Skip to Main Content

Compliance

The following are member rights in accordance with 42 CFR Section 438.100:

  • Be treated with respect and with recognition of the member’s dignity and need for privacy. (42 CFR 438.100.(b)(2)(ii));
  • The right to privacy includes protection of any information that identifies a particular member except when otherwise required or permitted by law.
  • The Health Plan and its providers must ensure the confidentiality of health, service and medical records and of other member information. (Refer to the Medical Records Requirements included in Policy 940 of the AHCCCS AMPM Chapter 900).
  • Receive required information in a manner and format that may be easily understood and is readily accessible. (42 CFR 438.10.c.1);
  • Notified that oral interpretation is available for any language and written information is available in prevalent languages, that auxiliary aids and services are available upon request at no cost to the member and how to access those services. (42 CFR 438.10.d.5);
  • Receive information on available treatment options and alternatives, presented in a manner appropriate to the Member’s condition and ability to understand (42 CFR 438.100(b)(2)(iii));
  • Participate in decisions regarding their health care, including the right to refuse treatment (42 CFR 438.100(b)(2)(iv));
  • Be free from any form of restraint or seclusion used as a means of coercion, discipline, convenience, or retaliation (42 CFR .438100(b)(2)(v));
  • Request and receive a copy of their medical records, and to request that the record be amended or corrected, as specified in 45 CFR part 164.524 and 164.526 and applicable state law (42 CFR 438.100(b)(2)(vi)); and
  • Free to exercise their rights and that the exercise of those rights shall not adversely affect service delivery to the Member (42 CFR 438.100(c)).

The Health Plan recognizes the member rights and responsibilities as set forth in the AHCCCS AMPM Chapter 900 - Policy 930. The expectation is that all providers are informed and have implemented processes to ensure that all elements described in Policy 930 are integral part of their operation.

The Health Plan and its providers must respond to the unique cultural, ethnic, and linguistic characteristics of the population they serve to ensure that services are culturally competent for all members.

The Health Plan has adopted the Culturally and Linguistically Appropriate Services in Health Care (National CLAS Standards; 42 CFR 438; Affordable Care Act Section 1557) as its cultural competency framework to support a more consistent and comprehensive approach to cultural and linguistic competence in health care. By tailoring services to an individual's culture and language preference, health professionals can help bring about positive health outcomes for diverse populations. Providers are required to adhere to and implement the CLAS standards in order to comply with Cultural Competency Health Care Requirements. The National CLAS Standards can be obtained and reviewed at https://minorityhealth.hhs.gov.

In order to ensure competence and proficiency of those providing language assistance, the Health Plan requires that persons who provide oral interpretation and written translation are certified through language testing by ALTA Services or another approved language testing vendor with a score of eight (8) or higher, with a higher level of proficiency needed for the provision of more complex communication, such as psychiatric services and psychological testing, and medical care. Providers can register for testing at http://www.altalang.com. The charge for the testing is the provider agency’s responsibility. Certificates of proficiency indicating level/testing scores shall be maintained in personnel records and/or subcontractor’s files and made available to The Health Plan. The Health Plan will audit providers to verify they are using certified bilingual staff at the appropriate level of proficiency to provide the language assistance or that they are using a language vendor.

The Health Plan makes available tools for individual and organizational self-assessments related to cultural and linguistic competence.  Providers who are interested in assessing their organization may email AzCHCulturalAffairs@azcompleteheatlh.com for more information.

What is Culture?

Culture refers to integrated patterns of human behavior that include the language, thoughts, communications, actions, customs, beliefs, values, and institutions of racial, ethnic, religious or social groups. Culture defines the preferred ways for meeting needs, and may be influenced by factors such as geographic location, lifestyle and age. Culture is dynamic in nature, and individuals may identify with multiple cultures over the course of their lifetimes.

AHCCCS defines Cultural Competency as “A set of congruent behaviors, attitudes and policies that come together in a system, agency, or among professionals, which enables that system, agency or those professionals to work effectively in cross-cultural situations. Competence implies having the capacity to function effectively as an individual and an organization with the context of the cultural beliefs, behaviors and needs presented by consumers and their communities.”

Culturally Competent Care

The Health Plan and its providers must ensure that cultural considerations are being integrated in approaches to member care. Culturally competent health care incorporates cultural considerations that include, but are not limited to the following: ethnicity, race, age, gender identity, sexual orientation, economic status, military experience, physical abilities and limitations, literacy, primary/preferred languages, spiritual beliefs and practices, communities, family roles, and English proficiency. To comply with the Culturally Competent Care requirements, The Health Plan and its providers must provide culturally relevant and appropriate services for all members. They must be treated fairly without regard to age, ethnicity, race, sex, religion, national origin, creed, tribal affiliation, ancestry, gender identity, sexual orientation, marital status, genetic information, socio-economic status, physical or intellectual disability, ability to pay, mental illness, and/or cultural and linguistic need. Cultural Competency Program representatives develop, establish and monitor programs for members that meet the cultural contractual requirements established by the Arizona Health Care Cost Containment System (AHCCCS). For more information on cultural and linguistic services provided by The Health Plan or cultural community resources, contact The Health Plan Cultural Competency Program at AzCulturalAffairs@AzCompleteHealth.com

Organizational Supports for Cultural and Linguistic Need

Under State guidance, and to comply with the Organizational Supports for Cultural Competence, The Health Plan and providers must:

  • Conduct ongoing assessments of the organization’s CLAS-related activities and integrate CLAS-related measures into measurement and continuous quality improvement activities;
  • Create conflict and grievance resolution processes that are culturally and linguistically appropriate to identify, prevent, and resolve conflicts or complaints;
  • Consult with diverse groups to develop relevant communications, outreach and marketing strategies that review, evaluate, and improve service delivery to diverse individuals, families, and communities, and address disparities in access and utilization of services.

Workforce Development and Training

Providers are required to:

  • Recruit, retain, promote, and support culturally and linguistically diverse representation within all levels of the organization that is responsive to the population in the service area(s) and reflects the cultural background of Members served;
  • Provide new hire, ongoing, and annual training to the workforce. This includes addressing the requirements in the Cultural Competency section of the Provider Manual, the CLAS Standards, use of language assistance and alternative formats for Members with Limited English Proficiency (LEP), diversity awareness, and culturally relevant topics customized to meet the needs of their service area(s).  Providers must maintain full compliance with all mandatory Cultural Competency trainings (see Section 15 — Training Requirements), and verify that staff at all levels and across all disciplines receive the ongoing education and training in culturally and linguistically appropriate service delivery;
  • Ensure all staff have access to resources for Members with diverse cultural needs.

Documenting Clinical Cultural and Linguistic Need

To advance health literacy, reduce health disparities, and identify the individual’s unique needs, providers are required to do the following:

  • Providers must document in a Member’s medical record if the person has a preferred language other than English. Maintain documentation within the medical record of oral interpretation provided in a language other than English- by certified bilingual staff or an interpretation vendor. Documentation must include the date of service, interpreter name, type of language provided, interpretation duration, and type of interpretation assistance provided;
  • Providers must document the language not only of the Member but also of the guardian or legal appointed representative if the Member care requires the presence of a legal parent or guardian who does not speak English (e.g., when the patient/Member is a minor or severely disabled).
  • Collect and maintain accurate and reliable cultural (for example: age, ethnicity, race, national origin, sex, gender identity, sexual orientation, tribal affiliation, refugee status, veteran status, disability) and linguistic (for example, primary language, preferred language, language spoken at home,) needs within the medical records to inform service delivery;

Communication and Language Assistance

In accordance with Title VI of the Civil Rights Act, Prohibition against national Origin Discriminations, the President’s Executive Order 131166, section 1557 of the Patient Protection and Affordable care Act, The Health Plan and its providers must make language assistance available to persons with Limited English Proficiency (LEP) at all points of contact during all hours of operation. Oral interpretation, American Sign Language, and written translation are provided at no charge to AHCCCS eligible persons. Members must be provided with information instructing them how to access these services. Providers must post nondiscrimination notices and language assistance taglines in lobbies and on websites. Language assistance taglines notify individuals of the availability of language assistance in at least the top 15 languages utilized in Arizona as identified by the ACA 1557, and include at least one tagline in 18 point font. Nondiscrimination notices and taglines must also be included in significant correspondence sent to the member. For more information on what specific information needs to be included in the nondiscrimination notice and taglines - https://www.hhs.gov/civil-rights/for-individuals/section-1557/1557faqs/index.html.

Providers must adhere to the rules established by the Arizona Commission for the Deaf and Hard of Hearing, in accordance with A.R.S. § 36-1946. The Arizona Commission for the Deaf and the Hard of Hearing provides a listing of licensed interpreters, information on auxiliary aids and the complete rules and regulations regarding the profession of interpreters in the State of Arizona. (Arizona Commission for the Deaf and the Hard of Hearing www.acdhh.org or 602-542-3323 (V/TTY)).The Health Plan can be contacted via TDD/TTY line, 24 hours a day, 7 days a week at 711.

All providers must have interpretation resources available during all hours of operation. Best practice for providing language assistance is to have certified bilingual staff available to meet the language assistance needs. For oral interpretation and American Sign Language, if a provider does not have certified bilingual staff or licensed American Sign Language interpreters available, the Provider is required to either contract with language vendors to meet these needs and/or may have the option to utilize the interpreters that are provided by Arizona Complete Health-Complete Care Plan at no cost to providers or members. Information regarding interpreter assistance is available by contacting The Health Plan Provider Services Call Center number at 866-796-0542 (TTY 711). When calling, the following information is required:

  • Member name;
  • Member ID number;
  • Appointment date and time (advance note preferred, if possible);
  • Type of interpretation needed;
  • Language requested.

The Health Plan has customer service representatives who are available to speak to members/family members in their preferred language, or will conference in an interpreter. The Provider Services Call Center, at 866-796-0542 also has the ability to conference in an interpreter, as needed.

Providers must ensure any document that requires the signature of the Member, and that contains vital information such as the treatment, medications or notices, or service plans must be translated into their preferred/primary language upon request.

Providers must ensure their websites meet compliance with Section 508 Accessibility Standards. Section 508 is a federal law that requires agencies to provide people with disabilities equal access to electronic information and data comparable to those who do not have disabilities.

