OFFICE OF INSPECTOR GENERAL ‘TEXAS HEALTH & HUMAN SERVICES COMMISSION STUART W. BOWEN, JR. INSPECTOR GENERAL October 22, 2015 Planned Parenthood Spring Health Center 4747 Loretta Road Spring, Texas 77388 Request for Client Records - Planned Parenthood Spring Health Center Dear Custodian of Records: The Texas Health and Human Services Commission (Commission), Office of Inspector General (OIG), Inspections and Evaluations Division is conducting an inspection related to certain claims Paid by the Medicaid program and filed by or on behalf of Planned Parenthood Spring Health Center. As provided by section 531.102 of the Texas Government Code, OIG is authorized to evaluate the need for, the quality and the timeliness of all Medicaid services. OIG ensures compliance with all Medicaid statutes, rules, regulations, policies and procedures on the behalf of the Commission. We have selected for inspection services billed under your provider number(s) to the Medicaid program. This letter is a request for records pursuant to 1 Texas Administrative Code (TAC) § 371.1667. Consistent with the requirements of 42 CFR § 431,107(6)(1) and (2), you entered into a provider agreement with the Medicaid program under which you agreed to both retain and make records available as requested by the single state Medicaid agency. This requirement to retain records, and to produce the records upon request, is also included in the October 2015 Texas Medicaid Provider Procedures Manual at Section 1.6.3 Retention of Records and Access to Records and Premises. Section 1.6.3 of the Manual requires that “[rlequested records must be provided promptly and at no cost to the state.” For dates of service from November 1, 2010 through September 30, 2015, please provide a complete copy of the entire original client revord for each of the clients who are named on the attached list. The attached records request list is made a part of and is incorporated by reference into this request. Once you have made a complete copy of the entire original client record (please do not use staples or paper clips on the copies), you must place each copied client record into a labeled manila folder. OIG will provide you with manila folders and pre-printed labels for your convenience, P.O.Box 13247 Austin, Texas 78711 # 1150) Bumet Rd, Building 902, Austin, Texas 78758 © (S12)491-2000Planned Parenthood Spring Health Center October 22, 2015 Page 2 If the records are available in electronic searchable format, please provide the records in that format and on encrypted password protected CD dise(s), USB flash drive(s), or an external hard drive. The passwords must be sent by secured email to David, Holmeren@hhse.state.tx.us In this ‘e-mail, please make sure to also include the name of any software needed to access the tecords and the software manufacturer’s contact information. Please note the copies of the client records must be complete, exact duplicates of the original records as they exist at the time you are notified of this request. Please also note that, while OIG is presently requesting medical records only relating to the clients on the attached list, OIG may expand this request to include additional clients within these same dates of service at a later time. Therefore, pursuant to the requirements of the October 2015 Texas Medicaid Provider Procedures Manual at Section 1.6.3 (titled “Retention of Records and Access to Records and Premises”) you are notified of your continuing obligation to retain all records for any client with dates of service between November 1. 2010 through September 30, 2015 until all audit questions, appeal hearings, inspections, or court cases are resolved. ‘The responsive client records being sought must include all documents held by Planned Parenthood Spring Health Center that relate to items or services this entity has billed to the Medicaid Program. The client records must include all documentation to ‘support that the services billed to Medicaid were medically necessary, provided in a quality manner and billed appropriately. Accordingly, the client records that are responsive to this request include, but are not limited to, the following: physician orders; progress notes; personal clinical notes; nurses’ notes; procedure reports: Iaboratory and/or diagnostic testing and results; radiology testing and results/interpretations; charts; graphs; super-bills; and any other document(s) made by or on behalf of Planned Parenthood Spring Health Center, as part of normal business practices for each of the clients for the dates specified, and that support or document the services billed to the Medicaid program by or on behalf of Planned Parenthood Spring Health Center. For the same period of time, please provide the following business records:Planned Parenthood Spring Health Center October 22, 2015 Page 3 ‘* acomplete roster of all owners and employees (current and former), their credentials, job titles, functions/duties, dates of hire and/or termination, professional license numbers (if applicable), home address, home phone number, salary, and any bonuses ot incentives ‘any owner or employee received for the same time period noted above; + 4 copy of all contractual agreements, including the names, addresses and phone numbers of individuals, subcontractors or business entities that perform billing services, laboratory testing, or any diagnostic testing that produces interpretations or visual results, or that electronically transmits patient health information; ‘+ 2 signature sheet for any person providing services to clients at a facility owned or operated by one of the above entities during the time period noted above; * copies of your patient appointment