Secretary of State home | State Archives home

800 Summer St NE Salem OR 97310
503 373 0701 | Mon-Fri: 8am-4:45pm

Oregon State Archives

The Oregon Administrative Rules contain OARs filed through April 13, 2012

OREGON HEALTH AUTHORITY

DIVISION 120

PROVIDER RULES

Electronic Data Transmission

943-120-0100

Definitions

The following definitions apply to OAR 943-120-0100 through 943-120-0200:

(1) "Access" means the ability or means necessary to read, write, modify, or communicate data or information or otherwise use any information system resource.

(2) "Agent" means a third party or organization that contracts with a provider, allied agency, or prepaid health plan (PHP) to perform designated services in order to facilitate a transaction or conduct other business functions on its behalf. Agents include billing agents, claims clearinghouses, vendors, billing services, service bureaus, and accounts receivable management firms. Agents may also be clinics, group practices, and facilities that submit billings on behalf of providers but the payment is made to a provider, including the following: an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim. Agents may also include electronic data transmission submitters.

(3) "Allied Agency" means local and regional allied agencies and includes local mental health authority, community mental health programs, Oregon Youth Authority, Department of Corrections, local health departments, schools, education service districts, developmental disability service programs, area agencies on aging, federally recognized American Indian tribes, and other governmental agencies or regional authorities that have a contract (including an interagency, intergovernmental, or grant agreement, or an agreement with an American Indian tribe pursuant to ORS 190.110) with the Oregon Health Authority to provide for the delivery of services to covered individuals and that request to conduct electronic data transactions in relation to the contract.

(4) “Authority” means the Oregon Health Authority.

(5) "Authority Network and Information Systems" means the Authority's computer infrastructure that provides personal communications, confidential information, regional, wide area and local networks, and the internetworking of various types of networks on behalf of the Authority.

(6) "Clinic" means a group practice, facility, or organization that is an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim; and the group practice, facility, or organization is enrolled with the Authority, and payments are made to the group practice, facility, or organization. If the entity solely submits billings on behalf of providers and payments are made to each provider, then the entity is an agent.

(7) "Confidential Information" means information relating to covered individuals which is exchanged by and between the Authority, a provider, PHP, clinic, allied agency, or agents for various business purposes, but which is protected from disclosure to unauthorized individuals or entities by applicable state and federal statutes such as ORS 344.600, 410.150, 411.320, 418.130, or the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and its implementing regulations. These statutes and regulations are collectively referred to as "Privacy Statutes and Regulations."

(8) "Contract" means a specific written agreement between the Authority and a provider, PHP, clinic, or allied agency that provides or manages the provision of services, goods, or supplies to covered individuals and where the Authority and a provider, PHP, clinic, or allied agency may exchange data. A contract specifically includes, without limitation, an Authority provider enrollment agreement, fully capitated heath plan managed care contract, dental care organization managed care contract, mental health organization managed care contract, chemical dependency organization managed care contract, physician care organization managed care contract, a county financial assistance agreement, or any other applicable written agreement, interagency agreement, intergovernmental agreement, or grant agreement between the Authority and a provider, PHP, clinic, or allied agency.

(9) "Covered Entity" means a health plan, health care clearing house, health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR 162.100 through 162.1902, or allied agency that transmits any health information in electronic form in connection with a transaction, including direct data entry (DDE), and who must comply with the National Provider Identifier (NPI) requirements of 45 CFR 162.402 through 162.414.

(10) "Covered Individual" means individuals who are eligible for payment of certain services or supplies provided to them or their eligible dependents by or through a provider, PHP, clinic, or allied agency under the terms of a contract applicable to a governmental program for which the Authority processes or administers data transmissions.

(11) "Data" means a formalized representation of specific facts or concepts suitable for communication, interpretation, or processing by individuals or by automatic means.

(12) "Data Transmission" means the transfer or exchange of data between the Authority and a web portal or electronic data interchange (EDI) submitter by means of an information system which is compatible for that purpose and includes without limitation, web portal, EDI, electronic remittance advice (ERA), or electronic media claims (EMC) transmissions.

(13) "Department" means the Department of Human Services.

(14) "Direct Data Entry (DDE)" means the process using dumb terminals or computer browser screens where data is directly keyed into a health plan's computer by a provider or its agent, such as through the use of a web portal.

(15) "Electronic Data Interchange (EDI)" means the exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, using bulk transmission processes and other formats as the Authority designates for EDI transactions. For purposes of these rules (OAR 943-120-0100 through 943-120-0200), EDI does not include electronic transmission by web portal.

(16) "Electronic Data Interchange Submitter" means an individual or entity authorized to establish the electronic media connection with the Authority to conduct an EDI transaction. An EDI submitter may be a trading partner or an agent of a trading partner.

(17) "Electronic Media" means electronic storage media including memory devices in computers or computer hard drives; any removable or transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media includes but is not limited to the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. Certain transmissions, including paper via facsimile and voice via telephone, are not considered transmissions by electronic media because the information being exchanged did not exist in electronic form before transmission.

(18) "Electronic Media Claims (EMC)" means an electronic media means of submitting claims or encounters for payment of services or supplies provided by a provider, PHP, clinic, or allied agency to a covered individual.

(19) "Electronic Remittance Advice (ERA)" means an electronic file in X12 format containing information pertaining to the disposition of a specific claim for payment of services or supplies rendered to covered individuals which are filed with the Authority on behalf of covered individuals by providers, clinics, or allied agencies. The documents include, without limitation, the provider name and address, individual name, date of service, amount billed, amount paid, whether the claim was approved or denied, and if denied, the specific reason for the denial. For PHPs, the remittance advice file contains information on the adjudication status of encounter claims submitted.

(20) "Electronic Data Transaction (EDT)" means a transaction governed by the Health Insurance Portability and Accountability Act (HIPAA) transaction rule, conducted by either web portal or EDI.

(21) "Envelope" means a control structure in a mutually agreed upon format for the electronic interchange of one or more encoded data transmissions either sent or received by an EDI submitter or the Authority.

(22) "HIPAA Transaction Rule" means the standards for electronic transactions at 45 CFR Part 160 and 162 as revised effective January 16, 2009 (from version in effect on January 1, 2008) adopted by the Department of Health and Human Services (DHHS) to implement the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et. seq.

(23) "Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of an information system or information asset including but not limited to unauthorized disclosure of information, failure to protect user IDs, and theft of computer equipment using or storing Authority information assets or confidential information.

(24) "Individual User Profile (IUP)" means Authority forms used to authorize a user, identify their job assignment, and the required access to the Authority's network and information system. It generates a unique security access code used to access the Authority's network and information system.

(25) "Information Asset" means all information, also known as data, provided through the Authority, regardless of the source, which requires measures for security and privacy of the information.

(26) "Information System" means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and trained personnel necessary for successful data transmission.

(27) "Lost or Indecipherable Transmission" means a data transmission which is never received by or cannot be processed to completion by the receiving party in the format or composition received because it is garbled or incomplete, regardless of how or why the message was rendered garbled or incomplete.

(28) "Mailbox" means the term used by the Authority to indicate trading partner-specific locations on the Authority's secure file transfer protocol (SFTP) server to deposit and retrieve electronic data identified by a unique Authority assigned trading partner number.

(29) "Password" means the alpha-numeric codes and special characters assigned to an EDI submitter by the Authority for the purpose of allowing access to the Authority's information system, including the web portal, for the purpose of successfully executing data transmissions or otherwise carrying out the express terms of a trading partner agreement or provider enrollment agreement and these rules.

(30) "Personal Identification Number (PIN)" means the alpha-numeric codes assigned to web portal submitters by the Authority for the purpose of allowing access to the Authority's information system, including the web portal, for the purpose of successfully executing DDE, data transmissions, or otherwise carrying out the express terms of a trading partner agreement, provider enrollment agreement, and these rules.

(31) "Prepaid Health Plan (PHP) or Plan" means a managed health care, dental care, chemical dependency, physician care organization, or mental health care organization that contracts with the Authority on a case managed, prepaid, capitated basis under the Oregon Health Plan (OHP).

(32) "Provider" means an individual, facility, institution, corporate entity, or other organization which supplies or provides for the supply of services, goods or supplies to covered individuals pursuant to a contract, including but not limited to a provider enrollment agreement with the Authority. A provider does not include billing providers as used in the Division of Medical Assistance (DMAP) general rules but does include non healthcare providers such as foster care homes. DMAP billing providers are defined in these rules as agents, except for DMAP billing providers that are clinics.

(33) "Provider Enrollment Agreement" means an agreement between the Authority and a provider for payment for the provision of covered services to covered individuals.

(34) "Registered Transaction" means each type of EDI transaction applicable to a trading partner that must be registered with the Authority before it can be tested or approved for EDI transmission.

(35) "Security Access Codes" means the access code assigned by the Authority to the web portal submitter or EDI submitter for the purpose of allowing access to the Authority's information system, including the web portal, to execute data transmissions or otherwise carry out the express terms of a trading partner agreement, provider enrollment agreement, and these rules. Security access codes may include passwords, PINs, or other codes. For password standards, refer to the Authority’s ISPO best practice: http://www.dhs.state.or.us/policy/admin/security/090_002.htm.

(36) "Source Documents" means documents or electronic files containing underlying data which is or may be required as part of a data transmission with respect to a claim for payment of charges for medical services or supplies provided to a covered individual, or with respect to any other transaction. Examples of data contained within a specific source document include but are not limited to an individual's name and identification number, claim number, diagnosis code for the services provided, dates of service, service procedure description, applicable charges for the services provided, and a provider's, PHP's, clinic's, or allied agency's name, identification number, and signature.

(37) "Standard" means a rule, condition, or requirement describing the following information for products, systems, or practices:

(a) Classification of components;

(b) Specification of materials, performance, or operations; or

(38) "Standards for Electronic Transactions" mean a transaction that complies with the applicable standard adopted by DHHS to implement standards for electronic transactions.

(39) “Submitter” means a provider, PHP, clinic, or allied agency that may or may not have entered into a Trading Partner Agreement depending upon whether the need is to exchange Electronic Data Transactions or access the Authority’s Web Portal.

(40) "Transaction" means the exchange of data between the Authority and a provider using web portal access or a trading partner using electronic media to carry out financial or administrative activities.

(41) "Trade Data Log" means the complete written summary of data and data transmissions exchanged between the Authority and an EDI submitter during the period of time a trading partner agreement is in effect and includes but is not limited to sender and receiver information, date and time of transmission, and the general nature of the transmission.

(42) "Trading Partner" means a provider, PHP, clinic, or allied agency that has entered into a trading partner agreement with the Authority in order to satisfy all or part of its obligations under a contract by means of EDI, ERA, or EMC, or any other mutually agreed means of electronic exchange or transfer of data.

(43) "Trading Partner Agreement (TPA)" means a specific written request by a provider, PHP, clinic, or allied agency to conduct EDI transactions that governs the terms and conditions for EDI transactions in the performance of obligations under a contract. A provider, PHP, clinic, or allied agency that has executed a TPA will be referred to as a trading partner in relation to those functions.

(44) "User" means any individual or entity authorized by the Authority to access network and information systems or information assets.

(45) "User Identification Security (UIS)" means a control method required by the Authority to ensure that only authorized users gain access to specified information assets. One method of control is the use of passwords and PINs with unique user identifications.

(46) "Web Portal" means a site on the World Wide Web that provides secure access with personalized capabilities to its visitors and a pathway to other content designed for use with the Authority specific DDE applications.(47) "Web Portal Submitter" means an individual or entity authorized to establish an electronic media connection with the Authority to conduct a DDE transaction. A web portal submitter may be a provider or a provider's agent.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0110

Purpose

(1) These rules establish requirements applicable to providers, PHPs, and allied agencies that want to conduct electronic data transactions with the Authority. These rules govern the conduct of all web portal or EDI transactions with the Authority. These rules only apply to services or items that are paid for by the Authority. If the service or item is paid for by a plan or an allied agency, these rules do not apply.

(2) These rules establish the Authority's electronic data transaction requirements for purposes of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d–1320d-8, Public Law 104-191, sec. 262 and sec. 264, and the implementing standards for electronic transactions rules. Where a federal HIPAA standard has been adopted for an electronic data transaction, this rule implements and does not alter the federal standard.

(3) These rules establish procedures that must be followed by any provider, PHP, or allied agency in the event of a security or privacy incident, regardless of whether the incident is related to the use of an electronic data transaction.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0112

Scope and Sequence of Electronic Data Transmission Rules

(1) The Authority communicates with and receives communications from its providers, PHPs, and allied agencies using a variety of methods appropriate to the services being provided, the nature of the entity providing the services, and constantly changing technology. These rules describe some of the basic ways that the Authority will exchange data electronically. Additional details may be provided in the Authority's access control rules, provider-specific rules, or the applicable contract documents.

(2) Access to eligibility information about covered individuals may occur using one or more of the following methods:

(a) Automated voice response, via a telephone;

(b) Web portal access;

(d) Point of sale (POS) for pharmacy providers.

(3) Claims for which the Authority is responsible for payment or encounter submissions made to the Authority may occur using one or more of the following methods:

(a) Paper, using the form specified in the provider specific rules and supplemental billing guidance. Providers may submit paper claims, except that pharmacy providers are required to use the POS process for claims submission and PHPs are required to use the 837 electronic formats;

(b) Web portal access;

(d) POS for pharmacy providers.

(4) Authority informational updates, provider record updates, depository for PHP reports, or EDT as specified by the Authority for contract compliance.

(5) Other Authority network and information system access is governed by specific program requirements, which may include but is not limited to IUP access. Affected providers, PHPs, and allied agencies will be separately instructed about the access and requirements. Incidents are subject to these rules.

(6) Providers and allied agencies that continue to use only paper formats for claims transactions are only subject to the confidentiality and security rule, OAR 943-120-0170.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0114

Provider Enrollment Agreement

((1) When a provider applies to enroll, the application form will include information about how to participate in the web portal for use of DDE and automated voice response (AVR) inquiries. The enrollment agreement will include a section describing the process that will permit the provider, once enrolled, to participate in DDE over the Internet using the secure Authority web portal. This does not include providers enrolled through the use of the DMAP 3108 Managed Care Plan and FFS Non Paid Provider Application.

(2) When the provider number is issued by the Authority, the provider will also receive two PINs: one that may be used to access the web portal and one that may be used for AVR.

(a) If the PINs are not activated within 60 days of issuance, the Authority will initiate a process to inactivate the PIN. If the provider wants to use PIN-based access to the web portal or AVR after deactivation, the provider must submit an update form to obtain another PIN.

(b) Activating the PIN will require Internet access and the provider must supply security data that will be associated with the use of the PIN.

(c) Providers using the PIN are responsible for protecting the confidentiality and security of the PIN pursuant to OAR 943-120-0170.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0116

Web Portal Submitter

(1) Any provider activating their web portal access for web portal submission may be a web portal submitter. The provider will be referred to as the web portal submitter when functioning in that capacity, and shall be required to comply with these rules governing web portal submitters.

(2) The authorized signer of the provider enrollment agreement shall be the individual who is responsible for the provider's DDE claims submission process.

(a) If a provider submits their own claims directly, the provider will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules governing web portal submitters.

(b) If a provider uses an agent or clinic to submit DDE claims using the Authority's web portal, the agent or clinic will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules governing web portal submitters.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0118

Conduct of Direct Data Entry Using Web Portal

(1) The web portal submitter is responsible for the conduct of the DDE transactions submitted on behalf of the provider, as follows:

(a) Accuracy of Web Portal Submissions. The web portal submitter must take reasonable care to ensure that data and DDE transmissions are timely, complete, accurate, and secure, and must take reasonable precautions to prevent unauthorized access to the information system or the DDE transmission. The Authority will not correct or modify an incorrect DDE transaction prior to processing. The transactions may be rejected and the web portal submitter will be notified of the rejection.

(b) Cost of Equipment. The web portal submitter and the Authority must bear their own information system costs. The web portal submitter must, at their own expense, obtain access to Internet service that is compatible with and has the capacity for secure access to the Authority's web portal. Web portal submitters must pay their own costs for all charges, including but not limited to charges for equipment, software and services, Internet connection and use time, terminals, connections, telephones, and modems. The Authority is not responsible for providing technical assistance for access to or use of Internet web portal services or the processing of a DDE transaction.

(c) Format of DDE Transactions. The web portal submitter must send and receive all data transactions in the Authority's approved format. Any attempt to modify or alter the DDE transaction format may result in denial of web portal access.

(d) Re-submissions. The web portal submitter must maintain source documents and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by federal or state law, or by contractual agreement. Back ups, archives, or related files are subject to the terms of these rules to the same extent as the original data transmission.

