Oregon Department of Human Services

Rule Rule 407-120-0370
Requirements for Financial, Clinical, and Other Records


The Department shall analyze and monitor the operation of its programs and audit and verify the accuracy and appropriateness of payment, utilization of services, or items.


The Department shall comply with client coverage criteria and requirements for the level of care or service or item authorized or reimbursed by the Department and the quality of covered services or items and service or item delivery, and access to covered services or items.


The provider and the provider’s designated billing service or other entity responsible for the maintenance of financial, service delivery, and other records must:


Develop and maintain adequate financial and service delivery records and other documentation which supports the specific care, items, or services for which payment has been requested. The Department shall not make payment for services that are not adequately documented. The following documentation must be completed before the service is billed to the Department:


All records documenting the specific service provided, the number of services or items comprising the service provided, the extent of the service provided, the dates on which the service was provided, and identification of the individual who provided the service. Patient account and financial records must also include documentation of charges, identify other payment resources pursued, indicate the date and amount of all debit or credit billing actions, and support the appropriateness of the amount billed and paid. For cost reimbursed services, the provider must maintain adequate records to thoroughly and accurately explain how the amounts reported on the cost statement were determined.


Service delivery, clinical records, and visit data, including records of all therapeutic services, must document the basis for service delivery and record visit data if required under program-specific rules or contracts. A client’s clinical record must be annotated each time a service is provided and signed or initialed by the individual providing the service or must clearly identify the individual providing the service. Information contained in the record must be sufficient in quality and quantity to meet the professional standards applicable to the provider or practitioner and any additional standards for documentation found in this rule, program-specific rules, and any pertinent contracts.


All information about a client obtained by the provider or its officers, employees, or agents in the performance of covered services, including information obtained in the course of determining eligibility, seeking authorization, and providing services, is confidential. The client information must be used and disclosed only to the extent necessary to perform these functions.


Implement policies and procedures to ensure confidentiality and security of the client’s information. These procedures must ensure the provider may release such information in accordance with program-specific federal and state statutes or contract, which may include but is not limited to, ORS 179.505 (Disclosure of written accounts by health care services provider) to 179.507 (Enforcement of ORS 179.495 and 179.505), 411.320 (Disclosure and use of records limited to purposes connected to administration of public assistance programs), 433.045 (Notice of HIV test required), 42 CFR part 2, 42 CFR part 431 subpart F, 45 CFR 205.50, and ORS 433.045 (Notice of HIV test required)(3) with respect to HIV test information.


Ensure the use of electronic record-keeping systems does not alter the requirements of this rule.


A provider’s electronic record-keeping system includes electronic transactions governed by HIPAA transaction and code set requirements and records, documents, documentation, and information include all information, whether maintained or stored in electronic media, including electronic record-keeping systems, and information stored or backed up in an electronic medium.


If a provider maintains financial or clinical records electronically, the provider must be able to provide the Department with hard-copy versions. The provider must also be able to provide an auditable means of demonstrating the date the record was created and the identity of the creator of a record, the date the record was modified, what was changed in the record and the identity of any individual who has modified the record. The provider must supply the information to individuals authorized to review the provider’s records under subsection (e) of this rule.


Providers may comply with the documentation review requirements in this rule by providing the electronic record in an electronic format acceptable to an authorized reviewer. The authorized reviewer must agree to receive the documentation electronically.


Retain service delivery, visit, and clinical records for seven years and all other records described in this rule, program-specific rules and contract for at least five years from the date of service.


Furnish requested documentation (including electronically recorded information or information stored or backed up in an electronic medium) immediately or within the time-frame specified in the written request received from the Department, the Oregon Secretary of State, DHHS or other federal funding agency, Office of Inspector General, the Comptroller General of the United States (for federally funded programs), MFCU (for Medicaid-funded services or items), or the client representative. Copies of the documents may be furnished unless the originals are requested. At their discretion, official representatives of the Department, Medicaid Fraud Unit, DHHS, or other authorized reviewers may review and copy the original documentation in the provider’s place of business. Upon written request of the provider, the program or the unit, may, at its sole discretion, modify or extend the time for provision of such records if, in the opinion of the program or unit good cause for such extension is shown. Factors used in determining if good cause exists include:


Whether the written request was made prior to the deadline for production;


If the written request is made after the deadline for production, the amount of time lapsed since that deadline;


The efforts already made to comply with the request;


The reasons the deadline cannot be met;


The degree of control that the provider had over its ability to produce the records prior to the deadline; and


Other extenuating factors.


Access to records, inclusive of clinical charts and financial records does not require authorization or release from the client, unless otherwise required by more restrictive state and federal regulations if the purpose of such access is:


To perform billing review activities;


To perform utilization review activities;


To review quality, quantity, medical appropriateness of care, items, and services provided;


To facilitate service authorization and related services;


To investigate a client’s hearing request;


To facilitate investigation by the MFCU or DHHS; or


To review records necessary to the operation of the program.


Failure to comply with requests for documents within the specified time-frame means that the records subject to the request may be deemed by the Department not to exist for purposes of verifying appropriateness of payment, clinical appropriateness, the quality of care, and the access to care in an audit or overpayment determination, and subjects the provider to possible denial or recovery of payments made by the Department or to sanctions.

Last accessed
Jun. 8, 2021