books, schedules, and patient sign in sheets for the time period noted above; * documentation which demonstrates financial ownership of Planned Parenthood Spring Health Center for the time period noted above; + copies of all contracts of sale for Planned Parenthood Spring Health Center (specifically, a signed agreement that includes the identification of both previous and current owners), ifapplicable; and * at my discretion, any additional documentation that is requested verbally while you are in the process of complying with this written request. In accordance with 1 TAC § 371.1667, OIG may impose sanctions if you fail or refuse to provide the documents that are responsive to this request. Possible sanction actions include vendor hold and exclusion from participation as a provider in the Texas Medicaid and other federally-funded health care programs until the matter is resolved. In the event of any such sanction action, separate notice will be provided as required by the cited authorities. The copies of all documents being tured over to me must be accompanied by a completed and notarized Records Affidavit. I will assist you with the completion of this affidavit, Additionally, for your protection you will sign an Evidence Receipt(s) that describes in detail the items that you are providing to me. Absent a subsequent written agreement between OIG and Planned Parenthood Spring Health Center that states otherwise, the deadline for providing the requested client records and business documents is Friday, October 23, 2015 at 10:00 a.m. This deadline also applies to any additional records and/or documentation I request verbally and deem necessary to assist in this inspection.Planned Parenthood Spring Health Center October 22, 2015 Page 4 Please contact the undersigned in the event of any questions or concems. Your assistance is greatly appreciated. Sincerely, R. David > Hoban Deputy Inspector General for Inspections and Evaluations Office of Inspector General Telephone: 512-491-4000 Attachmentitructions for Recor rds Request from OIG-MPI Retrieve all pationt/client and business records ‘dentiied on the: + Patient/Client Record Inventory Form; + Business Records Inventory Form; and + Miscellaneous Items Form Rettieve any adltional documents that were verbally requested by the MPI 5 lovestigator }) copy of all of these documents, ensuring they are an exact duplicate of I (no staples or paper clips). Place the copies of patient/client records. in separate manila folders which will be Brovided to you. Use the pre-printed labels provided to properly identiy each patienV/client record, Put the les in order according the patient number. Verity transfer of the requested records with the MPI Investigator for consensus by both parties, Complete the Records Affidavit and Evidence Receipt form with the guidance provided by the MPI Investigator. Turn over requested records to the MPI Investigator. For electronic records or images, please provide the data on compact disc(s) or flash drive(s). On the electronic media, please place the electronic records for each patient in a separate file folder that is identified by LAST NAME, FIRST NAME, Ml (if necessary to determine similar names). Please make certain that the electronic images are saved in commonly recognized formats such as pdt, tif, or rpg: DO NOT CREATE A SEPARATE CD FOR EACH PATIENT. For radiographs, please make certain that the radiographic images exported or transferred to digital media for storage can be identified by the PATIENT NAME, DOB AND DATE OF SERVICE (DOS). Each radiograph provided must be identifiable in this manner. Most dental imaging software allows for this data to be captured directly ‘on the image. If your system does not, then you must identify and save the FILE NAME for the image in the following format: LAST NAME_FIRST NAME_XR_DOS. Consult your software help desk, if necessary. If your software system does not allow you to export or transfer this information with the tadiograph, you may copy the radiographs onto photo-quality paper. As above, the photo-quality copy of each radiograph must be identified by Patient Name and DOS. if you have any questions or concerns about whether your data is in an acceptable format, please contact the investigator prior to beginning this process, You may contact the fevsstoater at (719) 210-9293,OFFICE OF INSPECTOR GENERAL ‘Texas HEALTH & HUMAN SERVICES COMMISSION Stung W, Bowen, Ja INSPECTOR GENERAL March 12, 2015 To: All Texas Medicaid Providers Ret Access to Clinical Records by Investigators of the Texas Health and Human Services ‘Commission’s Office of Inspector General ‘The purpose of this letter is to clarify the issue of access to clinical records by investigators of the Texas Health. ‘and Human Services Commission's (HHSC) Office of Inspector General. Providers must release Medicaid Patient information promptly on request to HHSC investigators as directed by their provider agreements with the Medicaid program, and as required under State and Federal law. HHSC is required by both federal and state law to investigate potential fraud and abuse in the Medicaid Program, See 42 CFR § 455.13, and Texas Govt Code § 531.102. As @ Medicaid provider, you are required to ‘cooperate with HFISC in such investigations by providing, upon request, records necessary to disclose the extent of services provided to Medicaid recipients. See 42 CFR § 431.107, Texas Gov't Code § 531.102(2), HHSC Medicaid Provider Agreement §§ 1.1 and 1.2.3, and 2015 Texas Medicaid Provider Procedure Manual §§ 1.6.3. The Medicaid recipient's consent or authorization for the release of such information to HHSC investigators is ‘not required. See 2015 Texas