accordance with a reassignment from the provider to a government agency or reassignment by a court order;

(C) To the employer of the provider, if the provider is required as a condition of employment to turn over his or her fees to the employer, and the employer is enrolled with the Authority as a billing provider;

(D) To the facility in which the service is provided, if the provider has a contract under which the facility submits the claim, and the facility is enrolled with the Authority as a billing provider;

(E) To a foundation, PHP, clinic, or similar organization operating as an organized health care delivery system, if the provider has a contract under which the organization submits the claim, and the organization is enrolled with the Authority as a billing provider; or

(F) To an enrolled billing provider, such as a billing service or an accounting firm that, in connection with the submission of claims, receives or directs payments in the name of the provider, if the billing provider’s compensation for this service is:

(i) Related to the cost of processing the billing;

(ii) Not related on percentage or other basis to the amount that is billed or collected and not dependent upon the collection of the payment.

(f) Providers must comply with TPR requirements in program-specific rules or contracts.

(4) The Authority uses several approaches to promote program integrity. These rules describe program integrity actions related to provider payments, including provider reimbursement under program-specific rules, county agreements, and contracts. The program integrity goal is to pay the correct amount to a properly enrolled provider for covered services provided to an eligible client according to the program-specific coverage criteria in effect on the date of service.

(a) Program integrity activities include but are not limited to the following:

(A) Medical or professional review including but not limited to following the evaluation of care in accordance with evidence-based principles, medical error identification, and prior authorization processes, including all actions taken to determine the coverage and appropriateness of services or items;

(B) Provider obligations to submit correct claims and PHP encounters;

(D) Implementation of HIPAA electronic transaction standards to improve accuracy and timeliness of claims processing and encounter reporting;

(E) Provider credentialing activities;

(F) Accessing federal Department of Health and Human Services (DHHS) database (exclusions);

(G) Quality improvement activities;

(H) Cost report settlement processes;

(I) Audits;

(J) Investigation of false claims, fraud or prohibited kickback relationships; and

(K) Coordination with the Department of Justice Medicaid Fraud Control Unit (MFCU) and other health oversight authorities.

(b) The following individuals may review a request for services or items, or audit a claim or PHP encounter for care, services, or items, before or after payment, for assurance that the specific care, item, or service was provided pursuant to the program-specific and the generally accepted standards of a provider’s field of practice or specialty:

(A) Authority staff or designee;

(B) Medical utilization and professional review contractor;

(D) Federal or state oversight authority.

(c) Payment may be denied or subject to recovery if the review or audit determines the care, service, or item was not provided pursuant to provider rules or does not meet the criteria for quality or medical appropriateness of the care, service, or item or payment. Related provider and hospital billings shall also be denied or subject to recovery.

(d) If the Authority determines that an overpayment has been made to a provider, the amount of overpayment is subject to recovery.

(e) The Authority may communicate with and coordinate any program integrity actions with the MFCU, DHHS, and other federal and state oversight authorities.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065, 414.115; 414.125; 414.135; & 414.145

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0320

Provider Enrollment

(1) In some Authority program areas, being an enrolled Authority provider is a condition of eligibility for an Authority contract for certain services or activities. The Authority requires billing providers to be enrolled as providers consistent with the provider enrollment processes set forth in this rule. If reimbursement for covered services will be made under a contract with the Authority, the provider must also meet the Authority’s contract requirements. Contract requirements are separate from the requirements of these provider enrollment rules. Enrollment as a provider with the Authority is not a promise that the enrolled provider will receive any amount of work from the Authority, a PHP, or a county.

(2). Provider enrollment establishes essential Authority provider participation requirements for becoming an enrolled Authority provider. The details of provider qualification requirements, client eligibility, covered services, how to obtain prior authorization or review (if required), documentation requirements, claims submission, and available electronic access instructions, and other pertinent instructions and requirements are contained in the program-specific rules or contract.

(3) Prior to enrollment, providers must:

(a) Meet all program-specific or contract requirements identified in program-specific rules or contracts in addition to those requirements identified in these rules;

(b) Meet Authority contracting requirements, as specified by the Authority’s Office of Contracts and Procurement (OC&P);

(d) Meet Authority and federal certification requirements for the type of service for which the provider is enrolling; and

(e) Obtain a provider number from the Authority for the specific service for which the provider is enrolling.

(4) Participation with the Authority as an enrolled provider is open to qualified providers that:

(a) Meet the qualification requirements established in these rules and program-specific rules or contracts;

(b) Enroll as an Authority provider pursuant to these rules;

(c) Provide a covered service or item within their scope of practice and licensure to an eligible Authority recipient pursuant to program-specific rules or contracts; and

(d) Accept the reimbursement amounts established pursuant to the Authority’s program-specific fee structures or contracts for the service or item.

(5) To be enrolled as an Authority provider, an individual or organization must submit a complete and accurate provider enrollment form, available from the Authority, including all required documentation, and a signed provider enrollment agreement.

(a) The provider enrollment form requests basic demographic information about the provider that will be permanently associated with the provider or organization until changed on an update form.

(b) Each Authority program establishes provider-specific qualifications and program criteria that must be provided as part of the provider enrollment form.

(A) The provider must meet applicable licensing and regulatory requirements set forth by federal and state statutes, regulations, and rules, and must comply with all Oregon statutes and regulations applicable to the provider’s scope of service as well as the program-specific rules or contract applicable to the provision of covered services. The provider and program addendum shall specify the required documentation of professional qualifications that must be provided with the provider enrollment form.

(B) All providers of services within Oregon must have a valid Oregon business license if such a license is a requirement of the state, federal, county, or city government to operate a business or to provide services. In addition providers must be registered to do business in Oregon by registering with the Oregon Secretary of State, Corporation Division, if registration is required.

(c) All individuals and entities shall disclose information used by the Authority to determine whether an exclusion applies that would prevent the Authority from enrolling the provider. Individual performing providers must submit a disclosure statement. All providers that are enrolling as an entity (corporation, non-profit, partnership, sole proprietorship, governmental) must submit a disclosure of ownership and control interest statement. Payment may not be made to any individual or entity that has been excluded from participation in federal or state programs or that employs or is managed by excluded individuals or entities.

(A) Entities must disclose all the information required on the disclosure of ownership and control interest statement. Information that must be disclosed includes the name, address, and taxpayer identification number of each individual with an ownership or control interest in the disclosing entity or in any subcontractor in which the disclosing entity has a direct or indirect ownership of five percent or more; whether any of the named individuals are related as spouse, parent, child, sibling, or other family member by marriage or otherwise; and the name and taxpayer identification number of any other disclosing entity in which an individual with an ownership or control interest in the disclosing entity also has an ownership or control interest.

(B) A provider must submit, within 35 days of the date of a request by DHHS or the Authority, full and complete information about the ownership of any subcontractor with whom the provider had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the five-year period ending on the date of the request.

(C) Before the Authority enters into a provider enrollment agreement with a provider, or renews a provider agreement, or at any time upon written request of the Authority, the provider must disclose to the Authority the identity and taxpayer identification number of any individual who has an ownership or control interest in the provider; or is an agent or managing employee of the provider; or the individual performing provider that has been convicted of a criminal offense related to that individual’s involvement in any program under Medicare, Medicaid, or Title XX services program, since the inception of those programs.

(D) The Authority may refuse to enter into or may suspend or terminate a provider enrollment agreement if the individual performing provider or any individual who has an ownership or control interest in the entity, or who is an agent or managing employee of the provider, has been sanctioned or convicted of a criminal offense related to that individual’s involvement in any program established under Medicare, Medicaid, Children’s Health Insurance, Title XX services, or other public assistance program.

(E) The Authority may refuse to enter into or may suspend or terminate a provider enrollment agreement, or contract for provider services, if it determines that the provider did not fully and accurately make any disclosure required under section (5)(c) of this rule.

(F) Taxpayer identification numbers, including social security numbers (SSN) and employer identification numbers (EIN), must be provided where indicated on the Disclosure Statement or the Disclosure of Ownership and Control Interest Statement. The taxpayer identification number will be used to confirm whether the individual or entity is subject to exclusion from participation in the Oregon Medicaid program.

(6) The provider must sign the provider enrollment agreement, and submit it for review to the Authority at the time the provider submits the provider enrollment form and related documentation. Signing the provider enrollment agreement constitutes agreement by a provider to comply with all applicable Authority provider and program rules, and applicable federal and state laws and regulations in effect on the date of service.

(7) A provider may request to conduct electronic transactions with the Authority by enrolling and completing the appropriate authorization forms pursuant to the electronic data transaction rules (OAR 943-120-0100 to 943-120-0200).

(8). A provider shall be enrolled, assigned, and issued a provider number for use in specific payment or business operations upon the following criteria:

(a) Provider submission of a complete and signed (when applicable), provider enrollment form, provider enrollment agreement, provider certification and all required documents to the Authority program responsible for enrolling the provider. Provider signature must be the provider or an individual with actual authority from the provider to legally bind the provider to attest and certify to the accuracy and completeness of the information submitted;

(b) The Authority’s verification of licensing or certification or other authority to perform the service or provide the item within the lawful scope of practice recognized under Oregon law. The Authority may confirm any information on the provider enrollment form or documentation submitted with the provider enrollment form, and may request additional information; and

(c) The Authority’s acceptance of the provider enrollment form, provider enrollment agreement, and provider certification by the Authority unit responsible for approving the enrollment of the provider.

(9) Submission of a claim or encounter or other reimbursement document constitutes the enrolled provider’s agreement that:

(a) The service or item was provided in compliance with all applicable rules and requirements in effect on the date of service;

(b) The provider has created and maintained all records necessary to disclose the extent of services or items provided and provider’s compliance with applicable program and financial requirements, and that the provider agrees to make such information available upon request to the Authority, the MFCU (for Medicaid-funded services or items), the Oregon Secretary of State, and (for federally-funded services or items) the federal funding authority and the Comptroller General of the United States, or their designees;

(c) The information on the claim or encounter, regardless of the format or other reimbursement document is true, accurate and complete; and

(d) The provider understands that payment of the claim or encounter or other reimbursement document will be from federal or state funds, or a combination of federal and state funds, and that any falsification, or concealment of a material fact, may result in prosecution under federal and state laws.

(10) The Authority has taken action to ensure compliance with the NPI requirements pursuant to 45 CFR Part 162 when those requirements became effective on May 23, 2007. In the event of a transition period approved by CMS beyond May 23, 2008, the following requirements for contractors, providers, and provider-applicants shall apply:

(a) Providers and contractors that obtain an NPI must use their NPI where indicated. In situations where a taxonomy code may be used in conjunction with the NPI, providers must update their records as specified with the Authority’s provider enrollment unit. Providers applying for enrollment with the Authority that have been issued an NPI must include that NPI and any associated taxonomy codes with the provider enrollment form;

(b) A provider enrolled with the Authority must bill using the NPI pursuant to 45 CFR part 162.410, in addition to the Authority-assigned provider number, where applicable, and continue to bill using the Authority assigned provider number until the Authority informs the provider that the Authority assigned provider number is no longer allowed, or the NPI transition period has ended, whichever occurs first. Failure to use the NPI and Authority-assigned provider number as indicated during this transition period may result in delay or rejection of claims and other transactions;

(c) The NPI and applicable taxonomy code combinations will be cross-referenced to the Authority assigned provider number for purposes of processing all applicable electronic transactions as specified in OAR 943-120-0100;

(d) The provider and PHP must cooperate with the Authority with reasonable consultation and testing procedures, if any, related to implementation of the use of NPI’s; and

(e) Certain provider types are not eligible for an NPI based on federal criteria for obtaining an NPI. Providers not eligible for an NPI must always use their Authority provider number on claims, encounters, or other reimbursement documents for that specific provider type.

(11) The effective date of provider enrollment is the date the provider’s request is received by the Authority if on that date the provider has met all applicable requirements. The effective date may be retroactive for up to one year to encompass dates on which the provider furnished covered services to a medical assistance recipient for which it has not been paid, if on the retroactive effective date the provider has met all applicable requirements.

(12) Provider numbers are specific to the category of service or items authorized by the Authority. Issuance of an Authority-assigned provider number establishes enrollment of an individual or organization as a provider for the specific category of services covered by the provider and program addendum submitted with the provider enrollment form and enrollment agreement.

(13) Providers must provide the following updates:

(a) An enrolled provider must notify the Authority in writing of a material change in any status or condition on any element of their provider enrollment form. Providers must notify the Authority of changes in any of this information in writing within 30 calendar days of any of the following changes:

(A) Business affiliation;

(B) Ownership;

(D) Associated taxonomy codes;

(E) Federal Tax Identification number;

(F) Ownership and control information; or

(G) Criminal convictions.

(b) These changes may require the submission of a provider enrollment form, provider enrollment agreement, provider certification, or other related documentation.

(c) Claims submitted by, or payments made to, providers who have not timely furnished the notification of changes or have not submitted any of the items that are required due to a change may be denied or recovered.

(d) Notice of bankruptcy proceedings must be immediately provided to the Authority in writing.

(14) Tax Reporting and Withholding.

(a) Providers must submit the provider’s SSN for individuals or a federal EIN for entities, whichever is required for tax reporting purposes on IRS Form 1099. Billing providers must submit the SSN or EIN of all performing providers in connection with claims or payments made to or on behalf of the performing provider, in addition to the billing provider’s SSN or EIN. Providing this number is mandatory to be eligible to enroll as a provider. The provider’s SSN or EIN is required pursuant to 42 CFR 433.37 federal tax laws at 26 USC 6041. SSN’s and EIN’s provided pursuant to this authority are used for the administration of state, federal, and local tax laws and the administration of this program for internal verification and administrative purposes including but not limited to identifying the provider for payment and collection activities.

(b) The Authority must comply with the tax information reporting requirements of section 6041 of the Internal Revenue Code (26 USC 6041). Section 6041 requires the filing of annual information returns showing amounts paid to providers, who are identified by name, address, and SSN or EIN. The Authority files its information returns with the Internal Revenue Service (IRS) using Form 1099MISC.

(c) The IRS Code section 3406(a)(1)(B) requires the Authority to begin backup withholding when notified by the IRS that a taxpayer identification number reported on an information return is incorrect. If a provider receives notice of backup withholding from the Authority, the provider must timely comply with the notice and provide the Authority with accurate information. The Authority shall comply with IRS requirements for backup withholding.

(d) Failure to notify the Authority of a change in federal tax identification number (SSN or EIN) may result in the Authority imposing a sanction as specified in OAR 943-120-0360.

(e) If the Authority notifies a provider about an error in federal tax identification number, the provider must supply a valid federal tax identification number within 30 calendar days of the date of the Authority’s notice. Failure to comply with this requirement may result in the Authority imposing a sanction as specified in OAR 943-120-0360, for each time the provider submits an inaccurate federal tax identification number, and may require back-up withholding. Federal tax identification number requirements described in this rule refer to any requirements established by the IRS.