Restrictions Related to Interpretation or Facilitation of Communication

A Provider shall NOT require an individual with limited English proficiency to provide their own interpreter or rely on an adult or child accompanying an individual with limited English proficiency to interpret or facilitate communication. In addition, a Provider shall NOT rely on staff other than qualified bilingual/multilingual staff to communicate directly with individuals with limited English proficiency. Exceptions to these expectations include:

  • In an emergency involving an imminent threat to the safety or welfare of an individual or the public where there is no qualified interpreter for the individual with limited English proficiency immediately available; 
  • Where the individual with limited English proficiency specifically requests that the accompanying adult interpret or facilitate communication, the accompanying adult agrees to provide such assistance, and reliance on that adult for such assistance is appropriate under the circumstances for minimal needs;

Laws and Policies Addressing Discrimination and Diversity

Provider agencies must abide by the following referenced federal and state applicable rules, regulations and guidance documents:

  • AHCCCS Contractor Operations Manual (ACOM) Section 405-Cultural Competency: This Policy applies to Acute Care, ALTCS/EPD, CRS, DCS/CMDP (CMDP), DES/DDD (DDD), and RBHA Contractors. Title VI of the Civil Rights Act prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving federal financial assistance;
  • Section 1557 of the Patient Protection and Affordable Care Act is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex (including gender identity and sexual stereotypes), age, or disability in certain health programs or activities Section 1557 builds on long-standing and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in any health program or activity any part of which receive federal funding.
  • Department of Health and Human Services - Guidance to Federal Financial Assistance Members Regarding Title VI Prohibition Against National Origin Discrimination affecting Limited English Proficient Persons;
  • Section 504 of the Rehabilitation Act prohibits discrimination on the basis of disability in delivering contract services;
  • Section 508 of the Rehabilitation Act requires that institutions receiving federal funds solicit, procure, maintain and use all Information and Communication Technology (ICT) so that equal or alternate/comparable access is given to federal employees and members of the public with and without disabilities. It is a federal law that requires agencies to provide people with disabilities equal access to electronic information and data comparable to those who do not have disabilities; and,
  • The Americans with Disabilities Act prohibits discrimination against persons who have a disability. Providers must deliver services so that they are readily accessible to persons with a disability.

In the State of Arizona, verification of United States (U.S.) Citizenship or Lawful Presence of non-citizens is mandatory prior to a person being able to receive public health benefits (A.R.S. § 1-502 (PDF). In addition to citizenship/lawful presence, the Arizona Health Care Cost Containment System, (AHCCCS) requires verification of a person’s identification in order to determine eligibility. A person who has verified both citizenship/lawful presence and identification and has been found eligible for AHCCCS may:

  • Be eligible for Title XIX/XXI (Medicaid) or Title XXI (KidsCare) covered services; or
  • Not qualify for Title XIX/XXI entitlements, but be eligible for services.

The Health Plan and its providers must verify U.S. citizenship or lawful presence in the U.S. of all persons applying for publicly funded services.

9.3.1 Eligibility to Receive Public Services with Verification Of U.S. Citizenship/Lawful Presence

The following individuals are eligible for public services:

  • Persons determined to be eligible for AHCCCS; and

Persons not eligible for AHCCCS but with a Serious Mental Illness (SMI) AND who can provide documentation of citizenship/lawful presence (see AHCCCS Medical Assistance Chapter 500, Section 507 Proof of Citizenship at https://www.azahcccs.gov/Resources/GuidesManualsPolicies/EligibilityPolicy/EligibilityPolicyManual )

9.3.2 Eligibility to Receive Public Services Without Verification

Persons not eligible for AHCCCS and NOT with SMI, but who qualify to receive behavioral health services funded through the Substance Abuse Block Grant (SABG) or the Projects for Assistance in Transition from Homelessness (PATH) Program are eligible to receive services in accordance with Section 12.10 - Special Populations. However, persons receiving services funded by SABG or PATH must still be screened for AHCCCS eligibility in accordance with Section 12.1 - Eligibility Screening for AHCCCS Health Insurance, Medicare Part D Prescription Drug Coverage and the Limited Income Subsidy Program.

Persons presenting for and receiving crisis services are not required to provide documentation of eligibility with AHCCCS nor are they required to verify U.S. citizenship/lawful presence prior to or in order to receive crisis services.

9.3.3 Completing an AHCCCS Eligibility Determination Screening as Part of the Verification Process

If a person is currently enrolled with AHCCCS and has been assigned to a T/RBHA/Health Plan, verification of citizenship/lawful presence has already been completed.

For an illustration on how the verification process works, see Provider Manual Attachment 12.2.2, Citizenship/Lawful Presence Verification Process Through Health-e-Arizona PLUS which can be obtained by calling the Provider Services Call Center at 866-796-0542.

For a list of those persons who are exempt from citizenship verification, see Provider Manual Attachment 12.2.3, Persons Who Are Exempt from Verification of Citizenship during the Prescreening and Application Process which can be obtained by calling the Provider Services Call Center at 866-796-0542.

Providers must complete an eligibility determination screening for all persons who are not identified as being currently enrolled with AHCCCS using the subscriber version of the Health-e- Arizona PLUS online application found at https://www.healthearizonaplus.gov/. An eligibility screening will be conducted:

  • Upon initial request for services;
  • At least annually thereafter, if still receiving services; and
  • When significant changes occur in the person’s financial status.

9.3.3.1 What Is the Process for Completing the Eligibility Screening Using Health-E-Arizona PLUS?

The Health Plan or its provider meet with the person and complete the Health-e- Arizona PLUS online application found at https://www.healthearizonaplus.gov/Default/Default.aspx.. Once the online application screening has been completed, the Health-e-Arizona PLUS online application tool will indicate:

  • If the person is potentially AHCCCS eligible, The Health Plan or its provider must obtain from the applicant:
    • Documentation of identification and U.S. Citizenship needed if the person claims to be a U.S. citizen (see Provider Manual Attachment 12.2.1, Documents Accepted by AHCCCS To Verify Citizenship and Identity which can be obtained by calling the Provider Services Call Center at 866-796-0542 ); or
    • Documentation needed of identification and lawful presence in the U.S. if the applicant states that they are not a U.S. citizen (see Provider Manual Attachment 12.2.4, Non-Citizen/Lawful Presence Verification Documents which can be obtained by calling the Provider Services Call Center at 866-796-0542).
  • The required U.S. citizenship/lawful presence documents are considered “permanent documents”. Permanent documents include proof of age, Social Security Number, U.S. citizenship or immigration status. These are eligibility factors that typically do not change and only need to be verified once, and
  • When providers use the online Member verification system and enter a Member’s social security number, the Member’s photo, if available from the Arizona Motor Vehicles Department, will be displayed on the AHCCCS eligibility verification screen along with other AHCCCS coverage information. The added photo image assists providers to quickly validate the identity of a Member.

If the Health-e-Arizona PLUS online screening tool indicates that the person may not be eligible for AHCCCS, the person may:

  • Choose to continue with the AHCCCS eligibility application, in which case the provider must assist the person in completing the application process and obtain the required identification and citizenship/lawful presence documents as indicated above or those required for Non-Title XIX/XXI Eligible individuals as outlined in AHCCCS Medical Assistance Chapter 500, Section 507 Proof of Citizenship at https://www.azahcccs.gov/Resources/GuidesManualsPolicies/EligibilityPolicy/EligibilityPolicyManual ); or
  • Decide to not continue with the online application process. The provider will need to determine if the person is eligible for services as described in AHCCCS AMPM Policy 110 Special Populations. The provider must continue to work with the person to obtain the required citizenship/lawful presence documents whenever possible for future eligibility status need.

9.3.3.2 Inability to Provide the Required Identification or Citizenship/Lawful Presence Documents at the Time of Application

To the extent that it is practicable, The Health Plan or its providers are expected to assist applicants in obtaining required documentation of identification and citizenship/lawful presence within the timeframes indicated by Health-e-Arizona PLUS (30 days from date of application submission unless otherwise stated).

Persons who are unable to provide required documentation of citizenship or lawful presence are not eligible for publicly funded services unless they meet the criteria outline in this section. If the person obtains the required documentation at a later date they may reapply for AHCCCS eligibility using Health-e-Arizona PLUS (and submit all required documentation with the reapplication, with no waiting period).

Pending the outcome of the AHCCCS eligibility determination, a person may be provided services in accordance with Section 12.10 - Special Populations.

9.3.4 Documentation Requirements

Documentation of screening a Member through Health-e-Arizona PLUS must be included in medical record, including the Application Summary and final Determination of eligibility status notification printed from the Health-e-Arizona PLUS website.

If a person has refused to participate in the screening process, the documented refusal to participate in the screening and/or application process must be maintained in accordance with Section 12.1 - Eligibility Screening for AHCCCS Health Insurance, Medicare Part D Prescription Drug Coverage and the Limited Income Subsidy Program.

The State and/or The Health Plan may conduct unscheduled, periodic process and documentation audits to ensure that The Health Plan and/or its providers are in compliance with this section. The Health Plan may enforce all available contract remedies against a provider, up to and including termination for failure to comply with this section.

Employees of The Health Plan and its providers are considered agents of the State, and therefore, must report discovered violations of immigration status to AHCCCS, which is responsible for submitting the reports to the U.S. Immigration and Customs Enforcement (ICE) agency. Failure to report a discovered violation is a Class 2 Misdemeanor.

9.4.1 Identification of Violations

The Health Plan and its providers must refrain from conduct or actions that could be considered discriminatory behavior. It is unlawful and discriminatory to deny persons services, exclude persons from participation in those services, or otherwise discriminate against any person based on grounds of race, color or national origin.

The Health Plan and its providers must not use any information obtained about a person’s citizenship or lawful presence for any purpose other than to provide a person with services. Factors that must NOT be considered when identifying a potential violation:

  • The person’s primary language is a language other than English;
  • The person was not born in the United States;
  • The person does not have a Social Security number;
  • The person has a “foreign sounding” name;
  • The person cannot provide documentation of citizenship or lawful presence;
  • The person is identified by others as a non-citizen; and
  • The person has been denied AHCCCS eligibility for lack of proof of citizenship or lawful presence.