(2) Security and Confidentiality. To protect security and confidentiality, web portal submitters must comply with the following:

(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data or data transmissions, except as permitted by these rules or the contract, or use the same for any purpose other than that which the web portal submitter was specifically given access and authorization by the Authority or the provider.

(b) Refrain from obtaining access by any means to any data or the Authority's network and information system for any purpose other than that which the web portal submitter has received express authorization to receive access. If the web portal submitter receives data or data transmissions from the Authority which are clearly not intended for the receipt of web portal submitter, the web portal submitter will immediately notify the Authority and make arrangements to return or re-transmit the data or data transmission to the Authority. After re-transmission, the web portal submitter must immediately delete the data contained in the data transmission from its information system.

(c) Install necessary security precautions to ensure the security of the DDE transmission or records relating to the information system of either the Authority or the web portal submitter when the information system is not in active use by the web portal submitter.

(d) Protect and maintain, at all times, the confidentiality of security access codes issued by the Authority. Security access codes are strictly confidential and specifically subject, without limitation, to all of the restrictions in OAR 943-120-0170. The Authority may change the designated security access codes at any time and in any manner as the Authority in its sole discretion considers necessary.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0120

Registration Process — EDI Transactions

(1) The EDI transaction process is preferred by providers, PHPs, and allied agencies for conducting batch or real time transactions, rather than the individual data entry process used for DDE. EDI registration is an administrative process governed by these rules. The EDI registration process begins with the submission of a TPA by a provider, PHP, clinic, or allied agency, including all requirements and documentation required by these rules.

(2) Trading partners must be Authority providers, PHPs, clinics, or allied agencies with a current Authority contract. The Authority will not accept a TPA from individuals or entities who do not have a current contract with the Authority.

(a) The Authority may receive and hold the TPA for individuals or entities that have submitted a provider enrollment agreement or other pending contract, subject to the satisfactory execution of the pending document.

(b) Termination, revocation, suspension, or expiration of the contract will result in the concurrent termination, revocation, suspension, or expiration of the TPA without any additional notice; except that the TPA will remain in effect to the extent necessary for a trading partner or the Authority to complete obligations involving EDI under the contract for dates of service when the contract was in effect. Contracts that are periodically renewed or extended do not require renewal or extension of the TPA unless there is a lapse of time between contracts.

(c) Failure to identify a current Authority contract during the registration process will result in a rejection of the TPA. The Authority will verify that the contract numbers identified by a provider, PHP, clinic, or allied agency are current contracts.

(d) If contract number or contract status changes, the trading partner must provide the Authority with updated information within five business days of the change in contract status. If the Authority determines that a valid contract no longer exists, the Authority shall discontinue EDI transactions applicable for any time period in which the contract no longer exists; except that the TPA will remain in effect to the extent necessary for the trading partner or the Authority to complete obligations involving EDI under the contract for dates of service when the contract was in effect.

(3) Trading Partner Agreement. To register as a trading partner with the Authority, a provider, PHP, clinic, or allied agency must submit a signed TPA to the Authority.

(4) Application for Authorization. In addition to the requirements of section (3) of this rule, a trading partner must submit an application for authorization to the Authority. The application provides specific identification and legal authorization from the trading partner for an EDI submitter to conduct EDI transactions on behalf of a trading partner.

(5) Trading Partner Agents. A trading partner may use agents to facilitate the electronic transmission of data. If a trading partner will be using an agent as an EDI submitter, the application for authorization required under section (4) of this rule must identify and authorize an EDI submitter and must include the EDI certification signed by an EDI submitter before the Authority may accept electronic submission from or send electronic transmission to an EDI submitter.

(6) EDI Registration. In addition to the requirements of section (3) of this rule, a trading partner must also submit its EDI registration form. This form requires the trading partner or its authorized EDI submitter to register an EDI submitter and the name and type of EDI transaction they are prepared to conduct. Signature of the trading partner or authorized EDI submitter is required on the EDI registration form. The registration form will also permit the trading partner to identify the individuals or EDI submitters who are authorized to submit or receive EDI registered transactions.

(7) Review and Acceptance Process. The Authority will review the documentation provided to determine compliance with sections (1) through (6) of this rule. The information provided may be subject to verification by the Authority. When the Authority determines that the information complies with these rules, the Authority will notify the trading partner and EDI submitter by email about any testing or other requirements applicable to place the registered transaction into a production environment.

Stat. Auth.: ORS 413.042 & 414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0130

Trading Partner as EDI Submitter — EDI Transactions

(1) A trading partner may be an EDI submitter. Registered trading partners that also qualify as an EDI submitter may submit their own EDI transactions directly to the Authority. A trading partner will be referred to as an EDI submitter when functioning in that capacity and will be required to comply with applicable EDI submitter rules, except as provided in section (3) of this rule.

(2) Authorization and Registration Designating Trading Partner as EDI Submitter. Before acting as an EDI submitter, a trading partner must designate in the application for application that they are an EDI submitter who is authorized to send and receive data transmissions in the performance of EDI transactions. A trading partner must complete the "Trading Partner Application for Authorization to Submit EDI Transactions" and the "EDI Submitter Information" required in the application. A trading partner must also submit the EDI registration form identifying them as an EDI submitter. A trading partner must notify the Authority of any material changes in the information no less than ten days prior to the effective date of the change.

(3) EDI Submitter Certification Conditions. Where a trading partner is acting as its own EDI submitter, the trading partner is not required to submit the EDI submitter certification conditions in the application for authorization applicable to agents.

Stat. Auth.: ORS 413.042 & 414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0140

Trading Partner Agents as EDI Submitters — EDI Transactions

(1) Responsibility for Agents. If a trading partner uses the services of an agent, including but not limited to an EDI submitter in any capacity in order to receive, transmit, store, or otherwise process data or data transmissions or perform related activities, a trading partner shall be fully responsible to the Authority for the agent's acts.

(2) Notices Regarding EDI Submitter. Prior to the commencement of an EDI submitter's services, a trading partner must designate in the application for authorization the specific EDI submitters that are authorized to send and receive data transmissions in the performance of EDI transactions of a trading partner. A trading partner must complete the "Trading partner Authorization of EDI Submitter" and the "EDI Submitter Information" required in the application. A trading partner must also submit the EDI registration form identifying and providing information about an EDI submitter. A trading partner or authorized EDI submitter must notify the Authority of any material changes in the EDI submitter authorization or information no less than five days prior to the effective date of the changes.

(3) EDI Submitter Authority. A trading partner must authorize the actions that an EDI submitter may take on behalf of a trading partner. The application for authorization permits a trading partner to authorize which decisions may only be made by a trading partner and which decisions are authorized to be made by an EDI submitter. The EDI submitter information authorized in the application for authorization will be recorded by the Authority in an EDI submitter profile. The Authority may reject EDI transactions from an EDI submitter acting without authorization from a trading partner.

(4) EDI Submitter Certification Conditions. Each authorized EDI submitter acting as an agent of a trading partner must execute and comply with the EDI submitter certification conditions that are incorporated into the application for authorization. Failure to include the signed EDI submitter certification conditions with the application shall result in a denial of EDI submitter authorization by the Authority. Failure of an EDI submitter to comply with the EDI submitter certification conditions may result in termination of EDI submitter registration for EDI transactions with the Authority.

(5) EDI Submitters Responsibilities. In addition to the requirements of section (1) of this rule, a trading partner is responsible for ensuring that an EDI submitter makes no unauthorized changes in the data content of all data transmissions or the contents of an envelope, and that an EDI submitter will take all appropriate measures to maintain the timeliness, accuracy, truthfulness, confidentiality, security, and completeness of each data transmission. A trading partner is responsible for ensuring that its EDI submitters are specifically advised of, and will comply with, the terms of these rules and any TPA.

Stat. Auth.: ORS 413.042 & 414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0150

Testing — EDI Transactions

((1) When a trading partner or authorized EDI submitter registers an EDI transaction with the Authority, the Authority may require testing before authorizing the transaction. Testing may include third party and business-to-business testing. An EDI submitter must be able to demonstrate its capacity to send and receive each transaction type for which it has registered. The Authority will reject any EDI transaction if an EDI submitter either refuses or fails to comply with the Authority testing requirements.

(2) The Authority may require EDI submitters to complete compliance testing at an EDI submitter's expense for each transaction type if either the Authority or an EDI submitter has experienced a change to hardware or software applications by entering into business-to-business testing.

(3) When third party and/or business-to-business testing is completed to the Authority's satisfaction, the Authority will notify an EDI submitter that it will register and accept the transactions in the production environment. This notification authorizes an EDI submitter to submit the registered EDI transactions to the Authority for processing and response, as applicable. If there are any changes in the trading partner or EDI submitter authorization, profile data or EDI registration information on file with the Authority, updated information must be submitted to the Authority as required in OAR 943-120-0190.

(4) Testing will be conducted using secure electronic media communications methods.

(5) An EDI submitter may be required to re-test with the Authority if the Authority format changes or if the EDI submitter format changes.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0160

Conduct of Transactions — EDI Transactions

(1) EDI Submitter Obligations. An EDI submitter is responsible for the conduct of the EDI transactions registered on behalf of a trading partner, including the following:

(a) EDI Transmission Accuracy. An EDI submitter shall take reasonable care to ensure that data and data transmissions are timely, complete, accurate, and secure; and shall take reasonable precautions to prevent unauthorized access to the information system, the data transmission, or the contents of an envelope which is transmitted either to or from the Authority. The Authority will not correct or modify an incorrect transaction prior to processing. The transaction may be rejected and an EDI submitter notified of the rejection.

(b) Re-transmission of Indecipherable Transmissions. Where there is evidence that a data transmission is lost or indecipherable, the sending party must make best efforts to trace and re-transmit the original data transmission in a manner which allows it to be processed by the receiving party as soon as practicable.

(c) Cost of Equipment. An EDI submitter and the Authority will pay for their own information system costs. An EDI submitter shall, at its own expense, obtain and maintain its own information system. An EDI submitter shall pay its own costs for all charges related to data transmission including, without limitation, charges for information system equipment, software and services, electronic mailbox maintenance, connect time, terminals, connections, telephones, modems, any applicable minimum use charges, and for translating, formatting, sending, and receiving communications over the electronic network to the electronic mailbox, if any, of the Authority. The Authority is not responsible for providing technical assistance in the processing of an EDI transaction.

(d) Back-up Files. EDI submitters must maintain adequate data archives and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by state and federal law, or by contractual agreement. Data archives or back-up files shall be subject to these rules to the same extent as the original data transmission.

(e) Transmissions Format. Except as otherwise provided herein, EDI submitters must send and receive all data transmissions in the federally mandated format, or (if no federal standard has been promulgated) other formats as the Authority designates.

(f) Testing. EDI submitters must, prior to the initial data transmission and throughout the term of a TPA, test and cooperate with the Authority in the testing of information systems as the Authority considers reasonably necessary to ensure the accuracy, timeliness, completeness, and confidentiality of each data transmission.

(2) Security and Confidentiality. To protect security and confidentiality of transmitted data, EDI submitters must comply with the following:

(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data, data transmissions, or the contents of an envelope, except as necessary to comply with the terms of these rules or the TPA, or use the same for any purpose other than that which an EDI submitter was specifically given access and authorization by the Authority or a trading partner;

(b) Refrain from obtaining access by any means to any data, data transmission, envelope, mailbox, or the Authority's information system for any purpose other than that which an EDI submitter has received express authorization. If an EDI submitter receives data or data transmissions from the Authority which clearly are not intended for an EDI submitter, an EDI submitter shall immediately notify the Authority and make arrangements to return or re-transmit the data or data transmission to the Authority. After re-transmission, an EDI submitter shall immediately delete the data contained in the data transmission from its information system;

(c) Install necessary security precautions to ensure the security of the information systems or records relating to the information systems of either the Authority or an EDI submitter when the information system is not in active use by an EDI submitter;

(d) Protect and maintain the confidentiality of security access codes issued by the Authority to an EDI submitter; and

(e) Provide special protection for security and other purposes, where appropriate, by means of authentication, encryption, the use of passwords, or other means. Unless otherwise provided in these rules, the recipient of a protected data transmission must at least use the same level of protection for any subsequent transmission of the original data transmission.

(3) Authority Obligations. The Authority shall:

(a) Make available to an EDI submitter, by electronic media, those types of data and data transmissions which an EDI submitter is authorized to receive.

(b) Inform an EDI submitter of acceptable formats in which data transmissions may be made and provide notification to an EDI submitter within reasonable time periods consistent with HIPAA transaction standards, if applicable, or at least 30 days prior by electronic notice of other changes in formats.

(c) Provide an EDI submitter with security access codes that will allow an EDI submitter access to the Authority's information system. Security access codes are strictly confidential and EDI submitters must comply with all of the requirements of OAR 943-120-0170. The Authority may change the designated security access codes at any time and manner as the Authority, in its sole discretion, deems necessary. The release of security access codes shall be limited to authorized electronic data personnel of an EDI submitter and the Authority with a need to know.

(4) Department of Consumer and Business Services (DCBS) submission standards Health insurers and health care entities in Oregon shall make all necessary actions required by the DCBS Oregon Companion Guides to comply with the Health Insurance Reform Administrative Streamlining and Simplification as specified in OAR 836-100-0100 to 836-100-0120.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0165

Pharmacy Point of Sale Access

Pharmacy providers who electronically bill pharmaceutical claims must participate in and submit claims using the POS system, except as provided in OAR 410-121-0150.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0170

Security

(1) Individually Identifiable Health Information. All providers, PHPs, and allied agencies are responsible for ensuring the security of individually identifiable health information, consistent with the requirements of the privacy statutes and regulations, and shall take reasonable action to prevent any unauthorized disclosure of confidential information by a provider, PHP, allied agency, or other agent. A provider, web portal submitter, trading partner, EDI submitter, or other agent must comply with any and all applicable privacy statutes and regulations relating to confidential information.

(2) General Requirements for Electronic Submitters. A provider (web portal submitter), trading partner (EDI submitter), or other agent must maintain adequate security procedures to prevent unauthorized access to data, data transmissions, security access codes, or the Authority's information system, and must immediately notify the Authority of all unauthorized attempts by any individual or entity to obtain access to or otherwise tamper with the data, data transmissions, security access codes, or the Authority's information system.

(3) Notice of Unauthorized Disclosures. All providers, PHPs, and allied agencies must promptly notify the Authority of all unlawful or unauthorized disclosures of confidential information that come to its agents' attention pursuant to the Authority’s ISPO policy: http://www.dhs.state.or.us/policy/admin/security/090_005.pdf, and shall cooperate with the Authority if corrective action is required by the Authority. The Authority shall promptly notify a provider, PHP, or allied agency of all unlawful or unauthorized disclosures of confidential information in relation to a provider, PHP, or allied agency that come to the Authority's or its agents' attention, and will cooperate with a provider, PHP, or allied agency if corrective action is required.

(4) Wrongful use of the web portal, EDI systems, or the Authority's network and information system, or wrongful use or disclosure of confidential information by a provider, allied agency, electronic submitters, or their agents may result in the immediate suspension or revocation of any access granted under these rules or other Authority rules, at the sole discretion of the Authority.

(5) A provider, allied agency, PHP, or electronic submitter must report to the Authority's Information Security Office at dhsinfo.security@state.or.us and to the Authority program contact individual, any privacy or security incidents that compromise, damage, or cause a loss of protection to confidential information, information assets, or the Authority's network and security system. Reports must be made in the following manner:

(a) No later than five business days from the date on which a provider, allied agency, PHP, or electronic submitter becomes aware of the incident; and

(b) Provide the results of the incident assessment findings and resolution strategies no later than 30 business days after the report is due under section (4)(a).

(6) A provider, allied agency, PHP, or electronic submitter must comply with the Authority's requests for corrective action concerning a privacy or security incident and with applicable laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0180

Record Retention and Audit

(1) Records Retention. A provider, web portal submitter, trading partner, and EDI submitter shall maintain, for a period of no less than seven years from the date of service, complete, accurate, and unaltered copies of all source documents associated with all data transmissions.

(2) EDI Trade Data Log. An EDI submitter must establish and maintain a trade data log that must record all data transmissions taking place between an EDI submitter and the Authority during the term of a TPA. A trading partner and EDI submitter must take necessary and reasonable steps to ensure that the trade data log constitutes a current, truthful, accurate, complete, and unaltered record of all data transmissions between the parties and must be retained by each party for no less than 24 months following the date of the data transmission. The trade data log may be maintained on electronic media or other suitable means provided that, if necessary, the information may be timely retrieved and presented in readable form.

