Loading
The Oregon Administrative Rules contain OARs filed through July 15, 2014
 
QUESTIONS ABOUT THE CONTENT OR MEANING OF THIS AGENCY'S RULES?
CLICK HERE TO ACCESS RULES COORDINATOR CONTACT INFORMATION

 

DEPARTMENT OF HUMAN SERVICES,
ADMINISTRATIVE SERVICES DIVISION AND DIRECTOR'S OFFICE

 

DIVISION 120

PROVIDER RULES

Electronic Data Transmission

407-120-0100

Definitions

The following definitions apply to OAR 407-120-0100 through 407-120-0200:

(1) "Access" means the ability or means necessary to read, write, modify, or communicate data or information or otherwise use any information system resource.

(2) "Agent" means a third party or organization that contracts with a provider, allied agency, or prepaid health plan (PHP) to perform designated services in order to facilitate a transaction or conduct other business functions on its behalf. Agents include billing agents, claims clearinghouses, vendors, billing services, service bureaus, and accounts receivable management firms. Agents may also be clinics, group practices, and facilities that submit billings on behalf of providers but the payment is made to a provider, including the following: an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim. Agents may also include electronic data transmission submitters.

(3) "Allied Agency" means local and regional allied agencies and includes local mental health authority, community mental health programs, Oregon Youth Authority, Department of Corrections, local health departments, schools, education service districts, developmental disability service programs, area agencies on aging, federally recognized American Indian tribes, and other governmental agencies or regional authorities that have a contract (including an interagency, intergovernmental, or grant agreement, or an agreement with an American Indian tribe pursuant to ORS 190.110) with the Department to provide for the delivery of services to covered individuals and that request to conduct electronic data transactions in relation to the contract.

(4) "Clinic" means a group practice, facility, or organization that is an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim; and the group practice, facility, or organization is enrolled with the Department, and payments are made to the group practice, facility, or organization. If the entity solely submits billings on behalf of providers and payments are made to each provider, then the entity is an agent.

(5) "Confidential Information" means information relating to covered individuals which is exchanged by and between the Department, a provider, PHP, clinic, allied agency, or agents for various business purposes, but which is protected from disclosure to unauthorized individuals or entities by applicable state and federal statutes such as ORS 344.600, 410.150, 411.320, 418.130, or the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and its implementing regulations. These statutes and regulations are collectively referred to as "Privacy Statutes and Regulations."

(6) "Contract" means a specific written agreement between the Department and a provider, PHP, clinic, or allied agency that provides or manages the provision of services, goods, or supplies to covered individuals and where the Department and a provider, PHP, clinic, or allied agency may exchange data. A contract specifically includes, without limitation, a Department provider enrollment agreement, fully capitated heath plan managed care contract, dental care organization managed care contract, mental health organization managed care contract, chemical dependency organization managed care contract, physician care organization managed care contract, a county financial assistance agreement, or any other applicable written agreement, interagency agreement, intergovernmental agreement, or grant agreement between the Department and a provider, PHP, clinic, or allied agency.

(7) "Covered Entity" means a health plan, health care clearing house, health care provider, or allied agency that transmits any health information in electronic form in connection with a transaction, including direct data entry (DDE), and who must comply with the National Provider Identifier (NPI) requirements of 45 CFR 162.402 through 162.414.

(8) "Covered Individual" means individuals who are eligible for payment of certain services or supplies provided to them or their eligible dependents by or through a provider, PHP, clinic, or allied agency under the terms of a contract applicable to a governmental program for which the Department processes or administers data transmissions.

(9) "Data" means a formalized representation of specific facts or concepts suitable for communication, interpretation, or processing by individuals or by automatic means.

(10) Data Transmission" means the transfer or exchange of data between the Department and a web portal or electronic data interchange (EDI) submitter by means of an information system which is compatible for that purpose and includes without limitation, web portal, EDI, electronic remittance advice (ERA), or electronic media claims (EMC) transmissions.

(11) "Department" means the Department of Human Services.

(12) "Department Network and Information Systems" means the Department's computer infrastructure that provides personal communications, confidential information, regional, wide area and local networks, and the internetworking of various types of networks on behalf of the Department.

(13) "Direct Data Entry (DDE)" means the process using dumb terminals or computer browser screens where data is directly keyed into a health plan's computer by a provider or its agent, such as through the use of a web portal.

(14) "Electronic Data Interchange (EDI)" means the exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, using bulk transmission processes and other formats as the Department designates for EDI transactions. For purposes of these rules (OAR 407-120-0100 through 407-120-0200), EDI does not include electronic transmission by web portal.

(15) "Electronic Data Interchange Submitter" means an individual or entity authorized to establish the electronic media connection with the Department to conduct an EDI transaction. An EDI submitter may be a trading partner or an agent of a trading partner.

(16) "Electronic Media" means electronic storage media including memory devices in computers or computer hard drives; any removable or transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media includes but is not limited to the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. Certain transmissions, including paper via facsimile and voice via telephone, are not considered transmissions by electronic media because the information being exchanged did not exist in electronic form before transmission.

(17) "Electronic Media Claims (EMC)" means an electronic media means of submitting claims or encounters for payment of services or supplies provided by a provider, PHP, clinic, or allied agency to a covered individual.

(18) "Electronic Remittance Advice (ERA)" means an electronic file in X12 format containing information pertaining to the disposition of a specific claim for payment of services or supplies rendered to covered individuals which are filed with the Department on behalf of covered individuals by providers, clinics, or allied agencies. The documents include, without limitation, the provider name and address, individual name, date of service, amount billed, amount paid, whether the claim was approved or denied, and if denied, the specific reason for the denial. For PHPs, the remittance advice file contains information on the adjudication status of encounter claims submitted.

(19) "Electronic Data Transaction (EDT)" means a transaction governed by the Health Insurance Portability and Accountability Act (HIPAA) transaction rule, conducted by either web portal or EDI.

(20) "Envelope" means a control structure in a mutually agreed upon format for the electronic interchange of one or more encoded data transmissions either sent or received by an EDI submitter or the Department.

(21) "HIPAA Transaction Rule" means the standards for electronic transactions at 45 CFR Part 160 and 162 (version in effect on January 1, 2008) adopted by the Department of Health and Human Services (DHHS) to implement the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et. seq.

(22) "Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of an information system or information asset including but not limited to unauthorized disclosure of information, failure to protect user IDs, and theft of computer equipment using or storing Department information assets or confidential information.

(23) "Individual User Profile (IUP)" means Department forms used to authorize a user, identify their job assignment, and the required access to the Department's network and information system. It generates a unique security access code used to access the Department's network and information system.

(24) "Information Asset" means all information, also known as data, provided through the Department, regardless of the source, which requires measures for security and privacy of the information.

(25) "Information System" means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and trained personnel necessary for successful data transmission.

(26) "Lost or Indecipherable Transmission" means a data transmission which is never received by or cannot be processed to completion by the receiving party in the format or composition received because it is garbled or incomplete, regardless of how or why the message was rendered garbled or incomplete.

(27) "Mailbox" means the term used by the Department to indicate trading partner-specific locations on the Department's secure file transfer protocol (SFTP) server to deposit and retrieve electronic data identified by a unique Department assigned trading partner number.

(28) "Password" means the alpha-numeric codes assigned to an EDI submitter by the Department for the purpose of allowing access to the Department's information system, including the web portal, for the purpose of successfully executing data transmissions or otherwise carrying out the express terms of a trading partner agreement or provider enrollment agreement and these rules.

(29) "Personal Identification Number (PIN)" means the alpha-numeric codes assigned to web portal submitters by the Department for the purpose of allowing access to the Department's information system, including the web portal, for the purpose of successfully executing DDE, data transmissions, or otherwise carrying out the express terms of a trading partner agreement, provider enrollment agreement, and these rules.

(30) "Prepaid Health Plan (PHP) or Plan" means a managed health care, dental care, chemical dependency, physician care organization, or mental health care organization that contracts with the Department on a case managed, prepaid, capitated basis under the Oregon Health Plan (OHP).

(31) "Provider" means an individual, facility, institution, corporate entity, or other organization which supplies or provides for the supply of services, goods or supplies to covered individuals pursuant to a contract, including but not limited to a provider enrollment agreement with the Department. A provider does not include billing providers as used in the Division of Medical Assistance (DMAP) general rules. DMAP billing providers are defined in these rules as agents, except for DMAP billing providers that are clinics.

(32) "Provider Enrollment Agreement" means an agreement between the Department and a provider for payment for the provision of covered services to covered individuals.

(33) "Registered Transaction" means each type of EDI transaction applicable to a trading partner that must be registered with the Department before it can be tested or approved for EDI transmission.

(34) "Security Access Codes" means the alpha-numeric codes assigned by the Department to the web portal submitter or EDI submitter for the purpose of allowing access to the Department's information system, including the web portal, to execute data transmissions or otherwise carry out the express terms of a trading partner agreement, provider enrollment agreement, and these rules. Security access codes may include passwords, PINs, or other codes.

(35) "Source Documents" means documents or electronic files containing underlying data which is or may be required as part of a data transmission with respect to a claim for payment of charges for medical services or supplies provided to a covered individual, or with respect to any other transaction. Examples of data contained within a specific source document include but are not limited to an individual's name and identification number, claim number, diagnosis code for the services provided, dates of service, service procedure description, applicable charges for the services provided, and a provider's, PHP's, clinic's, or allied agency's name, identification number, and signature.

(36) "Standard" means a rule, condition, or requirement describing the following information for products, systems, or practices:

(a) Classification of components;

(b) Specification of materials, performance, or operations; or

(c) Delineation of procedures.

(37) "Standards for Electronic Transactions" mean a transaction that complies with the applicable standard adopted by DHHS to implement standards for electronic transactions.

(38) “Submitter” means a provider, PHP, clinic, or allied agency that may or may not have entered into a trading partner agreement depending upon whether the need is to exchange electronic data transactions or access the Department’s web portal.

(39) "Transaction" means the exchange of data between the Department and a provider using web portal access or a trading partner using electronic media to carry out financial or administrative activities.

(40) "Trade Data Log" means the complete written summary of data and data transmissions exchanged between the Department and an EDI submitter during the period of time a trading partner agreement is in effect and includes but is not limited to sender and receiver information, date and time of transmission, and the general nature of the transmission.

(41) "Trading Partner" means a provider, PHP, clinic, or allied agency that has entered into a trading partner agreement with the Department in order to satisfy all or part of its obligations under a contract by means of EDI, ERA, or EMC, or any other mutually agreed means of electronic exchange or transfer of data.

(42) "Trading Partner Agreement (TPA)" means a specific written request by a provider, PHP, clinic, or allied agency to conduct EDI transactions that governs the terms and conditions for EDI transactions in the performance of obligations under a contract. A provider, PHP, clinic, or allied agency that has executed a TPA will be referred to as a trading partner in relation to those functions.

(43) "User" means any individual or entity authorized by the Department to access network and information systems or information assets.

(44) "User Identification Security (UIS)" means a control method required by the Department to ensure that only authorized users gain access to specified information assets. One method of control is the use of passwords and PINs with unique user identifications.

(45) "Web Portal" means a site on the World Wide Web that typically provides secure access with personalized capabilities to its visitors and a pathway to other content designed for use with the Department’s specific DDE applications.

(46) "Web Portal Submitter" means an individual or entity authorized to establish an electronic media connection with the Department to conduct a DDE transaction. A web portal submitter may be a provider or a provider's agent.

Stat. Auth.: ORS 409.050 & 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0100, DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11

407-120-0110

Purpose

(1) These rules establish requirements applicable to providers, PHPs, and allied agencies that want to conduct electronic data transactions with the Department. These rules govern the conduct of all web portal or EDI transactions with the Department. These rules only apply to services or items that are paid for by the Department. If the service or item is paid for by a plan or an allied agency, these rules do not apply.

(2) These rules establish the Department's electronic data transaction requirements for purposes of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d -- 1320d-8, Public Law 104-191, sec. 262 and sec. 264, and the implementing standards for electronic transactions rules. Where a federal HIPAA standard has been adopted for an electronic data transaction, this rule implements and does not alter the federal standard.

(3) These rules establish procedures that must be followed by any provider, PHP, or allied agency in the event of a security or privacy incident, regardless of whether the incident is related to the use of an electronic data transaction.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0110, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0112

Scope and Sequence of Electronic Data Transmission Rules

(1) The Department communicates with and receives communications from its providers, PHPs, and allied agencies using a variety of methods appropriate to the services being provided, the nature of the entity providing the services, and constantly changing technology. These rules describe some of the basic ways that the Department will exchange data electronically. Additional details may be provided in the Department's access control rules, provider-specific rules, or the applicable contract documents.

(2) Access to eligibility information about covered individuals may occur using one or more of the following methods:

(a) Automated voice response, via a telephone;

(b) Web portal access;

(c) EDI submitter access; or

(d) Point of sale (POS) for pharmacy providers.

(3) Claims for which the Department is responsible for payment or encounter submissions made to the Department may occur using one or more of the following methods:

(a) Paper, using the form specified in the provider specific rules and supplemental billing guidance. Providers may submit paper claims, except that pharmacy providers are required to use the POS process for claims submission and PHPs are required to use the 837 electronic formats;

(b) Web portal access;

(c) EDI submitter access; or

(d) POS for pharmacy providers.

(4) Department informational updates, provider record updates, depository for PHP reports, or EDT as specified by the Department for contract compliance.

(5) Other Department network and information system access is governed by specific program requirements, which may include but is not limited to IUP access. Affected providers, PHPs, and allied agencies will be separately instructed about the access and requirements. Incidents are subject to these rules.

(6) Providers and allied agencies that continue to use only paper formats for claims transactions are only subject to the confidentiality and security rule, OAR 407-120-0170.

Stat. Auth.: ORS 409.050 & 414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11

407-120-0114

Provider Enrollment Agreement

(1) When a provider applies to enroll, the application form will include information about how to participate in the web portal for use of DDE and automated voice response (AVR) inquiries. The enrollment agreement will include a section describing the process that will permit the provider, once enrolled, to participate in DDE over the Internet using the secure Department web portal. This does not include providers enrolled through the use of the DMAP 3108 Managed Care Plan and FFS Non Paid Provider Application.

(2) When the provider number is issued by the Department, the provider will also receive two PINs: one that may be used to access the web portal and one that may be used for AVR.

(a) If the PINs are not activated within 60 days of issuance, the Department will initiate a process to inactivate the PIN. If the provider wants to use PIN-based access to the web portal or AVR after deactivation, the provider must submit an update form to obtain another PIN.

(b) Activating the PIN will require Internet access and the provider must supply security data that will be associated with the use of the PIN.

(c) Providers using the PIN are responsible for protecting the confidentiality and security of the PIN pursuant to OAR 407-120-0170.

Stat. Auth.: ORS 409.050 & 414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11

407-120-0116

Web Portal Submitter

(1) Any provider activating their web portal access for web portal submission may be a web portal submitter. The provider will be referred to as the web portal submitter when functioning in that capacity, and shall be required to comply with these rules governing web portal submitters.

(2) The authorized signer of the provider enrollment agreement shall be the individual who is responsible for the provider's DDE claims submission process.

(a) If a provider submits their own claims directly, the provider will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules governing web portal submitters.

(b) If a provider uses an agent or clinic to submit DDE claims using the Department's web portal, the agent or clinic will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules governing web portal submitters.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0118

Conduct of Direct Data Entry Using Web Portal

(1) The web portal submitter is responsible for the conduct of the DDE transactions submitted on behalf of the provider, as follows:

(a) Accuracy of Web Portal Submissions. The web portal submitter must take reasonable care to ensure that data and DDE transmissions are timely, complete, accurate, and secure, and must take reasonable precautions to prevent unauthorized access to the information system or the DDE transmission. The Department will not correct or modify an incorrect DDE transaction prior to processing. The transactions may be rejected and the web portal submitter will be notified of the rejection.

(b) Cost of Equipment. The web portal submitter and the Department must bear their own information system costs. The web portal submitter must, at their own expense, obtain access to Internet service that is compatible with and has the capacity for secure access to the Department's web portal. Web portal submitters must pay their own costs for all charges, including but not limited to charges for equipment, software and services, Internet connection and use time, terminals, connections, telephones, and modems. The Department is not responsible for providing technical assistance for access to or use of Internet web portal services or the processing of a DDE transaction.

(c) Format of DDE Transactions. The web portal submitter must send and receive all data transactions in the Department's approved format. Any attempt to modify or alter the DDE transaction format may result in denial of web portal access.

(d) Re-submissions. The web portal submitter must maintain source documents and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by federal or state law, or by contractual agreement. Back ups, archives, or related files are subject to the terms of these rules to the same extent as the original data transmission.

(2) Security and Confidentiality. To protect security and confidentiality, web portal submitters must comply with the following:

(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data or data transmissions, except as permitted by these rules or the contract, or use the same for any purpose other than that which the web portal submitter was specifically given access and authorization by the Department or the provider.

(b) Refrain from obtaining access by any means to any data or the Department's network and information system for any purpose other than that which the web portal submitter has received express authorization to receive access. If the web portal submitter receives data or data transmissions from the Department which are clearly not intended for the receipt of web portal submitter, the web portal submitter will immediately notify the Department and make arrangements to return or re-transmit the data or data transmission to the Department. After re-transmission, the web portal submitter must immediately delete the data contained in the data transmission from its information system.

(c) Install necessary security precautions to ensure the security of the DDE transmission or records relating to the information system of either the Department or the web portal submitter when the information system is not in active use by the web portal submitter.

(d) Protect and maintain, at all times, the confidentiality of security access codes issued by the Department. Security access codes are strictly confidential and specifically subject, without limitation, to all of the restrictions in OAR 407-120-0170. The Department may change the designated security access codes at any time and in any manner as the Department in its sole discretion considers necessary.

(e) Install, maintain, and use security measures for confidential information transmitted between a provider and the web portal submitter if a provider uses an agent or clinic as the web portal submitter.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0120

Registration Process EDI Transactions

(1) The EDI transaction process is preferred by providers, PHPs, and allied agencies for conducting batch or real time transactions, rather than the individual data entry process used for DDE. EDI registration is an administrative process governed by these rules. The EDI registration process begins with the submission of a TPA by a provider, PHP, clinic, or allied agency, including all requirements and documentation required by these rules.

(2) Trading partners must be Department providers, PHPs, clinics, or allied agencies with a current Department contract. The Department will not accept a TPA from individuals or entities who do not have a current contract with the Department.

(a) The Department may receive and hold the TPA for individuals or entities that have submitted a provider enrollment agreement or other pending contract, subject to the satisfactory execution of the pending document.