If a person applying for services, in the course of completing the application process or while conducting business with The Health Plan or a The Health Plan provider, voluntarily reveals that they are not lawfully present in the United States then and only then may The Health Plan or its providers consider it to be a reportable violation.

The Health Plan and its providers must not require documentation of citizenship or lawful presence from persons who are not personally applying for services, but who are acting on behalf of or assisting the applicant (for example, a parent applying on behalf of a child).

It is not the responsibility of The Health Plan or its providers to ensure the validity of the submitted documents. Documents must be copied for files and submitted, as requested, to the appropriate agency, as instructed through Health-e-Arizona PLUS (see Section 9.2 - Verification of U.S. Citizenship or Lawful Presence for Public Behavioral Health Benefits).

The criteria for screening and applying for AHCCCS eligibility are not changed by these reporting requirements. Further, the documentation requirements for verifying or establishing citizenship or lawful presence are not changed by this process (see Section 9.2 - Verification of U.S. Citizenship or Lawful Presence for Public Behavioral Health Benefits).

The Health Plan and its providers must follow the expectations outlined in this policy when identifying and reporting violations. Questions regarding reporting requirements may be submitted via email to the AHCCCS Corporate Compliance Officer at AHCCCSFraud@azahcccs.gov

9.4.2 Reporting Process

The Health Plan or a provider that identifies a violation must submit a report to AHCCCS via secure email to AHCCCS Corporate Compliance at  AHCCCSFraud@azahcccs.gov  that contains the following information:

  • First and last name of identified individual;
  • Residential address/street, address of identified individual, including city, state, and zip code; and
  • Reason for referral.

Additionally, the link “How to Report Fraud, Waste or Abuse of the Program is:  https://www.azahcccs.gov/Fraud/ReportFraud/

9.4.3 Documentation Expectations

The Health Plan or its providers must document in the person’s medical record (if a provider) or in the Corporate Compliance Office (The Health Plan) the following:

  • Reason for making a report, including how the information was obtained and whether it was an oral or written declaration;
  • The date the report was submitted to AHCCCS;
  • Any actions taken as a result of the report; and
  • A copy of the email to AHCCCS that contains the report.

Any employee of The Health Plan with a basis to believe that abuse, neglect, exploitation, injuries, and unexpected death of an incapacitated or vulnerable adult or minor child has occurred shall immediately report the incident to a peace officer, the Department of Economic Security/ Adult Protective Services (DES/APS) or the Department of Economic Security/Department of Child Safety (DES/DCS) worker as appropriate, as well as to The Health Plan.  The Health Plan will then report it to AHCCCS Quality Management.

9.5.1 Duty to Report Abuse, Neglect or Exploitation of a Vulnerable Adult

Providers responsible for the care of adults, including incapacitated or vulnerable adults, and who have a reasonable basis to believe that abuse or neglect of the adult has occurred or that exploitation of the adult's property has occurred shall report this information immediately either in person or by telephone. This report shall be made to a peace officer or to a protective services worker within APS. Information on how to contact APS to make a report is located by going to the webpage for the APS Central Intake Unit. A written report must also be mailed or delivered within forty-eight hours or on the next working day if the forty-eight hours expire on a weekend or holiday. The report shall contain:

  • The names and addresses of the adult and any persons who have control or custody of the adult, if known;
  • The adult's age and the nature and extent of their incapacity or vulnerability;
  • The nature and extent of the adult's injuries or physical neglect or of the exploitation of the adult's property; and
  • Any other information that the person reporting believes might be helpful in establishing the cause of the adult's injuries or physical neglect or of the exploitation of the adult's property.

Upon written and signed request for records from the investigating peace officer or APS worker, the person who has custody or control of medical or financial records of the incapacitated or vulnerable adult for whom a report is required shall make such records, or a copy of such records, available (see Section 9.6.1, Disclosure of Health Information). Records disclosed are confidential and may be used only in a judicial or administrative proceeding or investigation resulting from the report. If psychiatric records are requested, the custodian of the records shall notify the attending psychiatrist, who may remove the following information from the records before they are made available:

  • Personal information about individuals other than the patient; and
  • Information regarding specific diagnoses or treatment of a psychiatric condition, if the attending psychiatrist certifies in writing that release of the information would be detrimental to the patient's health or treatment.

If any portion of a psychiatric record is removed, a court, upon request of a peace officer or APS worker, may order that the entire record or any portion of such record containing information relevant to the reported abuse or neglect be made available to the peace officer or APS worker investigating the abuse or neglect.

Additionally, providers must report to The Health Plan healthcare acquired conditions, abuse, neglect, exploitation, injuries, high profile cases and unexpected death of adults as required under Section 10.10 - Reporting of Incidents, Accidents, and Deaths.

9.5.2 Duty to Report Abuse, Neglect, Exploitation, Injuries, Denial or Deprivation of Medical or Surgical Care or Nourishment, and Unexpected Death of a Minor

Any provider who reasonably believes that any of the following incidents has occurred shall immediately report this information to a peace officer or to a Department of Child Safety (DCS) worker by calling the Arizona Child Abuse Hotline, and must also notify The Health Plan of:

  • Any physical injury, abuse, reportable offense or neglect involving a minor that cannot be identified as accidental by the available medical history; or
  • A denial or deprivation of necessary medical treatment, surgical care or nourishment with the intent to cause or allow the death of an infant.

In the event that a report concerns a person who does not have care, custody or control of the minor, the report shall be made to a peace officer only. Reports shall be made immediately by telephone or in person and shall be followed by a same-day progress note in the Member’s Health Record. The report shall contain:

  • The names and addresses of the minor and the minor's parents or the person(s) having custody of the minor, if known;
  • The minor's age and the nature and extent of the minor's abuse, physical injury or neglect, including any evidence of previous abuse, physical injury or neglect; and
  • Any other information that the person believes might be helpful in establishing the cause of the abuse, physical injury or neglect.

If a physician, psychologist, or behavioral health professional receives a statement from a person other than a parent, stepparent, or guardian of the minor during the course of providing sex offender treatment that is not court ordered or that does not occur while the offender is incarcerated in the State Department of Corrections or the Department of Juvenile Corrections, the physician, psychologist, or behavioral health professional may withhold the reporting of that statement if the physician, psychologist, or behavioral health professional determines it is reasonable and necessary to accomplish the purposes of the treatment.

Upon written request by the investigating peace officer or DCS worker, the person who has custody or control of medical records of a minor for whom a report is required shall make the records, or a copy of the records, available (see Section 9.6.1 - Disclosure of Health Information). Records are confidential and may be used only in a judicial or administrative proceeding or investigation resulting from the required report. If psychiatric records are requested, the custodian of the records shall notify the attending psychiatrist, who may remove the following information before the records are made available:

  • Personal information about individuals other than the patient; and
  • Information regarding specific diagnoses or treatment of a psychiatric condition, if the attending psychiatrist certifies in writing that release of the information would be detrimental to the patient's health or treatment.

If any portion of a psychiatric record is removed, a court, upon request by a peace officer or DCS worker, may order that the entire record or any portion of the record that contains information relevant to the reported abuse, physical injury or neglect be made available for purposes of investigation.

Additionally, providers must report to The Health Plan healthcare acquired conditions, abuse, neglect, exploitation, injuries, high profile cases, denial or deprivation of medical or surgical care or nourishment, and unexpected death of minors as required under Section 10.10 - Reporting of Incidents, Accidents, and Deaths.

Any health provider employed or subcontracted by The Health Plan or a mental health provider that has determined a patient poses a serious danger of violence to others shall take reasonable actions to protect the potential victim(s) of that danger (AHCCCS AMPM 960).

9.6.1 Duty to Protect Potential Victims of Physical Harm

When a health provider employed or subcontracted by The Health Plan or a provider of a mental health provider determines, or under applicable professional standards, reasonably should have determined that a patient poses a serious danger to others, they bear a duty to exercise care to protect the foreseeable victim of that danger. The foreseeable victim need not be specifically identified by the patient, but may be someone who would be the most likely victim of the patient’s violent conduct.

While the discharge of this duty may take various forms, health providers employed or subcontracted by The Health Plan or a provider of a mental health provider need only exercise that reasonable degree of skill, knowledge and care ordinarily possessed and exercised by Members of that professional specialty under similar circumstances. Any duty owed by a health provider employed or subcontracted by The Health Plan or a provider of a mental health to take reasonable precautions to prevent harm threatened by a patient can be discharged by any of the following, depending upon the circumstances:

  • Communicating, when possible, the threat to all identifiable victims;
  • Notifying a law enforcement agency in the vicinity where the patient or any potential victim resides;
  • Taking reasonable steps to initiate proceedings for voluntary or involuntary hospitalization, if appropriate, and in accordance with  Section 12.9 - Pre-petition Screening, Court Ordered Evaluation and Court Ordered Treatment; or
  • Taking any other precautions that a reasonable and prudent health provider would take under the circumstances.

The Health Plan contracted providers are required to immediately notify by telephone The Health Plan crisis line provider (The Crisis Call Center) when a patient is identified as a potential danger to self or others, and update The Crisis Call Center as appropriate based on the level of risk to the Member and the community. Providers are required to report to The Crisis Call Center all relevant information; including, information about the person’s access to weapons, names and addresses of potential victims, attempts to protect victims, police involvement, relevant clinical information and support system information.

9.7.1 Disclosure of Health Information

This section is intended to provide guidance to protect the privacy of persons who receive services, guidance as to whom information can be disclosed and when authorization[1] is required prior to that disclosure, and guidance on the notification of those persons in the event their unsecured Protected Health Information (PHI) is breached. It is not all-inclusive of the HIPAA and State Laws; the references throughout are available for providers to access and examine the applicable laws for more detail.

Information and records obtained in the course of providing or paying for services to a person are confidential and are only disclosed according to the provisions of applicable federal and State law. In the event of an unauthorized use/disclosure of unsecured PHI, The Health Plan’s providers must notify all affected persons.

9.7.2 Overview of Confidentiality Information

The Health Plan and its providers must keep medical records, payment records, behavioral health records and all information contained in those records, and any other personal health and enrollment information that may identify a particular Member or subset of Members confidential and cannot disclose such information unless permitted or required by federal or State law. Providers must verify that all emails being sent by the provider with Protected Health Information (PHI) are sent using a secure email program and must use an individualized secure business domain email, and not use public email entities (such as Google or Yahoo) to conduct business and transmit PHI.