(3) Right to Audit. A provider must allow and require any web portal submitter to allow, and a trading partner must allow and require an EDI submitter or other agent to allow access to the Authority, the Oregon Secretary of State, the Oregon Department of Justice Medicaid Fraud Unit, or its designees, and DHHS or its designees to audit relevant business records, source documents, data, data transmissions, trade data logs, or information systems of a provider and its web portal submitter, and a trading partner, and its agents, as necessary, to ensure compliance with these rules. A provider must allow and require its web portal submitter to allow, and a trading partner must allow and require an EDI submitter or other agent to allow the Authority, or its designee, access to ensure that adequate security precautions have been made and are implemented to prevent unauthorized disclosure of any data, data transmissions, or other information.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0190

Material Changes

(1) Changes in Any Material Information — EDT Process. A trading partner must submit an updated TPA, application for authorization, or EDI registration form to the Authority within ten business days of any material change in information. A material change includes but is not limited to mailing or email address change, contract number or contract status (termination, expiration, extension), identification of authorized individuals of a trading partner or EDI submitter, the addition or deletion of authorized transactions, or any other change that may affect the accuracy of or authority for an EDI transaction. The Authority may act on data transmissions submitted by a trading partner and its EDI submitter based on information on file in the application for authorization and EDI registration forms until an updated form has been received and approved by the Authority. A trading partner's signature or the signature of an authorized EDI submitter is required to ensure that an updated TPA, authorization, or EDI registration form is valid and authorized.

(2) Changes in Any Material Information — Web Portal Access. Providers must submit an updated web portal registration form to the Authority within ten business days of any material changes in information. A material change includes but is not limited to mailing or email address change, contract number or contract status (termination, suspension, expiration), identification of web portal submitter contact information, or any other change that may affect the accuracy of or authority for a DDE transaction. The Authority is authorized to act on data transmissions submitted by a provider and its web portal submitter based on information on file in the web portal registration form until an updated form has been received and approved by the Authority. A provider's signature or the signature of an authorized business representative is required to ensure that an updated web portal registration form is valid and authorized.

(3) Failure to submit a timely updated form may impact the ability of a data transaction to be processed without errors. Failure to submit a signed, updated form may result in the rejection of a data transmission.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

943-120-0200

Authority System Administration

(1) No individual or entity shall be registered to conduct a web portal or an EDI transaction with the Authority except as authorized under these the rules. Eligibility and continued participation as a provider, PHP, allied agency or web portal submitter in the conduct of DDE transactions, or as a trading partner or EDI submitter in the conduct of registered transactions, is conditioned on the execution and delivery of the documents required in these rules, the continued accuracy of that information consistent with OAR 943-120-0190, and compliance with a requirements of these rules. Data, including confidential information, governed by these rules may be used for purposes related to treatment, payment, and health care operations and for the administration of programs or services by the Authority.

(2) In addition to the requirements of section (1) of this rule, in order to qualify as a trading partner:

(a) An individual or entity must be a Authority provider, PHP, clinic, or allied agency pursuant to a current valid contract; and

(b) A provider, PHP, clinic, or allied agency must have submitted an executed TPA and all related documentation, including the application for authorization, that identifies and authorizes an EDI submitter.

(3) In addition to the requirements of section (1) of this rule, in order to qualify as an EDI submitter:

(a) A trading partner must have identified the individual or entity as an authorized EDI submitter in the application for authorization;

(b) If a trading partner identifies itself as an EDI submitter, the application for authorization must include the information required in the "Trading Partner Authorization of EDI Submitter" and the "EDI Submitter Information"; and

(c) If a trading partner uses an agent as an EDI submitter, the application for authorization must include the information described in section (3)(b) and the signed EDI submitter certification.

(4) The EDI registration process described in these rules provides the Authority with essential profile information that the Authority may use to confirm that a trading partner or EDI submitter is not otherwise excluded or disqualified from submitting EDI transactions to the Authority.

(5) Nothing in these rules or a TPA prevents the Authority from requesting additional information from a trading partner or an EDI submitter to determine their qualifications or eligibility for registration as a trading partner or EDI submitter.

(6) The Authority shall deny a request for registration as a trading partner or for authorization of an EDI submitter or an EDI registration if it finds any of the following:

(a) A trading partner or EDI submitter has substantially failed to comply with the applicable administrative rules or laws;

(b) A trading partner or EDI submitter has been convicted of (or entered a plea of nolo contendre) a felony or misdemeanor related to a crime or violation of federal or state public assistance laws or privacy statutes or regulations;

(c) A trading partner or EDI submitter is excluded from participation in the Medicare program, as determined by the DHHS secretary; or

(d) A trading partner or EDI submitter fails to meet the qualifications as a trading partner or EDI submitter.

(7) Failure to comply with these rules, trading partner agreement, or EDI submitter certification or failure to provide accurate information on an application or certification may also result in sanctions and payment recovery pursuant to applicable Authority program contracts or rules.

(8) For providers using the DDE submission system by the Authority web portal, failure to comply with the terms of these rules, a web portal registration form, or failure to provide accurate information on the registration form may result in sanctions or payment recovery pursuant to the applicable Authority program contracts or rules.

Stat. Auth.: ORS 413.042 &414.065
Stats. Implemented: ORS 413.042 & 414.065
Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 26-2011, f. 10-31-11, cert. ef. 11-1-11

Provider Enrollment and Claiming

943-120-0300

Definitions

The following definitions apply to OAR 943-120-0300 to 943-120-0400:

(1) "Abuse" means provider practices that are inconsistent with sound fiscal, business, or medical practices resulting in an unnecessary cost to the Oregon Health Authority, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes actions by clients or recipients that result in unnecessary cost to the Oregon Health Authority.

(2) "Advance Directive" means a form that allows an individual to have another individual make health care decisions when he or she cannot make decisions and informs a doctor if the individual does not want any life sustaining help if he or she is near death.

(3) “Authority” means the Oregon Health Authority.

(4) "Benefit Package" means the package of covered health care services for which the client is eligible.

(4) "Billing Agent or Billing Service" means a third party or organization that contracts with a provider to perform designated services in order to facilitate claim submission or electronic transactions on behalf of the provider.

(5) "Billing Provider" means an individual, agent, business, corporation, clinic, group, institution, or other entity who, in connection with submission of claims to the Authority, receives or directs payment from the Authority on behalf of a performing provider and has been delegated the authority to obligate or act on behalf of the performing provider.

(6) "Children's Health Insurance Program (CHIP)" means a federal and state funded portion of the Oregon Health Plan (OHP) established by Title XXI of the Social Security Act and administered by the Division of Medical Assistance Programs.

(7) "Claim" means a bill for services, a line item of a service, or all services for one client within a bill. Claim includes a bill or an encounter associated with requesting reimbursement, whether submitted on paper or electronically. Claim also includes any other methodology for requesting reimbursement that may be established in contract or program-specific rules.

(8) "Client or Recipient" means an individual found eligible by the Authority to receive services under the OHP demonstration, medical assistance program, or other public assistance programs administered by the Authority. The following OHP categories are eligible for enrollment:

(a) Temporary Assistance to Needy Families (TANF) are categorically eligible families with income levels under current TANF eligibility rules;

(b) CHIP children under one year of age whose household has income under 185% Federal Poverty Level (FPL) and do not meet one of the other eligibility classifications;

(c) Poverty Level Medical (PLM) adults under 100% of the FPL and clients who are pregnant women with income under 100% of FPL;

(d) PLM adults over 100% of the FPL are clients who are pregnant women with income between 100% and 185% of the FPL;

(e) PLM children under one year of age who have family income under 133% of the FPL or were born to mothers who were eligible as PLM adults at the time of the child's birth;

(f) PLM or CHIP children one through five years of age who have family income under 185% of the FPL and do not meet one of the other eligibility classifications;

(g) PLM or CHIP children six through 18 years of age who have family income under 185% of the FPL and do not meet one of the other eligibility classifications;

(h) OHP adults and couples are clients age 19 or over and not Medicare eligible, with income below 100% of the FPL who do not meet one of the other eligibility classifications, and do not have an unborn child or a child under age 19 in the household;

(i) OHP families are clients, age 19 or over and not Medicare eligible, with income below 100% of the FPL who do not meet one of the other eligibility classifications, and have an unborn child or a child under the age of 19 in the household;

(j) General Assistance (GA) recipients are clients who are eligible by virtue of their eligibility under the GA program, ORS 411.710 et seq.;

(k) Assistance to Blind and Disabled (AB/AD) with Medicare eligibles are clients with concurrent Medicare eligibility with income levels under current eligibility rules;

(l) AB/AD without Medicare eligibles are clients without Medicare with income levels under current eligibility rules;

(m) Old Age Assistance (OAA) with Medicare eligibles are clients with concurrent Medicare Part A or Medicare Parts A and B eligibility with income levels under current eligibility rules;

(n) OAA with Medicare Part B only are OAA eligibles with concurrent Medicare Part B only income under current eligibility rules;

(o) OAA without Medicare eligibles are clients without Medicare with income levels under current eligibility rules; or

(p) Children, Adults and Families (CAF) children are clients with medical eligibility determined by CAF or Oregon Youth Authority (OYA) receiving OHP under ORS 414.025, 418.034, and 418.189 to 418.970. These individuals are generally in placement outside of their homes and in the care or custody of CAF or OYA.

(9) "Client Representative" means an individual who can make decisions for clients who are not able to make such decisions themselves. For purposes of medical assistance, a client representative may be, in the following order of priority, an individual who is designated as the client's health care representative under ORS 127.505(12), a court-appointed guardian, a spouse or other family member as designated by the client, the individual service plan team (for developmentally disabled clients), an Authority case manager, or other Authority designee. To the extent that other Authority programs recognize other individuals who may act as a client representative, that individual may be considered the client representative.

(10) "Clinical Records" means the medical, dental, or mental health records of a client. These records include the Primary Care Provider (PCP) records, the inpatient and outpatient hospital records and the Exceptional Needs Care Coordinator (ENCC), complaint and disenrollment for cause records which may be located in the Prepaid Health Plan (PHP) administrative offices.

(11) "Conviction or Convicted" means that a judgment of conviction has been entered by a federal, state, or local court, regardless of whether an appeal from that judgment is pending.

(12) "Covered Services" means medically appropriate health services or items that are funded by the legislature and described in ORS Chapter 414, including OHP authorized under ORS 414.705 to 414.750, and applicable Authority rules describing the benefit packages of covered services except as excluded or limited under OAR 410-141-0500 or such other public assistance services provided to eligible clients under program-specific requirements or contracts by providers required to enroll with the Authority under OAR 943-120-0300 to 943-120-0400.

(13) "Date of Service" means the date on which the client receives medical services or items, unless otherwise specified in the appropriate provider rules.

(14) "Authority" means the Oregon Health Authority.

(15) "Diagnosis Code" means the code as identified in the International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM). The primary diagnosis code is shown in all billing claims and PHP encounters, unless specifically excluded in individual provider rules. Where they exist, diagnosis codes must be shown to the degree of specificity outlined in OAR 943-120-0340 (claim and PHP encounter submission).

(16) "Electronic Data Transaction (EDT)" means the electronic exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, conducted by either web portal or electronic data interchange pursuant to the Authority’s electronic data transaction rule (OAR 943-120-0100 to 943-120-0200).

(17) "Exclusion" means the Authority may not reimburse a specific provider who has defrauded or abused the Authority for items or services that a provider furnished.

(18) "False Claim" means a claim or PHP encounter that a provider knowingly submits or causes to be submitted that contains inaccurate or misleading information, and that information would result, or has resulted, in an overpayment or improper use for per capita cost calculations.

(19) "Fraud" means an intentional deception or misrepresentation made by an individual with the knowledge that the deception could result in some unauthorized benefit to himself or herself, or some other individual. It includes any act that constitutes fraud or false claim under applicable federal or state law.

(20) "Healthcare Common Procedure Coding System (HCPCS)" means a method for reporting health care professional services, procedures and supplies. HCPCS consists of the Level 1 — American Medical Association's Physicians' Current Procedural Terminology (CPT), Level II — National Codes and Level III — Local Codes.

(21) "Health Insurance Portability and Accountability Act (HIPAA)" means a federal law (Public Law 104-191, August 21, 1996) with the legislative objective to assure health insurance portability, reduce health care fraud and abuse, enforce standards for health information and guarantee security and privacy of health information.

(22) "Hospice" means a public agency or private organization or subdivision of either that is primarily engaged in providing care to terminally ill individuals, is certified for Medicare, accredited by the Oregon Hospice Association, and is listed in the Hospice Program Registry.

(23) "Individual Adjustment Request" means a form (DMAP 1036) used to resolve an incorrect payment on a previously paid claim, including underpayments or overpayments.

(24) "Medicaid" means a federal and state funded portion of the medical assistance program established by Title XIX of the Social Security Act, as amended, and administered in Oregon by the Authority.

(25) "Medicaid Management Information System (MMIS)" means the automated claims processing and information retrieval system for handling all Medicaid transactions. The objectives of the system include verifying provider enrollment and client eligibility, managing health care provider claims and benefit package maintenance, and addressing a variety of Medicaid business needs.

(26) "Medical Assistance Program" means a program for payment of health care provided to eligible Oregonians. Oregon's medical assistance program includes Medicaid services including the OHP Medicaid Demonstration, and CHIP. The medical assistance program is administered and coordinated by DMAP, a division of the Authority.

(27) "Medically Appropriate" means services and medical supplies that are required for prevention, diagnosis, or treatment of a health condition that encompasses physical or mental conditions, or injuries and which are:

(a) Consistent with the symptoms or treatment of a health condition;

(b) Appropriate with regard to standards of good health practice and generally recognized by the relevant scientific community, evidence based medicine, and professional standards of care as effective;

(d) The most cost effective of the alternative levels of medical services or medical supplies that can be safely provided to a client in the provider's judgment.

(28) "Medicare" means the federal health insurance program for the aged and disabled administered by the Centers for Medicare and Medicaid Services (CMS) under Title XVIII of the Social Security Act.

(29) "National Provider Identification (NPI)" means a federally directed provider number mandated for use on HIPAA covered transactions by individuals, provider organizations, and subparts of provider organizations that meet the definition of health care provider (45 Code of Federal Regulations (CFR) 160.103) and who conduct HIPAA covered transactions electronically.

(30) "Non-Covered Services" means services or items for which the Authority is not responsible for payment. Non-covered services are identified in:

(a) OAR 410-120-1200, Excluded Services and Limitations;

(b) OAR 410-120-1210, Medical Assistance Benefit Packages and Delivery System;

(d) OAR 410-141-0520, Prioritized List of Health Services; and

(e) The individual Authority provider rules, program-specific rules, and contracts.

(31) "Non-Participating Provider" means a provider who does not have a contractual relationship with the PHP.

(32) "Nursing Facility" means a facility licensed and certified by the Department of Human Services Seniors and People with Disabilities Division (SPD) defined in OAR 411-070-0005.

(33) "Oregon Health Plan (OHP)" means the Medicaid demonstration project that expands Medicaid eligibility to eligible clients. The OHP relies substantially upon prioritization of health services and managed care to achieve the public policy objectives of access, cost containment, efficacy, and cost effectiveness in the allocation of health resources.

(34) "Out-of-State Providers" means any provider located outside the borders of Oregon:

(a) Contiguous area providers are those located no more than 75 miles from the border of Oregon;

(b) Non-contiguous area providers are those located more than 75 miles from the borders of Oregon.

(35) "Post-Payment Review" means review of billings or other medical information for accuracy, medical appropriateness, level of service, or for other reasons subsequent to payment of the claim.

(36) "Prepaid Health Plan (PHP)" means a managed health, dental, chemical dependency, physician care organization, or mental health care organization that contracts with DMAP or Addictions and Mental Health Division (AMH) on a case managed, prepaid, capitated basis under the OHP. PHP's may be a Dental Care Organization (DCO), Fully Capitated Health Plan (FCHP), Mental Health Organization (MHO), Primary Care Organization (PCO) or Chemical Dependency Organization (CDO).

(37) "Prohibited Kickback Relationships" means remuneration or payment practices that may result in federal civil penalties or exclusion for violation of 42 CFR 1001.951.

(38) "PHP Encounter" means encounter data submitted by a PHP or by a provider in connection with services or items reimbursed by a PHP.

(39) "Prior Authorization" means payment authorization for specified covered services or items given by Authority staff, or its contracted agencies, or a county if required by the county, prior to provision of the service. A physician or other referral is not a prior authorization.