(15) Providers of services to clients outside the State of Oregon must be enrolled as a provider under section (8) of this rule if they comply with the requirements of section (8) and meet the following conditions:

(a) The provider is appropriately licensed or certified and is enrolled in the provider’s home state for participation in that state’s Medicaid program or, for non-Medicaid services, enrolled or contracted with the state agency in the provider’s state to provide the same program-specific service in the provider’s state. Disenrollment or sanction from the other state’s Medicaid program, or exclusion from any other federal or state health care program or comparable program-specific service delivery system is a basis for denial of enrollment, termination, or suspension from participation as an Authority provider;

(b) The Oregon Board of Pharmacy issued a license to provide pharmacy services to a noncontiguous out-of-state pharmacy provider;

(c) The services must be authorized in the manner required for out-of-state services under the program-specific rules or contract for an eligible client;

(d) The services for which the provider bills are covered services under the OHP or other Authority program for which covered services are authorized to be provided to the client;

(e) A facility, including but not limited to a hospital, rehabilitative facility, institution for care of individuals with mental retardation, psychiatric hospital, or residential care facility, is enrolled or contracted by the state agency in the state in which the facility is located or is licensed as a facility provider of services by Oregon; or

(f) If the provider is not domiciled in or registered to do business in Oregon, the provider must promptly provide to the Oregon Department of Revenue and the Oregon Secretary of State, Corporation Division all information required by those agencies relative to the provider enrollment form and provider enrollment agreement. The Authority shall withhold enrollment and payments until the out-of-state provider has provided documentation of compliance with this requirement to the Authority unit responsible for enrollment.

(16) The provider enrollment agreement may be terminated as follows:

(a) The provider may ask the Authority to terminate the provider enrollment agreement at any time, subject to any specific provider termination requirements in program-specific rules or contracts.

(A) The request must be in writing, signed by the provider, and mailed or delivered to the Authority provider enrollment unit. The notice must specify the Authority-assigned provider number, if known.

(B) When accepted, the Authority shall assign the provider number a termination status and the effective date of the termination status.

(C) Termination of the provider enrollment agreement does not relieve the provider of any obligations for covered services or items provided under these rules, program-specific rules or contracts in effect for dates of services during which the provider enrollment agreement was in effect.

(b) The Authority may terminate the provider enrollment agreement immediately upon notice to the provider, or a later date as the Authority may establish in the notice, upon the occurrence of any of the following events:

(A) The Authority fails to receive funding, appropriations, limitations, or other expenditure authority at levels that the Authority or the specific program determines to be sufficient to pay for the services or items covered under the agreement;

(B) Federal or state laws, regulations, or guidelines are modified or interpreted by the Authority in a manner that either providing the services or items under the agreement is prohibited or the Authority is prohibited from paying for such services or items from the planned funding source;

(C) The Authority has issued a final order revoking the Authority-assigned provider number based on a sanction under termination terms and conditions established in program-specific rules or contract;

(D) The provider no longer holds a required license, certificate or other authority to qualify as a provider. The termination shall be effective on the date the license, certificate, or other authority is no longer valid; or

(E) The provider fails to submit any claims for reimbursement for an 18-month period. The provider may reapply for enrollment.

(c) In the event of any dispute arising out of the termination of the provider enrollment agreement, the provider’s sole monetary remedy is limited to covered services or items the Authority determines to be compensable under the provider agreement, a claim for unpaid invoices, hours worked within any limits set forth in the agreement but not yet billed, and Authority-authorized expenses incurred prior to termination. Providers may not recover indirect or consequential damages. Providers are not entitled to attorney fees, costs, or expenses of any kind.

(17) When a provider fails to meet one or more of the requirements governing participation as an Authority enrolled provider, the provider’s Authority- assigned provider number may be immediately suspended, pursuant to OAR 943-120-0360. The provider may not provide services or items to clients during a period of suspension. The Authority shall deny claims for payment or other reimbursement requests for dates of service during a period of suspension.

(18) The provision of program-specific or contract covered services or items to eligible clients is voluntary on the part of the provider. Providers are not required to serve all clients seeking service. If a provider undertakes to provide a covered service or item to an eligible client, the provider must comply with these rules, program-specific rules or contract.

(a) The provider performs all services, or provides all items, as an independent contractor. The provider is not an officer, employee, or agent of the Authority.

(b) The provider is responsible for its employees, and for providing employment-related benefits and deductions that are required by law. The provider is solely responsible for its acts or omissions, including the acts or omissions of its own officers, employees or agents. The Authority’s responsibility is limited to its authorization and payment obligations for covered services or items provided pursuant to these rules.

(19) For Medicaid services, a provider may not deny services to any eligible client because of the client’s inability to pay the cost sharing amount imposed by the applicable program-specific or provider-specific rules or contract. A client’s inability to pay does not eliminate the client’s liability for the cost sharing charge.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0325

Compliance with Federal and State Statutes

(1) When a provider submits a claim for services or supplies provided to an Authority client, the Authority shall consider the submission as the provider’s representation of the provider’s compliance with the applicable sections of the federal and state statutes and rules referenced in this rule, and other program rules or contract requirements of the specific program under which the claim is submitted:

(a) 45 CFR Part 84 which implements Title V, Section 504 of the Rehabilitation Act of 1973;

(b) 42 CFR Part 493 Laboratory Requirements and ORS chapter 438 (Clinical Laboratories).

(c) The provider must comply and, as indicated, require all subcontractors to comply with the following federal and state requirements to the extent that they are applicable to the items and services governed by these rules, unless exempt under 45 CFR Part 87 for Faith-Based Organizations (Federal Register, July 16, 2004, Volume 69, #136), or other federal provisions. For purposes of these rules, all references to federal and state laws are references to federal and state laws as they may be amended from time to time that are in effect on the date of provider’s service:

(A) The provider must comply and require all subcontractors to comply with all federal laws, regulations, executive orders applicable to the items and services provided under these rules. Without limiting the generality of the foregoing, the provider must comply and require all subcontractors to comply with the following laws, regulations and executive orders to the extent they are applicable to the items and services provided under these rules:

(i) Title VI and VII of the Civil Rights Act of 1964, as amended;

(ii) Sections 503 and 504 of the Rehabilitation Act of 1973, as amended;

(iii) The Americans with Disabilities Act of 1990, as amended;

(iv) Executive Order 11246, as amended;

(v) The Health Insurance Portability and Accountability Act of 1996;

(vi) The Age Discrimination in Employment Act of 1967, as amended, and the Age Discrimination Act of 1975, as amended;

(vii) The Vietnam Era Veterans’ Readjustment Assistance Act of 1974, as amended,

(viii) all regulations and administrative rules established pursuant to the foregoing laws;

(viii) All other applicable requirements of federal civil rights and rehabilitation statutes, rules, and regulations;

(ix) All federal laws governing operation of community mental health programs, including without limitation, all federal laws requiring reporting of client abuse. These laws, regulations and executive orders are incorporated by reference herein to the extent that they are applicable to the items and services governed by these rules and required by law to be so incorporated. No federal funds may be used to provide services in violation of 42 USC 14402.

(B) Any provider that receives or makes annual payments under Medicaid of at least $5,000,000, as a condition of receiving such payments, shall:

(i) Establish written policies for all employees of the entity (including management), and of any contractor, subcontractor, or agent of the entity, that provide detailed information about the False Claims Act established under 31 USC 3729 through 3733, administrative remedies for false claims and statements established under 31 USC 38, any Oregon state laws pertaining to civil or criminal penalties for false claims and statements, and whistle blowing protections under such laws, with respect to the role of such laws in preventing and detecting fraud, waste, and abuse in Federal health care programs (as defined in 42 USC 1320a-7b(f));

(ii) Include as part of written policies, detailed provisions regarding the entity’s policies and procedures for detecting and preventing fraud, waste, and abuse; and

(iii) Include in any employee handbook for the entity, a specific discussion of the laws described in sub-paragraph (i), the rights of the employees to be protected as whistleblowers.

(C) If the items and services governed under these rules exceed $10,000, the provider must comply and require all subcontractors to comply with Executive Order 11246, entitled “Equal Employment Opportunity,” as amended by Executive Order 11375, and as supplemented in U.S Authority of Labor regulations (41 CFR part 60);

(D) If the items and services governed under these rules exceed $100,000, and are paid in any part with federal funds, the provider must comply and require all subcontractors to comply with all applicable standards, orders, or requirements issued under Section 306 of the Clean Air Act (42 U.S.C. 7606), the Federal Water Pollution Control Act as amended (commonly known as the Clean Water Act -- 33 U.S.C. 1251 to 1387), specifically including, but not limited to, Section 508 (33 U.S.C. 1368). Executive Order 11738, and Environmental Protection Agency regulations (40 CFR Part 32), which prohibit the use under non-exempt Federal contracts, grants or loans of facilities included on the EPA List of Violating Facilities. Violations must be reported to the Authority, DHHS, and the appropriate Regional Office of the Environmental Protection Agency. The provider must include and require all subcontractors to include in all contracts with subcontractors receiving more than $100,000, language requiring the subcontractor to comply with the federal laws identified in this section;

(E) The provider must comply and require all subcontractors to comply with applicable mandatory standards and policies relating to energy efficiency that are contained in the Oregon energy conservation plan issued in compliance with the Energy Policy and Conservation Act, 42 U.S.C. 6201 et seq. (Pub. L. 94-163);

(F) The provider must provide written certification indicating that:

(i) No federal appropriated funds have been paid or shall be paid, by or on behalf of the provider, to any person for influencing or attempting to influence an officer or employee of an agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with the awarding of any federal contract, the making of any federal grant, the making of any federal loan, the entering into of any cooperative agreement, and the extension, continuation, renewal, amendment or modification of any federal contract, grant, loan or cooperative agreement;

(ii) If any funds other than federal appropriated funds have been paid or shall be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with this federal contract, grant, loan or cooperative agreement, the provider must complete and submit Standard Form LLL, “Disclosure Form to Report Lobbying” in accordance with its instructions;

(iii) The provider must require that the language of this certification be included in the award documents for all sub-awards at all tiers (including subcontracts, sub-grants, and contracts under grants, loans, and cooperative agreements) and that all sub-recipients and subcontractors must certify and disclose accordingly;

(iv) This certification is a material representation of fact upon which reliance was placed when this provider agreement was made or entered into. Submission of this certification is a prerequisite for making or entering into this provider agreement imposed by 31 USC 1352. Any person who fails to file the required certification shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for each such failure.

(G) If the items and services funded in whole or in part with financial assistance provided under these rules are covered by HIPAA or the federal regulations implementing HIPAA, the provider must deliver the goods and services in compliance with HIPAA. The provider must comply and require all subcontractors to comply with the following:

(i) Individually identifiable health information about specific individuals is confidential. Individually identifiable health information relating to specific individuals may be exchanged between the provider and the Authority for purposes directly related to the provision to clients of services that are funded in whole or in part under these rules. The provider must not use or disclose any individually identifiable health information about specific individuals in a manner that would violate Authority privacy rules, (OAR 943-014-0000 to 0070.), or the Authority’s Notice of Privacy Practices, if done by the Authority;

(ii) Providers who engage in EDI transactions with the Authority in connection with claims or encounter data, eligibility or enrollment information, authorizations or other electronic transactions must execute an EDI trading partner agreement with the Authority and must comply with the Authority’s electronic data transmission rules (OAR 943-120-0100 to 943-120-0200);

(iii) If a provider reasonably believes that the provider’s or the Authority’s data transactions system or other application of HIPAA privacy or security compliance policy may result in a violation of HIPAA requirements, the provider must promptly consult the Authority’s privacy officer. The provider or the Authority may initiate a request to test HIPAA transactions, subject to available resources and the Authority’s testing schedule.

(H) The provider must comply and require all subcontractors to comply with all mandatory standards and policies that relate to resource conservation and recovery pursuant to the Resource Conservation and Recovery Act (codified at 42 USC 6901 et. seq.). Section 6002 of that Act (codified at 42 USC 6962) requires that preference be given in procurement programs to the purchase of specific products containing recycled materials identified in guidelines developed by the Environmental Protection Agency. Current guidelines are set forth in 40 CFR Parts 247;

(I) The provider must comply and require all subcontractors to comply with the applicable audit requirements and responsibilities set forth in the Office of Management and Budget Circular A-133 entitled “Audits of States, Local Governments and Non-Profit Organizations;”

(J) The provider may not permit any person or entity to be a subcontractor if the person or entity is listed on the non-procurement portion of the General Service Administration’s “List of Parties Excluded from Federal Procurement or Nonprocurement Programs” pursuant to Executive Orders No. 12,549 and No. 12,689, “Debarment and Suspension”. (See 45 CFR part 76). This list contains the names of parties debarred, suspended, or otherwise excluded by agencies, and providers and subcontractors declared ineligible under statutory authority other than Executive Order No. 12549. Subcontractors with awards that exceed the simplified acquisition threshold must provide the required certification regarding their exclusion status and that of their principals prior to award;

(K) The provider must comply and require all subcontractors to comply with the following provisions to maintain a drug-free workplace:

(i) Certify that it shall provide a drug-free workplace by publishing a statement notifying its employees that the unlawful manufacture, distribution, dispensation, possession, or use of a controlled substance, except as may be present in lawfully prescribed or over-the-counter medications, is prohibited in the provider’s workplace or while providing services to Authority clients. The provider’s notice must specify the actions that shall be taken by the provider against its employees for violation of such prohibitions;

(ii) Establish a drug-free awareness program to inform its employees about the dangers of drug abuse in the workplace, the provider’s policy of maintaining a drug-free workplace, any available drug counseling, rehabilitation, and employee assistance programs, and the penalties that may be imposed upon employees for drug abuse violations;

(iii) Provide each employee to be engaged in the performance of services under these rules a copy of the statement required in paragraph (J)(i) above;

(iv) Notify each employee in the statement required by paragraph (J)(i) that, as a condition of employment to provide services under these rules, the employee shall abide by the terms of the statement and notify the employer of any criminal drug statute conviction for a violation occurring in the workplace no later than five days after the conviction;

(v) Notify the Authority within ten days after receiving notice under paragraph (J)(iv) from an employee or otherwise receiving actual notice of the conviction;

(vi) Impose a sanction on, or require the satisfactory participation in a drug abuse assistance or rehabilitation program by any employee who is convicted as required by Section 5154 of the Drug-Free Workplace Act of 1988;

(vii) Make a good-faith effort to continue a drug-free workplace through implementation of paragraphs (J)(i) through (J)(vi);

(viii) Require any subcontractor to comply with paragraphs (J)(i) through (J)(vii);

(ix) The provider, the provider’s employees, officers, agents, or subcontractors may not provide any service required under these rules while under the influence of drugs. For purposes of this provision, “under the influence” means observed abnormal behavior or impairments in mental or physical performance leading a reasonable person to believe the provider or provider’s employee, officer, agent, or subcontractor has used a controlled substance, prescription, or non-prescription medication that impairs the provider or provider’s employee, officer, agent, or subcontractor’s performance of essential job function or creates a direct threat to Authority clients or others. Examples of abnormal behavior include but are not limited to hallucinations, paranoia or violent outbursts. Examples of impairments in physical or mental performance include but are not limited to slurred speech, difficulty walking or performing job activities;

(x) Violation of any provision of this subsection may result in termination of the provider agreement.