The law regulates two major categories of confidential information:

  • Information obtained when providing services not related to alcohol or drug abuse referral, diagnosis and treatment; and
  • Information obtained in the referral, diagnosis and treatment of alcohol or drug abuse.

The Health Plan also requires its providers to have policies and procedures in place to protect the privacy of individuals verified to be in the Address Confidentiality Program.  See 41 A.R.S. § 161 et seq.

9.7.2.1 Health Information Not Related to Alcohol and Drug Treatment

[1] For purposes of uniformity and clarity, the term “authorization” is used throughout this section to reference a person’s permission to disclose medical records and protected health information and has the same meaning as “consent” which is used in 42 C.F.R. Part 2.

Information obtained when providing services not related to alcohol and drug abuse treatment is governed by State law and the HIPAA Privacy Rule, 45 C.F.R., Part 164, Subparts A and E, Part 160 Subparts A and B (“the HIPAA Rule”). The HIPAA Rule permits a covered entity (health plan, health care provider, or health care clearinghouse) to use or disclose protected health information with or without patient authorization in a variety of circumstances, some of which are required and others that are permissive. Many of the categories of disclosures contain specific words and phrases that are defined in the HIPAA Rule. Careful attention must be paid to the definitions of words and phrases in order to determine whether disclosure is allowed. In addition, the HIPAA Rule may contain exceptions or special rules that apply to a particular disclosure. State law may affect a disclosure. For example, the HIPAA Rule may preempt State law or State law may preempt the HIPAA Rule. HIPAA, when read together with State law, may impose additional requirements for disclosure. In addition, a covered entity must, with certain exceptions, make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the disclosure.

Before disclosing protected health information, it is good practice to consult the specific citation to the HIPAA Rule, State law, and consult with legal counsel. See Section 9.6.4 below for more detail regarding the disclosure of health information not related to alcohol or drug referral, diagnosis or treatment.

9.7.2.2 Drug and Alcohol Abuse Information

Information regarding treatment for alcohol or drug abuse is afforded special confidentiality by federal statute and regulation (42 U.S.C. § 290 dd-3, 290 ee-3, 42 C.F.R. Part 2). This includes any information concerning a person’s diagnosis or treatment from a federally assisted alcohol or drug abuse program or referral to a federally assisted alcohol or drug abuse program. See Section 9.7.5 below for more detail regarding the disclosure of drug and alcohol abuse information.

9.7.3 General Procedures for All Disclosures

Unless otherwise accepted by State or federal law, all information obtained about a person related to the provision of services to the person is confidential whether the information is in oral, written, or electronic format.

All records generated as a part of the State or The Health Plan grievance and appeal processes are legal records, not medical or payment records, although they may contain copies of portions of a person’s medical record. To the extent these legal records contain personal medical information, the State or The Health Plan will redact or de-identify the information to the extent allowed or required by law.

9.7.3.1 List of Persons Accessing Records

The Health Plan’s providers must verify that a list is kept of every person or organization that inspects a currently or previously enrolled person’s records other than the person’s clinical team, the uses to be made of that information and the staff person authorizing access. The access list must be placed in the enrolled person’s record and must be made available to the enrolled person, their guardian or other designated representative.

9.7.3.2 Disclosure to Clinical Teams

Disclosure of information to Members of a clinical team may or may not require an authorization depending upon the type of information to be disclosed and the status of the receiving party. Information concerning diagnosis, treatment or referral for drug or alcohol treatment may only be disclosed to Members of a clinical team with authorization from the enrolled person as prescribed in Section 9.7.3. Information not related to drug and alcohol treatment may be disclosed without patient authorization to Members of a clinical team who are providers of health, mental health or social services, provided the information is for treatment purposes as defined in the HIPAA Rule. Disclosure to Members of a clinical team who are not providers of health, mental health or social services requires the authorization of the person or the person’s legal guardian or parent as prescribed in Section 9.7.4 below.

9.7.3.3 Disclosure to Persons Involved in Court Proceedings

Disclosure of information to persons involved in court proceedings including attorneys, probation or parole officers, guardian ad litem and court appointed special advocates may or may not require an authorization depending upon the type of information to be disclosed and whether the court has entered orders permitting the disclosure.

9.7.4 Disclosure of Information Not Related to Alcohol and Drug Treatment

The HIPAA Rule and State law allow a covered entity to disclose protected health information under a variety of conditions. This is a general overview and does not include an entire description of legal requirements for each disclosure. Below is a general description of all required or permissible disclosures:

  • To the individual and the individual’s health care decision maker;
  • To health, mental health and social service providers for treatment, payment or health care operations;
  • Incidental to a use or disclosure otherwise permitted or required by 45 C.F.R. Part 160 and Part 164, Subpart E;
  • To a person or entity with a valid authorization;
  • Provided the individual is informed in advance and has the opportunity to agree or prohibit the disclosure:
    • For use in facility directories;
    • To persons involved in the individual’s care and for notification purposes.
  • When required by State or federal law;
  • For public health activities;
  • About victims of child abuse, neglect or domestic violence;
  • For health oversight activities;
  • For judicial and administrative proceedings;
  • For law enforcement purposes;
  • About deceased persons;
  • For cadaveric organ, eye or tissue donation purposes;
  • For research purposes, if the activity is conducted pursuant to applicable federal or State laws and regulations governing research;
  • To avert a serious threat to health or safety or to prevent harm threatened by patients;
  • To a human rights committee;
  • For purposes related to the Sexually Violent Persons program;
  • With communicable disease information;
  • To personal representatives including agents under a health care directive;
  • For evaluation or treatment;
  • To business associates;
  • To the Secretary of Health and Human Services or designee to investigate or determine compliance with the HIPAA Rule;
  • For specialized government functions;
  • For worker’s compensation;
  • Under a data use agreement for limited data;
  • For fundraising;
  • For underwriting and related purposes;
  • To the Arizona Center For Disability Law in its capacity as the State Protection and Advocacy Agency;
  • To a third party payer the payer’s contractor to obtain reimbursement;
  • To a private entity that accredits a health care provider;
  • To the legal representative of a health care entity in possession of the record for the purpose of securing legal advice;
  • To a person or entity as otherwise required by state or federal law;
  • To a person or entity permitted by the federal regulations on alcohol and drug abuse treatment (42 CFR Part 2);
  • To a person or entity to conduct utilization review, peer review and quality assurance pursuant to A.R.S. §§ 36-441, 36-445, 36-2402 or 36-2917;
  • To a person maintaining health statistics for public health purposes as authorized by law; and
  • To a grand jury as directed by subpoena.

9.7.4.1 Disclosure to an Individual

A covered entity is required to disclose information in a designated record set to an individual when requested unless contraindicated. Contraindicated means that access is reasonably likely to endanger the life or physical safety of the patient or another person (See A.R.S. § 36-507(3); 45 CFR § 164.524; A covered entity should read and carefully apply the provisions in 45 CFR §164.524 before disclosing protected health information in a designated record set to an individual.

An individual has a right of access to their designated record set, except for psychotherapy notes and information compiled for pending litigation. See 45 CFR § 164.524(a)(1) and Section 13405(e) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under certain conditions a covered entity may deny an individual access to the medical record without providing the individual an opportunity for review. See 45 CFR § 164.524(a)(2); ARS § 12-2293. Under other conditions, a covered entity may deny an individual access to the medical record and must provide the individual with an opportunity for review. See 45 CFR § 164.524(a)(3). A covered entity must follow certain requirements for a review when access to the medical record is denied. See 45 CFR § 164.524(a)(4).

An individual must be permitted to request access or inspect or obtain a copy of their medical record. See 45 CFR § 164.524(b)(1). A covered entity is required to act upon an individual’s request in a timely manner. See 45 CFR § 164.524(b)(2). An individual may inspect and be provided with one free copy per year of their own medical record, unless access has been denied.

A covered entity must follow certain requirements for providing access, the form of access and the time and manner of access. See 45 CFR § 164.524(c).

A covered entity is required to make other information available in the record when access is denied, must follow other requirements when making a denial of access, must inform an individual of where medical records are maintained and must follow certain procedures when an individual requests a review when access is denied. See 45 CFR § 164.524(d).

A covered entity is required to maintain documentation related to an individual’s access to the medical record. See 45 CFR § 164.524(e).

9.7.4.2 Disclosure with an Individual or the Individual’s Health Care Decision Maker’s Authorization

The HIPAA Rule allows information to be disclosed with an individual’s written authorization.

For all uses and disclosures that are not permitted by the HIPAA Rule, patient authorization is required. See 45 CFR §§ 164.502(a)(1)(iv); and 164.508. An authorization must contain all of the elements in 45 CFR § 164.508.

A copy of the authorization must be provided to the individual. The authorization must be written in plain language and must contain the following elements:

  • A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
  • The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository; and
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must also be provided.

In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

  • The individual’s right to revoke the authorization in writing, and either:
    • The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
    • A reference to the covered entity’s notice of privacy practices if the notice of privacy practices tells the individual how to revoke the authorization.
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
    • The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in 45 CFR § 164.508 (b)(4) applies; or
    • The consequences to the individual of a refusal to sign the authorization when, in accordance with 45 CFR § 164.508 (b) (4), the covered entity can condition treatment, enrollment in the health plan or eligibility for benefits on failure to obtain such authorization.
  • The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the Member.

9.7.4.3 Disclosure to Health, Mental Health and Social Service Providers for Treatment, Payment or Health Care Operations; Reports of Abuse and Neglect

Disclosure is permitted without patient authorization to health, mental health and social service providers involved in caring for or providing services to the person for treatment, payment or health care operations as defined in the HIPAA Rule. These disclosures are typically made to primary care Providers, psychiatrists, psychologists, social workers (including DES and DDD) or other behavioral health professionals. Particular attention must be paid to 45 CFR §164.506(c) and the definitions of treatment, payment and health care operations to determine the scope of disclosure. For example, a covered entity is allowed to disclose protected health information for its own treatment, payment or health care operations. See 45 CFR §164.506(c)(1). A covered entity may disclose for treatment activities of a health care provider including providers not covered under the HIPAA Rule. See 45 CFR § 164.506(c)(2). A covered entity may disclose to both covered and non-covered health care providers for payment activities. See 45 CFR § 164.506(c)(3). A covered entity may disclose to another covered entity for the health care operations activities of the receiving entity if each entity has or had a direct treatment relationship with the individual and the disclosure is for certain specified purposes in the definition of health care operations 42 CFR. See 45 CFR § 164.506(c)(4).