(40) "Provider" means an individual, facility, institution, corporate entity, or other organization which supplies health care or other covered services or items, also termed a performing provider, that must be enrolled with the Authority pursuant to OAR 943-120-0300 to 943-120-0400 to seek reimbursement from the Authority, including services provided, under program-specific rules or contracts with the Authority or with a county or PHP.

(41) "Quality Improvement" means the effort to improve the level of performance of key processes in health services or health care. A quality improvement program measures the level of current performance of the processes, finds ways to improve the performance and implements new and better methods for the processes. Quality improvement includes the goals of quality assurance, quality control, quality planning, and quality management in health care where "quality of care is the degree to which health services for individuals and populations increase the likelihood of desired health outcomes and are consistent with current professional knowledge."

(42) "Quality Improvement Organization (QIO)" means an entity which has a contract with CMS under Part B of Title XI to perform utilization and quality control review of the health care furnished, or to be furnished, to Medicare and Medicaid clients; formerly known as a "Peer Review Organization."

(43) "Remittance Advice" means the automated notice a provider receives explaining payments or other claim actions.

(44) "Subrogation" means the right of the state to stand in place of the client in the collection of third party resources, including Medicare.

(45) "Suspension" means a sanction prohibiting a provider's participation in the Authority's medical assistance or other programs by deactivation of the assigned provider number for a specified period of time or until the occurrence of a specified event.

(46) "Termination" means a sanction prohibiting a provider's participation in the Authority's programs by canceling the assigned provider number and agreement unless:

(a) The exceptions cited in 42 CFR 1001.221 are met; or

(b) Otherwise stated by the Authority at the time of termination.

(47) "Third Party Resource (TPR)" means a medical or financial resource, including Medicare, which, by law, is available and applicable to pay for covered services and items for a medical assistance client.

(48) "Usual Charge" means when program-specific or contract reimbursement is based on usual charge, and is the lesser of the following, unless prohibited from billing by federal statute or regulation:

(a) The provider's charge per unit of service for the majority of non-medical assistance users of the same service based on the preceding month's charges;

(b) The provider's lowest charge per unit of service on the same date that is advertised, quoted, or posted. The lesser of these applies regardless of the payment source or means of payment; or

(c) Where the provider has established a written sliding fee scale based upon income for individuals and families with income equal to or less than 200% of the FPL, the fees paid by these individuals and families are not considered in determining the usual charge. Any amounts charged to TPR must be considered.

(49) "Visit Data" means program-specific or contract data collection requirements associated with the delivery of service to clients on the basis of an event such as a visit.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0310

Provider Requirements

(1) All providers seeking reimbursement from the Authority, a PHP, or a county pursuant to a county agreement with the Authority for the provision of covered services or items to eligible recipients, must comply with these rules, OAR 943-120-0300 to 943-120-0400, and the applicable rules or contracts of the specific programs described below:

(a) Programs administered by DMAP including the OHP and the medical assistance program that reimburses providers for services or items provided to eligible recipients, including but not limited to chapter 410, division 120; chapter 410, division 141; and provider rules in chapter 410 applicable to the provider’s service category;

(b) Programs administered by AMH that reimburse providers for services or items provided to eligible AMH recipients; or

(2) Authority programs use visit data to monitor service delivery, planning, and quality improvement activities. Visit data must be submitted by a program-specific rule or contract. A provider shall make accurate, complete, and timely submission of visit data. Visit data is not a HIPAA transaction and does not constitute a claim for reimbursement.

(3) CHIP and Medicaid-Funded Covered Services and Items.

(a) Covered services or items paid for with Medicaid (Title XIX) and CHIP (Title XXI) funds (referred to as the medical assistance program) are also subject to federal and state Medicaid rules and requirements. In interpreting these rules and program-specific rules or contracts, the Authority shall construe them as much as possible in a manner that shall comply with federal and state medical assistance program laws and regulations, and the terms and conditions of federal waivers and the state plans

(b) If a provider is reimbursed with medical assistance program funds, the provider must comply with all applicable federal and state laws and regulations pertaining to the provision of Medicaid services under the Medicaid Act, Title XIX, 42 United States Code (USC) 1396 et. seq., and CHIP services under Title XXI, including without limitation:

(A) Maintaining all records necessary to fully disclose the extent of the services provided to individuals receiving medical assistance and furnish such information to any state or federal agency responsible for administration or oversight of the medical assistance program regarding any payments claimed by an individual or institution for providing Medicaid services as the state or federal agency may from time to time request;

(B) Complying with all disclosure requirements of 42 CFR 1002.3(a) and 42 CFR 455 subpart (B);

(C) Maintaining written notices and procedures respecting advance directives in compliance with 42 USC 1396(a)(57) and (w), 42 CFR 431.107(b)(4), and 42 CFR 489 subpart I;

(D) Certifying that the information is true, accurate and complete when submitting claims or PHP encounters for the provision of medical assistance services or items. Submission of a claim or PHP encounter constitutes a representation of the provider's understanding that payment of the claim shall be from federal or state funds, or both and that any falsification or concealment of a material fact may result in prosecution under federal or state laws.

(c) Hospitals, nursing facilities, home health agencies (including those providing personal care), hospices, and HMOs must comply with the Patient Self-Determination Act as set forth in Section 4751 of OBRA 1991. To comply with the obligation under the above-listed laws to deliver information on the rights of the individual under Oregon law to make health care decisions, the named providers and organizations must give capable individuals over the age of 18 a copy of "Your Right to Make Health Care Decisions in Oregon," copyright 1993, by the Oregon State Bar Health Law Section. Out-of-state providers of these services must comply with Medicare and Medicaid regulations in their state. Submittal to the Authority of the appropriate claim form requesting payment for medical services provided to a Medicaid eligible shall be considered representation to the Authority of the medical provider's compliance with the above-listed laws.

(d) Payment for any service or item furnished by a provider of CHIP or Medicaid-funded services or items may not be made by or through (directly or by power of attorney) any individual or organization, such as a collection agency or service bureau, that advances money to a provider for accounts receivable that the provider has assigned, sold, or transferred to the individual or organization for an added fee or a deduction of a portion of the accounts receivable.

(e) The Authority shall make medical assistance provider payments only to the following:

(A) The provider who actually performed the service or provided the item;

(B) In accordance with a reassignment from the provider to a government agency or reassignment by a court order;

(C) To the employer of the provider, if the provider is required as a condition of employment to turn over his or her fees to the employer, and the employer is enrolled with the Authority as a billing provider;

(D) To the facility in which the service is provided, if the provider has a contract under which the facility submits the claim, and the facility is enrolled with the Authority as a billing provider;

(E) To a foundation, PHP, clinic, or similar organization operating as an organized health care delivery system, if the provider has a contract under which the organization submits the claim, and the organization is enrolled with the Authority as a billing provider; or

(F) To an enrolled billing provider, such as a billing service or an accounting firm that, in connection with the submission of claims, receives or directs payments in the name of the provider, if the billing provider's compensation for this service is:

(i) Related to the cost of processing the billing;

(ii) Not related on percentage or other basis to the amount that is billed or collected and not dependent upon the collection of the payment.

(f) Providers must comply with TPR requirements in program-specific rules or contracts.

(4) The Authority uses several approaches to promote program integrity. These rules describe program integrity actions related to provider payments, including provider reimbursement under program-specific rules, county agreements, and contracts. The program integrity goal is to pay the correct amount to a properly enrolled provider for covered services provided to an eligible client according to the program-specific coverage criteria in effect on the date of service.

(a) Program integrity activities include but are not limited to the following:

(A) Medical or professional review including but not limited to following the evaluation of care in accordance with evidence-based principles, medical error identification, and prior authorization processes, including all actions taken to determine the coverage and appropriateness of services or items;

(B) Provider obligations to submit correct claims and PHP encounters;

(D) Implementation of HIPAA electronic transaction standards to improve accuracy and timeliness of claims processing and encounter reporting;

(E) Provider credentialing activities;

(F) Accessing federal Department of Health and Human Services (DHHS) database (exclusions);

(G) Quality improvement activities;

(H) Cost report settlement processes;

(I) Audits;

(J) Investigation of false claims, fraud or prohibited kickback relationships; and

(K) Coordination with the Department of Justice Medicaid Fraud Control Unit (MFCU) and other health oversight authorities.

(b) The following individuals may review a request for services or items, or audit a claim or PHP encounter for care, services, or items, before or after payment, for assurance that the specific care, item, or service was provided pursuant to the program-specific and the generally accepted standards of a provider's field of practice or specialty:

(A) Authority staff or designee;

(B) Medical utilization and professional review contractor;

(D) Federal or state oversight authority.

(c) Payment may be denied or subject to recovery if the review or audit determines the care, service, or item was not provided pursuant to provider rules or does not meet the criteria for quality or medical appropriateness of the care, service, or item or payment. Related provider and hospital billings shall also be denied or subject to recovery.

(d) If the Authority determines that an overpayment has been made to a provider, the amount of overpayment is subject to recovery.

(e) The Authority may communicate with and coordinate any program integrity actions with the MFCU, DHHS, and other federal and state oversight authorities.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065, 414.115; 414.125; 414.135; & 414.145
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0320

Provider Enrollment

(1) In some Authority program areas, being an enrolled Authority provider is a condition of eligibility for an Authority contract for certain services or activities. The Authority requires billing providers to be enrolled as providers consistent with the provider enrollment processes set forth in this rule. If reimbursement for covered services will be made under a contract with the Authority, the provider must also meet the Authority's contract requirements. Contract requirements are separate from the requirements of these provider enrollment rules. Enrollment as a provider with the Authority is not a promise that the enrolled provider will receive any amount of work from the Authority, a PHP, or a county.

(2) Provider enrollment establishes essential Authority provider participation requirements for becoming an enrolled Authority provider. The details of provider qualification requirements, client eligibility, covered services, how to obtain prior authorization or review (if required), documentation requirements, claims submission, and available electronic access instructions, and other pertinent instructions and requirements are contained in the program-specific rules or contract.

(3) Prior to enrollment, providers must:

(a) Meet all program-specific or contract requirements identified in program-specific rules or contracts in addition to those requirements identified in these rules;

(b) Meet Authority contracting requirements, as specified by the Authority's Office of Contracts and Procurement (OC&P);

(d) Meet Authority and federal certification requirements for the type of service for which the provider is enrolling; and

(e) Obtain a provider number from the Authority for the specific service for which the provider is enrolling.

(4) Participation with the Authority as an enrolled provider is open to qualified providers that:

(a) Meet the qualification requirements established in these rules and program-specific rules or contracts;

(b) Enroll as an Authority provider pursuant to these rules;

(c) Provide a covered service or item within their scope of practice and licensure to an eligible Authority recipient pursuant to program-specific rules or contracts; and

(d) Accept the reimbursement amounts established pursuant to the Authority's program-specific fee structures or contracts for the service or item.

(5) To be enrolled as an Authority provider, an individual or organization must submit a complete and accurate provider enrollment form, available from the Authority, including all required documentation, and a signed provider enrollment agreement.

(a) The provider enrollment form requests basic demographic information about the provider that will be permanently associated with the provider or organization until changed on an update form.

(b) Each Authority program establishes provider-specific qualifications and program criteria that must be provided as part of the provider enrollment form.

(A) The provider must meet applicable licensing and regulatory requirements set forth by federal and state statutes, regulations, and rules, and must comply with all Oregon statutes and regulations applicable to the provider's scope of service as well as the program-specific rules or contract applicable to the provision of covered services. The provider and program addendum shall specify the required documentation of professional qualifications that must be provided with the provider enrollment form.

(B) All providers of services within Oregon must have a valid Oregon business license if such a license is a requirement of the state, federal, county, or city government to operate a business or to provide services. In addition providers must be registered to do business in Oregon by registering with the Oregon Secretary of State, Corporation Division, if registration is required.

(c) All individuals and entities shall disclose information used by the Authority to determine whether an exclusion applies that would prevent the Authority from enrolling the provider. Individual performing providers must submit a disclosure statement. All providers that are enrolling as an entity (corporation, non-profit, partnership, sole proprietorship, governmental) must submit a disclosure of ownership and control interest statement. Payment may not be made to any individual or entity that has been excluded from participation in federal or state programs or that employs or is managed by excluded individuals or entities.

(A) Entities must disclose all the information required on the disclosure of ownership and control interest statement. Information that must be disclosed includes the name, address, and taxpayer identification number of each individual with an ownership or control interest in the disclosing entity or in any subcontractor in which the disclosing entity has a direct or indirect ownership of five percent or more; whether any of the named individuals are related as spouse, parent, child, sibling, or other family member by marriage or otherwise; and the name and taxpayer identification number of any other disclosing entity in which an individual with an ownership or control interest in the disclosing entity also has an ownership or control interest.

(B) A provider must submit, within 35 days of the date of a request by DHHS or the Authority, full and complete information about the ownership of any subcontractor with whom the provider had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the five-year period ending on the date of the request.

(C) Before the Authority enters into a provider enrollment agreement with a provider, or renews a provider agreement, or at any time upon written request of the Authority, the provider must disclose to the Authority the identity and taxpayer identification number of any individual who has an ownership or control interest in the provider; or is an agent or managing employee of the provider; or the individual performing provider that has been convicted of a criminal offense related to that individual's involvement in any program under Medicare, Medicaid, or Title XX services program, since the inception of those programs.

(D) The Authority may refuse to enter into or may suspend or terminate a provider enrollment agreement if the individual performing provider or any individual who has an ownership or control interest in the entity, or who is an agent or managing employee of the provider, has been sanctioned or convicted of a criminal offense related to that individual's involvement in any program established under Medicare, Medicaid, Children's Health Insurance, Title XX services, or other public assistance program.

(E) The Authority may refuse to enter into or may suspend or terminate a provider enrollment agreement, or contract for provider services, if it determines that the provider did not fully and accurately make any disclosure required under section (5)(c) of this rule.

(F) Taxpayer identification numbers, including social security numbers (SSN) and employer identification numbers (EIN), must be provided where indicated on the Disclosure Statement or the Disclosure of Ownership and Control Interest Statement. The taxpayer identification number will be used to confirm whether the individual or entity is subject to exclusion from participation in the Oregon Medicaid program.

(6) The provider must sign the provider enrollment agreement, and submit it for review to the Authority at the time the provider submits the provider enrollment form and related documentation. Signing the provider enrollment agreement constitutes agreement by a provider to comply with all applicable Authority provider and program rules, and applicable federal and state laws and regulations in effect on the date of service.

(7) A provider may request to conduct electronic transactions with the Authority by enrolling and completing the appropriate authorization forms pursuant to the electronic data transaction rules (OAR 943-120-0100 to 943-120-0200).

(8) A provider shall be enrolled, assigned, and issued a provider number for use in specific payment or business operations upon the following criteria:

(a) Provider submission of a complete and signed (when applicable), provider enrollment form, provider enrollment agreement, provider certification and all required documents to the Authority program responsible for enrolling the provider. Provider signature must be the provider or an individual with actual authority from the provider to legally bind the provider to attest and certify to the accuracy and completeness of the information submitted;

(b) The Authority's verification of licensing or certification or other authority to perform the service or provide the item within the lawful scope of practice recognized under Oregon law. The Authority may confirm any information on the provider enrollment form or documentation submitted with the provider enrollment form, and may request additional information; and

(c) The Authority's acceptance of the provider enrollment form, provider enrollment agreement, and provider certification by the Authority unit responsible for approving the enrollment of the provider.

(9) Submission of a claim or encounter or other reimbursement document constitutes the enrolled provider's agreement that:

(a) The service or item was provided in compliance with all applicable rules and requirements in effect on the date of service;

(b) The provider has created and maintained all records necessary to disclose the extent of services or items provided and provider's compliance with applicable program and financial requirements, and that the provider agrees to make such information available upon request to the Authority, the MFCU (for Medicaid-funded services or items), the Oregon Secretary of State, and (for federally-funded services or items) the federal funding authority and the Comptroller General of the United States, or their designees;

(c) The information on the claim or encounter, regardless of the format or other reimbursement document is true, accurate and complete; and

(d) The provider understands that payment of the claim or encounter or other reimbursement document will be from federal or state funds, or a combination of federal and state funds, and that any falsification, or concealment of a material fact, may result in prosecution under federal and state laws.

