Skip to Main Content

Compliance

The following are member rights in accordance with 42 CFR Section 438.100:

  • Be treated with respect and with recognition of the member’s dignity and need for privacy. (42 CFR 438.100.(b)(2)(ii));
  • The right to privacy includes protection of any information that identifies a particular member except when otherwise required or permitted by law.
  • The Health Plan and its providers must ensure the confidentiality of health, service, and medical records and of other member information. (Refer to the Medical Records Requirements included in AHCCCS AMPM Policy 940 of the AHCCCS AMPM Chapter 900).
  • Receive required information in a manner and format that may be easily understood and is readily accessible. (42 CFR 438.10.c.1);
  • Notified that oral interpretation is available for any language and written information is available in prevalent languages, that auxiliary aids and services are available upon request at no cost to the member and how to access those services. (42 CFR 438.10.d.5);
  • Receive information on available treatment options and alternatives, presented in a manner appropriate to the Member’s condition and ability to understand (42 CFR 438.100(b)(2)(iii));
  • Participate in decisions regarding their health care, including the right to refuse treatment (42 CFR 438.100(b)(2)(iv));
  • Be free from any form of restraint or seclusion used as a means of coercion, discipline, convenience, or retaliation (42 CFR .438100(b)(2)(v));
  • Request and receive a copy of their medical records, and to request that the record be amended or corrected, as specified in 45 CFR part 164.524 and 164.526 and applicable state law (42 CFR 438.100(b)(2)(vi)); and
  • Free to exercise their rights and that the exercise of those rights shall not adversely affect service delivery to the Member (42 CFR 438.100(c)).

The Health Plan recognizes the member rights and responsibilities as set forth in 42 CFR 438.100. The expectation is that all providers are informed and have implemented processes to ensure that all elements described in Policy 930 are an integral part of their operation. 

The Health Plan and its providers must respond to the unique cultural, ethnic, and linguistic characteristics of the population they serve to ensure that services are culturally responsive for all members.

The Health Plan has adopted the Culturally and Linguistically Appropriate Services in Health Care (National CLAS Standards; 45 CFR § 92.201, 42 CFR 438.10; Affordable Care Act Section 1557) as its cultural responsiveness framework to support a more consistent, empathic, and comprehensive approach to cultural and linguistic responsiveness in health care. By tailoring services to an individual's culture and language preference, health professionals can help bring about positive health outcomes for diverse populations. Providers are required to adhere to and implement the CLAS standards to comply with Cultural Responsiveness Health Care Requirements. The National CLAS Standards can be obtained and reviewed at https://thinkculturalhealth.hhs.gov/clas/what-is-clas.

The Health Plan makes available tools for individual and organizational self-assessments related to cultural and linguistic responsiveness. Providers who are interested in assessing their organization may email azchculturalaffairs@azcompletehealth.com for more information.

What is Culture?

Culture refers to integrated patterns of human behavior that include the language, thoughts, communications, actions, customs, beliefs, values, and institutions of racial, ethnic, religious, or social groups. Culture defines the preferred ways for meeting needs and may be influenced by factors such as geographic location, lifestyle, and age. Culture is dynamic in nature, and individuals may identify with multiple cultures over the course of their lifetimes.

AHCCCS defines Cultural Competency as “A set of congruent behaviors, attitudes and policies that come together in a system, agency, or among professionals, which enables that system, agency, or those professionals to work effectively in cross-cultural situations. Culture refers to integrated patterns of human behavior that include the language, thoughts, communications, actions, customs, beliefs, values, and institutions of racial, ethnic, religious, or social groups. Competence implies having the capacity to function effectively as an individual and an organization with the context of the cultural beliefs, behaviors and needs presented by consumers and their communities.” Additionally, this includes health status, national origin, sex, gender, gender diversity, sexual orientation, and age.

Culturally Responsive Care

The Health Plan and its providers must ensure that cultural considerations are being integrated in approaches-interventions to member and family care. Culturally responsive health care incorporates cultural considerations that include, but are not limited to the following: ethnicity, race, age, gender diversity, sexual orientation, geographical location, economic status, military experience, physical/emotional/mental abilities, literacy, primary/preferred languages, spiritual beliefs and practices, communities, family roles, and English proficiency, and health-related social needs/desires. To comply with the Culturally Responsive Care requirements, the Health Plan and its providers must provide culturally relevant, responsive, and appropriate services for all members and families. They must be treated fairly without regard to age, ethnicity, race, sex, religion, national origin, creed, tribal affiliation, ancestry, gender identitydiversity, sexual orientation, marital status, genetic information, socio-economic status, physical or intellectual disability, ability to pay, mental illness, and/or cultural and linguistic need. Culturally responsive health care enables individuals and organizations to respond respectfully and effectively in a manner that recognizes, affirms, and values their worth, and is person-family-centered. Being culturally responsive requires having the ability to understand cultural differences, recognize potential biases, and look beyond differences to work productively with children, adults, families, and communities whose cultural contexts are different from one’s own. Cultural Competency Program representatives develop, establish, and monitor programs for members that meet the cultural contractual requirements established by the Arizona Health Care Cost Containment System (AHCCCS). For more information on cultural and linguistic services provided by the Health Plan or cultural community resources, contact the Health Plan Cultural Competency Program at azchculturalaffairs@azcompletehealth.com.

Organizational Supports for Cultural and Linguistic Need

Under State guidance, and to comply with the Organizational Supports for Cultural Competence, the Health Plan and providers must:

  • Conduct ongoing assessments of the organization’s CLAS-related activities and integrate CLAS-related goals/objectives into measurement and continuous quality improvement activities.
  • Create conflict and grievance resolution processes that are culturally and linguistically appropriate to identify, prevent, and resolve conflicts or complaints.
  • Consult with diverse groups to develop relevant communications, outreach and marketing strategies that review, evaluate, and improve service delivery to diverse individuals, families, and communities, and address disparities in access and utilization of services.

Workforce Development and Training

Providers are required to:

  • Recruit, retain, promote, and support culturally and linguistically diverse representation within all levels of the organization that is responsive to the population in the service area(s) and reflects the cultural background of members served.
  • Provide new hire, ongoing, and annual cultural competency training to the workforce. This includes addressing the requirements in the Cultural Competency section of the Provider Manual, the CLAS Standards, and the NCQA Standards, which include but are not limited to the use of language assistance and alternative formats for members with Limited English Proficiency (LEP), diversity awareness, health equity, health literacy, equity, bias diversity, inclusion, cultural humility, and culturally relevant topics customized to meet the needs of their service area(s). Providers must maintain full compliance with all mandatory Cultural Competency trainings (see Section 15 — Training Requirements) and verify that staff at all levels and across all disciplines receive the ongoing education and training in culturally and linguistically appropriate service delivery.
  • Ensure all staff have access to resources for Members with diverse cultural needs.

Documenting Clinical Cultural and Linguistic Need

To advance health literacy, reduce health disparities, and identify the individual’s unique needs, providers are required to do the following:

  • Providers must document in a member’s medical record if the person has a preferred language other than English. Maintain documentation within the medical record of oral interpretation provided in a language other than English- by certified bilingual staff or an interpretation vendor. Documentation must include the date of service, interpreter name, type of language provided, interpretation duration, and type of interpretation assistance provided.
  • Providers must document the language not only of the Member but also of the guardian or legal appointed representative if the Member care requires the presence of a legal parent or guardian who does not speak English (e.g., when the patient/Member is a minor or severely disabled).
  • Collect and maintain accurate and reliable cultural (for example: age, ethnicity, race, national origin, sex, gender identity, sexual orientation, tribal affiliation, refugee status, veteran status, disability) and linguistic (for example, primary language, preferred language, language spoken at home,) needs within the medical records to inform service delivery;

Communication and Language Assistance

In accordance with Title VI of the Civil Rights Act, Prohibition against national Origin Discriminations, the President’s Executive Order 131166, section 1557 of the Patient Protection and Affordable care Act, the Health Plan and its providers must make language assistance available to persons with Limited English Proficiency (LEP) at all points of contact during all hours of operation. Oral interpretation, American Sign Language, alternative formatting, augmentative-alternative communication device, and written translation are provided at no charge to AHCCCS eligible persons.

Members must be provided with information instructing them how to access language assistance. Per federal laws, providers must post nondiscrimination notices and language assistance taglines in lobbies and on websites. Language assistance taglines notify individuals of the availability of language assistance in at least the top 15 languages utilized in Arizona as identified by the ACA 1557 and include at least one tagline in conspicuously visible font. Nondiscrimination notices and taglines must also be included in correspondence sent to the member. For more information on what specific information needs to be included in the nondiscrimination notice and taglines, reference CMS and the Code of Federal Regulations.

In order to ensure competence and proficiency of those providing language assistance, the Health Plan requires that persons who provide oral interpretation and written translation are certified through language testing by ALTA Services or another approved language testing vendor with a score of eight (8) or higher (if using a different vendor, a comparable score is required) to be considered qualified, with a higher level of proficiency needed for the provision of more complex communication, such as psychiatric services and psychological testing, and medical care. If using ALTA Services for testing, providers can register for testing at http://www.altalang.com. The charge for the testing is the provider agency’s responsibility. Certificates of proficiency indicating level/testing scores shall be maintained in personnel records and/or subcontractor’s files and made available to the Health Plan. The Health Plan will audit providers to verify they are using certified bilingual staff at the appropriate level of proficiency to provide language assistance or that they are using a language vendor.

The providers are responsible for ensuring interpretation is arranged for each applicable appointment.

  • The best practice for providing language assistance is to have certified bilingual staff available to meet the language assistance needs.
  • For oral interpretation and American Sign Language, if a provider does not have certified bilingual staff or licensed American Sign Language interpreters available, the provider may utilize the interpreters that are provided by Arizona Complete Health-Complete Care Plan language vendors at no cost to providers or members. However, providers are required to contract with language vendors to meet these needs when Arizona Complete Health-Complete Care Plan vendors or staff are not able to secure interpretation for any reason. [Please note for after business hours access to telephone interpretation, providers will need to use their own contracts as AzCH-CCP staff will not be available to connect the calls.]
  • Arizona Complete Health-Complete Care Plan offers telephone, face to face, and video face-to-face interpretation options. Information regarding interpreter assistance is available by contacting the Health Plan Provider Services Call Center number at 866-796-0542 (TTY/TDD: 711). For face-to-face requests, please make the request in advance of the appointment with as much notice as possible. At a minimum, the request should be seven (7) days out from the appointment to allow time for the vendors to meet the need. When calling, the following information is required:
  • Member name.
  • Member ID number.
  • Appointment date and time (advance note preferred, if possible).
  • Type of interpretation needed.
  • Language requested.
  • If a provider receives a notice from the language vendor that an interpreter can’t be secured for an appointment, please call Customer Service to let them know, and to request they utilize a different vendor for the request. An interpreter will not be secured unless you make the request.
  • Providers may receive an email or call from language vendor to confirm details such as which health plan the member belongs to. Please respond to the vendor so they can finalize the interpretation, or they will not complete the request.
  • If there is still no interpreter secured due to a lack of interpreter availability, a telephone interpreter may meet the need. In addition, providers can and should utilize other resources to ensure the interpretation occurs as needed and without interruption of services to a member. Providers should not continually reschedule a member with interpreter needs because it does not foster effective communication and equitable access to care and may be considered discrimination. (Arizona Complete Health-Complete Care Plan language resources are an additional option. They are being provided as a courtesy to ease some of the burden if providers do not have their own resources. It is not required to use AzCH-Complete Care Plan resources. If providers would like to use other vendors to meet their needs, they are able to and should, to ensure member needs are met. However, AzCH-Complete Care Plan will not reimburse any provider for expenses related to the use of their own interpreter resources since interpretation is including in administrative funding. Ultimately, language assistance is a federal requirement and providers should do whatever needed to ensure interpreters are available.)