(L) The provider must comply and require all sub-contractors to comply with the Pro-Children Act of 1994 (codified at 20 USC section 6081 et. seq.);

(M) A provider reimbursed or seeking reimbursement with Medicaid funds must comply with all applicable federal and state laws and regulations pertaining to the provision of Medicaid services under the Medicaid Act, Title XIX, 42 USC Section 1396 et. seq., including without limitation:

(i) Maintain necessary records to fully disclose the extent of the services provided to individuals receiving Medicaid assistance and must furnish the information to any state or federal agency responsible for administering the Medicaid program regarding any payments claimed by the provider or institution for providing Medicaid services as the state or federal agency may from time to time request. 42 USC Section 1396a(a)(27); 42 CFR 431.107(b)(1) & (2);

(ii) Comply with all disclosure requirements of 42 CFR 1002.3(a) and 42 CFR 455 Subpart (B);

(iii) Maintain written notices and procedures respecting advance directives in compliance with 42 USC Section 1396(a)(57) and (w), 42 CFR 431.107(b)(4), and 42 CFR 489 subpart I;

(iv) Certify when submitting any claim for the provision of Medicaid services that the information submitted is true, accurate and complete. The provider must acknowledge provider’s understanding that payment of the claim shall be from federal and state funds and that any falsification or concealment of a material fact may be prosecuted under federal and state laws.

(N) Providers must comply with the obligations intended for contractors under ORS 279B.220, 279B.225, 279B.230 and 279B.235 (if applicable), Providers shall, to the maximum extent economically feasible in the performance of covered services, use recycled paper (as defined in ORS 279A.010(1)(ee)), recycled PETE products (as defined in 279A.010(1)(ff)), and other recycled plastic resin products and recycled products (as “recycled product” is defined in 279A.010(1)(gg)).

(O) Providers must comply with all federal, state and local tax laws, including Social Security payment requirements, applicable to payments made by the Authority to the provider.

(2) Hospitals, nursing facilities, home health agencies (including those providing personal care), hospices, and health maintenance organizations shall comply with the Patient Self-Determination Act as set forth in Section 4751 of OBRA 1991. To comply with the obligation under the above listed laws to deliver information on the rights of the individual under Oregon law to make health care decisions, the named providers and organizations must provide capable individuals over the age of 18 a copy of “Your Right to Make Health Care Decisions in Oregon,” copyright 1993, by the Oregon State Bar Health Law Section. Out-of-state providers of these services must comply with Medicare and Medicaid regulations in their state. Submittal to the Authority of the appropriate billing form requesting payment for medical services provided to a Medicaid eligible client shall be deemed representation to the Authority of the medical provider’s compliance with the above-listed laws.

(3) Providers described in ORS chapter 419B must report suspected child abuse to their local Children, Adults and Families Division office or police, in the manner described in ORS chapter 419.

(4) The Clinical Laboratory Improvement Act (CLIA), requires all entities that perform even one laboratory test, including waived tests, on “materials derived from the human body for the purpose of providing information for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of, human beings” to meet certain federal requirements. If an entity performs tests for these purposes, it is considered, under CLIA, to be a laboratory.

[Publication: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0330

Billing Procedures

(1) These rules only apply to covered services and items provided to clients that are paid for by the Authority based on an Authority fee schedule or other reimbursement method (often referred to as fee-for-service), or for services that are paid for by the Authority at the request of a county for county-authorized services. .

(a) If a client’s service or item is paid for by a PHP, the provider must comply with the billing and procedures related to claim submission established under contract with that PHP, or the rules applicable to non-participating providers if the provider is not under contract with that PHP.

(b) If the client is enrolled in a PHP, but the client is permitted by a contract or program-specific rules to obtain covered services reimbursed by the Authority (such as family planning services that may be obtained from any provider), the provider must comply with the billing and claim procedures established under these rules.

(2) All Authority-assigned provider numbers are issued at enrollment and are directly associated with the provider as defined in OAR 943-120-0320(12) and have the following uses:

(a) Log-on identification for the Authority web portal;

(b) Claim submission in the approved paper formats; and

(c) For electronic claims submission including the web portal for atypical providers pursuant to 45 CFR 160 and 162 where an NPI is not mandated. Use of the Authority-assigned provider number shall be considered authorized by the provider and the provider shall be accountable for its use.

(3) Except as provided in section (4) below, an enrolled provider may not seek payment for any covered services from:

(a) A client for covered benefits; or

(b) A financially responsible relative or representative of that client.

(4) Providers may seek payment from an eligible client or client representative as follows:

(a) From any applicable coinsurance, co-payments, deductibles, or other client financial obligation to the extent and as expressly authorized by program-specific rules or contract;

(b) From a client who failed to inform the provider of Authority program eligibility, of OHP or PHP enrollment, or of other third party insurance coverage at the time the service was provided or subsequent to the provision of the service or item. In this case, the provider may not bill the Authority, the PHP, or third party payer for any reason, including but not limited to timeliness of claims and lack of prior authorization. The provider must document attempts to obtain information on eligibility or enrollment;

(c) The client became eligible for Authority benefits retroactively but did not meet other established criteria described in the applicable program-specific rules or contracts.

(d) The provider may document that a TPR made payments directly to the client for services provided that are subject to recovery by the provider.;

(e) The service or item is not covered under the client’s benefit package. The provider must document that prior to the delivery of services or items, the provider informed the client the service or item would not be covered by the Authority;

(f) The client requested continuation of benefits during the administrative hearing process and the final decision was not in favor of the client. The client shall be responsible for any charges since the effective date of the initial notice of denial; or

(g) In exceptional circumstances, a client may request continuation of a covered service while asserting the right to privately pay for that service. Under this circumstance, a provider may bill the client for a covered service only if the client is informed in advance of receiving the specific service of all of the following:

(A) The requested service is a covered service and the provider would be paid in full for the covered service if the claim is submitted to the Authority or the client’s PHP;

(B) The estimated cost of the covered service, including all related charges, that the Authority or PHP would pay, and for which the client is billed cannot be an amount greater than the maximum Authority or PHP reimbursable rate or PHP rate;

(C) The provider may not require the client to enter into a voluntary payment agreement for any amount for the covered service; and

(D) The provider must be able to document, in writing, signed by the client or the client’s representative, that the client was provided the information described above; was provided an opportunity to ask questions, obtain additional information, and consult with the client’s caseworker or client representative; and the client agreed to be responsible for payment by signing an agreement incorporating all of the information described above. The provider must provide a copy of the signed agreement to the client. The provider may not submit a claim for payment for the service or item to the Authority or to the client’s PHP that is subject to such an agreement.

(5) Reimbursement for Non-Covered Services.

(a) A provider may bill a client for services that are not covered by the Authority or a PHP, except as provided in these rules. The client must be informed in advance of receiving the specific service that it is not covered, the estimated cost of the service, and that the client or client’s representative is financially responsible for payment for the specific service. Providers must provide written documentation, signed by the client, or the client’s representative, dated prior to the delivery of services or item indicating that the client was provided this information and that the client knowingly and voluntarily agreed to be responsible for payment.

(b) Providers may not bill or accept payment from the Authority or a PHP for a covered service when a non-covered service has been provided and additional payment is sought or accepted from the client. Examples include but are not limited to charging the client an additional payment to obtain a gold crown (not covered) instead of the stainless steel crown (covered) or charging an additional client payment to obtain eyeglass frames not on the covered list of frames. This practice is called buying-up, which is prohibited , and a provider may be sanctioned for this practice regardless of whether a client waiver is documented.

(d) Providers may not bill clients or the Authority for services or items provided free of charge. This limitation does not apply to established sliding fee schedules where the client is subject to the same standards as other members of the public or clients of the provider.

(e) Providers may not bill clients for services or items that have been denied due to provider error such as required documentation not submitted or prior authorization not obtained.

(6) Providers must verify that the individual receiving covered services is, in fact, an eligible client on the date of service for the service provided and that the services is covered in the client’s benefit package.

(a) Providers shall pay for costs incurred for failing to confirm eligibility or that services are covered.

(b) Providers must confirm the Authority’s client eligibility and benefit package coverage using the web portal, or the Authority telephone eligibility system, and by other methods specified in program-specific or contract instructions.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0340

Claim and PHP Encounter Submission

(1) All claims must be submitted using one of the following methods:

(a) Paper forms, using the appropriate form as described in the program-specific rules or contract;

(b) Electronically, using the web portal accessed by provider-specific PIN and password. Initial activation by provider of Authority-assigned provider number and PIN for web portal access invokes provider’s agreement to meet all of the standards for HIPAA privacy, security, and transactions and codes sets standards as defined in 45 CFR 162;

(d) Electronically, for PHP encounters, in the manner required by the PHP contract with the Authority and authorized by the Authority’s EDT rules.

(2) Claims may not be submitted prior to delivery of service unless otherwise authorized by program-specific rules or contracts. A claim for an item may not be submitted prior to dispensing, shipping, or mailing the item unless otherwise specified in the Authority’s program-specific rules or contracts.

(3) Claims and PHP encounters must be submitted in compliance HIPAA transaction and code set rules. The HIPAA transaction and code set rules, 45 CFR 162, apply to all electronic transactions for which DHHS has adopted a standard.

(a) The Authority may deny or reject electronic transactions that fail to comply with the federal standard.

(b) The Authority shall comply with the HIPAA code set requirements in 45 CFR 162.1000 through 162.1011, regardless of whether a request is made verbally, or a claim is submitted on paper or electronically, and with regard to the electronic claims and encounter remittance advice information, including the web portal. Compliance with the code set requirements includes the codes and the descriptors of the codes established by the official entity that maintains the code set. These federal code set requirements are mandatory and the Authority may not delay or alter their application or effective dates established by DHHS.

(A) The issuance of a federal code does not mean that the Authority covers the item or service described by the federal code. When there is a variation between an Authority-listed code and a national code, the provider may seek clarification from the Authority program. The Authority shall apply the national code in effect on the date of request or date of service and the Authority-listed code may be used for the limited purpose of describing the Authority’s intent in identifying whether the applicable national code represents an Authority covered service or item.

(B) For purposes of maintaining HIPAA code set compliance, the Authority adopts by reference the required use of the version of all national code set revisions, deletions, and additions pursuant to the HIPAA transaction and code set rules in effect on the date of this rule. This code set adoption may not be construed as Authority coverage or that the existence of a particular national code constitutes a determination by the Authority that the particular code is a covered service or item. If the provider is unable to identify an appropriate procedure code to use on the claim or PHP encounter, the provider may contact the Authority for assistance in identifying an appropriate procedure code reference in but not limited to the following:

(i) Current Procedural Terminology, Fourth Edition (CPT-4), (American Medical Association);

(ii) Current Dental Terminology (CDT), (American Dental Association);

(iii) Diagnosis Related Group (DRG), (DHHS);

(iv) Health Care Financing Administration Common Procedural Coding System (HCPCS), (DHHS);

(v) National Drug Codes (NDC), (DHHS); or

(vi) HIPAA related codes, DHHS, claims adjustment reason, claim status, taxonomy codes, and decision reason available at the Washington Publishing Company web site: http://www.wpc.edi.com/content/view/180/223.

(C) For electronic claims and PHP encounters, the appropriate HIPAA claim adjustment reason code for third party payer, including Medicare, explanation of payment must be used.

(A) For claims and PHP encounters that require the listing of a diagnosis code as the basis for the service provided, the code listed on the claim must be the code that most accurately describes the client’s condition and the service or item provided.

(B) A primary diagnosis code is required on all claims, using the HIPAA nationally required diagnosis code set including the code and the descriptor of the code by the official entity that maintains the code set, unless the requirement for a primary diagnosis code is specifically excluded in the Authority’s program-specific rules or contract. All diagnosis codes must be provided to the highest degree of specificity. Providers must use the ICD-9-CM diagnosis coding system when a diagnosis is required unless otherwise specified in the appropriate program-specific rules or contract.

(C) Hospitals must follow national coding guidelines and must bill using the 5th digit, in accordance with methodology used in the Medicare Diagnosis Related Groups.

(d) Providers must provide and identify the following procedures codes.

(A) The appropriate procedure code on claims and PHP encounters as instructed in the appropriate Authority program-specific rules or contract and must use the appropriate HIPAA procedure code set, set forth in 45 CFR 162.1000 through 162.1011, which best describes the specific service or item provided.

(B) Where there is one CPT, CDT, or HCPCS code that according to those coding guidelines or standards, describes an array of services, the provider must use that code rather than itemizing the services under multiple codes. Providers must not “unbundle” services in order to increase payment or to mischaracterize the service.

(4) No provider or its contracted agent (including billing service or billing agent) shall submit or cause to be submitted to the Authority:

(a) Any false claim for payment or false PHP encounter;

(b) Any claim or PHP encounter altered in such a way as to result in a duplicate payment for a service that has already been paid;

(c) Any claim or PHP encounter upon which payment has been made or is expected to be made by another source unless the amount paid or to be paid by the other party is clearly entered on the claim form or PHP encounter format; or

(d) Any claim or PHP encounter for providing services or items that have not been provided.

(5) Third Party Resources.

(a) A provider may not refuse to furnish covered services or items to an eligible client because of a third party’s potential liability for the service or item.

(b) Providers must take all reasonable measures to ensure that the Authority shall be the payer of last resort. If available, private insurance, Medicare, or worker’s compensation must be billed before the provider submits a claim for payment to the Authority, county, or PHP. For services provided to a Medicare and Medicaid dual eligible client, Medicare is the primary payer and the provider must first pursue Medicare payment (including appeals) prior to submitting a claim for payment to the Authority, county, or PHP. For services not covered by Medicare or other third party resource, the provider must follow the program-specific rules or contracts for appropriate billing procedures.

(c) When another party may be liable for paying the expenses of a client’s injury or illness, the provider must follow program-specific rules or contract addressing billing procedures.

(6) Full Use of Alternate Community Resources.

(a) The Authority shall generally make payment only when other resources are not available for the client’s needs. Full use must be made of reasonable alternate resources in the local community; and

(b) Providers must not accept reimbursement from more than one resource for the same service or item, except as allowed in program-specific or contract TPR requirements.

(7) Timely Submission of Claim or Encounter Data.

(a) Subsection (a) through (c) below apply only to the submission of claims data or other reimbursement document to the Authority, including provider reimbursement by the Authority pursuant to an agreement with a county. Unless requirements for timely filing provided for in program-specific rules or applicable contracts are more specific than the timely filing standard established in this rule, all claims for services or items must be submitted no later than 12 months from the date of service.

(b) A denied claim submitted within 12 months of the date of service may be resubmitted (with resubmission documentation, as indicated within the program-specific rules or contracts) within 18 months of the date of service. These claims must be submitted to the Authority in writing. The provider must present documentation acceptable to the Authority verifying the claim was originally submitted within 12 months of the date of service, unless otherwise stated in program-specific rules or contracts. Acceptable documentation is:

(A) A remittance advice or other claim denial documentation from the Authority to the provider showing the claim was submitted before the claim was one year old; or

(B) A copy of a billing record or ledger showing dates of submission to the Authority.

(A) When the Authority confirms the Authority or the client’s branch office has made an error that caused the provider not to be able to bill within 12 months of the date of service;

(B) When a court or an administrative law judge in a final order has ordered the Authority to make payment;

(C) When the Authority determines a client is retroactively eligible for Authority program coverage and more than 12 months have passed between the date of service and the determination of the client’s eligibility, to the extent authorized in the program-specific rules or contracts.

