Loading
 

 

Oregon Bulletin

August 1, 2012

Oregon Health Authority, Chapter 943

Rule Caption: Abuse or Mistreatment Reporting and Protective Services in Community Programs for Adults with Mental Illness.

Adm. Order No.: OHA 3-2012

Filed with Sec. of State: 6-28-2012

Certified to be Effective: 6-28-12

Notice Publication Date: 11-1-2011

Rules Adopted: 943-045-0250, 943-045-0260, 943-045-0280, 943-045-0290, 943-045-0300, 943-045-0310, 943-045-0320, 943-045-0330, 943-045-0340, 943-045-0350, 943-045-0360, 943-045-0370

Rules Repealed: 943-045-0250(T), 943-045-0260(T), 943-045-0280(T), 943-045-0290(T), 943-045-0300(T), 943-045-0310(T), 943-045-0320(T), 943-045-0330(T), 943-045-0340(T), 943-045-0350(T), 943-045-0360(T), 943-045-0370(T)

Subject: HB 2009 created the Oregon Health Authority and transferred to the Authority the Department of Human Services’ Divisions responsible for health and health care. With the creation of a new agency, the community programs and community facilities serving adults with mental illness moved to the Authority. Community programs and facilities serving adults with developmental disabilities will continue to be governed by the Department of Human Services’ rule found at OAR 407-045-0250 to 0370. The Authority needs to adopt these rules to reflect the separation of the Department of Human Services and Oregon Health Authority.

 These rules also include the definition of mistreatment and an effective date of December 5, 2011.

 These rules are being re-filed to correct a filing error and to comply with ORS 183.715, which requires an agency to submit a copy of the adopted rules to Legislative Counsel within ten days after the agency files the certificate and order with the Secretary of State. The agency submitted the adopted rules by mail on November 29, 2011 to the Secretary of State and Legislative Counsel. Secretary of State received the certificate and order on December 1, 2011. Legislative Counsel received the submitted documentation on November 30, 2011.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-045-0250

Purpose

These rules, OAR 943-045-0250 to 943-045-0370, shall be effective December 5, 2011. these rules prescribe standards and procedures for the investigation of, assessment for, and provision of protective services in community programs and community facilities, and the nature and content of the abuse or mistreatment investigation and protective services report.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0260

Definitions

As used in OAR 943-045-0250 to 943-045-0370, the following definitions apply:

(1) “Abuse of an adult with mental illness” means:

(a) Death of an adult caused by other than accidental or natural means or occurring in unusual circumstances.

(b) “Neglect” means the active or passive withholding of services necessary to maintain the health and well-being of an adult, which leads to physical harm of an adult. “Services” include but are not limited to the provision of food, clothing, medicine, housing, medical services, assistance with bathing or personal hygiene, or any other services essential to the well-being of the adult.

(c) “Physical abuse” means:

(A) Any physical injury by other than accidental means or that appears to be at variance with the explanation given for the injury.

(B) Willful infliction of physical pain or injury.

(C) Physical abuse is presumed to cause physical injury, including pain, to adults otherwise incapable of expressing pain.

(D) Physical abuse does not include physical emergency restraint to prevent immediate injury to an adult who is in danger of physically harming himself or herself or others, provided only that the degree of force reasonably necessary for protection is used for the least amount of time necessary.

(d) “Sexual abuse” including:

(A) An act that constitutes a crime under ORS 163.375 (rape in the first degree), 163.405 (sodomy in the first degree), 163.411 (unlawful penetration in the first degree), 164.415 (sexual abuse in the third degree), 163.425 (sexual abuse in the second degree, (163.427 (sexual abuse in the first degree), 163.456 (public indecency) or 163.467 (private indecency).

(B) Sexual contact with a nonconsenting adult or with an adult considered incapable of consenting to a sexual act under ORS 163.315.

(C) Sexual harassment, sexual exploitation, or inappropriate exposure to sexually explicit material or language including requests for sexual favors. Sexual harassment or exploitation includes but is not limited to any sexual contact or failure to discourage sexual contact between an employee of a community facility or community program, provider, or other caregiver and an adult. For situations other than those involving an employee, provider, or other caregiver and an adult, sexual harassment or exploitation means unwelcome physical sexual contact including requests for sexual favors and other physical conduct directed toward an adult.

(D) Any sexual contact between an employee of a facility or paid caregiver and an adult served by the facility or caregiver. Sexual abuse does not mean consensual sexual contact between an adult and a paid caregiver who is the spouse or partner of the adult.

(E) Any sexual contact that is achieved through force, trickery, threat, or coercion.

(F) As defined in ORS 163.305, “sexual contact” means any touching of sexual or other intimate parts of a person or causing such person to touch sexual or other intimate parts of the actor for the purpose of arousing or gratifying the sexual desire of either party.

(G) An adult who in good faith is voluntarily under treatment solely by spiritual means through prayer in accordance with the tenets and practices of a recognized church or religious denomination by a duly accredited practitioner shall for this reason alone not be considered subjected to mistreatment.

(2) “Abuse or Mistreatment Investigation and Protective Services Report” means a completed report.

(3) “Adult” means an individual who is 18 years of age or older who:

(a) Has a mental illness and is receiving services from a community program or facility;

(b) Receives services in a residential treatment home, residential care facility, adult foster home, or is in a facility approved by the Addictions and Mental Health Division (Division) for acute care services or crisis respite when the adult is in custody in the facility pursuant to ORS 426.072, and;

(c) Is the alleged abuse or mistreatment victim.

(4) “Adult Foster Home” means any home licensed by the Authority’s Addictions and Mental Health Division pursuant to OAR 309-040-0300 et.seq., in which residential care is provided to five or fewer adults who are not related to the provider by blood or marriage as described in ORS 443.705 through 443.825.

(5) “Adult protective services” means the necessary actions taken to prevent abuse or mistreatment or exploitation of an adult, to prevent self-destructive acts, and to safeguard an allegedly abused or mistreated adult’s person, property, or funds.

(6) “Authority” means the Oregon Health Authority.

(7) “Caregiver” means an individual or facility that has assumed responsibility for all or a portion of the care of an adult as a result of a contract or agreement.

(8) “Community facility” means a community residential treatment home, residential care facility, adult foster home. “Community facility” also means a facility approved by the Division for acute care services or crisis respite when the adult is in custody in the facility pursuant to ORS 426.072.

(9) “Community program” means the community mental health program as established in ORS 430.610 to 430.695.

(10) “Designee” means the community program.

(11) “Department” means the Department of Human Services.

(12) “Inconclusive” means there is insufficient evidence to conclude the alleged abuse or mistreatment occurred or did not occur by a preponderance of the evidence. The inconclusive determination may be used only in the following circumstances:

(a) After diligent efforts have been made, the protective services investigator is unable to locate the person alleged to have committed the abuse or mistreatment, or cannot locate the alleged victim or another individual who might have information critical to the investigation; or

(b) Relevant records or documents are unavailable, or there is conflicting or inconsistent information from witnesses, documents, or records with the result that after the investigation is complete, there is insufficient evidence to support a substantiated or not substantiated conclusion.

