Or. Admin. Code § 407-120-0160

Current through Register Vol. 63, No. 11, November 1, 2024
Section 407-120-0160 - Conduct of Transactions - EDI Transactions
(1) EDI Submitter Obligations. An EDI submitter is responsible for the conduct of the EDI transactions registered on behalf of a trading partner, including the following:
(a) EDI Transmission Accuracy. An EDI submitter shall take reasonable care to ensure that data and data transmissions are timely, complete, accurate, and secure; and shall take reasonable precautions to prevent unauthorized access to the information system, the data transmission, or the contents of an envelope which is transmitted either to or from the Department. The Department will not correct or modify an incorrect transaction prior to processing. The transaction may be rejected and an EDI submitter notified of the rejection.
(b) Re-transmission of Indecipherable Transmissions. Where there is evidence that a data transmission is lost or indecipherable, the sending party must make best efforts to trace and re-transmit the original data transmission in a manner which allows it to be processed by the receiving party as soon as practicable.
(c) Cost of Equipment. An EDI submitter and the Department will pay for their own information system costs. An EDI submitter shall, at its own expense, obtain and maintain its own information system. An EDI submitter shall pay its own costs for all charges related to data transmission including, without limitation, charges for information system equipment, software and services, electronic mailbox maintenance, connect time, terminals, connections, telephones, modems, any applicable minimum use charges, and for translating, formatting, sending, and receiving communications over the electronic network to the electronic mailbox, if any, of the Department. The Department is not responsible for providing technical assistance in the processing of an EDI transaction.
(d) Back-up Files. EDI submitters must maintain adequate data archives and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by state and federal law, or by contractual agreement. Data archives or back-up files shall be subject to these rules to the same extent as the original data transmission.
(e) Transmissions Format. Except as otherwise provided herein, EDI submitters must send and receive all data transmissions in the federally mandated format, or (if no federal standard has been promulgated) other formats as the Department designates.
(f) Testing. EDI submitters must, prior to the initial data transmission and throughout the term of a TPA, test and cooperate with the Department in the testing of information systems as the Department considers reasonably necessary to ensure the accuracy, timeliness, completeness, and confidentiality of each data transmission.
(2) Security and Confidentiality. To protect security and confidentiality of transmitted data, EDI submitters must comply with the following:
(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data, data transmissions, or the contents of an envelope, except as necessary to comply with the terms of these rules or the TPA, or use the same for any purpose other than that which an EDI submitter was specifically given access and authorization by the Department or a trading partner;
(b) Refrain from obtaining access by any means to any data, data transmission, envelope, mailbox, or the Department's information system for any purpose other than that which an EDI submitter has received express authorization. If an EDI submitter receives data or data transmissions from the Department which clearly are not intended for an EDI submitter, an EDI submitter shall immediately notify the Department and make arrangements to return or re-transmit the data or data transmission to the Department. After re-transmission, an EDI submitter shall immediately delete the data contained in the data transmission from its information system;
(c) Install necessary security precautions to ensure the security of the information systems or records relating to the information systems of either the Department or an EDI submitter when the information system is not in active use by an EDI submitter;
(d) Protect and maintain the confidentiality of security access codes issued by the Department to an EDI submitter; and
(e) Provide special protection for security and other purposes, where appropriate, by means of authentication, encryption, the use of passwords, or other means. Unless otherwise provided in these rules, the recipient of a protected data transmission must at least use the same level of protection for any subsequent transmission of the original data transmission.
(3) Department Obligations. The Department shall:
(a) Make available to an EDI submitter, by electronic media, those types of data and data transmissions which an EDI submitter is authorized to receive.
(b) Inform an EDI submitter of acceptable formats in which data transmissions may be made and provide notification to an EDI submitter within reasonable time periods consistent with HIPAA transaction standards, if applicable, or at least 30 days prior by electronic notice of other changes in formats.
(c) Provide an EDI submitter with security access codes that will allow an EDI submitter access to the Department's information system. Security access codes are strictly confidential and EDI submitters must comply with all of the requirements of OAR 407-120-0170. The Department may change the designated security access codes at any time and manner as the Department, in its sole discretion, deems necessary. The release of security access codes shall be limited to authorized electronic data personnel of an EDI submitter and the Department with a need to know.

OMAP 25-2003(Temp), f. & cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03; DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from 410-001-0160, DHSD 1-2008, f. & cert. ef. 2-1-08

Stat. Auth.: ORS 409.050, 414.065

Stats. Implemented: ORS 414.065