(d) PHP encounter data must be submitted pursuant to 45 CFR part 162.1001 and 162.1102 and the time periods established in the PHP contract with the Authority.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0350

Payments and Overpayments

(1) Payment Authorization.

(a) Some services or items covered by the Authority require authorization before a service, item, or level of care can be provided or before payment shall be made. Providers must check the appropriate program-specific rules or contracts for information on services or items requiring prior authorization and the process to follow to obtain authorization.

(b) Documentation submitted when requesting authorization must support the program-specific or contract justification for the service, item, or level of care. A request is considered complete if it contains all necessary documentation and meets any other requirements as described in the appropriate program-specific rules or contract.

(c) The authorizing program shall authorize the covered level of care, type of service, or item that meets the client’s program-eligible need. The authorizing program shall only authorize services which meet the program-specific or contract coverage criteria and for which the required documentation has been submitted. The authorizing program may request additional information from the provider to determine the appropriateness of authorizing the service, item, or level of care within the scope of program coverage.

(d) Authorizing programs may not authorize services or make payment for authorized services when:

(A) The client was not eligible at the time services were provided. The provider must check the client’s eligibility each time services are provided;

(B) The provider cannot produce appropriate documentation to support that the level of care, type of service, or item meets the program-specific or contract criteria, or the appropriate documentation was not submitted to the authorizing program;

(C) The delivery of the service, item, or level of care has not been adequately documented as described in OAR 943-120-0370. Requirements for financial, clinical and other records, and the documentation in the provider’s files is not adequate to determine the type, medical appropriateness, or quantity of services, or items provided or the required documentation is not in the provider’s files;

(D) The services or items identified in the claim are not consistent with the information submitted when authorization was requested or the services or items provided are retrospectively determined not to be authorized under the program-specific or contract criteria;

(E) The services or items identified in the claim are not consistent with those which were provided;

(F) The services or items were not provided within the timeframe specified on the authorization of services document; or

(G) The services or items were not authorized or provided in compliance with the program-specific rules or contracts.

(e) Payment made for services or items described in subsections (d)(A) through (G) of this rule shall be recovered.

(f) Retroactive Authority Client Eligibility.

(A) When a client is determined to be retroactively eligible for an Authority program, or is retroactively disenrolled from a PHP or services provided after the client was disenrolled from a PHP, authorization for payment may be given if the following conditions are met:

(i) The client was eligible on the date of service and the program-specific rules or contract authorize the Authority to reimburse the provider for services provided to clients made retroactively eligible;

(ii) The services or items provided to the client meet all other program-specific or contract criteria and Oregon Administrative Rules;

(iii) The request for authorization is received by the appropriate Authority branch or program office within 90 days of the date of service; and

(iv) The provider is enrolled with the Authority on the date of service, or becomes enrolled with the Authority no later than the date of service as provided in OAR 943-120-0320(11).

(B) Requests for authorization received after 90 days from date of service require all the documentation required in subsection (f)(A)(i), (ii) and (iv) and documentation from the provider stating why the authorization could not have been obtained within 90 days of the date of service.

(g) Service authorization is valid for the time period specified on the authorization notice, but shall not exceed 12 months, unless the client’s benefit package no longer covers the service, in which case the authorization terminates on the date coverage ended.

(h) Service authorization for clients with other insurance or for Medicare beneficiaries is governed by program-specific rules or contracts.

(2) Payments.

(a) This rule only applies to covered services and items provided to eligible clients within the program-specific or contract covered services or items in effect on the date of service that are paid for by the Authority based on program-specific or contract fee schedules or other reimbursement methods, or for services that are paid for by the Authority at the request of a county for county-authorized services.

(b) If the client’s service or item is paid for by a PHP, the provider must comply with the payment requirements established under contract with that PHP, and pursuant to OAR 410-120 and 410-141, applicable to non-participating providers.

(c) The Authority shall pay for services or items based on the reimbursement rates and methods specified in the applicable program-specific rules or contract. Provider reimbursement on behalf of a county must include county service authorization information.

(d) Providers must accept, as payment in full, the amounts paid by the Authority pursuant to the fee schedule or reimbursement method specified in the program-specific rules or contract, plus any deductible, co-payment, or coinsurance required to be paid by the client. Payment in full includes:

(A) Zero payments for claims where a third party or other resource has paid an amount equivalent to or exceeding the Authority’s allowable payment; or

(B) Denials of payment for failure to submit a claim in a timely manner, failure to obtain payment authorization in a timely and appropriate manner, or failure to follow other required procedures identified in the program-specific rules or contracts.

(e) The Authority may not make payments for duplicate services or items. The Authority may not make a separate payment or co-payment to a provider for services included in the provider’s all-inclusive rate if the provider has been or shall be reimbursed by other resources for the service or item.

(f) Payment by the Authority does not limit the Authority or any state or federal oversight entity from reviewing or auditing a claim before or after the payment. Payment may be denied or subject to recovery if medical, clinical, program-specific or contract review, audit, or other post-payment review determines the service or item was not provided in accordance with applicable rules or contracts or does not meet the program-specific or contract criteria for quality of care, or appropriateness of the care, or authorized basis for payment.

(3) Recovery of Overpayments to Providers -- Recoupments and Refunds

(a) The Authority may deny payment or may deem payments subject to recovery as an overpayment if a review or audit determines the item or service was not provided pursuant to the Authority’s rules, terms of contract, or does not meet the criteria for quality of care, or appropriateness of the care or payment. Related provider billings shall also be denied or subject to recovery.

(b) If a provider determines that a submitted claim or encounter is incorrect, the provider must submit an individual adjustment request and refund the amount of the overpayment, if any, or adjust the claim or encounter.

(c) The Authority may determine, as a result of review or other information, that a payment should be denied or that an overpayment has been made to a provider, which indicates that a provider may have submitted claims or encounters, or received payment to which the provider is not properly entitled. The payment denial or overpayment determinations may be based on but not limited to the following:

(A) The Authority paid the provider an amount in excess of the amount authorized under a contract, state plan or Authority rule;

(B) A third party paid the provider for services, or portion thereof, previously paid by the Authority;

(D) The Authority paid for claims submitted by a data processing agent for whom a written provider or billing agent or billing service agreement was not on file at the time of submission;

(E) The Authority paid for services and later determined they were not part of the client’s program-specific or contract-covered services;

(F) Coding, data processing submission, or data entry errors;

(G) Medical, dental, or professional review determines the service or item was not provided pursuant to the Authority’s rules or contract or does not meet the program-specific or contract criteria for coverage, quality of care, or appropriateness of the care or payment;

(H) The Authority paid the provider for services, items, or drugs when the provider did not comply with the Authority’s rules and requirements for reimbursement; or

(I) The provider submitted inaccurate, incomplete or false encounter data to the Authority.

(d) Prior to identifying an overpayment, the Authority may contact the provider requesting preliminary information and additional documentation. The provider must provide the requested documentation within the specified time frame.

(e) When an overpayment is identified, the Authority shall notify the provider in writing as to the nature of the discrepancy, the method of computing the overpayment, and any further action that the Authority may take on the matter. The notice may require the provider to submit applicable documentation for review prior to requesting an appeal from the Authority, and may impose reasonable time limits for when documentation must be provided for Authority consideration. The notice shall inform the provider of the process for appealing the overpayment determination.

(f) The Authority may recover overpayments made to a provider by direct reimbursement, offset, civil action, or other legal action:

(A) The provider must make a direct reimbursement to the Authority within 30 calendar days from the date of the notice of the overpayment, unless other regulations apply.

(B) The Authority may grant the provider an additional period of time to reimburse the Authority upon written request made within 30 calendar days from the date of the notice of overpayment. The provider must include a statement of the facts and reasons sufficient to show that repayment of the overpayment amount should be delayed pending appeal because:

(i) The provider shall suffer irreparable injury if the overpayment notice is not delayed;

(ii) There is a reason to believe that the overpayment is incorrect or is less than the amount in the notice, and the provider has timely filed an appeal of the overpayment, or that the provider accepts the amount of the overpayment but is requesting to make repayment over a period of time;

(iii) A proposed method for assuring that the amount of the overpayment can be repaid when due with interest including but not limited to a bond, irrevocable letter of credit, or other undertaking, or a repayment plan for making payments, including interest, over a period of time;

(iv) Granting the delay shall not result in substantial public harm; and

(v) Affidavits containing evidence relied upon in support of the request for stay.

(C) The Authority may consider all information in the record of the overpayment determination, including provider cooperation with timely provision of documentation, in addition to the information supplied in provider’s request. If provider requests a repayment plan, the Authority may require conditions acceptable to the Authority before agreeing to a repayment plan. The Authority must issue an order granting or denying a repayment delay request within 30 calendar days after receiving it;

(D) A request for hearing or administrative review does not change the date the repayment of the overpayment is due; and

(E) The Authority may withhold payment on pending claims and on subsequently received claims for the amount of the overpayment when overpayments are not paid as a result of paragraph (B)(i);

(f) In addition to any overpayment, the Authority may impose a sanction on the provider in connection with the actions that resulted in the overpayment. The Authority may, at its discretion, combine a notice of sanction with a notice of overpayment.

(g) Voluntary submission of an adjustment claim or encounter transaction or an individual adjustment request or overpayment amount after notice from the Authority does not prevent the Authority from issuing a notice of sanction The Authority may take such voluntary payment into account in determining the sanction.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0360

Consequences of Non-Compliance and Provider Sanctions

(1) There are two classes of provider sanctions, mandatory and discretionary, that may be imposed for non-compliance with the provider enrollment agreement.

(2) Except as otherwise provided, the Authority shall impose provider sanctions at the direction of the Authority’s division director or designee, whose budget includes payment for the services involved.

(3) Mandatory Sanctions. The Authority shall impose mandatory sanctions and suspend the provider from participation in the Authority’s programs:

(a) When a provider has been convicted (as that term is defined in 42 CFR part 1001.2) of a felony or misdemeanor related to a crime, or violation of Title XVIII, XIX, or XX of the Social Security Act or related state laws, or other disqualifying criminal conviction pursuant to program-specific rules or contract;

(b) When a provider is excluded from participation in federal or state health care programs by the Office of the Inspector General of DHHS or from the Medicare (Title XVIII) program of the Social Security Act as determined by the Secretary of DHHS. The provider shall be excluded and suspended from participation with the Authority for the duration of exclusion or suspension from the Medicare program or by the Office of the Inspector General; or

(c) If the provider fails to disclose ownership or control information required under 42 CFR part 455.104 that must be reported at the time the provider submits a provider enrollment form or when there is a material change in the information that must be reported, or information related to business transactions required to be provided under 42 CFR part 455.105 upon request of federal or state authorities.

(4) Discretionary Sanctions. When the Authority determines the provider fails to meet one or more of the Authority’s requirements governing participation in its programs the Authority may impose discretionary sanctions. Conditions that may result in a discretionary sanction include, but are not limited to when a provider has:

(a) Been convicted of fraud related to any federal, state, or locally financed health care program or committed fraud, received kickbacks, or committed other acts that are subject to criminal or civil penalties under the Medicare or Medicaid statutes;

(b) Been convicted of interfering with the investigation of health care fraud;

(c) Been convicted of unlawfully manufacturing, distributing, prescribing, or dispensing a controlled substance or other potentially disqualifying crime, as determined under program-specific rules or contracts;

(d) By actions of any state licensing authority for reasons relating to the provider’s professional competence, professional conduct, or financial integrity either:

(A) Had the professional license suspended or revoked, or otherwise lost such license; or

(B) Surrendered the license while a formal disciplinary proceeding is pending before the relevant licensing authority.

(e) Been suspended or excluded from participation in any federal or state program for reasons related to professional competence, professional performance, or other reason;

(f) Billed excessive charges including but not limited to charging in excess of the usual charge, furnished items or services in excess of the client’s needs or in excess of those services ordered by a provider, or in excess of generally accepted standards or quality that fail to meet professionally recognized standards;

(g) Failed to furnish necessary covered services as required by law or contract with the Authority if the failure has adversely affected or has a substantial likelihood of adversely affecting the client;

(h) Failed to disclose required ownership information;

(i) Failed to supply requested information on subcontractors and suppliers of goods or services;

(j) Failed to supply requested payment information;

(k) Failed to grant access or to furnish as requested, records, or grant access to facilities upon request of the Authority or the MFCU conducting their regulatory or statutory functions;

(l) In the case of a hospital, failed to take corrective action as required by the Authority, based on information supplied by the QIO to prevent or correct inappropriate admissions or practice patterns, within the time specified by the Authority;

(m) In the case of a licensed facility, failed to take corrective action under the license as required by the Authority within the time specified by the Authority;

(n) Defaulted on repayment of federal or state government scholarship obligations or loans in connection with the provider’s health profession education;

(A) Providers must have made a reasonable effort to secure payment;

(B) The Authority must take into account access of beneficiaries to services; and

(o) Repeatedly submitted a claim with required data missing or incorrect:

(A) When the missing or incorrect data has allowed the provider to:

(i) Obtain greater payment than is appropriate;

(ii) Circumvent prior authorization requirements;

(iii) Charge more than the provider’s usual charge to the general public;

(iv) Receive payments for services provided to individuals who were not eligible; or

(v) Establish multiple claims using procedure codes that overstate or misrepresent the level, amount, or type of services or items provided.

(B) Does not comply with the requirements of OAR 410-120-1280.

(p) Failed to develop, maintain, and retain, pursuant to relevant rules and standards, adequate clinical or other records that document the client’s eligibility and coverage, authorization (if required by program-specific rules or contracts), appropriateness, nature, and extent of the services or items provided;

(q) Failed to develop, maintain, and retain pursuant to relevant rules and standards, adequate financial records that document charges incurred by a client and payments received from any source;

(r) Failed to develop, maintain, and retain adequate financial or other records that support information submitted on a cost report;

(s) Failed to follow generally accepted accounting principles or accounting standards or cost principles required by federal or state laws, rules, or regulations;

(t) Submitted claims or written orders contrary to generally accepted standards of professional practice;

(u) Submitted claims for services that exceed the requested or agreed upon amount by the OHP client, the client representative, or requested by another qualified provider;

(v) Breached the terms of the provider contract or agreement;

(w) Failed to comply with the terms of the provider certifications on the claim form;

(x) Rebated or accepted a fee or portion of a fee for a client referral; or collected a portion of a service fee from the client and billed the Authority for the same service;

(y) Submitted false or fraudulent information when applying for an Authority-assigned provider number, or failed to disclose information requested on the provider enrollment form;

(z) Failed to correct deficiencies in operations after receiving written notice of the deficiencies from the Authority;

(aa) Submitted any claim for payment for which the Authority has already made payment or any other source unless the amount of the payment from the other source is clearly identified;

(bb) Threatened, intimidated, or harassed clients, client representatives, or client relatives in an attempt to influence payment rates or affect the outcome of disputes between the provider and the Authority;

(cc) Failed to properly account for a client’s personal incidental funds including but not limited to using a client’s personal incidental funds for payment of services which are included in a medical facility’s all-inclusive rates;

(dd) Provided or billed for services provided by ineligible or unsupervised staff;

(ee) Participated in collusion that resulted in an inappropriate money flow between the parties involved;

(ff) Refused or failed to repay, in accordance with an accepted schedule, an overpayment established by the Authority;

(gg) Failed to report to Authority payments received from any other source after the Authority has made payment for the service; or

(hh) Collected or made repeated attempts to collect payment from clients for services covered by the Authority, under OAR 410-120-1280.

