TITLE 1. ADMINISTRATION

PART 10. DEPARTMENT OF INFORMATION RESOURCES

CHAPTER 202. INFORMATION SECURITY STANDARDS

The Texas Department of Information Resources (department) proposes amendments to 1 Texas Administrative Code (TAC) Chapter 202, §§202.1, 202.23, 202.27, 202.73, and 202.77, concerning Information Security Standards. The proposed changes update the Texas Risk and Authorization Management Program (TX-RAMP) to incorporate necessary programmatic changes to address cybersecurity and stakeholder needs and expand upon the requirements for the information security assessment and report required by Texas Government Code §2054.515(c). The department also proposes a new section, §202.5, to create a singular location for all TX-RAMP requirements for the department and instructions on how vendors may adhere to the requirements of the program.

The department amends the title of 1 TAC Chapter 202, Subchapter A, to include "and Responsibilities" to reflect the expansion of elements within Subchapter A outside of definitions.

In §202.1, the department corrects certain grammatical errors within definitions used by 1 TAC Chapter 202. The department also revises the definition for "security incident" and creates a new definition for "local government."

In §202.23, for state agencies, and §202.73, for institutions of higher education, the department proposes amendments that establish the minimum requirements for an entity's biennial information security assessment as well as the method and time by which an entity must report its information security assessment to all statutorily-identified parties. In addition, the department proposes amendments that incorporate statutory admonishments to state agencies, local governments, and institutions of higher education on notifying the department of the conclusion of a security incident within 10 days after the eradication, closure, and recovery from a security incident.

In §202.23, the department incorporates reporting requirements for local government security incidents as required by Senate Bill 271 [88th Legislature (Regular)]. The proposed local government security incident reporting requirements mimic those currently existing for state agencies.

In §202.27, for state agencies, and §202.77, for institutions of higher education, the department proposes amendments to streamline the sections to include only those items that are specific to the type of entity to which the subchapter is applicable.

The department proposes the creation of a new section, §202.5, concerning TX-RAMP. The Texas Legislature passed Senate Bill 475 (SB 475), which created the state risk and authorization management program, in the 87th Regular Session. Under TX-RAMP, the department must provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services. This requires the department to institute a number of regulatory requirements and procedures, both for itself and vendors who are seeking to become or are already TX-RAMP certified, that apply regardless of whether the customer is a state agency or institution of higher education. The proposed new section consolidates department and vendor requirements that are identical regardless of customer entity.

The proposed rule applies to state agencies, institutions of higher education, and, in limited scope as required by Senate Bill 271 [88th Legislative Session (Regular)], local governments, a term which may include approximately 1,100 rural communities as defined by Texas Government Code §2006.001(1-a). It does not apply to small businesses or micro-businesses. As a result, there is no economic impact on small businesses or micro-businesses as a result of enforcing or administering the amended rule as proposed.

There is no adverse economic impact to rural communities as a result of the proposed rule. Previously, rural communities that found themselves the victim of a security incident were required to address the recovery from the security incident on their own. With the passage of Senate Bill 271 [88th Legislative Session (Regular)], local governments, including rural communities as defined by Texas Government Code §2006(1-a), are now required to comply with the same security incident reporting rules imposed upon state agencies and institutions of higher education. The department discussed this matter extensively with local governments prior to the passage of Senate Bill 271 [88th Legislative Session (Regular)] to ensure that there was no adverse impact to local governments, including rural communities. Rural communities must report their security incidents either by submitting a form through the department-hosted system or by calling a specified department number. This allows rural communities to receive efficient and increased access to department support and resources, where before rural communities may not have known who to contact during a security incident and may not have been able to receive department and/or statewide assistance in a timely fashion. Due to the lack of complexity associated with how rural communities are required to report security incidents and the benefits associated with reporting, there is no adverse economic impact to rural communities.

The department worked extensively with local government representatives during the legislative session and following the passage of Senate Bill 271 [88th Legislative Session (Regular)] to ensure that the required rules imposed the least administrative burden upon local governments, including rural communities. As proposed, these rules are the least burdensome means of implementing the statutory requirements.

The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with Texas Government Code §2054.121(c). DIR submitted the proposed amendments to the Information Technology Council for Higher Education for its review. DIR determined that there was no direct impact on institutions of higher education as a result of the proposed rules.

Nancy Rainosek, Chief Information Security Officer for the State of Texas, has determined that there will be no fiscal impact upon state agencies, institutions of higher education, and local government during the first five-year period following the adoption of the proposed amendments. By permitting certain third-party certifications or attestations to partially satisfy TX-RAMP certification requirements at the department's discretion and realigning baseline levels to permit entities to assess required needs based upon an impact standard, the department has increased the overall effectiveness of the TX-RAMP rules and addressed the statutory requirement for the department to administer a robust and standardized security assessment program for cloud computing service providers. The department's creation of minimum requirements for the information security assessment that each state agency and institution of higher education must complete allows for a rigorous yet still customizable assessment that entities must complete at least biennially to determine the entity's overall security; many of the minimum requirements align with best practice standards already required for information security and, as such, do not result in a fiscal impact. Furthermore, local governments' reporting of security incidents, in alignment with Senate Bill 271 [88th Legislative Session (Regular)] and the proposed rule requirements, allows local governments better access to department expertise and support, which not only results in no fiscal impact but may actually alleviate strain upon local government resources. There is no fiscal impact as a result of the proposed changes to state agencies, institutions of higher education, and local government. Ms. Rainosek has further determined that for each year of the first five years following the adoption of the amended 1 TAC Chapter 202, there are no anticipated additional economic costs to persons or small businesses required to comply with the amendments and proposed new rules.

Pursuant to Texas Government Code §2001.0221, the agency provides the following Governmental Growth Impact Statement for the proposed amendments. The agency has determined the following:

The proposed rules neither create nor eliminate a government program. The TX-RAMP program and the information security assessment and report were created by Senate Bill 475 during the 87th Legislature and the proposed rules merely administer and implement these required items.

Implementation of the proposed rules does not require the creation or elimination of employee positions. There are no additional employees required nor employees eliminated to implement the rule as amended.

Implementation of the proposed rules does not require an increase or decrease in future legislative appropriations to the agency. There is no fiscal impact as implementing the rule does not require an increase or decrease in future legislative appropriations.

The proposed rules do not require an increase or decrease in fees paid to the agency.

The proposed rules create a new rule section that consolidates existing duplicated requirements for the department and cloud computing services found in Subchapters B and C. A significant portion of the information contained in the new rule section previously existed in 1 TAC §§202.27 and 202.77.

The proposed rules do not repeal an existing regulation.

The proposed rules do not increase or decrease the number of individuals subject to the rule's applicability. 1 TAC §202.23(e) as proposed now requires local governments to report security incidents as defined by rule. Senate Bill 271 [88th Legislative Session (Regular)] requires local governments to comply with all security incident reporting rules required of state agencies; the department has simply adapted its rule to incorporate this statutory requirement. Beyond the change mandated by Senate Bill 271 [88th Legislative Session (Regular)], the department has neither expanded nor reduced the overall applicability of these rules and, as such, the number of individuals subject to the rule has not changed.

The proposed rules do not positively or adversely affect the state's economy. The proposed amendments to the TX-RAMP program, local government security incident reporting requirements, and minimum requirements necessary for an entity's information security assessment increase the security of governmental entities.

Written comments on the proposed rules may be submitted to Christi Koenig Brisky, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to rules.review@dir.texas.gov. Comments will be accepted for 30 days after publication in the Texas Register.

SUBCHAPTER A. DEFINITIONS

1 TAC §202.1, §202.5

The amendments are proposed pursuant to Texas Government Code §2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code §2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code §2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this proposal.

§202.1. Applicable Terms and Technologies for Information Security Standards.

The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.

(1) Access--The physical or logical capability to view, interact with, or otherwise make use of information resources.

(2) Agency Head--The top-most senior executive with operational accountability for an agency, department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government, that is created by the constitution or a statute of the state; or institutions of higher education, as defined in Texas Education Code §61.003.

(3) Application--As defined in Texas Government Code §2054.003(1).

(4) Availability--The security objective of ensuring timely and reliable access to and use of information.

(5) Cloud Computing--Has the same meaning as "Advanced Internet-Based Computing Service" as defined in Texas Government Code §2157.007(a).

(6) Cloud Computing Service--The [the] meaning assigned by Special Publication 800-145 issued by the United States Department of Commerce National Institute of Standards and Technology[,] as the definition existed on January 1, 2015.

(7) Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.

(8) Confidentiality--The security objective of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

(9) Control--A safeguard or countermeasure, including devices, policies, procedures, techniques, or other measures, that are prescribed to meet security requirements of an information system or organization to preserve. Controls may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.

(10) Control Standards Catalog--The document that provides state agencies and higher education institutions state specific implementation guidance for alignment with the National Institute of Standards and Technology (NIST) SP (Special Publication) 800-53 security controls.

(11) Custodian--See information custodian.

(12) Department--The Department of Information Resources.

(13) Destruction--The result of actions taken to ensure that physical and digital media cannot be reused as originally intended and that information is technologically infeasible or prohibitively expensive to recover.

(14) Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.

(15) Encryption (encrypt or encipher)--The conversion of plaintext information into a code or cipher text using a variable called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.

(16) FedRAMP--Federal Risk and Authorization Management Program.

(17) Guideline--Recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.

(18) High Impact Information Resources--Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

(A) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;

(B) result in major damage to organizational assets;

(C) result in major financial loss; or

(D) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

(19) Information--Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.

(20) Information Custodian--A department, agency, or third-party service provider responsible for implementing the information owner-defined controls and access to an information resource.

(21) Information Owner(s)--A person(s) with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

(22) Information Resources--As defined in Texas Government Code §2054.003(7).

(23) Information Resources Manager--As defined in Texas Government Code §2054.071.

(24) Information Security Program--The policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, services, and resources that establish an information resources security function within an institution of higher education or state agency.

(25) Information System--A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. An Information System normally includes, but is not limited to, hardware, software, network infrastructure, information, applications, communications, and people.

(26) Integrity--The security objective of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

(27) ITCHE--Information Technology Council for Higher Education.

(28) Local Government--As defined by Texas Government Code §2054.003(9).

(29) [(28)] Low Impact Information Resources--Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

(A) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;

(B) result in minor damage to organizational assets;

(C) result in minor financial loss; or

(D) result in minor harm to individuals.

(30) [(29)] Moderate Impact Information Resources--Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

(A) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

(B) result in significant damage to organizational assets;

(C) result in significant financial loss; or

(D) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

(31) [(30)] Network Security Operations Center (NSOC)--As established by Texas Government Code §2059.101.

(32) [(31)] Nonconfidential Data--Information that is not required to be or may not be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.

(33) [(32)] Personal Identifying Information (PII)--A category of personal identity information as defined by Texas Business and Commerce Code §521.002(a)(1).

(34) [(33)] Procedure--Instructions to assist information security staff, custodians, and users in implementing policies, standards, and guidelines.

(35) [(34)] Program Manual--Program manual for the Texas risk and authorization management program.

(36) [(35)] Residual Risk--The risk that remains after security measures have been applied.

(37) [(36)] Risk--The effect on the entity's missions, functions, image, reputation, assets, or constituencies considering the probability that a threat will exploit a vulnerability, the safeguards already in place, and the resulting impact. Risk outcomes are a consequence of Impact levels defined in this section.

(38) [(37)] Risk Assessment--The process of identifying, evaluating, and documenting the probability and level of impact on an organization's mission, functions, image, reputation, assets, or individuals that may result from the operation of information systems. Risk Assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.

(39) [(38)] Risk Management--The process of aligning information resources risk exposure with the organization's risk tolerance by either accepting, transferring, or mitigating risk exposures.

(40) [(39)] Security Assessment--The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.

(41) [(40)] Security Incident--An incident that meets one of the requirements enumerated at Texas Government Code §2054.603(a)(1)(A) - (B). [An event that results in the accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, exposure, or destruction of information or information resources.]

(42) [(41)] Sensitive Personal Information--A category of personal identity information as defined by Texas Business and Commerce Code §521.002(a)(2).

(43) [(42)] Standards--Specific mandatory controls that help enforce and support the information security policy.

(44) [(43)] State-controlled data--Any and all data that is created, processed, or stored by a state agency.

(45) [(44)] StateRAMP--The risk and authorization management program, built upon the National Institute of Standards and Technology Special Publication 800-53 and modeled after the FedRAMP program, that provides state and local governments a common method for verification of cloud security.

(46) [(45)] Statewide Technology Centers--As defined in Texas Government Code §2054.375(2).

(47) [(46)] Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals by the unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

(48) [(47)] TX-RAMP--The Texas Risk [risk] and Authorization [authorization] Management [management] Program [program].

(49) [(48)] User of Information Resources--An individual, process, or automated application authorized to access an information resource in accordance with federal and state law, agency policy, and the information-owner's procedures and rules.

(50) [(49)] Vulnerability Assessment--A documented evaluation containing information described in Texas Government Code §2054.077(b), which includes the susceptibility of a particular system to a specific attack.

§202.5. Texas Risk and Authorization Management Program Responsibilities and Mandatory Standards.

(a) Mandatory Standards for Cloud Computing Services Subject to the Texas Risk and Authorization Management Program.

(1) The department shall define mandatory standards for Texas cloud computing services identified by subsection (a) of this section in the program manual published on the department's website. Revisions to this document will be executed in compliance with subsection (d) of this section.