(13) “Law enforcement agency” means any city or municipal police department, county sheriff’s office, the Oregon State Police, or any district attorney.

(14) “Mandatory reporter” means any public or private official who, while acting in an official capacity, comes in contact with and has reasonable cause to believe that an adult has suffered abuse, or that any individual with whom the official comes in contact while acting in an official capacity has abused an adult. Pursuant to ORS 430.765(2), psychiatrists, psychologists, clergy, and attorneys are not mandatory reporters with regard to information received through communications that are privileged under ORS 40.225 to 295.

(15) “Mistreatment” means mistreatment as defined in OAR 309-035-0105, 309-035-0260 and 309-040-0305.

(16) “Not substantiated” means the preponderance of evidence establishes the alleged abuse or mistreatment did not occur.

(17) “Office of Investigations and Training” (OIT) means the Department’s Shared Services Division responsible for the investigation of allegations of abuse or mistreatment made in community programs and community facilities for adults with mental illness

(18) “Provider agency” means an entity licensed or certified to provide services to adults in Adult Foster Homes (AFH), Residential Treatment Homes (RTH) or Residential Care Facilities (RCF). “Provider agency” also means a facility approved by the Division for acute care services or crisis respite when the adult is in custody in the facility pursuant to ORS 426.072.

(19) “Public or private official” means:

(a) Physician, naturopathic physician, osteopathic physician, psychologist, chiropractor, or podiatrist, including any intern or resident;

(b) Licensed practical nurse, registered nurse, nurse’s aide, home health aide, or employee of an in-home health services organization;

(c) Employee of the Authority, Department, county health department, community mental health or developmental disabilities program, or private agency contracting with a public body to provide any community services;

(d) Peace officer;

(e) Member of the clergy;

(f) Licensed clinical social worker;

(g) Physical, speech, or occupational therapist;

(h) Information and referral, outreach, or crisis worker;

(i) Attorney;

(j) Licensed professional counselor or licensed marriage and family therapist;

(k) Firefighter or emergency medical technician; or

(l) Any public official who comes in contact with adults in the performance of the official’s duties.

(20) “Residential Care Facility (RCF)” means a facility licensed by the Division that is operated to provide services on a 24-hour basis for six or more residents pursuant to OAR 309-035-0100 et.seq..

(21) “Residential Treatment Home (RTH)” means a home licensed by the Division that is operated to provide services on a 24-hour basis for five or fewer residents pursuant to OAR 309-035-0250 et.seq..

(22) “Substantiated” means that the preponderance of evidence establishes the abuse or mistreatment occurred.

(23) “Unbiased investigation” means an investigation that is conducted by a community program that does not have an actual or potential conflict of interest with the outcome of the investigation.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0280

Training for Individuals Investigating Reports of Alleged Abuse or Mistreatment

(1) The Authority shall provide sufficient and timely training and consultation to community programs to ensure that the community program is able to conduct a thorough and unbiased investigation and reach a conclusion about the abuse or mistreatment. Training shall include initial and continuing education of any individual designated to conduct protective services investigations.

(2) The training shall address the cultural and social diversity of the State of Oregon.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0290

General Duties of the Community Program and Initial Action on Report of Alleged Abuse or Mistreatment

(1) For the purpose of carrying out these rules, community programs are Authority designees.

(2) If mandatory reporters have reasonable cause to believe abuse of an adult has occurred, the reporter must report the abuse to the community program, to a local law enforcement agency, or to the Authority when the reporter believes a crime may have been committed.

(3) Each community program shall designate at least one employee to conduct protective services investigations. Community programs shall require their designated protective services investigators to participate in training and to demonstrate an understanding of investigative core competencies.

(4) If the Authority or community program has reasonable cause to believe abuse or mistreatment occurred, it must immediately notify the appropriate public licensing or certifying agency and provide a copy of the abuse investigation and completed protective services report.

(5) If the Authority or community program has reasonable cause to believe that an individual licensed or certified by any state agency to provide care has committed abuse or mistreatment, it must immediately notify the appropriate state licensing or certifying agency and provide that agency with a copy of the abuse or mistreatment investigation and completed protective services report.

(6) The Authority or community program may share information prior to the completion of the abuse or mistreatment investigation and protective services report if the information is necessary for:

(a) The provision of protective services; or

(b) The function of licensing and certifying agencies or law enforcement agencies.

(7) Each community program must establish an after hours reporting system.

(8) Upon receipt of any report of alleged abuse or mistreatment or upon receipt of a report of a death that may have been caused by other than accidental or natural means, the community program must begin:

(a) Investigation into the nature and cause of the alleged abuse or mistreatment within one working day of receipt of the report to determine if abuse or mistreatment occurred or whether a death was caused by abuse or mistreatment;

(b) Assessment of the need for protective services; and

(c) Provision of protective services, if protective services are needed.

(9) The community program receiving a report alleging abuse or mistreatment must document the information required by ORS 430.743(1) and any additional reported information. The community program must attempt to elicit the following information from the individual making a report:

(a) The name, age, and present location of the adult;

(b) The names and addresses of the adult’s programs or facilities responsible for the adult’s care;

(c) The nature and extent of the alleged abuse or mistreatment, including any evidence of previous abuse or mistreatment of the adult or evidence of previous abuse or mistreatment by the person alleged to have committed the abuse or mistreatment;

(d) Any information that led the individual making the report to suspect abuse or mistreatment had occurred;

(e) Any information that the individual believes might be helpful in establishing the cause of the abuse or mistreatment and the identity of the person alleged to have committed the abuse or mistreatment; and

(f) The date of the incident.

(10) The community program shall maintain all reports of abuse or mistreatment in a confidential location.

(11) If there is reason to believe a crime has been committed, the community program must contact the law enforcement agency with jurisdiction in the county where the report is made.

(12) Upon receipt of a report of abuse or mistreatment, the community program must notify the case manager providing primary case management services to the adult. The community program must also notify the guardian of the adult unless doing so would undermine the integrity of the abuse or mistreatment investigation or a criminal investigation because the guardian or case manager is suspected of committing abuse or mistreatment.

(13) If there is reasonable cause to believe that abuse or mistreatment has occurred, the community program must determine if the adult is in danger or in need of immediate protective services and shall provide those services immediately. Under these circumstances, the community program must also advise the provider agency or guardian about the allegation, and must include any information appropriate or necessary for the health, safety, and best interests of the adult in need of protection.

(14) The community program shall immediately, but no later than one working day, notify the Authority it has received a report of abuse or mistreatment, in the format provided by the Authority.