(b) Termination, revocation, suspension, or expiration of the contract will result in the concurrent termination, revocation, suspension, or expiration of the TPA without any additional notice; except that the TPA will remain in effect to the extent necessary for a trading partner or the Department to complete obligations involving EDI under the contract for dates of service when the contract was in effect. Contracts that are periodically renewed or extended do not require renewal or extension of the TPA unless there is a lapse of time between contracts.

(c) Failure to identify a current Department contract during the registration process will result in a rejection of the TPA. The Department will verify that the contract numbers identified by a provider, PHP, clinic, or allied agency are current contracts.

(d) If contract number or contract status changes, the trading partner must provide the Department with updated information within five business days of the change in contract status. If the Department determines that a valid contract no longer exists, the Department shall discontinue EDI transactions applicable for any time period in which the contract no longer exists; except that the TPA will remain in effect to the extent necessary for the trading partner or the Department to complete obligations involving EDI under the contract for dates of service when the contract was in effect.

(3) Trading Partner Agreement. To register as a trading partner with the Department, a provider, PHP, clinic, or allied agency must submit a signed TPA to the Department.

(4) Application for Authorization. In addition to the requirements of section (3) of this rule, a trading partner must submit an application for authorization to the Department. The application provides specific identification and legal authorization from the trading partner for an EDI submitter to conduct EDI transactions on behalf of a trading partner.

(5) Trading Partner Agents. A trading partner may use agents to facilitate the electronic transmission of data. If a trading partner will be using an agent as an EDI submitter, the application for authorization required under section (4) of this rule must identify and authorize an EDI submitter and must include the EDI certification signed by an EDI submitter before the Department may accept electronic submission from or send electronic transmission to an EDI submitter.

(6) EDI Registration. In addition to the requirements of section (3) of this rule, a trading partner must also submit its EDI registration form. This form requires the trading partner or its authorized EDI submitter to register an EDI submitter and the name and type of EDI transaction they are prepared to conduct. Signature of the trading partner or authorized EDI submitter is required on the EDI registration form. The registration form will also permit the trading partner to identify the individuals or EDI submitters who are authorized to submit or receive EDI registered transactions.

(7) Review and Acceptance Process. The Department will review the documentation provided to determine compliance with sections (1) through (6) of this rule. The information provided may be subject to verification by the Department. When the Department determines that the information complies with these rules, the Department will notify the trading partner and EDI submitter by email about any testing or other requirements applicable to place the registered transaction into a production environment.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0120, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0130

Trading Partner as EDI Submitter EDI Transactions

(1) A trading partner may be an EDI submitter. Registered trading partners that also qualify as an EDI submitter may submit their own EDI transactions directly to the Department. A trading partner will be referred to as an EDI submitter when functioning in that capacity and will be required to comply with applicable EDI submitter rules, except as provided in section (3) of this rule.

(2) Authorization and Registration Designating Trading Partner as EDI Submitter. Before acting as an EDI submitter, a trading partner must designate in the application for application that they are an EDI submitter who is authorized to send and receive data transmissions in the performance of EDI transactions. A trading partner must complete the "Trading Partner Application for Authorization to Submit EDI Transactions" and the "EDI Submitter Information" required in the application. A trading partner must also submit the EDI registration form identifying them as an EDI submitter. A trading partner must notify the Department of any material changes in the information no less than ten days prior to the effective date of the change.

(3) EDI Submitter Certification Conditions. Where a trading partner is acting as its own EDI submitter, the trading partner is not required to submit the EDI submitter certification conditions in the application for authorization applicable to agents.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0130, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0140

Trading Partner Agents as EDI Submitters EDI Transactions

(1) Responsibility for Agents. If a trading partner uses the services of an agent, including but not limited to an EDI submitter in any capacity in order to receive, transmit, store, or otherwise process data or data transmissions or perform related activities, a trading partner shall be fully responsible to the Department for the agent's acts.

(2) Notices Regarding EDI Submitter. Prior to the commencement of an EDI submitter's services, a trading partner must designate in the application for authorization the specific EDI submitters that are authorized to send and receive data transmissions in the performance of EDI transactions of a trading partner. A trading partner must complete the "Trading partner Authorization of EDI Submitter" and the "EDI Submitter Information" required in the application. A trading partner must also submit the EDI registration form identifying and providing information about an EDI submitter. A trading partner or authorized EDI submitter must notify the Department of any material changes in the EDI submitter authorization or information no less than five days prior to the effective date of the changes.

(3) EDI Submitter Authority. A trading partner must authorize the actions that an EDI submitter may take on behalf of a trading partner. The application for authorization permits a trading partner to authorize which decisions may only be made by a trading partner and which decisions are authorized to be made by an EDI submitter. The EDI submitter information authorized in the application for authorization will be recorded by the Department in an EDI submitter profile. The Department may reject EDI transactions from an EDI submitter acting without authorization from a trading partner.

(4) EDI Submitter Certification Conditions. Each authorized EDI submitter acting as an agent of a trading partner must execute and comply with the EDI submitter certification conditions that are incorporated into the application for authorization. Failure to include the signed EDI submitter certification conditions with the application shall result in a denial of EDI submitter authorization by the Department. Failure of an EDI submitter to comply with the EDI submitter certification conditions may result in termination of EDI submitter registration for EDI transactions with the Department.

(5) EDI Submitters Responsibilities. In addition to the requirements of section (1) of this rule, a trading partner is responsible for ensuring that an EDI submitter makes no unauthorized changes in the data content of all data transmissions or the contents of an envelope, and that an EDI submitter will take all appropriate measures to maintain the timeliness, accuracy, truthfulness, confidentiality, security, and completeness of each data transmission. A trading partner is responsible for ensuring that its EDI submitters are specifically advised of, and will comply with, the terms of these rules and any TPA.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0140, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0150

Testing — EDI Transactions

(1) When a trading partner or authorized EDI submitter registers an EDI transaction with the Department, the Department may require testing before authorizing the transaction. Testing may include third party and business-to-business testing. An EDI submitter must be able to demonstrate its capacity to send and receive each transaction type for which it has registered. The Department will reject any EDI transaction if an EDI submitter either refuses or fails to comply with the Department testing requirements.

(2) The Department may require EDI submitters to complete compliance testing at an EDI submitter's expense for each transaction type if either the Department or an EDI submitter has experienced a change to hardware or software applications by entering into business-to-business testing.

(3) When third party or business-to-business testing is completed to the Department's satisfaction, the Department will notify an EDI submitter that it will register and accept the transactions in the production environment. This notification authorizes an EDI submitter to submit the registered EDI transactions to the Department for processing and response, as applicable. If there are any changes in the trading partner or EDI submitter authorization, profile data or EDI registration information on file with the Department, updated information must be submitted to the Department as required in OAR 407-120-0190.

(4) Testing will be conducted using secure electronic media communications methods.

(5) An EDI submitter may be required to re-test with the Department if the Department format changes or if the EDI submitter format changes.

Stat. Auth.: ORS 409.050 & 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0150, DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11

407-120-0160

Conduct of Transactions EDI Transactions

(1) EDI Submitter Obligations. An EDI submitter is responsible for the conduct of the EDI transactions registered on behalf of a trading partner, including the following:

(a) EDI Transmission Accuracy. An EDI submitter shall take reasonable care to ensure that data and data transmissions are timely, complete, accurate, and secure; and shall take reasonable precautions to prevent unauthorized access to the information system, the data transmission, or the contents of an envelope which is transmitted either to or from the Department. The Department will not correct or modify an incorrect transaction prior to processing. The transaction may be rejected and an EDI submitter notified of the rejection.

(b) Re-transmission of Indecipherable Transmissions. Where there is evidence that a data transmission is lost or indecipherable, the sending party must make best efforts to trace and re-transmit the original data transmission in a manner which allows it to be processed by the receiving party as soon as practicable.

(c) Cost of Equipment. An EDI submitter and the Department will pay for their own information system costs. An EDI submitter shall, at its own expense, obtain and maintain its own information system. An EDI submitter shall pay its own costs for all charges related to data transmission including, without limitation, charges for information system equipment, software and services, electronic mailbox maintenance, connect time, terminals, connections, telephones, modems, any applicable minimum use charges, and for translating, formatting, sending, and receiving communications over the electronic network to the electronic mailbox, if any, of the Department. The Department is not responsible for providing technical assistance in the processing of an EDI transaction.

(d) Back-up Files. EDI submitters must maintain adequate data archives and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by state and federal law, or by contractual agreement. Data archives or back-up files shall be subject to these rules to the same extent as the original data transmission.

(e) Transmissions Format. Except as otherwise provided herein, EDI submitters must send and receive all data transmissions in the federally mandated format, or (if no federal standard has been promulgated) other formats as the Department designates.

(f) Testing. EDI submitters must, prior to the initial data transmission and throughout the term of a TPA, test and cooperate with the Department in the testing of information systems as the Department considers reasonably necessary to ensure the accuracy, timeliness, completeness, and confidentiality of each data transmission.

(2) Security and Confidentiality. To protect security and confidentiality of transmitted data, EDI submitters must comply with the following:

(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data, data transmissions, or the contents of an envelope, except as necessary to comply with the terms of these rules or the TPA, or use the same for any purpose other than that which an EDI submitter was specifically given access and authorization by the Department or a trading partner;

(b) Refrain from obtaining access by any means to any data, data transmission, envelope, mailbox, or the Department's information system for any purpose other than that which an EDI submitter has received express authorization. If an EDI submitter receives data or data transmissions from the Department which clearly are not intended for an EDI submitter, an EDI submitter shall immediately notify the Department and make arrangements to return or re-transmit the data or data transmission to the Department. After re-transmission, an EDI submitter shall immediately delete the data contained in the data transmission from its information system;

(c) Install necessary security precautions to ensure the security of the information systems or records relating to the information systems of either the Department or an EDI submitter when the information system is not in active use by an EDI submitter;

(d) Protect and maintain the confidentiality of security access codes issued by the Department to an EDI submitter; and

(e) Provide special protection for security and other purposes, where appropriate, by means of authentication, encryption, the use of passwords, or other means. Unless otherwise provided in these rules, the recipient of a protected data transmission must at least use the same level of protection for any subsequent transmission of the original data transmission.

(3) Department Obligations. The Department shall:

(a) Make available to an EDI submitter, by electronic media, those types of data and data transmissions which an EDI submitter is authorized to receive.

(b) Inform an EDI submitter of acceptable formats in which data transmissions may be made and provide notification to an EDI submitter within reasonable time periods consistent with HIPAA transaction standards, if applicable, or at least 30 days prior by electronic notice of other changes in formats.

(c) Provide an EDI submitter with security access codes that will allow an EDI submitter access to the Department's information system. Security access codes are strictly confidential and EDI submitters must comply with all of the requirements of OAR 407-120-0170. The Department may change the designated security access codes at any time and manner as the Department, in its sole discretion, deems necessary. The release of security access codes shall be limited to authorized electronic data personnel of an EDI submitter and the Department with a need to know.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0160, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0165

Pharmacy Point of Sale Access

Pharmacy providers who electronically bill pharmaceutical claims must participate in and submit claims using the POS system, except as provided in OAR 410-121-0150.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0170

Confidentiality and Security

(1) Individually Identifiable Health Information. All providers, PHPs, and allied agencies are responsible for ensuring the confidentiality of individually identifiable health information, consistent with the requirements of the privacy statutes and regulations, and shall take reasonable action to prevent any unauthorized disclosure of confidential information by a provider, PHP, allied agency, or other agent. A provider, web portal submitter, trading partner, EDI submitter, or other agent must comply with any and all applicable privacy statutes and regulations relating to confidential information.

(2) General Requirements for Electronic Submitters. A provider (web portal submitter), trading partner (EDI submitter), or other agent must maintain adequate security procedures to prevent unauthorized access to data, data transmissions, security access codes, or the Department's information system, and must immediately notify the Department of all unauthorized attempts by any individual or entity to obtain access to or otherwise tamper with the data, data transmissions, security access codes, or the Department's information system.

(3) Notice of Unauthorized Disclosures. All providers, PHPs, and allied agencies must promptly notify the Department of all unlawful or unauthorized disclosures of confidential information that come to its agents' attention, and shall cooperate with the Department if corrective action is required by the Department. The Department will promptly notify a provider, PHP, or allied agency of all unlawful or unauthorized disclosures of confidential information in relation to a provider, PHP, or allied agency that come to the Department's or its agents' attention, and will cooperate with a provider, PHP, or allied agency if corrective action is required.

(4) Wrongful use of the web portal, EDI systems, or the Department's network and information system, or wrongful use or disclosure of confidential information by a provider, allied agency, electronic submitters, or their agents may result in the immediate suspension or revocation of any access granted under these rules or other Department rules, at the sole discretion of the Department.

(5) A provider, allied agency, PHP, or electronic submitter must report to the Department's Information Security Office at dhsinfo.security@state.or.us and to the Department program contact individual, any privacy or security incidents that compromise, damage, or cause a loss of protection to confidential information, information assets, or the Department's network and security system. Reports must be made in the following manner:

(a) No later than five business days from the date on which a provider, allied agency, PHP, or electronic submitter becomes aware of the incident; and

(b) Provide the results of the incident assessment findings and resolution strategies no later than 30 business days after the report is due under section (4)(a).

(6) A provider, allied agency, PHP, or electronic submitter must comply with the Department's requests for corrective action concerning a privacy or security incident and with applicable laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0170, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0180

Record Retention and Audit

(1) Records Retention. A provider, web portal submitter, trading partner, and EDI submitter shall maintain, for a period of no less than seven years from the date of service, complete, accurate, and unaltered copies of all source documents associated with all data transmissions.

(2) EDI Trade Data Log. An EDI submitter must establish and maintain a trade data log that must record all data transmissions taking place between an EDI submitter and the Department during the term of a TPA. A trading partner and EDI submitter must take necessary and reasonable steps to ensure that the trade data log constitutes a current, truthful, accurate, complete, and unaltered record of all data transmissions between the parties and must be retained by each party for no less than 24 months following the date of the data transmission. The trade data log may be maintained on electronic media or other suitable means provided that, if necessary, the information may be timely retrieved and presented in readable form.

(3) Right to Audit. A provider must allow and require any web portal submitter to allow, and a trading partner must allow and require an EDI submitter or other agent to allow access to the Department, the Oregon Secretary of State, the Oregon Department of Justice Medicaid Fraud Unit, or its designees, and DHHS or its designees to audit relevant business records, source documents, data, data transmissions, trade data logs, or information systems of a provider and its web portal submitter, and a trading partner, and its agents, as necessary, to ensure compliance with these rules. A provider must allow and require its web portal submitter to allow, and a trading partner must allow and require an EDI submitter or other agent to allow the Department, or its designee, access to ensure that adequate security precautions have been made and are implemented to prevent unauthorized disclosure of any data, data transmissions, or other information.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0180, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0190

Material Changes

(1) Changes in Any Material Information - EDT Process. A trading partner must submit an updated TPA, application for authorization, or EDI registration form to the Department within ten business days of any material change in information. A material change includes but is not limited to mailing or email address change, contract number or contract status (termination, expiration, extension), identification of authorized individuals of a trading partner or EDI submitter, the addition or deletion of authorized transactions, or any other change that may affect the accuracy of or authority for an EDI transaction. The Department may act on data transmissions submitted by a trading partner and its EDI submitter based on information on file in the application for authorization and EDI registration forms until an updated form has been received and approved by the Department. A trading partner's signature or the signature of an authorized EDI submitter is required to ensure that an updated TPA, authorization, or EDI registration form is valid and authorized.

(2) Changes in Any Material Information - Web Portal Access. Providers must submit an updated web portal registration form to the Department within ten business days of any material changes in information. A material change includes but is not limited to mailing or email address change, contract number or contract status (termination, suspension, expiration), identification of web portal submitter contact information, or any other change that may affect the accuracy of or authority for a DDE transaction. The Department is authorized to act on data transmissions submitted by a provider and its web portal submitter based on information on file in the web portal registration form until an updated form has been received and approved by the Department. A provider's signature or the signature of an authorized business representative is required to ensure that an updated web portal registration form is valid and authorized.

(3) Failure to submit a timely updated form may impact the ability of a data transaction to be processed without errors. Failure to submit a signed, updated form may result in the rejection of a data transmission.

Stat. Auth.: ORS 409.050, 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0190, DHSD 1-2008, f. & cert. ef. 2-1-08

407-120-0200

Department System Administration

(1) No individual or entity shall be registered to conduct a web portal or an EDI transaction with the Department except as authorized under these the rules. Eligibility and continued participation as a provider, PHP, allied agency, or web portal submitter in the conduct of DDE transactions, or as a trading partner or EDI submitter in the conduct of registered transactions, is conditioned on the execution and delivery of the documents required in these rules, the continued accuracy of that information consistent with OAR 407-120-0190, and compliance with a requirements of these rules. Data, including confidential information, governed by these rules may be used for purposes related to treatment, payment, and health care operations and for the administration of programs or services by the Department.

(2) In addition to the requirements of section (1) of this rule, in order to qualify as a trading partner:

(a) An individual or entity must be a Department provider, PHP, clinic, or allied agency pursuant to a current valid contract; and

(b) A provider, PHP, clinic, or allied agency must have submitted an executed TPA and all related documentation, including the application for authorization, that identifies and authorizes an EDI submitter.

(3) In addition to the requirements of section (1) of this rule, in order to qualify as an EDI submitter:

(a) A trading partner must have identified the individual or entity as an authorized EDI submitter in the application for authorization;

(b) If a trading partner identifies itself as an EDI submitter, the application for authorization must include the information required in the "Trading Partner Authorization of EDI Submitter" and the "EDI Submitter Information"; and

(c) If a trading partner uses an agent as an EDI submitter, the application for authorization must include the information described in section (3)(b) and the signed EDI submitter certification.

(4) The EDI registration process described in these rules provides the Department with essential profile information that the Department may use to confirm that a trading partner or EDI submitter is not otherwise excluded or disqualified from submitting EDI transactions to the Department.

(5) Nothing in these rules or a TPA prevents the Department from requesting additional information from a trading partner or an EDI submitter to determine their qualifications or eligibility for registration as a trading partner or EDI submitter.

(6) The Department shall deny a request for registration as a trading partner or for authorization of an EDI submitter or an EDI registration if it finds any of the following:

(a) A trading partner or EDI submitter has substantially failed to comply with the applicable administrative rules or laws;

(b) A trading partner or EDI submitter has been convicted of (or entered a plea of nolo contendre) a felony or misdemeanor related to a crime or violation of federal or state public assistance laws or privacy statutes or regulations;

(c) A trading partner or EDI submitter is excluded from participation in the Medicare program, as determined by the DHHS secretary; or

(d) A trading partner or EDI submitter fails to meet the qualifications as a trading partner or EDI submitter.