(2) The mandatory standards established by the department shall include at least the following baseline standards:

(A) TX-RAMP Level 1 Baseline - This baseline is required for cloud computing services that are subject to TX-RAMP certification and categorized by a state agency as Low Impact Information Resources; and

(B) TX-RAMP Level 2 Baseline - This baseline is required for cloud computing services that are subject to TX-RAMP and categorized by a state agency as Moderate or High Impact Information Resources.

(3) The department shall establish the categories and characteristics of cloud computing services that are subject to TX-RAMP requirements in the program manual published on the department's website pursuant to subsection (a)(1).

(b) Responsibilities of Cloud Computing Service Vendors:

(1) To be certified under TX-RAMP, a cloud computing service vendor shall:

(A) Provide evidence of compliance with TX-RAMP requirements for the cloud computing service as detailed by the program manual; and

(B) Demonstrate continuous compliance in accordance with the program manual.

(2) Primary contracting vendors who provide or sell cloud computing services subject to TX-RAMP, including resellers who provide or sell these services, shall present evidence of certification of the cloud computing service being sold to the state agency or institution of higher education in accordance with the program manual. Such certification is required for all cloud computing services subject to TX-RAMP being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.

(3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.

(c) Responsibilities of the Department:

(1) Prior to publishing new or revised program standards as required by subsections (a) - (b) of this section, the department shall:

(A) solicit comment through the department's electronic communications channels for the proposed standards to be changed from the Information Resources Managers and Information Security Officers of state agencies and institutions of higher education and ITCHE; and

(B) after reviewing the comments provided, present the proposed program manual to the department's Board and obtain approval from the Board for publication.

(2) The department shall:

(A) perform assessments to certify cloud computing services provided by cloud computing vendors; and

(B) publish on the department's website the list of cloud computing products certified under TX-RAMP.

(d) Acceptance of External Assessments.

(1) The department shall accept a vendor's compliance with FedRAMP and StateRAMP authorizations in satisfaction of the [above] baselines established by subsection (a) once the department receives evidence of compliance with these programs.

(2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the [above] baselines established by subsection (a) once certification is demonstrated by the vendor in alignment with program manual standards.

(3) At the department's discretion, the department may allow a third-party security assessment or third-party audit to satisfy certain mandatory program standards. A vendor may demonstrate satisfaction of certain mandatory program standards by submitting a third-party security assessment or third-party audit that the department has authorized to align with and satisfy these standards.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 22, 2023.

TRD-202303094

Joshua Godbey

General Counsel

Department of Information Resources

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 475-4552


SUBCHAPTER B. INFORMATION SECURITY STANDARDS FOR STATE AGENCIES

1 TAC §202.23, §202.27

The amendments are proposed pursuant to Texas Government Code §2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code §2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code §2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this proposal.

§202.23. Security Reporting.

(a) [Agency Reporting.] Each Information Security Officer shall directly report to the agency head, at least annually, on the adequacy and effectiveness of information security policies, procedures, practices, compliance with the requirements of this chapter, and:

(1) effectiveness of current information security program and status of key initiatives;

(2) residual risks identified by the state agency risk management process; and

(3) state agency information security requirements and requests.

(b) Each state agency shall submit to the department a Biennial Information Security Plan in accordance with Texas Government Code §2054.133.

[(b) Report to the Department.]

[(1) Urgent Incident Report.]

[(A) Each state agency shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Security incidents shall be promptly reported to immediate supervisors and the agency Information Security Officer. Confirmed or suspected security incidents shall be reported to the department within 48 hours of discovery in the form and manner specified by the department where the security incident is assessed to:]

(i) propagate to other state systems;

(ii) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;

(iii) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code §521.002(a)(2) and other applicable laws that may require public notification; or

(iv) be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.

[(B) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Texas Penal Code Chapter 33 or Texas Penal Code Chapter 33A), the state agency shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.]

[(C) Depending on the nature of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams shall continue to report information to the department as it is collected. The department shall instruct state agencies as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency. Agencies shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.]

[(2) Monthly Incident Report. Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine (9) calendar days after the end of the month. State agencies shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to a state agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency.]

[(3) Biennial Information Security Plan. Each state agency shall submit to the department a Biennial Information Security Plan in accordance with Texas Government Code §2054.133.]

(c) At least every two years, each state agency shall complete and submit an information security assessment in compliance with the requirements of Texas Government Code §2054.515 and this subsection.

(1) The agency's Biennial Information Security Plan may be considered to satisfy the information security assessment requirements of Texas Government Code §2054.515(a)(1) if the agency's Biennial Information Security Plan assesses:

(A) The security of the agency's information resources systems, network systems, and digital data storage systems;

(B) The measures in place to establish digital data security; and

(C) The vulnerabilities of the agency's information resources, including an evaluation determining how well the organization's security policies protect its data and information systems.

(2) To comply with Texas Government Code §2054.515(a)(2), a state agency must complete a data maturity assessment in alignment with the requirements established at 1 Texas Administrative Code §218.10.

(3) Upon completion of its information security assessment, a state agency shall report the results of its assessment to the department in the form and manner identified by the department. A state agency must comply with a request for the results of its assessment received from the Office of the Governor, Lieutenant Governor, or speaker of the House of Representatives.

(d) Each state agency shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Security incidents shall be promptly reported to immediate supervisors and the agency Information Security Officer.

(1) A state agency shall report security incidents to the department within 48 hours of discovery in the form and manner specified by the department where the security incident is assessed to:

(A) propagate to other state systems;

(B) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;

(C) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code §521.002(a)(2) and other applicable laws that may require public notification; or

(D) be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.

(2) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Texas Penal Code Chapter 33 or Texas Penal Code Chapter 33A), the state agency shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.

(3) Depending on the nature of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams shall continue to report information to the department as it is collected. The department shall instruct state agencies as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency. Agencies shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.

(4) Ten days after the date of the eradication, closure, and recovery from a security incident, a state agency shall notify the department and the chief information security officer in the form and manner prescribed by the department of the security incident details and an analysis of the security incident cause.

(e) A local government shall report security incidents that are assessed by the entity to meet the criteria listed in subsection (d)(1) of this section to the department within 48 hours of discovery.

(1) A local government must submit its report of the security incident in the form and manner specified by the department.

(2) A local government is not required to report a security incident described by subsection (d) of this section where statute expressly states that compliance with the department reporting requirements is excluded for a security incident of that type.

(3) Ten days after the date of the eradication, closure, and recovery from a security incident, a local government shall notify the department and the chief information security officer in the form and manner prescribed by the department of the security incident details and an analysis of the security incident cause.

§202.27.Texas Risk and Authorization Management Program for State Agencies.

[(a) Mandatory Standards. Mandatory standards for Texas cloud computing services identified by subsection (b)(1) of this section shall be defined by the department in the program manual published on the department's website. Revisions to such document will be executed in compliance with subsection (d) of this section.]

[(b) Cloud Computing Standards Subject to the Texas Risk and Authorization Management Program. The standards required by subsection (a) of this section shall include the below stated baseline standards for:]

[(1) TX-RAMP Public Controls Baseline (TX-RAMP Level 1) - This baseline is required for cloud computing services that:]

[(A) store, process, or transmit nonconfidential data of a state agency; or]

[(B) host low impact information resources.]

[(2) TX-RAMP Confidential Controls Baseline (TX-RAMP Level 2) - This baseline is required for cloud computing services that:]

[(A) store, process, or transmit confidential data of a state agency; and]

[(B) host moderate impact information resources or high impact information resources.]

[(c) Responsibilities of Cloud Computing Service Vendors.]

[(1) To be certified under the TX-RAMP program, a cloud computing service vendor shall:]

[(A) Provide evidence of compliance for information they are storing, processing, or transmitting as detailed by the program manual; and]

[(B) Demonstrate continuous compliance in accordance with the program manual.]

[(2) Primary contracting vendors, including resellers, who provide or sell cloud computing services to state agencies shall present evidence of certification of the cloud computing service being sold in accordance with the program manual. Such certification is required for all cloud computing services being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.]

[(3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.]

[(d) Responsibilities of the Department.]

(1) [Responsibilities of the Department in Developing Updates to the Program Manual. Prior to publishing new or revised program standards as required by subsections (a) - (d) of this section, the department shall:]

(A) [solicit comment through the department's electronic communications channels for proposed standards from the Information Resources Managers, ITCHE, and Information Security Officers of agencies and institutions of higher education at least 30 days prior to publication of proposed program manual; and]

(B) [after reviewing comments provided during the comment period described by section (1)(A) of this subsection, present the proposed program manual to the department's Board and obtain approval from the Board for publication.]

(2) [Responsibilities of the Department for Certifying Vendor's Cloud Computing Products and Services. The department shall:]

(A) [perform reviews to certify cloud computing services provided by cloud computing vendors; and]

(B) [publish on the department's Internet website the list of cloud computing products certified under TX-RAMP.]

[(e) Responsibilities of a State Agency Contracting for Cloud Computing Services.] A state agency contracting for cloud computing services that store, process, or transmit data of the state agency shall:

(1) confirm that vendors contracting with the state agency to provide cloud computing services for the state agency are certified through TX-RAMP prior to entering or renewing a cloud computing services contract on or after January 1, 2022; and

(2) require a vendor contracting with the state agency to provide cloud computing services for the state agency that are subject to the state risk and authorization management program to maintain TX-RAMP compliance and certification throughout the term of the contract.

[(f) Acceptance of Other RAMP Certifications:]

[(1) FedRAMP and StateRAMP certifications shall be accepted in satisfaction of the above baselines once demonstrated by the vendor.]

[(2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the above baselines once certification is demonstrated by the vendor in alignment with program manual standards.]

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 22, 2023.

TRD-202303095

Joshua Godbey

General Counsel

Department of Information Resources

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 475-4552


SUBCHAPTER C. INFORMATION SECURITY STANDARDS FOR INSTITUTIONS OF HIGHER EDUCATION

1 TAC §202.73, §202.77

The amendments are proposed pursuant to Texas Government Code §2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054; Texas Government Code §2054.0593(c), which requires the department to adopt rules necessary to implement and administer the Texas Risk and Authorization Management Program; Senate Bill 271 [88th Legislative Session (Regular)], which orders local government compliance with all department rules relating to security incident reporting; and Texas Government Code §2054.515(c), which requires the department to establish the requirements for the information security assessment and report in its administrative rules.

No other code, article, or statute is affected by this proposal.

§202.73.Security Reporting.

(a) [Institution Reporting.] Each Information Security Officer shall directly report to the agency head, at least annually, on the adequacy and effectiveness of information security policies, procedures, practices, compliance with the requirements of this chapter, and:

(1) effectiveness of current information security program and status of key initiatives;

(2) residual risks identified by the institution of higher education risk management process; and

(3) institution of higher education information security requirements and requests.

(b) Each institution of higher education shall submit to the department a Biennial Information Security Plan in accordance with Texas Government Code §2054.133.

[(b) Report to the Department.]

[(1) Urgent Incident Report.]

[(A) Each state institution of higher education shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Confirmed or suspected incidents shall be reported to immediate supervisors and the institution of higher education Information Security Officer. Confirmed or suspected security incidents shall be reported to the department within 48 hours of discovery in the form and manner specified by the department where the security incident is assessed to:]

[(i) propagate to other state systems;]

[(ii) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;]

[(iii) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code §521.002(a)(2) and other applicable laws that may require public notification; or]

[(iv) be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.]

[(B) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Texas Penal Code Chapters 33 or 33A), the institution of higher education shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.]

[(C) Depending on the nature of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams shall continue to report information to the department as it is collected. The department shall instruct state institutions of higher education as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education. Institutions of higher education shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.]

[(2) Monthly Incident Report. Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine (9) calendar days after the end of the month. Institutions of higher education shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education.]

[(3) Biennial Information Security Plan. Each state institution of higher education shall submit to the department a biennial Information Security plan, in accordance with Texas Government Code §2054.133.]

(c) At least every two years, each institution of higher education shall complete and submit an information security assessment in compliance with the requirements of Texas Government Code §2054.515 and this subsection.

(1) The institution of higher education's Biennial Information Security Plan may be considered to satisfy the information security assessment requirements of Texas Government Code §2054.515(a)(1) if the institution's Biennial Information Security Plan assesses:

(A) The security of the institution's information resources systems, network systems, and digital data storage systems;

(B) The measures in place to establish digital data security; and

(C) The vulnerabilities of the institution's information resources, including an evaluation determining how well the organization's security policies protect its data and information systems.

(2) To comply with Texas Government Code §2054.515(a)(2), an institution of higher education must complete a data maturity assessment in alignment with the requirements established at 1 Texas Administrative Code §218.10.

(3) Upon completion of its information security assessment, an institution of higher education shall report the results of its assessment to the department in the form and manner identified by the department. An institution of higher education must comply with a request for the results of its assessment received from the Office of the Governor, Lieutenant Governor, or speaker of the House of Representatives.

(d) Each state institution of higher education shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Confirmed or suspected incidents shall be reported to immediate supervisors and the institution of higher education Information Security Officer.

(1) An institution of higher education shall report security incidents to the department within 48 hours of discovery in the form and manner specified by the department where the security incident is assessed to:

(A) propagate to other state systems;

(B) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;

(C) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code §521.002(a)(2) and other applicable laws that may require public notification; or

(D) be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.

(2) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Texas Penal Code Chapters 33 or 33A), the institution of higher education shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.

(3) Depending on the nature of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams shall continue to report information to the department as it is collected. The department shall instruct state institutions of higher education as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education. Institutions of higher education shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.

(4) Ten days after the date of the eradication, closure, and recovery from a security incident, an institution of higher education shall notify the department and the chief information security officer in the form and manner prescribed by the department of the security incident details and an analysis of the security incident cause.