(10) The Authority has taken action to ensure compliance with the NPI requirements pursuant to 45 CFR Part 162 when those requirements became effective on May 23, 2007. In the event of a transition period approved by CMS beyond May 23, 2008, the following requirements for contractors, providers, and provider-applicants shall apply:

(a) Providers and contractors that obtain an NPI must use their NPI where indicated. In situations where a taxonomy code may be used in conjunction with the NPI, providers must update their records as specified with the Authority's provider enrollment unit. Providers applying for enrollment with the Authority that have been issued an NPI must include that NPI and any associated taxonomy codes with the provider enrollment form;

(b) A provider enrolled with the Authority must bill using the NPI pursuant to 45 CFR part 162.410, in addition to the Authority-assigned provider number, where applicable, and continue to bill using the Authority assigned provider number until the Authority informs the provider that the Authority assigned provider number is no longer allowed, or the NPI transition period has ended, whichever occurs first. Failure to use the NPI and Authority-assigned provider number as indicated during this transition period may result in delay or rejection of claims and other transactions;

(c) The NPI and applicable taxonomy code combinations will be cross-referenced to the Authority assigned provider number for purposes of processing all applicable electronic transactions as specified in OAR 943-120-0100;

(d) The provider and PHP must cooperate with the Authority with reasonable consultation and testing procedures, if any, related to implementation of the use of NPI's; and

(e) Certain provider types are not eligible for an NPI based on federal criteria for obtaining an NPI. Providers not eligible for an NPI must always use their Authority provider number on claims, encounters, or other reimbursement documents for that specific provider type.

(11) The effective date of provider enrollment is the date the provider's request is received by the Authority if on that date the provider has met all applicable requirements. The effective date may be retroactive for up to one year to encompass dates on which the provider furnished covered services to a medical assistance recipient for which it has not been paid, if on the retroactive effective date the provider has met all applicable requirements.

(12) Provider numbers are specific to the category of service or items authorized by the Authority. Issuance of an Authority-assigned provider number establishes enrollment of an individual or organization as a provider for the specific category of services covered by the provider and program addendum submitted with the provider enrollment form and enrollment agreement.

(13) Providers must provide the following updates:

(a) An enrolled provider must notify the Authority in writing of a material change in any status or condition on any element of their provider enrollment form. Providers must notify the Authority of changes in any of this information in writing within 30 calendar days of any of the following changes:

(A) Business affiliation;

(B) Ownership;

(D) Associated taxonomy codes;

(E) Federal Tax Identification number;

(F) Ownership and control information; or

(G) Criminal convictions.

(b) These changes may require the submission of a provider enrollment form, provider enrollment agreement, provider certification, or other related documentation.

(c) Claims submitted by, or payments made to, providers who have not timely furnished the notification of changes or have not submitted any of the items that are required due to a change may be denied or recovered.

(d) Notice of bankruptcy proceedings must be immediately provided to the Authority in writing.

(14) Tax Reporting and Withholding.

(a) Providers must submit the provider's SSN for individuals or a federal EIN for entities, whichever is required for tax reporting purposes on IRS Form 1099. Billing providers must submit the SSN or EIN of all performing providers in connection with claims or payments made to or on behalf of the performing provider, in addition to the billing provider’s SSN or EIN. Providing this number is mandatory to be eligible to enroll as a provider. The provider's SSN or EIN is required pursuant to 42 CFR 433.37 federal tax laws at 26 USC 6041. SSN's and EIN's provided pursuant to this authority are used for the administration of state, federal, and local tax laws and the administration of this program for internal verification and administrative purposes including but not limited to identifying the provider for payment and collection activities.

(b) The Authority must comply with the tax information reporting requirements of section 6041 of the Internal Revenue Code (26 USC 6041). Section 6041 requires the filing of annual information returns showing amounts paid to providers, who are identified by name, address, and SSN or EIN. The Authority files its information returns with the Internal Revenue Service (IRS) using Form 1099MISC.

(c) The IRS Code section 3406(a)(1)(B) requires the Authority to begin backup withholding when notified by the IRS that a taxpayer identification number reported on an information return is incorrect. If a provider receives notice of backup withholding from the Authority, the provider must timely comply with the notice and provide the Authority with accurate information. The Authority shall comply with IRS requirements for backup withholding.

(d) Failure to notify the Authority of a change in federal tax identification number (SSN or EIN) may result in the Authority imposing a sanction as specified in OAR 943-120-0360.

(e) If the Authority notifies a provider about an error in federal tax identification number, the provider must supply a valid federal tax identification number within 30 calendar days of the date of the Authority's notice. Failure to comply with this requirement may result in the Authority imposing a sanction as specified in OAR 943-120-0360, for each time the provider submits an inaccurate federal tax identification number, and may require back-up withholding. Federal tax identification number requirements described in this rule refer to any requirements established by the IRS.

(15) Providers of services to clients outside the State of Oregon must be enrolled as a provider under section (8) of this rule if they comply with the requirements of section (8) and meet the following conditions:

(a) The provider is appropriately licensed or certified and is enrolled in the provider's home state for participation in that state's Medicaid program or, for non-Medicaid services, enrolled or contracted with the state agency in the provider's state to provide the same program-specific service in the provider's state. Disenrollment or sanction from the other state's Medicaid program, or exclusion from any other federal or state health care program or comparable program-specific service delivery system is a basis for denial of enrollment, termination, or suspension from participation as an Authority provider;

(b) The Oregon Board of Pharmacy issued a license to provide pharmacy services to a noncontiguous out-of-state pharmacy provider;

(c) The services must be authorized in the manner required for out-of-state services under the program-specific rules or contract for an eligible client;

(d) The services for which the provider bills are covered services under the OHP or other Authority program for which covered services are authorized to be provided to the client;

(e) A facility, including but not limited to a hospital, rehabilitative facility, institution for care of individuals with mental retardation, psychiatric hospital, or residential care facility, is enrolled or contracted by the state agency in the state in which the facility is located or is licensed as a facility provider of services by Oregon; or

(f) If the provider is not domiciled in or registered to do business in Oregon, the provider must promptly provide to the Oregon Department of Revenue and the Oregon Secretary of State, Corporation Division all information required by those agencies relative to the provider enrollment form and provider enrollment agreement. The Authority shall withhold enrollment and payments until the out-of-state provider has provided documentation of compliance with this requirement to the Authority unit responsible for enrollment.

(16) The provider enrollment agreement may be terminated as follows:

(a) The provider may ask the Authority to terminate the provider enrollment agreement at any time, subject to any specific provider termination requirements in program-specific rules or contracts.

(A) The request must be in writing, signed by the provider, and mailed or delivered to the Authority provider enrollment unit. The notice must specify the Authority-assigned provider number, if known.

(B) When accepted, the Authority shall assign the provider number a termination status and the effective date of the termination status.

(C) Termination of the provider enrollment agreement does not relieve the provider of any obligations for covered services or items provided under these rules, program-specific rules or contracts in effect for dates of services during which the provider enrollment agreement was in effect.

(b) The Authority may terminate the provider enrollment agreement immediately upon notice to the provider, or a later date as the Authority may establish in the notice, upon the occurrence of any of the following events:

(A) The Authority fails to receive funding, appropriations, limitations, or other expenditure authority at levels that the Authority or the specific program determines to be sufficient to pay for the services or items covered under the agreement;

(B) Federal or state laws, regulations, or guidelines are modified or interpreted by the Authority in a manner that either providing the services or items under the agreement is prohibited or the Authority is prohibited from paying for such services or items from the planned funding source;

(C) The Authority has issued a final order revoking the Authority-assigned provider number based on a sanction under termination terms and conditions established in program-specific rules or contract;

(D) The provider no longer holds a required license, certificate or other authority to qualify as a provider. The termination shall be effective on the date the license, certificate, or other authority is no longer valid; or

(E) The provider fails to submit any claims for reimbursement for an 18-month period. The provider may reapply for enrollment.

(c) In the event of any dispute arising out of the termination of the provider enrollment agreement, the provider's sole monetary remedy is limited to covered services or items the Authority determines to be compensable under the provider agreement, a claim for unpaid invoices, hours worked within any limits set forth in the agreement but not yet billed, and Authority-authorized expenses incurred prior to termination. Providers may not recover indirect or consequential damages. Providers are not entitled to attorney fees, costs, or expenses of any kind.

(17) When a provider fails to meet one or more of the requirements governing participation as an Authority enrolled provider, the provider's Authority- assigned provider number may be immediately suspended, pursuant to OAR 943-120-0360. The provider may not provide services or items to clients during a period of suspension. The Authority shall deny claims for payment or other reimbursement requests for dates of service during a period of suspension.

(18) The provision of program-specific or contract covered services or items to eligible clients is voluntary on the part of the provider. Providers are not required to serve all clients seeking service. If a provider undertakes to provide a covered service or item to an eligible client, the provider must comply with these rules, program-specific rules or contract.

(a) The provider performs all services, or provides all items, as an independent contractor. The provider is not an officer, employee, or agent of the Authority.

(b) The provider is responsible for its employees, and for providing employment-related benefits and deductions that are required by law. The provider is solely responsible for its acts or omissions, including the acts or omissions of its own officers, employees or agents. The Authority’s responsibility is limited to its authorization and payment obligations for covered services or items provided pursuant to these rules.

(19) For Medicaid services, a provider may not deny services to any eligible client because of the client's inability to pay the cost sharing amount imposed by the applicable program-specific or provider-specific rules or contract. A client's inability to pay does not eliminate the client's liability for the cost sharing charge.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0325

Compliance with Federal and State Statutes

(1) When a provider submits a claim for services or supplies provided to an Authority client, the Authority shall consider the submission as the provider’s representation of the provider's compliance with the applicable sections of the federal and state statutes and rules referenced in this rule, and other program rules or contract requirements of the specific program under which the claim is submitted:

(a) 45 CFR Part 84 which implements Title V, Section 504 of the Rehabilitation Act of 1973;

(b) 42 CFR Part 493 Laboratory Requirements and ORS chapter 438 (Clinical Laboratories).

(c) The provider must comply and, as indicated, require all subcontractors to comply with the following federal and state requirements to the extent that they are applicable to the items and services governed by these rules, unless exempt under 45 CFR Part 87 for Faith-Based Organizations (Federal Register, July 16, 2004, Volume 69, #136), or other federal provisions. For purposes of these rules, all references to federal and state laws are references to federal and state laws as they may be amended from time to time that are in effect on the date of provider’s service:

(A) The provider must comply and require all subcontractors to comply with all federal laws, regulations, executive orders applicable to the items and services provided under these rules. Without limiting the generality of the foregoing, the provider must comply and require all subcontractors to comply with the following laws, regulations and executive orders to the extent they are applicable to the items and services provided under these rules:

(i) Title VI and VII of the Civil Rights Act of 1964, as amended;

(ii) Sections 503 and 504 of the Rehabilitation Act of 1973, as amended;

(iii) The Americans with Disabilities Act of 1990, as amended;

(iv) Executive Order 11246, as amended;

(v) The Health Insurance Portability and Accountability Act of 1996;

(vi) The Age Discrimination in Employment Act of 1967, as amended, and the Age Discrimination Act of 1975, as amended;

(vii) The Vietnam Era Veterans’ Readjustment Assistance Act of 1974, as amended,

(viii) all regulations and administrative rules established pursuant to the foregoing laws;

(viii) All other applicable requirements of federal civil rights and rehabilitation statutes, rules, and regulations;

(ix) All federal laws governing operation of community mental health programs, including without limitation, all federal laws requiring reporting of client abuse. These laws, regulations and executive orders are incorporated by reference herein to the extent that they are applicable to the items and services governed by these rules and required by law to be so incorporated. No federal funds may be used to provide services in violation of 42 USC 14402.

(B) Any provider that receives or makes annual payments under Medicaid of at least $5,000,000, as a condition of receiving such payments, shall:

(i) Establish written policies for all employees of the entity (including management), and of any contractor, subcontractor, or agent of the entity, that provide detailed information about the False Claims Act established under 31 USC 3729 through 3733, administrative remedies for false claims and statements established under 31 USC 38, any Oregon state laws pertaining to civil or criminal penalties for false claims and statements, and whistle blowing protections under such laws, with respect to the role of such laws in preventing and detecting fraud, waste, and abuse in Federal health care programs (as defined in 42 USC 1320a-7b(f));

(ii) Include as part of written policies, detailed provisions regarding the entity’s policies and procedures for detecting and preventing fraud, waste, and abuse; and

(iii) Include in any employee handbook for the entity, a specific discussion of the laws described in sub-paragraph (i), the rights of the employees to be protected as whistleblowers.

(C) If the items and services governed under these rules exceed $10,000, the provider must comply and require all subcontractors to comply with Executive Order 11246, entitled “Equal Employment Opportunity,” as amended by Executive Order 11375, and as supplemented in U.S Authority of Labor regulations (41 CFR part 60);

(D) If the items and services governed under these rules exceed $100,000, and are paid in any part with federal funds, the provider must comply and require all subcontractors to comply with all applicable standards, orders, or requirements issued under Section 306 of the Clean Air Act (42 U.S.C. 7606), the Federal Water Pollution Control Act as amended (commonly known as the Clean Water Act — 33 U.S.C. 1251 to 1387), specifically including, but not limited to, Section 508 (33 U.S.C. 1368). Executive Order 11738, and Environmental Protection Agency regulations (40 CFR Part 32), which prohibit the use under non-exempt Federal contracts, grants or loans of facilities included on the EPA List of Violating Facilities. Violations must be reported to the Authority, DHHS, and the appropriate Regional Office of the Environmental Protection Agency. The provider must include and require all subcontractors to include in all contracts with subcontractors receiving more than $100,000, language requiring the subcontractor to comply with the federal laws identified in this section;

(E) The provider must comply and require all subcontractors to comply with applicable mandatory standards and policies relating to energy efficiency that are contained in the Oregon energy conservation plan issued in compliance with the Energy Policy and Conservation Act, 42 U.S.C. 6201 et seq. (Pub. L. 94-163);

(F) The provider must provide written certification indicating that:

(i) No federal appropriated funds have been paid or shall be paid, by or on behalf of the provider, to any person for influencing or attempting to influence an officer or employee of an agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with the awarding of any federal contract, the making of any federal grant, the making of any federal loan, the entering into of any cooperative agreement, and the extension, continuation, renewal, amendment or modification of any federal contract, grant, loan or cooperative agreement;

(ii) If any funds other than federal appropriated funds have been paid or shall be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with this federal contract, grant, loan or cooperative agreement, the provider must complete and submit Standard Form LLL, “Disclosure Form to Report Lobbying” in accordance with its instructions;

(iii) The provider must require that the language of this certification be included in the award documents for all sub-awards at all tiers (including subcontracts, sub-grants, and contracts under grants, loans, and cooperative agreements) and that all sub-recipients and subcontractors must certify and disclose accordingly;

(iv) This certification is a material representation of fact upon which reliance was placed when this provider agreement was made or entered into. Submission of this certification is a prerequisite for making or entering into this provider agreement imposed by 31 USC 1352. Any person who fails to file the required certification shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for each such failure.

(G) If the items and services funded in whole or in part with financial assistance provided under these rules are covered by HIPAA or the federal regulations implementing HIPAA, the provider must deliver the goods and services in compliance with HIPAA. The provider must comply and require all subcontractors to comply with the following:

(i) Individually identifiable health information about specific individuals is confidential. Individually identifiable health information relating to specific individuals may be exchanged between the provider and the Authority for purposes directly related to the provision to clients of services that are funded in whole or in part under these rules. The provider must not use or disclose any individually identifiable health information about specific individuals in a manner that would violate Authority privacy rules, (OAR 943-014-0000 to 0070.), or the Authority’s Notice of Privacy Practices, if done by the Authority;

(ii) Providers who engage in EDI transactions with the Authority in connection with claims or encounter data, eligibility or enrollment information, authorizations or other electronic transactions must execute an EDI trading partner agreement with the Authority and must comply with the Authority’s electronic data transmission rules (OAR 943-120-0100 to 943-120-0200);

(iii) If a provider reasonably believes that the provider’s or the Authority’s data transactions system or other application of HIPAA privacy or security compliance policy may result in a violation of HIPAA requirements, the provider must promptly consult the Authority’s privacy officer. The provider or the Authority may initiate a request to test HIPAA transactions, subject to available resources and the Authority’s testing schedule.

