(A) Each managed care plan (MCP) must have administrative and management arrangements or procedures, including a mandatory compliance plan, to guard against fraud and abuse.
(1) These arrangements or procedures must include the implementation of sound business practices which support appropriate access to and appropriate payment for quality services and must include the following:
(a) Written policies, procedures, and standards of conduct that articulate the MCP's commitment to comply with all applicable federal and state standards, including the prevention, identification, investigation, correction, and reporting of fraud and abuse;
(b) Designation of a compliance officer and a compliance committee that are accountable to senior management;
(c) Effective training and education for the compliance officer and the MCP's employees;
(d) Effective lines of communication between the compliance officer and the MCP's employees. To ensure effective communication, the MCP must organize resources to respond to complaints of fraud and abuse and have established procedures to process these complaints;
(e) Education of providers and delegated entities about fraud and abuse;
(f) Enforcement of MCP standards through well-publicized disciplinary guidelines;
(g) Provision for internal monitoring and auditing, including procedures to monitor service patterns of providers and subcontractors;
(h) Establishment and/or modification of internal MCP controls to ensure the proper submission and payment of claims;
(i) Provision for prompt response to detected offenses, and for development of corrective action initiatives relating to the MCP's contract; and
(j) Prompt reporting of all instances of suspected provider fraud and abuse to the Ohio department of medicaid (ODM) and suspected member fraud and abuse to ODM's bureau of program integrity.
(2) These arrangements or procedures must be made available to ODM upon request.
(3) The MCP must annually submit to ODM a report that summarizes the MCP's fraud and abuse activities for the previous year and identifies any proposed changes to the MCP's fraud and abuse program for the coming year.
(B) ODM or its designee, the state auditor's office, the state attorney general's office, and the U.S. department of health and human services may evaluate or audit a contracting MCP's performance for the purpose of determining compliance with the requirements of Chapter 5160-26 of the Administrative Code, fraud and abuse statutes, applicable state and federal regulations or requirements under federal waiver authority.
(C) ODM or its designee may conduct on-site audits and reviews as deemed necessary based on periodic analysis of financial, utilization, provider panel, and other information.
(D) The MCP must submit required reports and additional information, as requested by ODM, as related to its duties and obligations and where needed to ensure operation in accordance with all state and federal regulations or requirements.
(E) If the MCP fails to submit any ODM-requested materials, as specified in paragraph (D) of this rule, without cause as determined by ODM, on or before the due date, ODM may impose any or all of the sanctions listed in rule 5160-26-10 of the Administrative Code.
(F) Record retention.
The MCP and its subcontractors shall retain and safeguard all hard copy or electronic records originated or prepared in connection with the MCP's performance of its obligations under the provider agreement, including but not limited to working papers or information related to the preparation of reports, medical records, progress notes, charges, journals, ledgers, and fiscal reports, in accordance with applicable sections of the federal regulations, the Revised Code, and the Administrative Code. Records stored electronically must be produced at the MCP's expense, upon request, in the format specified by state or federal authorities. All such records must be maintained for a minimum of eight years from the renewal, amendment or termination date of the provider agreement. As specified in 42 C.F.R. 438.3 (October 1, 2016), beginning January 1, 2018 such records must be maintained for a minimum of ten years from the renewal, amendment or termination date of the provider agreement. In the event the MCP has been notified that state or federal authorities have commenced an audit or investigation of the provider agreement, records must be maintained until such time as the matter under audit or investigation has been resolved. For the initial three years of the retention period, the MCP and its subcontractors must store the records in a manner and place that provides readily available access.
Five Year Review (FYR) Dates: 04/14/2017 and 07/01/2022
Promulgated Under: 119.03
Statutory Authority: 5167.02
Rule Amplifies: 5162.03, 5164.02, 5164.70, 5167.03, 5167.10
Prior Effective Dates: 4/1/85, 2/15/89 (Emer), 5/8/89, 5/1/92, 5/1/93, 11/1/94, 7/1/96, 7/1/97 (Emer), 9/27/97, 12/10/99, 7/1/00, 7/1/01, 7/1/03, 7/1/04, 10/31/05, 6/1/06, 7/1/13, 2/1/15