(7) Failure to comply with these rules, trading partner agreement, or EDI submitter certification or failure to provide accurate information on an application or certification may also result in sanctions and payment recovery pursuant to applicable Department program contracts or rules.

(8) For providers using the DDE submission system by the Department web portal, failure to comply with the terms of these rules, a web portal registration form, or failure to provide accurate information on the registration form may result in sanctions or payment recovery pursuant to the applicable Department program contracts or rules.

Stat. Auth.: ORS 409.050 & 414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0200, DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11

MMIS Provider Enrollment and Claiming

407-120-0300

Definitions

The following definitions apply to OAR 407-120-0300 to 407-120-0400:

(1) "Abuse" means provider practices that are inconsistent with sound fiscal, business, or medical practices resulting in an unnecessary cost to the Department, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes actions by clients or recipients that result in unnecessary cost to the Department.

(2) "Advance Directive" means a form that allows an individual to have another individual make health care decisions when he or she cannot make decisions and informs a doctor if the individual does not want any life sustaining help if he or she is near death.

(3) "Benefit Package" means the package of covered health care services for which the client is eligible.

(4) "Billing Agent or Billing Service" means a third party or organization that contracts with a provider to perform designated services in order to facilitate claim submission or electronic transactions on behalf of the provider.

(5) "Billing Provider" means an individual, agent, business, corporation, clinic, group, institution, or other entity who, in connection with submission of claims to the Department, receives or directs payment from the Department on behalf of a performing provider and has been delegated the authority to obligate or act on behalf of the performing provider.

(6) "Children's Health Insurance Program (CHIP)" means a federal and state funded portion of the Oregon Health Plan (OHP) established by Title XXI of the Social Security Act and administered by the Division of Medical Assistance Programs (DMAP).

(7) "Claim" means a bill for services, a line item of a service, or all services for one client within a bill. Claim includes a bill or an encounter associated with requesting reimbursement, whether submitted on paper or electronically. Claim also includes any other methodology for requesting reimbursement that may be established in contract or program-specific rules.

(8) "Client or Recipient" means an individual found eligible by the Department to receive services under the OHP demonstration, medical assistance program, or other public assistance programs administered by the Department. The following OHP categories are eligible for enrollment:

(a) Temporary Assistance to Needy Families (TANF) are categorically eligible families with income levels under current TANF eligibility rules;

(b) CHIP children under one year of age whose household has income under 185% Federal Poverty Level (FPL) and do not meet one of the other eligibility classifications;

(c) Poverty Level Medical (PLM) adults under 100% of the FPL are clients who are pregnant women with income under 100% of FPL;

(d) PLM adults over 100% of the FPL are clients who are pregnant women with income between 100% and 185% of the FPL;

(e) PLM children under one year of age who have family income under 133% of the FPL or were born to mothers who were eligible as PLM adults at the time of the child's birth;

(f) PLM or CHIP children one through five years of age who have family income under 185% of the FPL and do not meet one of the other eligibility classifications;

(g) PLM or CHIP children six through 18 years of age who have family income under 185% of the FPL and do not meet one of the other eligibility classifications;

(h) OHP adults and couples are clients age 19 or over and not Medicare eligible, with income below 100% of the FPL who do not meet one of the other eligibility classifications, and do not have an unborn child or a child under age 19 in the household;

(i) OHP families are clients, age 19 or over and not Medicare eligible, with income below 100% of the FPL who do not meet one of the other eligibility classifications, and have an unborn child or a child under the age of 19 in the household;

(j) General Assistance (GA) recipients are clients who are eligible by virtue of their eligibility under the GA program, ORS 411.710 et seq.;

(k) Assistance to Blind and Disabled (AB/AD) with Medicare eligibles are clients with concurrent Medicare eligibility with income levels under current eligibility rules;

(l) AB/AD without Medicare eligibles are clients without Medicare with income levels under current eligibility rules;

(m) Old Age Assistance (OAA) with Medicare eligibles are clients with concurrent Medicare Part A or Medicare Parts A and B eligibility with income levels under current eligibility rules;

(n) OAA with Medicare Part B only are OAA eligibles with concurrent Medicare Part B only income under current eligibility rules;

(o) OAA without Medicare eligibles are clients without Medicare with income levels under current eligibility rules; or

(p) Children, Adults and Families (CAF) children are clients with medical eligibility determined by CAF or Oregon Youth Authority (OYA) receiving OHP under ORS 414.025, 418.034, and 418.187 to 418.970. These individuals are generally in placement outside of their homes and in the care or custody of CAF or OYA.

(9) "Client Representative" means an individual who can make decisions for clients who are not able to make such decisions themselves. For purposes of medical assistance, a client representative may be, in the following order of priority, an individual who is designated as the client's health care representative under ORS 127.505(12), a court-appointed guardian, a spouse or other family member as designated by the client, the individual service plan team (for developmentally disabled clients), a Department case manager, or other Department designee. To the extent that other Department programs recognize other individuals who may act as a client representative, that individual may be considered the client representative in accordance with program-specific rules or applicable contracts.

(10) "Clinical Records" means the medical, dental, or mental health records of a client. These records include the Primary Care Provider (PCP) records, the inpatient and outpatient hospital records and the Exceptional Needs Care Coordinator (ENCC), complaint and disenrollment for cause records which may be located in the Prepaid Health Plan (PHP) administrative offices.

(11) "Conviction or Convicted" means that a judgment of conviction has been entered by a federal, state, or local court, regardless of whether an appeal from that judgment is pending.

(12) "Covered Services" means medically appropriate health services or items that are funded by the legislature and described in ORS Chapter 414, including OHP authorized under ORS 414.705 to 414.750, and applicable Department rules describing the benefit packages of covered services except as excluded or limited under OAR 410-141-0500 or such other public assistance services provided to eligible clients under program-specific requirements or contracts by providers required to enroll with the Department under OAR 407-120-0300 to 407-120-0400.

(13) "Date of Service" means the date on which the client receives medical services or items, unless otherwise specified in the appropriate provider rules.

(14) "Department" means the Department of Human Services.

(15) "Diagnosis Code" means the code as identified in the International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM). The primary diagnosis code is shown in all billing claims and PHP encounters, unless specifically excluded in individual provider rules. Where they exist, diagnosis codes must be shown to the degree of specificity outlined in OAR 407-120-0340 (claim and PHP encounter submission).

(16) "Electronic Data Transaction (EDT)" means the electronic exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, conducted by either web portal or electronic data interchange in accordance with the Department's electronic data transaction rule (OAR 407-120-0100 to 407-120-0200).

(17) "Exclusion" means the Department shall not reimburse a specific provider who has defrauded or abused the Department for items or services that a provider furnished.

(18) "False Claim" means a claim or PHP encounter that a provider knowingly submits or causes to be submitted that contains inaccurate or misleading information, and that information would result, or has resulted, in an overpayment or improper use for per capita cost calculations.

(19) "Fraud" means an intentional deception or misrepresentation made by an individual with the knowledge that the deception could result in some unauthorized benefit to himself or herself, or some other individual. It includes any act that constitutes fraud or false claim under applicable federal or state law.

(20) "Healthcare Common Procedure Coding System (HCPCS)" means a method for reporting health care professional services, procedures and supplies. HCPCS consists of the Level 1 -- American Medical Association's Physicians' Current Procedural Terminology (CPT), Level II -- National Codes and Level III -- Local Codes.

(21) "Health Insurance Portability and Accountability Act (HIPAA)" means a federal law (Public Law 104-191, August 21, 1996) with the legislative objective to assure health insurance portability, reduce health care fraud and abuse, enforce standards for health information and guarantee security and privacy of health information.

(22) "Hospice" means a public agency or private organization or subdivision of either that is primarily engaged in providing care to terminally ill individuals, is certified for Medicare, accredited by the Oregon Hospice Association, and is listed in the Hospice Program Registry.

(23) "Individual Adjustment Request" means a form (DMAP 1036) used to resolve an incorrect payment on a previously paid claim, including underpayments or overpayments.

(24) "Medicaid" means a federal and state funded portion of the medical assistance program established by Title XIX of the Social Security Act, as amended, and administered in Oregon by the Department.

(25) "Medicaid Management Information System (MMIS)" means the automated claims processing and information retrieval system for handling all Medicaid transactions. The objectives of the system include verifying provider enrollment and client eligibility, managing health care provider claims and benefit package maintenance, and addressing a variety of Medicaid business needs.

(26) "Medical Assistance Program" means a program for payment of health care provided to eligible Oregonians. Oregon's medical assistance program includes Medicaid services including the OHP Medicaid Demonstration, and CHIP. The medical assistance program is administered and coordinated by DMAP, a division of the Department.

(27) "Medically Appropriate" means services and medical supplies that are required for prevention, diagnosis, or treatment of a health condition that encompasses physical or mental conditions, or injuries and which are:

(a) Consistent with the symptoms or treatment of a health condition;

(b) Appropriate with regard to standards of good health practice and generally recognized by the relevant scientific community, evidence based medicine, and professional standards of care as effective;

(c) Not solely for the convenience of a client or a provider of the service or medical supplies; and

(d) The most cost effective of the alternative levels of medical services or medical supplies that can be safely provided to a client in the provider's judgment.

(28) "Medicare" means the federal health insurance program for the aged and disabled administered by the Centers for Medicare and Medicaid Services (CMS) under Title XVIII of the Social Security Act.

(29) "National Provider Identification (NPI)" means a federally directed provider number mandated for use on HIPAA covered transactions by individuals, provider organizations, and subparts of provider organizations that meet the definition of health care provider (45 Code of Federal Regulations (CFR) 160.103) and who conduct HIPAA covered transactions electronically.

(30) "Non-Covered Services" means services or items for which the Department is not responsible for payment. Non-covered services are identified in:

(a) OAR 410-120-1200, Excluded Services and Limitations;

(b) OAR 410-120-1210, Medical Assistance Benefit Packages and Delivery System;

(c) OAR 410-141-0480, OHP Benefit Package of Covered Services;

(d) OAR 410-141-0520, Prioritized List of Health Services; and

(e) The individual Department provider rules, program-specific rules, and contracts.

(31) "Non-Participating Provider" means a provider who does not have a contractual relationship with the PHP.

(32) "Nursing Facility" means a facility licensed and certified by the Department's Seniors and People with Disabilities Division (SPD) defined in OAR 411-070-0005.

(33) "Oregon Health Plan (OHP)" means the Medicaid demonstration project that expands Medicaid eligibility to eligible clients. The OHP relies substantially upon prioritization of health services and managed care to achieve the public policy objectives of access, cost containment, efficacy, and cost effectiveness in the allocation of health resources.

(34) "Out-of-State Providers" means any provider located outside the borders of Oregon:

(a) Contiguous area providers are those located no more than 75 miles from the border of Oregon;

(b) Non-contiguous area providers are those located more than 75 miles from the borders of Oregon.

(35) "Post-Payment Review" means review of billings or other medical information for accuracy, medical appropriateness, level of service, or for other reasons subsequent to payment of the claim.

(36) "Prepaid Health Plan (PHP)" means a managed health, dental, chemical dependency, physician care organization, or mental health care organization that contracts with DMAP or Addictions and Mental Health Division (AMH) on a case managed, prepaid, capitated basis under the OHP. PHP's may be a Dental Care Organization (DCO), Fully Capitated Health Plan (FCHP), Mental Health Organization (MHO), Primary Care Organization (PCO) or Chemical Dependency Organization (CDO).

(37) "Prohibited Kickback Relationships" means remuneration or payment practices that may result in federal civil penalties or exclusion for violation of 42 CFR 1001.951.

(38) "PHP Encounter" means encounter data submitted by a PHP or by a provider in connection with services or items reimbursed by a PHP.

(39) "Prior Authorization" means payment authorization for specified covered services or items given by Department staff, or its contracted agencies, or a county if required by the county, prior to provision of the service. A physician or other referral is not a prior authorization.

(40) "Provider" means an individual, facility, institution, corporate entity, or other organization which supplies health care or other covered services or items, also termed a performing provider, that must be enrolled with the Department in accordance with OAR 407-120-0300 to 407-120-0400 to seek reimbursement from the Department, including services provided, under program-specific rules or contracts with the Department or with a county or PHP.

(41) "Quality Improvement" means the effort to improve the level of performance of key processes in health services or health care. A quality improvement program measures the level of current performance of the processes, finds ways to improve the performance and implements new and better methods for the processes. Quality improvement includes the goals of quality assurance, quality control, quality planning, and quality management in health care where "quality of care is the degree to which health services for individuals and populations increase the likelihood of desired health outcomes and are consistent with current professional knowledge."

(42) "Quality Improvement Organization (QIO)" means an entity which has a contract with CMS under Part B of Title XI to perform utilization and quality control review of the health care furnished, or to be furnished, to Medicare and Medicaid clients; formerly known as a "Peer Review Organization."

(43) "Remittance Advice" means the automated notice a provider receives explaining payments or other claim actions.

(44) "Subrogation" means the right of the state to stand in place of the client in the collection of third party resources, including Medicare.

(45) "Suspension" means a sanction prohibiting a provider's participation in the Department's medical assistance or other programs by deactivation of the assigned provider number for a specified period of time or until the occurrence of a specified event.

(46) "Termination" means a sanction prohibiting a provider's participation in the Department's programs by canceling the assigned provider number and agreement unless:

(a) The exceptions cited in 42 CFR 1001.221 are met; or

(b) Otherwise stated by the Department at the time of termination.

(47) "Third Party Resource (TPR)" means a medical or financial resource, including Medicare, which, by law, is available and applicable to pay for covered services and items for a medical assistance client.

(48) "Usual Charge" means when program-specific or contract reimbursement is based on usual charge, and is the lesser of the following, unless prohibited from billing by federal statute or regulation:

(a) The provider's charge per unit of service for the majority of non-medical assistance users of the same service based on the preceding month's charges;

(b) The provider's lowest charge per unit of service on the same date that is advertised, quoted, or posted. The lesser of these applies regardless of the payment source or means of payment; or

(c) Where the provider has established a written sliding fee scale based upon income for individuals and families with income equal to or less than 200% of the FPL, the fees paid by these individuals and families are not considered in determining the usual charge. Any amounts charged to TPR must be considered.

(49) "Visit Data" means program-specific or contract data collection requirements associated with the delivery of service to clients on the basis of an event such as a visit.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0310

Provider Requirements

(1) Scope of Rule. All providers seeking reimbursement from the Department, a PHP, or a county pursuant to a county agreement with the Department for the provision of covered services or items to eligible recipients, must comply with these rules, OAR 407-120-0300 to 407-120-0400, and the applicable rules or contracts of the specific programs described below:

(a) Programs administered by DMAP including the OHP and the medical assistance program that reimburses providers for services or items provided to eligible recipients, including but not limited to chapter 410, division 120; chapter 410, division 141; and provider rules in chapter 410 applicable to the provider’s service category;

(b) Programs administered by AMH that reimburse providers for services or items provided to eligible AMH recipients; or

(c) Programs administered by SPD that reimburse providers for services or items provided to eligible SPD recipients.

(2) Visit Data. Department programs use visit data to monitor service delivery, planning, and quality improvement activities. Visit data is required to be submitted by a program-specific rule or contract. A provider is required to make accurate, complete, and timely submission of visit data. Visit data is not a HIPAA transaction and does not constitute a claim for reimbursement.

(3) CHIP and Medicaid-Funded Covered Services and Items.

(a) Covered services or items paid for with Medicaid (Title XIX) and CHIP (Title XXI) funds (referred to as the medical assistance program) are also subject to federal and state Medicaid rules and requirements. In interpreting these rules and program-specific rules or contracts, the Department shall construe them as much as possible in a manner that shall comply with federal and state medical assistance program laws and regulations, and the terms and conditions of federal waivers and the state plans

(b) If a provider is reimbursed with medical assistance program funds, the provider must comply with all applicable federal and state laws and regulations pertaining to the provision of Medicaid services under the Medicaid Act, Title XIX, 42 United States Code (USC) 1396 et. seq., and CHIP services under Title XXI, including without limitation:

(A) Maintaining all records necessary to fully disclose the extent of the services provided to individuals receiving medical assistance and furnish such information to any state or federal agency responsible for administration or oversight of the medical assistance program regarding any payments claimed by an individual or institution for providing Medicaid services as the state or federal agency may from time to time request;

(B) Complying with all disclosure requirements of 42 CFR 1002.3(a) and 42 CFR 455 subpart (B);

(C) Maintaining written notices and procedures respecting advance directives in compliance with 42 USC 1396(a)(57) and (w), 42 CFR 431.107(b)(4), and 42 CFR 489 subpart I;

(D) Certifying that the information is true, accurate and complete when submitting claims or PHP encounters for the provision of medical assistance services or items. Submission of a claim or PHP encounter constitutes a representation of the provider's understanding that payment of the claim shall be from federal or state funds, or both, and that any falsification or concealment of a material fact may result in prosecution under federal or state laws.

(c) Hospitals, nursing facilities, home health agencies (including those providing personal care), hospices, and HMOs must comply with the Patient Self-Determination Act as set forth in Section 4751 of OBRA 1991. To comply with the obligation under the above-listed laws to deliver information on the rights of the individual under Oregon law to make health care decisions, the named providers and organizations must give capable individuals over the age of 18 a copy of "Your Right to Make Health Care Decisions in Oregon," copyright 1993, by the Oregon State Bar Health Law Section. Out-of-state providers of these services should comply with Medicare and Medicaid regulations in their state. Submittal to the Department of the appropriate claim form requesting payment for medical services provided to a Medicaid eligible shall be considered representation to the Department of the medical provider's compliance with the above-listed laws.

(d) Payment for any service or item furnished by a provider of CHIP or Medicaid-funded services or items may not be made by or through (directly or by power of attorney) any individual or organization, such as a collection agency or service bureau, that advances money to a provider for accounts receivable that the provider has assigned, sold, or transferred to the individual or organization for an added fee or a deduction of a portion of the accounts receivable.

(e) The Department shall make medical assistance provider payments only to the following:

(A) The provider who actually performed the service or provided the item;

(B) In accordance with a reassignment from the provider to a government agency or reassignment by a court order;

(C) To the employer of the provider, if the provider is required as a condition of employment to turn over his or her fees to the employer, and the employer is enrolled with the Department as a billing provider;

(D) To the facility in which the service is provided, if the provider has a contract under which the facility submits the claim, and the facility is enrolled with the Department as a billing provider;

(E) To a foundation, PHP, clinic, or similar organization operating as an organized health care delivery system, if the provider has a contract under which the organization submits the claim, and the organization is enrolled with the Department as a billing provider; or

(F) To an enrolled billing provider, such as a billing service or an accounting firm that, in connection with the submission of claims, receives or directs payments in the name of the provider, if the billing provider's compensation for this service is:

(i) Related to the cost of processing the billing;

(ii) Not related on percentage or other basis to the amount that is billed or collected and not dependent upon the collection of the payment.