(15) In addition to the notification required by section (12) of these rules, if the community program determines that a report will be assigned for investigation, the community program must notify the provider agency, guardian, and any other individual with responsibility for providing services and protection, unless doing so would compromise the safety, health, or best interests of the adult in need of protection, or would compromise the integrity of the abuse or mistreatment investigation or a criminal investigation. The notice shall include information that the case shall be assigned for investigation, identify the investigator, and provide information regarding how the assigned investigator may be contacted. The notice must be provided within five working days from the date the report was received.

(16) If the community program determines from the report that there is no reasonable cause to believe abuse or mistreatment occurred, the community program shall notify the provider agency within five working days that a protective services investigation shall not commence and explain the reasons for that decision. The community program shall document the notice and maintain a record of all notices.

(17) The community program or law enforcement agency shall notify the appropriate medical examiner in cases where the community program or law enforcement agency finds reasonable cause to believe that an adult has died as a result of abuse or mistreatment or where the death occurred under suspicious or unknown circumstances.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0300

Investigation of Alleged Abuse or Mistreatment

(1) Investigation of abuse or mistreatment shall be thorough and unbiased. Community programs may not investigate allegations of abuse or mistreatment made against employees of the community program. Investigations of community program staff shall be conducted by the Authority or other community programs not subject to an actual or potential conflict of interest.

(2) In conducting an abuse or mistreatment investigation, the investigator must:

(a) Make in-person contact with the adult;

(b) Interview the adult, witnesses, the person alleged to have committed the abuse or mistreatment, and other individuals who may have knowledge of the facts of the abuse or mistreatment allegation or related circumstances. Interviews must be conducted in-person where practicable. The investigator must attempt to elicit the date of birth for each individual interviewed and shall obtain the date of birth of any person alleged to have committed the alleged abuse or mistreatment;

(c) Review all evidence relevant and material to the complaint; and

(d) Photograph the adult consistent with forensic guidelines, or arrange for the adult to be photographed, to preserve evidence of the alleged abuse or mistreatment and of the adult’s physical condition at the time of investigation, unless the adult knowingly refuses.

(3) All records necessary for the investigation shall be available to the community program for inspection and copying. A community facility shall provide community programs access to employees, the adult, and the premises for investigation purposes.

(4) When a law enforcement agency is conducting a criminal investigation of the alleged abuse or mistreatment, the community program shall also perform its own investigation as long as it does not interfere with the law enforcement agency investigation under the following circumstances:

(a) There is potential for action by a licensing or certifying agency;

(b) Timely investigation by law enforcement is not probable; or

(c) The law enforcement agency does not complete a criminal investigation.

(5) When a law enforcement agency is conducting an investigation of the alleged abuse or mistreatment, the community program must communicate and cooperate with the law enforcement agency.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0310

Assessment for and Provision of Protective Services to the Adult

The community program shall ensure that appropriate and necessary protective services are provided to the adult to prevent further abuse or mistreatment and must be undertaken in a manner that is least intrusive to the adult and provide for the greatest degree of independence available within existing resources. Assessment for the provision of protective services may include:

(1) Arranging for the immediate protection of the adult;

(2) Contacting the adult to assess his or her ability to protect his or her own interest or give informed consent;

(3) Determining the ability of the adult to understand the nature of the protective service and his or her willingness to accept services;

(4) Coordinating evaluations to determine or verify the adult’s physical and mental status, if necessary;

(5) Assisting in and arranging for appropriate services and alternative living arrangements;

(6) Assisting in or arranging the medical, legal, financial, or other necessary services to prevent further abuse or mistreatment;

(7) Providing advocacy to assure the adult’s rights and entitlements are protected; and

(8) Consulting with the community facility, program, or others as appropriate in developing recommendations or requirements to prevent further abuse or mistreatment.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0320

Abuse or Mistreatment Investigation and Protective Services Report

(1) The Authority shall provide abuse or mistreatment investigation and protective services report formats.

(2) Upon completion of the investigation and within 45 calendar days of the date the community program has assigned a report alleging abuse or mistreatment for investigation, the community programs shall prepare an abuse or mistreatment investigation and protective services report. This 45-day time period does not include an additional five-working day period allowing OIT to review and approve the report. The protective services report shall include:

(a) A statement of the allegations being investigated, including the date, location, and time;

(b) A list of protective services provided to the adult;

(c) An outline of steps taken in the investigation, a list of all witnesses interviewed, and a summary of the information provided by each witness;

(d) A summary of findings and conclusion concerning the allegation of abuse or mistreatment;

(e) A specific finding of “substantiated,” “inconclusive,” or “not substantiated”;

(f) A plan of action necessary to prevent further abuse or mistreatment of the adult;

(g) Any additional corrective action required by the community program and deadlines for completing these actions;

(h) A list of any notices made to licensing or certifying agencies;

(i) The name and title of the individual completing the report; and

(j) The date the report is written.

(3) In cases where, for good cause shown, the protective services investigator cannot complete the report within 45 days, the investigator shall submit a request for time extension to OIT.

(a) An extension may be granted for good cause shown which includes but is not limited to:

(A) When law enforcement is conducting an investigation;

(B) A material party or witness is temporarily unavailable;

(C) New evidence is discovered;

(D) The investigation is complex (e.g. large numbers of witnesses need to be interviewed taking into account scheduling difficulties and limitations, consultation with experts, or a detailed review of records over an extended period of time is required); or

(E) For some other mitigating reason.

(b) When granting an extension, OIT shall consult with the program about the need for an extension and determine the length of the extension as necessary.

(c) The community program shall notify the provider agency and guardian when an extension is granted and advise them of the new report due date.

(4) A copy of the final abuse or mistreatment investigation and protective services report shall be provided to the Authority within five working days of the report’s completion and approval by OIT.

(5) The community program must provide notice of the outcome of the investigation, or assure that notice is provided to the alleged victim, guardian, provider agency, accused person, and to any law enforcement agency which previously received notice of the initial report. Notice of outcome shall be provided to a reporter upon the reporter’s request. Notice of outcome must be made within five working days after the date the case is completed and approved by OIT. The community program must document how the notice was provided.

(6) A centralized record of all abuse or mistreatment investigation and protective services reports shall be maintained by community programs for all abuse or mistreatment investigations conducted in their county, and by the Authority for all abuse or mistreatment investigations in the state.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0330

Disclosure of the Abuse or Mistreatment Investigation and Protective Services Report and Related Documents

(1) Portions of the abuse or mistreatment investigation and protective services report and underlying investigatory documents are confidential and are not available for public inspection. Pursuant to ORS 430.763, names of abuse or mistreatment reporters, witnesses, and the alleged abuse or mistreatment victim are confidential and shall not be available for public inspection. Investigatory documents, including portions of the abuse or mistreatment investigation and protective services report that contains “individually identifiable health information,” as that term is defined under ORS 192.519 and 45 CFR160.103, are confidential under federal Health Insurance Portability and Accountability Act (HIPAA) privacy rules, 45 CFR Parts 160 and 164, and ORS 192.520 and 179.505-179.509.