We have customer service representatives who can speak to members/ family members in their preferred language or will conference in an interpreter. Customer Service at 866-796-0542 can also conference in an interpreter, as needed.

Augmentative and Alternative Communication (AAC) evaluations and devices are covered services for all integrated AHCCCS population. Reference this information when reviewing benefits and eligibility, referrals and prior authorization requirements.

Steps

  1. Member’s physician writes a referral/prescription for an AAC assessment from a speech language pathologist (SLP)
  2. Health plan works with member/provider to identify providers in the state who conduct AAC evaluations.
  3. SLP does assessment for an ACC Device
  4. SLP submits PA for appropriate AAC Device
  5. If approved SLP will request DME provider to send ACC
  6. SLP will contact member/family to schedule training

Providers must ensure any document that requires the signature of the Member, and that contains vital information such as the treatment, medications or notices, or service plans, is translated into their preferred/primary language upon request.

Providers must ensure their websites meet compliance with Section 508 Accessibility Standards. Section 508 is a federal law that requires agencies to provide people with disabilities equal access to electronic information and data comparable to those who do not have disabilities.

We have customer service representatives who can speak to members/ family members in their preferred language or will conference in an interpreter. Customer Service at 866-796-0542 can also conference in an interpreter, as needed.

Augmentative and Alternative Communication (AAC) evaluations and devices are covered services for all integrated AHCCCS population. Reference this information when reviewing benefits and eligibility as well as referrals and prior authorization requirements.

A Provider shall NOT require an individual with limited English proficiency to provide their own interpreter or rely on an adult or child accompanying an individual with limited English proficiency to interpret or facilitate communication. In addition, a Provider shall NOT rely on staff other than qualified bilingual/multilingual staff to communicate directly with individuals with limited English proficiency. Exceptions to these expectations include:

  • In an emergency involving an imminent threat to the safety or welfare of an individual or the public where there is no qualified interpreter for the individual with limited English proficiency immediately available.
  • Where the individual with limited English proficiency specifically requests that the accompanying adult interpret or facilitate communication, the accompanying adult agrees to provide such assistance, and reliance on that adult for such assistance is appropriate under the circumstances for minimal needs.

Welcoming Environments

Creating welcoming environments is essential to member engagement. Using inclusive and sensitive language in all materials and conversations is paramount to fostering an environment where a member feels safe, visible, and included in care. Some examples of inclusive language:

  • Instead of using his/her, use their; instead of using he/she, use they; instead of using him/her, use them
  • Instead of saying hearing impaired, say deaf or hard of hearing
  • Instead of saying visually impaired, say blind or low vision
  • Instead of saying pregnant women, say pregnant invididuals or pregnant women and other pregnant indivduals
  • Best practice: ask the person about their preferred pronouns

The Health Plan makes available tools for individual and organizational self-assessments related to cultural and linguistic competence.  Providers who are interested in assessing their organization may email AzCHCulturalAffairs@azcompletehealth.com.

AzCH-CCP Nondiscrimination Notice:

Arizona Complete Health-Complete Care Plan complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, gender identity or sex. Arizona Complete Health-Complete Care Plan does not exclude people or treat them differently because of race, color, national origin, age, disability, gender identity or sex. Arizona Complete Health-Complete Care Plan:

  • Provides aids and services at no cost to people with disabilities to communicate effectively with us, such as: qualified sign language interpreters.
  • Provides written information in other formats (large print, audio, accessible electronic formats, other formats).
  • Provides language services at no cost to people whose primary language is not English, such as: qualified interpreters and information written in other languages. 

If you need these services, contact Member Services at 1-866-918-4450 (TTY: 711). 

If you believe that Arizona Complete Health-Complete Care Plan failed to provide these services or discriminated in another way on the basis of race, color, national origin, age, disability, gender identity or sex, you can file a grievance with the Chief Compliance Officer. You can file a grievance in person, by mail, fax, or email. Your grievance must be in writing and must be submitted within 180 days of the date that the person filing the grievance becomes aware of what is believed to be discrimination.

Submit your grievance to:

Arizona Complete Health- Chief Compliance Officer
1850 W. Rio Salado Parkway, Suite 211, Tempe, AZ 85281

You can also file a civil rights complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, electronically through the Office for Civil Rights Complaint Portal, available at https://ocrportal.hhs.gov/ocr/portal/lobby.jsf, or by mail at U.S. Department of Health and Human Services; 200 Independence Avenue, SW; Room 509F, HHH Building; Washington, D.C. 20201; or by phone: 1-800-368-1019, 1-800-537-7697 (TTY).

Complaint forms are available on the website.

All providers must have interpretation resources available during all hours of operation. It is the responsibility of the providers to ensure interpretation is arranged for each applicable appointment.

  • Best practice for providing language assistance is to have certified bilingual staff available to meet the language assistance needs. 
  • For oral interpretation and American Sign Language, if a provider does not have certified bilingual staff or licensed American Sign Language interpreters available, the provider may utilize the interpreters that are provided by Health Plan language vendors at no cost to providers or members. However, providers are required to contract with language vendors to meet these needs when Health Plan vendors or staff are not able to secure interpretation for any reason. [Please note for after business hours access to telephone interpretation, providers will need to use their own contracts as Health Plan staff will not be available to connect the calls.] 
  • Health Plan offers telephone, face to face, and video face-to-face interpretation options. Information regarding interpreter assistance is available by contacting the Health Plan Provider Services Call Center number at 866-796-0542 (TTY/TDD: 711). For face-to-face requests, please make the request in advance of the appointment with as much notice as possible. At a minimum, the request should be seven (7-10) days out from the appointment to allow time for the vendors to meet the need. When calling, the following information is required:
    • Member name;
    • Member ID number;
    • Appointment date and time (advance note preferred, if possible);
    • Type of interpretation needed;
    • Language requested.
  • If a provider receives notice from the language vendor that an interpreter cannot be secured for an appointment, please call Customer Service to let them know, and to request they utilize a different vendor for the request. An interpreter will not be secured unless you make the request.
  • Providers may receive an email or call from language vendor to confirm details such as which health plan the member belongs to. Please respond to the vendor so they can finalize the interpretation, or they will not complete the request.
  • If there is still no interpreter secured due to a lack of interpreter availability, a telephone interpreter may meet the need. In addition, providers can and should utilize other resources to ensure interpretation occurs as needed and without interruption of services to a member. Providers should not continually reschedule a member with interpreter needs because it does not foster effective communication and equitable access to care and may be considered discrimination. Health Plan language resources are an additional option. They are being provided as a courtesy to ease some of the burden if providers do not have their own resources. It is not required to use Health Plan resources. If providers would like to use other vendors to meet their needs, they are able to and should, to ensure member needs are met. However, Health Plan will not reimburse any provider for expenses related to the use of their own interpreter resources since interpretation is included in administrative funding. Language assistance is a federal requirement and providers should do whatever is needed to ensure interpreters are available.)

We have customer service representatives who can speak to members/ family members in their preferred language or will conference in an interpreter. Customer Service at 866-796-0542 can also conference in an interpreter, as needed.

Providers must ensure any document requiring the Member's signature and that contains vital information such as the treatment, medications or notices, or service plans, is translated into their preferred/primary language upon request

Providers must ensure their websites meet compliance with Section 508 Accessibility Standards. Section 508 is a federal law that requires agencies to provide people with disabilities equal access to electronic information and data comparable to those who do not have disabilities.

Restrictions Related to Interpretation or Facilitation of Communication

A Provider shall NOT require an individual with limited English proficiency to provide their own interpreter or rely on an adult or child accompanying an individual with limited English proficiency to interpret or facilitate communication. In addition, a Provider shall NOT rely on staff other than qualified bilingual/multilingual staff to communicate directly with individuals with limited English proficiency. Exceptions to these expectations include:

  • In an emergency involving an imminent threat to the safety or welfare of an individual or the public where there is no qualified interpreter for the individual with limited English proficiency immediately available.
  • Where the individual with limited English proficiency specifically requests that the accompanying adult interpret or facilitate communication, the accompanying adult agrees to provide such assistance, and reliance on that adult for such assistance is appropriate under the circumstances for minimal needs;

Welcoming Environments

Creating welcoming environments is essential to member-family engagement. Using inclusive, sensitive and plain language in all materials and conversations is paramount to fostering an environment where a member feels safe, visible, and included in care. Some examples of inclusive language:

  • Instead of using his/her, use their; instead of using he/she, use they; instead of using him/her, use them
  • Instead of saying hearing impaired, say deaf or hard of hearing
  • Instead of saying visually impaired, say blind or low vision
  • Instead of saying pregnant women, say pregnant invididuals or pregnant women and other pregnant indivduals
  • Best practice: ask the person about their preferred pronouns
  • The Health Plan makes available tools for individual and organizational self-assessments related to cultural and linguistic competence. Providers who are interested in assessing their organization may email  for more information.

Health Plan Nondiscrimination Notice:

Health Plan complies with applicable Federal civil rights laws and does not discriminate on the based on race, color, national origin, age, disability, gender diversity, or sex. Health Plan does not exclude people or treat them differently because of race, color, national origin, age, disability, gender identity or sex. Health Plan:

  • Provides aids and services at no cost to people with disabilities to communicate effectively with us, such as: qualified sign language interpreters.
  • Provides written information in other formats (large print, audio, accessible electronic formats, other formats).
  • Provides language services at no cost to people whose primary language is not English, such as: qualified interpreters and information written in other languages.

If you need these services, contact Member Services at 1-866-918-4450 (TTY: 711).

If you believe that the Health Plan did not provide these services or discriminated in another way based on race, color, national origin, age, disability, gender identity, or sex, you can file a grievance with the Chief Compliance Officer. You can file a grievance in person, by mail, fax, or email. Your grievance must be in writing and must be submitted within 180 days (about 6 months) of the date that the person filing the grievance becomes aware of what is believed to be discrimination.

Submit your grievance to:

Arizona Complete Health- Chief Compliance Officer

1850 W. Rio Salado Parkway, Suite 211, Tempe, AZ 85281.

Fax: 1-866-388-2247

You can also file a civil rights complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, electronically through the Office for Civil Rights Complaint Portal, available at , or by mail at U.S. Department of Health and Human Services; 200 Independence Avenue, SW; Room 509F, HHH Building; Washington, D.C. 20201; or by phone: 1-800-368-1019, 1-800-537-7697 (TTY).

