(a) Management information system. Managed care organizations
(MCOs) and comprehensive provider agencies must ensure their management
information systems provide timely, accurate, and accessible information
that supports clinical, administrative, and fiscal decision-making.
(b) Maintenance of medical records. MCOs and comprehensive
provider agencies must ensure:
(1) protection against unauthorized access, disclosure,
modification, or destruction of medical records, whether accidental
or deliberate;
(2) the availability, integrity, utility, authenticity,
and confidentiality of information within the medical record;
(3) a current, organized, legible, and comprehensive
records system that:
(A) conforms to good professional practice;
(B) permits effective clinical review and audit; and
(C) facilitates prompt and systematic retrieval of
information;
(4) a medical records system with sufficient redundancy
to ensure access to individual records; and
(5) a medical records system that ensures compliance
with applicable federal and state laws, rules, and regulations, including
the Health Insurance Portability and Accountability Act and 42 CFR
Part 2.
(c) Documentation retention. A comprehensive provider
agency must maintain all records necessary to fully disclose the services
delivered. These records must be retained for a period of ten years
from the date of the service, or until all audit questions are resolved,
whichever is longer. Records and supporting information regarding
any payment of claims, as well as premises access, must be made available
to HHSC, HHSC OIG, the federal Health and Human Services, the State
Auditor's Office, or any person acting on behalf of such entity, upon
request.
(d) Disaster recovery plan. A comprehensive provider
agency must maintain a written disaster recovery plan for information
resources in order to ensure service continuity, and must implement
the plan as necessary.
|