(2) Notwithstanding section (1) of this rule, the Authority shall make confidential information available, including any photographs if appropriate, to any law enforcement agency, public agency that licenses or certifies facilities or licenses or certifies the individuals practicing therein, and any public agency providing protective services for the adult. The Authority shall make the protective services report and underlying investigatory materials available to any private agency providing protective services for the adult and to the protection and advocacy system designated pursuant to ORS 192.517(1).

(3) Individuals or entities receiving confidential information pursuant to this rule shall maintain the confidentiality of the information and shall not redisclose the confidential information to unauthorized individuals or entities, as required by state or federal law.

(4) The community program shall prepare a redacted version of the final completed abuse or mistreatment investigation report within 10 days after the date of the final report. The redacted report shall not contain any confidential information which is prohibited from disclosure pursuant to state or federal law. The redacted report shall be submitted to the provider agency.

(5) The community program shall provide a redacted version of the written report to the public for inspection upon written request.

(6) When the abuse or mistreatment investigation and protective services report is conducted by a community program as the Authority’s designee, the protective services investigation may be disclosed pursuant to this rule either by the community program or the Authority.

Stat. Authority: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0340

Prohibition Against Retaliation

(1) A community facility, community program, or individual shall not retaliate against any individual who reports suspected abuse or mistreatment in good faith, including the adult.

(2) Any community facility, community program, or individual that retaliates against any individual because of a report of suspected abuse or mistreatment shall be liable, according to ORS 430.755, in a private action to that individual for actual damages and, in addition, a civil penalty up to $1,000, notwithstanding any other remedy provided by law.

(3) Any adverse action creates a presumption of retaliation if taken within 90 days of a report of abuse or mistreatment. For purposes of this sub-section, “adverse action” means any action taken by a community facility, community program, or individual involved in a report against the individual making the report or against the adult because of the report and includes but is not limited to:

(a) Discharge or transfer from the community facility, except for clinical reasons;

(b) Termination of employment;

(c) Demotion or reduction in remuneration for services; or

(d) Restriction or prohibition of access to the community facility or its residents.

(4) Adverse action may also be evidence of retaliation after 90 days even though the presumption no longer applies.

Stat. Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0350

Immunity of Individuals Making Reports in Good Faith

(1) Any individual who makes a good faith report and who had reasonable grounds for making the report shall have immunity from civil liability with respect to having made the report.

(2) The reporter shall have the same immunity in any judicial proceeding resulting from the report as may be available in that proceeding.

(3) An individual who has personal knowledge that an employee or former employee of the adult was found to have committed abuse is immune from civil liability for the disclosure to a prospective employer of the employee of known facts concerning the abuse.

Stat. Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0360

Authority Investigation of Alleged Abuse or Mistreatment

(1) If determined necessary or appropriate, the Authority may conduct an investigation rather than allow the community program to investigate the alleged abuse or mistreatment or in addition to the investigation by the community program. Under such circumstances, the community program must receive authorization from the Authority before conducting any separate investigation.

(2) The community program shall make all records necessary for the investigation available to the Authority for inspection and copying. The community facilities and community programs must provide the Authority access to employees, the adult, and the premises for investigation purposes.

Stat. Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12

943-045-0370

County Multidisciplinary Teams

(1) The community program must participate in its county Multidisciplinary Team (MDT) to coordinate and collaborate on protective services for the abuse or mistreatment of adults with developmental disabilities or mental illness or both.

(2) All confidential information protected by state and federal law that is shared or obtained by MDT members in the exercise of their duties on the MDT is confidential and may not be further disclosed except as permitted by law.

(3) The community program or OIT shall provide an annual report to the MDT reporting the number of investigated and substantiated allegations of abuse or mistreatment of adults and the number referred to law enforcement in the county.

Stat. Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats. Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460, 443.705 – 443.825
Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f. 12-1-11, cert. ef. 12-5-11; OHA 3-2012, f. & cert. ef. 6-28-12


 

Rule Caption: Amend Electronic Data Transmission rules to include Coordinated Care Organizations.

Adm. Order No.: OHA 4-2012(Temp)

Filed with Sec. of State: 7-12-2012

Certified to be Effective: 7-12-12 thru 1-6-13

Notice Publication Date:

Rules Amended: 943-120-0100, 943-120-0110, 943-120-0112, 943-120-0114, 943-120-0116, 943-120-0118, 943-120-0120, 943-120-0170, 943-120-0180, 943-120-0200

Subject: The Authority needs to amend these rules to ensure the Authority’s EDT rules include Coordinated Care Organization related to the functionality of the Oregon Replacement Medicaid Management Information System (MMIS) in conjunction with the Health Insurance Portability and Accountability Act (HIPAA) transactions and codes set standards for the exchange of electronic data.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-120-0100

Definitions

The following definitions apply to OAR 943-120-0100 through 943-120-0200:

(1) “Access” means the ability or means necessary to read, write, modify, or communicate data or information or otherwise use any information system resource.

(2) “Agent” means a third party or organization that contracts with a provider, allied agency, coordinated care organization (CCO) or prepaid health plan (PHP), to perform designated services in order to facilitate a transaction or conduct other business functions on its behalf. Agents include billing agents, claims clearinghouses, vendors, billing services, service bureaus, and accounts receivable management firms. Agents may also be clinics, group practices, and facilities that submit billings on behalf of providers but the payment is made to a provider, including the following: an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim. Agents may also include electronic data transmission submitters.

(3) “Allied Agency” means local and regional allied agencies and includes local mental health authority, community mental health programs, Oregon Youth Authority, Department of Corrections, local health departments, schools, education service districts, developmental disability service programs, area agencies on aging, federally recognized American Indian tribes, and other governmental agencies or regional authorities that have a contract (including an interagency, intergovernmental, or grant agreement, or an agreement with an American Indian tribe pursuant to ORS 190.110) with the Oregon Health Authority to provide for the delivery of services to covered individuals and that request to conduct electronic data transactions in relation to the contract.

(4) “Authority” or “Oregon Health Authority” means the agency established in ORS Chapter 413 that administers the funds for Titles XIX and XXI of the Social Security Act. It is the single state agency for the administration of the medical assistance program under ORS chapter 414. For purposes of these rules, the agencies under the authority of the Authority are the Public Health Division, the Addictions and Mental Health Division, and the Division of Medical Assistance Programs.

(5) “Authority Network and Information Systems” means the Authority’s computer infrastructure that provides personal communications, confidential information, regional, wide area and local networks, and the internetworking of various types of networks on behalf of the Authority.

(6) “Clinic” means a group practice, facility, or organization that is an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim; and the group practice, facility, or organization is enrolled with the Authority, and payments are made to the group practice, facility, or organization. If the entity solely submits billings on behalf of providers and payments are made to each provider, then the entity is an agent.