Laws and Policies Addressing Discrimination and Diversity

Provider agencies must abide by the following referenced federal and state applicable rules, regulations, and guidance documents:

  • AHCCCS Contractor Operations Manual , Language Access Plan, and Family/Member Centered Care: https://www.azahcccs.gov/shared/ACOM/. This Policy applies to Acute Care, ALTCS/EPD, CRS, DCS/CHP, DES/DDD, and ACC-RBHA Contractors. Title VI of the Civil Rights Act prohibits discrimination based on race, color, and national origin in programs and activities receiving federal financial assistance.
  • Section 1557 of the Patient Protection and Affordable Care Act is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination based on race, color, national origin, sex (including gender identity and sexual stereotypes), age, or disability in certain health programs or activities Section 1557 builds on long-standing and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in any health program or activity any part of which receive federal funding.
  • National Standards for Culturally and Linguistically Appropriate Services (CLAS) in Health and Health Care focused on health equity.
  • Title VI of the Civil Rights Act 1964 prohibits discrimination based on race, color, and national origin in programs and activities receiving federal financial assistance. Refer to: Department of Health and Human Services - Guidance to Federal Financial Assistance Members Regarding Title VI Prohibition Against National Origin Discrimination affecting Limited English Proficient Persons.
  • Executive Order 13166 - An Executive Order is an order given by the President to federal agencies. The LEP Executive Order (Executive Order 13166) says that people who have Limited English Proficiency should have meaningful access to federally conducted and federally funded programs and activities. 
  • Section 504 of the Rehabilitation Act prohibits discrimination based on disability in delivering contract services.
  • Section 508 of the Rehabilitation Act requires that institutions receiving federal funds solicit, procure, maintain, and use all Information and Communication Technology (ICT) so that equal or alternate/comparable access is given to federal employees and members of the public with and without disabilities. It is a federal law that requires agencies to provide people with disabilities equal access to electronic information and data comparable to those who do not have disabilities; and,
  • The Americans with Disabilities Act prohibits discrimination against persons who have a disability. Providers must deliver services so that they are readily accessible to persons with a disability.
  • 45 CFR § 92.201 - Meaningful access for individuals with limited English proficiency
  • 42 CFR § 438.10 - Information requirements

In the State of Arizona, and to the extent permitted by federal law, verification of United States (U.S.) Citizenship or Lawful Presence of non-citizens is mandatory prior to a person being able to receive public health benefits (A.R.S. § 1-502 (PDF). In addition to citizenship/lawful presence, the Arizona Health Care Cost Containment System, (AHCCCS) requires verification of a person’s identification in order to determine eligibility. A person who has verified both citizenship/lawful presence and identification and has been found eligible for AHCCCS may:

  • Be eligible for Title XIX/XXI (Medicaid) or Title XXI (KidsCare) covered services; or
  • Not qualify for Title XIX/XXI entitlements, but be eligible for services.

The Health Plan and its providers must verify U.S. citizenship or lawful presence in the U.S. of all persons applying for publicly funded services.

9.3.1 Eligibility to Receive Public Services with Verification Of U.S. Citizenship/Lawful Presence

The following individuals are eligible for public services:

  • Persons determined to be eligible for AHCCCS; and

Persons not eligible for AHCCCS but with a Serious Mental Illness (SMI) AND who can provide documentation of citizenship/lawful presence (see AHCCCS Medical Assistance Eligibilty Policy Manual Chapter 500, Section 507 Citizen of United States).

9.3.2 Eligibility to Receive Public Services Without Verification

Persons not eligible for AHCCCS and NOT with a SMI, but who qualify to receive behavioral health services funded through the Substance Abuse Block Grant (SABG), the Mental Health Block Grant (MHBG) program or State Appropriation Funds are eligible to receive services in accordance with Section 12.10.11 - Mental Health and Substance Use Disorder Services; Including, Federal Grant and State Appropriations Requirements. However, persons receiving services funded through these sources must still be screened for AHCCCS eligibility in accordance with Section 12.1 - Eligibility Screening for AHCCCS Health Insurance, Medicare Part D Prescription Drug Coverage and the Limited Income Subsidy Program.

Persons presenting for and receiving crisis services are not required to provide documentation of eligibility with AHCCCS nor are they required to verify U.S. citizenship/lawful presence prior to or in order to receive crisis services.

9.3.3 Completing an AHCCCS Eligibility Determination Screening as Part of the Verification Process

If a person is currently enrolled with AHCCCS and has been assigned to a T/RBHA/Health Plan, verification of citizenship/lawful presence has already been completed.

For an illustration on how the verification process works, see Provider Manual Attachment 12.2.2, Citizenship/Lawful Presence Verification Process Through Health-e-Arizona PLUS which can be obtained by calling the Provider Services Call Center at 866-796-0542.

For a list of those persons who are exempt from citizenship verification, see Provider Manual Attachment 12.2.3, Persons Who Are Exempt from Verification of Citizenship during the Prescreening and Application Process which can be obtained by calling the Provider Services Call Center at 866-796-0542.

Providers must complete an eligibility determination screening for all persons who are not identified as being currently enrolled with AHCCCS using the subscriber version of the Health-e- Arizona PLUS online application found at https://www.healthearizonaplus.gov/. An eligibility screening will be conducted:

  • Upon initial request for services;
  • At least annually thereafter, if still receiving services; and
  • When significant changes occur in the person’s financial status.

9.3.3.1 What Is the Process for Completing the Eligibility Screening Using Health-E-Arizona PLUS?

The Health Plan or its provider meet with the person and complete the Health-e- Arizona PLUS online application found at https://www.healthearizonaplus.gov/. Once the online application screening has been completed, the Health-e-Arizona PLUS online application tool will indicate:

  • If the person is potentially AHCCCS eligible, The Health Plan or its provider must obtain from the applicant:
    • Documentation of identification and U.S. Citizenship needed if the person claims to be a U.S. citizen (see Provider Manual Attachment 12.2.1, Documents Accepted by AHCCCS To Verify Citizenship and Identity which can be obtained by calling the Provider Services Call Center at 866-796-0542 ); or
    • Documentation needed of identification and lawful presence in the U.S. if the applicant states that they are not a U.S. citizen (see Provider Manual Attachment 12.2.4, Non-Citizen/Lawful Presence Verification Documents which can be obtained by calling the Provider Services Call Center at 866-796-0542).
  • The required U.S. citizenship/lawful presence documents are considered “permanent documents”. Permanent documents include proof of age, Social Security Number, U.S. citizenship or immigration status. These are eligibility factors that typically do not change and only need to be verified once, and
  • When providers use the online member verification system and enter a member’s social security number, the member’s photo, if available from the Arizona Motor Vehicles Department, will be displayed on the AHCCCS eligibility verification screen along with other AHCCCS coverage information. The added photo image assists providers to quickly validate the identity of a member.

If the Health-e-Arizona PLUS online screening tool indicates that the person may not be eligible for AHCCCS, the person may:

  • Choose to continue with the AHCCCS eligibility application, in which case the provider must assist the person in completing the application process and obtain the required identification and citizenship/lawful presence documents as indicated above or those required for Non-Title XIX/XXI Eligible individuals as outlined in AHCCCS Medical Assistance Chapter 500, Section 507 Proof of Citizenship); or
  • Decide to not continue with the online application process. The provider will need to determine if the person is eligible for services as described in AHCCCS AMPM Policy 110 Special Populations. The provider must continue to work with the person to obtain the required citizenship/lawful presence documents whenever possible for future eligibility status need.

9.3.3.2 Inability to Provide the Required Identification or Citizenship/Lawful Presence Documents at the Time of Application

To the extent that it is practicable, The Health Plan or its providers are expected to assist applicants in obtaining required documentation of identification and citizenship/lawful presence within the timeframes indicated by Health-e-Arizona PLUS (30 days from date of application submission unless otherwise stated).

Persons who are unable to provide required documentation of citizenship or lawful presence are not eligible for publicly funded services unless they meet the criteria outline in this section. If the person obtains the required documentation at a later date, they may reapply for AHCCCS eligibility using Health-e-Arizona PLUS (and submit all required documentation with the reapplication, with no waiting period).

Pending the outcome of the AHCCCS eligibility determination, a person may be provided services in accordance with Section 12.10.11 - Mental Health and Substance Use Disorder Services; Including, Federal Grant and State Appropriations Requirements.

9.3.4 Documentation Requirements

Documentation of screening a Member through Health-e-Arizona PLUS must be included in medical record, including the Application Summary and final Determination of eligibility status notification printed from the Health-e-Arizona PLUS website.

If a person has refused to participate in the screening process, the documented refusal to participate in the screening and/or application process must be maintained in accordance with Section 12.1 - Eligibility Screening for AHCCCS Health Insurance, Medicare Part D Prescription Drug Coverage and the Limited Income Subsidy Program.

The State and/or The Health Plan may conduct unscheduled, periodic process and documentation audits to ensure that The Health Plan and/or its providers are in compliance with this section. The Health Plan may enforce all available contract remedies against a provider, up to and including termination for failure to comply with this section.

Employees of The Health Plan and its providers are considered agents of the State, and therefore, must report discovered violations of immigration status to AHCCCS, which is responsible for submitting the reports to the U.S. Immigration and Customs Enforcement (ICE) agency. Failure to report a discovered violation is a Class 2 Misdemeanor.

9.4.1 Identification of Violations

The Health Plan and its providers must refrain from conduct or actions that could be considered discriminatory behavior. It is unlawful and discriminatory to deny persons services, exclude persons from participation in those services, or otherwise discriminate against any person based on grounds of race, color, or national origin.

The Health Plan and its providers must not use any information obtained about a person’s citizenship or lawful presence for any purpose other than to provide a person with services. Factors that must NOT be considered when identifying a potential violation:

  • The person’s primary language is a language other than English;
  • The person was not born in the United States;
  • The person does not have a Social Security number;
  • The person has a “foreign sounding” name;
  • The person cannot provide documentation of citizenship or lawful presence;
  • The person is identified by others as a non-citizen; and
  • The person has been denied AHCCCS eligibility for lack of proof of citizenship or lawful presence.

If a person applying for services, in the course of completing the application process or while conducting business with The Health Plan or a The Health Plan provider, voluntarily reveals that they are not lawfully present in the United States then and only then may The Health Plan or its providers consider it to be a reportable violation.

The Health Plan and its providers must not require documentation of citizenship or lawful presence from persons who are not personally applying for services, but who are acting on behalf of or assisting the applicant (for example, a parent applying on behalf of a child).

It is not the responsibility of The Health Plan or its providers to ensure the validity of the submitted documents. Documents must be copied for files and submitted, as requested, to the appropriate agency, as instructed through Health-e-Arizona PLUS (see Section 9.2 - Verification of U.S. Citizenship or Lawful Presence for Public Behavioral Health Benefits).

The criteria for screening and applying for AHCCCS eligibility are not changed by these reporting requirements. Further, the documentation requirements for verifying or establishing citizenship or lawful presence are not changed by this process (see Section 9.2 - Verification of U.S. Citizenship or Lawful Presence for Public Behavioral Health Benefits).

The Health Plan and its providers must follow the expectations outlined in this policy when identifying and reporting violations. Questions regarding reporting requirements may be submitted via email to the AHCCCS Corporate Compliance Officer at AHCCCSFraud@azahcccs.gov

9.4.2 Reporting Process

The Health Plan or a provider that identifies a violation must submit a report to AHCCCS via secure email to AHCCCS Corporate Compliance at  AHCCCSFraud@azahcccs.gov  that contains the following information:

  • First and last name of identified individual;
  • Residential address/street, address of identified individual, including city, state, and zip code; and
  • Reason for referral.

Additionally, the link “How to Report Fraud, Waste or Abuse of the Program is:  https://www.azahcccs.gov/Fraud/ReportFraud/

9.4.3 Documentation Expectations

The Health Plan or its providers must document in the person’s medical record (if a provider) or in the Compliance Office (AzCH-CCP) the following:

  • Reason for making a report, including how the information was obtained and whether it was an oral or written declaration;
  • The date the report was submitted to AHCCCS;
  • Any actions taken as a result of the report; and
  • A copy of the email to AHCCCS that contains the report.

Any provider staff with a basis to believe that abuse, neglect, exploitation, injuries, and unexpected death of an incapacitated or vulnerable adult or minor child has occurred shall immediately report the incident to a peace officer, the Department of Economic Security/ Adult Protective Services (DES/APS) or the Department of Economic Security/Department of Child Safety (DES/DCS) worker as appropriate, as well as to The Health Plan.  The Health Plan will then report it to AHCCCS Quality Management.

9.5.1 Duty to Report Abuse, Neglect or Exploitation of a Vulnerable Adult

Providers responsible for the care of adults, including incapacitated or vulnerable adults, and who have a reasonable basis to believe that abuse or neglect of the adult has occurred or that exploitation of the adult's property has occurred shall report this information immediately either in person or by telephone. This report shall be made to a peace officer or to a protective services worker within APS. Information on how to contact APS to make a report is located by going to the webpage for the APS Central Intake Unit. A written report must also be mailed or delivered within forty-eight hours or on the next working day if the forty-eight hours expire on a weekend or holiday. The report shall contain:

  • The names and addresses of the adult and any persons who have control or custody of the adult, if known;
  • The adult's age and the nature and extent of their incapacity or vulnerability;
  • The nature and extent of the adult's injuries or physical neglect or of the exploitation of the adult's property; and
  • Any other information that the person reporting believes might be helpful in establishing the cause of the adult's injuries or physical neglect or of the exploitation of the adult's property.