(5) A provider who has been excluded, suspended, or terminated from participation in a federal or state medical program, such as Medicare or Medicaid, or whose license to practice has been suspended or revoked by a state licensing board, may not submit claims for payment, either personally or through claims submitted by any billing agent or service, billing provider or other provider, for any services or supplies provided under the medical assistance programs, except those services or supplies provided prior to the date of exclusion, suspension or termination.

(6) Providers may not submit claims for payment to the Authority for any services or supplies provided by an individual or provider entity that has been excluded, suspended, or terminated from participation in a federal or state medical program, such as Medicare or Medicaid, or whose license to practice has been suspended or revoked by a state licensing board, except for those services or supplies provided prior to the date of exclusion, suspension or termination.

(7) When the provisions of sections (5) or (6) are violated, the Authority may suspend or terminate the billing provider or any provider who is responsible for the violation.

(8) Sanction Types and Conditions.

(a) A mandatory sanction imposed by the Authority pursuant to section (3) may result in any of the following:

(A) The provider shall either be terminated or suspended from participation in the Authority’s programs. No payments of Title XIX, Title XXI or other federal or state funds shall be made for services provided after the date of termination. Termination is permanent unless:

(i) The exceptions cited in 42 CFR part 1001.221 are met; or

(ii) Otherwise stated by the Authority at the time of termination.

(B) No payments of Title XIX, Title XXI, or other federal or state funds shall be made for services provided during the suspension. The Authority shall automatically reactivate the provider number y after the suspension period has elapsed if the conditions that caused the suspension have been resolved. The minimum duration of a suspension shall be determined by the DHHS Secretary, under the provisions of 42 CFR parts 420, 455, 1001, or 1002. The Authority may suspend a provider from participation in the medical assistance programs longer than the minimum suspension determined by the DHHS secretary.

(b) The Authority may impose the following discretionary sanctions on a provider pursuant to OAR 410-120-1400(4):

(A) The provider may be terminated from participation in the Authority’s programs. No payments of Title XIX, Title XXI or other federal or state funds shall be made for services provided after the date of termination. Termination is permanent unless:

(i) The exceptions cited in 42 CFR part 1001.221 are met; or

(ii) Otherwise stated by the Authority at the time of termination.

(B) The provider may be suspended from participation in the Authority’s programs for a specified length of time, or until specified conditions for reinstatement are met and approved by the Authority. No payments of Title XIX, Title XXI, or other federal or state funds shall be made for services provided during the suspension. The Authority shall automatically reactivate the provider number after the suspension period has elapsed if the conditions that caused the suspension have been resolved.

(D) The provider may be required to attend provider education sessions at the expense of the sanctioned provider;

(E) The Authority may require that payment for certain services are made only after the Authority has reviewed documentation supporting the services;

(F) The Authority may require repayment of amounts paid or provide for reduction of any amount otherwise due the provider; and

(G) Any other sanctions reasonably designed to remedy or compel future compliances with federal, state, or Authority regulations.

(c) The Authority shall consider the following factors in determining the sanction to be imposed. Factors include but are not limited to:

(A) Seriousness of the offense;

(B) Extent of violations by the provider;

(D) Prior imposition of sanctions;

(E) Prior provider education;

(F) Provider willingness to comply with program rules;

(G) Actions taken or recommended by licensing boards or a QIO;

(H) Adverse impact on the availability of program-specific or contract covered services or the health of clients living in the provider’s service area; and

(I) Potential financial sanctions related to the non-compliance may be imposed in an amount that is reasonable in light of the anticipated or actual harm caused by the non-compliance, the difficulties of proof of loss, and the inconvenience or non-feasibility of otherwise obtaining an adequate remedy.

(d) When a provider fails to meet one or more of the requirements identified in OAR 943-120-0300 through 943-120-0400, the Authority, in its sole discretion, may immediately suspend the provider’s Authority assigned billing number and any electronic system access code to prevent public harm or inappropriate expenditure of public funds.

(A) The provider subject to immediate suspension is entitled to a contested case hearing pursuant to ORS 183 to determine whether the provider’s Authority assigned number and electronic system access code may be revoked; and

(B) The notice requirements described in section (5) of this rule do not preclude immediate suspension, in the Authority’s sole discretion, to prevent public harm or inappropriate expenditure of public funds. Suspension may be invoked immediately while the notice and contested case hearing rights are exercised.

(e) If the Authority sanctions a provider, the Authority shall notify the provider by certified mail or personal delivery service of the intent to sanction. The notice of immediate or proposed sanction shall identify:

(A) The factual basis used to determine the alleged deficiencies and a reference to the particular sections of the statutes and rules involved;

(B) Explanation of actions expected of the provider;

(D) The provider’s right to dispute the Authority’s allegations and submit evidence to support the provider’s position;

(E) The provider’s right to appeal the Authority’s proposed actions pursuant to ORS 183;

(F) A statement of the authority and jurisdiction under which the appeal may be requested and description of the procedure and time to request an appeal; and

(G) A statement indicating whether and under what circumstances an order by default may be entered.

(f) If the Authority decides to sanction a provider, the Authority shall notify the provider in writing at least 15 days before the effective date of action, except in the case of immediate suspension to avoid public harm or inappropriate expenditure of funds.

(g) The provider may appeal the Authority’s immediate or proposed sanction or other actions the Authority intends to take. The provider must appeal this action separately from any appeal of audit findings and overpayments. These include but are not limited to the following:

(A) Termination or suspension from participation in the Medicaid-funded medical assistance programs;

(B) Termination or suspension from participation in the Authority’s state-funded programs; or

(h) Other provisions:

(A) When a provider has been sanctioned, all other provider entities in which the provider has ownership of five percent or greater, or control of, may also be sanctioned;

(B) When a provider has been sanctioned, the Authority may notify the applicable professional society, board of registration or licensure, federal or state agencies, OHP, PHP’s, and the National Practitioner Data Base of the findings and the sanctions imposed;

(C) At the discretion of the Authority, providers who have previously been sanctioned or suspended may or may not be re-enrolled as Authority providers;

(D) Nothing in this rule prevents the Authority from simultaneously seeking monetary recovery and imposing sanctions against the provider;

(E) Following a contested case hearing in which a provider has been found to violate ORS 411.675, the provider shall be liable to the Authority for treble the amount of payments received as a result of each violation.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0370

Requirements for Financial, Clinical, and Other Records

(1) The Authority shall analyze and monitor the operation of its programs and audit and verify the accuracy and appropriateness of payment, utilization of services, or items.

(2) The Authority shall comply with client coverage criteria and requirements for the level of care or service or item authorized or reimbursed by the Authority and the quality of covered services or items and service or item delivery, and access to covered services or items.

(3) The provider and the provider’s designated billing service or other entity responsible for the maintenance of financial, service delivery, and other records must:

(a) Develop and maintain adequate financial and service delivery records and other documentation which supports the specific care, items, or services for which payment has been requested. The Authority may not make payment for services that are not adequately documented. The following documentation must be completed before the service is billed to the Authority:

(A) All records documenting the specific service provided, the number of services or items comprising the service provided, the extent of the service provided, the dates on which the service was provided, and identification of the individual who provided the service. Patient account and financial records must also include documentation of charges, identify other payment resources pursued, indicate the date and amount of all debit or credit billing actions, and support the appropriateness of the amount billed and paid. For cost reimbursed services, the provider must maintain adequate records to thoroughly and accurately explain how the amounts reported on the cost statement were determined.

(B) Service delivery, clinical records, and visit data, including records of all therapeutic services, must document the basis for service delivery and record visit data if required under program-specific rules or contracts. A client’s clinical record must be annotated each time a service is provided and signed or initialed by the individual providing the service or must clearly identify the individual providing the service. Information contained in the record must be sufficient in quality and quantity to meet the professional standards applicable to the provider or practitioner and any additional standards for documentation found in this rule, program-specific rules, and any pertinent contracts.

(C) All information about a client obtained by the provider or its officers, employees, or agents in the performance of covered services, including information obtained in the course of determining eligibility, seeking authorization, and providing services, is confidential. The client information must be used and disclosed only to the extent necessary to perform these functions.

(b) Implement policies and procedures to ensure confidentiality and security of the client’s information. These procedures must ensure the provider may release such information pursuant to program-specific federal and state statutes or contract, which may include but is not limited to, ORS 179.505 to 179.507, 411.320, 433.045, 42 CFR part 2, 42 CFR part 431 subpart F, 45 CFR 205.50, and ORS 433.045(3) with respect to HIV test information.

(A) A provider’s electronic record-keeping system includes electronic transactions governed by HIPAA transaction and code set requirements and records, documents, documentation, and information include all information, whether maintained or stored in electronic media, including electronic record-keeping systems, and information stored or backed up in an electronic medium.

(B) If a provider maintains financial or clinical records electronically, the provider must be able to provide the Authority with hard-copy versions. The provider must also be able to provide an auditable means of demonstrating the date the record was created and the identity of the creator of a record, the date the record was modified, what was changed in the record and the identity of any individual who has modified the record. The provider must supply the information to individuals authorized to review the provider’s records under subsection (e) of this rule.

(C) Providers may comply with the documentation review requirements in this rule by providing the electronic record in an electronic format acceptable to an authorized reviewer. The authorized reviewer must agree to receive the documentation electronically.

(d) Retain service delivery, visit, and clinical records for seven years and all other records described in this rule, program-specific rules and contract for at least five years from the date of service.

(e) Furnish requested documentation (including electronically recorded information or information stored or backed up in an electronic medium) immediately or within the time-frame specified in the written request received from the Authority, the Oregon Secretary of State, DHHS or other federal funding agency, Office of Inspector General, the Comptroller General of the United States (for federally funded programs), MFCU (for Medicaid-funded services or items), or the client representative. Copies of the documents may be furnished unless the originals are requested. At their discretion, official representatives of the Authority, Medicaid Fraud Unit, DHHS, or other authorized reviewers may review and copy the original documentation in the provider’s place of business. Upon written request of the provider, the program or the unit, may, at its sole discretion, modify or extend the time for provision of such records if, in the opinion of the program or unit good cause for such extension is shown. Factors used in determining if good cause exists include:

(A) Whether the written request was made prior to the deadline for production;

(B) If the written request is made after the deadline for production, the amount of time lapsed since that deadline;

(D) The reasons the deadline cannot be met;

(E) The degree of control that the provider had over its ability to produce the records prior to the deadline; and

(F) Other extenuating factors.

(f) Except as otherwise provided access to records, inclusive of clinical charts and financial records does not require authorization or release from the client, if the purpose of the access is:

(A) To perform billing review activities;

(B) To perform utilization review activities;

(D) To facilitate service authorization and related services;

(E) To investigate a client’s hearing request;

(F) To facilitate investigation by the MFCU or DHHS; or

(G) To review records necessary to the operation of the program.

(g) Failure to comply with requests for documents within the specified time-frame means that the records subject to the request may be deemed by the Authority not to exist for purposes of verifying appropriateness of payment, clinical appropriateness, the quality of care, and the access to care in an audit or overpayment determination, and subjects the provider to possible denial or recovery of payments made by the Authority or to sanctions.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0380

Fraud and Abuse

(1) Providers shall promptly refer all suspected fraud and abuse, including fraud or abuse by its employees or in Authority administration, to the MFCU, or to the Authority’s audit unit.

(2) Providers must permit the MFCU and the Authority to inspect, copy, evaluate, or audit books, records, documents, files, accounts, and facilities, without charge, as required to investigate allegations or incidents of fraud or abuse.

(3) Providers aware of suspected fraud or abuse by a client must report the incident to the Authority’s fraud unit.

(4) The Authority may share information for health oversight purposes with the MFCU and other federal or state health oversight authorities.

(5) The Authority may take actions necessary to investigate and respond to substantiated allegations of fraud and abuse including but not limited to suspending or terminating the provider from participation in the Authority’s programs, withholding payments or seeking recovery of payments made to the provider, or imposing other sanctions provided under state law or regulations. Such actions by the Authority may be reported to CMS or other federal or state entities as appropriate.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0400

MMIS Replacement Communication Plan

(1) The purpose of this rule is to describe the Authority’s plan for communicating instructions and guidance related to the Authority’s implementation of the replacement MMIS that began on December 9, 2008. System issues are anticipated to be identified for a period of time during and after implementation. This rule is adopted to be effective retroactively to December 9, 2008 for the purpose of providing continuity of all MMIS communication efforts throughout the transition implementation process and regular operations following the transition. By adopting this communication plan in rule, the Authority seeks to assure that eligible Authority clients receive all necessary and appropriate services, and that Authority providers and PHPs are correctly reimbursed for covered services provided to eligible clients.

(2) To the extent necessary to accomplish the purposes of this rule, the Authority shall provide guidance and instructions related to MMIS for providers and PHPs using its web site and MMIS provider announcements.

(a) In cases of limitations or system errors in the replacement MMIS, the Authority shall provide update information and important action required in concert with, or in place of, normal established procedures.

(b) In other cases, the Authority shall provide instructions and guidance about the use of revised or improved functionality that is available through the replacement MMIS, such as the use of the web portal.

(3) Providers and PHPs must follow all applicable instructions given on the Authority’s web page and any provider announcements for the dates specifically noted in the communications, or if a date is not specified, until further instructions are provided. Authority web site information and links to specific topics may be accessed at: http://www.oregon.gov/DHS/
healthplan/tools_prov/main.shtml.

(4) This rule does not amend existing rules or contracts that require providers or PHPs to confirm eligibility, respond to requests for prior authorization, submit claims or encounter data, or comply with any other rule or contract that imposes obligations on a provider or PHP as a condition of receiving reimbursement for services. This rule is intended to provide assurance to providers and PHPs that the MMIS-related processes for meeting those obligations are being addressed by the Authority by providing guidance and instruction related to the provider’s or PHP’s interface with MMIS processes, and by identifying the resources providers and PHPs may use to obtain information during this time of transition to the replacement MMIS and during regular MMIS operations.

(5) The Authority shall work with providers and PHPs by providing instructions and guidance to assure that service delivery and reimbursement disruptions related to transition to the replacement MMIS are minimized. Providers and PHPs must appropriately document all eligibility, services, authorization, claims, and payment information during the transition time, and their efforts to comply with instructions and guidance provided by the Authority, so that reimbursement may be correctly provided.

(6) Providers and PHPs must immediately communicate to the Authority any issues they encounter that are not addressed in the Authority’s instructions or guidance in seeking eligibility information or activities related to reimbursement for services through MMIS, errors discovered in the correct amount of any reimbursement received for those services, or in applying the instruction or guidance to resolve an issue.