(7) “Confidential Information” means information relating to covered individuals which is exchanged by and between the Authority, a provider, CCO, PHP, clinic, allied agency, or agents for various business purposes, but which is protected from disclosure to unauthorized individuals or entities by applicable state and federal statutes such as ORS 414.679, 344.600, 410.150, 411.320, 418.130, or the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and its implementing regulations. These statutes and regulations are collectively referred to as “Privacy Statutes and Regulations.”

(8) “Contract” means a specific written agreement between the Authority and a provider, CCO, PHP, clinic, or allied agency that provides or manages the provision of services, goods, or supplies to covered individuals and where the Authority and a provider, CCO, PHP, clinic, or allied agency may exchange data. A contract specifically includes, without limitation, an Authority provider enrollment agreement, fully capitated heath plan managed care contract, dental care organization managed care contract, mental health organization managed care contract, chemical dependency organization managed care contract, physician care organization managed care contract, coordinated care organization contract, a county financial assistance agreement, or any other applicable written agreement, interagency agreement, intergovernmental agreement, or grant agreement between the Authority and a provider, CCO, PHP, clinic, or allied agency.

(9) “Coordinated Care Organization” (CCO) means an entity that has been certified by the Authority to provide coordinated and integrated health services.

(10) “Covered Entity” means a health plan, health care clearing house, health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR 162.100 through 162.1902, or allied agency that transmits any health information in electronic form in connection with a transaction, including direct data entry (DDE), and who must comply with the National Provider Identifier (NPI) requirements of 45 CFR 162.402 through 162.414.

(11) “Covered Individual” means individuals who are eligible for payment of certain services or supplies provided to them or their eligible dependents by or through a provider, CCO, PHP, clinic, or allied agency under the terms of a contract applicable to a governmental program for which the Authority processes or administers data transmissions.

(12) “Data” means a formalized representation of specific facts or concepts suitable for communication, interpretation, or processing by individuals or by automatic means.

(13) “Data Transmission” means the transfer or exchange of data between the Authority and a web portal or electronic data interchange (EDI) submitter by means of an information system which is compatible for that purpose and includes without limitation, web portal, EDI, electronic remittance advice (ERA), or electronic media claims (EMC) transmissions.

(14) “Department” means the Department of Human Services.

(15) “Direct Data Entry (DDE)” means the process using dumb terminals or computer browser screens where data is directly keyed into a health plan’s computer by a provider or its agent, such as through the use of a web portal.

(16) “Electronic Data Interchange (EDI)” means the exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, using bulk transmission processes and other formats as the Authority designates for EDI transactions. For purposes of these rules (OAR 943-120-0100 through 943-120-0200), EDI does not include electronic transmission by web portal.

(17) “Electronic Data Interchange Submitter” means an individual or entity authorized to establish the electronic media connection with the Authority to conduct an EDI transaction. An EDI submitter may be a trading partner or an agent of a trading partner.

(18) “Electronic Media” means electronic storage media including memory devices in computers or computer hard drives; any removable or transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media includes but is not limited to the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. Certain transmissions, including paper via facsimile and voice via telephone, are not considered transmissions by electronic media because the information being exchanged did not exist in electronic form before transmission.

(19) “Electronic Media Claims (EMC)” means an electronic media means of submitting claims or encounters for payment of services or supplies provided by a provider, CCO, PHP, clinic, or allied agency to a covered individual.

(20) “Electronic Remittance Advice (ERA)” means an electronic file in X12 format containing information pertaining to the disposition of a specific claim for payment of services or supplies rendered to covered individuals which are filed with the Authority on behalf of covered individuals by providers, clinics, or allied agencies. The documents include, without limitation, the provider name and address, individual name, date of service, amount billed, amount paid, whether the claim was approved or denied, and if denied, the specific reason for the denial. For CCOs or PHPs, the remittance advice file contains information on the adjudication status of encounter claims submitted.

(21) “Electronic Data Transaction (EDT)” means a transaction governed by the Health Insurance Portability and Accountability Act (HIPAA) transaction rule, conducted by either web portal or EDI.

(22) “Envelope” means a control structure in a mutually agreed upon format for the electronic interchange of one or more encoded data transmissions either sent or received by an EDI submitter or the Authority.

(23) “HIPAA Transaction Rule” means the standards for electronic transactions at 45 CFR Part 160 and 162 as revised effective January 16, 2009 (from version in effect on January 1, 2008) adopted by the Department of Health and Human Services (DHHS) to implement the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et. seq.

(24) “Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of an information system or information asset including but not limited to unauthorized disclosure of information, failure to protect user IDs, and theft of computer equipment using or storing Authority information assets or confidential information.

(25) “Individual User Profile (IUP)” means Authority forms used to authorize a user, identify their job assignment, and the required access to the Authority’s network and information system. It generates a unique security access code used to access the Authority’s network and information system.

(26) “Information Asset” means all information, also known as data, provided through the Authority, regardless of the source, which requires measures for security and privacy of the information.

(27) “Information System” means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and trained personnel necessary for successful data transmission.

(28) “Lost or Indecipherable Transmission” means a data transmission which is never received by or cannot be processed to completion by the receiving party in the format or composition received because it is garbled or incomplete, regardless of how or why the message was rendered garbled or incomplete.

(29) “Mailbox” means the term used by the Authority to indicate trading partner-specific locations on the Authority’s secure file transfer protocol (SFTP) server to deposit and retrieve electronic data identified by a unique Authority assigned trading partner number.

(30) “Password” means the alpha-numeric codes and special characters assigned to an EDI submitter by the Authority for the purpose of allowing access to the Authority’s information system, including the web portal, for the purpose of successfully executing data transmissions or otherwise carrying out the express terms of a trading partner agreement or provider enrollment agreement and these rules.

(31) “Personal Identification Number (PIN)” means the alpha-numeric codes assigned to web portal submitters by the Authority for the purpose of allowing access to the Authority’s information system, including the web portal, for the purpose of successfully executing DDE, data transmissions, or otherwise carrying out the express terms of a trading partner agreement, provider enrollment agreement, and these rules.

(32) “Prepaid Health Plan (PHP) or Plan” means a managed health care, dental care, chemical dependency, physician care organization, or mental health care organization that contracts with the Authority on a case managed, prepaid, capitated basis under the Oregon Health Plan (OHP).

(33) “Provider” means an individual, facility, institution, corporate entity, or other organization which supplies or provides for the supply of services, goods or supplies to covered individuals pursuant to a contract, including but not limited to a provider enrollment agreement with the Authority. A provider does not include billing providers as used in the Division of Medical Assistance (DMAP) general rules but does include non -healthcare providers such as foster care homes. DMAP billing providers are defined in these rules as agents, except for DMAP billing providers that are clinics.

(34) “Provider Enrollment Agreement” means an agreement between the Authority and a provider for payment for the provision of covered services to covered individuals.