Upon written and signed request for records from the investigating peace officer or APS worker, the person who has custody or control of medical or financial records of the incapacitated or vulnerable adult for whom a report is required shall make such records, or a copy of such records, available (see Section 9.6.1, Disclosure of Health Information). Records disclosed are confidential and may be used only in a judicial or administrative proceeding or investigation resulting from the report. If psychiatric records are requested, the custodian of the records shall notify the attending psychiatrist, who may remove the following information from the records before they are made available:

  • Personal information about individuals other than the patient; and
  • Information regarding specific diagnoses or treatment of a psychiatric condition, if the attending psychiatrist certifies in writing that release of the information would be detrimental to the patient's health or treatment.

If any portion of a psychiatric record is removed, a court, upon request of a peace officer or APS worker, may order that the entire record or any portion of such record containing information relevant to the reported abuse or neglect be made available to the peace officer or APS worker investigating the abuse or neglect.

Additionally, providers must report to The Health Plan healthcare acquired conditions, abuse, neglect, exploitation, injuries, high profile cases and unexpected death of adults as required under Section 10.12 - Reporting of Incidents, Accidents, and Deaths.

9.5.2 Duty to Report Abuse, Neglect, Exploitation, Injuries, Denial or Deprivation of Medical or Surgical Care or Nourishment, and Unexpected Death of a Minor

Any provider who reasonably believes that any of the following incidents has occurred shall immediately report this information to a peace officer or to a Department of Child Safety (DCS) worker by calling the Arizona Child Abuse Hotline, and must also notify The Health Plan of:

  • Any physical injury, abuse, reportable offense, or neglect involving a minor that cannot be identified as accidental by the available medical history; or
  • A denial or deprivation of necessary medical treatment, surgical care, or nourishment with the intent to cause or allow the death of an infant.

In the event that a report concerns a person who does not have care, custody or control of the minor, the report shall be made to a peace officer only. Reports shall be made immediately by telephone or in person and shall be followed by a same-day progress note in the Member’s Health Record. The report shall contain:

  • The names and addresses of the minor and the minor's parents or the person(s) having custody of the minor, if known;
  • The minor's age and the nature and extent of the minor's abuse, physical injury, or neglect, including any evidence of previous abuse, physical injury, or neglect; and
  • Any other information that the person believes might be helpful in establishing the cause of the abuse, physical injury, or neglect.

If a physician, psychologist, or behavioral health professional receives a statement from a person other than a parent, stepparent, or guardian of the minor during the course of providing sex offender treatment that is not court ordered or that does not occur while the offender is incarcerated in the State Department of Corrections or the Department of Juvenile Corrections, the physician, psychologist, or behavioral health professional may withhold the reporting of that statement if the physician, psychologist, or behavioral health professional determines it is reasonable and necessary to accomplish the purposes of the treatment.

Upon written request by the investigating peace officer or DCS worker, the person who has custody or control of medical records of a minor for whom a report is required shall make the records, or a copy of the records, available (see Section 9.6.1 - Disclosure of Health Information). Records are confidential and may be used only in a judicial or administrative proceeding or investigation resulting from the required report. If psychiatric records are requested, the custodian of the records shall notify the attending psychiatrist, who may remove the following information before the records are made available:

  • Personal information about individuals other than the patient; and
  • Information regarding specific diagnoses or treatment of a psychiatric condition, if the attending psychiatrist certifies in writing that release of the information would be detrimental to the patient's health or treatment.

If any portion of a psychiatric record is removed, a court, upon request by a peace officer or DCS worker, may order that the entire record or any portion of the record that contains information relevant to the reported abuse, physical injury or neglect be made available for purposes of investigation.

Additionally, providers must report to The Health Plan healthcare acquired conditions, abuse, neglect, exploitation, injuries, high profile cases, denial, or deprivation of medical or surgical care or nourishment, and unexpected death of minors as required under Section 10.12 - Reporting of Incidents, Accidents, and Deaths.

Any health provider employed or subcontracted by The Health Plan or a mental health provider that has determined a patient poses a serious danger of violence to others shall take reasonable actions to protect the potential victim(s) of that danger https://www.azahcccs.gov/shared/Downloads/MedicalPolicyManual/900/960.pdf .

9.6.1 Duty to Protect Potential Victims of Physical Harm

All providers, regardless of their specialty or area of practices, have a duty to protect others against a member’s potential danger to self and/or danger to others. When a provider determines, or under applicable professional standards, reasonably should have determined, that a member poses a serious danger to self or others, the provider has a duty to exercise care to protect others against imminent danger of a patient harming themselves or others. The foreseeable victim need not be specifically identified by the member but may be someone who would be the most likely victim of the member’s dangerous conduct.

  • The responsibility of behavioral health provider to take reasonable precautions to prevent harm threatened by a member may include any of the following: Communicating, when possible, the threat to all identifiable victims,
  • Notifying a law enforcement agency in the vicinity where the patient or any potential victim resides,
  • Taking reasonable steps to initiate proceedings for voluntary or involuntary hospitalization, if appropriate, and in accordance with AMPM Policy 320-U, or
  • Taking any other precautions that a reasonable and prudent health provider would take under the circumstances.

The Health Plan contracted providers are required to immediately notify by telephone the Health Plan crisis line provider (The Crisis Call Center) when a patient is identified as a potential danger to self or others, and update the Crisis Call Center as appropriate based on the level of risk to the member and the community. Providers are required to report to the Crisis Call Center all relevant information; including, information about the person’s access to weapons, names and addresses of potential victims, attempts to protect victims, police involvement, relevant clinical information, and support system information. With respect to the legal liability of a behavioral health provider, A.R.S. § 36-517.02 provides that no cause of action or legal liability shall be imposed against a behavioral health provider for breaching a duty to prevent harm to a person caused by a patient unless both of the following occur:

·         The patient has communicated to the mental health provider an explicit threat of imminent serious physical harm or death to a clearly identified or identifiable victim or victims, and the patient has the apparent intent and ability to carry out such threat, and

The mental health provider fails to take reasonable precautions

9.7.1 Disclosure of Health Information

This section is intended to provide guidance to protect the privacy of persons who receive services, guidance as to whom information can be disclosed and when authorization[1] is required prior to that disclosure, and guidance on the notification of those persons in the event their unsecured Protected Health Information (PHI) is breached. It is not all-inclusive of the HIPAA and State Laws; the references throughout are available for providers to access and examine the applicable laws in more detail.

Information and records obtained in the course of providing or paying for services to a person are confidential and are only disclosed according to the provisions of applicable federal and State law. In the event of an unauthorized use/disclosure of unsecured PHI, The Health Plan’s providers must notify all affected persons.

9.7.2 Overview of Confidentiality Information

The Health Plan and its providers must keep medical records, payment records, behavioral health records and all information contained in those records, and any other personal health and enrollment information that may identify a particular Member or subset of Members confidential and cannot disclose such information unless permitted or required by federal or State law. Providers must verify that all emails being sent by the provider with Protected Health Information (PHI) are sent using a secure email program and must use an individualized secure business domain email, and not use public email entities (such as Google or Yahoo) to conduct business and transmit PHI.

The law regulates two major categories of confidential information:

  • Information obtained when providing services not related to alcohol or drug abuse referral, diagnosis, and treatment; and
  • Information obtained in the referral, diagnosis and treatment of alcohol or drug abuse.

The Health Plan also requires its providers to have policies and procedures in place to protect the privacy of individuals verified to be in the Address Confidentiality Program.  See 41 A.R.S. § 161 et seq.

9.7.2.1 Health Information Not Related to Alcohol and Drug Treatment

[1] For purposes of uniformity and clarity, the term “authorization” is used throughout this section to reference a person’s permission to disclose medical records and protected health information and has the same meaning as “consent” which is used in 42 C.F.R. Part 2.

Information obtained when providing services not related to alcohol and drug abuse treatment is governed by State law and the HIPAA Privacy Rule, 45 C.F.R., Part 164, Subparts A and E, Part 160 Subparts A and B (“the HIPAA Rule”). The HIPAA Rule permits a covered entity (health plan, health care provider, or health care clearinghouse) to use or disclose protected health information with or without patient authorization in a variety of circumstances, some of which are required and others that are permissive. Many of the categories of disclosures contain specific words and phrases that are defined in the HIPAA Rule. Careful attention must be paid to the definitions of words and phrases in order to determine whether disclosure is allowed. In addition, the HIPAA Rule may contain exceptions or special rules that apply to a particular disclosure. State law may affect a disclosure. For example, the HIPAA Rule may preempt State law or State law may preempt the HIPAA Rule. HIPAA, when read together with State law, may impose additional requirements for disclosure. In addition, a covered entity must, with certain exceptions, make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the disclosure.

Before disclosing protected health information, it is good practice to consult the specific citation to the HIPAA Rule, State law, and consult with legal counsel. See Section 9.7.4 below for more detail regarding the disclosure of health information not related to alcohol or drug referral, diagnosis, or treatment.

9.7.2.2 Drug and Alcohol Abuse Information

Information regarding treatment for alcohol or drug abuse is afforded special confidentiality by federal statute and regulation (42 U.S.C. § 290 dd-2, and 42 C.F.R. Part 2). This includes any information concerning a person’s diagnosis or treatment from a federally assisted alcohol or drug abuse program or referral to a federally assisted alcohol or drug abuse program. See Section 9.7.5 below for more detail regarding the disclosure of drug and alcohol abuse information.

9.7.3 General Procedures for All Disclosures

Unless otherwise accepted by State or federal law, all information obtained about a person related to the provision of services to the person is confidential whether the information is in oral, written, or electronic format.

All records generated as a part of the State or The Health Plan grievance and appeal processes are legal records, not medical or payment records, although they may contain copies of portions of a person’s medical record. To the extent these legal records contain personal medical information, the State or The Health Plan will redact or de-identify the information to the extent allowed or required by law.

9.7.3.1 List of Persons Accessing Records

The Health Plan’s providers must verify that a list is kept of every person or organization that inspects a currently or previously enrolled person’s records other than the person’s clinical team, the uses to be made of that information and the staff person authorizing access. The access list must be placed in the enrolled person’s record and must be made available to the enrolled person, their guardian or other designated representative.

9.7.3.2 Disclosure to Clinical Teams

Disclosure of information to Members of a clinical team may or may not require an authorization depending upon the type of information to be disclosed and the status of the receiving party. Information concerning diagnosis, treatment or referral for drug or alcohol treatment may only be disclosed to Members of a clinical team with authorization from the enrolled person as prescribed in Section 9.7.3. Information not related to drug and alcohol treatment may be disclosed without patient authorization to Members of a clinical team who are providers of health, mental health or social services, provided the information is for treatment purposes as defined in the HIPAA Rule. Disclosure to Members of a clinical team who are not providers of health, mental health or social services requires the authorization of the person or the person’s legal guardian or parent as prescribed in Section 9.7.4 below.

9.7.3.3 Disclosure to Persons Involved in Court Proceedings

Disclosure of information to persons involved in court proceedings including attorneys, probation or parole officers, guardian ad litem and court appointed special advocates may or may not require an authorization depending upon the type of information to be disclosed and whether the court has entered orders permitting the disclosure.