(7) After the transition period is complete, the Authority shall continue to implement this communication plan as long as necessary during regular MMIS operations in order to assist providers and PHPs with technical and system requirements of the replacement MMIS.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

Rule Caption: Audits and Overpayment Recovery for Providers and Contractors receiving payments from or through the Authority

Adm. Order No.: OHA 21-2011

Filed with Sec. of State: 8-31-2011

Certified to be Effective: 9-1-11

Notice Publication Date: 8-1-2011

Rules Adopted: 943-120-1505

Rules Repealed: 943-120-1505(T)

Subject: These rules adopt and incorporate by reference the Department of Human Services’ Audits and Overpayment Recovery rule: chapter 407-120-1505. Providers or contractors receiving payments from or through the Oregon Health Authority are subject to audit or other post payment review procedures for all payments applicable to items or services furnished or supplied by the provider or contractor to or on behalf of the Authority or to its clients.

HB 2009 created the Oregon Health Authority and transferred to the Authority the Department of Human Services’ Divisions with respect to health and health care. Effective July 1, 2011 the Authority will no longer be able to rely on the Department of Human Services’ general rules found in OAR chapter 407. The Authority is adopting and incorporating by reference the Department’s rule which provide the Authority with the legal authority to conduct audits and overpayment recovery with respect to providers or contractors receiving payments from the Authority.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-120-1505

Audits and Overpayment Recovery

Providers or contractors receiving payments from or through the Oregon Health Authority are subject to audit or other post payment review procedures for all payments applicable to items or services furnished or supplied by the provider or contractor to or on behalf of the Authority or to its clients.

(1) The Authority adopts and incorporates by reference the rules established in OAR 407-120-1505, for those matters that involve providers or contractors of the Authority, except as otherwise provided in this rule. Audit rules and procedures from OAR 407-120-1505 as incorporated into this rule ensure proper payments were made by the Authority based on requirements applicable to covered services and promote program integrity.

(2) Any reference to OAR 407-120-1505 in rules or contracts of the Authority are deemed to be references to the requirements of this rule, and shall be construed to apply to providers or contractors receiving payments from or through the Authority.

(3) The Authority authorizes the Department to act on its behalf in carrying out audits and establishing overpayment amounts associated with the administration of programs or activities administered by the Authority.

(4) Provider appeals for the Authority shall be handled by the Authority under the procedures set forth in OAR 407-120-1505. References to “the OPAR Administrator” or “the Administrator” are hereby incorporated as references to “the Authority Director.”

[Publication: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042 & 2009 OL Ch. 595, § 9–25

Stats. Implemented: ORS 411.010, 413.032, 414.065 & 414.715

Hist.: OHA 15-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 21-2011, f. 8-31-11, cert. ef. 9-1-11

Rule Caption: Privacy OARs setting forth general procedures governing the collection, use and disclosure of protected information.

Adm. Order No.: OHA 22-2011

Filed with Sec. of State: 9-2-2011

Certified to be Effective: 9-2-11

Notice Publication Date: 8-1-2011

Rules Adopted: 943-014-0000, 943-014-0010, 943-014-0015, 943-014-0020, 943-014-0030, 943-014-0040, 943-014-0050, 943-014-0060, 943-014-0070

Rules Repealed: 943-014-0000(T), 943-014-0010(T), 943-014-0015(T), 943-014-0020(T), 943-014-0030(T), 943-014-0040(T), 943-014-0050(T), 943-014-0060(T), 943-014-0070(T)

Subject: These rules govern the collection, use, and disclosure of protected information by the Authority about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth Authority requirements governing the use and disclosure of protected health information for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-014-0000

Definitions

The following definitions apply to OAR 943-014-0000 to 943-014-0070:

(1) “Administrative Hearing” means an oral proceeding before an administrative law judge in a contested case hearing.

(2) “Authority” means the Oregon Health Authority.

(3) “Authority Workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Authority, is under the direction and control of the Authority, whether or not they are paid by the Authority.

(4) “Authorization” means permission from an individual or his or her personal representative giving the Authority , and others named on the form, authorization to obtain, release or use information about the individual from third parties for specified purposes or to disclose information to a third party specified by the individual.

(5) “Business Associate” means an individual or entity performing any function or activity on behalf of the Authority involving the use or disclosure of protected health information (PHI) and is not a member of the Authority’s workforce.

(a) “Function or activity” includes but is not limited to program administration, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and similar services for which the Authority may contract or obtain by interagency agreement, if access to PHI is involved.

(b) Business associates do not include licensees or providers unless the licensee or provider also performs some function or activity on behalf of the Authority.

(6) “Client” means an individual who requests or receives program benefits or direct services from the Authority, including but not limited to services requested in connection with the administration of the medical assistance program, and individuals who apply for or are admitted to a state hospital or who are committed to the custody of the Authority,

(7) “Client Information” means personal information relating to a client that the Authority may maintain in one or more locations and in various forms, reports, or documents, or stored or transmitted by electronic media.

(8) “Collect” or “Collection” means the assembling of personal information through interviews, forms, reports, or other information sources.

(9) “Contract” means a written agreement between the Authority and a person or entity setting forth the rights and obligations of the parties including but not limited to contracts, licenses, agreements, interagency agreements, and intergovernmental agreements.

(10) “Correctional Institution” means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by contract with the federal government, a state, or an Indian tribe for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. “Other persons held in lawful custody” include juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, witnesses, or others awaiting charges or trial.

(11) “Corrective Action” means an action that a business associate must take to remedy a breach or violation of the business associate’s obligations under the business associate’s contractual requirement, including but not limited to reasonable steps that must be taken to cure the breach or end the violation.

(12) “Covered Entity” means health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction that is subject to federal Health Insurance Portability and Accountability Act (HIPAA) requirements, as those terms are defined and used in the HIPAA regulations, 45 CFR parts 160 and 164.

(13) “De-identified Data” means client information from which the Authority or other entity has deleted, redacted, or blocked identifiers so the remaining information cannot reasonably be used to identify an individual.

(14) “Department” means the Department of Human Services.

(15) “Disclose” means the release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Authority.

(16) “Health Care” means care, services, or supplies related to the health of an individual. Health care includes but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative care, counseling services, assessment, or procedures with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body and the sale or dispensing of a drug, device, equipment, or other prescribed item.

(17) “Health Care Operations” means any activities of the Authority to the extent that the activities are related to health care, Medicaid, or any other health care related programs, services, or activities administered by the Authority and include:

(a) Conducting quality assessment and improvement activities, including income evaluation and development of clinical guidelines;

(b) Population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(c) Reviewing the competence of qualifications of health care professionals, evaluating practitioner, provider, and health plan performance; and conducting training programs in which students and trainees in areas of health care learn under supervision to practice or improve their skills, accreditation, certification, licensing, or credentialing activities;

(d) Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract for Medicaid or health care related services;

(e) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs, and disclosure to the Medicaid Fraud Unit pursuant to 43 CFR part 455.21;

(f) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Authority, including administration, development, or improvement of methods of payments or health care coverage; and

(g) Business management and general administrative activities of the Authority, including but not limited to:

(A) Management activities relating to implementation of and compliance with the requirements of HIPAA;

(B) Customer service, including providing data analysis;

(C) Resolution of internal grievances, including administrative hearings and the resolution of disputes from patients or enrollees regarding the quality of care and eligibility for services; and

(D) Creating de-identified data or a limited data set.

(18) “Health Oversight Agency” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including employees or agents of the public agency or its contractors or grantees that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. When performing these functions, the Authority acts as a health oversight agency for the purposes of these rules.

(19) “HIPAA” means the Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq, and the federal regulations adopted to implement the Act.

(20) “Individual” means the person who is the subject of information collected, used, or disclosed by the Authority.

(21) “Individually Identifying Information” means any single item or compilation of information or data that indicates or reveals the identity of an individual, either specifically (such as the individual’s name or social security number), or from which the individual’s identity can be reasonably ascertained.

(22) “Information” means personal information relating to an individual, a participant, or an Authority client.

(23) “Inmate” means a person incarcerated in or otherwise confined in a correctional institution. An individual is no longer an inmate when released on parole, probation, supervised release, or is otherwise no longer in custody.

(24) “Institutional Review Board (IRB)” means a specially constituted review body established or designated by an entity in accordance with 45 CFR part 46 to protect the welfare of human subjects recruited to participate in biomedical or behavioral research. The IRB must be registered with the Office for Human Research Protection.

(25) “Law Enforcement Official” means an officer or employee of any agency or authority of the federal government, a state, territory, political subdivision of a state or territory, or Indian tribe who is empowered by law to:

(a) Investigate and conduct an official inquiry into a potential violation of law; or

(b) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

(26) “Licensee” means a person or entity that applies for or receives a license, certificate, registration, or similar authority from the Authority to perform or conduct a service, activity, or function.

(27) “Minimum Necessary” means the least amount of information, when using or disclosing confidential client information, that is needed to accomplish the intended purpose of the use, disclosure, or request.

(28) “Participant” means individual’s participating in Authority population-based services, programs, and activities that serve the general population, but who do not receive program benefits or direct services received by a client. Examples of participants include but are not limited to an individual whose birth certificate is recorded with Department of Vital Statistics, the subjects of public health studies, immunization or cancer registries, newborn screening, and other public health services, and individuals who contact Authority hotlines or the ombudsman for general public information services.

(29) “Payment” means any activities undertaken by the Authority related to a client to whom health care is provided in order to:

(a) Obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Medicaid program or other publicly funded health care services; and

(b) Obtain or provide reimbursement for the provision of health care.

(30) Payment activities mean:

(a) Determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts, and adjudication of health benefit or health care claims;

(b) Risk adjusting amounts due which are based on enrollee health status and demographic characteristics;

(c) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing;

(d) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(e) Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and

(f) Disclosure to consumer reporting agencies relating to collection of premiums or reimbursement including name and address, date of birth, payment history, account number, and name and address of the health care provider or health plan.

(31) “Personal Representative” means a person who has authority to act on behalf of an individual in making decisions related to health care.

(32) “Protected Health Information (PHI)” means any individually identifiable health information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Any data transmitted or maintained in any other form or medium by covered entities, including paper records, fax documents, all oral communications, or any other form, such as screen prints of eligibility information, printed e-mails containing identified individual’s health information, claim or billing information, or hard copy birth or death certificates. PHI does not include school records that are subject to the Family Educational Rights and Privacy Act and employment records held in the Authority’s role as an employer.

(33) “Protected Information” means any participant or client information that the Authority may have in its records or files that must be safeguarded pursuant to Authority policy. This includes but is not limited to individually identifying information.

(34) “Provider” means a person or entity that may seek reimbursement from the Authority as a provider of services to Authority clients pursuant to a contract. For purposes of these rules, reimbursement may be requested on the basis of claims or encounters or other means of requesting payment.

(35) “Psychotherapy Notes” mean notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private counseling session, or group, joint, or family counseling session, when the notes are separated from the rest of the individual’s record. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date.

(36) “Public Health Agency” means a public agency, including the Authority, or a person or entity acting under a grant of authority from or by contract with the Authority or public agency that performs or conducts one or more of the following essential functions that characterize public health programs, services, or activities:

(a) Monitor health status to identify community health problems;

(b) Diagnose and investigate health problems and health hazards in the community;

(A) Inform, educate, and empower people about health issues;

(B) Mobilize community partnerships to identify and solve health problems;

(D) Enforce laws and regulations that protect health and ensure safety;

(E) Direct individuals to needed personal health services and assure the provision of health care when otherwise unavailable;

(F) Ensure a competent public health and personal health care workforce;

(G) Evaluate the effectiveness, accessibility, and quality of personal and population-based health services; and

(H) Perform research for new insights and innovative solutions to health problems.

(37) “Public Health Authority” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including the employees or agents of the public agency, or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. When performing functions as a public health agency, the Authority acts as a public health authority for purposes of these rules.

(38) “Re-disclosure” means the disclosure of information to a person, an Authority program, an Authority subcontracted entity, or other entity or person other than what was originally authorized.

(39) “Research” means systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge.

(40) “Required by Law” means a duty or responsibility that federal or state law specifies that a person or entity must perform or exercise. Required by law includes but is not limited to court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or rules that require the production of information, including statutes or rules that require such information if payment is sought under a government program providing public benefits.

(41) “Treatment” means the provision, coordination, or management of heath care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

(42) “Use” means the sharing of individual information within an Authority program or the sharing of individual information between program staff and administrative staff that support or oversee the program.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0010

Purpose

(1) The purpose of these rules (OAR 943-014-000 to 943-014-0070) is to govern the collection, use, and disclosure of protected information by the Authority about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth the Authority’s requirements governing the use and disclosure of PHI for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164, applicable to the Authority’s health care components.

(2) Except as provided in section (1) of this rule, state and federal statutes, rules, and policies that govern the administration of Authority programs, services, and activities continue to govern the use and disclosure of protected information in those Authority programs, services, and activities.

(3) In the event that it is not possible to comply with the requirements of both sections (1) and (2) of this rule, the Authority shall act in accordance with whichever federal or state law imposes a stricter requirement regarding the privacy or safeguarding of information and which provides the greater protection or access to the individual who is the subject of the information, unless one of the following applies:

(a) Public health. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, birth, or death; public health surveillance; or public health investigation or intervention.

(b) Child abuse. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of child abuse.

(c) State regulatory reporting. Nothing in these rules shall be construed to limit the ability of the State of Oregon or the Authority to require a health plan to report, or to provide access to information for management audits, financial audits, program monitoring, facility licensure or certification, or individual licensure or certification.

(4) The Authority may collect, maintain, use, transmit, share, and disclose information about any individual to the extent authorized by law to administer Authority programs, services, and activities.

(5) The Authority may use and disclose information about licensees or providers consistent with federal and state laws and regulations. Information regarding the qualifications of licensees and providers are public records.

(a) When the Authority obtains information about individuals that relates to determining payment responsibility when a provider submits a request for payment to the Authority, the Authority shall safeguard the information consistent with federal and state laws and regulations and Authority policies.

(b) The Authority may review the performance of licensees and providers in the conduct of its health oversight activities and shall safeguard information obtained about individuals obtained during those activities in accordance with federal and state laws and regulations and Authority policies.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0015

Covered Entity Status for Purposes of the HIPAA Privacy Rules

(1) These rules address information that, among other things, may be Protected Health Information that is protected by the HIPAA Privacy Rules. For purposes of HIPAA Privacy Rules, the Authority is a hybrid entity because the Authority performs functions that are covered by HIPAA (“health care components”) and functions that are not covered by HIPAA. The Authority’s health care components consist of the functions that are included in the definition of a covered entity, as follows:

(a) The Authority in its capacity as the state Medicaid agency for the administration of the Medicaid program under Title XIX of the Social Security Act and the Children’s Health Insurance Program under Title XXI of the Act and the medical assistance program as described in ORS chapter 414.

(b) The Health Care for All Oregon Children program;

(d) Any medical assistance or premium assistance programs reimbursed with Medicaid or the Children’s Health Insurance Program funds operated by the Authority;

(e) The Oregon State Hospital and Blue Mountain Recovery Center;

(f) The high risk pools administered by the Oregon Medical Insurance Pool Board and the Office of Private Health Partnerships;

(g) The Breast and Cervical Cancer Program and the Wise Woman Program;

(h) The Public Health Laboratory;

(i) The Medicaid Management Information system and information technology systems associated with the administration and management of the health care components listed above; and

(j) The ombudsman and other administrative and health care operations functions associated with the administration and management of the health care components listed above.

