- A. Any entity wishing to provide F/EA services shall meet all of the standards for participation contained in this Rule, unless otherwise specifically noted within these provisions.
- B. The F/EA shall also abide by and adhere to any federal and state law, Rule, policy, procedure, performance agreement, or other state or federal requirements pertaining to the provision of F/EA services.
C. Failure to comply with the requirements of these standards for participation may result in the following actions including, but not limited to:
- 1. recoupment of funds;
- 2. sanctions for violations/non-performance as outlined in the performance agreement;
- 3. citation of deficient practice and plan of correction submission;
- 4. removal from the F/EA freedom of choice list; or
- 5. decertification as an F/EA and termination of the F/EA’s Medicaid provider enrollment.
- D. The F/EA shall make any required information or records, and any information reasonably related to assessment of compliance with these requirements, available to LDH.
- E. The F/EA shall, upon request by LDH, make available the legal ownership documents of the F/EA.
F. The F/EA must comply with all of LDH’s systems/software requirements, including the following:
1. The F/EA is required to transmit all non-proprietary data which is relevant for analytical purposes to LDH on a regular schedule in XML format.
- a. Final determination of relevant data will be made by LDH based on collaboration between all parties;
- b. The schedule for transmission of the data will be established by LDH and dependent on the needs of LDH related to the data being transmitted;
- c. XML files for this purpose will be transmitted via secure file transfer protocol (SFTP) to LDH; and
- d. Any other data or method of transmission used for this purpose must be approved via written agreement by all parties.
- 2. The F/EA is responsible for procuring and maintaining hardware and software resources which are sufficient for it to successfully perform the services detailed in this Rule.
- 3. The F/EA shall adhere to state and federal regulations and guidelines as well as industry standards and best practices for systems or functions required to support the requirements of this Rule.
- 4. Unless explicitly stated to the contrary, the F/EA is responsible for all expenses required to obtain access to LDH systems or resources which are relevant to successful completion of the requirements of this agreement. The F/EA is also responsible for expenses required for LDH to obtain access to the F/EA’s systems or resources which are relevant to the successful completion of the requirements of this agreement. Such expenses are inclusive of hardware, software, network infrastructure, and any licensing costs.
- 5. The F/EA, for all confidential or protected health information, must be encrypted to federal information processing standards (FIPS) 140-2 standards when at rest or in transit.
- 6. The F/EA shall ensure appropriate protections of shared personally identifiable information (PII), in accordance with 45 CFR §155.260.
- 7. The F/EA shall ensure that its system is operated in compliance with the Centers for Medicare and Medicaid Services’ (CMS) latest version of the minimum acceptable risk standards for exchanges (MARS-E) document suite.
- 8. Multi-factor authentication is a CMS requirement for all remote users, privileged accounts, and non-privileged accounts. In this context, remote user refers to staff accessing the network from offsite, normally with a client virtual private network (VPN) with the ability to access Medicaid and PII data.
- 9. A site-to-site tunnel is an extension of LDH’s network. If the agent utilizes a VPN site-to-site tunnel and also has remote users who access CMS data, the agent is responsible for providing and enforcing multi-factor authentication.
- 10. The F/EA owned resources must be compliant with industry standard physical and procedural safeguards (NIST SP 800-114, NIST SP 800-66, NIST 800-53A, ISO 17788, etc.) for confidential information (i.e., health information technology for economic and clinical health (HITECH), health insurance portability and accountability act (HIPAA) part 164).
- 11. Any F/EA use of flash drives or external hard drives for storage of LDH data must first receive written approval from LDH and upon such approval shall adhere to FIPS 140-2 hardware level encryption standards.
12. All F/EA utilized computers and devices must:
- a. be protected by industry standard virus protection software that is automatically updated on a regular schedule;
- b. have installed all security patches which are relevant to the applicable operating system and any other system software; and
- c. have encryption protection enabled at the operating system level.
G. F/EAs shall, at a minimum:
- 1. demonstrate administrative capacity and the financial resources to provide all core elements of financial management services and ensure effective service delivery in accordance with state and federal requirements;
- 2. have appropriate F/EA staff attend trainings, as mandated by LDH;
- 3. document and maintain records in accordance with federal and state regulations governing confidentiality and program requirements; and
- 4. assure that the F/EA will not provide both financial management services and support coordination or personal care services in Louisiana.
- H. Abuse and Neglect. Fiscal employer agencies shall establish policies and procedures relative to the reporting of abuse, neglect, exploitation, and extortion of participants, pursuant to the provisions of R.S. 15:1504-1505, R.S. 40:2009.20 and any subsequently enacted laws. The F/EA shall ensure that staff complies with these regulations.
Authority Note
AUTHORITY NOTE: Promulgated in accordance with R.S. 36:254 and Title XIX of the Social Security Act.
Historical Note
HISTORICAL NOTE: Promulgated by the Department of Health, Bureau of Health Services Financing, the Office of Aging and Adult Services, and the Office for Citizens with Developmental Disabilities, LR 49:1561 (September 2023).