(H) The provider must comply and require all subcontractors to comply with all mandatory standards and policies that relate to resource conservation and recovery pursuant to the Resource Conservation and Recovery Act (codified at 42 USC 6901 et. seq.). Section 6002 of that Act (codified at 42 USC 6962) requires that preference be given in procurement programs to the purchase of specific products containing recycled materials identified in guidelines developed by the Environmental Protection Agency. Current guidelines are set forth in 40 CFR Parts 247;

(I) The provider must comply and require all subcontractors to comply with the applicable audit requirements and responsibilities set forth in the Office of Management and Budget Circular A-133 entitled “Audits of States, Local Governments and Non-Profit Organizations;”

(J) The provider may not permit any person or entity to be a subcontractor if the person or entity is listed on the non-procurement portion of the General Service Administration’s “List of Parties Excluded from Federal Procurement or Nonprocurement Programs” pursuant to Executive Orders No. 12,549 and No. 12,689, “Debarment and Suspension”. (See 45 CFR part 76). This list contains the names of parties debarred, suspended, or otherwise excluded by agencies, and providers and subcontractors declared ineligible under statutory authority other than Executive Order No. 12549. Subcontractors with awards that exceed the simplified acquisition threshold must provide the required certification regarding their exclusion status and that of their principals prior to award;

(K) The provider must comply and require all subcontractors to comply with the following provisions to maintain a drug-free workplace:

(i) Certify that it shall provide a drug-free workplace by publishing a statement notifying its employees that the unlawful manufacture, distribution, dispensation, possession, or use of a controlled substance, except as may be present in lawfully prescribed or over-the-counter medications, is prohibited in the provider's workplace or while providing services to Authority clients. The provider's notice must specify the actions that shall be taken by the provider against its employees for violation of such prohibitions;

(ii) Establish a drug-free awareness program to inform its employees about the dangers of drug abuse in the workplace, the provider's policy of maintaining a drug-free workplace, any available drug counseling, rehabilitation, and employee assistance programs, and the penalties that may be imposed upon employees for drug abuse violations;

(iii) Provide each employee to be engaged in the performance of services under these rules a copy of the statement required in paragraph (J)(i) above;

(iv) Notify each employee in the statement required by paragraph (J)(i) that, as a condition of employment to provide services under these rules, the employee shall abide by the terms of the statement and notify the employer of any criminal drug statute conviction for a violation occurring in the workplace no later than five days after the conviction;

(v) Notify the Authority within ten days after receiving notice under paragraph (J)(iv) from an employee or otherwise receiving actual notice of the conviction;

(vi) Impose a sanction on, or require the satisfactory participation in a drug abuse assistance or rehabilitation program by any employee who is convicted as required by Section 5154 of the Drug-Free Workplace Act of 1988;

(vii) Make a good-faith effort to continue a drug-free workplace through implementation of paragraphs (J)(i) through (J)(vi);

(viii) Require any subcontractor to comply with paragraphs (J)(i) through (J)(vii);

(ix) The provider, the provider's employees, officers, agents, or subcontractors may not provide any service required under these rules while under the influence of drugs. For purposes of this provision, "under the influence" means observed abnormal behavior or impairments in mental or physical performance leading a reasonable person to believe the provider or provider's employee, officer, agent, or subcontractor has used a controlled substance, prescription, or non-prescription medication that impairs the provider or provider's employee, officer, agent, or subcontractor's performance of essential job function or creates a direct threat to Authority clients or others. Examples of abnormal behavior include but are not limited to hallucinations, paranoia or violent outbursts. Examples of impairments in physical or mental performance include but are not limited to slurred speech, difficulty walking or performing job activities;

(x) Violation of any provision of this subsection may result in termination of the provider agreement.

(L) The provider must comply and require all sub-contractors to comply with the Pro-Children Act of 1994 (codified at 20 USC section 6081 et. seq.);

(M) A provider reimbursed or seeking reimbursement with Medicaid funds must comply with all applicable federal and state laws and regulations pertaining to the provision of Medicaid services under the Medicaid Act, Title XIX, 42 USC Section 1396 et. seq., including without limitation:

(i) Maintain necessary records to fully disclose the extent of the services provided to individuals receiving Medicaid assistance and must furnish the information to any state or federal agency responsible for administering the Medicaid program regarding any payments claimed by the provider or institution for providing Medicaid services as the state or federal agency may from time to time request. 42 USC Section 1396a(a)(27); 42 CFR 431.107(b)(1) & (2);

(ii) Comply with all disclosure requirements of 42 CFR 1002.3(a) and 42 CFR 455 Subpart (B);

(iii) Maintain written notices and procedures respecting advance directives in compliance with 42 USC Section 1396(a)(57) and (w), 42 CFR 431.107(b)(4), and 42 CFR 489 subpart I;

(iv) Certify when submitting any claim for the provision of Medicaid services that the information submitted is true, accurate and complete. The provider must acknowledge provider’s understanding that payment of the claim shall be from federal and state funds and that any falsification or concealment of a material fact may be prosecuted under federal and state laws.

(N) Providers must comply with the obligations intended for contractors under ORS 279B.220, 279B.225, 279B.230 and 279B.235 (if applicable), Providers shall, to the maximum extent economically feasible in the performance of covered services, use recycled paper (as defined in ORS 279A.010(1)(ee)), recycled PETE products (as defined in 279A.010(1)(ff)), and other recycled plastic resin products and recycled products (as “recycled product” is defined in 279A.010(1)(gg)).

(O) Providers must comply with all federal, state and local tax laws, including Social Security payment requirements, applicable to payments made by the Authority to the provider.

(2) Hospitals, nursing facilities, home health agencies (including those providing personal care), hospices, and health maintenance organizations shall comply with the Patient Self-Determination Act as set forth in Section 4751 of OBRA 1991. To comply with the obligation under the above listed laws to deliver information on the rights of the individual under Oregon law to make health care decisions, the named providers and organizations must provide capable individuals over the age of 18 a copy of "Your Right to Make Health Care Decisions in Oregon," copyright 1993, by the Oregon State Bar Health Law Section. Out-of-state providers of these services must comply with Medicare and Medicaid regulations in their state. Submittal to the Authority of the appropriate billing form requesting payment for medical services provided to a Medicaid eligible client shall be deemed representation to the Authority of the medical provider's compliance with the above-listed laws.

(3) Providers described in ORS chapter 419B must report suspected child abuse to their local Children, Adults and Families Division office or police, in the manner described in ORS chapter 419.

(4) The Clinical Laboratory Improvement Act (CLIA), requires all entities that perform even one laboratory test, including waived tests, on "materials derived from the human body for the purpose of providing information for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of, human beings" to meet certain federal requirements. If an entity performs tests for these purposes, it is considered, under CLIA, to be a laboratory.

[Publication: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0330

Billing Procedures

(1) These rules only apply to covered services and items provided to clients that are paid for by the Authority based on an Authority fee schedule or other reimbursement method (often referred to as fee-for-service), or for services that are paid for by the Authority at the request of a county for county-authorized services.

(a) If a client's service or item is paid for by a PHP, the provider must comply with the billing and procedures related to claim submission established under contract with that PHP, or the rules applicable to non-participating providers if the provider is not under contract with that PHP.

(b) If the client is enrolled in a PHP, but the client is permitted by a contract or program-specific rules to obtain covered services reimbursed by the Authority (such as family planning services that may be obtained from any provider), the provider must comply with the billing and claim procedures established under these rules.

(2) All Authority-assigned provider numbers are issued at enrollment and are directly associated with the provider as defined in OAR 943-120-0320(12) and have the following uses:

(a) Log-on identification for the Authority web portal;

(b) Claim submission in the approved paper formats; and

(c) For electronic claims submission including the web portal for atypical providers pursuant to 45 CFR 160 and 162 where an NPI is not mandated. Use of the Authority-assigned provider number shall be considered authorized by the provider and the provider shall be accountable for its use.

(3) Except as provided in section (4) below, an enrolled provider may not seek payment for any covered services from:

(a) A client for covered benefits; or

(b) A financially responsible relative or representative of that client.

(4) Providers may seek payment from an eligible client or client representative as follows:

(a) From any applicable coinsurance, co-payments, deductibles, or other client financial obligation to the extent and as expressly authorized by program-specific rules or contract;

(b) From a client who failed to inform the provider of Authority program eligibility, of OHP or PHP enrollment, or of other third party insurance coverage at the time the service was provided or subsequent to the provision of the service or item. In this case, the provider may not bill the Authority, the PHP, or third party payer for any reason, including but not limited to timeliness of claims and lack of prior authorization. The provider must document attempts to obtain information on eligibility or enrollment;

(c) The client became eligible for Authority benefits retroactively but did not meet other established criteria described in the applicable program-specific rules or contracts.

(d) The provider may document that a TPR made payments directly to the client for services provided that are subject to recovery by the provider.;

(e) The service or item is not covered under the client's benefit package. The provider must document that prior to the delivery of services or items, the provider informed the client the service or item would not be covered by the Authority;

(f) The client requested continuation of benefits during the administrative hearing process and the final decision was not in favor of the client. The client shall be responsible for any charges since the effective date of the initial notice of denial; or

(g) In exceptional circumstances, a client may request continuation of a covered service while asserting the right to privately pay for that service. Under this circumstance, a provider may bill the client for a covered service only if the client is informed in advance of receiving the specific service of all of the following:

(A) The requested service is a covered service and the provider would be paid in full for the covered service if the claim is submitted to the Authority or the client's PHP;

(B) The estimated cost of the covered service, including all related charges, that the Authority or PHP would pay, and for which the client is billed cannot be an amount greater than the maximum Authority or PHP reimbursable rate or PHP rate;

(C) The provider may not require the client to enter into a voluntary payment agreement for any amount for the covered service; and

(D) The provider must be able to document, in writing, signed by the client or the client's representative, that the client was provided the information described above; was provided an opportunity to ask questions, obtain additional information, and consult with the client's caseworker or client representative; and the client agreed to be responsible for payment by signing an agreement incorporating all of the information described above. The provider must provide a copy of the signed agreement to the client. The provider may not submit a claim for payment for the service or item to the Authority or to the client's PHP that is subject to such an agreement.

(5) Reimbursement for Non-Covered Services.

(a) A provider may bill a client for services that are not covered by the Authority or a PHP, except as provided in these rules. The client must be informed in advance of receiving the specific service that it is not covered, the estimated cost of the service, and that the client or client's representative is financially responsible for payment for the specific service. Providers must provide written documentation, signed by the client, or the client's representative, dated prior to the delivery of services or item indicating that the client was provided this information and that the client knowingly and voluntarily agreed to be responsible for payment.

(b) Providers may not bill or accept payment from the Authority or a PHP for a covered service when a non-covered service has been provided and additional payment is sought or accepted from the client. Examples include but are not limited to charging the client an additional payment to obtain a gold crown (not covered) instead of the stainless steel crown (covered) or charging an additional client payment to obtain eyeglass frames not on the covered list of frames. This practice is called buying-up, which is prohibited , and a provider may be sanctioned for this practice regardless of whether a client waiver is documented.

(d) Providers may not bill clients or the Authority for services or items provided free of charge. This limitation does not apply to established sliding fee schedules where the client is subject to the same standards as other members of the public or clients of the provider.

(e) Providers may not bill clients for services or items that have been denied due to provider error such as required documentation not submitted or prior authorization not obtained.

(6) Providers must verify that the individual receiving covered services is, in fact, an eligible client on the date of service for the service provided and that the services is covered in the client's benefit package.

(a) Providers shall pay for costs incurred for failing to confirm eligibility or that services are covered.

(b) Providers must confirm the Authority's client eligibility and benefit package coverage using the web portal, or the Authority telephone eligibility system, and by other methods specified in program-specific or contract instructions.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0340

Claim and PHP Encounter Submission

(1) All claims must be submitted using one of the following methods:

(a) Paper forms, using the appropriate form as described in the program-specific rules or contract;

(b) Electronically, using the web portal accessed by provider-specific PIN and password. Initial activation by provider of Authority-assigned provider number and PIN for web portal access invokes provider's agreement to meet all of the standards for HIPAA privacy, security, and transactions and codes sets standards as defined in 45 CFR 162;

(d) Electronically, for PHP encounters, in the manner required by the PHP contract with the Authority and authorized by the Authority's EDT rules.

(2) Claims may not be submitted prior to delivery of service unless otherwise authorized by program-specific rules or contracts. A claim for an item may not be submitted prior to dispensing, shipping, or mailing the item unless otherwise specified in the Authority's program-specific rules or contracts.

(3) Claims and PHP encounters must be submitted in compliance HIPAA transaction and code set rules. The HIPAA transaction and code set rules, 45 CFR 162, apply to all electronic transactions for which DHHS has adopted a standard.

(a) The Authority may deny or reject electronic transactions that fail to comply with the federal standard.

(b) The Authority shall comply with the HIPAA code set requirements in 45 CFR 162.1000 through 162.1011, regardless of whether a request is made verbally, or a claim is submitted on paper or electronically, and with regard to the electronic claims and encounter remittance advice information, including the web portal. Compliance with the code set requirements includes the codes and the descriptors of the codes established by the official entity that maintains the code set. These federal code set requirements are mandatory and the Authority may not delay or alter their application or effective dates established by DHHS.

(A) The issuance of a federal code does not mean that the Authority covers the item or service described by the federal code. When there is a variation between an Authority-listed code and a national code, the provider may seek clarification from the Authority program. The Authority shall apply the national code in effect on the date of request or date of service and the Authority-listed code may be used for the limited purpose of describing the Authority's intent in identifying whether the applicable national code represents an Authority covered service or item.

(B) For purposes of maintaining HIPAA code set compliance, the Authority adopts by reference the required use of the version of all national code set revisions, deletions, and additions pursuant to the HIPAA transaction and code set rules in effect on the date of this rule. This code set adoption may not be construed as Authority coverage or that the existence of a particular national code constitutes a determination by the Authority that the particular code is a covered service or item. If the provider is unable to identify an appropriate procedure code to use on the claim or PHP encounter, the provider may contact the Authority for assistance in identifying an appropriate procedure code reference in but not limited to the following:

(i) Current Procedural Terminology, Fourth Edition (CPT-4), (American Medical Association);

(ii) Current Dental Terminology (CDT), (American Dental Association);

(iii) Diagnosis Related Group (DRG), (DHHS);

(iv) Health Care Financing Administration Common Procedural Coding System (HCPCS), (DHHS);

(v) National Drug Codes (NDC), (DHHS); or

(vi) HIPAA related codes, DHHS, claims adjustment reason, claim status, taxonomy codes, and decision reason available at the Washington Publishing Company web site: http://www.wpc.edi.com/content/view/180/223.

(C) For electronic claims and PHP encounters, the appropriate HIPAA claim adjustment reason code for third party payer, including Medicare, explanation of payment must be used.

(A) For claims and PHP encounters that require the listing of a diagnosis code as the basis for the service provided, the code listed on the claim must be the code that most accurately describes the client's condition and the service or item provided.

(B) A primary diagnosis code is required on all claims, using the HIPAA nationally required diagnosis code set including the code and the descriptor of the code by the official entity that maintains the code set, unless the requirement for a primary diagnosis code is specifically excluded in the Authority's program-specific rules or contract. All diagnosis codes must be provided to the highest degree of specificity. Providers must use the ICD-9-CM diagnosis coding system when a diagnosis is required unless otherwise specified in the appropriate program-specific rules or contract.

(C) Hospitals must follow national coding guidelines and must bill using the 5th digit, in accordance with methodology used in the Medicare Diagnosis Related Groups.

(d) Providers must provide and identify the following procedures codes.

(A) The appropriate procedure code on claims and PHP encounters as instructed in the appropriate Authority program-specific rules or contract and must use the appropriate HIPAA procedure code set, set forth in 45 CFR 162.1000 through 162.1011, which best describes the specific service or item provided.

(B) Where there is one CPT, CDT, or HCPCS code that according to those coding guidelines or standards, describes an array of services, the provider must use that code rather than itemizing the services under multiple codes. Providers must not "unbundle" services in order to increase payment or to mischaracterize the service.

(4) No provider or its contracted agent (including billing service or billing agent) shall submit or cause to be submitted to the Authority:

(a) Any false claim for payment or false PHP encounter;

(b) Any claim or PHP encounter altered in such a way as to result in a duplicate payment for a service that has already been paid;

(c) Any claim or PHP encounter upon which payment has been made or is expected to be made by another source unless the amount paid or to be paid by the other party is clearly entered on the claim form or PHP encounter format; or

(d) Any claim or PHP encounter for providing services or items that have not been provided.

(5) Third Party Resources.

(a) A provider may not refuse to furnish covered services or items to an eligible client because of a third party's potential liability for the service or item.

(b) Providers must take all reasonable measures to ensure that the Authority shall be the payer of last resort. If available, private insurance, Medicare, or worker's compensation must be billed before the provider submits a claim for payment to the Authority, county, or PHP. For services provided to a Medicare and Medicaid dual eligible client, Medicare is the primary payer and the provider must first pursue Medicare payment (including appeals) prior to submitting a claim for payment to the Authority, county, or PHP. For services not covered by Medicare or other third party resource, the provider must follow the program-specific rules or contracts for appropriate billing procedures.

(c) When another party may be liable for paying the expenses of a client's injury or illness, the provider must follow program-specific rules or contract addressing billing procedures.

(6) Full Use of Alternate Community Resources.

