O.K. Admin. Code 317:30-3-4.1 - Uniform Electronic Transaction Act

This act applies to an electronic record and an electronic signature created with a record that is generated, sent, communicated, received or stored by the Oklahoma Health Care Authority. The Oklahoma Health Care Authority is the custodian of the original electronic record, including those of SoonerCare beneficiaries submitted electronically, and will retain that record in accordance with a disposition schedule as referenced by the Records Destruction Act. The Oklahoma Health Care Authority will retain an authoritative copy of the transferable record as described in the Electronic Transaction Act that is unique, identifiable and unalterable. Receivers of electronic information may both print and store the electronic information they receive.

These rules apply when both parties agree to conduct business electronically, although they are not required to do so. If a party chooses to do business electronically with the Oklahoma Health Care Authority, the following is required:

• Only authorized employees may make entries in the member's medical record, so long as it is dated and authenticated in a way that identifies the author. The identification method may include computer keys, Private/Public Key Infrastructure (PKIs), voice authentication systems that utilize a personal identification number (PIN) and voice authentication, or other codes. When an authorized employee is terminated, providers must deactivate the employee's access to records;
• When PKIs, computer key/code(s), voice authentication systems or other codes are used, the authorized employee must provide a signed statement that s/he is the sole controller of the chosen method and demonstrate that all codes used can be verified, that safeguards are in place to protect against unauthorized use, and that sanctions are in place to punish improper use of codes or systems;
• The author of an entry into a record must take a deliberate action to verify the accuracy of an entry for certain recording systems including, but not limited to online review systems using key code verification, signing off against a list of entries in the member's records, mailing transcripts for review, postcards verifying the record(s) signed and returned by the employee, or voice authentication clearly identifying the author via a personal identification number or security code;
• Automatically authenticating a report before the record has been transcribed is not an acceptable authentication method;
• Records may be edited by designated administrators within the provider's facility, so long as it preserves original entries, is authenticated by the original author, and the edits are completed prior to claims submission or no later than 45 days after the date of service, whichever is later.
• Electronic signature for clinical documentation have the same effect as a written signature, but the electronic portion of the record must be authenticated by the employee or individual who provided the described service.
• Any authentication method for electronic signatures must be unique and attributable to the person signing it, be capable of verification in a way that ensures documentation cannot be altered after the signature has been affixed, be under the sole control of the person using it, prevent data alteration, and provide strong and substantial evidence that will make it difficult for the signer to claim that the electronic representation is not valid.
• Failure to properly maintain or authenticate medical records can result in the denial or recoupment of SoonerCare payments.

Providers must retain electronic medical records and have access to the records in accordance with guidelines found at OAC 317:30-3-15.

The manner and format required by the Oklahoma Health Care Authority will vary base on whether the sender of the document is a member or a provider, or where the provider is also a client, the based upon the function served by the receipt of the record. If that function is a request for services, then the format required is that required by a recipient; where the function is related to payment for services, then the format required is that required by a provider.

Members are permitted to request SoonerCare services electronically. An electronic signature will be authenticated after data has been validated by a separate database. Providers may contract with, review claims filed with, and file prior authorization requests with the Oklahoma Health Care Authority. Providers with a social security number or federal employer's identification number will be given a personal identification number (PIN) to access the database and to subsequently transact business electronically.

Providers, assisted by Oklahoma Health Care Authority, must create and utilize a security policy that identifies who has access to their data and what transaction employees are permitted to complete per the electronic records and signature rules in this section.

Providers must authorize a third Party biller’s access to its PIN number to complete electronic transactions, but only after a power of attorney by the provider is executed.

These provisions apply to the time and place of receipt with the exception of a power failure, Internet interruption or Internet virus, in which case confirmation is required by the receiving party.

Any person who fraudulently represents facts in an electronic transaction, acts without authority, or exceeds their authority to perform an electronic transaction may be prosecuted under all applicable criminal and civil laws.