If the disclosure is not for treatment, payment, or health care operations or required by law, patient authorization is required unless otherwise allowed by law.

The HIPAA Rule does not modify a covered entity’s obligation under A.R.S. § 13-3620 to report child abuse and neglect to Department of Child Safety or disclose a child’s medical records to the Department of Child Safety for investigation of child abuse cases.

Similarly, a covered entity may have an obligation to report adult abuse and neglect to Adult Protective Services. See A.R.S. § 46-454. The HIPAA Rule imposes other requirements in addition to those contained in A.R.S. § 46-454, primarily that the individual be notified of the making of the report or a determination by the reporting person that it is not in the individual’s best interest to be notified. See 45 CFR § 164.512(c).

9.7.4.4 Disclosure to Other Persons Including Family Members Who Are Actively Participating in The Patient’s Care, Treatment, or Supervision

A covered entity may disclose protected health information without authorization to other persons including family members actively participating in the patient's care, treatment or supervision. Prior to releasing information, an agency or non-agency treating professional or that person's designee must have a verbal discussion with the person to determine whether the person objects to the disclosure. If the person objects, the information cannot be disclosed. If the person does not object, or the person lacks capacity to object, or in an emergency circumstance, the treating professional must perform an evaluation to determine whether disclosure is in that person's best interests. A decision to disclose or withhold information is subject to review pursuant to A.R.S. § 36-517.01.

An agency or non-agency treating professional may only release information relating to the person's diagnosis, prognosis, need for hospitalization, anticipated length of stay, discharge plan, medication, medication side effects, and short-term and long-term treatment goals. See A.R.S. § 36-509(7).

The HIPAA Rule imposes additional requirements when disclosing protected health information to other persons including family members. A covered entity may disclose to a family member or other relative the protected health information directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care. If the individual is present for a use or disclosure and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it obtains the individual’s agreement, provides the individual with the opportunity to object to the disclosure and the individual does not express an objection. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. See 45 CFR § 164.510(b).

9.7.4.5 Disclosure to an Agent Under a Health Care Directive

A covered entity may treat an agent appointed under a health care directive as a personal representative of the individual. See 45 CFR § 164.502(g). Examples of agents appointed to act on an individual’s behalf include an agent under a health care power of attorney, see A.R.S. § 36-3221 et seq.; surrogate decision makers, see A.R.S. § 36-3231; and an agent under a mental health care power of attorney, see A.R.S. § 36-3281.

9.7.4.6 Disclosure to a Personal Representative

A covered entity may disclose protected health information to a personal representative, including the personal representative of an un-emancipated minor, unless one or more of the exceptions described in 45 CFR §§ 164.502(g)(3)(i) or 164.502(g)(5) applies. See 45 CFR § 164.502(g)(1).

The general rule is that if State law, including case law, requires or permits a parent, guardian or other person acting in loco parentis to obtain protected health information, then a covered entity may disclose the protected health information. See 45 CFR § 164.502(g)(3)(ii)(A).

Similarly, if State law, including case law, prohibits a parent, guardian or other person acting in loco parentis from obtaining protected health information, then a covered entity may not disclose the protected health information. See 45 CFR § 164.502(g)(3)(ii)(B).

When State law, including case law, is silent on whether protected health information can be disclosed to a parent, guardian or other person acting in loco parentis, a covered entity may provide or deny access under 45 CFR § 164.524 to a parent, guardian or other person acting in loco parentis if the action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment. See 45 CFR § 164.502(g)(3)(ii)(C).

9.7.4.7 Disclosure to a Personal Representative, Adults and Emancipated Minors

If under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such persons as a personal representative with respect to protected health information relevant to such personal representation. See 45 CFR § 164.502(g)(2). Simply stated, if there is a State law that permits the personal representative to obtain the adult or emancipated minor’s protected health information, the covered entity may disclose it. A covered entity may withhold protected health information if one or more of the exceptions in 45 CFR § 164.502(g)(5) applies.

9.7.4.8 Deceased Persons

If under applicable law, an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such persons as a personal representative with respect to protected health information relevant to the personal representation. See 45 CFR § 164.502(g)(4). A covered entity may withhold protected health information if one or more of the exceptions in 45 CFR § 164.502(g)(5) applies. A.R.S. § 12-2294 (D) provides certain persons with authority to act on behalf of a deceased person.

9.7.4.9 Disclosure for Court-Ordered Evaluation or Treatment

An agency in which a person is receiving court ordered evaluation or treatment is required to immediately notify the person's guardian or agent or, if none, a member of the person's family that the person is being treated in the agency. See A.R.S. § 36-504(B). The agency shall disclose any further information only after the treating professional or that person's designee interviews the person undergoing treatment or evaluation to determine whether the person objects to the disclosure and whether the disclosure is in the person's best interests. A decision to disclose or withhold information is subject to review pursuant to section A.R.S. § 36-517.01.

If the individual or the individual’s guardian makes the request for review, the reviewing official must apply the standard in 45 CFR § 164.524(a)(3). If a family member makes the request for review, the reviewing official must apply the “best interest” standard in A.R.S. § 36-517.01.

The reviewer’s decision may be appealed to the superior court. See A.R.S. § 36-517.01(B). The agency or non-agency treating professional must not disclose any treatment information during the period an appeal may be filed or is pending.

9.7.4.10 Disclosure for Health Oversight Activities

A covered entity may disclose protected health information without patient authorization to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions or other activities necessary for appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards. See 45 CFR § 164.512(d).

9.7.4.11 Disclosure for Judicial And Administrative Proceedings Including Court Ordered Disclosures

A covered entity may disclose protected health information without patient authorization in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by the order. See 45 CFR § 164.512(e). In addition, a covered entity may disclose information in response to a subpoena, discovery request or other lawful process without a court order if the covered entity receives satisfactory assurances that the requesting party has made reasonable efforts to provide notice to the individual or has made reasonable efforts to secure a qualified protective order. See 45 CFR §§ 164.512(e)(1)(iii),(iv) and (v) for what constitutes satisfactory assurances.

9.7.4.12 Disclosure to Persons Doing Research

A covered entity may disclose protected health information to persons doing research without patient authorization provided it meets the de-identification standards of 45 CFR § 164.514(b). If the covered entity wants to disclose protected health information that is not de-identified, patient authorization is required or an Institutional Review Board or a privacy board in accordance with the provisions of 45 CFR § 164.512(i)(1)(i) can waive it.

9.7.4.13 Disclosure to Prevent Harm Threatened by Patients

Mental health providers have a duty to protect others against the harmful conduct of a patient under certain circumstances. See A.R.S. § 36-517.02. When a patient poses a serious danger of violence to another person, the provider has a duty to exercise reasonable care to protect the foreseeable victim of the danger. Little v. All Phoenix South Community Mental Health Center, Inc., 186 Ariz. 97, 919 P.2d 1368 (1996). A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information without patient authorization if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an individual. See 45 CFR § 164.512(j)(1)(ii); 164.512(f)(2) and (3) for rules that apply for disclosures made to law enforcement. See 45 CFR § 164.512(j)(4) for what constitutes a good faith belief.

9.7.4.14 Disclosures to Human Rights Committees

Protected health information may be disclosed to a human rights committee without patient authorization provided personally identifiable information is redacted or de-identified from the record. See A.R.S. §§ 36-509(10) and 41-3804. In redacting personally identifiable information, a covered entity must comply with the HIPAA Rule de-identification standards in 45 CFR §164.514(b) and not State law. If a human rights committee wants non-redacted identifiable health information for official purposes, it must first demonstrate to AHCCCS that the information is necessary to perform a function that is related to the oversight of the health system, and in that case, a covered entity may disclose protected health information to the human rights committee in its capacity as a health oversight agency. See 45 CFR §164.512(d)(1).

9.7.4.15 Disclosure to the Arizona Department of Corrections

Protected health information may be disclosed without patient authorization to the state department of corrections in cases where prisoners confined to the State prison are patients in the State hospital on authorized transfers either by voluntary admission or by order of the court. See A.R.S. § 36-509(5) The HIPAA Rule limits disclosure to correctional institutions to certain categories of information that are contained in 45 CFR § 164.512(k)(5).

9.7.4.16 Disclosure to a Governmental Agency or Law Enforcement To Secure Return of a Patient

Protected health information may be disclosed to governmental or law enforcement agencies if necessary to secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing court ordered evaluation or treatment. See A.R.S. § 36-509(6). A covered entity may disclose limited information without patient authorization to law enforcement to secure the return of a missing person. See 45 CFR § 164.512(f)(2)(i). In addition, a covered entity is permitted limited disclosure to governmental agencies to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. See 45 CFR § 164.512(j).

9.7.4.17 Disclosure to a Sexually Violent Persons (SVP) Program

Protected health information may be disclosed to a governmental agency or a competent professional, as defined in A.R.S. § 36-3701, in order to comply with the SVP Program (Arizona Revised Statutes, Title 36, Chapter 37). See A.R.S. § 36-509(9)).

A "competent professional" is a person who may be a psychologist or psychiatrist, is approved by the Superior Court and is familiar with the State's sexually violent person’s statutes and sexual offender treatment programs. A competent professional is either statutorily required or may be ordered by the court to perform an examination of a person involved in the sexually violent persons program and must be given reasonable access to the person in order to conduct the examination and must share access to all relevant medical and psychological records, test data, test results and reports. See A.R.S. § 36-3701(2).

In most cases, the disclosure of protected health information to a competent professional or made in connection with the sexually violent persons program is required by law or ordered by the court. In either case, disclosure under the HIPAA Rule without patient authorization is permitted. See 45 CFR § 164.512(a) (disclosure permitted when required by law) and 45

CFR § 164.512(e) (disclosure permitted when ordered by the court). If the disclosure is not required by law or ordered by the court or is to a governmental agency other than the sexually violent persons program, the covered entity may have the authority to disclose if the protected health information is for treatment, payment or health care operations. See 45 CFR § 164.506(c) to determine rules for disclosure for treatment, payment or health care operations.