(a) The Authority shall generally make payment only when other resources are not available for the client's needs. Full use must be made of reasonable alternate resources in the local community; and

(b) Providers must not accept reimbursement from more than one resource for the same service or item, except as allowed in program-specific or contract TPR requirements.

(7) Timely Submission of Claim or Encounter Data.

(a) Subsection (a) through (c) below apply only to the submission of claims data or other reimbursement document to the Authority, including provider reimbursement by the Authority pursuant to an agreement with a county. Unless requirements for timely filing provided for in program-specific rules or applicable contracts are more specific than the timely filing standard established in this rule, all claims for services or items must be submitted no later than 12 months from the date of service.

(b) A denied claim submitted within 12 months of the date of service may be resubmitted (with resubmission documentation, as indicated within the program-specific rules or contracts) within 18 months of the date of service. These claims must be submitted to the Authority in writing. The provider must present documentation acceptable to the Authority verifying the claim was originally submitted within 12 months of the date of service, unless otherwise stated in program-specific rules or contracts. Acceptable documentation is:

(A) A remittance advice or other claim denial documentation from the Authority to the provider showing the claim was submitted before the claim was one year old; or

(B) A copy of a billing record or ledger showing dates of submission to the Authority.

(A) When the Authority confirms the Authority or the client's branch office has made an error that caused the provider not to be able to bill within 12 months of the date of service;

(B) When a court or an administrative law judge in a final order has ordered the Authority to make payment;

(C) When the Authority determines a client is retroactively eligible for Authority program coverage and more than 12 months have passed between the date of service and the determination of the client's eligibility, to the extent authorized in the program-specific rules or contracts.

(d) PHP encounter data must be submitted pursuant to 45 CFR part 162.1001 and 162.1102 and the time periods established in the PHP contract with the Authority.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0350

Payments and Overpayments

(1) Payment Authorization.

(a) Some services or items covered by the Authority require authorization before a service, item, or level of care can be provided or before payment shall be made. Providers must check the appropriate program-specific rules or contracts for information on services or items requiring prior authorization and the process to follow to obtain authorization.

(b) Documentation submitted when requesting authorization must support the program-specific or contract justification for the service, item, or level of care. A request is considered complete if it contains all necessary documentation and meets any other requirements as described in the appropriate program-specific rules or contract.

(c) The authorizing program shall authorize the covered level of care, type of service, or item that meets the client's program-eligible need. The authorizing program shall only authorize services which meet the program-specific or contract coverage criteria and for which the required documentation has been submitted. The authorizing program may request additional information from the provider to determine the appropriateness of authorizing the service, item, or level of care within the scope of program coverage.

(d) Authorizing programs may not authorize services or make payment for authorized services when:

(A) The client was not eligible at the time services were provided. The provider must check the client's eligibility each time services are provided;

(B) The provider cannot produce appropriate documentation to support that the level of care, type of service, or item meets the program-specific or contract criteria, or the appropriate documentation was not submitted to the authorizing program;

(C) The delivery of the service, item, or level of care has not been adequately documented as described in OAR 943-120-0370. Requirements for financial, clinical and other records, and the documentation in the provider's files is not adequate to determine the type, medical appropriateness, or quantity of services, or items provided or the required documentation is not in the provider's files;

(D) The services or items identified in the claim are not consistent with the information submitted when authorization was requested or the services or items provided are retrospectively determined not to be authorized under the program-specific or contract criteria;

(E) The services or items identified in the claim are not consistent with those which were provided;

(F) The services or items were not provided within the timeframe specified on the authorization of services document; or

(G) The services or items were not authorized or provided in compliance with the program-specific rules or contracts.

(e) Payment made for services or items described in subsections (d)(A) through (G) of this rule shall be recovered.

(f) Retroactive Authority Client Eligibility.

(A) When a client is determined to be retroactively eligible for an Authority program, or is retroactively disenrolled from a PHP or services provided after the client was disenrolled from a PHP, authorization for payment may be given if the following conditions are met:

(i) The client was eligible on the date of service and the program-specific rules or contract authorize the Authority to reimburse the provider for services provided to clients made retroactively eligible;

(ii) The services or items provided to the client meet all other program-specific or contract criteria and Oregon Administrative Rules;

(iii) The request for authorization is received by the appropriate Authority branch or program office within 90 days of the date of service; and

(iv) The provider is enrolled with the Authority on the date of service, or becomes enrolled with the Authority no later than the date of service as provided in OAR 943-120-0320(11).

(B) Requests for authorization received after 90 days from date of service require all the documentation required in subsection (f)(A)(i), (ii) and (iv) and documentation from the provider stating why the authorization could not have been obtained within 90 days of the date of service.

(g) Service authorization is valid for the time period specified on the authorization notice, but shall not exceed 12 months, unless the client's benefit package no longer covers the service, in which case the authorization terminates on the date coverage ended.

(h) Service authorization for clients with other insurance or for Medicare beneficiaries is governed by program-specific rules or contracts.

(2) Payments.

(a) This rule only applies to covered services and items provided to eligible clients within the program-specific or contract covered services or items in effect on the date of service that are paid for by the Authority based on program-specific or contract fee schedules or other reimbursement methods, or for services that are paid for by the Authority at the request of a county for county-authorized services.

(b) If the client's service or item is paid for by a PHP, the provider must comply with the payment requirements established under contract with that PHP, and pursuant to OAR 410-120 and 410-141, applicable to non-participating providers.

(c) The Authority shall pay for services or items based on the reimbursement rates and methods specified in the applicable program-specific rules or contract. Provider reimbursement on behalf of a county must include county service authorization information.

(d) Providers must accept, as payment in full, the amounts paid by the Authority pursuant to the fee schedule or reimbursement method specified in the program-specific rules or contract, plus any deductible, co-payment, or coinsurance required to be paid by the client. Payment in full includes:

(A) Zero payments for claims where a third party or other resource has paid an amount equivalent to or exceeding the Authority's allowable payment; or

(B) Denials of payment for failure to submit a claim in a timely manner, failure to obtain payment authorization in a timely and appropriate manner, or failure to follow other required procedures identified in the program-specific rules or contracts.

(e) The Authority may not make payments for duplicate services or items. The Authority may not make a separate payment or co-payment to a provider for services included in the provider's all-inclusive rate if the provider has been or shall be reimbursed by other resources for the service or item.

(f) Payment by the Authority does not limit the Authority or any state or federal oversight entity from reviewing or auditing a claim before or after the payment. Payment may be denied or subject to recovery if medical, clinical, program-specific or contract review, audit, or other post-payment review determines the service or item was not provided in accordance with applicable rules or contracts or does not meet the program-specific or contract criteria for quality of care, or appropriateness of the care, or authorized basis for payment.

(3) Recovery of Overpayments to Providers — Recoupments and Refunds

(a) The Authority may deny payment or may deem payments subject to recovery as an overpayment if a review or audit determines the item or service was not provided pursuant to the Authority's rules, terms of contract, or does not meet the criteria for quality of care, or appropriateness of the care or payment. Related provider billings shall also be denied or subject to recovery.

(b) If a provider determines that a submitted claim or encounter is incorrect, the provider must submit an individual adjustment request and refund the amount of the overpayment, if any, or adjust the claim or encounter.

(c) The Authority may determine, as a result of review or other information, that a payment should be denied or that an overpayment has been made to a provider, which indicates that a provider may have submitted claims or encounters, or received payment to which the provider is not properly entitled. The payment denial or overpayment determinations may be based on but not limited to the following:

(A) The Authority paid the provider an amount in excess of the amount authorized under a contract, state plan or Authority rule;

(B) A third party paid the provider for services, or portion thereof, previously paid by the Authority;

(D) The Authority paid for claims submitted by a data processing agent for whom a written provider or billing agent or billing service agreement was not on file at the time of submission;

(E) The Authority paid for services and later determined they were not part of the client's program-specific or contract-covered services;

(F) Coding, data processing submission, or data entry errors;

(G) Medical, dental, or professional review determines the service or item was not provided pursuant to the Authority's rules or contract or does not meet the program-specific or contract criteria for coverage, quality of care, or appropriateness of the care or payment;

(H) The Authority paid the provider for services, items, or drugs when the provider did not comply with the Authority's rules and requirements for reimbursement; or

(I) The provider submitted inaccurate, incomplete or false encounter data to the Authority.

(d) Prior to identifying an overpayment, the Authority may contact the provider requesting preliminary information and additional documentation. The provider must provide the requested documentation within the specified time frame.

(e) When an overpayment is identified, the Authority shall notify the provider in writing as to the nature of the discrepancy, the method of computing the overpayment, and any further action that the Authority may take on the matter. The notice may require the provider to submit applicable documentation for review prior to requesting an appeal from the Authority, and may impose reasonable time limits for when documentation must be provided for Authority consideration. The notice shall inform the provider of the process for appealing the overpayment determination.

(f) The Authority may recover overpayments made to a provider by direct reimbursement, offset, civil action, or other legal action:

(A) The provider must make a direct reimbursement to the Authority within 30 calendar days from the date of the notice of the overpayment, unless other regulations apply.

(B) The Authority may grant the provider an additional period of time to reimburse the Authority upon written request made within 30 calendar days from the date of the notice of overpayment. The provider must include a statement of the facts and reasons sufficient to show that repayment of the overpayment amount should be delayed pending appeal because:

(i) The provider shall suffer irreparable injury if the overpayment notice is not delayed;

(ii) There is a reason to believe that the overpayment is incorrect or is less than the amount in the notice, and the provider has timely filed an appeal of the overpayment, or that the provider accepts the amount of the overpayment but is requesting to make repayment over a period of time;

(iii) A proposed method for assuring that the amount of the overpayment can be repaid when due with interest including but not limited to a bond, irrevocable letter of credit, or other undertaking, or a repayment plan for making payments, including interest, over a period of time;

(iv) Granting the delay shall not result in substantial public harm; and

(v) Affidavits containing evidence relied upon in support of the request for stay.

(C) The Authority may consider all information in the record of the overpayment determination, including provider cooperation with timely provision of documentation, in addition to the information supplied in provider's request. If provider requests a repayment plan, the Authority may require conditions acceptable to the Authority before agreeing to a repayment plan. The Authority must issue an order granting or denying a repayment delay request within 30 calendar days after receiving it;

(D) A request for hearing or administrative review does not change the date the repayment of the overpayment is due; and

(E) The Authority may withhold payment on pending claims and on subsequently received claims for the amount of the overpayment when overpayments are not paid as a result of paragraph (B)(i);

(f) In addition to any overpayment, the Authority may impose a sanction on the provider in connection with the actions that resulted in the overpayment. The Authority may, at its discretion, combine a notice of sanction with a notice of overpayment.

(g) Voluntary submission of an adjustment claim or encounter transaction or an individual adjustment request or overpayment amount after notice from the Authority does not prevent the Authority from issuing a notice of sanction The Authority may take such voluntary payment into account in determining the sanction.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0360

Consequences of Non-Compliance and Provider Sanctions

(1) There are two classes of provider sanctions, mandatory and discretionary, that may be imposed for non-compliance with the provider enrollment agreement.

(2) Except as otherwise provided, the Authority shall impose provider sanctions at the direction of the Authority's division director or designee, whose budget includes payment for the services involved.

(3) Mandatory Sanctions. The Authority shall impose mandatory sanctions and suspend the provider from participation in the Authority's programs:

(a) When a provider has been convicted (as that term is defined in 42 CFR part 1001.2) of a felony or misdemeanor related to a crime, or violation of Title XVIII, XIX, or XX of the Social Security Act or related state laws, or other disqualifying criminal conviction pursuant to program-specific rules or contract;

(b) When a provider is excluded from participation in federal or state health care programs by the Office of the Inspector General of DHHS or from the Medicare (Title XVIII) program of the Social Security Act as determined by the Secretary of DHHS. The provider shall be excluded and suspended from participation with the Authority for the duration of exclusion or suspension from the Medicare program or by the Office of the Inspector General; or

(c) If the provider fails to disclose ownership or control information required under 42 CFR part 455.104 that must be reported at the time the provider submits a provider enrollment form or when there is a material change in the information that must be reported, or information related to business transactions required to be provided under 42 CFR part 455.105 upon request of federal or state authorities.

(4) Discretionary Sanctions. When the Authority determines the provider fails to meet one or more of the Authority's requirements governing participation in its programs the Authority may impose discretionary sanctions. Conditions that may result in a discretionary sanction include, but are not limited to when a provider has:

(a) Been convicted of fraud related to any federal, state, or locally financed health care program or committed fraud, received kickbacks, or committed other acts that are subject to criminal or civil penalties under the Medicare or Medicaid statutes;

(b) Been convicted of interfering with the investigation of health care fraud;

(c) Been convicted of unlawfully manufacturing, distributing, prescribing, or dispensing a controlled substance or other potentially disqualifying crime, as determined under program-specific rules or contracts;

(d) By actions of any state licensing authority for reasons relating to the provider's professional competence, professional conduct, or financial integrity either:

(A) Had the professional license suspended or revoked, or otherwise lost such license; or

(B) Surrendered the license while a formal disciplinary proceeding is pending before the relevant licensing authority.

(e) Been suspended or excluded from participation in any federal or state program for reasons related to professional competence, professional performance, or other reason;

(f) Billed excessive charges including but not limited to charging in excess of the usual charge, furnished items or services in excess of the client's needs or in excess of those services ordered by a provider, or in excess of generally accepted standards or quality that fail to meet professionally recognized standards;

(g) Failed to furnish necessary covered services as required by law or contract with the Authority if the failure has adversely affected or has a substantial likelihood of adversely affecting the client;

(h) Failed to disclose required ownership information;

(i) Failed to supply requested information on subcontractors and suppliers of goods or services;

(j) Failed to supply requested payment information;

(k) Failed to grant access or to furnish as requested, records, or grant access to facilities upon request of the Authority or the MFCU conducting their regulatory or statutory functions;

(l) In the case of a hospital, failed to take corrective action as required by the Authority, based on information supplied by the QIO to prevent or correct inappropriate admissions or practice patterns, within the time specified by the Authority;

(m) In the case of a licensed facility, failed to take corrective action under the license as required by the Authority within the time specified by the Authority;

(n) Defaulted on repayment of federal or state government scholarship obligations or loans in connection with the provider's health profession education;

(A) Providers must have made a reasonable effort to secure payment;

(B) The Authority must take into account access of beneficiaries to services; and

(o) Repeatedly submitted a claim with required data missing or incorrect:

(A) When the missing or incorrect data has allowed the provider to:

(i) Obtain greater payment than is appropriate;

(ii) Circumvent prior authorization requirements;

(iii) Charge more than the provider's usual charge to the general public;

(iv) Receive payments for services provided to individuals who were not eligible; or

(v) Establish multiple claims using procedure codes that overstate or misrepresent the level, amount, or type of services or items provided.

(B) Does not comply with the requirements of OAR 410-120-1280.

(p) Failed to develop, maintain, and retain, pursuant to relevant rules and standards, adequate clinical or other records that document the client's eligibility and coverage, authorization (if required by program-specific rules or contracts), appropriateness, nature, and extent of the services or items provided;

(q) Failed to develop, maintain, and retain pursuant to relevant rules and standards, adequate financial records that document charges incurred by a client and payments received from any source;

(r) Failed to develop, maintain, and retain adequate financial or other records that support information submitted on a cost report;

(s) Failed to follow generally accepted accounting principles or accounting standards or cost principles required by federal or state laws, rules, or regulations;

(t) Submitted claims or written orders contrary to generally accepted standards of professional practice;

(u) Submitted claims for services that exceed the requested or agreed upon amount by the OHP client, the client representative, or requested by another qualified provider;

(v) Breached the terms of the provider contract or agreement;

(w) Failed to comply with the terms of the provider certifications on the claim form;

(x) Rebated or accepted a fee or portion of a fee for a client referral; or collected a portion of a service fee from the client and billed the Authority for the same service;

(y) Submitted false or fraudulent information when applying for an Authority-assigned provider number, or failed to disclose information requested on the provider enrollment form;

(z) Failed to correct deficiencies in operations after receiving written notice of the deficiencies from the Authority;

(aa) Submitted any claim for payment for which the Authority has already made payment or any other source unless the amount of the payment from the other source is clearly identified;

(bb) Threatened, intimidated, or harassed clients, client representatives, or client relatives in an attempt to influence payment rates or affect the outcome of disputes between the provider and the Authority;

(cc) Failed to properly account for a client's personal incidental funds including but not limited to using a client's personal incidental funds for payment of services which are included in a medical facility's all-inclusive rates;

(dd) Provided or billed for services provided by ineligible or unsupervised staff;

(ee) Participated in collusion that resulted in an inappropriate money flow between the parties involved;

(ff) Refused or failed to repay, in accordance with an accepted schedule, an overpayment established by the Authority;

(gg) Failed to report to Authority payments received from any other source after the Authority has made payment for the service; or

(hh) Collected or made repeated attempts to collect payment from clients for services covered by the Authority, under OAR 410-120-1280.