(35) “Registered Transaction” means each type of EDI transaction applicable to a trading partner that must be registered with the Authority before it can be tested or approved for EDI transmission.

(36) “Security Access Codes” means the access code assigned by the Authority to the web portal submitter or EDI submitter for the purpose of allowing access to the Authority’s information system, including the web portal, to execute data transmissions or otherwise carry out the express terms of a trading partner agreement, provider enrollment agreement, and these rules. Security access codes may include passwords, PINs, or other codes. For password standards, refer to the Authority’s ISPO best practice: http://www.dhs.state.or.us/policy/admin/security/090_002.htm.

(37) “Source Documents” means documents or electronic files containing underlying data which is or may be required as part of a data transmission with respect to a claim for payment of charges for medical services or supplies provided to a covered individual, or with respect to any other transaction. Examples of data contained within a specific source document include but are not limited to an individual’s name and identification number, claim number, diagnosis code for the services provided, dates of service, service procedure description, applicable charges for the services provided, and a provider’s, CCOs, PHP’s, clinic’s, or allied agency’s name, identification number, and signature.

(38) “Standard” means a rule, condition, or requirement describing the following information for products, systems, or practices:

(a) Classification of components;

(b) Specification of materials, performance, or operations; or

(c) Delineation of procedures.

(39) “Standards for Electronic Transactions” mean a transaction that complies with the applicable standard adopted by DHHS to implement standards for electronic transactions.

(40) “Submitter” means a provider, CCO, PHP, clinic, or allied agency that may or may not have entered into a Trading Partner Agreement depending upon whether the need is to exchange Electronic Data Transactions or access the Authority’s Web Portal.

(41) “Transaction” means the exchange of data between the Authority and a provider using web portal access or a trading partner using electronic media to carry out financial or administrative activities.

(42) “Trade Data Log” means the complete written summary of data and data transmissions exchanged between the Authority and an EDI submitter during the period of time a trading partner agreement is in effect and includes but is not limited to sender and receiver information, date and time of transmission, and the general nature of the transmission.

(43) “Trading Partner” means a provider, CCO, PHP, clinic, or allied agency that has entered into a trading partner agreement with the Authority in order to satisfy all or part of its obligations under a contract by means of EDI, ERA, or EMC, or any other mutually agreed means of electronic exchange or transfer of data.

(44) “Trading Partner Agreement (TPA)” means a specific written request by a provider, CCO, PHP, clinic, or allied agency to conduct EDI transactions that governs the terms and conditions for EDI transactions in the performance of obligations under a contract. A provider, CCO, PHP, clinic, or allied agency that has executed a TPA will be referred to as a trading partner in relation to those functions.

(45) “User” means any individual or entity authorized by the Authority to access network and information systems or information assets.

(46) “User Identification Security (UIS)” means a control method required by the Authority to ensure that only authorized users gain access to specified information assets. One method of control is the use of passwords and PINs with unique user identifications.

(47) “Web Portal” means a site on the World Wide Web that provides secure access with personalized capabilities to its visitors and a pathway to other content designed for use with the Authority specific DDE applications.

(48) “Web Portal Submitter” means an individual or entity authorized to establish an electronic media connection with the Authority to conduct a DDE transaction. A web portal submitter may be a provider or a provider’s agent.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0110

Purpose

(1) These rules establish requirements applicable to providers, CCOs, PHPs, and allied agencies that want to conduct electronic data transactions with the Authority. These rules govern the conduct of all web portal or EDI transactions with the Authority. These rules only apply to services or items that are paid for by the Authority. If the service or item is paid for by a plan or an allied agency, these rules do not apply.

(2) These rules establish the Authority’s electronic data transaction requirements for purposes of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d–1320d-8, Public Law 104-191, sec. 262 and sec. 264, and the implementing standards for electronic transactions rules. Where a federal HIPAA standard has been adopted for an electronic data transaction, this rule implements and does not alter the federal standard.

(3) These rules establish procedures that must be followed by any provider, CCO, PHP, or allied agency in the event of a security or privacy incident, regardless of whether the incident is related to the use of an electronic data transaction.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0112

Scope and Sequence of Electronic Data Transmission Rules

(1) The Authority communicates with and receives communications from its providers, CCOs, PHPs, and allied agencies using a variety of methods appropriate to the services being provided, the nature of the entity providing the services, and constantly changing technology. These rules describe some of the basic ways that the Authority will exchange data electronically. Additional details may be provided in the Authority’s access control rules, provider-specific rules, or the applicable contract documents.

(2) Access to eligibility information about covered individuals may occur using one or more of the following methods:

(a) Automated voice response, via a telephone;

(b) Web portal access;

(c) EDI submitter access; or

(d) Point of sale (POS) for pharmacy providers.

(3) Claims for which the Authority is responsible for payment or encounter submissions made to the Authority may occur using one or more of the following methods:

(a) Paper, using the form specified in the provider specific rules and supplemental billing guidance. Providers may submit paper claims, except that pharmacy providers are required to use the POS process for claims submission, and CCOs and PHPs must use the 837 electronic formats;

(b) Web portal access;

(c) EDI submitter access; or

(d) POS for pharmacy providers.

(4) Authority informational updates, provider record updates, depository for CCO or PHP reports, or EDT as specified by the Authority for contract compliance.

(5) Other Authority network and information system access is governed by specific program requirements, which may include but is not limited to IUP access. Affected providers, CCOs, PHPs, and allied agencies shall be separately instructed about the access and requirements. Incidents are subject to these rules.

(6) Providers and allied agencies that continue to use only paper formats for claims transactions are only subject to the confidentiality and security rule, OAR 943-120-0170.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0114

Provider Enrollment Agreement

(1) When a provider applies to enroll, the application form will include information about how to participate in the web portal for use of DDE and automated voice response (AVR) inquiries. The enrollment agreement shall include a section describing the process that will permit the provider, once enrolled, to participate in DDE over the Internet using the secure Authority web portal. This does not include providers enrolled through the use of the DMAP 3108 Managed Care Plan and FFS Non Paid Provider Application. CCOs and PHPs shall receive the information described in this rule, along with PINs and other information required for access.

(2) When the provider number is issued by the Authority, the provider will also receive two PINs: one that may be used to access the web portal and one that may be used for AVR.

(a) If the PINs are not activated within 60 days of issuance, the Authority will initiate a process to inactivate the PIN. If the provider wants to use PIN-based access to the web portal or AVR after deactivation, the provider must submit an update form to obtain another PIN.

(b) Activating the PIN will require Internet access and the provider must supply security data that will be associated with the use of the PIN.

(c) Providers, CCOs, and PHPs using the PIN must protect the confidentiality and security of the PIN pursuant to OAR 943-120-0170.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0116

Web Portal Submitter

(1) Any provider, CCO, or PHP activating their web portal access for web portal submission may be a web portal submitter. The provider will be referred to as the web portal submitter when functioning in that capacity, and shall be required to comply with these rules governing web portal submitters.