9.7.4 Disclosure of Information Not Related to Alcohol and Drug Treatment

The HIPAA Rule and State law allow a covered entity to disclose protected health information under a variety of conditions. This is a general overview and does not include an entire description of legal requirements for each disclosure. Below is a general description of all required or permissible disclosures:

  • To the individual and the individual’s health care decision maker;
  • To health, mental health and social service providers for treatment, payment or health care operations;
  • Incidental to a use or disclosure otherwise permitted or required by 45 C.F.R. Part 160 and Part 164, Subpart E;
  • To a person or entity with a valid authorization;
  • Provided the individual is informed in advance and has the opportunity to agree or prohibit the disclosure:
    • For use in facility directories;
    • To persons involved in the individual’s care and for notification purposes.
  • When required by State or federal law;
  • For public health activities;
  • About victims of child abuse, neglect or domestic violence;
  • For health oversight activities;
  • For judicial and administrative proceedings;
  • For law enforcement purposes;
  • About deceased persons;
  • For cadaveric organ, eye, or tissue donation purposes;
  • For research purposes, if the activity is conducted pursuant to applicable federal or State laws and regulations governing research;
  • To avert a serious threat to health or safety or to prevent harm threatened by patients;
  • To a human rights committee;
  • For purposes related to the Sexually Violent Persons program;
  • With communicable disease information;
  • To personal representatives including agents under a health care directive;
  • For evaluation or treatment;
  • To business associates;
  • To the Secretary of Health and Human Services or designee to investigate or determine compliance with the HIPAA Rule;
  • For specialized government functions;
  • For worker’s compensation;
  • Under a data use agreement for limited data;
  • For fundraising:
  • For underwriting and related purposes;
  • To the Arizona Center for Disability Law in its capacity as the State Protection and Advocacy Agency;
  • To a third-party payer the payer’s contractor to obtain reimbursement;
  • To a private entity that accredits a health care provider;
  • To the legal representative of a health care entity in possession of the record for the purpose of securing legal advice;
  • To a person or entity as otherwise required by state or federal law;
  • To a person or entity permitted by the federal regulations on alcohol and drug abuse treatment (42 CFR Part 2);
  • To a person or entity to conduct utilization review, peer review and quality assurance pursuant to A.R.S. §§ 36-441, 36-445, 36-2402 or 36-2917;
  • To a person maintaining health statistics for public health purposes as authorized by law; and
  • To a grand jury as directed by subpoena.

9.7.4.1 Disclosure to an Individual

A covered entity is required to disclose information in a designated record set to an individual when requested unless contraindicated. Contraindicated means that access is reasonably likely to endanger the life or physical safety of the patient or another person (See A.R.S. § 36-507(3); 45 CFR § 164.524; A covered entity should read and carefully apply the provisions in 45 CFR §164.524 before disclosing protected health information in a designated record set to an individual.

An individual has a right of access to their designated record set, except for psychotherapy notes and information compiled for pending litigation. See 45 CFR § 164.524(a)(1) and Section 13405(e) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under certain conditions a covered entity may deny an individual access to the medical record without providing the individual an opportunity for review. See 45 CFR § 164.524(a)(2); ARS § 12-2293. Under other conditions, a covered entity may deny an individual access to the medical record and must provide the individual with an opportunity for review. See 45 CFR § 164.524(a)(3). A covered entity must follow certain requirements for a review when access to the medical record is denied. See 45 CFR § 164.524(a)(4).

An individual must be permitted to request access or inspect or obtain a copy of their medical record. See 45 CFR § 164.524(b)(1). A covered entity is required to act upon an individual’s request in a timely manner. See 45 CFR § 164.524(b)(2). An individual may inspect and be provided with one free copy per year of their own medical record unless access has been denied.

A covered entity must follow certain requirements for providing access, the form of access and the time and manner of access. See 45 CFR § 164.524(c).

A covered entity is required to make other information available in the record when access is denied, must follow other requirements when making a denial of access, must inform an individual of where medical records are maintained and must follow certain procedures when an individual requests a review when access is denied. See 45 CFR § 164.524(d).

A covered entity is required to maintain documentation related to an individual’s access to the medical record. See 45 CFR § 164.524(e).

9.7.4.2 Disclosure with an Individual or the Individual’s Health Care Decision Maker’s Authorization

The HIPAA Rule allows information to be disclosed with an individual’s written authorization.

For all uses and disclosures that are not permitted by the HIPAA Rule, patient authorization is required. See 45 CFR §§ 164.502(a)(1)(iv); and 164.508. An authorization must contain all of the elements in 45 CFR § 164.508.

A copy of the authorization must be provided to the individual. The authorization must be written in plain language and must contain the following elements:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository; and
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must also be provided.

In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

  • The individual’s right to revoke the authorization in writing, and either:
    • The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
    • A reference to the covered entity’s notice of privacy practices if the notice of privacy practices tells the individual how to revoke the authorization.
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
    • The covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in 45 CFR § 164.508 (b)(4) applies; or
    • The consequences to the individual of a refusal to sign the authorization when, in accordance with 45 CFR § 164.508 (b) (4), the covered entity can condition treatment, enrollment in the health plan or eligibility for benefits on failure to obtain such authorization.
  • The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the Member.

9.7.4.3 Disclosure to Health, Mental Health and Social Service Providers for Treatment, Payment or Health Care Operations; Reports of Abuse and Neglect

Disclosure is permitted without patient authorization to health, mental health and social service providers involved in caring for or providing services to the person for treatment, payment or health care operations as defined in the HIPAA Rule. These disclosures are typically made to primary care Providers, psychiatrists, psychologists, social workers, or other behavioral health professionals. Particular attention must be paid to 45 CFR §164.506(c) and the definitions of treatment, payment, and health care operations to determine the scope of disclosure. For example, a covered entity is allowed to disclose protected health information for its own treatment, payment, or health care operations. See 45 CFR §164.506(c)(1). A covered entity may disclose for treatment activities of a health care provider including providers not covered under the HIPAA Rule. See 45 CFR § 164.506(c)(2). A covered entity may disclose to both covered and non-covered health care providers for payment activities. See 45 CFR § 164.506(c)(3). A covered entity may disclose to another covered entity for the health care operations activities of the receiving entity if each entity has or had a direct treatment relationship with the individual and the disclosure is for certain specified purposes in the definition of health care operations 42 CFR. See 45 CFR § 164.506(c)(4).

If the disclosure is not for treatment, payment, or health care operations or required by law, patient authorization is required unless otherwise allowed by law.

The HIPAA Rule does not modify a covered entity’s obligation under A.R.S. § 13-3620 to report child abuse and neglect to Department of Child Safety or disclose a child’s medical records to the Department of Child Safety for investigation of child abuse cases.

Similarly, a covered entity may have an obligation to report adult abuse and neglect to Adult Protective Services. See A.R.S. § 46-454. The HIPAA Rule imposes other requirements in addition to those contained in A.R.S. § 46-454, primarily that the individual be notified of the making of the report or a determination by the reporting person that it is not in the individual’s best interest to be notified. See 45 CFR § 164.512(c).

9.7.4.4 Disclosure to Other Persons Including Family Members Who Are Actively Participating in The Patient’s Care, Treatment, or Supervision

A covered entity may disclose protected health information without authorization to other persons including family members actively participating in the patient's care, treatment, or supervision. Prior to releasing information, an agency or non-agency treating professional or that person's designee must have a verbal discussion with the person to determine whether the person objects to the disclosure. If the person objects, the information cannot be disclosed. If the person does not object, or the person lacks capacity to object, or in an emergency circumstance, the treating professional must perform an evaluation to determine whether disclosure is in that person's best interests. A decision to disclose or withhold information is subject to review pursuant to A.R.S. § 36-517.01.

An agency or non-agency treating professional may only release information relating to the person's diagnosis, prognosis, need for hospitalization, anticipated length of stay, discharge plan, medication, medication side effects, and short-term and long-term treatment goals. See A.R.S. § 36-509(7).

The HIPAA Rule imposes additional requirements when disclosing protected health information to other persons including family members. A covered entity may disclose to a family member or other relative the protected health information directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care. If the individual is present for a use or disclosure and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it obtains the individual’s agreement, provides the individual with the opportunity to object to the disclosure and the individual does not express an objection. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. See 45 CFR § 164.510(b).

9.7.4.5 Disclosure to an Agent Under a Health Care Directive

A covered entity may treat an agent appointed under a health care directive as a personal representative of the individual. See 45 CFR § 164.502(g). Examples of agents appointed to act on an individual’s behalf include an agent under a health care power of attorney, see A.R.S. § 36-3221 et seq.; surrogate decision makers, see A.R.S. § 36-3231; and an agent under a mental health care power of attorney, see A.R.S. § 36-3281.

9.7.4.6 Disclosure to a Personal Representative

A covered entity may disclose protected health information to a personal representative, including the personal representative of an un-emancipated minor, unless one or more of the exceptions described in 45 CFR §§ 164.502(g)(3)(i) or 164.502(g)(5) applies. See 45 CFR § 164.502(g)(1).

The general rule is that if State law, including case law, requires or permits a parent, guardian or other person acting in loco parentis to obtain protected health information, then a covered entity may disclose the protected health information. See 45 CFR § 164.502(g)(3)(ii)(A).

Similarly, if State law, including case law, prohibits a parent, guardian or other person acting in loco parentis from obtaining protected health information, then a covered entity may not disclose the protected health information. See 45 CFR § 164.502(g)(3)(ii)(B).

When State law, including case law, is silent on whether protected health information can be disclosed to a parent, guardian or other person acting in loco parentis, a covered entity may provide or deny access under 45 CFR § 164.524 to a parent, guardian or other person acting in loco parentis if the action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment. See 45 CFR § 164.502(g)(3)(ii)(C).

9.7.4.7 Disclosure to a Personal Representative, Adults and Emancipated Minors

If under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such persons as a personal representative with respect to protected health information relevant to such personal representation. See 45 CFR § 164.502(g)(2). Simply stated, if there is a State law that permits the personal representative to obtain the adult or emancipated minor’s protected health information, the covered entity may disclose it. A covered entity may withhold protected health information if one or more of the exceptions in 45 CFR § 164.502(g)(5) applies.

9.7.4.8 Deceased Persons

If under applicable law, an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such persons as a personal representative with respect to protected health information relevant to the personal representation. See 45 CFR § 164.502(g)(4). A covered entity may withhold protected health information if one or more of the exceptions in 45 CFR § 164.502(g)(5) applies. A.R.S. § 12-2294 (D) provides certain persons with authority to act on behalf of a deceased person.

9.7.4.9 Disclosure for Court-Ordered Evaluation or Treatment

An agency in which a person is receiving court ordered evaluation or treatment is required to immediately notify the person's guardian or agent or, if none, a member of the person's family that the person is being treated in the agency. See A.R.S. § 36-504(B). The agency shall disclose any further information only after the treating professional or that person's designee interviews the person undergoing treatment or evaluation to determine whether the person objects to the disclosure and whether the disclosure is in the person's best interests. A decision to disclose or withhold information is subject to review pursuant to section A.R.S. § 36-517.01.

If the individual or the individual’s guardian makes the request for review, the reviewing official must apply the standard in 45 CFR § 164.524(a)(3). If a family member makes the request for review, the reviewing official must apply the “best interest” standard in A.R.S. § 36-517.01.

The reviewer’s decision may be appealed to the superior court. See A.R.S. § 36-517.01(B). The agency or non-agency treating professional must not disclose any treatment information during the period an appeal may be filed or is pending.

9.7.4.10 Disclosure for Health Oversight Activities

A covered entity may disclose protected health information without patient authorization to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions or other activities necessary for appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards. See 45 CFR § 164.512(d).

9.7.4.11 Disclosure for Judicial and Administrative Proceedings Including Court Ordered Disclosures

A covered entity may disclose protected health information without patient authorization in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by the order. See 45 CFR § 164.512(e). In addition, a covered entity may disclose information in response to a subpoena, discovery request or other lawful process without a court order if the covered entity receives satisfactory assurances that the requesting party has made reasonable efforts to provide notice to the individual or has made reasonable efforts to secure a qualified protective order. See 45 CFR §§ 164.512(e)(1)(iii),(iv) and (v) for what constitutes satisfactory assurances.