§202.77.Texas Risk and Authorization Management Program for Institutions of Higher Education.

[(a) Mandatory Standards. Mandatory standards for Texas cloud computing services identified by subsection (b)(1) of this section shall be defined by the department in the program manual published on the department's website. Revisions to such document will be executed in compliance with subsection (d) of this section.]

[(b) Cloud Computing Standards Subject to the Texas Risk and Authorization Management Program. The standards required by subsection (a) of this section shall include the below stated baseline standards for:]

[(1) TX-RAMP Public Controls Baseline (TX-RAMP Level 1) - This baseline is required for cloud computing services that:]

[(A) store, process, or transmit nonconfidential data of an institution of higher education; or]

[(B) host low impact information resources.]

[(2) TX-RAMP Confidential Controls Baseline (TX-RAMP Level 2) - This baseline is required for cloud computing services that:]

[(A) store, process, or transmit confidential data of an institution of higher education; and]

[(B) host moderate impact information resources or high impact information resources.]

[(c) Responsibilities of Cloud Computing Service Vendors.]

[(1) To be certified under the TX-RAMP program, a cloud computing service vendor shall:]

[(A) Provide evidence of compliance for information they are storing, processing, or transmitting as detailed by the program manual; and]

[(B) Demonstrate continuous compliance in accordance with the program manual.]

[(2) Primary contracting vendors, including resellers, who provide or sell cloud computing services to institutions of higher education shall present evidence of certification of the cloud computing service being sold in accordance with the program manual. Such certification is required for all cloud computing services being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.]

[(3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.]

[(d) Responsibilities of the Department in Developing Updates to the Program Manual. Prior to publishing new or revised program standards as required by subsections (a) - (d) of this section, the department shall:]

[(1) solicit comment through the department's electronic communications channels for proposed standards from the Information Resources Managers, ITCHE, and Information Security Officers of agencies and institutions of higher education at least 30 days prior to publication of proposed program manual; and]

[(2) after reviewing comments provided during the comment period described by paragraph (1) of this subsection, present the proposed program manual to the department's Board and obtain approval from the Board for publication.]

[(e) Responsibilities of an Institution of Higher Education Contracting for Cloud Computing Services.] An institution of higher education contracting for cloud computing services that store, process, or transmit data of the institution of higher education shall:

(1) confirm that vendors contracting with the institution of higher education to provide cloud computing services for the institution of higher education are certified through TX-RAMP prior to entering or renewing a cloud computing services contract on or after January 1, 2022; and

(2) require a vendor contracting with the institution of higher education to provide cloud computing services for the institution of higher education that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.

[(f) Acceptance of Other RAMP Certifications.]

[(1) FedRAMP and StateRAMP certifications shall be accepted in satisfaction of the above baselines once demonstrated by the vendor.]

[(2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the above baselines once certification is demonstrated by the vendor in alignment with program manual requirements.]

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 22, 2023.

TRD-202303096

Joshua Godbey

General Counsel

Department of Information Resources

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 475-4552


CHAPTER 218. DATA GOVERNANCE AND MANAGEMENT

The Texas Department of Information Resources (department) proposes the creation of 1 Texas Administrative Code (TAC) Chapter 218, Subchapter A, §§218.1 - 218.3, Subchapter B, §218.10, and Subchapter C, §218.20. This proposed chapter addresses the requirements for a state agency as defined by Texas Government Code Chapter 2054 to conduct an information security assessment of the agency's data governance program.

Within Subchapter A, the department proposes the creation of §§218.1 - 218.3. Section 218.1 introduces any specialized definitions required by the rule, which includes the terms "data governance program," "data management officer," and "data maturity assessment." Section 218.2 defines the term state agency. Section 218.3 defines the term institution of higher education.

The department proposes the creation of subchapter B, §218.20, for state agencies, and subchapter C, §218.30, for institutions of higher education. These sections establish the minimum requirements that an entity's information security assessment of its data governance program, as required by Texas Government Code § 2054.515(a)(2), must meet to be considered compliant with the statutory requirement. In §218.30, the department also proposes the clarification that the data maturity assessment is considered a statutory component of the information security assessment, which is an information security standard, and, as such, public junior colleges must comply with this requirement subject to Texas Government Code § 2054.0075.

There is no economic impact on rural communities or small businesses as a result of enforcing or administering the new rules as proposed.

The new rules in this chapter apply only to state agencies and institutions of higher education.

The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with Texas Government Code § 2054.121(c). DIR submitted the proposal to the Information Technology Council for Higher Education for its review. DIR determined that there was no direct impact on institutions of higher education as a result of the proposed rules.

Neil Cooke, the Chief Data Officer, has determined that there will be no fiscal impact upon state agencies, institutions of higher education, and local governments during the first five year period following the adoption of the proposed new rules. State agencies are required by Texas Government Code § 2054.515(a) to complete a biennial information security assessment of, among other elements, their data governance programs; the proposed rules simply establish the minimum necessary components of this data maturity assessment. This allows for a rigorous data maturity assessment while still permitting each entity to customize and scale the assessment to its own data governance program. As such, the proposed chapter does not result in a fiscal impact to state agencies, institutions of higher education, or local governments. Mr. Cooke has further determined that for each year of the first five years following the adoption of the new 1 TAC Chapter 218, there are no anticipated additional economic costs to persons or small businesses required to comply with the proposed new rules.

Pursuant to Texas Government Code § 2001.0221, the agency provides the following Governmental Growth Impact Statement for the proposed new rules. The agency has determined the following:

The proposed rules neither create nor eliminate a government program. Texas Government Code § 2054.515(a)(2) requires state agencies to complete the information security assessment and report, including the data maturity assessment. The proposed rules merely administer the minimum requirements for this assessment.

Implementation of the proposed rules does not require the creation or elimination of employee positions. There are no additional employees required nor employees eliminated to implement the rule as proposed.

Implementation of the proposed rules does not require an increase or decrease in future legislative appropriations to the agency. There is no fiscal impact as implementing the rule does not require an increase or decrease in future legislative appropriations.

The proposed rules do not require an increase or decrease in fees paid to the agency.

The proposed rules create a new rule chapter that clarifies the minimum requirements for the state agency data maturity assessment mandated by Texas Government Code § 2054.515(a)(2). The department previously addressed items relating to the data maturity assessment in 1 Texas Administrative Code Chapter 202; the department proposes this new chapter in alignment with the rulemaking authority granted by Texas Government Code § 2054.515 to streamline the information security assessment process and alleviate confusion regarding data maturity assessment requirements.

The proposed rules do not repeal an existing regulation.

The proposed rules do not increase or decrease the number of individuals subject to the rule's applicability. Texas Government Code § 2054.515 requires state agencies to complete the information security assessment, which includes the data maturity assessment; Texas Government Code Chapter 2054 establishes the parameters of the term "state agency," which identifies the entities that are subject to this chapter's requirements. Public junior colleges are not excepted from information security standards established by the department. Tex. Gov't Code § 2054.0075. These information security standards are established, among other places, in 1 TAC Chapter 202. To the extent that the data security maturity assessment is a statutory component of the information security assessment and the information security assessment requirements reside in 1 TAC Chapter 202, public junior colleges are subject to this requirement.

The proposed rules do not positively or adversely affect the state's economy. The creation of rules establishing minimum requirements for an entity's data maturity assessment ensures that state agencies are scrutinizing their data governance program to ensure rigorous security standards and alignment with best practices.

Written comments on the proposed rules may be submitted to Christi Koenig Brisky, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to rules.review@dir.texas.gov. Comments will be accepted for 30 days after publication in the Texas Register.

SUBCHAPTER A. DEFINITIONS

1 TAC §§218.1 - 218.3

The new rules are proposed pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this proposal.

§218.1.Definitions.

(a) Data Governance Program - the program established pursuant to the requirements of Texas Government Code § 2054.137(b)(2).

(b) Data Management Officer - the full-time employee designated by the state agency or institution of higher education to fulfill the statutory duties required by Texas Government Code § 2054.137(b). A state agency or institution of higher education is only required to designate such an employee to the extent that it meets the statutory requirement to do so.

(c) Data Maturity Assessment - the assessment of an agency's data governance program required by Texas Government Code § 2054.137(b)(2) that is conducted by the designated data management officer.

§218.2.State Agency.

A department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government, other than an institution of higher education, that is created by the constitution or a statute of this state.

§218.3.Institution of Higher Education.

A university system or institution of higher education as defined by Texas Education Code § 61.003.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 22, 2023.

TRD-202303100

Joshua Godbey

General Counsel

Department of Information Resources

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 475-4552


SUBCHAPTER B. DATA GOVERNANCE AND MANAGEMENT FOR STATE AGENCIES

1 TAC §218.10

The new rule is proposed pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this proposal.

§218.10.Data Maturity Assessment.

(a) A state agency shall conduct a data maturity assessment by November 15 of each even-numbered year, December 1 of the year in which the agency completes the assessment, or the 60th day after the agency completes the assessment, whichever comes first.

(b) The data maturity assessment shall include at least the below elements:

(1) Data Architecture;

(2) Data Analytics;

(3) Data Governance and Standardization;

(4) Data Management and Methodology;

(5) Data Program Management and Change Control;

(6) Data Quality;

(7) Data Security and Privacy;

(8) Data Strategy and Roadmap;

(9) Master Data Management; and

(10) Metadata Management.

(c) State agencies may complete their data maturity assessment through a method identified by the department or by using their own tool that includes the elements required by subsection (b) of this section.

(d) The data maturity assessment completed pursuant to this subsection addresses the requirement to review an agency's data governance program found in Texas Government Code § 2054.515(a)(2).

(e) To comply with Texas Government Code § 2054.515(a), a state agency must complete a data maturity assessment that is compliant with this section in addition to addressing all information security assessment requirements enumerated in 1 Texas Administrative Code Chapter 202.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 22, 2023.

TRD-202303101

Joshua Godbey

General Counsel

Department of Information Resources

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 475-4552


SUBCHAPTER C. DATA GOVERNANCE AND MANAGEMENT FOR INSTITUTIONS OF HIGHER EDUCATION

1 TAC §218.20

The amendments are proposed pursuant to Texas Government Code § 2054.052(a), which authorizes the department to adopt rules as necessary to implement its responsibilities under Texas Government Code Chapter 2054, and Texas Government Code § 2054.515(a)(2), which admonishes the department to establish the data maturity assessment requirements by rule.

No other code, article, or statute is affected by this proposal.

§218.20.Data Maturity Assessment.

(a) An institution of higher education shall conduct a data maturity assessment by November 15 of each even-numbered year, December 1 of the year in which the institution of higher education completes the assessment, or the 60th day after the institution of higher education completes the assessment, whichever comes first.

(b) An institution of higher education's data maturity assessment shall include at least the below elements:

(1) Data Architecture;

(2) Data Analytics;

(3) Data Governance and Standardization;

(4) Data Management and Methodology;

(5) Data Program Management and Change Control;

(6) Data Quality;

(7) Data Security and Privacy;

(8) Data Strategy and Roadmap;

(9) Master Data Management; and

(10) Metadata Management.

(c) Institutions of higher education may complete their data maturity assessment through a method identified by the department or by using their own tool that includes the elements required by subsection (b) of this section.

(d) The data maturity assessment completed pursuant to this subsection addresses the requirement to review an institution of higher education's data governance program found at Texas Government Code § 2054.515(a)(2).

(e) To comply with Texas Government Code § 2054.515(a), an institution of higher education must complete a data maturity assessment that is compliant with this section in addition to addressing all information security assessment requirements enumerated in 1 Texas Administrative Code Chapter 202.

(f) To the extent that the data maturity assessment is an element of the information security assessment required by Texas Government Code § 2054.515 and codified at 1 Texas Administrative Code Chapter 202, it is an information security standard to which a public junior college is subject pursuant to Texas Government Code § 2054.0075.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 22, 2023.

TRD-202303102

Joshua Godbey

General Counsel

Department of Information Resources

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 475-4552


PART 15. TEXAS HEALTH AND HUMAN SERVICES COMMISSION

CHAPTER 353. MEDICAID MANAGED CARE

SUBCHAPTER E. STANDARDS FOR MEDICAID MANAGED CARE

1 TAC §353.425, §353.427

The Executive Commissioner of the Texas Health and Human Services Commission (HHSC) proposes new §353.425, concerning MCO Processing of Prior Authorization Requests Received with Incomplete or Insufficient Documentation; and §353.427, concerning Accessibility of Information Regarding Medicaid Prior Authorization Requirements in Title 1, Part 15, Chapter 353, Subchapter E, Standards for Medicaid Managed Care.

BACKGROUND AND PURPOSE

The purpose of the proposal is to comply with Texas Government Code §533.00282, §533.00284, §533.002841, and §531.024163 added by Senate Bill 1207, 86th Legislature, Regular Session, 2019. These sections of the Government Code require HHSC to establish a uniform process and timeline for a prior authorization (PA) request submitted with incomplete or insufficient information or documentation and require Medicaid managed care organizations (MCOs) to improve website accessibility of information related to PA requirements.

SECTION-BY-SECTION SUMMARY

Proposed new §353.425 describes a uniform timeline and process for an MCO to use when reviewing a PA request submitted with incomplete or insufficient documentation for a member who is not hospitalized at the time of the request. The proposed rule defines "incomplete prior authorization request" and describes a standard process for MCOs to allow a provider to submit missing information and documentation necessary to establish medical necessity as listed in the PA requirements on the MCO's website. The proposed rule sets forth requirements for MCOs to communicate with providers and Medicaid members regarding incomplete or insufficient information or documentation, offers an opportunity for a peer-to-peer physician consultation, and creates a standard timeline for making a final determination on a PA request.