Medicaid Provider Procedure Manual § 1.6.4 ‘The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not require the consent or authorization of Medicaid recipients forthe release of protected health information (PHD to HHSC investigators. See 45 CFR $§ 164.512(a) (disclosures required by law), 45 CFR §§ 164.512(4) (disclosures for health oversight activities), and 45 CFR §§ 164.512(f (disclosures for law enforcement purposes). [have attached the Centers for Medicare & Medicaid Services’ leter S&C-03-15. This etter provides additional information explaining the appropriateness of providing PHI to HSC investigators upon request and without the consent or authorization ofthe Medicaid recipient, in full compliance with and as authorized by HIPAA. If you have any questions regarding the content of this leter, please contact HHSC HIPAA Privacy Office, at 512-491-1408, Sipoerty, ie gq ; ‘Stuart W. Bowén, Jr. BO. Box 85200, Austin, Texas 78708 + (512) 401-2000DEPARTMENT OP HEALTH te HUMAN SERVICES. Centers for Medicare & Medicatd Services 7300 Security Boulevard, Mail Stop 32-26-12 Baltimore, Maryland 2124-1850 Center for Medicaid and State Operations, Ref: S&C-O3-15 DATE: Marcht4, 2603 FROM: Director ‘Survey and Certification Group SUBJECT: Review of Protected Health Information and Applicability of Business Associate Agreements Under the Health Insurance Portability and Accountability Act (HIPAA) for the Purposes of Survey and Certification TO: Survey and Certification Regional Office Management (G-5) State Survey Agency Directors ‘The purpose of this letter is to provide guidance regarding the appropriateness of executing business associate agreements between the state survey agencies (SAs) and providers, and the provision of individually identifiable health care information during surveys under the HIPAA. Privacy Rule, Several SAs have received requests fom providers to enter into business associate agreements, which were addressed in the “Standards for Privacy of Individually Identifiable Health Information” (HIPAA Privacy Rule) published December 28, 2000, and most recently amended August 14, 2002 (65 Fed. Reg. 82462, as modified by 67 Fed. Reg. $3182). Additionally, several providers have expressed concer over the release of protected health information (PHT) to surveyors under the HIPAA Privacy Rule. ‘The Administrative Simplification provisions of HIPAA apply to health plans, health care clearinghouses, and health care providers that transmit individually identifiable health information in electronic form. ‘While the HIPAA Privacy Rule provides for certain privacy rights for the subjects of PHI, those rights have fimitations. For example, the HIPAA Privacy Rule provides that PHI may be used and disclosed without the authorization of the subject of that information to the extent a law requires the production of that information. (See 45 CFR 164.512(a)). The HIPAA Privacy Rule also provides that PHI may be used and disclosed without the authorization of the subject of that information for health oversight activities that are authorized by law. Examples are inspection, icensure and other activities necessary for the appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining, compliance with program standards. (See 45 CFR 164.512(4)Page 2- Survey and Ceificaton Regional Office Management (G-5); State Survey Agency Directors To the extent that the information sought is PHI for survey and certification work that is ‘esponsive to a law that requires the production of that information, or ta the extent the information sought is for health oversight activities authorized by law, the surveyed entity does ‘tot need to receive an authorization prior to releasing the necessary PHL to the SA under the HIPAA Privacy Rule, Government regulatory programs that function as health oversight agencies that need PHI to determine a facility's compliance with program standards do not need to obtain an individual's authorization to use that individual’s health records forthe appropriate oversight of entities, Subject to that program's regulation, The health oversight agency must limit its uses and ‘iselosures of this PHI to the minitnum necessary to accomplish the program's regulatory Purpose, and it may not use records obtained under this exception to investigate the individual \whase records they have obtained. Disclosures made pursuant to a law that mandates the production of information are not subject to any limitations under the HIPAA Privacy Rule so tong as the diselosure complies with and is limited to the relevant requirements of such law. {1 summary, to the extent that the information sought by an SA is PHI for survey and certification work that is either 1) required by law or 2) for health care oversight activities, the Surveyed entity does not need to receive an authorization prior to releasing the necessary PHit to the SA- Furthermore, surveyed entities do not need to execute a business associate agreement With SAs prior to releasing PHI as SAs are not business associates of the surveyed entities under the HIPAA Privacy Rule definition of “business associate.” SAs do not conduct a function or activity ofthe surveyed entity on the surveyed entity's behalf. (See 45 CFR 160.103). ‘We have atached a suggested template for use by the SAS in response to requests to take part in business associate agreements with providers, and to address provider's concerns over the release of PHI for oversight activities. Effective Date: April 14,2003 Tralnings The information contained in this announcement should be shared with all survey and certification staff, their managers and the state/RO training coordinator. ty Steven A. Pelovitz ‘Attachment