Or. Admin. R. 410-141-3520 - Record Keeping and Use of Health Information Technology

Current through Register Vol. 60, No. 12, December 1, 2021

(1) MCEs shall have written policies and procedures that ensure maintenance of a record keeping system that includes maintaining the security of records as required by the Health Insurance Portability and Accountability Act (HIPAA), 42 USC ยง 1320 -d et seq., the federal regulations implementing the Act, and complete clinical records that document the coordinated care services received by the members. MCEs shall communicate these policies and procedures to subcontractors. MCEs shall regularly monitor its subcontractors' compliance and take any corrective action necessary. MCEs shall document all monitoring and corrective action activities. These policies and procedures shall ensure that records are secured, safeguarded, and stored in accordance with applicable Oregon Revised Statutes and Oregon Administrative Rules. A member must have access to the member's personal health information in the manner provided in 45 C.F.R. 164.524 and ORS 179.505(9) so the member may share the information with others involved in the member's care and make better health care and lifestyle choices.
(2) MCE's participating providers may charge the member for reasonable duplication costs, as set forth in OAR 943-014-0030, when the member requests copies of their records.
(3) Notwithstanding ORS 179.505, an MCE, its provider network, and programs administered by the Department's Aging and People with Disabilities shall use and disclose member information for purposes of service and care delivery, coordination, service planning, transitional services, and reimbursement in order to improve the safety and quality of care, lower the cost of care, and improve the health and well-being of the members.
(4) An MCE and its provider network shall use and disclose sensitive diagnosis information including HIV and other health and behavioral health diagnoses within the MCE for the purpose of providing whole-person care. Individually identifiable health information must be treated as confidential and privileged information subject to ORS 192.553 to 192.581 and applicable federal privacy requirements. Re-disclosure of individually identifiable information outside of the MCE and the MCE's providers for purposes unrelated to this section or the requirements of ORS 414.625, 414.632, 414.635, 414.638, 414.653 and 414.655 remains subject to any applicable federal or state privacy requirements including the Authority's rules established in OAR 943-014-0000 through 0070 for matters that involve privacy and confidentiality and privacy of members protected information.
(5) The MCE must document its methods and findings to ensure across the organization and the network of providers there is documentation of the coordinated care services and supports, including transitions of care and access to preventive and wellness services.
(6) MCEs shall support the adoption and use of electronic health records (EHRs) by its provider network, including physical, behavioral, and oral health providers. To achieve EHR adoption, MCEs shall:
(a) Identify EHR adoption rates, divided by provider type (at a minimum, divided by physical, behavioral, and oral health) and geographic region if applicable;
(b) Develop and implement strategies to increase adoption rates of EHRs among all provider types; and
(c) Support EHR adoption.
(7) MCEs shall support access to electronic health information exchange (HIE) for care coordination and hospital event notifications for contracted physical, behavioral, and oral health providers. To achieve improved HIE access rates, MCEs shall:
(a) Identify current and monitor ongoing HIE adoption rates, divided by provider type (at a minimum, divided by physical, behavioral, and oral health) and geographic region if applicable;
(b) Develop and implement strategies to increase access to HIE among all provider types;
(c) Support access to HIE; and
(d) Ensure that providers have access to hospital event notifications. The MCE shall itself use hospital event notifications as appropriate to support care coordination and population health efforts.
(8) MCEs shall maintain health information systems that collect, analyze, integrate, and report data at an individualized member level concerning the provision of covered services and CCO administrative functions, such as enrolment/disenrollment and resolution of grievances and appeals. Based on written policies and procedures, the record keeping system developed and maintained by MCEs and their participating providers shall include sufficient detail and clarity to permit internal and external review to validate encounter submissions and to assure medically appropriate services are provided consistent with the documented needs of the member.
(9) MCEs and their provider network shall cooperate with the Authority, the Department of Justice Medicaid Fraud Control Unit (MFCU), and CMS or other authorized state or federal reviewers for purposes of audits, inspection, and examination of members' clinical records, whether those records are maintained electronically or in physical files. Documentation must be sufficiently complete and accurate to permit evaluation and confirmation that coordinated care services are authorized and provided, referrals are made, and outcomes of coordinated care and referrals are sufficient to meet professional standards applicable to the health care professional and meet the requirements for health oversight and outcome reporting in these rules.
(10) Across the MCE's provider network, all clinical records shall be retained for a minimum of 10 years after the date of services for which claims are made. MCEs shall maintain any other records, books, documents, papers, plans, records of shipments, and payments and writings, whether in paper, electronic, or other form that are pertinent in a manner that clearly documents the MCE's performance. All clinical records, financial records, other records, books, documents, papers, plans, records of shipments, and payments and writings of the MCE whether in paper, electronic, or other form are collectively referred to as "Records." If an audit, litigation, research and evaluation, or other action involving the records is started before the end of the ten-year period, the clinical records must be retained until all issues arising out of the action are resolved.
(11) MCEs shall allow access to the agencies listed in section (9) of all audit records and its subcontractors and participating provider's records to allow the listed agencies to perform examinations and audits and make excerpts and transcripts and to evaluate the quality, appropriateness, and timeliness of services.
(12) MCEs shall allow access to the entities listed in section (9) at any time to inspect the premises, physical facilities, and equipment where Medicaid-related activities or work is conducted. MCEs subject to an audit under this section shall retain records for 10 years from the final date of the contract period or from the date of completion of the most recent state audit, whichever is later. MCEs shall retain and keep accessible all records for a minimum of 10 years. County agencies participating in the Medicaid program are subject to whichever record retention requirement is longer between this rule and OAR chapter 166, division 150 County and Special District Retention Schedule.
(13) MCEs must maintain yearly logs of all appeals and grievances for 10 years following requirements specified in OAR 410-141-3915.


Or. Admin. R. 410-141-3520
DMAP 55-2019, adopt filed 12/17/2019, effective 1/1/2020

Statutory/Other Authority: ORS 413.042, 414.615, 414.625, 414.635 & 414.651

Statutes/Other Implemented: ORS 414.610 - 414.685

The following state regulations pages link to this page.

State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.