(2) The Authority administers many aspects of the medical assistance program with the assistance of the Department, including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions.

(3) When these rules of the Authority apply to PHI that is subject to the HIPAA Privacy and Security rules, a reference to the Authority may also include the actions of the Department acting as the Authority’s business associate.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0020

Uses and Disclosures of Client or Participant Protected Information

(1) Uses and disclosures with individual authorization. The Authority must obtain a completed and signed authorization for release of information from the individual, or the individual’s personal representative, before obtaining or using protected information about an individual from a third party or disclosing protected information about the individual to a third party.

(a) Uses and disclosures must be consistent with what the individual has approved on the signed authorization form approved by the Authority.

(b) An individual may revoke an authorization at any time. The revocation must be in writing and signed by the individual, except that substance abuse treatment patients may orally revoke an authorization to disclose information obtained from substance abuse treatment programs. No revocation shall apply to information already released while the authorization was valid and in effect.

(2) Uses and disclosures without authorization. The Authority may use and disclose information without written authorization in the following circumstances:

(a) The Authority may disclose information to individuals who have requested disclosure to themselves of their information, if the individual has the right to access the information under OAR 943-014-0030(6).

(b) If the law requires or permits the disclosure, and the use and disclosure complies with, and is limited to, the relevant requirements of the relevant law.

(A) Activities involving the current treatment of an individual, for the Authority or health care provider;

(B) Payment activities, for the Authority, covered entity, or health care provider;

(D) Substance abuse treatment information, if the recipient has a Qualified Service Organization Agreement with the Authority.

(d) Psychotherapy notes. The Authority may only use and disclose psychotherapy notes in the following circumstances:

(A) In the Authority’s supervised counseling training programs;

(B) In connection with oversight of the originator of the psychotherapy notes; or

(e) Public health activities.

(A) The Authority may disclose an individual’s protected information to appropriate entities or persons for governmental public health activities and for other purposes including but not limited to:

(i) A governmental public health authority that is authorized by law to collect or receive protected information for the purpose of preventing or controlling disease, injury, or disability. This includes but is not limited to reporting disease, injury, and vital events such as birth or death; and the conducting of public health surveillance, investigations, and interventions;

(ii) An official of a foreign government agency that is acting in collaboration with a governmental public health authority;

(iii) A governmental public health authority, or other government authority that is authorized by law to receive reports of child abuse or neglect;

(iv) A person subject to the jurisdiction of the federal Food and Drug Administration (FDA), regarding an FDA-regulated product or activity for which that person is responsible for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity; or

(v) A person who may have been exposed to a communicable disease, or may be at risk of contracting or spreading a disease or condition, if the Authority or other public health authority is authorized to notify the person as necessary in conducting a public health intervention or investigation.

(B) Where state or federal law prohibits or restricts use and disclosure of information obtained or maintained for public health purposes, the Authority shall deny the use and disclosure.

(f) Child abuse reporting and investigation. If the Authority has reasonable cause to believe that a child is a victim of abuse or neglect, the Authority may disclose protected information to appropriate governmental authorities authorized by law to receive reports of child abuse or neglect.

(g) Adult abuse reporting and investigation. If the Authority has reasonable cause to believe that a vulnerable adult is a victim of abuse or neglect, the Authority may disclose information, as required by law, to a government authority or regulatory agency authorized by law to receive reports of abuse or neglect including but not limited to a social service or protective services agency authorized by law to receive such reports. Vulnerable adults are adults age 65 or older and persons with disabilities.

(h) Health oversight activities. The Authority may disclose information without authorization for health oversight activities, including audits; civil, criminal, or administrative investigations, prosecutions, licensing or disciplinary actions; Medicaid fraud; or other necessary oversight activities.

(i) Administrative and court hearings, grievances, investigations, and appeals.

(A) The Authority may use or disclose information for an investigation, administrative or court hearing, grievance, or appeal about an individual’s eligibility or right to receive Authority benefits or services.

(B) If the Authority has obtained information in performing its duties as a health oversight agency, public health authority, or public benefit program, the Authority may use or disclose that information in an administrative or court hearing consistent with the other privacy requirements applicable to that program, service, or activity.

(j) Court orders. The Authority may disclose information for judicial or administrative proceedings in response to a court order, subpoena, discovery request, or other legal process. If a court orders the Authority to conduct a mental examination pursuant to ORS 161.315, 161.365, 161.370, or orders the Authority to provide any other report or evaluation to the court, the examination, report, or evaluation shall be deemed to be required by law for purposes of HIPAA.

(k) Law enforcement purposes. For limited law enforcement purposes, the Authority may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death as a result of criminal conduct; and provide information which constitutes evidence of criminal conduct on Authority premises.

(A) The Authority may provide client information to a law enforcement officer in any of the following situations:

(i) The law enforcement officer is involved in carrying out any investigation, criminal, or civil proceedings connected with administering the program from which the information is sought;

(ii) An Authority employee may disclose information from personal knowledge that does not come from the client’s interaction with the Authority;

(iii) The disclosure is authorized by statute or administrative rule;

(iv) The information informs law enforcement of a death as a result of criminal conduct;

(v) The information constitutes evidence of criminal conduct on Authority premises; or

(vi) The disclosure is necessary to protect the client or others, and the client poses a threat to his or her safety or to the safety of others.

(B) Except as provided in section (2)(k)(C) of this rule, the Authority may give a client’s current address, Social Security number, and photo to a law enforcement officer if the law enforcement officer makes the request in the course of official duty, supplies the client’s name, and states that the client:

(i) Is a fugitive felon or is violating parole, probation, or post-prison supervision;

(ii) For all public assistance programs, has information that is necessary for the officer to conduct official duties, and the location or apprehension of the client is within the officer’s official duties; or

(C) If domestic violence has been identified in the household, the Authority may not release information about a victim of domestic violence unless a member of the household is either wanted as a fugitive felon or is violating parole, probation, or post-prison supervision.

(D) For purposes of this subsection, a fugitive felon is a person fleeing to avoid prosecution or custody for a crime, or an attempt to commit a crime, that would be classified as a felony.

(E) For purposes of this section, a law enforcement officer is an employee of the Oregon State Police, a county sheriff’s department, or a municipal police department, whose official duties include arrest authority.

(l) Use and disclosure of information about deceased individuals.

(A) The Authority may disclose individual information to a coroner or medical examiner for the purpose of identifying a deceased individual, determining cause of death, or other duties authorized by law.

(B) The Authority may disclose individual information to funeral directors as needed to carry out their duties regarding the decedent. The Authority may also disclose individual information prior to, and in anticipation of, the death.

(m) Organ or tissue donation. The Authority may disclose individual information to organ procurement organizations or other entities engaged in procuring, banking, or transplanting cadaver organs, eyes, or tissue for the purpose of facilitating transplantation.

(n) Research. The Authority may disclose individual information without authorization for research purposes, as specified in OAR 943-014-0060.

(o) Threat to health or safety. To avert a serious threat to health or safety the Authority may disclose individual information if:

(A) The Authority believes in good faith that the information is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) The report is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

(p) National security and intelligence. The Authority may disclose information to authorized federal officials for lawful intelligence, counterintelligence, and other national security activities.

(q) Correctional institutions and law enforcement custody situations. The Authority may disclose information to a correctional institution or a law enforcement official having lawful custody of an inmate or other person, for the limited purpose of providing health care or ensuring the health or safety of the person or other inmates.

(r) Emergency treatment. In case of an emergency, the Authority may disclose individual information to the extent needed to provide emergency treatment.

(s) Government entities providing public benefits. The Authority may disclose eligibility and other information to governmental entities administering a government program providing public benefits.

(3) Authorization not required if opportunity to object given. The Authority may use and disclose an individual’s information without authorization if the Authority informs the individual in advance and gives the individual an opportunity to either agree or refuse or restrict the use and disclosure.

(a) These disclosures are limited to disclosure of information to a family member, other relative, close personal friend of the individual, or any other person named by the individual, subject to the following limitations:

(A) The Authority may disclose only the protected information that directly relates to the person’s involvement with the individual’s care or payment for care.

(B) The Authority may use and disclose protected information for notifying, identifying, or locating a family member, personal representative, or other person responsible for care of the individual, regarding the individual’s location, general condition, or death. For individuals who had resided at one time at the state training center, OAR 411-320-0090(6) addresses family reconnection.

(C) If the individual is present for, or available prior to, a use and disclosure, the Authority may disclose the protected information if the Authority:

(i) Obtains the individual’s agreement;

(ii) Provides the individual an opportunity to object to the disclosure, and the individual does not object; or

(iii) Reasonably infers from the circumstances that the individual does not object to the disclosure.

(D) If the individual is not present, or the opportunity to object to the use and disclosure cannot practicably be provided due to the individual’s incapacity or an emergency situation, the Authority may disclose the information if, using professional judgment, the Authority determines that the use and disclosure is in the individual’s best interests.

(b) Exception. For individuals referred to or receiving substance abuse treatment, mental health, or vocational rehabilitation services, the Authority shall not use or disclose information without written authorization, unless disclosure is otherwise permitted under 42 CFR part 2, 34 CFR 361.38, or ORS 179.505.

(c) Personal representative. The Authority must treat a personal representative as the individual for purposes of these rules, except that:

(A) A personal representative must be authorized under state law to act on behalf of the individual with respect to use and disclosure of information. The Authority may require a personal representative to provide a copy of the documentation authorizing the person to act on behalf of the individual.

(B) The Authority may elect not to treat a person as a personal representative of an individual if:

(i) The Authority has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by the person;

(ii) The Authority, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.

(4) Redisclosure. The Authority must inform the individual that information held by the Authority and authorized by the individual for disclosure may be subject to redisclosure and no longer protected by these rules.

(5) Specific written authorization. If the use or disclosure of information requires an authorization, the authorization must specify that the Authority may use or disclose vocational rehabilitation records, alcohol and drug records, HIV/AIDS records, genetics information, and mental health or developmental disability records held by publicly funded providers.

(a) Pursuant to federal regulations at 42 CFR part 2 and 34 CFR 361.38, the Authority may not make further disclosure of vocational rehabilitation and alcohol and drug rehabilitation information without the specific written authorization of the individual to whom it pertains.

(b) Pursuant to ORS 433.045 and OAR 333-012-0270, the Authority may not make further disclosure of individual information pertaining to HIV/AIDS.

(6) Verification of person or entity requesting information. The Authority may not disclose information about an individual without first verifying the identity of the person or entity requesting the information, unless the Authority workforce member fulfilling the request already knows the person or has already verified identity.

(7) Whistleblowers. The Authority may disclose an individual’s protected health information under the HIPAA privacy rules under the following circumstances:

(a) The Authority workforce member or business associate believes in good faith that the Authority has engaged in conduct that is unlawful or that otherwise violates professional standards or Authority policy, or that the care, services, or conditions provided by the Authority could endanger Authority staff, individuals in Authority care, or the public; and

(b) The disclosure is to a government oversight agency or public health authority, or an attorney of an Authority workforce member or business associate retained for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct alleged under section (7)(a) above; and

(c) Nothing in this rule is intended to interfere with ORS 659A.200 to 659A.224 describing the circumstances applicable to disclosures by Authority workforce or business associates.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0030

Client Privacy Rights

(1) Rights of clients to access their information. Clients may access, inspect, and obtain a copy of information on their own cases in Authority files or records, consistent with federal and state law.

(a) A client may request access by completing the Access to Records Request form, or by providing sufficient information to accomplish this request.

(b) Clients may request access to their own information that is kept by the Authority by using a personal identifier such as the client’s name or Authority case number.

(c) If the Authority maintains information in a record that includes information about other people, the client may see information only about himself or herself.

(d) If a person identified in the file is a minor child of the client, and the client is authorized under Oregon law to have access to the minor’s information or to act on behalf of the minor for making decisions about the minor’s care, the client may obtain information about the minor.

(e) If the requestor of information is recognized under Oregon law as a the client’s guardian or custodian and is authorized under Oregon law to have access to the client’s information or to act on behalf of the client for making decisions about the client’s services or care, the Authority shall release information to the requestor.

(f) For individuals with disabilities or mental illnesses, the named system in ORS 192.517, to protect and advocate the rights of individuals with developmental disabilities under Part C of the Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) and the rights of individuals with mental illness under the Protection and Advocacy for Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.), shall have access to all records defined in ORS 192.515.

(g) The Authority may deny a client’s access to their own PHI if federal law prohibits the disclosure. Clients may access, inspect, and obtain a copy of health information on their own case in Authority files or records except for the following:

(A) Psychotherapy notes;

(B) Information compiled in reasonable anticipation of, or for use in civil, criminal, or administrative proceedings;

(C) Information that is subject to the federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);

(D) Information that the Authority believes, in good faith, can cause harm to the client, participant, or to any other person; and

(E) Documents protected by attorney work-product privilege.

(h) The Authority may deny a client access to information that was obtained under a promise of confidentiality from a person other than a health care provider to the extent that access would reveal the source of the information.

(i) The Authority may deny a client access to information, if the Authority gives the client a right to have the denial reviewed when:

(A) A licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may endanger the life or physical safety of the client or another person;

(B) The information makes reference to another person, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may cause substantial harm to the client or to another person; or

(C) The request for access is made by the client’s personal representative, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that allowing the personal representative access to the information may cause substantial harm to the client or to another person.

(j) If the Authority denies access under section (1)(i) of this rule, the client may have the decision reviewed by a licensed health care professional (for health information) or other designated staff (for other information) not directly involved in making the original denial decision.

(A) The Authority must promptly refer a client’s request for review to the designated reviewer.

(B) The reviewer must determine, within the 30 or 60-day time limits stated in section (1)(k)(A) and (B) of this rule, whether to approve or deny the client’s request for access.

(i) Promptly notify the client in writing of the reviewer’s determination; and

(ii) If approved, take action to carry out the reviewer’s determination.

(k) The Authority must act on a client’s request for access no later than 30 days after receiving the request, except as provided in this section and in the case of written accounts under ORS 179.505, which must be disclosed within five days.

(A) In cases where the information is not maintained or accessible to the Authority on-site, and does not fall under ORS 179.505, the Authority must act on the client’s request no later than 60 days after receiving the request.

(B) If the Authority is unable to act within the 30 or 60-day limits, the Authority may extend this time period a maximum of 30 additional days, subject to the following:

(i) The Authority must notify the client in writing of the reasons for the delay and the date by which the Authority shall act on the request.

(ii) The Authority shall use only one 30-day extension.

(l) If the Authority grants the client’s request, in whole or in part, the Authority must inform the client of the access decision and provide the requested access.

(A) If the Authority maintains the same information in more than one format or at more than one location, the Authority may provide the requested information once.

(B) The Authority must provide the requested information in a form or format requested by the client, if readily producible in that form or format. If not readily producible, the Authority shall provide the information in a readable hard-copy format or other format as agreed to by the Authority and the client.

(C) The Authority may provide the client with a summary of the requested information, in lieu of providing access, or may provide an explanation of the information if access has been provided, if:

(i) The client agrees in advance; and

(ii) The client agrees in advance to pay any fees the Authority may impose, under section (1)(L)(E) of this rule.

(D) The Authority shall arrange with the client for providing the requested access in a time, place, and manner convenient for the client and the Authority.