(5) A provider who has been excluded, suspended, or terminated from participation in a federal or state medical program, such as Medicare or Medicaid, or whose license to practice has been suspended or revoked by a state licensing board, may not submit claims for payment, either personally or through claims submitted by any billing agent or service, billing provider or other provider, for any services or supplies provided under the medical assistance programs, except those services or supplies provided prior to the date of exclusion, suspension or termination.

(6) Providers may not submit claims for payment to the Authority for any services or supplies provided by an individual or provider entity that has been excluded, suspended, or terminated from participation in a federal or state medical program, such as Medicare or Medicaid, or whose license to practice has been suspended or revoked by a state licensing board, except for those services or supplies provided prior to the date of exclusion, suspension or termination.

(7) When the provisions of sections (5) or (6) are violated, the Authority may suspend or terminate the billing provider or any provider who is responsible for the violation.

(8) Sanction Types and Conditions.

(a) A mandatory sanction imposed by the Authority pursuant to section (3) may result in any of the following:

(A) The provider shall either be terminated or suspended from participation in the Authority's programs. No payments of Title XIX, Title XXI or other federal or state funds shall be made for services provided after the date of termination. Termination is permanent unless:

(i) The exceptions cited in 42CFR part 1001.221 are met; or

(ii) Otherwise stated by the Authority at the time of termination.

(B) No payments of Title XIX, Title XXI, or other federal or state funds shall be made for services provided during the suspension. The Authority shall automatically reactivate the provider number y after the suspension period has elapsed if the conditions that caused the suspension have been resolved. The minimum duration of a suspension shall be determined by the DHHS Secretary, under the provisions of 42 CFR parts 420, 455, 1001, or 1002. The Authority may suspend a provider from participation in the medical assistance programs longer than the minimum suspension determined by the DHHS secretary.

(b) The Authority may impose the following discretionary sanctions on a provider pursuant to OAR 410-120-1400(4):

(A) The provider may be terminated from participation in the Authority's programs. No payments of Title XIX, Title XXI or other federal or state funds shall be made for services provided after the date of termination. Termination is permanent unless:

(i) The exceptions cited in 42 CFR part 1001.221 are met; or

(ii) Otherwise stated by the Authority at the time of termination.

(B) The provider may be suspended from participation in the Authority's programs for a specified length of time, or until specified conditions for reinstatement are met and approved by the Authority. No payments of Title XIX, Title XXI, or other federal or state funds shall be made for services provided during the suspension. The Authority shall automatically reactivate the provider number after the suspension period has elapsed if the conditions that caused the suspension have been resolved.

(D) The provider may be required to attend provider education sessions at the expense of the sanctioned provider;

(E) The Authority may require that payment for certain services are made only after the Authority has reviewed documentation supporting the services;

(F) The Authority may require repayment of amounts paid or provide for reduction of any amount otherwise due the provider; and

(G) Any other sanctions reasonably designed to remedy or compel future compliances with federal, state, or Authority regulations.

(c) The Authority shall consider the following factors in determining the sanction to be imposed. Factors include but are not limited to:

(A) Seriousness of the offense;

(B) Extent of violations by the provider;

(D) Prior imposition of sanctions;

(E) Prior provider education;

(F) Provider willingness to comply with program rules;

(G) Actions taken or recommended by licensing boards or a QIO;

(H) Adverse impact on the availability of program-specific or contract covered services or the health of clients living in the provider's service area; and

(I) Potential financial sanctions related to the non-compliance may be imposed in an amount that is reasonable in light of the anticipated or actual harm caused by the non-compliance, the difficulties of proof of loss, and the inconvenience or non-feasibility of otherwise obtaining an adequate remedy.

(d) When a provider fails to meet one or more of the requirements identified in OAR 943-120-0300 through 943-120-0400, the Authority, in its sole discretion, may immediately suspend the provider's Authority assigned billing number and any electronic system access code to prevent public harm or inappropriate expenditure of public funds.

(A) The provider subject to immediate suspension is entitled to a contested case hearing pursuant to ORS 183 to determine whether the provider's Authority assigned number and electronic system access code may be revoked; and

(B) The notice requirements described in section (5) of this rule do not preclude immediate suspension, in the Authority's sole discretion, to prevent public harm or inappropriate expenditure of public funds. Suspension may be invoked immediately while the notice and contested case hearing rights are exercised.

(e) If the Authority sanctions a provider, the Authority shall notify the provider by certified mail or personal delivery service of the intent to sanction. The notice of immediate or proposed sanction shall identify:

(A) The factual basis used to determine the alleged deficiencies and a reference to the particular sections of the statutes and rules involved;

(B) Explanation of actions expected of the provider;

(D) The provider's right to dispute the Authority's allegations and submit evidence to support the provider's position;

(E) The provider's right to appeal the Authority's proposed actions pursuant to ORS 183;

(F) A statement of the authority and jurisdiction under which the appeal may be requested and description of the procedure and time to request an appeal; and

(G) A statement indicating whether and under what circumstances an order by default may be entered.

(f) If the Authority decides to sanction a provider, the Authority shall notify the provider in writing at least 15 days before the effective date of action, except in the case of immediate suspension to avoid public harm or inappropriate expenditure of funds.

(g) The provider may appeal the Authority's immediate or proposed sanction or other actions the Authority intends to take. The provider must appeal this action separately from any appeal of audit findings and overpayments. These include but are not limited to the following:

(A) Termination or suspension from participation in the Medicaid-funded medical assistance programs;

(B) Termination or suspension from participation in the Authority's state-funded programs; or

(h) Other provisions:

(A) When a provider has been sanctioned, all other provider entities in which the provider has ownership of five percent or greater, or control of, may also be sanctioned;

(B) When a provider has been sanctioned, the Authority may notify the applicable professional society, board of registration or licensure, federal or state agencies, OHP, PHP's, and the National Practitioner Data Base of the findings and the sanctions imposed;

(C) At the discretion of the Authority, providers who have previously been sanctioned or suspended may or may not be re-enrolled as Authority providers;

(D) Nothing in this rule prevents the Authority from simultaneously seeking monetary recovery and imposing sanctions against the provider;

(E) Following a contested case hearing in which a provider has been found to violate ORS 411.675, the provider shall be liable to the Authority for treble the amount of payments received as a result of each violation.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0370

Requirements for Financial, Clinical, and Other Records

(1) The Authority shall analyze and monitor the operation of its programs and audit and verify the accuracy and appropriateness of payment, utilization of services, or items.

(2) The Authority shall comply with client coverage criteria and requirements for the level of care or service or item authorized or reimbursed by the Authority and the quality of covered services or items and service or item delivery, and access to covered services or items.

(3) The provider and the provider's designated billing service or other entity responsible for the maintenance of financial, service delivery, and other records must:

(a) Develop and maintain adequate financial and service delivery records and other documentation which supports the specific care, items, or services for which payment has been requested. The Authority may not make payment for services that are not adequately documented. The following documentation must be completed before the service is billed to the Authority:

(A) All records documenting the specific service provided, the number of services or items comprising the service provided, the extent of the service provided, the dates on which the service was provided, and identification of the individual who provided the service. Patient account and financial records must also include documentation of charges, identify other payment resources pursued, indicate the date and amount of all debit or credit billing actions, and support the appropriateness of the amount billed and paid. For cost reimbursed services, the provider must maintain adequate records to thoroughly and accurately explain how the amounts reported on the cost statement were determined.

(B) Service delivery, clinical records, and visit data, including records of all therapeutic services, must document the basis for service delivery and record visit data if required under program-specific rules or contracts. A client's clinical record must be annotated each time a service is provided and signed or initialed by the individual providing the service or must clearly identify the individual providing the service. Information contained in the record must be sufficient in quality and quantity to meet the professional standards applicable to the provider or practitioner and any additional standards for documentation found in this rule, program-specific rules, and any pertinent contracts.

(C) All information about a client obtained by the provider or its officers, employees, or agents in the performance of covered services, including information obtained in the course of determining eligibility, seeking authorization, and providing services, is confidential. The client information must be used and disclosed only to the extent necessary to perform these functions.

(b) Implement policies and procedures to ensure confidentiality and security of the client's information. These procedures must ensure the provider may release such information pursuant to program-specific federal and state statutes or contract, which may include but is not limited to, ORS 179.505 to 179.507, 411.320, 433.045, 42 CFR part 2, 42 CFR part 431 subpart F, 45 CFR 205.50, and ORS 433.045(3) with respect to HIV test information.

(A) A provider's electronic record-keeping system includes electronic transactions governed by HIPAA transaction and code set requirements and records, documents, documentation, and information include all information, whether maintained or stored in electronic media, including electronic record-keeping systems, and information stored or backed up in an electronic medium.

(B) If a provider maintains financial or clinical records electronically, the provider must be able to provide the Authority with hard-copy versions. The provider must also be able to provide an auditable means of demonstrating the date the record was created and the identity of the creator of a record, the date the record was modified, what was changed in the record and the identity of any individual who has modified the record. The provider must supply the information to individuals authorized to review the provider's records under subsection (e) of this rule.

(C) Providers may comply with the documentation review requirements in this rule by providing the electronic record in an electronic format acceptable to an authorized reviewer. The authorized reviewer must agree to receive the documentation electronically.

(d) Retain service delivery, visit, and clinical records for seven years and all other records described in this rule, program-specific rules and contract for at least five years from the date of service.

(e) Furnish requested documentation (including electronically recorded information or information stored or backed up in an electronic medium) immediately or within the time-frame specified in the written request received from the Authority, the Oregon Secretary of State, DHHS or other federal funding agency, Office of Inspector General, the Comptroller General of the United States (for federally funded programs), MFCU (for Medicaid-funded services or items), or the client representative. Copies of the documents may be furnished unless the originals are requested. At their discretion, official representatives of the Authority, Medicaid Fraud Unit, DHHS, or other authorized reviewers may review and copy the original documentation in the provider's place of business. Upon written request of the provider, the program or the unit, may, at its sole discretion, modify or extend the time for provision of such records if, in the opinion of the program or unit good cause for such extension is shown. Factors used in determining if good cause exists include:

(A) Whether the written request was made prior to the deadline for production;

(B) If the written request is made after the deadline for production, the amount of time lapsed since that deadline;

(D) The reasons the deadline cannot be met;

(E) The degree of control that the provider had over its ability to produce the records prior to the deadline; and

(F) Other extenuating factors.

(f) Except as otherwise provided access to records, inclusive of clinical charts and financial records does not require authorization or release from the client, if the purpose of the access is:

(A) To perform billing review activities;

(B) To perform utilization review activities;

(D) To facilitate service authorization and related services;

(E) To investigate a client's hearing request;

(F) To facilitate investigation by the MFCU or DHHS; or

(G) To review records necessary to the operation of the program.

(g) Failure to comply with requests for documents within the specified time-frame means that the records subject to the request may be deemed by the Authority not to exist for purposes of verifying appropriateness of payment, clinical appropriateness, the quality of care, and the access to care in an audit or overpayment determination, and subjects the provider to possible denial or recovery of payments made by the Authority or to sanctions.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0380

Fraud and Abuse

(1) Providers shall promptly refer all suspected fraud and abuse, including fraud or abuse by its employees or in Authority administration, to the MFCU, or to the Authority's audit unit.

(2) Providers must permit the MFCU and the Authority to inspect, copy, evaluate, or audit books, records, documents, files, accounts, and facilities, without charge, as required to investigate allegations or incidents of fraud or abuse.

(3) Providers aware of suspected fraud or abuse by a client must report the incident to the Authority's fraud unit.

(4) The Authority may share information for health oversight purposes with the MFCU and other federal or state health oversight authorities.

(5) The Authority may take actions necessary to investigate and respond to substantiated allegations of fraud and abuse including but not limited to suspending or terminating the provider from participation in the Authority's programs, withholding payments or seeking recovery of payments made to the provider, or imposing other sanctions provided under state law or regulations. Such actions by the Authority may be reported to CMS or other federal or state entities as appropriate.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-0400

MMIS Replacement Communication Plan

(1) The purpose of this rule is to describe the Authority’s plan for communicating instructions and guidance related to the Authority’s implementation of the replacement MMIS that began on December 9, 2008. System issues are anticipated to be identified for a period of time during and after implementation. This rule is adopted to be effective retroactively to December 9, 2008 for the purpose of providing continuity of all MMIS communication efforts throughout the transition implementation process and regular operations following the transition. By adopting this communication plan in rule, the Authority seeks to assure that eligible Authority clients receive all necessary and appropriate services, and that Authority providers and PHPs are correctly reimbursed for covered services provided to eligible clients.

(2) To the extent necessary to accomplish the purposes of this rule, the Authority shall provide guidance and instructions related to MMIS for providers and PHPs using its web site and MMIS provider announcements.

(a) In cases of limitations or system errors in the replacement MMIS, the Authority shall provide update information and important action required in concert with, or in place of, normal established procedures.

(b) In other cases, the Authority shall provide instructions and guidance about the use of revised or improved functionality that is available through the replacement MMIS, such as the use of the web portal.

(3) Providers and PHPs must follow all applicable instructions given on the Authority’s web page and any provider announcements for the dates specifically noted in the communications, or if a date is not specified, until further instructions are provided. Authority web site information and links to specific topics may be accessed at: http://www.oregon.gov/DHS/healthplan/tools_prov/main.shtml.

(4) This rule does not amend existing rules or contracts that require providers or PHPs to confirm eligibility, respond to requests for prior authorization, submit claims or encounter data, or comply with any other rule or contract that imposes obligations on a provider or PHP as a condition of receiving reimbursement for services. This rule is intended to provide assurance to providers and PHPs that the MMIS-related processes for meeting those obligations are being addressed by the Authority by providing guidance and instruction related to the provider’s or PHP’s interface with MMIS processes, and by identifying the resources providers and PHPs may use to obtain information during this time of transition to the replacement MMIS and during regular MMIS operations.

(5) The Authority shall work with providers and PHPs by providing instructions and guidance to assure that service delivery and reimbursement disruptions related to transition to the replacement MMIS are minimized. Providers and PHPs must appropriately document all eligibility, services, authorization, claims, and payment information during the transition time, and their efforts to comply with instructions and guidance provided by the Authority, so that reimbursement may be correctly provided.

(6) Providers and PHPs must immediately communicate to the Authority any issues they encounter that are not addressed in the Authority’s instructions or guidance in seeking eligibility information or activities related to reimbursement for services through MMIS, errors discovered in the correct amount of any reimbursement received for those services, or in applying the instruction or guidance to resolve an issue.

(7) After the transition period is complete, the Authority shall continue to implement this communication plan as long as necessary during regular MMIS operations in order to assist providers and PHPs with technical and system requirements of the replacement MMIS.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 414.065
Hist.: OHA 14-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 20-2011, f. 8-30-11, cert. ef. 9-1-11

943-120-1505

Audits and Overpayment Recovery

Providers or contractors receiving payments from or through the Oregon Health Authority are subject to audit or other post payment review procedures for all payments applicable to items or services furnished or supplied by the provider or contractor to or on behalf of the Authority or to its clients.

(1) The Authority adopts and incorporates by reference the rules established in OAR 407-120-1505, for those matters that involve providers or contractors of the Authority, except as otherwise provided in this rule. Audit rules and procedures from 407-120-1505 as incorporated into this rule ensure proper payments were made by the Authority based on requirements applicable to covered services and promote program integrity.

(2) Any reference to OAR 407-120-1505 in rules or contracts of the Authority are deemed to be references to the requirements of this rule, and shall be construed to apply to providers or contractors receiving payments from or through the Authority.

(3) The Authority authorizes the Department to act on its behalf in carrying out audits and establishing overpayment amounts associated with the administration of programs or activities administered by the Authority.

(4) Provider appeals for the Authority shall be handled by the Authority under the procedures set forth in OAR 407-120-1505. References to “the OPAR Administrator” or “the Administrator” are hereby incorporated as references to “the Authority Director.”

[Publication: Publications referenced are available from the agency.]

Stat. Auth.: ORS 413.042 & 2009 OL Ch. 595, § 9–25
Stats. Implemented: ORS 411.010, 413.032, 414.065 & 414.715
Hist.: OHA 15-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 21-2011, f. 8-31-11, cert. ef. 9-1-11

The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State. Terms and Conditions of Use