Okla. Admin. Code § 340:100-3-40 - Community records

(a) Purpose. Oklahoma Administrative Code (OAC) 340:100-3-40 sets forth requirements for:

(1) contract provider records maintenance;

(2) document transfer to a history file for service recipient records the contract provider maintains;

(3) information transfer when a service recipient changes contract providers;

(4) maintenance of an official electronic record for each service recipient receiving services through a Home and Community Based Services waiver.

(A) All service recipient information and records are confidential and released only to individuals or provider agencies who have proper authorization from the service recipient or his or her legal representative.

(B) It is the legal responsibility of Oklahoma Human Services (OKDHS) employees and contract providers to protect clients' privacy and to ensure the protection of confidential information.

(C) Developmental Disabilities Services (DDS) ensures service-recipient records are protected from loss, defacement, tampering, destruction, and violation of confidentiality.

(D) DDS personnel obtain individualized, time-limited, informed consent, prior to securing service recipient information or records from provider agencies who do not have a current OKDHS contract; and

(5) formatting, use, and retention of electronic records and signatures generated, sent, communicated, received, or stored by DDS, in conformity with the Uniform Electronic Transaction Act, found at Section 15-101 et seq. of Title 12A of the Oklahoma Statutes (12A O.S. §§ 15-101 et seq.).

(A) Only individual providers or employees designated by the provider's agency may make entries in the member's record. All entries in the member's record must be dated and authenticated with a method established to identify the author. The identification method may include computer keys, Private/Public Key Infrastructure (PKIs), voice authentication systems that use a personal identification number (PIN) and voice authentication, or other codes. Providers must have a process in place to deactivate within one working day an employee's access to records upon termination of employment of the designated employee.

(B) When PKIs, computer key codes, voice authentication systems, or other codes are used, the provider agency's employee completes a signed statement documenting that the chosen method is under the sole control of the person using it and further demonstrate that:

(i) a list of PKIs, computer key codes, voice authentication systems or other codes can be verified;

(ii) all adequate safeguards are maintained to protect against improper or unauthorized use of PKIs, computer keys, or other codes for electronic signatures; and

(iii) sanctions are in place for improper or unauthorized use of computer key codes, PKIs, voice authentication systems or other code types of electronic signatures.

(C) There must be a specific action by the author to indicate that the entry is verified and accurate. Systems requiring an authentication process include, but are not limited to:

(i) computerized systems that require the provider's employee to review the document online and indicate that it has been approved by entering a unique computer key code capable of verification;

(ii) a system in which the provider's employee signs off against a list of entries that must be verified in the member's records;

(iii) a mail system that sends transcripts to the provider's employee for review;

(iv) a postcard identifying and verifying the accuracy of the record(s) signed and returned by the provider's employee; or

(v) a voice authentication system that clearly identifies the author by a designated PIN or security code.

(D) Auto-authentication systems that authenticate a report prior to the transcription process do not meet the stated requirements and are not an acceptable method for the authentication process.

(E) The signature and date entry are the authentication of an electronic record and are expected on the day the record is completed.

(F) The individual provider or designated administrators within the provider agency may edit records. Edits must be in the form of a correcting entry which preserves entries from the original record. Edits must be completed prior to claims submission or no later than 45-calendar days after the date of service, whichever occurs first.

(G) Use of the electronic signature for documentation constitutes a signature and has the same effect as a written signature on the documentation. The section of the electronic record documenting the service provided must be authenticated by the employee or individual who provided the described service

(H) Any authentication method for electronic signatures must:

(i) be unique to the person using it;

(ii) identify the individual signing the document by name and title;

(iii) be capable of verification, assuring that the documentation cannot be altered after the signature has been affixed;

(iv) be under the sole control of the person using it;

(v) be linked to the data in such a manner that if the data is changed, the signature is invalidated; and

(vi) provide strong and substantial evidence that make it difficult for the signer to claim that the electronic representation is not valid.

(I) Failure to properly maintain or authenticate records with the signature and date entry may result in the denial or recoupment of payments.

(J) Providers must retain electronic records and have access to the records per guidelines found at OAC 317:30-3-15.

(K) The provisions of the Electronic Transaction Act apply to the time and place of sending and receipt. When a power failure, internet interruption, or internet virus occur, confirmation by the receiving party is required to establish receipt.

(L) Any person who fraudulently represents facts in an electronic transaction, acts without authority, or exceeds his or her authority to perform an electronic transaction may be prosecuted under all applicable criminal and civil laws.

(b) General requirements. Records, electronic or paper, the contract provider maintains are indexed, orderly, well-maintained, readily accessible, and current. Records contain adequate documentation of services rendered.