(f) Providers must comply with TPR requirements in program-specific rules or contracts.

(4) Program Integrity. The Department uses several approaches to promote program integrity. These rules describe program integrity actions related to provider payments, including provider reimbursement under program-specific rules, county agreements, and contracts. The program integrity goal is to pay the correct amount to a properly enrolled provider for covered services provided to an eligible client according to the program-specific coverage criteria in effect on the date of service.

(a) Program integrity activities include but are not limited to the following:

(A) Medical or professional review including but not limited to following the evaluation of care in accordance with evidence-based principles, medical error identification, and prior authorization processes, including all actions taken to determine the coverage and appropriateness of services or items in accordance with program-specific rules or contract;

(B) Provider obligations to submit correct claims and PHP encounters;

(C) Onsite visits to verify compliance with standards;

(D) Implementation of HIPAA electronic transaction standards to improve accuracy and timeliness of claims processing and encounter reporting;

(E) Provider credentialing activities;

(F) Accessing federal Department of Health and Human Services (DHHS) database (exclusions);

(G) Quality improvement activities;

(H) Cost report settlement processes;

(I) Audits;

(J) Investigation of false claims, fraud or prohibited kickback relationships; and

(K) Coordination with the Department of Justice Medicaid Fraud Control Unit (MFCU) and other health oversight authorities.

(b) The following individuals may review a request for services or items, or audit a claim or PHP encounter for care, services, or items, before or after payment, for assurance that the specific care, item, or service was provided in accordance with the program-specific and the generally accepted standards of a provider's field of practice or specialty:

(A) Department staff or designee;

(B) Medical utilization and professional review contractor;

(C) Dental utilization and professional review contractor; or

(D) Federal or state oversight authority.

(c) Payment may be denied or subject to recovery if the review or audit determines the care, service, or item was not provided in accordance with provider rules or does not meet the criteria for quality or medical appropriateness of the care, service, or item or payment. Related provider and hospital billings shall also be denied or subject to recovery.

(d) If the Department determines that an overpayment has been made to a provider, the amount of overpayment is subject to recovery.

(e) The Department may communicate with and coordinate any program integrity actions with the MFCU, DHHS, and other federal and state oversight authorities.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.1455
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0320

Provider Enrollment

(1) In some Department program areas, being an enrolled Department provider is a condition of eligibility for a Department contract for certain services or activities. The Department requires billing providers to be enrolled as providers consistent with the provider enrollment processes set forth in this rule. If reimbursement for covered services will be made under a contract with the Department, the provider must also meet the Department's contract requirements. Contract requirements are separate from the requirements of these provider enrollment rules. Enrollment as a provider with the Department is not a promise that the enrolled provider will receive any amount of work from the Department, a PHP, or a county.

(2) Relation to Program-Specific or Contract Requirements. Provider enrollment establishes essential Department provider participation requirements for becoming an enrolled Department provider. The details of provider qualification requirements, client eligibility, covered services, how to obtain prior authorization or review (if required), documentation requirements, claims submission, and available electronic access instructions, and other pertinent instructions and requirements are contained in the program-specific rules or contract.

(3) Criteria for Enrollment. Prior to enrollment, providers must:

(a) Meet all program-specific or contract requirements identified in program-specific rules or contracts in addition to those requirements identified in these rules;

(b) Meet Department contracting requirements, as specified by the Department's Office of Contracts and Procurement (OC&P);

(c) Meet Department and federal licensing requirements for the type of service for which the provider is enrolling;

(d) Meet Department and federal certification requirements for the type of service for which the provider is enrolling; and

(e) Obtain a provider number from the Department for the specific service for which the provider is enrolling.

(4) Participation as an Enrolled Provider. Participation with the Department as an enrolled provider is open to qualified providers that:

(a) Meet the qualification requirements established in these rules and program-specific rules or contracts;

(b) Enroll as a Department provider in accordance with these rules;

(c) Provide a covered service or item within their scope of practice and licensure to an eligible Department recipient in accordance with program-specific rules or contracts; and

(d) Accept the reimbursement amounts established in accordance with the Department's program-specific fee structures or contracts for the service or item.

(5) Enrollment Process. To be enrolled as a Department provider, an individual or organization must submit a complete and accurate provider enrollment form, available from the Department, including all required documentation, and a signed provider enrollment agreement.

(a) Provider Enrollment Form. The provider enrollment form requests basic demographic information about the provider that will be permanently associated with the provider or organization until changed on an update form.

(b) Provider and Program Addendum. Each Department program establishes provider-specific qualifications and program criteria that must be provided as part of the provider enrollment form.

(A) The provider must meet applicable licensing and regulatory requirements set forth by federal and state statutes, regulations, and rules, and must comply with all Oregon statutes and regulations applicable to the provider's scope of service as well as the program-specific rules or contract applicable to the provision of covered services. The provider and program addendum will specify the required documentation of professional qualifications that must be provided with the provider enrollment form.

(B) All providers of services within Oregon must have a valid Oregon business license if such a license is a requirement of the state, federal, county, or city government to operate a business or to provide services. In addition providers must be registered to do business in Oregon by registering with the Oregon Secretary of State, Corporation Division, if registration is required.

(c) Provider Disclosure Form. All individuals and entities are required to disclose information used by the Department to determine whether an exclusion applies that would prevent the Department from enrolling the provider. Individual performing providers must submit a disclosure statement. All providers that are enrolling as an entity (corporation, non-profit, partnership, sole proprietorship, governmental) must submit a disclosure of ownership and control interest statemente. Payment cannot be made to any individual or entity that has been excluded from participation in federal or state programs or that employs or is managed by excluded individuals or entities.

(A) Entities must disclose all the information required on the disclosure of ownership and control interest statement. Information that must be disclosed includes the name, address, and taxpayer identification number of each individual with an ownership or control interest in the disclosing entity or in any subcontractor in which the disclosing entity has a direct or indirect ownership of five percent or more; whether any of the named individuals are related as spouse, parent, child, sibling, or other family member by marriage or otherwise; and the name and taxpayer identification number of any other disclosing entity in which an individual with an ownership or control interest in the disclosing entity also has an ownership or control interest.

(B) A provider must submit, within 35 days of the date of a request by DHHS or the Department, full and complete information about the ownership of any subcontractor with whom the provider had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the five-year period ending on the date of the request.

(C) Before the Department enters into a provider enrollment agreement with a provider, or renews a provider agreement, or at any time upon written request of the Department, the provider must disclose to the Department the identity and taxpayer identification number of any individual who has an ownership or control interest in the provider; or is an agent or managing employee of the provider; or the individual performing provider that has been convicted of a criminal offense related to that individual's involvement in any program under Medicare, Medicaid, or Title XX services program, since the inception of those programs.

(D) The Department may refuse to enter into or may suspend or terminate a provider enrollment agreement if the individual performing provider or any individual who has an ownership or control interest in the entity, or who is an agent or managing employee of the provider, has been sanctioned or convicted of a criminal offense related to that individual's involvement in any program established under Medicare, Medicaid, Children's Health Insurance, Title XX services, or other public assistance program.

(E) The Department may refuse to enter into or may suspend or terminate a provider enrollment agreement, or contract for provider services, if it determines that the provider did not fully and accurately make any disclosure required under section (5)(c) of this rule.

(F) Taxpayer identification numbers, including social security numbers (SSN) and employer identification numbers (EIN), must be provided where indicated on the Disclosure Statement or the Disclosure of Ownership and Control Interest Statement. The taxpayer identification number will be used to confirm whether the individual or entity is subject to exclusion from participation in the Oregon Medicaid program.

(6) Provider Enrollment Agreement. The provider must sign the provider enrollment agreement, and submit it for review to the Department at the time the provider submits the provider enrollment form and related documentation. Signing the provider enrollment agreement constitutes agreement by a provider to comply with all applicable Department provider and program rules, and applicable federal and state laws and regulations in effect on the date of service.

(7) Request to Conduct Electronic Transactions. A provider may request to conduct electronic transactions with the Department by enrolling and completing the appropriate authorization forms in accordance with the electronic data transaction rules (OAR 407-120-0100 to 407-120-0200).

(8) Enrollment of Providers. A provider will be enrolled, assigned, and issued a provider number for use in specific payment or business operations upon the following criteria:

(a) Provider submission of a complete and signed (when applicable), provider enrollment form, provider enrollment agreement, provider certification and all required documents to the Department program responsible for enrolling the provider. Provider signature must be the provider or an individual with actual authority from the provider to legally bind the provider to attest and certify to the accuracy and completeness of the information submitted;

(b) The Department's verification of licensing or certification or other authority to perform the service or provide the item within the lawful scope of practice recognized under Oregon law. The Department may confirm any information on the provider enrollment form or documentation submitted with the provider enrollment form, and may request additional information; and

(c) The Department's acceptance of the provider enrollment form, provider enrollment agreement, and provider certification by the Department unit responsible for approving the enrollment of the provider.

(9) Claim or Encounter Submission. Submission of a claim or encounter or other reimbursement document constitutes the enrolled provider's agreement that:

(a) The service or item was provided in compliance with all applicable rules and requirements in effect on the date of service;

(b) The provider has created and maintained all records necessary to disclose the extent of services or items provided and provider's compliance with applicable program and financial requirements, and that the provider agrees to make such information available upon request to the Department, the MFCU (for Medicaid-funded services or items), the Oregon Secretary of State, and (for federally-funded services or items) the federal funding authority and the Comptroller General of the United States, or their designees;

(c) The information on the claim or encounter, regardless of the format or other reimbursement document is true, accurate and complete; and

(d) The provider understands that payment of the claim or encounter or other reimbursement document will be from federal or state funds, or a combination of federal and state funds, and that any falsification, or concealment of a material fact, may result in prosecution under federal and state laws.

(10) Providers Required to Use an NPI. The Department has taken action to ensure compliance with the NPI requirements pursuant to 45 CFR Part 162 when those requirements became effective on May 23, 2007. In the event of a transition period approved by CMS beyond May 23, 2008, the following requirements for contractors, providers, and provider-applicants will apply:

(a) Providers and contractors that obtain an NPI are required to use their NPI where indicated. In situations where a taxonomy code may be used in conjunction with the NPI, providers must update their records as specified with the Department's provider enrollment unit. Providers applying for enrollment with the Department that have been issued an NPI must include that NPI and any associated taxonomy codes with the provider enrollment form;

(b) A provider enrolled with the Department must bill using the NPI pursuant to 45 CFR part 162.410, in addition to the Department-assigned provider number, where applicable, and continue to bill using the Department assigned provider number until the Department informs the provider that the Department assigned provider number is no longer allowed, or the NPI transition period has ended, whichever occurs first. Failure to use the NPI and Department-assigned provider number as indicated during this transition period may result in delay or rejection of claims and other transactions;

(c) The NPI and applicable taxonomy code combinations will be cross-referenced to the Department assigned provider number for purposes of processing all applicable electronic transactions as specified in OAR 407-120-0100;

(d) The provider and PHP must cooperate with the Department with reasonable consultation and testing procedures, if any, related to implementation of the use of NPI's; and

(e) Certain provider types are not eligible for an NPI based on federal criteria for obtaining an NPI. Providers not eligible for an NPI must always use their Department provider number on claims, encounters, or other reimbursement documents for that specific provider type.

(11) The effective date of provider enrollment is the date the provider's request is received by the Department if on that date the provider has met all applicable requirements. The effective date may be retroactive for up to one year to encompass dates on which the provider furnished covered services to a medical assistance recipient for which it has not been paid, if on the retroactive effective date the provider has met all applicable requirements.

(12) Provider numbers are specific to the category of service or items authorized by the Department. Issuance of a Department-assigned provider number establishes enrollment of an individual or organization as a provider for the specific category of services covered by the provider and program addendum submitted with the provider enrollment form and enrollment agreement.

(13) Provides must provide the following updates:

(a) An enrolled provider must notify the Department in writing of a material change in any status or condition on any element of their provider enrollment form. Providers must notify the Department of changes in any of this information in writing within 30 calendar days of any of the following changes:

(A) Business affiliation;

(B) Ownership;

(C) NPI;

(D) Associated taxonomy codes;

(E) Federal Tax Identification number;

(F) Ownership and control information; or

(G) Criminal convictions.

(b) These changes may require the submission of a provider enrollment form, provider enrollment agreement, provider certification, or other related documentation.

(c) Claims submitted by, or payments made to, providers who have not timely furnished the notification of changes or have not submitted any of the items that are required due to a change may be denied or recovered.

(d) Notice of bankruptcy proceedings must be immediately provided to the Department in writing.

(14) Tax Reporting and Withholding.

(a) Providers must submit the provider's SSN for individuals or a federal EIN for entities, whichever is required for tax reporting purposes on IRS Form 1099. Billing providers must submit the SSN or EIN of all performing providers in connection with claims or payments made to or on behalf of the performing provider, in addition to the billing provider’s SSN or EIN. Providing this number is mandatory to be eligible to enroll as a provider. The provider's SSN or EIN is required pursuant to 42 CFR 433.37 federal tax laws at 26 USC 6041. SSN's and EIN's provided pursuant to this authority are used for the administration of state, federal, and local tax laws and the administration of this program for internal verification and administrative purposes including but not limited to identifying the provider for payment and collection activities.

(b) The Department must comply with the tax information reporting requirements of section 6041 of the Internal Revenue Code (26 USC 6041). Section 6041 requires the filing of annual information returns showing amounts paid to providers, who are identified by name, address, and SSN or EIN. The Department files its information returns with the Internal Revenue Service (IRS) using Form 1099MISC.

(c) The IRS Code section 3406(a)(1)(B) requires the Department to begin backup withholding when notified by the IRS that a taxpayer identification number reported on an information return is incorrect. If a provider receives notice of backup withholding from the Department, the provider is responsible for timely complying with the notice and providing the Department with accurate information. The Department will comply with IRS requirements for backup withholding.

(d) Failure to notify the Department of a change in federal tax identification number (SSN or EIN) may result in the Department imposing a sanction as specified in OAR 407-120-0360.

(e) If the Department notifies a provider about an error in federal tax identification number, the provider must supply a valid federal tax identification number within 30 calendar days of the date of the Department's notice. Failure to comply with this requirement may result in the Department imposing a sanction as specified in OAR 407-120-0360, for each time the provider submits an inaccurate federal tax identification number, and may require back-up withholding. Federal tax identification number requirements described in this rule refer to any requirements established by the IRS.

(15) Providers of services to clients outside the State of Oregon will be enrolled as a provider under section (8) of this rule if they comply with the requirements of section (8) and meet the following conditions:

(a) The provider is appropriately licensed or certified and is enrolled in the provider's home state for participation in that state's Medicaid program or, for non-Medicaid services, enrolled or contracted with the state agency in the provider's state to provide the same program-specific service in the provider's state. Disenrollment or sanction from the other state's Medicaid program, or exclusion from any other federal or state health care program or comparable program-specific service delivery system is a basis for denial of enrollment, termination, or suspension from participation as a Department provider;

(b) The Oregon Board of Pharmacy issued a license to provide pharmacy services to a noncontiguous out-of-state pharmacy provider;

(c) The services must be authorized in the manner required for out-of-state services under the program-specific rules or contract for an eligible client;

(d) The services for which the provider bills are covered services under the OHP or other Department program for which covered services are authorized to be provided to the client;

(e) A facility, including but not limited to a hospital, rehabilitative facility, institution for care of individuals with mental retardation, psychiatric hospital, or residential care facility, is enrolled or contracted by the state agency in the state in which the facility is located or is licensed as a facility provider of services by Oregon; or

(f) If the provider is not domiciled in or registered to do business in Oregon, the provider must promptly provide to the Oregon Department of Revenue and the Oregon Secretary of State, Corporation Division all information required by those agencies relative to the provider enrollment form and provider enrollment agreement. The Department will withhold enrollment and payments until the out-of-state provider has provided documentation of compliance with this requirement to the Department unit responsible for enrollment.

(16) The provider enrollment agreement may be terminated as follows:

(a) Provider Termination Request. The provider may ask the Department to terminate the provider enrollment agreement at any time, subject to any specific provider termination requirements in program-specific rules or contracts.

(A) The request must be in writing, signed by the provider, and mailed or delivered to the Department provider enrollment unit. The notice must specify the Department-assigned provider number, if known.

(B) When accepted, the Department will assign the provider number a termination status and the effective date of the termination status.

(C) Termination of the provider enrollment agreement does not relieve the provider of any obligations for covered services or items provided under these rules, program-specific rules or contracts in effect for dates of services during which the provider enrollment agreement was in effect.

(b) Department Termination. The Department may terminate the provider enrollment agreement immediately upon notice to the provider, or a later date as the Department may establish in the notice, upon the occurrence of any of the following events:

(A) The Department fails to receive funding, appropriations, limitations, or other expenditure authority at levels that the Department or the specific program determines to be sufficient to pay for the services or items covered under the agreement;

(B) Federal or state laws, regulations, or guidelines are modified or interpreted by the Department in a manner that either providing the services or items under the agreement is prohibited or the Department is prohibited from paying for such services or items from the planned funding source;

(C) The Department has issued a final order revoking the Department-assigned provider number based on a sanction under termination terms and conditions established in program-specific rules or contract;

(D) The provider no longer holds a required license, certificate or other authority to qualify as a provider. The termination will be effective on the date the license, certificate, or other authority is no longer valid; or

(E) The provider fails to submit any claims for reimbursement for an 18-month period. The provider may reapply for enrollment.

(c) In the event of any dispute arising out of the termination of the provider enrollment agreement, the provider's sole monetary remedy is limited to covered services or items the Department determines to be compensable under the provider agreement, a claim for unpaid invoices, hours worked within any limits set forth in the agreement but not yet billed, and Department-authorized expenses incurred prior to termination. Providers are not entitled to recover indirect or consequential damages. Providers are not entitled to attorney fees, costs, or expenses of any kind.

(17) Immediate Suspension. When a provider fails to meet one or more of the requirements governing participation as a Department enrolled provider, the provider's Department- assigned provider number may be immediately suspended, in accordance with OAR 407-120-0360. The provider shall not provide services or items to clients during a period of suspension. The Department shall deny claims for payment or other reimbursement requests for dates of service during a period of suspension.

(18) The provision of program-specific or contract covered services or items to eligible clients is voluntary on the part of the provider. Providers are not required to serve all clients seeking service. If a provider undertakes to provide a covered service or item to an eligible client, the provider must comply with these rules, program-specific rules or contract.

(a) The provider performs all services, or provides all items, as an independent contractor. The provider is not an officer, employee, or agent of the Department.