Proposed new §353.427 requires an MCO to maintain on its website in an easily searchable and accessible format the items listed in the proposed rule. Specifically, the items listed in the rule are applicable timelines for prior authorization requirements, an accurate and up-to-date catalogue of coverage criteria and prior authorization requirements, and the process and contact information for a provider or member to contact the MCO for the reasons described in the proposed rule. The proposed rule also defines what "accessible" means when used in the section.

FISCAL NOTE

Trey Wood, HHSC Chief Financial Officer, has determined that for each year of the first five years that the rules will be in effect, enforcing or administering the rules does not have foreseeable implications relating to costs or revenues of state or local governments.

GOVERNMENT GROWTH IMPACT STATEMENT

HHSC has determined that during the first five years that the rules will be in effect:

(1) the proposed rules will not create or eliminate a government program;

(2) implementation of the proposed rules will not affect the number of HHSC employee positions;

(3) implementation of the proposed rules will result in no assumed change in future legislative appropriations;

(4) the proposed rules will not affect fees paid to HHSC;

(5) the proposed rules will create new rules;

(6) the proposed rules will not expand, limit, or repeal an existing rule;

(7) the proposed rules will not change the number of individuals subject to the rule; and

(8) the proposed rules will not affect the state's economy.

SMALL BUSINESS, MICRO-BUSINESS, AND RURAL COMMUNITY IMPACT ANALYSIS

Trey Wood has also determined that there will be no adverse economic effect on small businesses, micro-businesses, or rural communities because the rules apply to MCOs, and there are no MCOs that are small businesses, micro-businesses, or rural communities.

LOCAL EMPLOYMENT IMPACT

The proposed rules will not affect a local economy.

COSTS TO REGULATED PERSONS

Texas Government Code §2001.0045 does not apply to these rules because the rules are necessary to implement legislation that does not specifically state that §2001.0045 applies to the rules and the rules are necessary to protect the health, safety, and welfare of the residents of Texas.

PUBLIC BENEFIT AND COSTS

Emily Zalkovsky, State Medicaid Director, has determined that for each year of the first five years the rules are in effect, the public benefit will be increased transparency, appropriate utilization, and improved health care outcomes for Medicaid members by reducing unnecessary denials and delays in processing of PA requests under the Medicaid managed care program.

Trey Wood has also determined that for the first five years the rules are in effect, there are no anticipated economic costs to MCOs that are required to comply with the proposed rules because the MCOs have incorporated the proposed process into their PA processes and have made that information easily searchable and accessible on their websites.

TAKINGS IMPACT ASSESSMENT

HHSC has determined that the proposal does not restrict or limit an owner's right to his or her property that would otherwise exist in the absence of government action and, therefore, does not constitute a taking under Texas Government Code §2007.043.

PUBLIC COMMENT

Written comments on the proposal may be submitted to Rules Coordination Office, P.O. Box 13247, Mail Code 4102, Austin, Texas 78711-3247, or street address 701 W. 51st Street, Austin, Texas 78751, or emailed to HHSRulesCoordinationOffice@hhs.texas.gov.

To be considered, comments must be submitted no later than 31 days after the date of this issue of the Texas Register. Comments must be (1) postmarked or shipped before the last day of the comment period; (2) hand-delivered before 5:00 p.m. on the last working day of the comment period; or (3) emailed before midnight on the last day of the comment period. If the last day to submit comments falls on a holiday, comments must be postmarked, shipped, or emailed before midnight on the following business day to be accepted. When emailing comments, please indicate "Comments on Proposed Rule 20R083" in the subject line.

STATUTORY AUTHORITY

The new sections are authorized by Texas Government Code §531.0055, which provides that the Executive Commissioner of HHSC shall adopt rules for the operation and provision of services by the health and human services agencies, and Texas Human Resources Code §32.021(a) and Texas Government Code §531.021(a), which provide HHSC with the authority to administer the federal medical assistance (Medicaid) program in Texas. The new sections are also authorized by Texas Government Code §533.00282, §533.00284, §533.002841 and §531.024163.

The new sections affect Texas Government Code Chapters 531 and 533 and Texas Human Resources Code Chapter 32.

§353.425.MCO Processing of Prior Authorization Requests Received with Incomplete or Insufficient Documentation.

(a) The rules in this section apply when a prior authorization (PA) request is submitted with incomplete or insufficient information or documentation on behalf of a member who is not hospitalized at the time of the request.

(b) In this section, "incomplete PA request" means a request for service that is missing information or documentation necessary to establish medical necessity as listed in the PA requirements on the managed care organization's (MCO's) website.

(c) An MCO must comply with Title 42 Code of Federal Regulations §438.210, Texas Insurance Code Chapter 4201, applicable provisions of Texas Government Code Chapter 533, and the PA process and timeline requirements included in an MCO's contract with the Texas Health and Human Services Commission (HHSC).

(d) If an MCO or an entity reviewing a request on behalf of an MCO receives a PA request with incomplete or insufficient information or documentation, the MCO or reviewing entity must comply with the following HHSC requirements.

(1) An MCO reviewing the request must notify the requesting provider and the member, in writing, of the missing information no later than three business days after the MCO receives an incomplete PA request.

(2) If an MCO does not receive the information requested within three business days after the MCO notifies the requesting provider and the PA request will result in an adverse benefit determination, the MCO must refer the PA request to the MCO medical director for review.

(3) The MCO must offer to the requesting physician an opportunity for a peer-to-peer consultation with a physician no less than one business day before the MCO issues an adverse benefit determination.

(4) The MCO must make a final determination as expeditiously as the member's condition requires but no later than three days after the date the missing information is provided to an MCO.

(e) The HHSC requirements for MCO reconsideration of an incomplete PA request do not affect any related timeline for:

(1) an MCO's internal appeal process;

(2) a Medicaid state fair hearing;

(3) a review conducted by an external medical reviewer; or

(4) any rights of a member to appeal a determination on a PA request.

§353.427.Accessibility of Information Regarding Medicaid Prior Authorization Requirements.

(a) In this section, "accessible" means publicly available and capable of being found and read without impediment. Usernames and passwords cannot be required to view the information.

(b) A managed care organization (MCO) must maintain on its public-facing website the MCO's criteria and policy for prior authorizations and website links to any prior authorization request forms the provider uses.

(c) The MCO must maintain the following items on its website in an easily searchable and accessible format.

(1) Applicable timelines for prior authorization requirements, including:

(A) the timeframe in which the MCO must make a determination on a prior authorization request;

(B) a description of the notice the MCO provides to a provider or member regarding the documentation required to complete a prior authorization determination; and

(C) the deadline by which the MCO must submit the notice described in subparagraph (B) of this paragraph.

(2) An accurate and up-to-date catalogue of coverage criteria and prior authorization requirements, including:

(A) the effective date of a prior authorization requirement, if the requirement is first imposed on or after September 1, 2019;

(B) a list or description of any supporting or supplemental documentation necessary to obtain prior authorization for a specified service; and

(C) the date and results of each annual review of the MCO's prior authorization requirements as required by Texas Government Code §533.00283(a).

(3) The process and contact information for a provider or member to contact the MCO to:

(A) clarify prior authorization requirements; and

(B) obtain assistance in submitting a prior authorization request.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 21, 2023.

TRD-202303081

Karen Ray

Chief Counsel

Texas Health and Human Services Commission

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 438-4395


CHAPTER 354. MEDICAID HEALTH SERVICES

SUBCHAPTER O. ELECTRONIC VISIT VERIFICATION

The Executive Commissioner of the Texas Health and Human Services Commission (HHSC) proposes amendments to §354.4001, concerning Purpose and Authority; and §354.4003, concerning Definitions; the repeal of §354.4005, concerning Applicability; §354.4007, concerning EVV System; §354.4009, concerning Requirements for Claims Submission and Approval; §354.4011, concerning Member Rights and Responsibilities; and §354.4013, concerning Additional Requirements; and new §354.4005, concerning Personal Care Services that Require the Use of EVV; §354.4006, concerning Home Health Care Services that Require the Use of EVV; §354.4007, concerning EVV System; §354.4009, concerning EVV Visit Transaction and EVV Claim; §354.4011, concerning Visit Maintenance; §354.4013, concerning HHSC and MCO Compliance Reviews and Enforcement Actions; §354.4015, concerning EVV Training Requirements; §354.4017, concerning Process to Request Approval of a Proposed EVV Proprietary System and Additional Requirements for a PSO; §354.4019, concerning Access to EVV System and EVV Documentation; §354.4021, concerning Additional Requirements; §354.4023, concerning Sanctions; and §354.4025, concerning Administrative Hearing.

BACKGROUND AND PURPOSE

In accordance with Section 1903(l) of the Social Security Act (42 U.S.C. §1396b(l)), HHSC requires that electronic visit verification (EVV) be used to document the provision of certain personal care services provided through Medicaid. One purpose of the proposed rules is to ensure that HHSC complies with the requirement in Section 1903(l) that EVV be used to document the provision of Medicaid home health care services. Although Section 1903(l) requires the use of EVV for Medicaid home health services to have begun January 1, 2023, the Centers for Medicare & Medicaid Services granted HHSC an extension allowing HHSC to implement this requirement by January 1, 2024.

Another purpose of the proposed rules is to codify in rules current policies and procedures related to EVV including training requirements, visit maintenance requirements, compliance reviews, and the process for HHSC to recognize a health care provider's proprietary EVV system as described in Texas Government Code §531.024172(g).

The proposed rules repeal several rules and replace them with new rules.

SECTION-BY-SECTION SUMMARY

The proposed amendment to §354.4001, Purpose and Authority, makes minor editorial changes to terminology, deletes language for brevity and clarity, and corrects a statutory reference.

The proposed amendment to §354.4003, Definitions, reformats some of the defined terms and makes edits to some of the definitions for clarity. In addition, the proposed amendment adds definitions for the following new terms: EVV claim; EVV portal; EVV portal user; EVV system user; home health aide; ICF/IID--intermediate care facility for individuals with an intellectual disability or related conditions; IMD--institution for mental diseases; LVN--licensed vocational nurse; nursing facility; occupational therapist; PCS--personal care services; PDN--private duty nursing; physical therapist; PSO--proprietary system operator; RN--registered nurse; vendor hold; and visit maintenance.

Proposed new §354.4005, Personal Care Services that Require the Use of EVV, requires a program provider to ensure that a service provider uses EVV to document the provision of certain specified personal care services by the program provider. The new section also requires a consumer directed services (CDS) employer to ensure that a service provider uses EVV to document the provision of certain specified personal care services through the CDS option. One of the specified services in this section is in-home individualized skills and socialization, which replaces day habilitation provided in a member's residence.

The proposed repeal of §354.4005, Applicability, deletes the rule because it is no longer necessary, and replaces it with proposed new §354.4005, Personal Care Services that Require the Use of EVV.

Proposed new §354.4006, Home Health Care Services that Require the Use of EVV, requires a program provider to ensure that a service provider uses EVV to document the provision of certain specified home health care services by the program provider on or after January 1, 2024. The new section also requires a CDS employer to ensure that a service provider uses EVV to document the provision of certain specified home health care services using the CDS option on or after January 1, 2024.

Proposed new §354.4007, EVV System, provides that a program provider or a financial management services agency (FMSA) must use either an EVV vendor system or EVV proprietary system to document the provision of a service and requires a CDS employer to use the EVV system selected by their FMSA. The proposed new rule requires that, except as provided in subsection (d), a program provider, an FMSA, and a CDS employer ensure that a service provider uses an EVV system to electronically document the provision of a service described in proposed new §354.4005 or §354.4006. The proposed new rule describes the action a program provider, FMSA or a CDS employer must take if a service provider fails to use an EVV system to document the provision of a service described in proposed new §354.4005 or §354.4006 or if a service provider cannot use an EVV system because the EVV system is unavailable. The proposed new rule provides that HHSC may take certain actions if a program provider or an FMSA does not comply with subsections (a), (c), or (d) of this section. The proposed new rule also provides that HHSC or managed care organization (MCO) may take certain actions if a CDS employer does not comply with subsections (b), (c), or (d) of this section.

The proposed repeal of §354.4007, EVV System, deletes the rule because it is no longer necessary, and replaces it with proposed new §354.4007, EVV System.

Proposed new §354.4009, EVV Visit Transaction and EVV Claim, requires a program provider and an FMSA to ensure that an EVV visit transaction contains certain specified data elements required by the EVV system and that the data elements are accurate. The proposed new rule also includes a similar requirement for a CDS employer who elects to complete visit maintenance on the HHSC Employer's Selection for Electronic Visit Verification Responsibilities form. The proposed new rule requires a program provider and an FMSA to make certain assurances before submitting an EVV claim including that the EVV visit transaction is transmitted to and accepted by the EVV Portal, and to submit the EVV claim in accordance with HHSC or MCO billing requirements and the EVV Policy Handbook. Further, the proposed new rule provides that HHSC or an MCO denies an EVV claim or recoups a payment made to a program provider or an FMSA if the EVV claim does not meet requirements described in the EVV Policy Handbook.

The proposed repeal of §354.4009, Requirements for Claims Submission and Approval, deletes the rule because it is no longer necessary, and replaces it with proposed new §354.4009, EVV Visit Transaction and EVV Claim.

