Section 450.205 - Recordkeeping and Disclosure(A) The MassHealth agency will not pay a provider for services if the provider does not have adequate documentation to substantiate the provision of services payable under MassHealth. All providers must keep such records, including medical records, as are necessary to disclose fully the extent and medical necessity of services provided to, or prescribed for, members and must provide to the MassHealth agency and the Attorney General's Medicaid Fraud Division, the State Auditor and the United States Department of Health and Human Services on request such information and any other information about payments claimed by the provider for providing services or otherwise described in 130 CMR 450.205. (See e.g., 42 U.S.C. 1396a(a)(27).) All providers must also disclose such records and information to any other state and federal agency to which disclosure is required by law.(B) All providers must maintain complete patient account records. Patient account records must include complete documentation of charges, indicate the date and amount of all debit and credit transactions, and support the appropriateness of the amounts billed and paid. Institutional providers must, in addition, provide on request all records maintained by or within the institution about services provided to members by other providers. Pharmacy providers must, in addition, keep photocopies of the temporary MassHealth cards referenced when filling prescriptions, if applicable, and must produce a copy of the card on request.(C) A provider must maintain and disclose any and all financial, statistical, and other information as may be required by the MassHealth agency, the Center for Health Information and Analysis, or any other agency described in 130 CMR 450.205(A). The required information must include, but is not limited to, ownership and licensure information, cost reports, charge books, audited financial statements, financial records, federal and state tax returns, invoices, general ledgers, trial balances, remittance advices, and explanations of benefits from health insurers and managed care organizations. Such records and documents must be provided within the time period specified by the requesting agency.(D) All records including, but not limited to, those containing signatures of medical professionals authorizing services, such as prescriptions, must, at a minimum, be legible and comply with generally accepted standards for recordkeeping within the applicable provider type as they may be found in laws, rules, and regulations of the relevant board of registration, professional treatises, and guidelines and other information published, adopted, or promulgated by state or national professional organizations and societies. All accounting records must be maintained in accordance with generally accepted accounting principles. In those instances where MassHealth regulations identify specific recordkeeping requirements for particular types of providers, such regulations constitute an additional standard against which the adequacy of records will be measured for the purposes of 130 CMR 450.205. In no instance will the completion of the appropriate MassHealth claim, the maintenance of a copy of such claim, or the simple notation of service codes constitute sufficient documentation for the purpose of 130 CMR 450.205.(E) Except as provided in 130 CMR 450.205(F), the records and information required to be maintained or disclosed under 130 CMR 450.000 include only those that relate in any manner to services provided to or prescribed for members, provided, however, that disclosure may not be refused on the ground that such records are commingled with records related to persons who are not members. Such records and information must be made available to the MassHealth agency and any other agency described in 130 CMR 450.205(A) for examination or copying during reasonable office hours at the provider's place of business or record depository. Alternatively, the requesting agency may require that the provider submit copies of such records and information.(F)(1) Providers subject to the federal requirements for employee education about false claims laws under 42 U.S.C. 1396a(a)(68) must: (a) provide written certification, on or before June 30th of each year, or such other date as specified by the MassHealth agency, signed under the pains and penalties of perjury, of compliance with the federal requirements;(b) make available to the MassHealth agency, upon request, a copy of all written policies implemented in accordance with 42 U.S.C. 1396a(a)(68), any employee handbook, and other information as the MassHealth agency may deem necessary to determine compliance; and(c) initiate corrective actions necessary to comply with such federal requirements.(2) The MassHealth agency may recover as overpayments any payments made to a provider that the MassHealth agency determines failed to comply with the requirements of 130 CMR 450.205(F)(1) or 42 U.S.C. 1396a(a)(68), and impose sanctions against a provider in accordance with the provisions of 130 CMR 450.000.(G) Notwithstanding any regulatory or contractual provisions that may provide for a shorter retention period, all records described in 130 CMR 450.204 and 450.205 must be kept for at least six years after the date of medical services for which claims are made or the date services were prescribed, or for such length of time as may be dictated by the generally accepted standards for recordkeeping within the applicable provider type, whichever period is longer. Providers must retain records to substantiate costs listed on a cost report for at least six years following the date of filing of the cost report or for such length of time as may be required by regulations of the Centers for Health Information and Analysis or other governing agency, whichever period is longer. In no event may any provider destroy any records while any review, audit, or administrative or judicial action involving such records is pending.(H) In cases where audits or other reviews reveal provider noncompliance with 130 CMR 450.204 or 450.205, the MassHealth agency may seek to pursue recovery of overpayments and to impose sanctions in accordance with the provisions of 130 CMR 450.000.(I)(1) The provider, as holder of personal data under M.G.L. c. 66A, must comply with all regulatory and statutory requirements applicable to such a holder, including those set forth in M.G.L. c. 66A, and must inform each of its employees having access to such personal data of such requirements and ensure compliance by each employee with such requirements.(2) The provider must take reasonable steps to ensure the physical security of personal data under its control including, but not limited to:(b) protection against smoke and water damage;(d) locked files, guards, or other devices reasonably expected to prevent loss or unauthorized removal of manually held data;(e) passwords, access logs, badges, or other methods reasonably expected to prevent loss or unauthorized access to electronically or mechanically held data by ensuring limited terminal access; and(f) limited access to input and output documents.Amended by Mass Register Issue 1341, eff. 6/16/2017.Amended by Mass Register Issue 1354, eff. 12/18/2017.