(2) The authorized signer of the provider enrollment agreement shall be the individual who is responsible for the provider’s, CCO’s, or PHP’s DDE claims submission process.

(a) If a provider, CCO, or PHP submits their own claims directly, the provider, CCO, or PHP will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules.

(b) If a provider, CCO, or PHP uses an agent or clinic to submit DDE claims using the Authority’s web portal, the agent or clinic will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0118

Conduct of Direct Data Entry Using Web Portal

(1) The web portal submitter is responsible for the conduct of the DDE transactions submitted on behalf of the provider, CCO, or PHP, as follows:

(a) The web portal submitter must take reasonable care to ensure that data and DDE transmissions are timely, complete, accurate, and secure, and must take reasonable precautions to prevent unauthorized access to the information system or the DDE transmission. The Authority may not correct or modify an incorrect DDE transaction prior to processing. The transactions may be rejected and the web portal submitter shall be notified of the rejection.

(b) The web portal submitter and the Authority must bear their own information system costs. The web portal submitter must, at their own expense, obtain access to Internet service that is compatible with and has the capacity for secure access to the Authority’s web portal. Web portal submitters must pay their own costs for all charges, including but not limited to charges for equipment, software and services, Internet connection and use time, terminals, connections, telephones, and modems. The Authority is not responsible for providing technical assistance for access to or use of Internet web portal services or the processing of a DDE transaction.

(c) The web portal submitter must send and receive all data transactions in the Authority’s approved format. Any attempt to modify or alter the DDE transaction format may result in denial of web portal access.

(d) Re-submissions. The web portal submitter must maintain source documents and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by federal or state law, or by contractual agreement. Back ups, archives, or related files are subject to the terms of these rules to the same extent as the original data transmission.

(2) To protect security and confidentiality, web portal submitters must comply with the following:

(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data or data transmissions, except as permitted by these rules or the contract, or use the same for any purpose other than that which the web portal submitter was specifically given access and authorization by the Authority or the provider.

(b) Refrain from obtaining access by any means to any data or the Authority’s network and information system for any purpose other than that which the web portal submitter has received express authorization to receive access. If the web portal submitter receives data or data transmissions from the Authority which are clearly not intended for the receipt of web portal submitter, the web portal submitter will immediately notify the Authority and make arrangements to return or re-transmit the data or data transmission to the Authority. After re-transmission, the web portal submitter must immediately delete the data contained in the data transmission from its information system.

(c) Install necessary security precautions to ensure the security of the DDE transmission or records relating to the information system of either the Authority or the web portal submitter when the information system is not in active use by the web portal submitter.

(d) Protect and maintain, at all times, the confidentiality of security access codes issued by the Authority. Security access codes are strictly confidential and specifically subject, without limitation, to all of the restrictions in OAR 943-120-0170. The Authority may change the designated security access codes at any time and in any manner as the Authority in its sole discretion considers necessary.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0120

Registration Process — EDI Transactions

(1) The EDI transaction process is preferred by providers, CCOs, PHPs, and allied agencies for conducting batch or real time transactions, rather than the individual data entry process used for DDE. EDI registration is an administrative process governed by these rules. The EDI registration process begins with the submission of a TPA by a provider, CCO, PHP, clinic, or allied agency, including all requirements and documentation required by these rules.

(2) Trading partners must be Authority providers, CCOs, PHPs, clinics, or allied agencies with a current Authority contract. The Authority will not accept a TPA from individuals or entities who do not have a current contract with the Authority; however, the Authority shall accept a TPA from entities that have been provisionally certified to become CCOs in order to facilitate testing, pending contract signing.

(a) The Authority may receive and hold the TPA for individuals or entities that have submitted a provider enrollment agreement or other pending contract, subject to the satisfactory execution of the pending document.

(b) Termination, revocation, suspension, or expiration of the contract will result in the concurrent termination, revocation, suspension, or expiration of the TPA without any additional notice; except that the TPA will remain in effect to the extent necessary for a trading partner or the Authority to complete obligations involving EDI under the contract for dates of service when the contract was in effect. Contracts that are periodically renewed or extended do not require renewal or extension of the TPA unless there is a lapse of time between contracts.

(c) Failure to identify a current Authority contract during the registration process shall result in a rejection of the TPA. The Authority shall verify that the contract numbers identified by a provider, CCO, PHP, clinic, or allied agency are current contracts.

(d) If contract number or contract status changes, the trading partner must provide the Authority with updated information within five business days of the change in contract status. If the Authority determines that a valid contract no longer exists, the Authority shall discontinue EDI transactions applicable for any time period in which the contract no longer exists; except that the TPA will remain in effect to the extent necessary for the trading partner or the Authority to complete obligations involving EDI under the contract for dates of service when the contract was in effect.

(3) To register as a trading partner with the Authority, a provider, CCO, PHP, clinic, or allied agency must submit a signed TPA to the Authority.

(4) In addition to the requirements of section (3) of this rule, a trading partner must submit an application for authorization to the Authority. The application provides specific identification and legal authorization from the trading partner for an EDI submitter to conduct EDI transactions on behalf of a trading partner.

(5) A trading partner may use agents to facilitate the electronic transmission of data. If a trading partner will be using an agent as an EDI submitter, the application for authorization required under section (4) of this rule must identify and authorize an EDI submitter and must include the EDI certification signed by an EDI submitter before the Authority may accept electronic submission from or send electronic transmission to an EDI submitter.

(6) In addition to the requirements of section (3) of this rule, a trading partner must also submit its EDI registration form. This form requires the trading partner or its authorized EDI submitter to register an EDI submitter and the name and type of EDI transaction they are prepared to conduct. Signature of the trading partner or authorized EDI submitter is required on the EDI registration form. The registration form will also permit the trading partner to identify the individuals or EDI submitters who are authorized to submit or receive EDI registered transactions.

(7) The Authority shall review the documentation provided to determine compliance with sections (1) through (6) of this rule. The Authority may verify the documentation. When the Authority determines that the information complies with these rules, the Authority shall notify the trading partner and EDI submitter by email about any testing or other requirements applicable to place the registered transaction into a production environment.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0170

Security

(1) Individually Identifiable Health Information. All providers, CCOs, PHPs, and allied agencies are responsible for ensuring the security of individually identifiable health information, consistent with the requirements of the privacy statutes and regulations, and shall take reasonable action to prevent any unauthorized disclosure of confidential information by a provider, CCO, PHP, allied agency, or other agent. A provider, web portal submitter, trading partner, EDI submitter, or other agent must comply with any and all applicable privacy statutes and regulations relating to confidential information.