Proposed new §354.4011, Visit Maintenance, requires a program provider and an FMSA to complete visit maintenance in accordance with the EVV Policy Handbook. The proposed new rule also includes a similar requirement for a CDS employer who elects to complete visit maintenance on the HHSC Employer's Selection for Electronic Visit Verification Responsibilities form. In addition, the proposed new rule allows the program provider, FMSA, and CDS employer to complete visit maintenance after the visit maintenance time frame has expired only if the program provider, FMSA, or CDS employer submits a Visit Maintenance Unlock Request in accordance with the EVV Policy Handbook and HHSC or an MCO approves the Visit Maintenance Unlock Request.

The proposed repeal of §354.4011, Member Rights and Responsibilities, deletes the rule because it is no longer necessary, and replaces it with proposed new §354.4011, Visit Maintenance.

Proposed new §354.4013, HHSC and MCO Compliance Reviews and Enforcement Actions, describes the types of compliance reviews conducted by HHSC and an MCO of a program provider, FMSA, and CDS employer and the circumstances under which certain action may be taken based on a review, including recoupment of payment, imposition of a vendor hold, or termination of a member's participation in the CDS option.

The proposed repeal of §354.4013, Additional Requirements, deletes the rule because it is no longer necessary, and replaces it with proposed new §354.4013, HHSC and MCO Compliance Reviews and Enforcement Actions.

Proposed new §354.4015, EVV Training Requirements, describes the requirements for a program provider, an FMSA, and a proprietary system operator (PSO) regarding EVV System Training, EVV Policy Training, and EVV Portal Training; the requirements for a CDS employer regarding EVV System Training and EVV Policy Training; and the requirements for a program provider and CDS employer on training a service provider on the clock in and clock out portion of the EVV System Training. In addition, the proposed new rule describes the documentation requirements to demonstrate compliance with the training requirements and the actions that may be taken by HHSC, an MCO, or an FMSA if a program provider, FMSA, PSO, or CDS employer does not comply with the training requirements.

Proposed new §354.4017, Process to Request Approval of a Proposed EVV Proprietary System and Additional Requirements for a PSO, describes the process by which a program provider or FMSA seeks HHSC's approval of a proposed proprietary system and the basis on which HHSC approves a proposed proprietary system. In addition, the proposed new rule describes the requirements of a PSO, allows HHSC to conduct an audit of a proprietary system, and describes the actions HHSC may take if a PSO is not in compliance with the requirements in the proposed rule.

Proposed new §354.4019, Access to EVV System and EVV Documentation, requires a program provider and an FMSA to allow HHSC and the MCO with which the program provider or FMSA has a contract access to the EVV system the program provider or FMSA uses and to allow HHSC and the MCO to review EVV system documentation or obtain a copy of that documentation at no charge to HHSC or the MCO.

Proposed new §354.4021, Additional Requirements, requires a program provider, FMSA, CDS employer, service provider, member, and MCO to comply with applicable state and federal laws, rules, regulations, and the EVV Policy Handbook.

Proposed new §354.4023, Sanctions, provides that HHSC or an MCO may propose to recoup funds, impose a vendor hold, or propose to terminate the contract of a program provider or FMSA as described in proposed §354.4007, §354.4009, and §354.4013.

Proposed new §354.4025, Administrative Hearing, provides that a program provider or FMSA may request an administrative hearing in accordance with 26 TAC §357.484, Request for a Hearing, to appeal a proposed contract termination or recoupment or imposition of a vendor hold by HHSC and may appeal a proposed contract termination or recoupment or imposition of a vendor hold by an MCO in accordance with the MCO's policy.

FISCAL NOTE

Trey Wood, HHSC Chief Financial Officer, has determined that for each year of the first five years that the rules will be in effect, there will be an estimated additional cost to state government as a result of enforcing and administering the rules as proposed. Enforcing or administering the rules does not have foreseeable implications relating to costs or revenues of local government.

The effect on state government for each year of the first five years the proposed rule(s) are in effect is an estimated cost of $475,938 in Federal Funds (FF) ($544,438 All Funds (AF)) in fiscal year (FY) 2022, $836,286 in FF ($951,598 AF) in FY 2023, $1,136,250 in FF ($1,515,000 AF) in FY 2024, $1,136,250 in FF ($1,515,000 AF) in FY 2025, and $1,136,250 in FF ($1,515,000 AF) in FY 2026.

GOVERNMENT GROWTH IMPACT STATEMENT

HHSC has determined that during the first five years that the rule(s) will be in effect:

(1) the proposed rules will not create or eliminate a government program;

(2) implementation of the proposed rules will not affect the number of HHSC employee positions;

(3) implementation of the proposed rules will result in no assumed change in future legislative appropriations;

(4) the proposed rules will not affect fees paid to HHSC;

(5) the proposed rules will create a new rule;

(6) the proposed rules will expand and repeal existing rules;

(7) the proposed rules will increase the number of individuals subject to the rules; and

(8) the proposed rules will not affect the state's economy.

SMALL BUSINESS, MICRO-BUSINESS, AND RURAL COMMUNITY IMPACT ANALYSIS

Trey Wood has also determined that there will be an adverse economic effect on small businesses, micro-businesses, or rural communities.

HHSC is unable to estimate the number of small businesses and micro-businesses subject to the proposed rules; no rural communities are EVV providers. The entities subject to the proposed rules are program providers; CDS employers; FMSAs; service providers; Medicaid recipients; and MCOs. The projected economic impact for a small or micro business is the cost to comply with the proposed rules.

The proposed rules implement the requirements of federal statute, and failure to comply will result in reduced federal Medicaid funding; therefore, no alternative methods were considered.

LOCAL EMPLOYMENT IMPACT

The proposed rules will not affect a local economy.

COSTS TO REGULATED PERSONS

Texas Government Code §2001.0045 does not apply to these rules because the rules are necessary to receive a source of federal funds or comply with federal law.

PUBLIC BENEFIT AND COSTS

Emily Zalkovsky, State Medicaid Director, has determined that for each year of the first five years the rules are in effect, the public benefit is that the provision of Medicaid home health care services will be documented by EVV in compliance with Section 1903(l) of the Social Security Act. Another public benefit is the clear identification of programs and services for which the use of EVV is required.

Trey Wood has also determined that for the first five years the rules are in effect, MCOs, program providers, FMSAs, and CDS employers who are required to comply with the proposed rules may incur economic costs. However, HHSC is unable to estimate the cost for individuals required to comply with the proposed rules.

An MCO may have additional costs: to ensure new MCO program providers subject to these proposed rules are in compliance with the EVV requirements; to provide notice to new members of the requirement for the member and service provider to use EVV; and to educate any new members about EVV.

A program provider not using EVV prior to the effective date of the proposed rules may have additional costs: to implement the use of the EVV system; to purchase and manage EVV equipment such as alternative devices; to purchase mobile devices for service providers; to use the mobile application on a mobile device; to train service providers on the use of the EVV system; to monitor and verify the service provider's service delivery using EVV; and to ensure all data elements required by HHSC are uploaded or entered completely and accurately into the EVV system before billing for the delivered services.

An FMSA not using EVV prior to the effective date of the proposed rules may have additional costs: to train CDS employers on using EVV; to train the CDS employers and service providers on their responsibilities for using EVV; to assist CDS employers with the purchase and management of EVV equipment such as alternative devices or mobile devices for service providers to use while employed; to provide on-going assistance and support to the CDS employer regarding EVV; to monitor and verify the service provider's service delivery using EVV; and to ensure all data elements required by HHSC are uploaded or entered completely and accurately into the EVV system before billing for the delivered services.

A CDS employer not using EVV prior to the effective date of the proposed rules may have additional costs: for travel costs to attend optional in-person training events; to purchase equipment to enable a service provider to clock in and out of the EVV system, such as a landline telephone or mobile device; and to purchase equipment to enable the CDS employer to access the EVV system, such as a mobile device, computer, tablet, mobile service, or internet service.

A CDS employer's costs may be reduced or offset depending on the CDS employer's individual situation. Examples include: attending online training instead of traveling to receive training; using the CDS employer's support services budget to purchase equipment, services or pay for travel costs; delegating EVV system responsibilities to the FMSA, thus minimizing the need to purchase equipment or services; and using existing or free equipment, such as the CDS employer's existing landline or mobile device, a mobile device obtained through federal assistance programs, or an alternative device provided by the EVV vendor.

TAKINGS IMPACT ASSESSMENT

HHSC has determined that the proposal does not restrict or limit an owner's right to his or her property that would otherwise exist in the absence of government action and, therefore, does not constitute a taking under Texas Government Code §2007.043.

PUBLIC COMMENT

Written comments on the proposal may be submitted to Sarah Hambrick, EVV Operations Policy Specialist, P.O. Box 13247, Mail Code W-465, Austin, Texas 78711-3247, street address 701 W 51st St, Austin, Texas, 78751-2312; or e-mailed to EVV@hhs.texas.gov.

To be considered, comments must be submitted no later than 31 days after the date of this issue of the Texas Register. Comments must be (1) postmarked or shipped before the last day of the comment period; (2) hand-delivered before 5:00 p.m. on the last working day of the comment period; or (3) emailed before midnight on the last day of the comment period. If the last day to submit comments falls on a holiday, comments must be postmarked, shipped, or emailed before midnight on the following business day to be accepted. When emailing comments, please indicate "Comments on Proposed Rule 21R152" in the subject line.

1 TAC §§354.4001, 354.4003, 354.4005 - 354.4007, 354.4009, 354.4011, 354.4013, 354.4015, 354.4017, 354.4019, 354.4021, 354.4023, 354.4025

STATUTORY AUTHORITY

The amendments and new sections are authorized by Texas Government Code, §531.0055, which provides that the Executive Commissioner of HHSC shall adopt rules for the operation and provision of services by the health and human services agencies; Human Resources Code, §32.021, which provides that HHSC shall adopt necessary rules for the proper and efficient operation of the Medicaid program; and Texas Government Code, §531.024172, which provides that the Executive Commissioner of HHSC may adopt rules to implement an electronic visit verification system to electronically verify that personal care services or other services identified by HHSC are provided to Medicaid recipients.

The amendments and new sections affect Texas Government Code, §531.0055 and §531.024172 and Human Resources Code, §32.021.

§354.4001.Purpose and Authority.

[(a)] The purpose of this subchapter is to describe [implement] requirements related to [for the Texas] electronic visit verification authorized by: [(EVV) system to electronically verify that services identified in this subchapter, or any other services identified by HHSC, are provided to a member in accordance with a prior authorization or plan of care as applicable to the appropriate program.]

(1) Title XIX, Section 1903(l) of the Social Security Act (42 U.S.C. §1396b(l));

(2) Texas Government Code §531.024172; and

(3) Texas Human Resources Code §161.086.

[(b) The provisions of this subchapter are issued in accordance with the following federal and state laws:]

[(1) Title XIX, Section 1903(l) of the Social Security Act (42 U.S.C. §1396b);]

[(2) Texas Government Code §531.024172; and]

[(3) Texas Human Resource Code §161.086.]

§354.4003.Definitions.

The following words and terms, when used in this subchapter, have the following meanings, unless the context clearly indicates otherwise:

(1) CDS employer--Consumer directed services employer. A member or the member's legally authorized representative who participates in the CDS option and whose financial management services agency (FMSA) uses an electronic visit verification (EVV) vendor system or an EVV proprietary system. A CDS employer is responsible for hiring and retaining a service provider who delivers a service described in §354.4005 of this subchapter (relating to Personal Care Services that Require the Use of EVV) or §354.4006 of this subchapter (relating to Home Health Care Services that Require the Use of EVV).

(2) CDS option--Consumer directed services option. A service delivery option in which a CDS employer employs and retains a service provider and directs the delivery of a service described in §354.4005 or §354.4006 of this subchapter.

(3) CFC--Community First Choice. A Medicaid state plan option governed by Code of Federal Regulations, Title 42, Part 441, Subpart K, Home and Community-Based Attendant Services and Supports State Plan Option (Community First Choice). CFC services include the following.

(A) CFC HAB--CFC habilitation. A Medicaid state plan service that provides habilitation through CFC as described in §354.1361 of this chapter (relating to Definitions).

(B) CFC PAS--CFC personal assistance services. A Medicaid state plan service that provides personal assistance services through CFC as described in §354.1361 of this chapter.

(C) CFC PAS/HAB--CFC personal assistance services/habilitation. A Medicaid state plan service provided through CFC that provides both personal assistance services and habilitation.

(4) CLASS Program--Community Living Assistance and Support Services Program. A Medicaid waiver program approved by the Centers for Medicare & Medicaid Services under Title XIX, Section 1915(c) of the Social Security Act, as described in 26 TAC Chapter 259 (relating to Community Living Assistance and Support Services (CLASS) Program and Community First Choice (CFC) Services).

(5) [(1)] CMS--Centers for Medicare & Medicaid Services. [(CMS)--] The federal agency within the United States Department of Health and Human Services that administers the Medicare and Medicaid programs.

[(2) Claims administrator--The entity HHSC has designated to perform functions such as processing certain Medicaid program provider claims, managing the EVV aggregator, and performing EVV vendor management functions.]

(6) [(3)] Community Attendant Services Program--A Medicaid state plan program operating under Title XIX of the Social Security Act, as described in 40 TAC Chapter 47 (relating to Primary Home Care, Community Attendant Services, and Family Care Programs).

[(4) Community First Choice (CFC)--A Medicaid state plan option governed by Code of Federal Regulations, Title 42, Part 441, Subpart K, Home and Community-Based Attendant Services and Supports State Plan Option (Community First Choice). This includes STAR members who receive these services through the traditional Medicaid service model also referred to as fee-for-service. CFC services include:]

[(A) Community First Choice Habilitation (CFC HAB), a Medicaid state plan service that provides habilitation through CFC;]

[(B) Community First Choice Personal Assistance Services (CFC PAS), a Medicaid state plan service that provides personal assistance services through CFC; and]

[(C) Community First Choice Personal Assistance Services/Habilitation (CFC PAS/HAB), a Medicaid state plan service provided through CFC that provides both personal assistance services and habilitation combined into one service.]