9.7.4.18 Disclosure to Third Party Payors

Disclosure is permitted to a third party payor to obtain reimbursement for health care, mental health care or behavioral health care provided to a patient. See A.R.S. § 36-509(13).

9.7.4.19 Disclosure to Accreditation Organization

Disclosure is permissible to a private entity that accredits a health care provider and with whom the health care provider has an agreement that requires the agency to protect the confidentiality of patient information. See A.R.S. § 36-509(14).

9.7.4.20 Disclosure of Communicable Disease Information

A.R.S. § 36-661 et seq., includes a number of provisions that address the disclosure of communicable disease information. The general rule is that a person who obtains communicable disease related information in the course of providing a health service or pursuant to a release of communicable disease related information must not disclose or be compelled to disclose that information. See A.R.S. § 36-664(A). Certain exceptions for disclosure are permitted to:

  • The individual or the individual’s health care decision maker;
  • AHCCCS or a local health department for the purpose of notifying a Good Samaritan;
  • An agent or employee of a health facility or a health care provider;
  • A health facility or a health care provider;
  • A federal, State or local health officer;
  • Government agencies authorized by law to receive communicable disease information;
  • Persons authorized pursuant to a court order;
  • The Department of Economic Security for adoption purposes;
  • The Industrial Commission;
  • The Department of Health Services to conduct inspections;
  • Insurance entities;
  • A private entity that accredits a health care facility or a health care provider; and
  • A person or entity for research only if the research is conducted pursuant to applicable federal or State laws governing research.

A.R.S. § 36-664 also addresses issues with respect to Disclosures to the Department of Health Services or local health departments. These disclosures are also permissible under certain circumstances:

  • Authorizations;
  • Re-disclosures;
  • Disclosures for supervision, monitoring and accreditation;
  • Listing information in death reports;
  • Reports to the Department; and
  • Applicability to insurance entities.

An authorization for the release of communicable disease related information must be signed by the protected person or, if the protected person lacks capacity to consent, the person’s health care decision maker (see A.R.S. § 36-664(F)). If an authorization for the release of communicable disease information is not signed, the information cannot be disclosed. An authorization must be dated and must specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the authorization is effective. A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV-related information unless the authorization specifically indicates its purpose as authorization for the release of HIV-related information and complies with the requirements of A.R.S. § 36-664(F).

The HIPAA Rule does not preempt State law with respect to disclosures of communicable disease information; however, it may impose additional requirements depending upon the type, nature and scope of disclosure. It is advisable to consult with the HIPAA Compliance Officer and/or legal counsel prior to disclosure of communicable disease information.

For example, if a disclosure of communicable disease information is made pursuant to an authorization, the disclosure must be accompanied by a statement in writing which warns that the information is from confidential records which are protected by State law that prohibits further disclosure of the information without the specific written consent of the person to whom it pertains or as otherwise permitted by law. A.R.S. § 36-664(H) affords greater privacy protection than 45 CFR § 164.508(c)(2)(ii), which requires the authorization to contain a statement to place the individual on notice of the potential re-disclosure of the Member and thus, is no longer protected. Therefore, any authorization for protected health information that includes communicable disease information must contain the statement that re-disclosure of that information is prohibited.

9.7.4.21 Disclosure to Business Associates

The HIPAA Rule allows a covered entity to disclose protected health information to a business associate if the covered entity obtains satisfactory assurances that the business associate will safeguard the information in accordance with 45 CFR § 164.502(e) and the HITECH Act. See the definition of “business associate” in 45 CFR § 160.103. Also see 45 CFR § 164.504(e) and Section 13404 of the HITECH Act for requirements related to the documentation of satisfactory assurances through a written contract or other written agreement or arrangement.

9.7.4.22 Disclosure to the Arizona Center for Disability Law, Acting in its Capacity as the State Protection and Advocacy Agency Pursuant To 42 U.S.C. § 10805 is:

  • Allowed when an enrolled person is mentally or physically unable to consent to a release of confidential information, and the person has no legal guardian or other legal representative authorized to provide consent; and
  • Allowed when a grievance has been received by the Center or the Center asserts that the Center has probable cause to believe that the enrolled person has been abused or neglected.

9.7.5 Disclosures of Alcohol and Drug Information

The Health Plan and its providers that provide drug and alcohol screening, diagnosis or treatment services are federally assisted alcohol and drug programs and must ensure compliance with all provisions contained in the federal statutes and regulations referenced in this section.

The Health Plan and its providers must notify persons seeking and/or receiving alcohol or drug abuse services of the existence of the federal confidentiality laws and regulations and provide each person with a written summary of the confidentiality provisions. The notice and summary must be provided at admission or as soon as deemed clinically appropriate by the person responsible for clinical oversight of the person.

The Health Plan or its providers may require enrolled persons to carry identification cards while the person is on the premises of an agency. The Health Plan or its provider may not require enrolled persons to carry cards or any other form of identification when off The Health Plan or its provider’s premises that will identify the person as a member of drug or alcohol services.

The Health Plan or its providers may not acknowledge that a currently or previously enrolled person is receiving or has received alcohol or drug abuse services without the enrolled person’s authorization as provided in this section.

The Health Plan or its providers must respond to any request for a disclosure of the records of a currently or previously enrolled person that is not permissible under this policy or federal regulations in a way that will not reveal that an identified individual has been, or is being diagnosed or treated for alcohol or drug abuse.

The Health Plan or its providers must advise the person or guardian of the special protection given to such information by federal law.

Release of information concerning diagnosis, treatment or referral from an alcohol or drug abuse program must be made only as follows:

  • The currently or previously enrolled person or their guardian authorizes the release of information. In this case:
    • The Health Plan or its providers must advise the person or guardian of the special protection given to such information by federal law;
    • Authorization must be documented on an authorization form which has not expired or been revoked by the patient. The proper authorization form must be in writing and must contain each of the following specified items:
      • The name or general designation of the program making the disclosure;
      • The name of the individual or organization that will receive the disclosure;
      • The name of the person who is the subject of the disclosure;
      • The purpose or need for the disclosure;
      • How much and what kind of information will be disclosed;
      • A statement that the person may revoke the authorization at any time, except to the extent that the program has already acted in reliance on it;
      • The date, event or condition upon which the authorization expires, if not revoked before;
      • The signature of the person or guardian; and
      • The date on which the authorization is signed.
    • Re-disclosure

Any disclosure, whether written or oral, made with the person’s authorization as provided above must be accompanied by the following abbreviated written statement: “Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.

If the person is a minor, authorization must be given by both the minor and their parent or legal guardian.

If the person is deceased, authorization may be given by:

  • A court-appointed executor, administrator or other personal representative;
  • If no such appointments have been made, by the person’s spouse; or
  • If there is no spouse, by any responsible member of the person’s family.

Authorization is not required under the following circumstances:

  • Medical Emergencies – information may be disclosed to medical personnel who need the information to treat a condition which poses an immediate threat to the health of any individual, not necessarily the currently or previously enrolled person, and which requires immediate medical intervention. The disclosure must be documented in the person’s medical record and must include the name of the medical person to whom disclosure is made and their affiliation with any health care facility, name of the person making the disclosure, date and time of the disclosure and the nature of the emergency. After emergency treatment is provided, written confirmation of the emergency must be secured from the requesting entity;
  • Payment and Health Care Operations:  The Final Rule allows lawful holders of patient records to re-disclose the minimum amount of information necessary to contractors, subcontractors, and legal representatives for purposes of payment and health care operations. Disclosures to contractors, subcontractors, and legal representatives are not permitted to carry out other purposes, such as activities related to patient diagnosis, treatment, or referral for treatment.  The list of the proposed payment and health care operations activities include the following:
    • Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
    • Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
    • Patient safety activities;
    • Activities pertaining to:
      • The training of student trainees and health care professionals,
      • The assessment of practitioner competencies,
      • The assessment of provider and/or health plan performance, and
      • Training of non-health care professionals;
    • Accreditation, certification, licensing, or credentialing activities;
    • Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
    • Third-party liability coverage;
    • Activities related to addressing fraud, waste and abuse;
    • Conducting or arranging for medical review, legal services, and auditing functions;
    • Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
    • Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
    • Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
    • Resolution of internal grievances;
    • The sale, transfer, merger, consolidation, or dissolution of an organization;
    • Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
    • Risk adjusting amounts due based on enrollee health status and member characteristics; and
    • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
  • Research Activities – information may be disclosed for the purpose of conducting scientific research according to the provisions of 42 CFR § 2.52;
  • Audit and Evaluation Activities – information may be disclosed to individuals or entities who perform audits and evaluations on behalf of federal, state, and local governments providing financial assistance to, or regulating the activities of, lawful holders as well as 42 CFR Part 2 programs. If disclosures are made to an individual or entity under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, further disclosures may be made to the individual’s or entity’s contractors, subcontractors, or legal representatives to carry out the audit or evaluation.;
  • Qualified Service Organizations – information may be provided to a qualified service organization when needed by the qualified service organization to provide services to a currently or previously enrolled person;
  • Internal Agency Communications - the staff of an agency providing alcohol and drug abuse services may disclose information regarding an enrolled person to other staff within the agency, or to the part of the organization having direct administrative control over the agency, when needed to perform duties related to the provision of alcohol or drug abuse diagnosis, treatment, or referral for treatment to a person. For example, an organization that provides several types of services might have an administrative office that has direct administrative control over each unit or agency that provides direct services; and
  • Information concerning an enrolled person that does not include any information about the enrolled person’s receipt of alcohol or drug abuse diagnosis, treatment or referral for treatment is not restricted under this section. For example, information concerning an enrolled person’s receipt of medication for a psychiatric condition, unrelated to the person’s substance abuse, could be released as provided above in Section 9.7.4.
  • Court-ordered disclosures. A State or federal court may issue an order that authorizes an agency to make a disclosure of identifying information that would otherwise be prohibited. A subpoena, search warrant or arrest warrant is not sufficient standing alone, to require or permit an agency to make a disclosure.
  • Crimes committed by a person on an agency’s premises or against program personnel. Agencies may disclose information to a law enforcement agency when a person who is receiving treatment in a substance abuse program has committed or threatened to commit a crime on agency premises or against agency personnel. In such instances, the agency must limit the information disclosed to the circumstances of the incident. It may only disclose the person’s name, address, last known whereabouts and status as a person receiving services at the agency.
  • Child abuse and neglect reporting. Federal law does not prohibit compliance with the child abuse reporting requirements contained in A.R.S. § 13-3620.