(2) General Requirements for Electronic Submitters. A provider (web portal submitter), trading partner (EDI submitter), or other agent must maintain adequate security procedures to prevent unauthorized access to data, data transmissions, security access codes, or the Authority’s information system, and must immediately notify the Authority of all unauthorized attempts by any individual or entity to obtain access to or otherwise tamper with the data, data transmissions, security access codes, or the Authority’s information system.

(3) Notice of Unauthorized Disclosures. All providers, CCOs, PHPs, and allied agencies must promptly notify the Authority of all unlawful or unauthorized disclosures of confidential information that come to its agents’ attention pursuant to the Authority’s ISPO policy: http://www.dhs.state.or.us/policy/admin/security/090_005.pdf, and shall cooperate with the Authority if corrective action is required by the Authority. The Authority shall promptly notify a provider, CCO, PHP, or allied agency of all unlawful or unauthorized disclosures of confidential information in relation to a provider, CCO, PHP, or allied agency that come to the Authority’s or its agents’ attention, and will cooperate with a provider, PHP, or allied agency if corrective action is required.

(4) Wrongful use of the web portal, EDI systems, or the Authority’s network and information system, or wrongful use or disclosure of confidential information by a provider, CCO, PHP, allied agency, electronic submitters, or their agents may result in the immediate suspension or revocation of any access granted under these rules or other Authority rules, at the sole discretion of the Authority.

(5) A provider, allied agency, CCO, PHP, or electronic submitter must report to the Authority’s Information Security Office at dhsinfo.security@state.or.us and to the Authority program contact individual, any privacy or security incidents that compromise, damage, or cause a loss of protection to confidential information, information assets, or the Authority’s network and security system. Reports must be made in the following manner:

(a) No later than five business days from the date on which a provider, allied agency, CCO, PHP, or electronic submitter becomes aware of the incident; and

(b) Provide the results of the incident assessment findings and resolution strategies no later than 30 business days after the report is due under section (4)(a).

(6) A provider, allied agency, CCO, PHP, or electronic submitter must comply with the Authority’s requests for corrective action concerning a privacy or security incident and with applicable laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0180

Record Retention and Audit

(1) Records Retention. A provider, CCO, PHP, web portal submitter, trading partner, and EDI submitter shall maintain, for a period of no less than seven years from the date of service, complete, accurate, and unaltered copies of all source documents associated with all data transmissions.

(2) EDI Trade Data Log. An EDI submitter must establish and maintain a trade data log that must record all data transmissions taking place between an EDI submitter and the Authority during the term of a TPA. A trading partner and EDI submitter must take necessary and reasonable steps to ensure that the trade data log constitutes a current, truthful, accurate, complete, and unaltered record of all data transmissions between the parties and must be retained by each party for no less than 24 months following the date of the data transmission. The trade data log may be maintained on electronic media or other suitable means provided that, if necessary, the information may be timely retrieved and presented in readable form.

(3) Right to Audit. A provider, CCO or PHP must allow and require any web portal submitter to allow, and a trading partner must allow and require an EDI submitter or other agent to allow access to the Authority, the Oregon Secretary of State, the Oregon Department of Justice Medicaid Fraud Unit, or its designees, and DHHS or its designees to audit relevant business records, source documents, data, data transmissions, trade data logs, or information systems of a provider and its web portal submitter, and a trading partner, and its agents, as necessary, to ensure compliance with these rules. A provider must allow and require its web portal submitter to allow, and a trading partner must allow and require an EDI submitter or other agent to allow the Authority, or its designee, access to ensure that adequate security precautions have been made and are implemented to prevent unauthorized disclosure of any data, data transmissions, or other information.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

943-120-0200

Authority System Administration

(1) No individual or entity shall be registered to conduct a web portal or an EDI transaction with the Authority except as authorized under these the rules. Eligibility and continued participation as a provider, CCO, PHP, allied agency or web portal submitter in the conduct of DDE transactions, or as a trading partner or EDI submitter in the conduct of registered transactions, is conditioned on the execution and delivery of the documents required in these rules, the continued accuracy of that information consistent with OAR 943-120-0190, and compliance with a requirements of these rules. Data, including confidential information, governed by these rules may be used for purposes related to treatment, payment, and health care operations and for the administration of programs or services by the Authority.

(2) In addition to the requirements of section (1) of this rule, in order to qualify as a trading partner:

(a) An individual or entity must be a Authority provider, CCO, PHP, clinic, or allied agency pursuant to a current valid contract; and

(b) A provider, CCO, PHP, clinic, or allied agency must have submitted an executed TPA and all related documentation, including the application for authorization that identifies and authorizes an EDI submitter.

(3) In addition to the requirements of section (1) of this rule, in order to qualify as an EDI submitter:

(a) A trading partner must have identified the individual or entity as an authorized EDI submitter in the application for authorization;

(b) If a trading partner identifies itself as an EDI submitter, the application for authorization must include the information required in the “Trading Partner Authorization of EDI Submitter” and the “EDI Submitter Information”; and

(c) If a trading partner uses an agent as an EDI submitter, the application for authorization must include the information described in section (3)(b) and the signed EDI submitter certification.

(4) The EDI registration process described in these rules provides the Authority with essential profile information that the Authority may use to confirm that a trading partner or EDI submitter is not otherwise excluded or disqualified from submitting EDI transactions to the Authority.

(5) Nothing in these rules or a TPA prevents the Authority from requesting additional information from a trading partner or an EDI submitter to determine their qualifications or eligibility for registration as a trading partner or EDI submitter.

(6) The Authority shall deny a request for registration as a trading partner or for authorization of an EDI submitter or an EDI registration if it finds any of the following:

(a) A trading partner or EDI submitter has substantially failed to comply with the applicable administrative rules or laws;

(b) A trading partner or EDI submitter has been convicted of (or entered a plea of nolo contendre) a felony or misdemeanor related to a crime or violation of federal or state public assistance laws or privacy statutes or regulations;

(c) A trading partner or EDI submitter is excluded from participation in the Medicare program, as determined by the DHHS secretary; or

(d) A trading partner or EDI submitter fails to meet the qualifications as a trading partner or EDI submitter.

(7) Failure to comply with these rules, trading partner agreement, or EDI submitter certification or failure to provide accurate information on an application or certification may also result in sanctions and payment recovery pursuant to applicable Authority program contracts or rules.

(8) For providers using the DDE submission system by the Authority web portal, failure to comply with the terms of these rules, a web portal registration form, or failure to provide accurate information on the registration form may result in sanctions or payment recovery pursuant to the applicable Authority program contracts or rules.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11; OHA 4-2012(Temp), f. & cert. ef. 7-12-12 thru 1-6-13

Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2011.

2.) Copyright 2012 Oregon Secretary of State: Terms and Conditions of Use

Oregon Secretary of State • 136 State Capitol • Salem, OR 97310-0722
Phone: (503) 986-1523 • Fax: (503) 986-1616 • oregon.sos@state.or.us

© 2013 State of Oregon All Rights Reserved​