[(5) Community Living Assistance and Support Services (CLASS) Program--The Medicaid waiver program approved by CMS under Title XIX, Section 1915(c) of the Social Security Act, as described in 40 TAC Chapter 45 (relating to Community Living Assistance and Support Services and Community First Choice (CFC) Services).]

[(6) Consumer Directed Services (CDS) employer--A member or legally authorized representative (LAR) who chooses to participate in the CDS option. A CDS employer, the member or LAR, is responsible for hiring and retaining a service provider who delivers a service described in §354.4005 of this subchapter (relating to Applicability).]

[(7) Consumer Directed Services option (CDS option)--A service delivery option in which a member or LAR employs and retains a service provider and directs the delivery of a service described in §354.4005 of this subchapter.]

(7) [(8)] DBMD Program--Deaf Blind with Multiple Disabilities. [(DBMD) Program--] The Medicaid waiver program approved by CMS under Title XIX, Section 1915(c) of the Social Security Act, as described in 26 TAC Chapter 260 [40 TAC Chapter 42] (relating to Deaf Blind with Multiple Disabilities (DBMD) Program and Community First Choice (CFC) Services).

(8) [(9)] EVV--Electronic visit verification. [(EVV)--]The documentation and verification of service delivery through an EVV system.

(9) [(10)] EVV aggregator--A centralized database that collects, validates, and stores statewide EVV visit data transmitted by an EVV system.

(10) EVV claim--A request for payment of a service described in §354.4005 or §354.4006 of this subchapter submitted to HHSC, HHSC's designated contractor, or a managed care organization (MCO) in accordance with the EVV Policy Handbook.

(11) EVV Policy Handbook--A handbook promulgated by HHSC that contains policies and requirements related to EVV [The HHSC handbook that provides EVV standards and policy requirements].

(12) EVV portal--An online system established by HHSC that allows users to perform searches, view reports and view EVV claim match results associated with data in the EVV aggregator.

(13) EVV portal user--A person who is employed by or contracts with a program provider or FMSA and has access to the EVV portal.

(14) [(12)] EVV proprietary system--An HHSC EVV system purchased or developed by a program provider or FMSA approved by HHSC in accordance with §354.4013 of this subchapter (relating to HHSC and MCO Compliance Reviews and Enforcement Actions) [HHSC-approved EVV system] that a program provider or FMSA uses [financial management services agency (FMSA) may opt to use] instead of an EVV vendor system. [that:]

[(A) is purchased or developed by a program provider or an FMSA;]

[(B) is used to exchange EVV information with HHSC or a managed care organization (MCO); and]

[(C) complies with the requirements of Texas Government Code §531.024172 or its successors.]

(15) [(13)] EVV system--An EVV vendor system or an EVV proprietary system used to electronically document and verify the data elements described in §354.4009(a) of this subchapter (relating to EVV Visit Transaction and EVV Claim) [§354.4007 of this subchapter (relating to EVV System)] for a visit conducted to provide a service described in §354.4005 or §354.4006 of this subchapter.

(16) EVV system user--A person who has access to the EVV system, including a person employed by or contracting with a program provider, FMSA, or CDS employer.

(17) [(14)] EVV vendor system--An EVV system developed and operated by a vendor that contracts with HHSC or HHSC's designated contractor [provided by an EVV vendor selected by the claims administrator, on behalf of HHSC] that a program provider or FMSA uses [may opt to use] instead of an EVV proprietary system.

(18) [(15)] EVV visit transaction--A [data] record generated by an EVV system that contains the data elements described in §354.4009(a) [§354.4007 ] of this subchapter for a visit conducted to provide a service described in §354.4005 or §354.4006 of this subchapter.

(19) [(16)] FC Program--Family Care [(FC)] Program. [--]A program funded under Title XX, Subtitle A of the Social Security Act, as described in 40 TAC Chapter 47.

(20) [(17)] FMSA--Financial management services agency. [(FMSA)--]A program provider [An entity] that contracts with HHSC or an MCO to provide financial management services to a CDS employer as described in 40[,] TAC Chapter 41 (relating to Consumer Directed Services Option).

(21) HCBS-AMH Program--Home and Community-Based Services Adult Mental Health Program. A Medicaid state plan option approved by CMS under Title XIX, Section 1915(i) of the Social Security Act, as described in 26 TAC Chapter 307, Subchapter B (relating to Home and Community-Based Services--Adult Mental Health Program).

(22) HCS Program--Home and Community-based Services Program. A Medicaid waiver program approved by CMS under Title XIX, Section 1915(c) of the Social Security Act, as described in 26 TAC Chapter 263 (relating to Home and Community-based Services (HCS) Program and Community First Choice (CFC)).

(23) [(18)] HHSC--Texas Health and Human Services Commission.

[(19) Home and Community-Based Services (HCBS) Adult Mental Health Program--A Medicaid state plan option approved by CMS under Title XIX, Section 1915(i) of the Social Security Act, as described in 26 TAC Chapter 307, Subchapter B (relating to Home and Community-Based Services--Adult Mental Health Program).]

[(20) Home and Community-based Services (HCS) Program--A Medicaid waiver program approved by CMS under Title XIX, Section 1915(c) of the Social Security Act, as described in 40 TAC Chapter 9, Subchapter D (relating to Home and Community-based Services (HCS) Program and Community First Choice (CFC)).]

(24) Home health aide--Has the meaning set forth in 26 TAC §558.2 (relating to Definitions).

(25) ICF/IID--Intermediate care facility for individuals with an intellectual disability or related conditions. An ICF/IID is a facility that is licensed in accordance with THSC Chapter 252 or certified by HHSC.

(26) IMD--Institution for mental diseases. Has the meaning set forth in 25 TAC §419.373 (relating to Definitions).

(27) LVN--Licensed vocational nurse. A person licensed to practice as a vocational nurse as described in Texas Occupations Code Chapter 301.

(28) [(21)] MCO--Managed care organization. [(MCO)--] Has the meaning set forth in Texas Government Code §536.001.

(29) [(22)] MDCP--Medically Dependent Children Program. [(MDCP)--] A Medicaid waiver program approved by CMS under Title XIX, Section 1915(c) of the Social Security Act, as described in Chapter 353, Subchapter M of this title (relating to Home and Community Based Services in Managed Care).

(30) [(23)] MDCP STAR Health covered service--Medically Dependent Children Program STAR Health [(MDCP STAR Health)] covered service. [--]A service provided to a member eligible to receive MDCP benefits under the STAR Health Program.

(31) [(24)] MDCP STAR Kids covered service--Medically Dependent Children Program STAR Kids [(MDCP STAR Kids)] covered service. [--]A service provided to a member eligible to receive MDCP benefits under the STAR Kids Program.

(32) [(25)] Member--A person enrolled in one of the following: [eligible to receive a service described in §354.4005 of this subchapter.]

(A) traditional Medicaid service delivery model also referred to as fee-for-service;

(B) the CLASS Program;

(C) the Community Attendant Services Program;

(D) the DBMD Program;

(E) the FC Program;

(F) the HCBS-AMH Program;

(G) the HCS Program;

(H) the Primary Home Care Program;

(I) the STAR Program;

(J) the STAR Health Program;

(K) the STAR Kids Program;

(L) the STAR+PLUS Program;

(M) the STAR+PLUS Home and Community-Based Services Program;

(N) the STAR+PLUS Medicare-Medicaid Program;

(O) the Texas Home Living Program;

(P) Texas Health Steps Comprehensive Care Program (CCP); or

(Q) the Youth Empowerment Services Program.

(33) Nursing facility--A facility licensed in accordance with Texas Health and Safety Code Chapter 242.

(34) Occupational therapist--A person licensed as an occupational therapist in accordance with Texas Occupations Code Chapter 454.

(35) PCS--Personal Care Services. Support services provided to a member enrolled in Texas Health Steps CCP who requires assistance with activities of daily living or instrumental activities of daily living as described in §363.602 of this title (relating to Definitions).

(36) PDN--Private duty nursing. Has the same meaning as the term "Private duty nursing (PDN) Services" in 1 TAC Chapter 363, Subchapter C, §363.303 (relating to Definitions).

(37) [(26)] Primary Home Care Program--A Medicaid state plan program operating under Title XIX of the Social Security Act, as described in 40 TAC Chapter 47.

(38) Physical therapist--A person licensed as a physical therapist in accordance with Texas Occupations Code Chapter 453.

(39) [(27)] Program provider--An entity that contracts with HHSC or an MCO to provide a service described in §354.4005 or §354.4006 of this subchapter and that uses an EVV vendor system or an EVV proprietary system. A service provider described in paragraph (43)(B) of this section is both a program provider and a service provider.

(40) PSO--Proprietary system operator. A program provider or FMSA that uses an EVV proprietary system.

(41) [(28)] Reason code--A standardized HHSC-approved code entered in [into] an EVV system to explain the [specific] reason for completing visit maintenance [a change was made to an EVV visit transaction].

(42) RN--Registered nurse. A person licensed to practice as a registered nurse as described in Texas Occupations Code Chapter 301.

(43) [(29)] Service provider--A person who provides a service described in §354.4005 or §354.4006 of this subchapter and who [is employed or contracted by]:

(A) is employed by or contracting with:

(i) a program provider; or

(ii) a CDS employer; or

(B) who is contracting with:

(i) an MCO; or

(ii) HHSC.

[(A) a program provider;]

[(B) a CDS employer; or]

[(C) a member who has selected the service responsibility option (SRO).]

(44) [(30)] SRO--Service responsibility option. [(SRO)--] A service delivery option described in 40 TAC Chapter 43 (relating to Service Responsibility Option) in which a member or legally authorized representative [LAR] selects, trains, and provides daily management of a service provider, while the fiscal, personnel, and service back-up plan responsibilities remain with the program provider.

(45) [(31)] STAR--State of Texas Access Reform.

[(32) STAR Program--A Medicaid program operating under Title XIX, Section 1115 of the Social Security Act. The program provides services through a managed care delivery model to a member enrolled in STAR as described in Chapter 353, Subchapter I of this title (relating to STAR).]

(46) [(33)] STAR Health Program--A [The] Medicaid program operating under Title XIX, Section 1915(a) of the Social Security Act and Texas Family Code, Chapter 266. The program provides services through a managed care delivery model to a member enrolled in STAR Health as described in Chapter 353, Subchapter H of this title (relating to STAR Health).

(47) [(34)] STAR Kids Program--A [The] Medicaid program operating under Title XIX, Section 1115 of the Social Security Act and Texas Government Code Chapter 533. The program provides services through a managed care delivery model to a member enrolled in STAR Kids as described in Chapter 353, Subchapter N of this title (relating to STAR Kids).

(48) STAR Program--A Medicaid program operating under Title XIX, Section 1115 of the Social Security Act. The program provides services through a managed care delivery model to a member enrolled in STAR as described in Chapter 353, Subchapter I of this title (relating to STAR).

(49) [(35)] STAR+PLUS HCBS Program--STAR+PLUS Home and Community-Based Services Program. [(STAR+PLUS HCBS Program)--] A Medicaid program operating through a federal waiver under Title XIX, Section 1115 of the Social Security Act. The program provides services to a member eligible to receive HCBS benefits under the STAR+PLUS Program, as described in Chapter 353, Subchapter M of this title (relating to Home and Community Based Services in Managed Care).

(50) [(36)] STAR+PLUS MMP--STAR+PLUS Medicare-Medicaid Plan. [(STAR+PLUS MMP)--] A managed care program operating under Title XIX, Section 1115A of the Social Security Act that provides the authority to test and evaluate a fully integrated care model for clients who are dual eligible. The STAR+PLUS MMPs contract [are contracted] with CMS and HHSC to participate in the Dual Demonstration Program described in Chapter 353, Subchapter L of this title (relating to Texas Dual Eligibles Integrated Care Demonstration Project).

(51) [(37)] STAR+PLUS Program--A Medicaid program operating under Title XIX, Section 1115 of the Social Security Act, and Texas Government Code Chapter 533. The program provides services through a managed care delivery model to a member enrolled in STAR+PLUS as described in Chapter 353, Subchapter G of this title (relating to STAR+PLUS).

(52) [(38)] TAC--Texas Administrative Code.

(53) [(39)] Texas Health Steps CCP--Texas Health Steps Comprehensive Care Program. [--] A Medicaid comprehensive program approved by CMS under Title XIX, Section 1905 of the Social Security Act, as described in Chapter 363 [, Subchapter F] of this title (relating to Texas Health Steps Comprehensive Care Program [Personal Care Services]). [This includes STAR members who receive these services through the traditional Medicaid service model also referred to as fee-for-service.]

(54) [(40)] TxHmL--Texas Home Living [(TxHmL)] Program. [--]A Medicaid waiver program approved by CMS under Title XIX, Section 1915(c) of the Social Security Act, as described in 26 TAC Chapter 262 [40 TAC Chapter 9, Subchapter N] (relating to Texas Home Living (TxHmL) Program and Community First Choice (CFC)).

(55) Vendor hold--A temporary suspension of payments for claims that are due to a program provider or FMSA.

(56) Visit maintenance--As described in the EVV Policy Handbook, a process to:

(A) manually enter data elements described in §354.4009(a) of this subchapter in an EVV system;

(B) correct the data elements described in §354.4009(a) of this subchapter that are inaccurate in an EVV visit transaction; or

(C) include the data elements described in §354.4009(a) of this subchapter that are missing in an EVV visit transaction.

