(a) General rule. A PACE organization must collect data, maintain records, and submit reports as required by CMS and the State administering agency.

(b) Access to data and records. A PACE organization must allow CMS and the State administering agency access to data and records including, but not limited to, the following:

(1)(i) Participant health outcomes data.

(ii) Financial books and records.

(iii) Medical records.

(iv) Personnel records.

(2) CMS and the State administering agency must be able to obtain, examine or retrieve the information specified at paragraph (b)(1) of this section, which may include reviewing information at the PACE site or remotely. PACE organizations may also be required to upload or electronically transmit information, or send hard copies of required information by mail.

(c) Reporting. A PACE organization must submit to CMS and the State administering agency all reports that CMS and the State administering agency require to monitor the operation, cost, quality, and effectiveness of the program and establish payment rates.

(d) Safeguarding data and records. A PACE organization must do all of the following:

(1) Establish written policies and implement procedures to safeguard all data, books, and records against loss, destruction, unauthorized use, or inappropriate alteration.

(2) Maintain all written communications received in any format (for example, emails, faxes, letters, etc.) from participants or other parties in their original form when the communications relate to a participant's care, health, or safety including, but not limited to the following:

(i) Communications from the participant, his or her designated representative, a family member, a caregiver, or any other individual who provides information pertinent to a participant's, care, health, or safety.

(ii) Communications from an advocacy or governmental agency such as Adult Protective Services.

(e) Confidentiality of health information. A PACE organization must establish written policies and implement procedures to do the following:

(1) Safeguard the privacy of any information that identifies a particular participant. Information from, or copies of, records may be released only to authorized individuals. Original medical records are released only in accordance with Federal or State laws, court orders, or subpoenas.

(2) Maintain complete records and relevant information in an accurate and timely manner.

(3) Grant each participant timely access, upon request, to review and copy his or her own medical records and to request amendments to those records.

(4) Abide by all Federal and State laws regarding confidentiality and disclosure for mental health records, medical records, and other participant health information.

(f) Retention of records. (1) A PACE organization must retain records for the longest of the following periods:

(i) The period of time specified in State law.

(ii) Ten years from the last entry date.

(iii) For medical records of disenrolled participants, 10 years after the date of disenrollment.

(2) If litigation, a claim, a financial management review, or an audit arising from the operation of the PACE program is started before the expiration of the retention period, specified in paragraph (f)(1) of this section, the PACE organization must retain the records until the completion of the litigation, or resolution of the claims or audit findings.

[64 FR 66279, Nov. 24, 1999, as amended at 84 FR 25677, June 3, 2019; 86 FR 6134, Jan. 19, 2021; 88 FR 22345, Apr. 12, 2023]