9.7.4.12 Disclosure to Persons Doing Research

A covered entity may disclose protected health information to persons doing research without patient authorization provided it meets the de-identification standards of 45 CFR § 164.514(b). If the covered entity wants to disclose protected health information that is not de-identified, patient authorization is required or an Institutional Review Board or a privacy board in accordance with the provisions of 45 CFR § 164.512(i)(1)(i) can waive it.

9.7.4.13 Disclosure to Prevent Harm Threatened by Patients

Mental health providers have a duty to protect others against the harmful conduct of a patient under certain circumstances. See A.R.S. § 36-517.02. When a patient poses a serious danger of violence to another person, the provider has a duty to exercise reasonable care to protect the foreseeable victim of the danger. Little v. All Phoenix South Community Mental Health Center, Inc., 186 Ariz. 97, 919 P.2d 1368 (1996). A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information without patient authorization if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an individual. See 45 CFR § 164.512(j)(1)(ii); 164.512(f)(2) and (3) for rules that apply for disclosures made to law enforcement. See 45 CFR § 164.512(j)(4) for what constitutes a good faith belief.

9.7.4.14 Disclosures to Human Rights Committees

Protected health information may be disclosed to a human rights committee without patient authorization provided personally identifiable information is redacted or de-identified from the record. See A.R.S. §§ 36-509(10) and 41-3804. In redacting personally identifiable information, a covered entity must comply with the HIPAA Rule de-identification standards in 45 CFR §164.514(b) and not State law. If a human rights committee wants non-redacted identifiable health information for official purposes, it must first demonstrate to AHCCCS that the information is necessary to perform a function that is related to the oversight of the health system, and in that case, a covered entity may disclose protected health information to the human rights committee in its capacity as a health oversight agency. See 45 CFR §164.512(d)(1).

9.7.4.15 Disclosure to the Arizona Department of Corrections

Protected health information may be disclosed without patient authorization to the state department of corrections in cases where prisoners confined to the State prison are patients in the State hospital on authorized transfers either by voluntary admission or by order of the court. See A.R.S. § 36-509(5) The HIPAA Rule limits disclosure to correctional institutions to certain categories of information that are contained in 45 CFR § 164.512(k)(5).

9.7.4.16 Disclosure to a Governmental Agency or Law Enforcement to Secure Return of a Patient

Protected health information may be disclosed to governmental or law enforcement agencies if necessary to secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing court ordered evaluation or treatment. See A.R.S. § 36-509(6). A covered entity may disclose limited information without patient authorization to law enforcement to secure the return of a missing person. See 45 CFR § 164.512(f)(2)(i). In addition, a covered entity is permitted limited disclosure to governmental agencies to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. See 45 CFR § 164.512(j).

9.7.4.17 Disclosure to a Sexually Violent Persons (SVP) Program

Protected health information may be disclosed to a governmental agency or a competent professional, as defined in A.R.S. § 36-3701, in order to comply with the SVP Program (Arizona Revised Statutes, Title 36, Chapter 37). See A.R.S. § 36-509(9)).

A "competent professional" is a person who may be a psychologist or psychiatrist, is approved by the Superior Court and is familiar with the State's sexually violent person’s statutes and sexual offender treatment programs. A competent professional is either statutorily required or may be ordered by the court to perform an examination of a person involved in the sexually violent persons program and must be given reasonable access to the person in order to conduct the examination and must share access to all relevant medical and psychological records, test data, test results and reports. See A.R.S. § 36-3701(2).

In most cases, the disclosure of protected health information to a competent professional or made in connection with the sexually violent persons program is required by law or ordered by the court. In either case, disclosure under the HIPAA Rule without patient authorization is permitted. See 45 CFR § 164.512(a) (disclosure permitted when required by law) and 45

CFR § 164.512(e) (disclosure permitted when ordered by the court). If the disclosure is not required by law or ordered by the court or is to a governmental agency other than the sexually violent persons program, the covered entity may have the authority to disclose if the protected health information is for treatment, payment, or health care operations. See 45 CFR § 164.506(c) to determine rules for disclosure for treatment, payment, or health care operations.

9.7.4.18 Disclosure to Third Party Payors

Disclosure is permitted to a third-party payor to obtain reimbursement for health care, mental health care or behavioral health care provided to a patient. See A.R.S. § 36-509(13).

9.7.4.19 Disclosure to Accreditation Organization

Disclosure is permissible to a private entity that accredits a health care provider and with whom the health care provider has an agreement that requires the agency to protect the confidentiality of patient information. See A.R.S. § 36-509(14).

9.7.4.20 Disclosure of Communicable Disease Information

A.R.S. § 36-661 et seq., includes a number of provisions that address the disclosure of communicable disease information. The general rule is that a person who obtains communicable disease related information in the course of providing a health service or pursuant to a release of communicable disease related information must not disclose or be compelled to disclose that information. See A.R.S. § 36-664(A). Certain exceptions for disclosure are permitted to:

  • The individual or the individual’s health care decision maker;
  • AHCCCS or a local health department for the purpose of notifying a Good Samaritan;
  • An agent or employee of a health facility or a health care provider;
  • A health facility or a health care provider;
  • A federal, State or local health officer;
  • Government agencies authorized by law to receive communicable disease information;
  • Persons authorized pursuant to a court order;
  • The Department of Economic Security for adoption purposes;
  • The Industrial Commission;
  • The Department of Health Services to conduct inspections;
  • Insurance entities;
  • A private entity that accredits a health care facility or a health care provider; and
  • A person or entity for research only if the research is conducted pursuant to applicable federal or State laws governing research.

A.R.S. § 36-664 also addresses issues with respect to Disclosures to the Department of Health Services or local health departments. These disclosures are also permissible under certain circumstances:

  • Authorizations;
  • Re-disclosures;
  • Disclosures for supervision, monitoring and accreditation;
  • Listing information in death reports;
  • Reports to the Department; and
  • Applicability to insurance entities.

An authorization for the release of communicable disease related information must be signed by the protected person or, if the protected person lacks capacity to consent, the person’s health care decision maker (see A.R.S. § 36-664(F)). If an authorization for the release of communicable disease information is not signed, the information cannot be disclosed. An authorization must be dated and must specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the authorization is effective. A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV-related information unless the authorization specifically indicates its purpose as authorization for the release of HIV-related information and complies with the requirements of A.R.S. § 36-664(F).

The HIPAA Rule does not preempt State law with respect to disclosures of communicable disease information; however, it may impose additional requirements depending upon the type, nature, and scope of disclosure. It is advisable to consult with the HIPAA Compliance Officer and/or legal counsel prior to disclosure of communicable disease information.

For example, if a disclosure of communicable disease information is made pursuant to an authorization, the disclosure must be accompanied by a statement in writing which warns that the information is from confidential records which are protected by State law that prohibits further disclosure of the information without the specific written consent of the person to whom it pertains or as otherwise permitted by law. A.R.S. § 36-664(H) affords greater privacy protection than 45 CFR § 164.508(c)(2)(ii), which requires the authorization to contain a statement to place the individual on notice of the potential re-disclosure of the Member and thus, is no longer protected. Therefore, any authorization for protected health information that includes communicable disease information must contain the statement that re-disclosure of that information is prohibited.

9.7.4.21 Disclosure to Business Associates

The HIPAA Rule allows a covered entity to disclose protected health information to a business associate if the covered entity obtains satisfactory assurances that the business associate will safeguard the information in accordance with 45 CFR § 164.502(e) and the HITECH Act. See the definition of “business associate” in 45 CFR § 160.103. Also see 45 CFR § 164.504(e) and Section 13404 of the HITECH Act for requirements related to the documentation of satisfactory assurances through a written contract or other written agreement or arrangement.

9.7.4.22 Disclosure to the Arizona Center for Disability Law, Acting in its Capacity as the State Protection and Advocacy Agency Pursuant To 42 U.S.C. § 10805 is:

  • Allowed when an enrolled person is mentally or physically unable to consent to a release of confidential information, and the person has no legal guardian or other legal representative authorized to provide consent; and
  • Allowed when a grievance has been received by the Center or the Center asserts that the Center has probable cause to believe that the enrolled person has been abused or neglected.

9.7.5 Disclosures of Alcohol and Drug Information

The Health Plan and its providers that provide drug and alcohol screening, diagnosis or treatment services are federally assisted alcohol and drug programs and must ensure compliance with all provisions contained in the federal statutes and regulations referenced in this section.

The Health Plan and its providers must notify persons seeking and/or receiving alcohol or drug abuse services of the existence of the federal confidentiality laws and regulations and provide each person with a written summary of the confidentiality provisions. The notice and summary must be provided at admission or as soon as deemed clinically appropriate by the person responsible for clinical oversight of the person.

The Health Plan or its providers may require enrolled persons to carry identification cards while the person is on the premises of an agency. The Health Plan or its provider may not require enrolled persons to carry cards or any other form of identification when off The Health Plan or its provider’s premises that will identify the person as a member of drug or alcohol services.

The Health Plan or its providers may not acknowledge that a currently or previously enrolled person is receiving or has received alcohol or drug abuse services without the enrolled person’s authorization as provided in this section.

The Health Plan or its providers must respond to any request for a disclosure of the records of a currently or previously enrolled person that is not permissible under this policy or federal regulations in a way that will not reveal that an identified individual has been or is being diagnosed or treated for alcohol or drug abuse.

The Health Plan or its providers must advise the person or guardian of the special protection given to such information by federal law.

Release of information concerning diagnosis, treatment or referral from an alcohol or drug abuse program must be made only as follows:

  • The currently or previously enrolled person or their guardian authorizes the release of information. In this case:
    • The Health Plan or its providers must advise the person or guardian of the special protection given to such information by federal law;
    • Authorization must be documented on an authorization form which has not expired or been revoked by the patient. The proper authorization form must be in writing and must contain each of the following specified items:
      • The name or general designation of the program making the disclosure;
      • The name of the individual or organization that will receive the disclosure;
      • The name of the person who is the subject of the disclosure;
      • The purpose or need for the disclosure;
      • How much and what kind of information will be disclosed;
      • A statement that the person may revoke the authorization at any time, except to the extent that the program has already acted in reliance on it;
      • The date, event, or condition upon which the authorization expires, if not revoked before;
      • The signature of the person or guardian; and
      • The date on which the authorization is signed.
    • Re-disclosure

Any disclosure, whether written or oral, made with the person’s authorization as provided above must be accompanied by the following abbreviated written statement: “Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.

If the person is a minor, authorization must be given by both the minor and their parent or legal guardian.

If the person is deceased, authorization may be given by:

  • A court-appointed executor, administrator or other personal representative;
  • If no such appointments have been made, by the person’s spouse; or
  • If there is no spouse, by any responsible member of the person’s family.