(57) [(41)] YES Program--Youth Empowerment Services Program. [--]A Medicaid waiver approved by CMS under Title XIX, Section 1915(c) of the Social Security Act as described in 26 TAC Chapter 307, Subchapter A (relating to Youth Empowerment Services (YES)).

§354.4005.Personal Care Services that Require the Use of EVV.

(a) A program provider must ensure a service provider uses EVV to document the provision of the following personal care services by the program provider:

(1) in the traditional Medicaid service model also referred to as fee-for-service, including for members enrolled in STAR who receive PCS through fee-for-service:

(A) CFC PAS;

(B) CFC HAB;

(C) PCS provided under Texas Health Steps CCP, including SRO; and

(D) PCS-Behavioral Health provided under Texas Health Steps CCP, including SRO;

(2) in the CLASS Program:

(A) CFC PAS/HAB; and

(B) in-home respite;

(3) personal attendant services provided through the Community Attendant Services Program, including SRO;

(4) in the DBMD Program:

(A) CFC PAS/HAB; and

(B) in-home respite;

(5) personal attendant services provided through the FC Program, including SRO;

(6) in the HCBS-AMH Program:

(A) supported home living; and

(B) in-home respite;

(7) in the HCS Program:

(A) CFC PAS/HAB;

(B) in-home respite; and

(C) in-home individualized skills and socialization provided to members with the residential type of "own/family home";

(8) personal attendant services provided through the Primary Home Care Program, including SRO;

(9) in the STAR Health Program:

(A) CFC PAS, including SRO;

(B) CFC HAB, including SRO; and

(C) for a member in STAR Health MDCP:

(i) in-home respite, with and without RN delegation, including SRO; and

(ii) flexible family support, with and without RN delegation, including SRO;

(10) in the STAR Kids Program:

(A) CFC PAS, including SRO;

(B) CFC HAB, including SRO; and

(C) for a member in STAR Kids MDCP:

(i) in-home respite, with and without RN delegation, including SRO; and

(ii) flexible family support, with and without RN delegation, including SRO;

(11) in the STAR+PLUS Program:

(A) personal assistance services, including SRO;

(B) CFC PAS, including SRO; and

(C) CFC HAB, including SRO;

(12) in the STAR+PLUS HCBS Program:

(A) in-home respite care, including SRO;

(B) protective supervision, including SRO;

(C) personal assistance services, including SRO;

(D) CFC PAS, including SRO; and

(E) CFC HAB, including SRO;

(13) in the STAR+PLUS MMP:

(A) in-home respite care, including SRO;

(B) protective supervision, including SRO;

(C) personal assistance services, including SRO;

(D) CFC PAS, including SRO; and

(E) CFC HAB, including SRO;

(14) in the TxHmL Program:

(A) CFC PAS/HAB;

(B) in-home respite; and

(C) in-home individualized skills and socialization;

(15) in-home respite provided in the YES Program; and

(16) any other service required by federal or state mandates.

(b) A CDS employer must ensure a service provider uses EVV to document the provision of the following personal care services through the CDS option:

(1) in the traditional Medicaid service model also referred to as fee-for-service:

(A) CFC PAS;

(B) CFC HAB;

(C) PCS provided under Texas Health Steps CCP; and

(D) PCS-Behavioral Health provided under Texas Health Steps CCP;

(2) in the CLASS Program:

(A) CFC PAS/HAB; and

(B) in-home respite;

(3) personal attendant services provided through the Community Attendant Services Program;

(4) in the DBMD Program:

(A) CFC PAS/HAB; and

(B) in-home respite;

(5) personal attendant services provided through the FC Program;

(6) in the HCS Program:

(A) CFC PAS/HAB; and

(B) in-home respite;

(7) personal attendant services provided through the Primary Home Care Program;

(8) in the STAR Health Program:

(A) CFC PAS;

(B) CFC HAB; and

(C) for a member in STAR Health MDCP:

(i) in-home respite, with and without RN delegation; and

(ii) flexible family support, with and without RN delegation;

(9) in the STAR Kids Program:

(A) CFC PAS;

(B) CFC HAB; and

(C) for a member in STAR Kids MDCP:

(i) in-home respite, with and without RN delegation; and

(ii) flexible family support, with and without RN delegation;

(10) in the STAR+PLUS Program:

(A) personal assistance services;

(B) CFC PAS; and

(C) CFC HAB;

(11) in the STAR+PLUS HCBS Program:

(A) in-home respite care;

(B) protective supervision;

(C) personal assistance services;

(D) CFC PAS; and

(E) CFC HAB;

(12) in the STAR+PLUS MMP:

(A) in-home respite care;

(B) protective supervision;

(C) personal assistance services;

(D) CFC PAS; and

(E) CFC HAB; and

(13) in the TxHmL Program:

(A) CFC PAS/HAB;

(B) in-home respite; and

(C) in-home individualized skills and socialization.

§354.4006.Home Health Care Services that Require the Use of EVV.

(a) A program provider must ensure a service provider uses EVV to document the provision of the following home health care services by the program provider on or after January 1, 2024:

(1) in the traditional Medicaid service model also referred to as fee-for-service, for a member who does not reside in a nursing facility, an ICF/IID, or an IMD, the following services when provided in the residence of the member:

(A) any nursing service, other than PDN;

(B) occupational therapy; and

(C) physical therapy;

(2) in the CLASS Program, for a member who does not receive support family services or continued family services, the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy;

(3) in the DBMD Program, for a member who does not receive licensed assisted living or licensed home health assisted living, the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy;

(4) in the HCS Program, for a member whose residential type is "own/family home," the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy;

(5) in the HCBS-AMH Program, for a member who does not receive host home/companion care, supervised living services, or assisted living services, the following services when provided in the residence of the member:

(A) nursing - RN; and

(B) nursing - LVN;

(6) in the STAR Program, the following services when provided in the residence of the member:

(A) home health nursing;

(B) occupational therapy;

(C) physical therapy; and

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist;

(7) in the STAR Health Program, the following services when provided in the residence of the member:

(A) home health nursing, other than PDN;

(B) occupational therapy;

(C) physical therapy; and

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist;

(E) nursing delegation and supervision of PCS and CFC tasks; and

(F) for a member in STAR Health MDCP, the following services when provided in the residence of the member:

(i) RN delegation and supervision of personal care services and CFC tasks, other than PDN;

(ii) flexible family supports services performed by an RN or an LVN; and

(iii) in-home respite performed by an RN or an LVN;

(8) in the STAR Kids Program, the following services when provided in the residence of the member:

(A) home health nursing, other than PDN;

(B) occupational therapy;

(C) physical therapy;

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist;

(E) nursing delegation and supervision of PCS and CFC tasks; and

(F) for a member in STAR Kids MDCP, the following services when provided in the residence of the member:

(i) RN delegation and supervision of personal care services and CFC tasks, other than PDN;

(ii) flexible family supports services performed by an RN or LVN; and

(iii) in-home respite performed by an RN or LVN;

(9) in the STAR+PLUS Program, the following services when provided in the residence of the member:

(A) home health nursing;

(B) occupational therapy;

(C) physical therapy; and

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist;

(10) in the STAR+PLUS HCBS Program, for members not receiving adult foster care, assisted living services - single occupancy, assisted living services - double occupancy, or assisted living services - non-apartment, the following services when provided in the residence of the member:

(A) home health nursing, including SRO;

(B) occupational therapy, including SRO;

(C) physical therapy, including SRO; and

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist, including SRO;

(11) in the STAR+PLUS MMP, for members not receiving adult foster care, assisted living services - single occupancy, assisted living services - double occupancy, or assisted living services - non-apartment, the following services when provided in the residence of the member:

(A) home health nursing, including SRO;

(B) occupational therapy, including SRO;

(C) physical therapy, including SRO; and

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist, including SRO;

(12) in the TxHmL Program, the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy; and

(13) any other service required by federal or state mandates.

(b) A CDS employer must ensure a service provider uses EVV to document the provision of the following home health care services using the CDS option on or after January 1, 2024:

(1) in the CLASS Program, the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy;

(2) in the HCS Program, for a member whose residential type is "own/family home," the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy;

(3) in the STAR Health Program for a member in STAR Health MDCP, the following services when provided in the residence of the member:

(A) flexible family supports services performed by any RN or any LVN; and

(B) in-home respite performed by any RN or any LVN;

(4) in the STAR Kids Program for a member in STAR Kids MDCP, the following services when provided in the residence of the member:

(A) flexible family supports services performed by any RN or any LVN; and

(B) in-home respite performed by any RN or any LVN;

(5) in the STAR+PLUS Program, the following services when provided in the residence of the member:

(A) home health nursing;

(B) occupational therapy;

(C) physical therapy; and

(D) personal care services provided by a home health aide under the supervision of an RN, occupational therapist, or physical therapist;

(6) in the STAR+PLUS HCBS Program, the following services when provided in the residence of the member:

(A) home health nursing;

(B) occupational therapy;

(C) physical therapy; and

(D) home health aide services as an extension of physical therapy, occupational therapy, or nursing services;

(7) in the STAR+PLUS MMP, the following services when provided in the residence of the member:

(A) home health nursing;

(B) occupational therapy;

(C) physical therapy; and

(D) home health aide services as an extension of physical therapy, occupational therapy, or nursing services; and

(8) in the TxHmL Program, the following services when provided in the residence of the member:

(A) any nursing service;

(B) occupational therapy; and

(C) physical therapy.

§354.4007.EVV System.

(a) A program provider or FMSA must use one of the following EVV systems to electronically document the provision of a service described in §354.4005 or §354.4006 of this subchapter (relating to Personal Care Services that Require the Use of EVV and Home Health Care Services that Require the Use of EVV):

(1) an EVV vendor system; or

(2) an EVV proprietary system.

(b) A CDS employer must use the EVV system selected by their FMSA.

(c) Except as provided in subsection (d) of this section, a program provider, an FMSA, and a CDS employer must ensure that a service provider uses an EVV system to electronically document the provision of a service described in §354.4005 or §354.4006 of this subchapter as described in the EVV Policy Handbook.

(d) If a service provider fails to use an EVV system to document the provision of a service described in §354.4005 or §354.4006 of this subchapter, or if a service provider cannot use an EVV system because the EVV system is unavailable, a program provider, an FMSA, or a CDS employer must:

(1) ensure the data elements required by §354.4009(a)(1) of this subchapter (relating to EVV Visit Transaction and EVV Claim) are accurate; and

(2) complete visit maintenance.

(e) If a program provider or an FMSA does not comply with subsections (a), (c), or (d) of this section, HHSC or an MCO may do one or more of the following:

(1) deny payment for a service;

(2) take enforcement action including:

(A) requiring a program provider or FMSA to complete a corrective action plan; or

(B) proposing to terminate the contract of the program provider or FMSA.

(f) If a CDS employer does not comply with subsections (b), (c), or (d) of this section, HHSC or an MCO may:

(1) require the CDS employer to complete a corrective action plan; or

(2) propose to terminate the member's participation in the CDS option.

§354.4009.EVV Visit Transaction and EVV Claim.

(a) A program provider and an FMSA must:

(1) ensure that an EVV visit transaction contains the data elements required by the EVV system, including:

(A) the first and last name of the member who received the service;

(B) the type of service provided;

(C) the date the service was provided;

(D) the time the service began and the time the service ended;

(E) the first and last name of the service provider who provided the service;

(F) the location, including the address or geolocation, where the service was provided; and

(G) other information HHSC determines necessary to ensure the accurate payment of a claim for services, as described in the EVV Policy Handbook; and

(2) ensure the data elements required by paragraph (1) of this subsection are accurate.

(b) A CDS employer who elects to complete visit maintenance on the HHSC Employer's Selection for Electronic Visit Verification Responsibilities form must:

(1) ensure that an EVV visit transaction contains the data elements required by the EVV system, including those listed in subsection (a)(1) of this section; and

(2) ensure the data elements required by paragraph (1) of this subsection are accurate.

(c) A program provider and an FMSA must:

(1) before submitting an EVV claim:

(A) ensure that the EVV visit transaction is transmitted to and accepted by the EVV Portal; and

(B) ensure that the data elements on the EVV claim match the data elements in the accepted EVV visit transaction; and

(2) submit the EVV claim in accordance with HHSC or MCO billing requirements and the EVV Policy Handbook.

(d) HHSC or an MCO denies an EVV claim or recoups a payment made to a program provider or an FMSA if the EVV claim does not meet requirements described in the EVV Policy Handbook, including if:

(1) the EVV claim does not match the accepted EVV visit transaction; or

(2) there is no accepted EVV visit transaction that supports the EVV claim.

§354.4011.Visit Maintenance.

(a) A program provider and an FMSA must complete visit maintenance, including the visit maintenance described in §354.4007(d) of this subchapter (relating to EVV System):

(1) in accordance with the EVV Policy Handbook; and

(2) within the visit maintenance time frame after the date a service was provided as described in the EVV Policy Handbook.

(b) If a CDS employer elects to complete visit maintenance on the HHSC Employer's Selection for Electronic Visit Verification Responsibilities form, the CDS employer must complete visit maintenance in accordance with subsection (a)(1) and (2) of this section.

(c) After the visit maintenance time frame has expired, the program provider, FMSA, and CDS employer may complete visit maintenance only if:

(1) the program provider, FMSA, or CDS employer submits a Visit Maintenance Unlock Request in accordance with the EVV Policy Handbook; and

(2) HHSC or an MCO approves the Visit Maintenance Unlock Request.

