Current through Register Vol. 50, No. 9, September 20, 2024
A. Any entity wishing to provide F/EA services shall meet all of the standards for participation contained in this Rule, unless otherwise specifically noted within these provisions.
B. The F/EA shall also abide by and adhere to any federal and state law, Rule, policy, procedure, performance agreement, or other state or federal requirements pertaining to the provision of F/EA services.
C. Failure to comply with the requirements of these standards for participation may result in the following actions including, but not limited to:
1. recoupment of funds;
2. sanctions for violations/non-performance as outlined in the performance agreement;
3. citation of deficient practice and plan of correction submission;
4. removal from the F/EA freedom of choice list; or
5. decertification as an F/EA and termination of the F/EA's Medicaid provider enrollment.
D. The F/EA shall make any required information or records, and any information reasonably related to assessment of compliance with these requirements, available to LDH.
E. The F/EA shall, upon request by LDH, make available the legal ownership documents of the F/EA.
F. The F/EA must comply with all of LDH's systems/software requirements, including the following:
1. The F/EA is required to transmit all non-proprietary data which is relevant for analytical purposes to LDH on a regular schedule in XML format.
a. Final determination of relevant data will be made by LDH based on collaboration between all parties;
b. The schedule for transmission of the data will be established by LDH and dependent on the needs of LDH related to the data being transmitted;
c. XML files for this purpose will be transmitted via secure file transfer protocol (SFTP) to LDH; and
d. Any other data or method of transmission used for this purpose must be approved via written agreement by all parties.
2. The F/EA is responsible for procuring and maintaining hardware and software resources which are sufficient for it to successfully perform the services detailed in this Rule.
3. The F/EA shall adhere to state and federal regulations and guidelines as well as industry standards and best practices for systems or functions required to support the requirements of this Rule.
4. Unless explicitly stated to the contrary, the F/EA is responsible for all expenses required to obtain access to LDH systems or resources which are relevant to successful completion of the requirements of this agreement. The F/EA is also responsible for expenses required for LDH to obtain access to the F/EA's systems or resources which are relevant to the successful completion of the requirements of this agreement. Such expenses are inclusive of hardware, software, network infrastructure, and any licensing costs.
5. The F/EA must ensure that all confidential or protected health information is encrypted to Federal Information Processing Standards (FIPS) 140-2 standards when at rest or in transit.
6. The F/EA shall ensure appropriate protections of shared personally identifiable information (PII), in accordance with 45 CFR § 155.260.
7. The F/EA shall ensure that its system is operated in compliance with the Centers for Medicare and Medicaid Services' (CMS) latest version of the minimum acceptable risk standards for exchanges (MARS-E) document suite.
8. Multi-factor authentication is a CMS requirement for all remote users, privileged accounts, and non-privileged accounts. In this context, remote user refers to staff accessing the network from offsite, normally with a client virtual private network (VPN) with the ability to access Medicaid and PII data.
9. A site-to-site tunnel is an extension of LDH's network. If the agent utilizes a VPN site-to-site tunnel and also has remote users who access CMS data, the agent is responsible for providing and enforcing multi-factor authentication.
10. The F/EA owned resources must be compliant with industry standard physical and procedural safeguards (NIST SP 800-114, NIST SP 800-66, NIST 800-53A, ISO 17788, etc.) for confidential information (i.e., Health Information Technology for Economic and Clinical Health (HITECH), Health Insurance Portability and Accountability Act (HIPAA) Part 164).
11. Any F/EA use of flash drives or external hard drives for storage of LDH data must first receive written approval from LDH and upon such approval shall adhere to FIPS 140-2 hardware level encryption standards.
12. All F/EA utilized computers and devices must:
a. be protected by industry standard virus protection software that is automatically updated on a regular schedule;
b. have installed all security patches which are relevant to the applicable operating system and any other system software; and
c. have encryption protection enabled at the operating system level.
G. F/EAs shall, at a minimum:
1. demonstrate administrative capacity and the financial resources to provide all core elements of financial management services and ensure effective service delivery in accordance with state and federal requirements;
2. have appropriate F/EA staff attend trainings, as mandated by LDH;
3. document and maintain records in accordance with federal and state regulations governing confidentiality and program requirements; and
4. assure that the F/EA will not provide both financial management services and support coordination or personal care services in Louisiana.
H. Abuse and Neglect. Fiscal employer agencies shall establish policies and procedures relative to the reporting of abuse, neglect, exploitation, and extortion of participants, pursuant to the provisions of R.S. 15:1504-1505, R.S. 40:2009.20 and any subsequently enacted laws. The F/EA shall ensure that staff complies with these regulations.
AUTHORITY NOTE: Promulgated in accordance with R.S. 36:254 and Title XIX of the Social Security Act.