La. Admin. Code tit. 50 § XXI-1129

Current through Register Vol. 50, No. 11, November 20, 2024
Section XXI-1129 - General Provisions
A. Any entity wishing to provide F/EA services shall meet all of the standards for participation contained in this Rule, unless otherwise specifically noted within these provisions.
B. The F/EA shall also abide by and adhere to any federal and state law, Rule, policy, procedure, performance agreement, or other state or federal requirements pertaining to the provision of F/EA services.
C. Failure to comply with the requirements of these standards for participation may result in the following actions including, but not limited to:
1. recoupment of funds;
2. sanctions for violations/non-performance as outlined in the performance agreement;
3. citation of deficient practice and plan of correction submission;
4. removal from the F/EA freedom of choice list; or
5. decertification as an F/EA and termination of the F/EA's Medicaid provider enrollment.
D. The F/EA shall make any required information or records, and any information reasonably related to assessment of compliance with these requirements, available to LDH.
E. The F/EA shall, upon request by LDH, make available the legal ownership documents of the F/EA.
F. The F/EA must comply with all of LDH's systems/software requirements, including the following:
1. The F/EA is required to transmit all non-proprietary data which is relevant for analytical purposes to LDH on a regular schedule in XML format.
a. Final determination of relevant data will be made by LDH based on collaboration between all parties;
b. The schedule for transmission of the data will be established by LDH and dependent on the needs of LDH related to the data being transmitted;
c. XML files for this purpose will be transmitted via secure file transfer protocol (SFTP) to LDH; and
d. Any other data or method of transmission used for this purpose must be approved via written agreement by all parties.
2. The F/EA is responsible for procuring and maintaining hardware and software resources which are sufficient for it to successfully perform the services detailed in this Rule.
3. The F/EA shall adhere to state and federal regulations and guidelines as well as industry standards and best practices for systems or functions required to support the requirements of this Rule.
4. Unless explicitly stated to the contrary, the F/EA is responsible for all expenses required to obtain access to LDH systems or resources which are relevant to successful completion of the requirements of this agreement. The F/EA is also responsible for expenses required for LDH to obtain access to the F/EA's systems or resources which are relevant to the successful completion of the requirements of this agreement. Such expenses are inclusive of hardware, software, network infrastructure, and any licensing costs.
5. The F/EA, for all confidential or protected health information, must be encrypted to federal information processing standards (FIPS) 140-2 standards when at rest or in transit.
6. The F/EA shall ensure appropriate protections of shared personally identifiable information (PII), in accordance with 45 CFR § 155.260.
7. The F/EA shall ensure that its system is operated in compliance with the Centers for Medicare and Medicaid Services' (CMS) latest version of the minimum acceptable risk standards for exchanges (MARS-E) document suite.
8. Multi-factor authentication is a CMS requirement for all remote users, privileged accounts, and non-privileged accounts. In this context, remote user refers to staff accessing the network from offsite, normally with a client virtual private network (VPN) with the ability to access Medicaid and PII data.
9. A site-to-site tunnel is an extension of LDH's network. If the agent utilizes a VPN site-to-site tunnel and also has remote users who access CMS data, the agent is responsible for providing and enforcing multi-factor authentication.
10. The F/EA owned resources must be compliant with industry standard physical and procedural safeguards (NIST SP 800-114, NIST SP 800-66, NIST 800-53A, ISO 17788, etc.) for confidential information (i.e., health information technology for economic and clinical health (HITECH), health insurance portability and accountability act (HIPAA) part 164).
11. Any F/EA use of flash drives or external hard drives for storage of LDH data must first receive written approval from LDH and upon such approval shall adhere to FIPS 140-2 hardware level encryption standards.
12. All F/EA utilized computers and devices must:
a. be protected by industry standard virus protection software that is automatically updated on a regular schedule;
b. have installed all security patches which are relevant to the applicable operating system and any other system software; and
c. have encryption protection enabled at the operating system level.
G. F/EAs shall, at a minimum:
1. demonstrate administrative capacity and the financial resources to provide all core elements of financial management services and ensure effective service delivery in accordance with state and federal requirements;
2. have appropriate F/EA staff attend trainings, as mandated by LDH;
3. document and maintain records in accordance with federal and state regulations governing confidentiality and program requirements; and
4. assure that the F/EA will not provide both financial management services and support coordination or personal care services in Louisiana.
H. Abuse and Neglect. Fiscal employer agencies shall establish policies and procedures relative to the reporting of abuse, neglect, exploitation, and extortion of participants, pursuant to the provisions of R.S. 15:1504-1505, R.S. 40:2009.20 and any subsequently enacted laws. The F/EA shall ensure that staff complies with these regulations.

Promulgated by the Department of Health, Bureau of Health Services Financing, the Office of Aging and Adult Services, and the Office for Citizens with Developmental Disabilities, LR 49:1561 (9/1/2023).
AUTHORITY NOTE: Promulgated in accordance with R.S. 36:254 and Title XIX of the Social Security Act.