(a) Management information system. Managed care organizations (MCOs) and comprehensive provider agencies must ensure their management information systems provide timely, accurate, and accessible information that supports clinical, administrative, and fiscal decision-making.(b) Maintenance of medical records. MCOs and comprehensive provider agencies must ensure:(1) protection against unauthorized access, disclosure, modification, or destruction of medical records, whether accidental or deliberate;(2) the availability, integrity, utility, authenticity, and confidentiality of information within the medical record;(3) a current, organized, legible, and comprehensive records system that:(A) conforms to good professional practice;(B) permits effective clinical review and audit; and(C) facilitates prompt and systematic retrieval of information;(4) a medical records system with sufficient redundancy to ensure access to individual records; and(5) a medical records system that ensures compliance with applicable federal and state laws, rules, and regulations, including the Health Insurance Portability and Accountability Act and 42 CFR Part 2.(c) Documentation retention. A comprehensive provider agency must maintain all records necessary to fully disclose the services delivered. These records must be retained for a period of ten years from the date of the service, or until all audit questions are resolved, whichever is longer. Records and supporting information regarding any payment of claims, as well as premises access, must be made available to HHSC, HHSC OIG, the federal Health and Human Services, the State Auditor's Office, or any person acting on behalf of such entity, upon request.(d) Disaster recovery plan. A comprehensive provider agency must maintain a written disaster recovery plan for information resources in order to ensure service continuity, and must implement the plan as necessary.