(b) The provider is responsible for its employees, and for providing employment-related benefits and deductions that are required by law. The provider is solely responsible for its acts or omissions, including the acts or omissions of its own officers, employees or agents. The Department’s responsibility is limited to its authorization and payment obligations for covered services or items provided in accordance with these rules.

(19) For Medicaid services, a provider may not deny services to any eligible client because of the client's inability to pay the cost sharing amount imposed by the applicable program-specific or provider-specific rules or contract. A client's inability to pay does not eliminate the client's liability for the cost sharing charge.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08

407-120-0325

Compliance with Federal and State Statutes

(1) When a provider submits a claim for services or supplies provided to a Department client, the Department shall consider the submission as the provider’s representation to the Department of the provider's compliance with the applicable sections of the federal and state statutes and rules referenced in this rule, and other program rules or contract requirements of the specific program under which the claim is submitted:

(a) 45 CFR Part 84 which implements Title V, Section 504 of the Rehabilitation Act of 1973;

(b) 42 CFR Part 493 Laboratory Requirements and ORS chapter 438 (Clinical Laboratories).

(c) The provider must comply and, as indicated, require all subcontractors to comply with the following federal and state requirements to the extent that they are applicable to the items and services governed by these rules, unless exempt under 45 CFR Part 87 for Faith-Based Organizations (Federal Register, July 16, 2004, Volume 69, #136), or other federal provisions. For purposes of these rules, all references to federal and state laws are references to federal and state laws as they may be amended from time to time that are in effect on the date of provider’s service:

(A) The provider must comply and require all subcontractors to comply with all federal laws, regulations, executive orders applicable to the items and services provided under these rules. Without limiting the generality of the foregoing, the provider expressly agrees to comply and require all subcontractors to comply with the following laws, regulations and executive orders to the extent they are applicable to the items and services provided under these rules:

(i) Title VI and VII of the Civil Rights Act of 1964, as amended;

(ii) Sections 503 and 504 of the Rehabilitation Act of 1973, as amended;

(iii) The Americans with Disabilities Act of 1990, as amended;

(iv) Executive Order 11246, as amended;

(v) The Health Insurance Portability and Accountability Act of 1996;

(vi) The Age Discrimination in Employment Act of 1967, as amended, and the Age Discrimination Act of 1975, as amended;

(vii) The Vietnam Era Veterans’ Readjustment Assistance Act of 1974, as amended, (viii) all regulations and administrative rules established pursuant to the foregoing laws;

(viii) All other applicable requirements of federal civil rights and rehabilitation statutes, rules, and regulations;

(ix) All federal law governing operation of community mental health programs, including without limitation, all federal laws requiring reporting of client abuse. These laws, regulations and executive orders are incorporated by reference herein to the extent that they are applicable to the items and services governed by these rules and required by law to be so incorporated. No federal funds may be used to provide services in violation of 42 USC 14402.

(B) Any provider that receives or makes annual payments under Medicaid of at least $5,000,000, as a condition of receiving such payments, shall:

(i) Establish written policies for all employees of the entity (including management), and of any contractor, subcontractor, or agent of the entity, that provide detailed information about the False Claims Act established under 31 USC 3729 through 3733, administrative remedies for false claims and statements established under 31 USC 38, any Oregon state laws pertaining to civil or criminal penalties for false claims and statements, and whistle blowing protections under such laws, with respect to the role of such laws in preventing and detecting fraud, waste, and abuse in Federal health care programs (as defined in 42 USC 1320a-7b(f));

(ii) Include as part of written policies, detailed provisions regarding the entity’s policies and procedures for detecting and preventing fraud, waste, and abuse; and

(iii) Include in any employee handbook for the entity, a specific discussion of the laws described in sub-paragraph (i), the rights of the employees to be protected as whistleblowers.

(C) If the items and services governed under these rules exceed $10,000, the provider must comply and require all subcontractors to comply with Executive Order 11246, entitled “Equal Employment Opportunity,” as amended by Executive Order 11375, and as supplemented in U.S Department of Labor regulations (41 CFR part 60);

(D) If the items and services governed under these rules exceed $100,000, and are paid in any part with federal funds, the provider must comply and require all subcontractors to comply with all applicable standards, orders, or requirements issued under Section 306 of the Clean Air Act (42 U.S.C. 7606), the Federal Water Pollution Control Act as amended (commonly known as the Clean Water Act -- 33 U.S.C. 1251 to 1387), specifically including, but not limited to, Section 508 (33 U.S.C. 1368). Executive Order 11738, and Environmental Protection Agency regulations (40 CFR Part 32), which prohibit the use under non-exempt Federal contracts, grants or loans of facilities included on the EPA List of Violating Facilities. Violations must be reported to the Department, DHHS, and the appropriate Regional Office of the Environmental Protection Agency. The provider must include and require all subcontractors to include in all contracts with subcontractors receiving more than $100,000, language requiring the subcontractor to comply with the federal laws identified in this section;

(E) The provider must comply and require all subcontractors to comply with applicable mandatory standards and policies relating to energy efficiency that are contained in the Oregon energy conservation plan issued in compliance with the Energy Policy and Conservation Act, 42 U.S.C. 6201 et seq. (Pub. L. 94-163);

(F) The provider must provide written certification indicating that:

(i) No federal appropriated funds have been paid or shall be paid, by or on behalf of the provider, to any person for influencing or attempting to influence an officer or employee of an agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with the awarding of any federal contract, the making of any federal grant, the making of any federal loan, the entering into of any cooperative agreement, and the extension, continuation, renewal, amendment or modification of any federal contract, grant, loan or cooperative agreement;

(ii) If any funds other than federal appropriated funds have been paid or shall be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with this federal contract, grant, loan or cooperative agreement, the provider must complete and submit Standard Form LLL, “Disclosure Form to Report Lobbying” in accordance with its instructions;

(iii) The provider must require that the language of this certification be included in the award documents for all sub-awards at all tiers (including subcontracts, sub-grants, and contracts under grants, loans, and cooperative agreements) and that all sub-recipients and subcontractors must certify and disclose accordingly;

(iv) This certification is a material representation of fact upon which reliance was placed when this provider agreement was made or entered into. Submission of this certification is a prerequisite for making or entering into this provider agreement imposed by 31 USC 1352. Any person who fails to file the required certification shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for each such failure.

(G) If the items and services funded in whole or in part with financial assistance provided under these rules are covered by HIPAA or the federal regulations implementing HIPAA, the provider agrees to deliver the goods and services in compliance with HIPAA. The provider must comply and require all subcontractors to comply with the following:

(i) Individually identifiable health information about specific individuals is confidential. Individually identifiable health information relating to specific individuals may be exchanged between the provider and the Department for purposes directly related to the provision to clients of services that are funded in whole or in part under these rules. The provider must not use or disclose any individually identifiable health information about specific individuals in a manner that would violate Department privacy rules, (OAR 410-014-0000 et. seq.), or the Department’s Notice of Privacy Practices, if done by the Department;

(ii) Providers who engage in EDI transactions with the Department in connection with claims or encounter data, eligibility or enrollment information, authorizations or other electronic transactions must execute an EDI trading partner agreement with the Department and must comply with the Department’s electronic data transmission rules (OAR 407-120-0100 to 407-120-0200);

(iii) If a provider reasonably believes that the provider’s or the Department’s data transactions system or other application of HIPAA privacy or security compliance policy may result in a violation of HIPAA requirements, the provider must promptly consult the Department’s privacy officer. The provider or the Department may initiate a request to test HIPAA transactions, subject to available resources and the Department’s testing schedule.

(H) The provider must comply and require all subcontractors to comply with all mandatory standards and policies that relate to resource conservation and recovery pursuant to the Resource Conservation and Recovery Act (codified at 42 USC 6901 et. seq.). Section 6002 of that Act (codified at 42 USC 6962) requires that preference be given in procurement programs to the purchase of specific products containing recycled materials identified in guidelines developed by the Environmental Protection Agency. Current guidelines are set forth in 40 CFR Parts 247;

(I) The provider must comply and require all subcontractors to comply with the applicable audit requirements and responsibilities set forth in the Office of Management and Budget Circular A-133 entitled “Audits of States, Local Governments and Non-Profit Organizations;”

(J) The provider must not permit any person or entity to be a subcontractor if the person or entity is listed on the non-procurement portion of the General Service Administration’s “List of Parties Excluded from Federal Procurement or Nonprocurement Programs” in accordance with Executive Orders No. 12,549 and No. 12,689, “Debarment and Suspension”. (See 45 CFR part 76). This list contains the names of parties debarred, suspended, or otherwise excluded by agencies, and providers and subcontractors declared ineligible under statutory authority other than Executive Order No. 12549. Subcontractors with awards that exceed the simplified acquisition threshold must provide the required certification regarding their exclusion status and that of their principals prior to award;

(K) The provider must comply and require all subcontractors to comply with the following provisions to maintain a drug-free workplace:

(i) Certify that it shall provide a drug-free workplace by publishing a statement notifying its employees that the unlawful manufacture, distribution, dispensation, possession, or use of a controlled substance, except as may be present in lawfully prescribed or over-the-counter medications, is prohibited in the provider's workplace or while providing services to Department clients. The provider's notice must specify the actions that shall be taken by the provider against its employees for violation of such prohibitions;

(ii) Establish a drug-free awareness program to inform its employees about the dangers of drug abuse in the workplace, the provider's policy of maintaining a drug-free workplace, any available drug counseling, rehabilitation, and employee assistance programs, and the penalties that may be imposed upon employees for drug abuse violations;

(iii) Provide each employee to be engaged in the performance of services under these rules a copy of the statement required in paragraph (J)(i) above;

(iv) Notify each employee in the statement required by paragraph (J)(i) that, as a condition of employment to provide services under these rules, the employee shall abide by the terms of the statement and notify the employer of any criminal drug statute conviction for a violation occurring in the workplace no later than five days after such conviction;

(v) Notify the Department within ten days after receiving notice under subparagraph (J)(iv) from an employee or otherwise receiving actual notice of such conviction;

(vi) Impose a sanction on, or require the satisfactory participation in a drug abuse assistance or rehabilitation program by any employee who is convicted as required by Section 5154 of the Drug-Free Workplace Act of 1988;

(vii) Make a good-faith effort to continue a drug-free workplace through implementation of subparagraphs (J)(i) through (J)(vi);

(viii) Require any subcontractor to comply with subparagraphs (J)(i) through (J)(vii);

(ix) The provider, the provider's employees, officers, agents, or subcontractors shall not provide any service required under these rules while under the influence of drugs. For purposes of this provision, "under the influence" means observed abnormal behavior or impairments in mental or physical performance leading a reasonable person to believe the provider or provider's employee, officer, agent, or subcontractor has used a controlled substance, prescription, or non-prescription medication that impairs the provider or provider's employee, officer, agent, or subcontractor's performance of essential job function or creates a direct threat to Department clients or others. Examples of abnormal behavior include but are not limited to hallucinations, paranoia or violent outbursts. Examples of impairments in physical or mental performance include but are not limited to slurred speech, difficulty walking or performing job activities;

(x) Violation of any provision of this subsection may result in termination of the provider agreement.

(L) The provider must comply and require all sub-contractors to comply with the Pro-Children Act of 1994 (codified at 20 USC section 6081 et. seq.);

(M) A provider reimbursed or seeking reimbursement with Medicaid funds must comply with all applicable federal and state laws and regulations pertaining to the provision of Medicaid services under the Medicaid Act, Title XIX, 42 USC Section 1396 et. seq., including without limitation:

(i) Maintain necessary records to fully disclose the extent of the services provided to individuals receiving Medicaid assistance and must furnish the information to any state or federal agency responsible for administering the Medicaid program regarding any payments claimed by the provider or institution for providing Medicaid services as the state or federal agency may from time to time request. 42 USC Section 1396a(a)(27); 42 CFR 431.107(b)(1) & (2);

(ii) Comply with all disclosure requirements of 42 CFR 1002.3(a) and 42 CFR 455 Subpart (B);

(iii) Maintain written notices and procedures respecting advance directives in compliance with 42 USC Section 1396(a)(57) and (w), 42 CFR 431.107(b)(4), and 42 CFR 489 subpart I;

(iv) Certify when submitting any claim for the provision of Medicaid services that the information submitted is true, accurate and complete. The provider must acknowledge provider’s understanding that payment of the claim shall be from federal and state funds and that any falsification or concealment of a material fact may be prosecuted under federal and state laws.

(N) Providers must comply with the obligations intended for contractors under ORS 279B.220, 279B.225, 279B.230 and 279B.235 (if applicable), Providers shall, to the maximum extent economically feasible in the performance of covered services, use recycled paper (as defined in ORS 279A.010(1)(ee)), recycled PETE products (as defined in 279A.010(1)(ff)), and other recycled plastic resin products and recycled products (as “recycled product” is defined in 279A.010(1)(gg)).

(O) Providers must comply with all federal, state and local tax laws, including Social Security payment requirements, applicable to payments made by the Department to the provider.

(2) Hospitals, nursing facilities, home health agencies (including those providing personal care), hospices, and health maintenance organizations shall comply with the Patient Self-Determination Act as set forth in Section 4751 of OBRA 1991. To comply with the obligation under the above listed laws to deliver information on the rights of the individual under Oregon law to make health care decisions, the named providers and organizations must provide capable individuals over the age of 18 a copy of "Your Right to Make Health Care Decisions in Oregon," copyright 1993, by the Oregon State Bar Health Law Section. Out-of-state providers of these services must comply with Medicare and Medicaid regulations in their state. Submittal to the Department of the appropriate billing form requesting payment for medical services provided to a Medicaid eligible client shall be deemed representation to the Department of the medical provider's compliance with the above-listed laws.

(3) Providers described in ORS chapter 419B are required to report suspected child abuse to their local Children, Adults and Families Division office or police, in the manner described in ORS chapter 419.

(4) The Clinical Laboratory Improvement Act (CLIA), requires all entities that perform even one laboratory test, including waived tests, on "materials derived from the human body for the purpose of providing information for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of, human beings" to meet certain federal requirements. If an entity performs tests for these purposes, it is considered, under CLIA, to be a laboratory.

[Publication: Publication referenced are available from the agency.]

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0330

Billing Procedures

(1) These rules only apply to covered services and items provided to clients that are paid for by the Department based on a Department fee schedule or other reimbursement method (often referred to as fee-for-service), or for services that are paid for by the Department at the request of a county for county-authorized services, in accordance with program-specific rules or contract.

(a) If a client's service or item is paid for by a PHP, the provider must comply with the billing and procedures related to claim submission established under contract with that PHP, or the rules applicable to non-participating providers if the provider is not under contract with that PHP.

(b) If the client is enrolled in a PHP, but the client is permitted by a contract or program-specific rules to obtain covered services reimbursed by the Department (such as family planning services that may be obtained from any provider), the provider must comply with the billing and claim procedures established under these rules.

(2) All Department-assigned provider numbers are issued at enrollment and are directly associated with the provider as defined in OAR 407-120-0320(12) and have the following uses:

(a) Log-on identification for the Department web portal;

(b) Claim submission in the approved paper formats; and

(c) For electronic claims submission including the web portal for atypical providers pursuant to 45 CFR 160 and 162 where an NPI is not mandated. Use of the Department-assigned provider number shall be considered authorized by the provider and the Department shall hold the provider accountable for its use.

(3) Except as provided in section (4) below, an enrolled provider may not seek payment for any covered services from:

(a) A client for covered benefits; or

(b) A financially responsible relative or representative of that client.

(4) Providers may seek payment from an eligible client or client representative as follows:

(a) From any applicable coinsurance, co-payments, deductibles, or other client financial obligation to the extent and as expressly authorized by program-specific rules or contract;

(b) From a client who failed to inform the provider of Department program eligibility, of OHP or PHP enrollment, or of other third party insurance coverage at the time the service was provided or subsequent to the provision of the service or item. In this case, the provider could not bill the Department, the PHP, or third party payer for any reason, including but not limited to timeliness of claims and lack of prior authorization. The provider must document attempts to obtain information on eligibility or enrollment;

(c) The client became eligible for Department benefits retroactively but did not meet other established criteria described in the applicable program-specific rules or contracts.

(d) The provider can document that a TPR made payments directly to the client for services provided that are subject to recovery by the provider in accordance with program-specific rules or contract;

(e) The service or item is not covered under the client's benefit package. The provider must document that prior to the delivery of services or items, the provider informed the client the service or item would not be covered by the Department;

(f) The client requested continuation of benefits during the administrative hearing process and the final decision was not in favor of the client. The client shall be responsible for any charges since the effective date of the initial notice of denial; or

(g) In exceptional circumstances, a client may request continuation of a covered service while asserting the right to privately pay for that service. Under this circumstance, a provider may bill the client for a covered service only if the client is informed in advance of receiving the specific service of all of the following:

(A) The requested service is a covered service and the provider would be paid in full for the covered service if the claim is submitted to the Department or the client's PHP;

(B) The estimated cost of the covered service, including all related charges, that the Department or PHP would pay, and for which the client is billed cannot be an amount greater than the maximum Department or PHP reimbursable rate or PHP rate;

(C) The provider cannot require the client to enter into a voluntary payment agreement for any amount for the covered service; and

(D) The provider must be able to document, in writing, signed by the client or the client's representative, that the client was provided the information described above; was provided an opportunity to ask questions, obtain additional information, and consult with the client's caseworker or client representative; and the client agreed to be responsible for payment by signing an agreement incorporating all of the information described above. The provider must provide a copy of the signed agreement to the client. The provider must not submit a claim for payment for the service or item to the Department or to the client's PHP that is subject to such an agreement.

(5) Reimbursement for Non-Covered Services.

(a) A provider may bill a client for services that are not covered by the Department or a PHP, except as provided in these rules. The client must be informed in advance of receiving the specific service that it is not covered, the estimated cost of the service, and that the client or client's representative is financially responsible for payment for the specific service. Providers must provide written documentation, signed by the client, or the client's representative, dated prior to the delivery of services or item indicating that the client was provided this information and that the client knowingly and voluntarily agreed to be responsible for payment.

(b) Providers must not bill or accept payment from the Department or a PHP for a covered service when a non-covered service has been provided and additional payment is sought or accepted from the client. Examples include but are not limited to charging the client an additional payment to obtain a gold crown (not covered) instead of the stainless steel crown (covered) or charging an additional client payment to obtain eyeglass frames not on the covered list of frames. This practice is called buying-up, which is not permitted, and a provider may be sanctioned for this practice regardless of whether a client waiver is documented.

(c) Providers must not bill clients or the Department for a client's missed appointment.

(d) Providers must not bill clients or the Department for services or items provided free of charge. This limitation does not apply to established sliding fee schedules where the client is subject to the same standards as other members of the public or clients of the provider.