A general medical release form or any authorization form that does not contain all of the elements listed above is not acceptable.

9.7.6 Telemedicine

To ensure confidentiality of telemedicine sessions, providers must do the following when providing services via telemedicine:

  • The videoconferencing room door must remain closed at all times;
  • If the room is used for other purposes, a sign must be posted on the door, stating that a clinical session is in progress;
  • If a recording of the session is made, an authorization, signed by the Member, shall be obtained;
  • All videoconferencing equipment shall be set to automatically mute its microphone(s) when answering any incoming calls;
  • All videoconferencing equipment shall be set not to automatically answer multipoint calls;
  • All videoconferencing equipment with internet access that is used for telemedicine shall be set to not allow remote monitoring; and
  • All videoconferencing equipment in rooms used for telemedicine or Member services shall have the camera lens covered and the microphone muted or must be turned off whenever the equipment is not in use.

9.7.7 Security Breach Notification

The Health Plan and its providers, in the event of an impermissible use/disclosure of unsecured PHI, must provide notification to any and all persons affected by the breach in accordance with Section 13402 of the HITECH Act.

Any questions or incidents concerning Member rights, protected health information (PHI) and/or the use and disclosure of such information may be obtained by contacting The Health Plan Compliance Officer at 1-888-788-4408 or by writing to The Health Plan:

Arizona Complete Health-Complete Care Plan
Attn: Compliance Officer
1870 W. Rio Salado Parkway
Tempe, AZ 85281
1-888-788-4408
AzCHPrivacy@azcompletehealth.com

9.7.8 Pledge to Protect Confidential Information

If requested by the AHCCCS Procurement Office, providers must sign a “Pledge to Protect Confidential Information” and abide by the statements addressing the creation, use and disclosure of confidential information, including information designated as protected health information and all other confidential or sensitive information as defined in policy. In addition, if requested, providers must attend or participate in HIPAA training offered by AHCCCS or provide written verification that the provider has attended or participated in job-related HIPAA training that is: (1) intended to make the provider proficient in HIPAA for purposes of performing the services required and (2) presented by a HIPAA Privacy Officer or other person or program knowledgeable and experienced in HIPAA and who has been approved by the ADOA-ASET Arizona State Chief Information Security Officer.

The reporting of suspected fraud and program abuse is a requirement of the Arizona Health Care Cost Containment System (AHCCCS). Under the requirements of the Corporate Compliance Program, and in accordance with A.R.S. §36-2918.01, §36-2932, §36-2905.04 and AHCCCS ACOM Policy 103, The Health Plan, its subcontractors and providers are required to immediately notify the AHCCCS Office of Inspector General (AHCCCS-OIG) regarding all allegations of fraud, waste or abuse (FWA) involving the AHCCCS Program.

Providers must be cognizant of the potential for fraud, waste and abuse within the public health system. Fraud as defined by Federal law and as recognized in the State of Arizona is an intentional deception or misrepresentation made by a person with the knowledge that the deception could result in some unauthorized benefit to themselves or some other person. It includes any act that constitutes fraud under applicable State or Federal law, as defined in 42 CFR 455.2.

Individuals and/or entities found to be submitting fraudulent claims for services will be reported to AHCCCS-Office of Inspector General (OIG) and may be subject to an investigation that will lead to an exclusion to participate in any program associated with federal Medicare/Medicaid funding.

Under the federal False Claims Act (FCA) provisions, no specific intent to defraud is required. The civil FCA defines "knowing" to include not only actual knowledge but also instances in which the person acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. Further, the civil FCA contains a whistleblower provision that allows a private individual to file a lawsuit on behalf of the United States and entitles that whistleblower to a percentage of any recoveries.

In the context of this section of the Provider Manual, persons receiving care in the public health system can also commit acts of fraud, waste and abuse (e.g., by loaning or selling their AHCCCS identification card).

The Health Plan’s providers are responsible for ensuring that mechanisms are in place for the identification, prevention, detection and reporting of fraud, waste and abuse. All employees of providers must be familiar with the types of FWA that could occur during their normal daily activities. The Health Plan. The Health Plan has designated a Compliance Officer and a Compliance Committee responsible for the development and implementation of the Corporate Compliance Program which addresses FWA prevention, detection, deterrence and reporting.

Under the applicable law of the state of Arizona, a person may not present cause to be presented to this state or to a contractor:

  1. A claim for a medical or other item or service that the person knows or has reason to know was not provided as claimed.
  2. A claim for a medical or other item or service that the person knows or has reason to know is false or fraudulent.
  3. A claim for payment that the person knows or has reason to know may not be made by the system because:
    1. The person was terminated or suspended from participation in the program on the date for which the claim is being made.
    2. The item or service claimed is substantially in excess of the needs of the individual or of a quality that fails to meet professionally recognized standards of health care.
    3. The patient was not a member on the date for which the claim is being made. ARS 36-2918

The state may impose civil penalties and assessments or both, pursuant to R9-22-1101. Basis for Civil Monetary Penalties and Assessments for Fraudulent Claims. This Article applies to prohibited acts as described under A.R.S. § 36-2918(A), and submissions of encounters to the Administration. The Administration considers a person who aids and abets a prohibited act affecting any of the AHCCCS programs or Health Care Group to be engaging in a prohibited act under A.R.S. § 36-2918(A).

9.8.2 Methods for Reporting Fraud, Waste and Abuse

The Health Plan providers are required to immediately report all suspected FWA involving any Title XIX/XXI and NTXIX/XXI funds, AHCCCS providers, or AHCCCS Members to the AHCCCS Office of Inspector General (OIG) in writing using the AHCCCS reporting form available at: https://azahcccs.gov/Fraud/ReportFraud/, and which may be submitted online, or via the following methods:

Mail: Arizona Health Care Cost Containment System (AHCCCS)
Inspector General
Office of Inspector General (OIG)
801 E. Jefferson St., Mail Drop 4500
Phoenix, AZ, 85034

To Report Provider Fraud

  • In Maricopa County: 602-417-4045
  • Outside of Maricopa County: 888-ITS-NOT-OK or 888-487-6686

To Report Member Fraud

  • In Maricopa County: 602-417-4193
  • Outside of Maricopa County: 888-ITS-NOT-OK or 888-487-6686

Email: AHCCCSFraud@azahcccs.gov
Fax: 602‐417‐4102
Website: https://azahcccs.gov/Fraud/ReportFraud/

This includes acts of suspected or confirmed FWA that were resolved internally but involved AHCCCS funds or AHCCCS providers. Failure to comply with the requirement to report suspected FWA may result in the penalty described in A.R.S. § 36-2992.

9.8.3 Reporting Fraud, Waste and Abuse to the Health Plan

In addition to notifying AHCCCS, all providers must immediately notify The Health Plan of all suspected or confirmed FWA. Health Plan providers must report suspected FWA to:

Arizona Complete Health-Complete Care Plan
Attn: Compliance Officer
1870 W. Rio Salado Parkway
Tempe, AZ 85281

Fraud and Abuse Hotline: (866) 685-8664 - Hotline is available 24/7, all calls are confidential and can be made anonymously

Fax Number: (800) 398-6182
Email: AZFWA@centene.com

The public, members, staff, and providers may report FWA cases confidentially and anonymously by submitting information to the above locations.

Providers are required to develop, maintain and publicize a confidential and anonymous reporting process for the public, members, employees and contractors to report FWA.

Once the Health Plan has referred a suspected case of fraud, waste or program abuse to AHCCCS's OIG, the Health Plan will take no action to recoup or otherwise offset any suspected overpayments until AHCCCS provides notice to The Health Plan of the case disposition status.

9.8.4 AHCCCS-OIG Communications

The Health Plan Providers shall report to The Health Plan (ATTN: Vice President, Compliance) and the AHCCCS-Office of Inspector General (OIG), immediately, but within ten (10) days of notification, any and all contact made by AHCCCS-OIG in reference to any open/closed FWA case, a voluntary self-disclosure or settlement, and/or any other type of FWA activity involving official communications by AHCCCS-OIG.

The Health Plan (ATTN: Vice President, Compliance) shall be advised of the final disposition of any case and/or settlement agreement made between a provider and AHCCCS-OIG.

9.8.5 Cooperation with AHCCCS and the Health Plan

Providers must respond timely to all The Health Plan, and AHCCCS-OIG requests for interviews, information, data or documents as a part of any investigation, inquiry, or audit. AHCCCS-OIG may conduct an audit review or investigation on-site without notice and the provider must provide access to all records, documents, and data related to the provider’s contract at all times.

Upon request, providers must furnish any and all documents to include original copies, to representatives of The Health Plan and AHCCCS-OIG at no cost. The Health Plan or AHCCCS-OIG will establish the designated timeframe to copy the requested documents, which will not exceed twenty (20 business days, from the date of The Health Plan request.

In addition, providers must verify that all emergent phone calls from The Health Plan to the provider’s point of contact are returned within 4 hours; all urgent phone calls returned within one work day and all routine calls are returned within two work days. Providers must verify that all emails sent from Health Plan staff are addressed timely with responses from the provider received within three work days.

9.9.1 Corporate Compliance Plan

Providers must maintain a Corporate Compliance Plan that is reviewed and updated annually. The current Corporate Compliance Plan must be made available to The Health Plan upon request.