Authorization is not required under the following circumstances:

  • Medical Emergencies – information may be disclosed to medical personnel who need the information to treat a condition which poses an immediate threat to the health of any individual, not necessarily the currently or previously enrolled person, and which requires immediate medical intervention. The disclosure must be documented in the person’s medical record and must include the name of the medical person to whom disclosure is made and their affiliation with any health care facility, name of the person making the disclosure, date and time of the disclosure and the nature of the emergency. After emergency treatment is provided, written confirmation of the emergency must be secured from the requesting entity;
  • Payment and Health Care Operations: The Final Rule allows lawful holders of patient records to re-disclose the minimum amount of information necessary to contractors, subcontractors, and legal representatives for purposes of payment and health care operations. Disclosures to contractors, subcontractors, and legal representatives are not permitted to carry out other purposes, such as activities related to patient diagnosis, treatment, or referral for treatment.  The list of the proposed payment and health care operations activities include the following:
    • Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
    • Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
    • Patient safety activities;
    • Activities pertaining to:
      • The training of student trainees and health care professionals,
      • The assessment of practitioner competencies,
      • The assessment of provider and/or health plan performance, and
      • Training of non-health care professionals;
    • Accreditation, certification, licensing, or credentialing activities;
    • Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
    • Third-party liability coverage;
    • Activities related to addressing fraud, waste and abuse;
    • Conducting or arranging for medical review, legal services, and auditing functions;
    • Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating, including formulary development and administration, development, or improvement of methods of payment or coverage policies;
    • Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
    • Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
    • Resolution of internal grievances;
    • The sale, transfer, merger, consolidation, or dissolution of an organization;
    • Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
    • Risk adjusting amounts due based on enrollee health status and member characteristics; and
    • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
  • Research Activities – information may be disclosed for the purpose of conducting scientific research according to the provisions of 42 CFR § 2.52;
  • Audit and Evaluation Activities – information may be disclosed to individuals or entities who perform audits and evaluations on behalf of federal, state, and local governments providing financial assistance to, or regulating the activities of, lawful holders as well as 42 CFR Part 2 programs. If disclosures are made to an individual or entity under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, further disclosures may be made to the individual’s or entity’s contractors, subcontractors, or legal representatives to carry out the audit or evaluation.;
  • Qualified Service Organizations – information may be provided to a qualified service organization when needed by the qualified service organization to provide services to a currently or previously enrolled person;
  • Internal Agency Communications - the staff of an agency providing alcohol and drug abuse services may disclose information regarding an enrolled person to other staff within the agency, or to the part of the organization having direct administrative control over the agency, when needed to perform duties related to the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment to a person. For example, an organization that provides several types of services might have an administrative office that has direct administrative control over each unit or agency that provides direct services; and
  • Information concerning an enrolled person that does not include any information about the enrolled person’s receipt of alcohol or drug abuse diagnosis, treatment or referral for treatment is not restricted under this section. For example, information concerning an enrolled person’s receipt of medication for a psychiatric condition, unrelated to the person’s substance abuse disorder, could be released as provided above in Section 9.7.4.
  • Court-ordered disclosures. A State or federal court may issue an order that authorizes an agency to make a disclosure of identifying information that would otherwise be prohibited. A subpoena, search warrant or arrest warrant is not sufficient standing alone, to require or permit an agency to make a disclosure.
  • Crimes committed by a person on an agency’s premises or against program personnel. Agencies may disclose information to a law enforcement agency when a person who is receiving treatment in a substance abuse disorder program has committed or threatened to commit a crime on agency premises or against agency personnel. In such instances, the agency must limit the information disclosed to the circumstances of the incident. It may only disclose the person’s name, address, last known whereabouts and status as a person receiving services at the agency.
  • Child abuse and neglect reporting. Federal law does not prohibit compliance with the child abuse reporting requirements contained in A.R.S. § 13-3620.

A general medical release form or any authorization form that does not contain all of the elements listed above is not acceptable.

9.7.6 Telemedicine

To ensure confidentiality of telemedicine sessions, providers must do the following when providing services via HIPAA compliant telemedicine:

  • The videoconferencing room door must remain closed at all times;
  • If the room is used for other purposes, a sign must be posted on the door, stating that a clinical session is in progress;
  • If a recording of the session is made, an authorization, signed by the Member, shall be obtained;
  • All videoconferencing equipment shall be set to automatically mute its microphone(s) when answering any incoming calls;
  • All videoconferencing equipment shall be set not to automatically answer multipoint calls;
  • All videoconferencing equipment with internet access that is used for telemedicine shall be set to not allow remote monitoring; and
  • All videoconferencing equipment in rooms used for telemedicine or Member services shall have the camera lens covered and the microphone muted or must be turned off whenever the equipment is not in use.

9.7.7 Security Breach Notification

The Health Plan and its providers, in the event of an impermissible use/disclosure of unsecured PHI, must provide notification to any and all persons affected by the breach in accordance with Section 13402 of the HITECH Act.

Any questions or incidents concerning Member rights, protected health information (PHI) and/or the use and disclosure of such information may be obtained by contacting The Health Plan Compliance Officer at 1-866-796-0542 or by writing to The Health Plan:

Arizona Complete Health-Complete Care Plan
Attn: Compliance Officer
1850 W. Rio Salado Parkway, Suite 211
Tempe, AZ 85281
1-866-795-0542
AzCHPrivacy@azcompletehealth.com

9.7.8 Pledge to Protect Confidential Information

If requested by the AHCCCS Procurement Office, providers must sign a “Pledge to Protect Confidential Information” and abide by the statements addressing the creation, use and disclosure of confidential information, including information designated as protected health information and all other confidential or sensitive information as defined in policy. In addition, if requested, providers must attend or participate in HIPAA training offered by AHCCCS or provide written verification that the provider has attended or participated in job-related HIPAA training that is: (1) intended to make the provider proficient in HIPAA for purposes of performing the services required and (2) presented by a HIPAA Privacy Officer or other person or program knowledgeable and experienced in HIPAA and who has been approved by the ADOA-ASET Arizona State Chief Information Security Officer.

The reporting of suspected fraud and program abuse is a requirement of the Arizona Health Care Cost Containment System (AHCCCS). Under the requirements of the Corporate Compliance Program, and in accordance with A.R.S. §36-2918.01, §36-2932, §36-2905.04 and AHCCCS ACOM Policy 103, The Health Plan, its subcontractors and providers are required to immediately notify the AHCCCS Office of Inspector General (AHCCCS-OIG) regarding all allegations of fraud, waste or abuse (FWA) involving the AHCCCS Program.

Providers must be cognizant of the potential for fraud, waste, and abuse within the public health system. Fraud as defined by Federal law and as recognized in the State of Arizona is an intentional deception or misrepresentation made by a person with the knowledge that the deception could result in some unauthorized benefit to themselves or some other person. It includes any act that constitutes fraud under applicable State or Federal law, as defined in 42 CFR 455.2.

Individuals and/or entities found to be submitting fraudulent claims for services will be reported to AHCCCS – Office of Inspector General (OIG) and may be subject to an investigation that could lead to an exclusion from participating in any Federally funded health care program pursuant to section 1128 of the Social Security Act.

Under the federal False Claims Act (FCA) provisions, no specific intent to defraud is required. The civil FCA defines "knowing" to include not only actual knowledge but also instances in which the person acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. Further, the civil FCA contains a whistleblower provision that allows a private individual to file a lawsuit on behalf of the United States government against those who have defrauded the government and entitles that whistleblower to a percentage of any recoveries.

In the context of this section of the Provider Manual, persons receiving care in the public health system can also commit acts of fraud, waste, and abuse (e.g., by loaning or selling their AHCCCS identification card).

The Health Plan’s providers are responsible for ensuring that mechanisms are in place for the identification, prevention, detection and reporting of fraud, waste, and abuse. All employees of providers must be familiar with the types of FWA that could occur during their normal daily activities. The Health Plan. The Health Plan has designated a Compliance Officer and a Compliance Committee responsible for the development and implementation of the Corporate Compliance Program which addresses FWA prevention, detection, deterrence, and reporting.

Under the applicable law of the state of Arizona, a person may not present cause to be presented to this state or to a contractor:

  1. A claim for a medical or other item or service that the person knows or has reason to know was not provided as claimed.
  2. A claim for a medical or other item or service that the person knows or has reason to know is false or fraudulent.
  3. A claim for payment that the person knows or has reason to know may not be made by the system because:
    1. The person was terminated or suspended from participation in the program on the date for which the claim is being made.
    2. The item or service claimed is substantially in excess of the needs of the individual or of a quality that fails to meet professionally recognized standards of health care.
    3. The patient was not a member on the date for which the claim is being made. ARS 36-2918

The state may impose civil penalties and assessments or both, pursuant to R9-22-1101. Basis for Civil Monetary Penalties and Assessments for Fraudulent Claims. This Article applies to prohibited acts as described under A.R.S. § 36-2918(A), and submissions of encounters to the Administration. The Administration considers a person who aids and abets a prohibited act affecting any of the AHCCCS programs or Health Care Group to be engaging in a prohibited act under A.R.S. § 36-2918(A).

9.8.1 Methods for Reporting Fraud, Waste and Abuse

The Health Plan providers are required to immediately report all suspected FWA involving any Title XIX/XXI and NTXIX/XXI funds, AHCCCS providers, or AHCCCS Members to the AHCCCS Office of Inspector General (OIG) in writing using the AHCCCS reporting form available at: https://azahcccs.gov/Fraud/ReportFraud/, and which may be submitted online, or via the following methods:

Mail: Arizona Health Care Cost Containment System (AHCCCS)
Inspector General
Office of Inspector General (OIG)
801 E. Jefferson St., Mail Drop 4500
Phoenix, AZ, 85034

To Report Provider Fraud

  • In Arizona: 602-417-4045
  • Outside of Arizona Only: 888-ITS-NOT-OK or 888-487-6686

To Report Member Fraud

  • In Arizona: 602-417-4193
  • Outside of Arizona Only: 888-ITS-NOT-OK or 888-487-6686

Email: AHCCCSFraud@azahcccs.gov
Fax: 602‐417‐4102
Website: https://azahcccs.gov/Fraud/ReportFraud/

This includes acts of suspected or confirmed FWA that were resolved internally but involved AHCCCS funds or AHCCCS providers. Failure to comply with the requirement to report suspected FWA may result in the penalty described in A.R.S. § 36-2992.

9.8.2 Reporting Fraud, Waste and Abuse to the Health Plan

In addition to notifying AHCCCS, all providers must immediately notify the Health Plan of all suspected or confirmed FWA activities. Health Plan providers must report suspected FWA to the health plan via mail, phone, or email to:

Arizona Complete Health-Complete Care Plan
Attn: Compliance Officer
1850 W. Rio Salado Parkway, Suite 211
Tempe, AZ 85281
Fraud and Abuse Hotline: (866) 685-8664
    ·Hotline is available 24/7, all calls are confidential and can be made anonymously.
Customer Service 888-778-4408 (TTY 711)
Email: AzCHFWA@azcompletehealth.com

The public, members, staff, and providers may report FWA cases confidentially and anonymously by submitting information to any of the above locations.

Providers are required to develop, maintain, and publicize a confidential and anonymous FWA reporting process. The reporting process must be made readily accessible to the public, members, employees, and contractors.

Once a suspected case of fraud, waste, or program abuse has been reported to AHCCCS's OIG, the Health Plan will take no action to audit, investigate, recoup, or otherwise offset any suspected overpayments.  The requirements to take no action following referral to AHCCCS OIG also applies to subcontractors working on behalf of Arizona Complete Health.  If the Health Plan receives anything of value that could be construed to represent the repayment of any amount expended due to fraud, waste or abuse, the Health Plan shall forward that recovery to AHCCCS/OIG within 30 days of its receipt.  As specified in the AHCCCS Minimum Subcontractor Provisions (MSP), the above requirements apply to any actions undertaken on behalf of a Contractor by a Subcontractor.

9.8.3 AHCCCS-OIG Communications

The Health Plan Providers shall report to the Health Plan (ATTN: Vice President, Compliance) and the AHCCCS-Office of Inspector General (OIG) immediately, but no later then (10) days from receipt of notification, any and all contact made by AHCCCS-OIG in reference to any open/closed FWA case, a voluntary self-disclosure or settlement, and/or any other type of FWA activity involving official communications by AHCCCS-OIG.

The Health Plan (ATTN: Vice President, Compliance) shall be advised of the final disposition of any case and/or settlement agreement made between a provider and AHCCCS-OIG.