(e) Providers must not bill clients for services or items that have been denied due to provider error such as required documentation not submitted or prior authorization not obtained.

(6) Providers must verify that the individual receiving covered services is, in fact, an eligible client on the date of service for the service provided and that the services is covered in the client's benefit package.

(a) Providers are responsible for costs incurred for failing to confirm eligibility or that services are covered.

(b) Providers must confirm the Department's client eligibility and benefit package coverage using the web portal, or the Department telephone eligibility system, and by other methods specified in program-specific or contract instructions.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0340

Claim and PHP Encounter Submission

(1) Claim and PHP Encounter Submission. All claims must be submitted using one of the following methods:

(a) Paper forms, using the appropriate form as described in the program-specific rules or contract;

(b) Electronically using the web portal accessed by provider-specific PIN and password. Initial activation by provider of Department-assigned provider number and PIN for web portal access invokes provider's agreement to meet all of the standards for HIPAA privacy, security, and transactions and codes sets standards as defined in 45 CFR 162;

(c) Electronically in a manner authorized by the Department's EDT rules (OAR 407-120-0100 to 407-120-0200); or

(d) Electronically, for PHP encounters, in the manner required by the PHP contract with the Department and authorized by the Department's EDT rules.

(2) Claims must not be submitted prior to delivery of service unless otherwise authorized by program-specific rules or contracts. A claim for an item must not be submitted prior to dispensing, shipping, or mailing the item unless otherwise specified in the Department's program-specific rules or contracts.

(3) Claims and PHP encounters must be submitted in compliance HIPAA transaction and code set rules. The HIPAA transaction and code set rules, 45 CFR 162, apply to all electronic transactions for which DHHS has adopted a standard.

(a) The Department may deny or reject electronic transactions that fail to comply with the federal standard.

(b) The Department is required to comply with the HIPAA code set requirements in 45 CFR 162.1000 through 162.1011, regardless of whether a request is made verbally, or a claim is submitted on paper or electronically, and with regard to the electronic claims and encounter remittance advice information, including the web portal. Compliance with the code set requirements includes the codes and the descriptors of the codes established by the official entity that maintains the code set. These federal code set requirements are mandatory and the Department has no authority to delay or alter their application or effective dates as established by DHHS.

(A) The issuance of a federal code does not mean that the Department covers the item or service described by the federal code. In the event of a variation between a Department-listed code and a national code, the provider should seek clarification from the Department program. The Department shall apply the national code in effect on the date of request or date of service and the Department-listed code may be used for the limited purpose of describing the Department's intent in identifying whether the applicable national code represents a Department covered service or item.

(B) For purposes of maintaining HIPAA code set compliance, the Department adopts by reference the required use of the version of all national code set revisions, deletions, and additions in accordance with the HIPAA transaction and code set rules in effect on the date of this rule. This code set adoption may not be construed as Department coverage or that the existence of a particular national code constitutes a determination by the Department that the particular code is a covered service or item. If the provider is unable to identify an appropriate procedure code to use on the claim or PHP encounter, the provider should contact the Department for assistance in identifying an appropriate procedure code reference in but not limited to the following:

(i) Current Procedural Terminology, Fourth Edition (CPT-4), (American Medical Association);

(ii) Current Dental Terminology (CDT), (American Dental Association);

(iii) Diagnosis Related Group (DRG), (DHHS);

(iv) Health Care Financing Administration Common Procedural Coding System (HCPCS), (DHHS);

(v) National Drug Codes (NDC), (DHHS); or

(vi) HIPAA related codes, DHHS, claims adjustment reason, claim status, taxonomy codes, and decision reason available at the Washington Publishing Company web site: http://www.wpc.edi.com/content/view/180/223.

(C) For electronic claims and PHP encounters, the appropriate HIPAA claim adjustment reason code for third party payer, including Medicare, explanation of payment must be used.

(c) Diagnosis Code Requirement.

(A) For claims and PHP encounters that require the listing of a diagnosis code as the basis for the service provided, the code listed on the claim must be the code that most accurately describes the client's condition and the service or item provided.

(B) A primary diagnosis code is required on all claims, using the HIPAA nationally required diagnosis code set including the code and the descriptor of the code by the official entity that maintains the code set, unless the requirement for a primary diagnosis code is specifically excluded in the Department's program-specific rules or contract. All diagnosis codes are required to the highest degree of specificity. Providers must use the ICD-9-CM diagnosis coding system when a diagnosis is required unless otherwise specified in the appropriate program-specific rules or contract.

(C) Hospitals must follow national coding guidelines and must bill using the 5th digit, in accordance with methodology used in the Medicare Diagnosis Related Groups.

(d) Providers are required to provide and identify the following procedures codes.

(A) The appropriate procedure code on claims and PHP encounters as instructed in the appropriate Department program-specific rules or contract and must use the appropriate HIPAA procedure code set, set forth in 45 CFR 162.1000 through 162.1011, which best describes the specific service or item provided.

(B) Where there is one CPT, CDT, or HCPCS code that according to those coding guidelines or standards, describes an array of services, the provider must use that code rather than itemizing the services under multiple codes. Providers must not "unbundle" services in order to increase payment or to mischaracterize the service.

(4) Prohibition of False Claims. No provider or its contracted agent (including billing service or billing agent) shall submit or cause to be submitted to the Department:

(a) Any false claim for payment or false PHP encounter;

(b) Any claim or PHP encounter altered in such a way as to result in a duplicate payment for a service that has already been paid;

(c) Any claim or PHP encounter upon which payment has been made or is expected to be made by another source unless the amount paid or to be paid by the other party is clearly entered on the claim form or PHP encounter format; or

(d) Any claim or PHP encounter for providing services or items that have not been provided.

(5) Third Party Resources.

(a) A provider shall not refuse to furnish covered services or items to an eligible client because of a third party's potential liability for the service or item.

(b) Providers must take all reasonable measures to ensure that the Department shall be the payer of last resort, consistent with program-specific rules or contracts. If available, private insurance, Medicare, or worker's compensation must be billed before the provider submits a claim for payment to the Department, county, or PHP. For services provided to a Medicare and Medicaid dual eligible client, Medicare is the primary payer and the provider must first pursue Medicare payment (including appeals) prior to submitting a claim for payment to the Department, county, or PHP. For services not covered by Medicare or other third party resource, the provider must follow the program-specific rules or contracts for appropriate billing procedures.

(c) When another party may be liable for paying the expenses of a client's injury or illness, the provider must follow program-specific rules or contract addressing billing procedures.

(6) Full Use of Alternate Community Resources.

(a) The Department shall generally make payment only when other resources are not available for the client's needs. Full use must be made of reasonable alternate resources in the local community; and

(b) Providers must not accept reimbursement from more than one resource for the same service or item, except as allowed in program-specific or contract TPR requirements.

(7) Timely Submission of Claim or Encounter Data.

(a) Subsection (a) through (c) below apply only to the submission of claims data or other reimbursement document to the Department, including provider reimbursement by the Department pursuant to an agreement with a county. Unless requirements for timely filing provided for in program-specific rules or applicable contracts are more specific than the timely filing standard established in this rule, all claims for services or items must be submitted no later than 12 months from the date of service.

(b) A denied claim submitted within 12 months of the date of service may be resubmitted (with resubmission documentation, as indicated within the program-specific rules or contracts) within 18 months of the date of service. These claims must be submitted to the Department in writing. The provider must present documentation acceptable to the Department verifying the claim was originally submitted within 12 months of the date of service, unless otherwise stated in program-specific rules or contracts. Acceptable documentation is:

(A) A remittance advice or other claim denial documentation from the Department to the provider showing the claim was submitted before the claim was one year old; or

(B) A copy of a billing record or ledger showing dates of submission to the Department.

(c) Exceptions to the 12-month requirement that may be submitted to the Department are as follows:

(A) When the Department confirms the Department or the client's branch office has made an error that caused the provider not to be able to bill within 12 months of the date of service;

(B) When a court or an administrative law judge in a final order has ordered the Department to make payment;

(C) When the Department determines a client is retroactively eligible for Department program coverage and more than 12 months have passed between the date of service and the determination of the client's eligibility, to the extent authorized in the program-specific rules or contracts.

(d) PHP encounter data must be submitted in accordance with 45 CFR part 162.1001 and 162.1102 and the time periods established in the PHP contract with the Department.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0350

Payments and Overpayments

(1) Authorization of Payment.

(a) Some services or items covered by the Department require authorization before a service, item, or level of care can be provided or before payment shall be made. Providers must check the appropriate program-specific rules or contracts for information on services or items requiring prior authorization and the process to follow to obtain authorization.

(b) Documentation submitted when requesting authorization must support the program-specific or contract justification for the service, item, or level of care. A request is considered complete if it contains all necessary documentation and meets any other requirements as described in the appropriate program-specific rules or contract.

(c) The authorizing program shall authorize the covered level of care, type of service, or item that meets the client's program-eligible need. The authorizing program shall only authorize services which meet the program-specific or contract coverage criteria and for which the required documentation has been submitted. The authorizing program may request additional information from the provider to determine the appropriateness of authorizing the service, item, or level of care within the scope of program coverage.

(d) Authorizing programs shall not authorize services or make payment for authorized services under the following circumstances:

(A) The client was not eligible at the time services were provided. The provider must check the client's eligibility each time services are provided;

(B) The provider cannot produce appropriate documentation to support that the level of care, type of service, or item meets the program-specific or contract criteria, or the appropriate documentation was not submitted to the authorizing program;

(C) The delivery of the service, item, or level of care has not been adequately documented as described in OAR 407-120-0370. Requirements for financial, clinical and other records, and the documentation in the provider's files is not adequate to determine the type, medical appropriateness, or quantity of services, or items provided or the required documentation is not in the provider's files;

(D) The services or items identified in the claim are not consistent with the information submitted when authorization was requested or the services or items provided are retrospectively determined not to be authorized under the program-specific or contract criteria;

(E) The services or items identified in the claim are not consistent with those which were provided;

(F) The services or items were not provided within the timeframe specified on the authorization of services document; or

(G) The services or items were not authorized or provided in compliance with the program-specific rules or contracts.

(e) Payment made for services or items described in subsections (d)(A) through (G) of this rule shall be recovered.

(f) Retroactive Department Client Eligibility.

(A) When a client is determined to be retroactively eligible for a Department program, or is retroactively disenrolled from a PHP or services provided after the client was disenrolled from a PHP, authorization for payment may be given if the following conditions are met:

(i) The client was eligible on the date of service and the program-specific rules or contract authorize the Department to reimburse the provider for services provided to clients made retroactively eligible;

(ii) The services or items provided to the client meet all other program-specific or contract criteria and Oregon Administrative Rules;

(iii) The request for authorization is received by the appropriate Department branch or program office within 90 days of the date of service; and

(iv) The provider is enrolled with the Department on the date of service, or becomes enrolled with the Department no later than the date of service as provided in OAR 407-120-0320(11).

(B) Requests for authorization received after 90 days from date of service require all the documentation required in subsection (f)(A)(i), (ii) and (iv) and documentation from the provider stating why the authorization could not have been obtained within 90 days of the date of service.

(g) Service authorization is valid for the time period specified on the authorization notice, but shall not exceed 12 months, unless the client's benefit package no longer covers the service, in which case the authorization terminates on the date coverage ended.

(h) Service authorization for clients with other insurance or for Medicare beneficiaries is governed by program-specific rules or contracts.

(2) Payments.

(a) This rule only applies to covered services and items provided to eligible clients within the program-specific or contract covered services or items in effect on the date of service that are paid for by the Department based on program-specific or contract fee schedules or other reimbursement methods, or for services that are paid for by the Department at the request of a county for county-authorized services in accordance with program-specific or provider-specific rules or contracts.

(b) If the client's service or item is paid for by a PHP, the provider must comply with the payment requirements established under contract with that PHP, and in accordance with OAR 410-120 and 410-141, applicable to non-participating providers.

(c) The Department shall pay for services or items based on the reimbursement rates and methods specified in the applicable program-specific rules or contract. Provider reimbursement on behalf of a county must include county service authorization information.

(d) Providers must accept, as payment in full, the amounts paid by the Department in accordance with the fee schedule or reimbursement method specified in the program-specific rules or contract, plus any deductible, co-payment, or coinsurance required to be paid by the client. Payment in full includes:

(A) Zero payments for claims where a third party or other resource has paid an amount equivalent to or exceeding the Department's allowable payment; or

(B) Denials of payment for failure to submit a claim in a timely manner, failure to obtain payment authorization in a timely and appropriate manner, or failure to follow other required procedures identified in the program-specific rules or contracts.

(e) The Department shall not make payments for duplicate services or items. The Department shall not make a separate payment or co-payment to a provider for services included in the provider's all-inclusive rate if the provider has been or shall be reimbursed by other resources for the service or item.

(f) Prepayment and Post-Payment Review. Payment by the Department does not limit the Department or any state or federal oversight entity from reviewing or auditing a claim before or after the payment. Payment may be denied or subject to recovery if medical, clinical, program-specific or contract review, audit, or other post-payment review determines the service or item was not provided in accordance with applicable rules or contracts or does not meet the program-specific or contract criteria for quality of care, or appropriateness of the care, or authorized basis for payment.

(3) Recovery of Overpayments to Providers -- Recoupments and Refunds

(a) The Department may deny payment or may deem payments subject to recovery as an overpayment if a review or audit determines the item or service was not provided in accordance with the Department's rules, terms of contract, or does not meet the criteria for quality of care, or appropriateness of the care or payment. Related provider billings shall also be denied or subject to recovery.

(b) If a provider determines that a submitted claim or encounter is incorrect, the provider must submit an individual adjustment request and refund the amount of the overpayment, if any, or adjust the claim or encounter, consistent with the requirements in program-specific rules or contracts.

(c) The Department may determine, as a result of review or other information, that a payment should be denied or that an overpayment has been made to a provider, which indicates that a provider may have submitted claims or encounters, or received payment to which the provider is not properly entitled. Such payment denial or overpayment determinations may be based on but not limited to the following:

(A) The Department paid the provider an amount in excess of the amount authorized under a contract, state plan or Department rule;

(B) A third party paid the provider for services, or portion thereof, previously paid by the Department;

(C) The Department paid the provider for services, items, or drugs that the provider did not perform or provide;

(D) The Department paid for claims submitted by a data processing agent for whom a written provider or billing agent or billing service agreement was not on file at the time of submission;

(E) The Department paid for services and later determined they were not part of the client's program-specific or contract-covered services;

(F) Coding, data processing submission, or data entry errors;

(G) Medical, dental, or professional review determines the service or item was not provided in accordance with the Department's rules or contract or does not meet the program-specific or contract criteria for coverage, quality of care, or appropriateness of the care or payment;

(H) The Department paid the provider for services, items, or drugs when the provider did not comply with the Department's rules and requirements for reimbursement; or

(I) The provider submitted inaccurate, incomplete or false encounter data to the Department.

(d) Prior to identifying an overpayment, the Department may contact the provider requesting preliminary information and additional documentation. The provider must provide the requested documentation within the specified time frame.

(e) When an overpayment is identified, the Department shall notify the provider in writing as to the nature of the discrepancy, the method of computing the overpayment, and any further action that the Department may take on the matter. The notice may require the provider to submit applicable documentation for review prior to requesting an appeal from the Department, and may impose reasonable time limits for when documentation must be provided for Department consideration. The notice shall inform the provider of the process for appealing the overpayment determination.

(f) The Department may recover overpayments made to a provider by direct reimbursement, offset, civil action, or other legal action:

(A) The provider must make a direct reimbursement to the Department within 30 calendar days from the date of the notice of the overpayment, unless other regulations apply.

(B) The Department may grant the provider an additional period of time to reimburse the Department upon written request made within 30 calendar days from the date of the notice of overpayment. The provider must include a statement of the facts and reasons sufficient to show that repayment of the overpayment amount should be delayed pending appeal because:

(i) The provider shall suffer irreparable injury if the overpayment notice is not delayed;

(ii) There is a reason to believe that the overpayment is incorrect or is less than the amount in the notice, and the provider has timely filed an appeal of the overpayment, or that the provider accepts the amount of the overpayment but is requesting to make repayment over a period of time;

(iii) A proposed method for assuring that the amount of the overpayment can be repaid when due with interest including but not limited to a bond, irrevocable letter of credit, or other undertaking, or a repayment plan for making payments, including interest, over a period of time;

(iv) Granting the delay shall not result in substantial public harm; and

(v) Affidavits containing evidence relied upon in support of the request for stay.

(C) The Department may consider all information in the record of the overpayment determination, including provider cooperation with timely provision of documentation, in addition to the information supplied in provider's request. If provider requests a repayment plan, the Department may require conditions acceptable to the Department before agreeing to a repayment plan. The Department must issue an order granting or denying a repayment delay request within 30 calendar days after receiving it;

(D) A request for hearing or administrative review does not change the date the repayment of the overpayment is due; and

(E) The Department may withhold payment on pending claims and on subsequently received claims for the amount of the overpayment when overpayments are not paid as a result of subsection (B)(i);

(f) In addition to any overpayment, the Department may impose a sanction on the provider in connection with the actions that resulted in the overpayment. The Department may, at its discretion, combine a notice of sanction with a notice of overpayment.

(g) Voluntary submission of an adjustment claim or encounter transaction or an individual adjustment request or overpayment amount after notice from the Department does not prevent the Department from issuing a notice of sanction The Department may take such voluntary payment into account in determining the sanction.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0360

Consequences of Non-Compliance and Provider Sanctions

(1) There are two classes of provider sanctions, mandatory and discretionary, that may be imposed for non-compliance with the provider enrollment agreement.

(2) Except as otherwise provided, the Department shall impose provider sanctions at the direction of the assistant director of the Department's division whose budget includes payment for the services involved.

(3) Mandatory Sanctions. The Department shall impose mandatory sanctions and suspend the provider from participation in the Department's programs:

(a) When a provider has been convicted (as that term is defined in 42 CFR part 1001.2) of a felony or misdemeanor related to a crime, or violation of Title XVIII, XIX, or XX of the Social Security Act or related state laws, or other disqualifying criminal conviction pursuant to program-specific rules or contract;

(b) When a provider is excluded from participation in federal or state health care programs by the Office of the Inspector General of DHHS or from the Medicare (Title XVIII) program of the Social Security Act as determined by the Secretary of DHHS. The provider shall be excluded and suspended from participation with the Department for the duration of exclusion or suspension from the Medicare program or by the Office of the Inspector General; or

(c) If the provider fails to disclose ownership or control information required under 42 CFR part 455.104 that is required to be reported at the time the provider submits a provider enrollment form or when there is a material change in the information that must be reported, or information related to business transactions required to be provided under 42 CFR part 455.105 upon request of federal or state authorities.