(E) If a client, or legal guardian or custodian, requests a copy, written summary, or explanation of the requested information, the Authority may impose a reasonable cost-based fee, limited to the following:

(i) Copying the requested information, including the costs of supplies and the labor of copying;

(ii) Postage; and

(iii) Staff time for preparing an explanation or summary of the requested information.

(m) If the Authority denies access, in whole or in part, to the requested information, the Authority must:

(A) Give the client access to any other requested client information, after excluding the information to which access is denied; and

(B) Provide the client with a timely written denial. The denial must:

(i) Be provided within the time limits specified in section (1)(k)(A) and (B) of this rule;

(ii) State the basis of the denial in plain language;

(iii) If the Authority denies access under section (1)(i) of this rule, explain the client’s review rights as specified in section (1)(j) of this rule, including an explanation of how the client may exercise these rights; and

(iv) Provide a description of how the client may file a complaint with the Authority, and if the information is PHI, with the United States Department of Health and Human Services (DHHS), Office for Civil Rights, pursuant to section (7) of this rule.

(n) If the Authority does not maintain the requested information, in whole or in part, and knows where the information is maintained (such as by a medical provider, insurer, other public agency, private business, or other non-Authority entity), the Authority must inform the client where to direct the request for access.

(2) Authority Notice of Privacy Practices. The Authority shall send clients notice about the Authority’s privacy practices as follows:

(a) The Authority shall make available to each client a notice of Authority privacy practices that describes the duty of the Authority to maintain the privacy of PHI and include a description that clearly informs the client of the types of uses and disclosures the Authority is permitted or required to make;

(b) The Authority shall provide all clients in direct care settings a notice of Authority privacy practices and shall request the client’s signature on an acknowledgement of receipt form;

(c) If the Authority revises its privacy practices, the Authority shall make the revised notice available to all clients;

(d) The Authority shall post a copy of the Authority’s Notice of Privacy Practices for public viewing at each Authority worksite and on the Authority website; and

(e) The Authority shall give a paper copy of the Authority’s Notice of Privacy Practices to any individual upon request.

(3) Right to request restrictions on uses or disclosures. Clients may request restrictions on the use or disclosure of their information.

(a) The Authority may deny the client’s request or limit its agreement to a request.

(A) The Authority may not agree to restrict uses or disclosures of information if the restriction would adversely affect the quality of the client’s care or services.

(B) The Authority may not agree to restrict uses or disclosures of information that would limit or prevent the Authority from making or obtaining payment for services.

(b) The Authority may not deny a client’s request to restrict the sharing of records of alcohol and drug treatment or records relating to vocational rehabilitation services with another Authority program.

(c) The Authority shall document the client’s request, and the reasons for granting or denying the request, in the client’s Authority case file.

(d) If the client needs emergency treatment and the restricted protected information is needed to provide the treatment, the Authority may use or disclose the restricted protected information to a provider, for the limited purpose of providing treatment. However, once the emergency situation subsides the Authority shall ask the provider not to redisclose the information.

(e) The Authority may terminate its agreement to a restriction if:

(A) The client agrees to or requests the termination in writing;

(B) The client orally requests or agrees to the termination, and the Authority documents the oral request or agreement in the client’s Authority case file; or

(C) With or without the client’s agreement, the Authority informs the client that the Authority is terminating its agreement to the restriction. Information created or received while the restriction was in place shall remain subject to the restriction.

(4) Rights of clients to request to receive information from the Authority by alternative means or at alternative locations. The Authority must accommodate reasonable requests by clients to receive communications from the Authority by alternative means, such as by mail, e-mail, fax, or telephone, and at an alternative location.

(a) The client must specify the preferred alternative means or location.

(b) The client may submit the request for alternative means or locations either orally or in writing.

(A) If the client makes a request in-person, the Authority shall document the request and ask for the client’s signature.

(B) If the client makes a request by telephone or electronically, the Authority shall document the request and verify the identity of the client.

(A) The client agrees to or requests termination of the alternative location or method of communication in writing or orally. The Authority shall document the oral agreement or request in the client’s Authority case file; or

(B) The Authority informs the client that the Authority is terminating its agreement to the alternative location or method of communication because the alternative location or method of communication is not effective. The Authority may terminate its agreement to communicate at the alternative location or by the alternate method if:

(i) The Authority is unable to contact the client at the location or by the method requested; or

(ii) The client fails to respond to payment requests, if applicable.

(5) Right of clients to request amendment of their information. Clients may request that the Authority amend information about themselves in Authority files.

(a) For all amendment requests, the Authority shall have the client complete the approved Authority form.

(b) The Authority may deny the request or limit its agreement to amend.

(c) The Authority must act on the client’s request no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A) The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B) The Authority shall use only one 30-day extension.

(d) The program’s medical director, a licensed health care professional designated by the program administrator, or an Authority staff person involved in the client’s case must review the request and any related documentation prior to making a decision to amend a health or medical record.

(e) A staff person designated by the Authority shall review the request and any related documentation prior to making a decision to amend any information that is not a health or medical record.

(f) If the Authority grants the request, in whole or in part, the Authority shall:

(A) Make the appropriate amendment to the information or records, and document the amendment in the client’s Authority file or record;

(B) Provide notice to the client that the amendment has been granted, pursuant to the time limits under section (5)(c) of this rule;

(C) Obtain the client’s agreement to notify other relevant persons or entities with whom the Authority has shared or needs to share the amended information; and

(D) Inform and provide the amendment within a reasonable time to:

(i) Persons named by the client who have received the information and who need the amendment; and

(ii) Persons, including business associates of the Authority, that the Authority knows have the information that is the subject of the amendment and who may have relied, or could foreseeably rely, on the information to the client’s detriment.

(g) The Authority may deny the client’s request for amendment if:

(A) The Authority finds the information to be accurate and complete;

(B) The information was not created by the Authority;

(D) The information would not be available for inspection or access by the client, pursuant to section (1)(g) and (h) of this rule.

(h) If the Authority denies the amendment request, in whole or in part, the Authority must provide the client with a written denial. The denial must:

(A) Be sent within the time limits specified in section (5)(c) of this rule;

(B) State the basis for the denial, in plain language; and

(C) Explain the client’s right to submit a written statement disagreeing with the denial and how to file the statement. If the client files a statement:

(i) The Authority shall enter the written statement into the client’s Authority case file;

(ii) The Authority may also enter an Authority written rebuttal of the client’s written statement into the client’s Authority case file. The Authority shall send a copy of any written rebuttal to the client;

(iii) The Authority shall include a copy of the statement and any Authority written rebuttal with any future disclosures of the relevant information;

(iv) If a client does not submit a written statement of disagreement, the client may ask that if the Authority makes any further disclosures of the relevant information that the Authority shall also include a copy of the client’s original request for amendment and a copy of the Authority written denial; and

(v) The Authority shall provide information on how the client may file a complaint with the Authority and, if the information is PHI, with DHHS, Office for Civil Rights.

(6) Rights of clients to request an accounting of disclosures of PHI. Clients may receive an accounting of disclosures of PHI that the Authority has made for any period of time, not to exceed six years, preceding the request date for the accounting.

(a) For all requests for an accounting of disclosures, the client may complete the authorized Authority form “Request for Accounting of Disclosures of Health Records”, or provide sufficient information to accomplish this request.

(b) The right to an accounting of disclosures does not apply when the request is:

(A) Authorized by the client;

(B) Made prior to April 14, 2003;

(C) Made to carry out treatment, payment, or health care operations, unless these disclosures are made from an electronic health record;

(D) Made to the client;

(E) Made to persons involved in the client’s care;

(F) Made as part of a limited data set in accordance with OAR 943-014-0070;

(G) Made for national security or intelligence purposes; or

(H) Made to correctional institutions or law enforcement officials having lawful custody of an inmate.

(A) The date of the disclosure;

(B) The name and address, if known, of the person or entit, who received the disclosed information;

(D) A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of a statement, a copy of the client’s written request for a disclosure, if any.

(d) If, during the time period covered by the accounting, the Authority has made multiple disclosures to the same person or entity for the same purpose, the Authority may provide the required information for only the first disclosure. The Authority need not list the same identical information for each subsequent disclosure to the same person or entity if the Authority adds the following information:

(A) The frequency or number of disclosures made to the same person or entity; and

(B) The date of the most recent disclosure during the time period for which the accounting is requested.

(e) The Authority must act on the client’s request for an accounting no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A) The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B) The Authority shall use only one 30-day extension.

(f) The Authority shall provide the first requested accounting in any 12-month period without charge. The Authority may charge the client a reasonable cost-based fee for each additional accounting requested by the client within the 12-month period following the first request, if the Authority:

(A) Informs the client of the fee before proceeding with any additional request; and

(B) Allows the client an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

(g) The Authority shall document the information required to be included in an accounting of disclosures, as specified in section (6)(c) of this rule, and retain a copy of the written accounting provided to the client.

(h) The Authority shall temporarily suspend a client’s right to receive an accounting of disclosures that the Authority has made to a health oversight agency or to a law enforcement official, for a length of time specified by the agency or official, if the agency or official provides a written or oral statement to the Authority that the accounting would be reasonably likely to impede their activities. If the agency or official makes an oral request, the Authority shall:

(A) Document the oral request, including the identity of the agency or official making the request.

(B) Temporarily suspend the client’s request to an accounting of disclosures; and

(C) Limit the temporary suspension to no longer than 30 days from the date of the oral request, unless the agency or official submits a written request specifying a longer time period.

(7) Filing a complaint. Clients may file a complaint with the Authority or, if the information is PHI, with DHHS, Office for Civil Rights.

(a) Upon request, the Authority shall give clients the name and address of the specific person or office of where to submit complaints to DHHS.

(b) The Authority may not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual filing a complaint or inquiring about how to file a complaint.

(c) The Authority may not require clients to waive their rights to file a complaint as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

(d) The Authority shall designate staff to review and determine action on complaints filed with the Authority.

(e) The Authority shall document, in the client’s Authority case file all complaints, the findings from reviewing each complaint, and the Authority’s actions resulting from the complaint. For each complaint the documentation shall include a description of corrective action that the Authority has taken, if any are necessary, or why corrective action is not needed.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0040

Minimum Necessary Standards

(1) The Authority shall limit the use and disclosure of protected information to that which is reasonably necessary to accomplish the intended purpose of the use or disclosure which is referred to in these rules as the minimum necessary standard.

(2) This minimum necessary standard is not intended to impede the essential Authority activities of treatment, payment, health care operations, or service delivery.

(3) The minimum necessary standard applies:

(a) When using protected information within the Authority;

(b) When disclosing protected information to a third party in response to a request; or

(4) The minimum necessary standard does not apply to:

(a) Disclosures to or requests by a health care provider for treatment;

(b) Disclosures made to the individual, including disclosures made in response to a request for access or an accounting;

(d) Disclosures made to DHHS for the purposes of compliance and enforcement of federal regulations under 45 CFR part 160 and required for compliance with 45 CFR part 164.; or

(e) Uses and disclosures required by law;

(5) When requesting protected information about an individual from another entity, the Authority shall limit requests to those that are reasonably necessary to accomplish the purposes for which the request is made. The Authority shall not request a person’s entire medical record unless the Authority can specifically justify the need for the entire medical record.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0050

Business Associate

(1) The Authority may disclose an individual’s PHI to a business associate, and may allow a business associate to create or receive an individual’s PHI on behalf of the Authority if the Authority and the business associate first enter into a contract that complies with applicable federal and state law. In some limited circumstances, the Authority may determine that the Authority is a business associate of a covered entity. A business associate relationship with the Authority requires additional contractual disclosure and privacy provisions that must be incorporated into the contract pursuant to 45 CFR part 164-504 (e)(1)

(2) A contract with a business associate must comply with OAR 125-055-0100 to 125-055-0130 and the qualified service organization requirements in 42 CFR part 2.11.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0060

Uses and Disclosures of Protected Information for Research Purposes

The Authority may use and disclose an individual’s information for research purposes as specified in this rule.

(1) All research disclosures are subject to applicable requirements of federal and state laws and rules including but not limited to 45 CFR part 46 and 21 CFR part 50.0 to 50.56, relating to the protection of human research subjects.

(2) The Authority may use and disclose de-identified information or a limited data set for research purposes, pursuant to OAR 943-014-0070.

(3) The Authority may use and disclose information regarding an individual for research purposes with the specific written authorization of the individual. The authorization must meet all requirements in OAR 943-014-0030, and may indicate an expiration date with terms such as “end of research study” or similar language. An authorization for use and disclosure for a research study may be combined with other types of written authorization for the same research study. If research includes treatment, the researcher may require an authorization for use and disclosure for the research as a provision of providing research related treatment.

(4) Notwithstanding section (3) of this rule, the Authority may use and disclose an individual’s information for research purposes without the individual’s written authorization, regardless of the source of funding for the research, provided that:

(a) The Authority obtains documentation that a waiver of an individual’s authorization for release of information requirements has been approved by an IRB registered with the Office for Human Research Protection. Documentation required of an IRB when granting approval of a waiver of an individual’s authorization for release of information must include all criteria specified in 45 CFR part 164.512(i)(2).

(b) A researcher may request access to individual information maintained by the Authority in preparation for research or to facilitate the development of a research protocol in anticipation of research. The Authority may determine whether to permit such use or disclosure, without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(ii).

(c) A researcher may request access to individual information maintained by the Authority about deceased individuals. The Authority may determine whether to permit such use or disclosure of information about decedents, without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(iii).

(5) The Authority, as a public health authority, may obtain and use individual information without authorization for the purpose of preventing injury or controlling disease and for the conduct of public health surveillance, investigations, and interventions. The Authority may also collect, use, or disclose information, without individual authorization, to the extent that the collection, use, or disclosure is required by law. When the Authority uses information to conduct studies as a public health authority, no additional individual authorization is required nor does this rule require an IRB or privacy board waiver of authorization based on the HIPAA privacy rules.

(6) The Authority may use and disclose information without individual authorization for studies and data analysis conducted for the Authority’s own quality assurance purposes or to comply with reporting requirements applicable to federal or state funding requirements in accordance with the definition of “Health Care Operations” in 45 CFR part 164.501.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0070

De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements

(1) The Authority may use and disclose information as appropriate for the work of the Authority, without further restriction, if the Authority or another entity has taken steps to de-identify the information pursuant to 45 CFR part 164.514(a) and (b).

(2) The Authority may assign a code or other means of record identification to allow the Authority to re-identify the de-identified information provided that:

(a) The code or other means of record identification is not derived from or related to information about the individual and cannot otherwise be translated to identify the individual; and,

(b) The Authority does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

(3) The Authority may use and disclose a limited data set if the Authority enters into a data use agreement with an entity requesting or providing the Authority with a limited data set subject to the requirements of 45 CFR part 164.514(e).

(a) The Authority may use and disclose a limited data set only for the purposes of research, public health, or health care operations. The Authority may use limited data set for its own activities or operations if the Authority has obtained a limited data set that is subject to a data use agreement.

(b) If the Authority knows of a pattern of activity or practice of a limited data set recipient that constitutes a material breach or violation of a data use agreement, the Authority shall take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the Authority shall discontinue disclosure of information to the recipient and report the problem to the Secretary of DHHS.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2010.