9.8.4 Cooperation with AHCCCS and the Health Plan

Providers must respond timely to all the Health Plan, and AHCCCS-OIG requests for interviews, information, data, or documents as a part of any investigation, inquiry, or audit. AHCCCS-OIG may conduct an audit review or investigation on-site without notice and the provider must provide access to all records, documents, and data related to the provider’s contract at all times.

Upon request, providers must furnish any and all documents, to include original copies, to representatives of the Health Plan and AHCCCS-OIG at no cost. The Health Plan or AHCCCS-OIG will establish the designated timeframe to copy the requested documents, which will not exceed twenty (20 business days, from the date of The Health Plan request.

In addition, providers must verify that all emergent phone calls from the Health Plan to the provider’s point of contact are returned within 4 hours; all urgent phone calls returned within one workday and all routine calls are returned within two workdays. Providers must verify that all emails sent from Health Plan staff are addressed timely with responses from the provider received within three workdays.

9.9.1 Corporate Compliance Plan

Providers must maintain a Corporate Compliance Plan that is reviewed and updated annually. The current Corporate Compliance Plan must be made available to The Health Plan upon request.

The Corporate Compliance Plan must include, at a minimum, the following elements:

  • Designated Compliance Officer.
  • Provisions of the Deficit Reduction Act of 2005 (DRA)  and provisions of the Federal False Claims Act, Business Ethics and Conduct Policy, including the establishment of Codes of Conduct.
  • Establishment of an effective training and education program as a systematic means for educating and training agency employees and subcontractor employees to identify and report suspected waste, fraud, and abuse.
  • A process to conduct periodic monitoring of claims/encounters, claims medical review and other operations for compliance with laws, regulations, and payer requirements, such as conducting periodic internal audits.
  • A process for employees to receive information on how to identify and report incidents of suspected waste, fraud, and abuse through (The Health Plan's) Ethics and Compliance Hotline.
  • Compliance committee to oversee the implementation of an effective compliance program.
  • Verify all staff and subcontractor staff have been trained annually regarding fraud, waste, abuse, false claims act, whistleblower protections and State laws relating to civil or criminal penalties for false claims and statements.

9.9.2 Deficit Reduction and Federal False Claims Act

The Health Plan requires all providers to adhere to Deficit Reduction Act (DRA) requirements. The DRA requires that any entity that receives or makes payments under a state plan approved under Title XIX or under any waiver of such plan, totaling at least $5 million annually, must establish written policies for its employees, management, contractors, and agents regarding the federal False Claims Act (FCA), the administrative remedies for false claims and statements, applicable state laws that provide civil or criminal penalties for making false claims and statements, the “whistleblower” protections afforded under such laws and the role of such laws in preventing and detecting FWA.

The FCA applies to claims presented for payment by federal health care programs. The FCA allows private persons to bring a civil action against those who knowingly submit false claims upon the government. The following are activities for which one may be liable under the FCA:

  • Knowingly presenting to an officer or employee of the United States government a false or fraudulent claim for payment or approval;
  • Knowingly making, using or causing a false record or statement to get a false or fraudulent claim paid or approved by the government.
  • Conspiring to defraud the government by getting false or fraudulent claims allowed or paid.
  • Having possession, custody or control of property or money used, or to be used by the government, and intending to defraud the government by willfully concealing property, delivering or causing to be delivered less property than the amount for which the individual receives;
  • Authorizing to make or deliver a document, certifying receipt of property used by the government and intending to defraud the government and making or delivering a receipt without completely knowing that the information on the receipt is true.
  • Knowingly buying or receiving as a pledge of an obligation or debt, public property from an officer or employee of the government, or a member of the Armed Forces, who lawfully may not sell or pledge the property.
  • Knowingly making, using, or causing to be made or used, a false record or statement to conceal, avoid or decrease an obligation to pay or transmit money or property to the government.

The definition of “knowing” and “knowingly” as it relates to the FCA includes actual knowledge of the information, acting in deliberate ignorance of the truth or falsity of the information, and/or acting in reckless disregard of the truth or falsity of the information. Proof of specific intent to defraud is not required for reporting potential violations of the law.

Violation of the False Claims Act is punishable by a civil penalty as prescribed by federal or state law. A federal false claims action may be brought by the U.S. Attorney General.

9.9.3 Identifying Fraud, Waste and Abuse

Providers must conduct internal monitoring and auditing in accordance with 42 CFR 438.608 and must include elements and audit steps to discover or identify suspected fraud, waste, and program abuse within the provider’s organization. Providers must develop and implement a data analytics tool to evaluate encounters/claims data or other administrative data to identify trends or behavior at all system levels that indicate fraud, waste and/or program abuse.

9.9.3.1 Additional Requirement for Behavioral Health Specialty Providers and Crisis Providers

Providers must conduct internal monitoring and auditing in an effort to discover or identify suspected fraud, waste, and program abuse within the provider’s organization.  In accordance with A.R.S. §36-2918.01 and ACOM Policy 103, providers should have a process to, upon discovery, promptly address and notify the Health Plan and AHCCCS-OIG of any instances of an excluded provider or employee that is, or appears to be, in a prohibited relationship with the Subcontractor (42 CFR 455.17).

9.9.4 Corporate Compliance Program

Providers must have a comprehensive Corporate Compliance Program designed to deter, detect, and prevent fraud, waste, and abuse.  The Corporate Compliance Programs should be compliant with the requirements of Section 6032 Deficit Reduction Act of 2005 (DRA) [Section 1902(a)(68) of the Social Security Act, Title 42 CFR 457.1285, and Title 42 CFR 438.608 (a) (6).  The provider must establish written policies, and shall ensure adequate training and ongoing education for, all of its employees including management, members, and of any subcontractors or agents regarding the following:

  • Detailed information about the Federal False Claims Act,
  • The administrative remedies for false claims and statements,
  • Any State laws relating to civil or criminal liability or penalties for fasle claims and statements, and
  • The whistleblower protections under such laws.

Additionally, the Corporate Compliance Program should include:

  • Written policies, procedures, and standards of conduct that articulate the organization's commitment to processes for, complying with all applicable federal and State Standards;
  • A process for the monthly screening of all provider existing staff, potential staff and subcontractors against the List of Excluded Individuals and Entities (LEIE) & the System for Award Management (SAM) formerly known as the Excluded Parties List (EPLS) databases for those that have been debarred, suspended, or otherwise excluded as well as any other databases as required/requested by the Health Plan, AHCCCS or Centers for Medicare and Medicaid Services (CMS). All potential staff and subcontractors must be checked before hire and all existing staff and subcontractors must be checked on a monthly basis;
  • A mechanism for enforcement of standards through well-publicized disciplinary guidelines;
  • Have a process to confirm the identity and determine the exclusion status of any person with an ownership or control interest in the Contractor and with regard to its fiscal agents, to identify, obtain and report the exclusion status on persons convicted of crimes; and
  • Develop and maintain robust internal controls and mechanisms in order to consistently identify, prevent, deter, and detect fraud, waste and program abuse that includes the implementation of corrective action plans (42 CFR 438.608).

9.9.5 Compliance Officer

Providers must establish written criteria for selecting a Compliance Officer and job description that clearly outlines the responsibilities and authority of the position. The Compliance Officer shall have the authority to assess records and independently refer suspected Member fraud, provider fraud, waste and Member abuse cases to The Health Plan and the AHCCCS-OIG. The Compliance Officer shall not have any title, duties or responsibilities that could constitute a potential or actual conflict of interest. Providers must require the Compliance Officer to be responsible for the following:

  • Provide training and ongoing education to employees in identifying and reporting fraud, waste, and program abuse.
  • Oversee internal and external compliance audits
  • Record, track and trend all fraud, waste and abuse related complaints received including those initiated by  The Health Plan or a subcontractor, which shall capture and maintain the following information, at a minimum;
    • Contact information of complainant;
    • Name and identifying information of person or entity suspected of fraud, waste and/or program abuse;
    • Date and time complaint was received;
    • Nature of the allegations and summary of concern;
    • Potential estimated dollar loss amount and specific identification of funding source(s) involved;
    • Subcontractor's unique case identifying number;
    • The department or agency in which the complaint has been reported, and
    • Date in which the case was referred to The Health Plan or AHCCCS-OIG.

Providers must ensure the Compliance Officer has complete access to all information, databases, files, records, and documents in order to conduct audits and to strategically structure the position to report suspected fraud, waste, and program abuse directly The Health Plan and AHCCCS-OIG independently (42 CFR 455.17).

9.9.6 Other Activities

The provider must conduct additional activities, such as:

  • Regular fraud, waste, and abuse awareness activities (i.e., campaigns, newsletters)
  • Develop and maintain internal control assessments
  • Risk assessments
  • The Health Plan responds to and coordinates responses made by  the Health Plan Compliance Committee
  • Notify  The Health Plan of any CMS compliance issues related to HIPAA transactions and code set complaints or sanctions
  • Communicate with  The Health Plan and AHCCCS OIG on the final disposition of the research and advice of actions, if any, taken by the provider
  • Contract with an independent auditor to conduct an annual claims review to verify compliance with all State and federal laws, regulations, and payer requirements.

The Centers for Medicare and Medicaid Services (CMS) requires the Arizona Health Care Cost Containment System (AHCCCS) to conduct encounter validation studies as a condition for receiving federal Medicaid funding. AHCCCS requires The Health Plan to conduct encounter validation studies of their providers.

The purpose of encounter validation studies is to compare recorded utilization information from a clinical record or other source with submitted encounter data. The review “validates” or confirms that covered services are encountered timely, correctly, and completely. The purpose of this section is to:

  • Inform providers that encounter validation studies may be performed by AHCCCS, The Health Plan and/or AHCCCS staff; and
  • Convey the AHCCCS’ expectation that providers cooperate fully with any encounter validation review that AHCCCS, The Health Plan and/or AHCCCS may conduct.

9.10.1 Criteria Used in Encounter Validation Studies

The criteria used in encounter validation studies include timeliness, correctness, and omission of encounters, in addition to encountering for services not documented in the medical record. These criteria are defined as follows:

  • Timeliness - The time elapsed between the date of service and the date that the encounter is received. The Health Plan is required to provide specific information for providers on Timeliness standards;
  • Correctness - A correct encounter contains a complete and accurate description of a covered behavioral health service provided to a person. Correctness errors frequently identified include, but are not limited to, invalid procedure or revenue codes and ICD-10 diagnoses not reported to the correct level of specificity;
  • Omission - Provider documentation shows a service was provided; however, an encounter was not submitted; and
  • Lack of Documentation - A description of adequate documentation is referenced in Section 10.2 – Medical Records Standards.

In addition, assessment compliance must be monitored by The Health Plan in accordance with Section 12.6 - Assessment and Service Planning. Providers may be subject to sanctions for failure to meet the criteria used in encounter audits, which may include timeliness, correctness, and omission of encounters.

Providers must notify The Health Plan if, on the basis of moral or religious grounds, the provider elects not to provide coverage of a covered counseling or referral service pursuant to 42 CFR 438.102(a)(2). If the provider elects not to provide coverage of a covered counseling or referral service pursuant to 42 CFR 438.102(a) (2), the provider is required to make alternative arrangements with another entity to provide the service. A provider must notify The Health Plan prior to entering into a contract or adopting a policy as described above during the term of the provider’s contract with The Health Plan. The notification and policy must be consistent with the provisions of 42 CFR 438.10; must be provided to Members during their initial appointment; and must be provided to Members at least thirty (30) days prior to the effective date of the policy.

9.11.1 Provider Responsibilities

Providers must deliver covered services in accordance with the Medical Policy Manual .

Providers must document adequate information in the clinical record and submit encounters to The Health Plan. Any audit findings that indicate suspected fraud, waste and/or program abuse must be reported to The Health Plan’s Compliance Department as described in Section 9.8.2 Reporting Fraud, Waste and Abuse to the Health Plan.