(4) Discretionary Sanctions. When the Department determines the provider fails to meet one or more of the Department's requirements governing participation in its programs the Department may impose discretionary sanctions. Conditions that may result in a discretionary sanction include, but are not limited to when a provider has:

(a) Been convicted of fraud related to any federal, state, or locally financed health care program or committed fraud, received kickbacks, or committed other acts that are subject to criminal or civil penalties under the Medicare or Medicaid statutes;

(b) Been convicted of interfering with the investigation of health care fraud;

(c) Been convicted of unlawfully manufacturing, distributing, prescribing, or dispensing a controlled substance or other potentially disqualifying crime, as determined under program-specific rules or contracts;

(d) By actions of any state licensing authority for reasons relating to the provider's professional competence, professional conduct, or financial integrity either:

(A) Had his or her professional license suspended or revoked, or otherwise lost such license; or

(B) Surrendered his or her license while a formal disciplinary proceeding is pending before the relevant licensing authority.

(e) Been suspended or excluded from participation in any federal or state program for reasons related to professional competence, professional performance, or other reason;

(f) Billed excessive charges including but not limited to charging in excess of the usual charge, furnished items or services in excess of the client's needs or in excess of those services ordered by a provider, or in excess of generally accepted standards or quality that fail to meet professionally recognized standards;

(g) Failed to furnish necessary covered services as required by law or contract with the Department if the failure has adversely affected or has a substantial likelihood of adversely affecting the client;

(h) Failed to disclose required ownership information;

(i) Failed to supply requested information on subcontractors and suppliers of goods or services;

(j) Failed to supply requested payment information;

(k) Failed to grant access or to furnish as requested, records, or grant access to facilities upon request of the Department or the MFCU conducting their regulatory or statutory functions;

(l) In the case of a hospital, failed to take corrective action as required by the Department, based on information supplied by the QIO to prevent or correct inappropriate admissions or practice patterns, within the time specified by the Department;

(m) In the case of a licensed facility, failed to take corrective action under the license as required by the Department within the time specified by the Department;

(n) Defaulted on repayment of federal or state government scholarship obligations or loans in connection with the provider's health profession education;

(A) Providers must have made a reasonable effort to secure payment;

(B) The Department must take into account access of beneficiaries to services; and

(C) Shall not exclude a community's sole physician or source of essential specialized services;

(o) Repeatedly submitted a claim with required data missing or incorrect:

(A) When the missing or incorrect data has allowed the provider to:

(i) Obtain greater payment than is appropriate;

(ii) Circumvent prior authorization requirements;

(iii) Charge more than the provider's usual charge to the general public;

(iv) Receive payments for services provided to individuals who were not eligible; or

(v) Establish multiple claims using procedure codes that overstate or misrepresent the level, amount, or type of services or items provided.

(B) Does not comply with the requirements of OAR 410-120-1280.

(p) Failed to develop, maintain, and retain, in accordance with relevant rules and standards, adequate clinical or other records that document the client's eligibility and coverage, authorization (if required by program-specific rules or contracts), appropriateness, nature, and extent of the services or items provided;

(q) Failed to develop, maintain, and retain in accordance with relevant rules and standards, adequate financial records that document charges incurred by a client and payments received from any source;

(r) Failed to develop, maintain, and retain adequate financial or other records that support information submitted on a cost report;

(s) Failed to follow generally accepted accounting principles or accounting standards or cost principles required by federal or state laws, rules, or regulations;

(t) Submitted claims or written orders contrary to generally accepted standards of professional practice;

(u) Submitted claims for services that exceed the requested or agreed upon amount by the OHP client, the client representative, or requested by another qualified provider;

(v) Breached the terms of the provider contract or agreement;

(w) Failed to comply with the terms of the provider certifications on the claim form;

(x) Rebated or accepted a fee or portion of a fee for a client referral; or collected a portion of a service fee from the client and billed the Department for the same service;

(y) Submitted false or fraudulent information when applying for a Department-assigned provider number, or failed to disclose information requested on the provider enrollment form;

(z) Failed to correct deficiencies in operations after receiving written notice of the deficiencies from the Department;

(aa) Submitted any claim for payment for which the Department has already made payment or any other source unless the amount of the payment from the other source is clearly identified;

(bb) Threatened, intimidated, or harassed clients, client representatives, or client relatives in an attempt to influence payment rates or affect the outcome of disputes between the provider and the Department;

(cc) Failed to properly account for a client's personal incidental funds including but not limited to using a client's personal incidental funds for payment of services which are included in a medical facility's all-inclusive rates;

(dd) Provided or billed for services provided by ineligible or unsupervised staff;

(ee) Participated in collusion that resulted in an inappropriate money flow between the parties involved;

(ff) Refused or failed to repay, in accordance with an accepted schedule, an overpayment established by the Department;

(gg) Failed to report to Department payments received from any other source after the Department has made payment for the service; or

(hh) Collected or made repeated attempts to collect payment from clients for services covered by the Department, under OAR 410-120-1280.

(5) A provider who has been excluded, suspended, or terminated from participation in a federal or state medical program, such as Medicare or Medicaid, or whose license to practice has been suspended or revoked by a state licensing board, must not submit claims for payment, either personally or through claims submitted by any billing agent or service, billing provider or other provider, for any services or supplies provided under the medical assistance programs, except those services or supplies provided prior to the date of exclusion, suspension or termination.

(6) Providers must not submit claims for payment to the Department for any services or supplies provided by an individual or provider entity that has been excluded, suspended, or terminated from participation in a federal or state medical program, such as Medicare or Medicaid, or whose license to practice has been suspended or revoked by a state licensing board, except for those services or supplies provided prior to the date of exclusion, suspension or termination.

(7) When the provisions of sections (5) or (6) are violated, the Department may suspend or terminate the billing provider or any provider who is responsible for the violation.

(8) Sanction Types and Conditions.

(a) A mandatory sanction imposed by the Department pursuant to section (3) may result in any of the following:

(A) The provider shall either be terminated or suspended from participation in the Department's programs. No payments of Title XIX, Title XXI or other federal or state funds shall be made for services provided after the date of termination. Termination is permanent unless:

(i) The exceptions cited in 42CFR part 1001.221 are met; or

(ii) Otherwise stated by the Department at the time of termination.

(B) No payments of Title XIX, Title XXI, or other federal or state funds shall be made for services provided during the suspension. The provider number shall be reactivated automatically after the suspension period has elapsed if the conditions that caused the suspension have been resolved. The minimum duration of a suspension shall be determined by the DHHS Secretary, under the provisions of 42 CFR parts 420, 455, 1001, or 1002. The Department may suspend a provider from participation in the medical assistance programs longer than the minimum suspension determined by the DHHS secretary.

(b) The Department may impose the following discretionary sanctions on a provider pursuant to OAR 410-120-1400(4):

(A) The provider may be terminated from participation in the Department's programs. No payments of Title XIX, Title XXI or other federal or state funds shall be made for services provided after the date of termination. Termination is permanent unless:

(i) The exceptions cited in 42 CFR part 1001.221 are met; or

(ii) Otherwise stated by the Department at the time of termination.

(B) The provider may be suspended from participation in the Department's programs for a specified length of time, or until specified conditions for reinstatement are met and approved by the Department. No payments of Title XIX, Title XXI, or other federal or state funds shall be made for services provided during the suspension. The provider number shall be reactivated automatically after the suspension period has elapsed if the conditions that caused the suspension have been resolved.

(C) The Department may withhold payments to a provider;

(D) The provider may be required to attend provider education sessions at the expense of the sanctioned provider;

(E) The Department may require that payment for certain services are made only after the Department has reviewed documentation supporting the services;

(F) The Department may require repayment of amounts paid or provide for reduction of any amount otherwise due the provider; and

(G) Any other sanctions reasonably designed to remedy or compel future compliances with federal, state, or Department regulations.

(c) The Department shall consider the following factors in determining the sanction to be imposed. Factors include but are not limited to:

(A) Seriousness of the offense;

(B) Extent of violations by the provider;

(C) History of prior violations by the provider;

(D) Prior imposition of sanctions;

(E) Prior provider education;

(F) Provider willingness to comply with program rules;

(G) Actions taken or recommended by licensing boards or a QIO;

(H) Adverse impact on the availability of program-specific or contract covered services or the health of clients living in the provider's service area; and

(I) Potential financial sanctions related to the non-compliance may be imposed in an amount that is reasonable in light of the anticipated or actual harm caused by the non-compliance, the difficulties of proof of loss, and the inconvenience or non-feasibility of otherwise obtaining an adequate remedy.

(d) When a provider fails to meet one or more of the requirements identified in OAR 407-120-0300 through 407-120-0400, the Department, in its sole discretion, may immediately suspend the provider's Department assigned billing number and any electronic system access code to prevent public harm or inappropriate expenditure of public funds.

(A) The provider subject to immediate suspension is entitled to a contested case hearing pursuant to ORS 183 to determine whether the provider's Department assigned number and electronic system access code may be revoked; and

(B) The notice requirements described in section (5) of this rule do not preclude immediate suspension, in the Department's sole discretion, to prevent public harm or inappropriate expenditure of public funds. Suspension may be invoked immediately while the notice and contested case hearing rights are exercised.

(e) If the Department sanctions a provider, the Department shall notify the provider by certified mail or personal delivery service of the intent to sanction. The notice of immediate or proposed sanction shall identify:

(A) The factual basis used to determine the alleged deficiencies and a reference to the particular sections of the statutes and rules involved;

(B) Explanation of actions expected of the provider;

(C) Explanation of the Department's intended action;

(D) The provider's right to dispute the Department's allegations and submit evidence to support the provider's position;

(E) The provider's right to appeal the Department's proposed actions pursuant to ORS 183;

(F) A statement of the authority and jurisdiction under which the appeal may be requested and description of the procedure and time to request an appeal; and

(G) A statement indicating whether and under what circumstances an order by default may be entered.

(f) If the Department decides to sanction a provider, the Department shall notify the provider in writing at least 15 days before the effective date of action, except in the case of immediate suspension to avoid public harm or inappropriate expenditure of funds.

(g) The provider may appeal the Department's immediate or proposed sanction or other actions the Department intends to take. The provider must appeal this action separately from any appeal of audit findings and overpayments. These include but are not limited to the following:

(A) Termination or suspension from participation in the Medicaid-funded medical assistance programs;

(B) Termination or suspension from participation in the Department's state-funded programs; or

(C) Revocation of the provider's Department assigned provider number.

(h) Other provisions:

(A) When a provider has been sanctioned, all other provider entities in which the provider has ownership of five percent or greater, or control of, may also be sanctioned;

(B) When a provider has been sanctioned, the Department may notify the applicable professional society, board of registration or licensure, federal or state agencies, OHP, PHP's and the National Practitioner Data Base of the findings and the sanctions imposed;

(C) At the discretion of the Department, providers who have previously been sanctioned or suspended may or may not be re-enrolled as Department providers;

(D) Nothing in this rule prevents the Department from simultaneously seeking monetary recovery and imposing sanctions against the provider;

(E) Following a contested case hearing in which a provider has been found to violate ORS 411.675, the provider shall be liable to the Department for treble the amount of payments received as a result of each violation.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0370

Requirements for Financial, Clinical, and Other Records

(1) The Department shall analyze and monitor the operation of its programs and audit and verify the accuracy and appropriateness of payment, utilization of services, or items.

(2) The Department shall comply with client coverage criteria and requirements for the level of care or service or item authorized or reimbursed by the Department and the quality of covered services or items and service or item delivery, and access to covered services or items.

(3) The provider and the provider's designated billing service or other entity responsible for the maintenance of financial, service delivery, and other records must:

(a) Develop and maintain adequate financial and service delivery records and other documentation which supports the specific care, items, or services for which payment has been requested. The Department shall not make payment for services that are not adequately documented. The following documentation must be completed before the service is billed to the Department:

(A) All records documenting the specific service provided, the number of services or items comprising the service provided, the extent of the service provided, the dates on which the service was provided, and identification of the individual who provided the service. Patient account and financial records must also include documentation of charges, identify other payment resources pursued, indicate the date and amount of all debit or credit billing actions, and support the appropriateness of the amount billed and paid. For cost reimbursed services, the provider must maintain adequate records to thoroughly and accurately explain how the amounts reported on the cost statement were determined.

(B) Service delivery, clinical records, and visit data, including records of all therapeutic services, must document the basis for service delivery and record visit data if required under program-specific rules or contracts. A client's clinical record must be annotated each time a service is provided and signed or initialed by the individual providing the service or must clearly identify the individual providing the service. Information contained in the record must be sufficient in quality and quantity to meet the professional standards applicable to the provider or practitioner and any additional standards for documentation found in this rule, program-specific rules, and any pertinent contracts.

(C) All information about a client obtained by the provider or its officers, employees, or agents in the performance of covered services, including information obtained in the course of determining eligibility, seeking authorization, and providing services, is confidential. The client information must be used and disclosed only to the extent necessary to perform these functions.

(b) Implement policies and procedures to ensure confidentiality and security of the client's information. These procedures must ensure the provider may release such information in accordance with program-specific federal and state statutes or contract, which may include but is not limited to, ORS 179.505 to 179.507, 411.320, 433.045, 42 CFR part 2, 42 CFR part 431 subpart F, 45 CFR 205.50, and ORS 433.045(3) with respect to HIV test information.

(c) Ensure the use of electronic record-keeping systems does not alter the requirements of this rule.

(A) A provider's electronic record-keeping system includes electronic transactions governed by HIPAA transaction and code set requirements and records, documents, documentation, and information include all information, whether maintained or stored in electronic media, including electronic record-keeping systems, and information stored or backed up in an electronic medium.

(B) If a provider maintains financial or clinical records electronically, the provider must be able to provide the Department with hard-copy versions. The provider must also be able to provide an auditable means of demonstrating the date the record was created and the identity of the creator of a record, the date the record was modified, what was changed in the record and the identity of any individual who has modified the record. The provider must supply the information to individuals authorized to review the provider's records under subsection (e) of this rule.

(C) Providers may comply with the documentation review requirements in this rule by providing the electronic record in an electronic format acceptable to an authorized reviewer. The authorized reviewer must agree to receive the documentation electronically.

(d) Retain service delivery, visit, and clinical records for seven years and all other records described in this rule, program-specific rules and contract for at least five years from the date of service.

(e) Furnish requested documentation (including electronically recorded information or information stored or backed up in an electronic medium) immediately or within the time-frame specified in the written request received from the Department, the Oregon Secretary of State, DHHS or other federal funding agency, Office of Inspector General, the Comptroller General of the United States (for federally funded programs), MFCU (for Medicaid-funded services or items), or the client representative. Copies of the documents may be furnished unless the originals are requested. At their discretion, official representatives of the Department, Medicaid Fraud Unit, DHHS, or other authorized reviewers may review and copy the original documentation in the provider's place of business. Upon written request of the provider, the program or the unit, may, at its sole discretion, modify or extend the time for provision of such records if, in the opinion of the program or unit good cause for such extension is shown. Factors used in determining if good cause exists include:

(A) Whether the written request was made prior to the deadline for production;

(B) If the written request is made after the deadline for production, the amount of time lapsed since that deadline;

(C) The efforts already made to comply with the request;

(D) The reasons the deadline cannot be met;

(E) The degree of control that the provider had over its ability to produce the records prior to the deadline; and

(F) Other extenuating factors.

(f) Access to records, inclusive of clinical charts and financial records does not require authorization or release from the client, unless otherwise required by more restrictive state and federal regulations if the purpose of such access is:

(A) To perform billing review activities;

(B) To perform utilization review activities;

(C) To review quality, quantity, medical appropriateness of care, items, and services provided;

(D) To facilitate service authorization and related services;

(E) To investigate a client's hearing request;

(F) To facilitate investigation by the MFCU or DHHS; or

(G) To review records necessary to the operation of the program.

(g) Failure to comply with requests for documents within the specified time-frame means that the records subject to the request may be deemed by the Department not to exist for purposes of verifying appropriateness of payment, clinical appropriateness, the quality of care, and the access to care in an audit or overpayment determination, and subjects the provider to possible denial or recovery of payments made by the Department or to sanctions.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0380

Fraud and Abuse

(1) Providers shall promptly refer all suspected fraud and abuse, including fraud or abuse by its employees or in Department administration, to the MFCU, or to the Department's audit unit.

(2) Providers must permit the MFCU and the Department to inspect, copy, evaluate, or audit books, records, documents, files, accounts, and facilities, without charge, as required to investigate allegations or incidents of fraud or abuse.

(3) Providers aware of suspected fraud or abuse by a client must report the incident to the Department's fraud unit.

(4) The Department may share information for health oversight purposes with the MFCU and other federal or state health oversight authorities.

(5) The Department may take actions necessary to investigate and respond to substantiated allegations of fraud and abuse including but not limited to suspending or terminating the provider from participation in the Department's programs, withholding payments or seeking recovery of payments made to the provider, or imposing other sanctions provided under state law or regulations. Such actions by the Department may be reported to CMS or other federal or state entities as appropriate.

Stat. Auth.: ORS 409.050, 411.060
Stats. Implemented: ORS 414.115, 414.125, 414.135, 414.145
Hist.: DHSD 15-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2008(Temp), f. & cert. ef. 7-1-08 thru 12-27-08; DHSD 11-2008, f. 12-26-08, cert. ef. 12-27-08

407-120-0400

MMIS Replacement Communication Plan

(1) The purpose of this rule is to describe the Department’s plan for communicating instructions and guidance related to the Department’s implementation of the replacement MMIS that began on December 9, 2008. System issues are anticipated to be identified for a period of time during and after implementation. This rule is adopted to be effective retroactively to December 9, 2008 for the purpose of providing continuity of all MMIS communication efforts throughout the transition implementation process and regular operations following the transition. By adopting this communication plan in rule, the Department seeks to assure that eligible Department clients receive all necessary and appropriate services, and that Department providers and PHPs are correctly reimbursed for covered services provided to eligible clients.

(2) To the extent necessary to accomplish the purposes of this rule, the Department shall provide guidance and instructions related to MMIS for providers and PHPs using its web site and MMIS provider announcements.

(a) In cases of limitations or system errors in the replacement MMIS, the Department shall provide update information and important action required in concert with, or in place of, normal established procedures.

(b) In other cases, the Department shall provide instructions and guidance about the use of revised or improved functionality that is available through the replacement MMIS, such as the use of the web portal.

(3) Providers and PHPs must follow all applicable instructions given on the Department’s web page and any provider announcements for the dates specifically noted in the communications, or if a date is not specified, until further instructions are provided. Department web site information and links to specific topics may be accessed at: http://www.oregon.gov/DHS/healthplan/tools_prov/main.shtml.