(1) All service recipient records are available for the service recipient, his or her legal guardian, contract provider staff, and OKDHS authorized agents to review upon request.

(2) The service recipient record is maintained with:

(A) an index;

(B) the service recipient's name on the record and on each page;

(C) discernable section tabs; and

(D) documents secured in the record.

(3) All entries in the record:

(A) are made per OAC 317:30-3-15

(B) are in chronological order;

(C) are legible;

(D) include the date and time of each entry, with legible identification of the person making the entry; and

(E) include, when the entry is health-related:

(i) a description of the concern; and

(ii) action taken.

(4) The provider ensures compliance, per OAC 340:2-8-1 through OAC 340:2-8-13 and OAC 340:100-3-2, pertaining to personal information protection, use, and release. The provider holds personal information regarding service recipients, including names, addresses, photographs, evaluation records, and all other records confidential. Information is not disclosed, directly or indirectly, unless the adult service recipient or legal guardian consent in writing.

(c) Home record for service recipients receiving community residential supports, group home services, or non-residential habilitation training specialist (HTS) services. The in-home contract provider maintains a current service record for each service recipient receiving community residential supports, per OAC 340:100-5-22.1; group home service, per OAC 340:100-6; or non-residential HTS services, per OAC 340:100-5-35.

(1) Documents contained in each home record are not removed and include:

(A) guardianship documents and other legal documents;

(B) current Individual Plan packet and addendum copies;

(C) applicable health-related documents including, but not limited to:

(i) Form 06HM005E, Referral Form for Examination or Treatment, physician orders, discharge summaries, and emergency room reports;

(ii) special instructions or the Health Care Plan;

(iii) individually-identified data forms relevant to the service recipient's current health status;

(iv) a Dyskinesia Identification System: Condensed User Scale or Abnormal Involuntary Movement Scale, when required, per OAC 340:100-5-29;

(v) current immunization record;

(vi) current medication administration records;

(vii) the most recent lab, x-ray, and consultation reports, and pharmacological evaluation, when applicable;

(viii) miscellaneous health-related consultations and correspondence; and

(ix) Form 06HM073E, Referral Form for Psychiatric Treatment or Examination;

(D) miscellaneous documents relating to the service recipient including, but not limited to:

(i) observation notes;

(ii) Form 06CB035E, Site Visit Report, completed by all professional contract providers;

(iii) standing medical orders and protocols;

(iv) applicable data collection sheets; and

(v) documentation of program coordination staff home visits;

(E) quarterly residential progress reports; and

(F) Form 06MP070E, Access to Home Record and Verification of Monitoring Requirement, certifying that all authorized persons accessing the service recipient information contained within the home record were informed and understand the penalties for misuse of confidential and protected information, per 21 O.S. § 1533.1.

(2) In unusual circumstances, at the Personal Support Team's (Team) request, and with DDS field administrator's written approval, a service recipient's home record or specified document types from the record may be maintained at a location other than the service recipient's home.

(d) Retention. Each contract provider retains a record for each service recipient receiving services from the provider.

(1) There is a yearly transfer of all documents more than three months old from the provider agency's records to a history file, unless otherwise specified, per OAC 340:10-3-40.

(2) The provider agency retains original records for a six-year period or until any pending litigation involving the service recipient is completed, whichever occurs last.

(e) Transfers between agencies. When a service recipient changes provider agencies, within seven-calendar days of the transfer, the agency provides the new agency with a paper or electronic copy of the current home record and any health documents the Team requests.

(f) Other provider records. The provider maintains service records that substantiate service provision, service recipient eligibility, and outcome of services.

(1) Records are maintained for a six-year period after OKDHS makes the final payment and all pending matters are closed.

(2) The provider maintains copies of all claims, substantiating documents, and records regarding agency fiscal status within corporate offices in Oklahoma.

Notes

Okla. Admin. Code § 340:100-3-40

Added at 17 Ok Reg 3102, eff 6-7-00 (emergency); Added at 18 Ok Reg 1254, eff 5-11-01; Amended at 25 Ok Reg 986, eff 5-15-08; Amended at 28 Ok Reg 897, eff 6-1-11; Amended at 29 Ok Reg 822, eff 7-1-12

Amended by Oklahoma Register, Volume 36, Issue 24, September 3, 2019, eff. 9/16/2019 Amended by Oklahoma Register, Volume 39, Issue 24, September 1, 2022, eff. 9/15/2022 Amended by Oklahoma Register, Volume 40, Issue 22, August 1, 2023, eff. 9/15/2023