§354.4013.HHSC and MCO Compliance Reviews and Enforcement Actions.

(a) HHSC and an MCO conduct the following compliance reviews in accordance with the EVV Policy Handbook:

(1) an EVV Usage Review;

(2) an EVV Landline Phone Verification Review; and

(3) an EVV Required Free Text Review.

(b) If HHSC or an MCO determines from an EVV Usage Review that a program provider's or FMSA's EVV Usage score is less than 80% and such score is:

(1) the first occurrence within a 24-month period, HHSC or an MCO may require the program provider or FMSA to complete EVV policy, system, and portal trainings within a specific time frame;

(2) the second occurrence within a 24-month period, HHSC or an MCO may require the program provider or FMSA to complete a corrective action plan within 10 business days after the date the program provider or FMSA is notified that the EVV Usage score is less than 80%; or

(3) the third occurrence within a 24-month period, HHSC or an MCO may propose to terminate the contract of the program provider or FMSA.

(c) If HHSC or an MCO determines from an EVV Usage Review that a CDS Employer's EVV Usage score is less than 80% and such score is:

(1) the first occurrence within a 24-month period, HHSC or an MCO may require the CDS employer to complete EVV policy and system trainings within a specific time frame;

(2) the second occurrence within a 24-month period, HHSC or an MCO may require the CDS employer to complete a corrective action plan within 10 business days after the date the CDS employer is notified that the EVV Usage score is less than 80%; or

(3) the third occurrence within a 24-month period, HHSC or an MCO may propose to terminate the member's participation in the CDS option.

(d) If a program provider or FMSA does not complete EVV trainings or a corrective action plan as required by subsection (b)(1) and (2) of this section, HHSC or the MCO may impose a vendor hold on the program provider or FMSA until the EVV trainings or a corrective action plan is completed.

(e) If a CDS employer does not complete EVV trainings required by subsection (c)(1) of this section, HHSC or the MCO may require the CDS employer to complete a corrective action plan within 10 business days after the date the CDS employer is notified that EVV trainings were not completed.

(f) If a CDS employer does not complete a corrective action plan as required by subsections (c)(2) or (e) of this section, HHSC or the MCO may propose to terminate the member's participation in the CDS option.

(g) If HHSC or an MCO determines from an EVV Landline Phone Verification Review that a service provider has used an unallowable phone type as described in the EVV Policy Handbook to clock in and clock out of the EVV system:

(1) HHSC or an MCO provides written notification of such determination to the program provider or FMSA;

(2) within 20 business days after receipt of the written notification, the program provider or FMSA must provide the documentation described in the written notification to HHSC or the MCO; and

(3) if the program provider or FMSA does not provide the documentation described in the written notification to HHSC or the MCO, HHSC or the MCO may impose a vendor hold on the program provider or FMSA until the program provider or FMSA provides the documentation.

(h) If HHSC or an MCO determines from an EVV Required Free Text Review that a program provider, an FMSA, or a CDS employer who elects to complete visit maintenance on the HHSC Employer's Selection for Electronic Visit Verification Responsibilities form did not enter free text in the EVV system on an EVV visit transaction when using a reason code as required by the EVV Policy Handbook, HHSC or the MCO may recoup payment made to the program provider or the FMSA for the EVV claim associated with the EVV visit transaction.

§354.4015.EVV Training Requirements.

(a) A program provider that uses an EVV vendor system, an FMSA that uses a vendor system, and a CDS employer whose FMSA uses an EVV vendor system must ensure that an EVV system user completes EVV System Training described in the EVV Policy Handbook and provided by the EVV vendor:

(1) before the EVV system user begins using the EVV system; and

(2) yearly thereafter.

(b) A PSO or a CDS employer whose FMSA is a PSO must ensure that an EVV system user completes EVV System Training described in the EVV Policy Handbook and provided by the PSO or an entity on behalf of the PSO:

(1) before the EVV system user begins using the EVV system; and

(2) yearly thereafter.

(c) A program provider, an FMSA, and a CDS employer must ensure that an EVV system user completes EVV Policy Training described in the EVV Policy Handbook and provided by HHSC or the MCO with which the program provider or FMSA contracts:

(1) before the EVV system user begins using the EVV system; and

(2) yearly thereafter.

(d) A program provider and FMSA must ensure that an EVV portal user:

(1) completes EVV Portal Training described in the EVV Policy Handbook and provided by HHSC or its designated contractor:

(A) before the EVV portal user begins using the EVV portal; and

(B) yearly thereafter; and

(2) completes EVV Policy Training described in the EVV Policy Handbook provided by HHSC or the MCO with which the program provider or FMSA contracts:

(A) before the EVV portal user begins using the EVV portal; and

(B) yearly thereafter.

(e) A program provider and a CDS employer must train a service provider on the clock in and clock out portion of the EVV System Training described in subsections (a) and (b) of this section:

(1) before the service provider begins using the EVV system; and

(2) yearly thereafter.

(f) A program provider that is not an FMSA and uses an EVV vendor system must document the following to demonstrate compliance with subsections (a) and (c) - (e) of this section:

(1) the name of the training;

(2) the name of the person who completed the training; and

(3) the date of the training.

(g) A PSO that is not an FMSA must document the following to demonstrate compliance with subsections (b) - (e) of this section:

(1) the name of the training;

(2) the name of the person who completed the training; and

(3) the date of the training.

(h) An FMSA that is not a PSO must document the following to demonstrate compliance with subsections (a), (c) and (d) of this section:

(1) the name of the training;

(2) the name of the person who completed the training; and

(3) the date of the training.

(i) An FMSA that is a PSO must document the following to demonstrate compliance with subsections (b) - (d) of this section:

(1) the name of the training;

(2) the name of the person who completed the training; and

(3) the date of the training.

(j) A CDS employer whose FMSA is not a PSO must document the following to demonstrate compliance with subsections (a), (c) and (e) of this section:

(1) the name of the training;

(2) the name of the person who completed the training; and

(3) the date of the training.

(k) A CDS employer whose FMSA is a PSO must document the following to demonstrate compliance with subsections (b), (c) and (e) of this section:

(1) the name of the training;

(2) the name of the person who completed the training; and

(3) the date of the training.

(l) If a program provider or an FMSA does not comply with subsections (a), (c), or (d) of this section, HHSC or an MCO may require the program provider or FMSA to complete a corrective action plan.

(m) If a PSO does not comply with subsection (b) of this section, HHSC or an MCO may require the PSO to complete a corrective action plan.

(n) If a program provider that is not an FMSA does not comply with subsection (e) of this section, HHSC or an MCO may require the program provider to complete a corrective action plan.

(o) If a CDS employer whose FMSA is not a PSO does not comply with subsections (a), (c), and (e), an FMSA may require the CDS employer to complete a corrective action plan.

(p) If a CDS employer whose FMSA is a PSO does not comply with subsections (b), (c) and (e), an FMSA may require the CDS employer to complete a corrective action plan.

§354.4017.Process to Request Approval of a Proposed EVV Proprietary System and Additional Requirements for a PSO.

(a) This section applies to a program provider or FMSA seeking HHSC's approval of a proposed EVV proprietary system. To request HHSC's approval of a proposed EVV proprietary system, a program provider or FMSA must comply with the onboarding process described in the EVV Policy Handbook, which includes:

(1) completing and submitting the EVV Proprietary System Request Form; and

(2) participating in an operational readiness review session.

(b) HHSC approves a proposed EVV proprietary system if a program provider or FMSA:

(1) demonstrates that the proposed EVV proprietary system complies with:

(A) the EVV Policy Handbook;

(B) the EVV Business Rules for Proprietary Systems; and

(C) state and federal laws governing EVV; and

(2) successfully completes the operational readiness review by receiving a score of 100% in the following methods, as described in the EVV Policy Handbook:

(A) certification;

(B) documentation;

(C) demonstration; and

(D) trading partner testing.

(c) A PSO must:

(1) ensure the EVV proprietary system complies with the HHSC EVV Policy Handbook, the EVV Business Rules for Proprietary Systems, and state and federal laws governing EVV;

(2) assume responsibility for the design, development, operation, and performance of the EVV proprietary system;

(3) cover all costs to develop, implement, operate, and maintain the EVV proprietary system;

(4) ensure the accuracy of EVV data collected, stored, and reported by the EVV proprietary system;

(5) assume all liability and risk for the use of the EVV proprietary system;

(6) maintain all data generated by the EVV proprietary system to demonstrate compliance with this subchapter and for general business purposes;

(7) develop training materials on the proprietary system and train HHSC staff and MCO staff;

(8) provide access to all HHSC-approved clock in and clock out methods offered by the PSO to a service provider at no cost to a member, HHSC, an MCO, or HHSC's designated contractor;

(9) ensure the functionality and accuracy of all clock in and clock out methods provided to a service provider;

(10) comply with the process in the HHSC EVV Policy Handbook if transferring EVV proprietary systems; and

(11) notify HHSC, in writing, if:

(A) the EVV proprietary system is not in compliance with the HHSC EVV Policy Handbook, the EVV Business Rules for Proprietary Systems, and state and federal laws governing EVV; or

(B) the PSO plans to make significant changes to the EVV system.

(d) HHSC may, at its discretion, audit an EVV proprietary system. Such audit may be conducted by a contractor of HHSC.

(e) If HHSC determines that a PSO is not in compliance with subsection (c) of this section, HHSC may, in accordance with the HHSC EVV Policy Handbook:

(1) require the PSO to correct the non-compliance within a time frame specified by HHSC;

(2) reject EVV visit transactions from the proprietary system until HHSC determines the non-compliance is corrected;

(3) cancel the use of the EVV proprietary system if:

(A) the PSO fails to correct the non-compliance within the time frame specified by HHSC; or

(B) the PSO does not respond to a written communication from HHSC about the non-compliance within the time frame specified by HHSC; and

(4) cancel the use of an EVV proprietary system without giving the PSO the opportunity to correct the non-compliance:

(A) if the non-compliance is egregious, as determined by HHSC; or

(B) because of a substantiated allegation of fraud, waste, or abuse by the Office of Inspector General.

§354.4019.Access to EVV System and EVV Documentation.

A program provider and an FMSA must:

(1) allow HHSC and the MCO with which the program provider or FMSA has a contract immediate, direct, and on-site access to the EVV system the program provider or FMSA uses;

(2) at HHSC's request, allow HHSC to review EVV system documentation or obtain a copy of that documentation at no charge to HHSC; and

(3) at the request of an MCO with which an EVV claim is filed, allow the MCO to review EVV system documentation related to the EVV claim or obtain a copy of that documentation at no charge to the MCO.

§354.4021.Additional Requirements.

A program provider, an FMSA, a CDS employer, a service provider, a member, and an MCO must comply with:

(1) applicable state and federal laws, rules, and regulations, including the Health Insurance Portability and Accountability Act of 1996 at 42 U.S.C. §1320d, et seq., and regulations adopted under that act at 45 CFR Parts 160 and 164; and

(2) the EVV Policy Handbook.

§354.4023.Sanctions.

(a) HHSC or an MCO may propose to recoup funds paid to a program provider or FMSA as described in:

(1) §354.4009(d) of this subchapter (relating to EVV Visit Transaction and EVV Claim); and

(2) §354.4013(h) of this subchapter (relating to HHSC and MCO Compliance Reviews and Enforcement Actions).

(b) HHSC or an MCO may impose a vendor hold against a program provider or FMSA as described in §354.4013(d) and (g)(3) of this subchapter.

(c) HHSC or an MCO may propose to terminate the contract of a program provider or FMSA as described in:

(1) §354.4007(e)(2)(B) of this subchapter (relating to EVV System); and

(2) §354.4013(b)(3) of this subchapter.

§354.4025.Administrative Hearing.

(a) If, as described in this subchapter, HHSC proposes to terminate the contract of a program provider or FMSA, proposes to recoup funds paid to a program provider or FMSA, or imposes a vendor hold on a program provider or FMSA, the program provider or FMSA may request an administrative hearing in accordance with §357.484 of this title (relating to Request for a Hearing).

(b) If, as described in this subchapter, an MCO proposes to terminate the contract of a program provider or FMSA, proposes to recoup funds paid to a program provider or FMSA, or imposes a vendor hold on a program provider or FMSA, the program provider or FMSA may appeal the proposed action in accordance with the MCO's policy.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 25, 2023.

TRD-202303168

Karen Ray

Chief Counsel

Texas Health and Human Services Commission

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 438-5241
1 TAC §§354.4005, 354.4007, 354.4009, 354.4011, 354.4013

STATUTORY AUTHORITY

The repeals are authorized by Texas Government Code, §531.0055, which provides that the Executive Commissioner of HHSC shall adopt rules for the operation and provision of services by the health and human services agencies; Human Resources Code, §32.021, which provides that HHSC shall adopt necessary rules for the proper and efficient operation of the Medicaid program; and Texas Government Code, §531.024172, which provides that the Executive Commissioner of HHSC may adopt rules to implement an electronic visit verification system to electronically verify that personal care services or other services identified by HHSC are provided to Medicaid recipients.

The repeals affect Texas Government Code, §531.0055 and §531.024172 and Human Resources Code, §32.021.

§354.4005.Applicability.

§354.4007.EVV System.

§354.4009.Requirements for Claims Submission and Approval.

§354.4011.Member Rights and Responsibilities.

§354.4013.Additional Requirements.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on August 25, 2023.

TRD-202303169

Karen Ray

Chief Counsel

Texas Health and Human Services Commission

Earliest possible date of adoption: October 8, 2023

For further information, please call: (512) 438-5241