(4) This rule does not amend existing rules or contracts that require providers or PHPs to confirm eligibility, respond to requests for prior authorization, submit claims or encounter data, or comply with any other rule or contract that imposes obligations on a provider or PHP as a condition of receiving reimbursement for services. This rule is intended to provide assurance to providers and PHPs that the MMIS-related processes for meeting those obligations are being addressed by the Department by providing guidance and instruction related to the provider’s or PHP’s interface with MMIS processes, and by identifying the resources providers and PHPs may use to obtain information during this time of transition to the replacement MMIS and during regular MMIS operations.

(5) The Department shall work with providers and PHPs by providing instructions and guidance to assure that service delivery and reimbursement disruptions related to transition to the replacement MMIS are minimized. Providers and PHPs must appropriately document all eligibility, services, authorization, claims, and payment information during the transition time, and their efforts to comply with instructions and guidance provided by the Department, so that reimbursement may be correctly provided.

(6) Providers and PHPs must immediately communicate to the Department any issues they encounter that are not addressed in the Department’s instructions or guidance in seeking eligibility information or activities related to reimbursement for services through MMIS, errors discovered in the correct amount of any reimbursement received for those services, or in applying the instruction or guidance to resolve an issue.

(7) After the transition period is complete, the Department shall continue to implement this communication plan as long as necessary during regular MMIS operations in order to assist providers and PHPs with technical and system requirements of the replacement MMIS.

Stat. Auth.: ORS 409.050 & 414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 1-2009(Temp), f. & cert. ef. 1-12-09 thru 7-10-09; DHSD 4-2009, f. 7-1-09, cert. ef. 7-10-09

Provider and Contractor Audits, Appeals and Post Payment Recoveries

407-120-1505

Provider and Contractor Audits, Appeals, and Post Payment Recoveries

(1) Providers or entities under contract with the Department of Human Services (Department) or the Oregon Healthy Authority (Authority) (hereafter referred to as “provider”) receiving payments from the Department or Authority are subject to audit or other post payment review procedures (hereafter referred to as “audit”) for all payments applicable to items or services furnished or supplied by the provider to or on behalf of Department or Authority clients.

(a) Audit rules and procedures ensure proper payments were made based on requirements applicable to covered services, ensure program integrity of the Department or Authority programs and services as outlined in OAR 407-120-0310, and establish authority for the Office of Payment, Accuracy and Recovery (OPAR), Provider Audit Unit (PAU) to recover overpayments and discover possible instances of fraud, waste, and abuse.

(b) The Department and Authority share duties and functions related to audits and have the authority to determine which of the two agencies is authorized to fulfill a particular function. References in this rule to one agency should be construed to include, as the context requires, either or both agencies.

(2) The Department may employ internal staff, consultants, or contractors, or cooperate with federal or state oversight authorities or other designees to conduct an audit or perform other audit procedures. The Department shall assign a contractor or one or more individuals to conduct the audit (hereafter referred to as “auditor”).

(3) The auditor or PAU management shall determine the scope, time period, objective, and subject matter covered by the audit.

(4) The authority for access to records is found in OAR 407-120-0370 and 410-120-1360 and other terms of agreements or contracts authorizing access to records for audit purposes.

(5) The auditor may conduct an on-site field audit, examine and copy records at the provider’s expense, interview employees, and conduct such field work as the auditor determines shall provide sufficient and competent evidential basis for drawing conclusions about the audit subject matter.

(6) The auditor may conduct a desk audit of records requested by the auditor and supplied by the provider, at the provider’s expense, or other source as necessary for the auditor to determine sufficient and competent evidential basis for drawing conclusions about the audit subject matter.

(7) The auditor may consider other audits of the provider including but not limited to reviews conducted by the appropriate federal authority and the provider's independent audit of the provider's financial statements, which may include those performed by internal auditors, audit organizations, or contractors established by the federal or state government for the auditing of the Department or Authority programs.

(a) The auditor may consider other indicators or issues related to program integrity activities. The auditor may also consider past or present program integrity activities listed in OAR 407-120-0310 that have identified same or similar instances of non-compliance.

(b) The auditor shall determine the scope of other audit work and evaluate the reliability of its relationship to the scope and objective of the audit being conducted in determining the weight to be given to the other audit work.

(8) PAU may use a random sampling method such as that detailed in the paper entitled "Development of a Sample Design for the Post-Payment Review of Medical Assistance Payments," written by Lyle Calvin, Ph.D., (Calvin Paper). The Department adopts by reference but is not limited to following the method of random sampling and calculation of overpayment described in the Calvin Paper:

(a) In determining whether to use an overpayment calculation method set forth in section (8) of this rule, the auditor or PAU management may consider:

(A) The provider's overall error rate identified in the audit;

(B) If past audits have identified the same or similar instances of non-compliance;

(C) The severity of the errors established in the audit; or

(D) Any adverse impact on the health of the Department or Authority’s clients and their access to services in the provider's service area.

(b) If the auditor determines an overpayment amount by a random sampling and overpayment calculation method set forth in section (8) of this rule, the provider may request a 100 percent audit of all billings from the same time period of the audit submitted to the Department or Authority for items or services furnished or supplied to or on behalf of Department or Authority clients. If a 100 percent audit is requested:

(A) Payment and arrangement for a 100 percent audit shall be paid by the provider requesting the audit;

(B) The audit must be conducted by an independent auditor or other individual whose qualifications the Department has determined, in writing, to be acceptable, who is knowledgeable with the Oregon Administrative rules covering the payments in question, who must waive any privilege to PAU in relation to the work papers and work product of the independent auditor;

(C) The 100 percent audit must be completed within 90 calendar days of the provider's request to use such audit in lieu of the Department’s random sample;

(D) The provider must waive all rights to appeal the factual findings of the independent auditor; and

(E) The independent auditor must produce a final audit report or similar document detailing the findings of the 100 percent audit, including the overpayment assessment and recommendations to the provider and PAU. The independent auditor’s work papers must be made available to the Department auditor upon request.

(9) The auditor shall prepare a preliminary audit report or similar document and deliver the preliminary audit report to the provider in person, or by registered or certified mail. The preliminary audit report shall inform the provider of the opportunity to provide additional documentation to the auditor about the information within the scope of the preliminary audit report.

(a) Refusing to accept the registered or certified mail or in-person delivery shall not stop the audit process from proceeding forward.

(b) The provider shall have a 30 calendar day review and comment period from the mailing date of the preliminary audit report to respond to the auditor or request an informal meeting with the auditor. The meeting to review the report shall be held within 45 days from the date of the preliminary audit report.

(c) The provider may request, in writing to the auditor, a 15-day extension from the preliminary audit report response due date for the purpose of submitting additional documentation. The extension must be authorized in writing by the auditor or PAU management. An additional 15-day extension, requested in writing, may be granted at the discretion of PAU management.

(10) The auditor shall prepare a final audit report or similar document which is also the Department or Authority’s final order, and deliver the final audit report in person, or by registered or certified mail. The audit record that forms the basis for the final audit report shall be closed on the date of the final audit report. The final audit report shall include but is not limited to an overpayment assessment, findings, recommendations, and sanctions.

(a) The overpayment assessment stated in the final audit report shall include but is not limited to the amount of overpayment PAU is authorized to recover and:

(A) Is not limited to amounts determined by criminal or civil proceedings;

(B) Shall include interest to be charged at allowable state rates; and

(C) May include triple damages as described in section (18) of this rule.

(b) Refusing to accept the registered or certified mail or in-person delivery shall not stop the audit process from proceeding.

(c) If the provider disagrees with the final audit report or the overpayment amount, the provider must appeal the decision within 30 calendar days from the mailing date of the final audit report by submitting a written request for either an administrative review or a contested case hearing to the OPAR Administrator. The written request for appeal must outline in detail the areas of disagreement.

(A) The OPAR Administrator or designee (hereafter referred to as “Administrator”) shall determine which appeals may be suitable for review as administrative review or contested case hearing, taking into consideration issues presented in the request for review and the purposes served by administrative review in section (12) or contested case hearing in section (13) of this rule.

(B) If the Administrator decides the determinations of the final audit report or the content of appeal is appropriate for a contested case hearing or denies a request for an administrative review on the basis the appeal should be heard as a contested case hearing, the Administrator shall notify the provider and refer the appeal directly to the Office of Administrative Hearings (OAH) for a contested case hearing pursuant to these rules.

(11) If a provider fails to request an appeal within the time frame specified in section (10) of this rule the final audit report, overpayment amount, and all recommendations and sanctions shall become final. Appeal requests submitted to PAU must:

(a) Be in writing to the Administrator.

(A) The appeal request is not required to follow a specific format as long as it provides clear written expression from the provider expressing disagreement with the final audit report findings.

(B) The request must specify issues or decisions being appealed and the specific reason for the appeal on each finding or decision. The request must provide specifics for each claim such as procedure code, diagnosis code, reason for denial, administrative rules, or other authority applicable to the issue, and why the provider disagrees with the decision. If this information is not included in the appeal request in a manner that reasonably permits the Administrator to understand the decision being appealed or the basis for the appeal, the request shall be returned to the provider and the provider shall be required to resubmit the appeal within 10 working days from the date PAU returned the appeal to the provider.

(b) Be received by the Administrator within 30 calendar days from the mailing date of the final audit report.

(A) Late requests require written supporting documentation explaining reason for a late request. The Administrator shall determine whether failure to file a timely request was caused by circumstances beyond the control of the provider and enter an order accordingly. The Administrator may conduct further inquiry as deemed appropriate. In determining timelines of filing a request for review, the amount of time the Administrator determines accounts for circumstances beyond the control of the provider is not counted.

(B) The untimely request may be referred to the OAH for a hearing on the question of timeliness.

(12) Administrative review allows opportunity for the Administrator to review a decision affecting the provider. Appeals are limited to legal or policy issues where there is a stipulation of factual matters to be heard.

(a) Administrative review meetings shall be:

(A) Scheduled within 45 calendar days of receipt of the written request by the Administrator;

(i) The Administrator shall prove written notice to the provider of the date, time, and place of the meeting.

(ii) If the Administrator decides a preliminary meeting between the provider and PAU staff may assist the administrative review, the Administrator shall provide written notice to the provider of the date, time, and place the preliminary meeting is scheduled.

(B) Held in Salem, unless otherwise stipulated to by all parties and PAU;

(C) Conducted by the Administrator;

(D) Department or Authority staff shall not be available for cross-examination;

(E) Department or Authority staff may attend and participate in the meeting; and

(F) The provider is not required to be represented by legal counsel and shall be given ample opportunity to present relevant information from the existing case record.

(b) If a provider fails to appear at the administrative review meeting, the final audit report, all findings including the overpayment, and recommendations and sanctions as specified in the report shall become final. In addition, the provider may not appeal the final audit report.

(c) The results of the meeting shall be sent to the provider, in writing, by registered or certified mail within 30 calendar days of the conclusion of the administrative review proceedings. The result of the administrative review is final.

(d) All administrative review decisions are subject to procedures established in OAR 137-004-0080 to 137-004-0092 and judicial review under ORS 183.484 in the Circuit Court.

(13) The contested case hearing process is conducted in accordance with ORS 183.411 to 183.497 and the Attorney General’s Uniform and Model Rules of Procedure for the Office of Administrative Hearings, OAR 137-003-0501 to 137-003-0700.

(a) If the Administrator decides a contested case pre-hearing conference between the provider and PAU staff shall assist the contested case hearing, the Administrator shall notify the provider of the time and place of contested case pre-hearing conference without the presence of an administrative law judge. The purpose of the pre-hearing conference is to:

(A) Provide an opportunity to settle the matter or discuss Model Rules of Procedure for contested case hearings listed in OAR 137-003-0575. Any agreement reached in a pre-hearing conference shall be submitted to the administrative law judge in writing or presented orally on the record at the contested case hearing;

(B) Provide an opportunity for the provider and PAU to review the information, correct any misunderstanding of facts, and understand the reason for the action that is the subject of the contested case hearing; or

(C) Determine if the parties wish to have witness subpoenas issued when the contested case hearing is conducted.

(b) Prior to the date of the contested case hearing, the provider may request an additional pre-hearing conference with PAU representatives. The request shall be made in writing to the Administrator. An additional pre-hearing conference may be granted at the sole discretion of the Administrator if the additional pre-hearing conference is determined to facilitate the contested case hearing process or resolution of disputed issues.

(c) The contested case hearing shall be held in Salem, unless otherwise stipulated to by all parties and PAU.

(d) The OAH shall serve a proposed order on behalf of PAU unless PAU notifies the parties that PAU shall issue the final order. The proposed order shall become the final order if no exceptions are filed within the time specified in this rule.

(e) The provider may file exceptions or written argument to the proposed order to be considered by PAU. The exceptions must be in writing and received by OPAR within 10 calendar days after the date the proposed order is issued. No additional evidence may be submitted. After receiving the exceptions or argument, PAU may adopt the proposed order as the final order, amend the order, or prepare a new order.

(f) A provider may withdraw a contested case hearing request at any time. The OAH shall send a final order confirming the withdrawal to the provider. 

(14) If neither the provider nor the provider’s legal representative appears at the contested case hearing, PAU may elect one of the following options in its sole discretion:

(a) The contested case hearing request may be dismissed by order. PAU may cancel the dismissal order upon request of the party on a showing that the party was unable to attend the hearing and unable to request a postponement for reasons beyond the provider’s control.

(b) PAU may enter a final order by default. Entry of a final order by default may be made when PAU determines that the issuance of a final order with findings is appropriate as a basis of sanction authority or to establish a basis for future sanction authority or other reason consistent with the administration of the Department or Authority programs. The designated record, for purposes of a default order, shall be the record as designated in the notice issued to the provider. If not so designated, the designated record shall consist of the files and records held by PAU in the contested case hearing packet prepared by PAU.

(15) Final orders are effective immediately upon being signed or as otherwise provided in the order.

(a) Final orders resulting from a provider’s withdrawal of a contested case hearing request is effective the date the provider’s request is received by PAU or the OAH, whichever is sooner.

(b) When the provider fails to appear for the contested case hearing, the effective date of the dismissal order or the final order by default is the date of the scheduled contested case hearing.

(16) The burden of presenting evidence to support a fact or position rests on the proponent of the fact or position. Pursuant to OAR 410-120-1360, payment on a claim shall only be made for services that are adequately documented and billed in accordance with OAR 410-120-1280 and 407-120-0330 and include all applicable administrative rules and applicable contract terms related to covered services for the client’s benefit package, and the establishment of conditions under which services, supplies or items are covered, including but not limited to the Prioritized List, diagnosis and procedure coding, medical appropriateness, and other applicable standards.

(17) The Administrator, in consultation with appropriate Department or Authority authorities, may grant the provider the relief sought at any time.

(18) Overpayments must be paid within 30 calendar days from the mailing date of the final audit report. The provider may submit a request to the auditor or PAU management for a payment plan to satisfy this requirement. The auditor and PAU management may not waive this overpayment requirement.

(a) A request for an administrative review or contested case hearing shall not change the date the overpayment is due or a payment plan is to commence, unless otherwise stipulated in writing by the Administrator.

(b) PAU management may extend the reimbursement period or accept an offer of payment terms. PAU must make any change in the reimbursement period or terms in writing.

(A) The request for a payment plan must be made in writing to PAU management. The auditor or PAU management shall notify the provider, in writing, of the decision regarding acceptance or denial of the request.

(B) If the payment plan is agreeable to all parties, the auditor or PAU management shall ensure the payment plan is in writing and signed by all parties. A payment plan shall include charging interest at the allowable state rate.

(c) If the provider refuses to reimburse the overpayment or does not adhere to an agreed upon payment schedule, PAU may:

(A) Recoup, in any manner available to PAU, future provider payments up to the amount of the overpayment;

(B) Pursue civil action to recover the overpayment; or

(C) Recommend suspension or termination of the provider’s enrollment in the Oregon Medicaid Program.

(d) As a result of a contested case hearing or an administrative review, the amount of the overpayment may be reduced in part or in full.

(e) PAU may at any time change the amount of the overpayment in accordance with this rule. The provider shall be notified of any changes in writing by certified or registered mail. PAU shall refund the provider any monies paid to PAU in excess of the overpayment.

(f) If a provider is terminated from participation in Department or Authority programs or sanctioned for any reason, PAU may pursue civil action to recover any amounts due and payable.

(g) If the auditor, in the course of an audit, discovers the provider has continued in the same or similar improper billing practices as established or upheld if appealed, in a previously published final audit report by PAU, or has been warned in writing by the Department or Authority, PAU, or the Department of Justice about improper billing practices, the provider shall be liable to PAU for up to triple the amount of the current final audit report establishing the overpayment received by the provider as a result of such violation.

(19) Providers who conduct electronic data transactions with the Department or Authority must adhere to requirements of OAR 407-120-0100 to 407-120-0200. This rule only applies to services or items paid for by the Department or Authority. If the provider maintains financial or clinical records electronically, the provider must ensure the use of electronic record keeping systems does not alter the requirements of OAR 407-120-0370.

(a) The provider's electronic record keeping system includes electronic transactions governed by HIPAA transaction and code set requirements and records, documents, and documentation, whether maintained or stored in electronic media, including electronic record-keeping systems and information stored or backed up in an electronic medium.

(b) If the provider maintains financial or clinical records electronically, the provider must be able to provide PAU with hard copy versions, if requested. The provider must also be able to provide an auditable means of demonstrating the date the record was created, the identity of the creator of a record, the date the record was modified, what was modified in the record, and the identity of any individual who has modified the record. The provider must supply the information to individuals authorized to review the provider's records pursuant to OAR 407-120-0370(3)(e).

(c) If the provider maintains records electronically or permits the use of electronic signatures, the provider must document any aspect of the provision of services. The provider must maintain appropriate safeguards to assure the authenticity of the electronic records and signatures. The provider may not challenge the authenticity or admissibility of the electronic signature or documents in any audit, review, hearing, or other legal proceeding.

(d) Providers must comply with the documentation review requirements in OAR 407-120-0370 by providing the electronic record in an electronic format acceptable to an authorized reviewer. The authorized reviewer must agree to receive the documentation electronically.

Stat. Auth.: ORS 409.050, 411.060 & 413.032
Stats. Implemented: ORS 409.010, 409.180, 414.025, & 414.065
Hist.: OMAP 39-2005, f. 9-2-05, cert. ef. 10-1-05; Renumbered from 410-120-1505 by DHSD 9-2010, f. & cert. ef. 9-1-10

The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State. Terms and Conditions of Use

Oregon Secretary of State • 136 State Capitol • Salem, OR 97310-0722
Phone: (503) 986-1523 • Fax: (503) 986-1616 • oregon.sos@state.or.us

© 2013 State of Oregon All Rights Reserved​