The Corporate Compliance Plan must include, at a minimum, the following elements:

  • Designated Compliance Officer.
  • Provisions of the Deficit Reduction Act of 2007 and the Federal False Claims Act provisions, the administrative remedies for false statements State laws relating to civil or criminal penalties for false claims and statements; and whistleblower protections. Business Ethics and Conduct Policy, including the establishment of Codes of Conduct.
  • Establishment of an effective training and education program as a systematic means for educating and training agency employees and subcontractor employees to identify and report suspected waste, fraud and abuse.
  • A process to conduct periodic monitoring of claims/encounters, claims medical review and other operations for compliance with laws, regulations and payer requirements, such as conducting periodic internal audits.
  • A process for employees to receive information on how to identify and report incidents of suspected waste, fraud and abuse through (The Health Plan's) Ethics and Compliance Hotline.
  • Compliance committee to oversee the implementation of an effective compliance program.
  • Verify all staff and subcontractor staff have been trained annually regarding fraud, waste, abuse, false claims act, whistleblower protections and State laws relating to civil or criminal penalties for false claims and statements.

9.9.2 Deficit Reduction and Federal False Claims Act

The Health Plan requires all providers to adhere to Deficit Reduction Act (DRA) requirements. The DRA requires that any entity that receives or makes payments under a state plan approved under Title XIX or under any waiver of such plan, totaling at least $5 million annually, must establish written policies for its employees, management, contractors, and agents regarding the federal False Claims Act (FCA).

The FCA applies to claims presented for payment by federal health care programs. The FCA allows private persons to bring a civil action against those who knowingly submit false claims upon the government. The following are activities for which one may be liable under the FCA:

  • Knowingly presenting to an officer or employee of the United States government a false or fraudulent claim for payment or approval;
  • Knowingly making, using or causing a false record or statement to get a false or fraudulent claim paid or approved by the government.
  • Conspiring to defraud the government by getting false or fraudulent claims allowed or paid.
  • Having possession, custody or control of property or money used, or to be used by the government, and intending to defraud the government by willfully concealing property, delivering or causing to be delivered less property than the amount for which the individual receives;
  • Authorizing to make or deliver a document, certifying receipt of property used by the government and intending to defraud the government and making or delivering a receipt without completely knowing that the information on the receipt is true.
  • Knowingly buying, or receiving as a pledge of an obligation or debt, public property from an officer or employee of the government, or a member of the Armed Forces, who lawfully may not sell or pledge the property.
  • Knowingly making, using or causing to be made or used, a false record or statement to conceal, avoid or decrease an obligation to pay or transmit money or property to the government.

The definition of “knowing” and “knowingly” as it relates to the FCA includes actual knowledge of the information, acting in deliberate ignorance of the truth or falsity of the information, and/or acting in reckless disregard of the truth or falsity of the information. Proof of specific intent to defraud is not required for reporting potential violations of the law.

9.9.3 Identifying Fraud, Waste and Abuse

Providers must conduct internal monitoring and auditing in accordance with 42 CFR 438.608 and must include elements and audit steps to discover or identify suspected fraud, waste and program abuse within the provider’s organization. Providers must develop and implement a data analytics tool to evaluate encounters/claims data or other administrative data to identify trends or behavior at all system levels that indicate fraud, waste and/or program abuse.

9.9.3.1 Additional Requirement for Behavioral Health Specialty Providers and Crisis Providers

Behavioral health specialty providers and crisis care providers must also contract with an independent auditor to conduct an annual claims review to verify compliance with all State and federal laws, regulations and payer requirements.

9.9.4 Corporate Compliance Program

Providers must have a comprehensive Corporate Compliance Program, which meets the requirements in 42 CFR 438.608, supported by other administrative procedures, that is designed to deter, detect and prevent fraud, waste and program abuse. Providers must include, at a minimum, the following:

  • Written policies, procedures, and standards of conduct that articulate the organization's commitment to processes for, complying with all applicable federal and State Standards;
  • A Corporate Compliance Committee that meets regularly and reports to provider’s senior management. The Corporate Compliance Committee members, at a minimum, shall include the Corporate Compliance Officer; staff with experience and expertise in finance and budgets; and other executive staff with the authority to commit resources;
  • An effective education and training program for the Corporate Compliance Officer and provider’s employees on the detection, prevention and reporting of fraud, waste and program abuse. The training must include the False Claims Act provisions, administrative remedies for false claims and statements, Arizona laws relating to civil or criminal penalties for false claims and statements and the whistleblower protections under such laws.
  • A process for the monthly screening of all provider existing staff, potential staff and subcontractors against the List of Excluded Individuals and Entities (LEIE) & The System for Award Management (SAM) formerly known as The Excluded Parties List (EPLS) databases for those that have been debarred, suspended or otherwise excluded as well as any other databases as required/requested by The Health Plan, AHCCCS or Centers for Medicare and Medicaid Services (CMS). All potential staff and subcontractors must be checked before hire and all existing staff and subcontractors must be checked on a monthly basis;
  • Unfettered access and open lines of communication between the Corporate Compliance Officer and the provider’s employees;
  • A mechanism for enforcement of standards through well-publicized disciplinary guidelines;
  • In accordance with A.R.S. §36-2918.01 and ACOM Policy 103, have a process to, upon discovery, promptly address and notify The Health Plan and AHCCCS-OIG of any instances of an excluded provider or employee that is, or appears to be, in a prohibited relationship with the Subcontractor (42 CFR 455.17);
  • Have a process to confirm the identity and determine the exclusion status of any person with an ownership or control interest in the Contractor and with regard to its fiscal agents, to identify, obtain and report the exclusion status on persons convicted of crimes; and
  • Develop and maintain robust internal controls and mechanisms in order to consistently identify, prevent, deter and detect fraud, waste and program abuse that includes the implementation of corrective action plans (42 CFR 438.608).

9.9.5 Compliance Officer

Providers must establish written criteria for selecting a Compliance Officer and job description that clearly outlines the responsibilities and authority of the position. The Compliance Officer shall have the authority to assess records and independently refer suspected Member fraud, provider fraud, waste and Member abuse cases to The Health Plan and the AHCCCS-OIG. The Compliance Officer shall not have any title, duties or responsibilities that could constitute a potential or actual conflict of interest. Providers must require the Compliance Officer to be responsible for the following:

  • Provide training and ongoing education to employees in identifying and reporting fraud, waste and program abuse.
  • Oversee internal and external compliance audits
  • Record, track and trend all fraud, waste and abuse related complaints received including those initiated by  The Health Plan or a subcontractor, which shall capture and maintain the following information, at a minimum;
    • Contact information of complainant;
    • Name and identifying information of person or entity suspected of fraud, waste and/or program abuse;
    • Date and time complaint was received;
    • Nature of the allegations and summary of concern;
    • Potential estimated dollar loss amount and specific identification of funding source(s) involved;
    • Subcontractor's unique case identifying number;
    • The department or agency in which the complaint has been reported, and
    • Date in which the case was referred to The Health Plan or AHCCCS-OIG.

Providers must ensure the Compliance Officer has complete access to all information, databases, files, records and documents in order to conduct audits and to strategically structure the position to report suspected fraud, waste and program abuse directly The Health Plan and AHCCCS-OIG independently (42 CFR 455.17).

9.9.6 Other Activities

The provider must conduct additional activities, such as:

  • Regular fraud, waste and abuse awareness activities (i.e. campaigns, newsletters)
  • Develop and maintain internal control assessments
  • Risk assessments
  • The Health Plan responds to and coordinates responses made by  the Health Plan Compliance Committee
  • Notify  The Health Plan of any CMS compliance issues related to HIPAA transactions and code set complaints or sanctions
  • Communicate with  The Health Plan and AHCCCS OIG on the final disposition of the research and advice of actions, if any, taken by the provider
  • Contract with an independent auditor to conduct an annual claims review to verify compliance with all State and federal laws, regulations and payer requirements.

The Centers for Medicare and Medicaid Services (CMS) requires the Arizona Health Care Cost Containment System (AHCCCS) to conduct encounter validation studies as a condition for receiving federal Medicaid funding. AHCCCS requires The Health Plan to conduct encounter validation studies of their providers.

The purpose of encounter validation studies is to compare recorded utilization information from a clinical record or other source with submitted encounter data. The review “validates” or confirms that covered services are encountered timely, correctly and completely. The purpose of this section is to:

  • Inform providers that encounter validation studies may be performed by AHCCCS, The Health Plan and/or AHCCCS staff; and
  • Convey the AHCCCS’ expectation that providers cooperate fully with any encounter validation review that AHCCCS, The Health Plan and/or AHCCCS may conduct.

9.10.1 Criteria Used in Encounter Validation Studies

The criteria used in encounter validation studies include timeliness, correctness and omission of encounters, in addition to encountering for services not documented in the medical record. These criteria are defined as follows:

  • Timeliness - The time elapsed between the date of service and the date that the encounter is received. The Health Plan is required to provide specific information for providers on Timeliness standards;
  • Correctness - A correct encounter contains a complete and accurate description of a covered behavioral health service provided to a person. Correctness errors frequently identified include, but are not limited to, invalid procedure or revenue codes and ICD-10 diagnoses not reported to the correct level of specificity;
  • Omission - Provider documentation shows a service was provided, however, an encounter was not submitted; and
  • Lack of Documentation - A description of adequate documentation is referenced in Section 10.2 – Medical Records Standards.

In addition, assessment compliance must be monitored by The Health Plan in accordance with Section 12.5 - Assessment and Service Planning. Providers may be subject to sanctions for failure to meet the criteria used in encounter audits, which may include timeliness, correctness, and omission of encounters.

Providers must notify The Health Plan if, on the basis of moral or religious grounds, the provider elects not to provide coverage of a covered counseling or referral service pursuant to 42 CFR 438.102(a)(2). If the provider elects not to provide coverage of a covered counseling or referral service pursuant to 42 CFR 438.102(a) (2), the provider is required to make alternative arrangements with another entity to provide the service. A provider must notify The Health Plan prior to entering into a contract or adopting a policy as described above during the term of the provider’s contract with The Health Plan. The notification and policy must be consistent with the provisions of 42 CFR 438.10; must be provided to Members during their initial appointment; and must be provided to Members at least thirty (30) days prior to the effective date of the policy.

9.11.1 Provider Responsibilities

Providers must deliver covered services in accordance with the AHCCCS Covered Behavioral Health Service Guide located at https://www.azahcccs.gov/PlansProviders/GuidesManualsPolicies/guidesandmanuals.html

Providers must document adequate information in the clinical record and submit encounters to The Health Plan. Any audit findings that indicate suspected fraud, waste and/or program abuse must be reported to The Health Plan’s Compliance Department.