Systems Security Plans

Frequently Asked Questions (FAQs)

  • FAQs also available in EXCEL Format (XLSX, 80KB)
No. Date Submitted Topic Reference Question Answer Source Organization
1 2015-08-28 Data access and sharing   When will I be able to share DOH Medicaid data with my PPS Network? Following PPS Lead completion of the Security Affidavit and DOH completion of the opt-out process, PPS Lead Organizations will be able to permit access to data on PPS Lead systems, for PPS Network organizations. PPS Network Organizations may not gain possession of a copy of the data, such as through downloading from the PPS Lead systems, etc. DOH
2 2015-07-10 Requirements Clarification   Should the PPS Lead chose as the data storage center consider designating a secure server for the process of receiving PHI? Yes, a secure server is necessary to store PHI data. Note that there needs to be a secure file system within the server.   DOH
3 2015-07-10 Data access and sharing   What patient information is included in the claims data? PHI within the claims extract will include: member´s name, birthday, member´s county code, member´s Medicaid identification number and gender.  DOH
5 2015-07-10 Data Destruction   How does data destruction apply to modern bulk or virtual storage pools such as NAS/SAN disk arrays? Is the use of commercial or certified secure deletion programs an allowable "Purge" option? Refer to the encryption standard; an encrypting file system is required for the server that is using the NAS/SAN so that the data on the NAS/SAN is encrypted. DOH
6 2015-07-10 Data access and sharing   Can the Department provide examples of allowable secure transmission mechanisms that would allow PPSs to share PHI with downstream providers, including smaller providers? PHI cannot be shared with any downstream providers until the Security Assessment Affidavit is completed, previous data has been destroyed or returned with DEAA Attachment C finalized, and the opt-out process has completed. Any downstream providers receiving PHI from the PPS Lead Entity (PPS Lead) need to have Business Associate Agreements in place. The provider agreements may be specific to the PPS project selection. DOH
7 2015-07-10 Data access and sharing   Assuming encrypted files could be transferred, would every recipient downstream provider need to meet the same "local server" requirements? After the Security Assessment process is completed and the Affidavit approved by the Department, and following opt-out, your downstream providers may receive encrypted files with the same protections required of the lead on their own local servers. Currently, before the Security Assessment, data destruction and opt-out process is finalized, no PPS Lead may transfer encrypted files to downstream partners. The PPS Lead and any downstream providers receiving data are expected to be compliant with the applicable NYS policies and standards, which are provided in the following link: DOH
8 2015-07-10 Requirements Clarification   What does the Department mean by "remotely sharing PHI data with respect to the Lead Entity?" Remote sharing refers to not being in the same physical location on the same physical network. The server used needs to be physically cabled to the workstation containing PHI data. This excludes the use of WiFi. DOH
9 2015-07-10 Requirements Clarification   Are PPS´ outsourced I.T. systems or any other PPS vendor with whom significant PPS I.T. assesses reside considered "downstream partners" and cannot receive PHI? Yes. According to the DEAA Addendum they are considered downstream partners. DOH
11 2015-07-10 Requirements Clarification   Should the PPS Lead chose as the data storage center consider designating a secure server for the process of receiving PHI? Yes, a secure server is necessary to store PHI data. Note that there needs to be a secure file system within the server.   DOH
12 2015-07-10 Data access and sharing   Can a RHIO named on the PPS DEAA download the files on behalf of a PPS? They are still considered a subcontractor to the PPS Lead Entity, so the same data sharing restrictions apply as they would to any other PPS non-lead entity. DOH
13 7/10/2015 updated. Requirements Clarification   Is a NewCo required to store data at one of the co-lead locations, or can the NewCo set up a secure server to store data compliant with all policies and laws? The NewCo PPS is subject to the same restrictions as non-NewCo PPS. Before the Security Assessment Affidavit is completed and approved, the PHI data may be stored at rest at rest at a co-lead location on a secure server following submission of the NewCo DEAA Amendment including updated BAAs. The data cannot be stored on a remotely hosted server. Follow the guidance in the DEAA Addendum, NewCo DEAA Amendment and Security Assessment Affidavit. DOH
14 7/10/2015 updated. General Guidance   Can the Department offer guidance to those NewCos that may consist of multiple partners, which are considered equally contributing to the composition of the NewCo? The Department has created an Amendment to the DEAA to acknowledge the multiple founding entities of the NewCo and recognize them as co-lead partners. However, access to data will remain restricted prior to the completion of the Security Assessment Affidavit and opt-out process. More information on NewCos and data sharing can be found in the "NewCo DEAA Amendment." DOH
15 2015-07-10 General Guidance   What is the status of those Medicaid beneficiaries who do not respond to the opt-out? They are considered opted-in to DSRIP data sharing as long as the opt-out letter got delivered to them. DOH
16 2015-07-10 General Guidance   How will the PPSs be notified of Medicaid members who do not want their data shared? There will be no official notice. Those members who have selected to opt-out of DSRIP data sharing will not be refreshed in subsequent releases of the Member Roster files. DOH
17 2015-07-10 General Guidance   Can the Department share the letter with the PPSs to educate their beneficiaries? Yes, the letter can be shared after it has been finalized. The Department is working towards finalizing the opt-out letter sometime in August. DOH
18 2015-07-10 Requirements Clarification   If we are to get claims data for all attributed patients, does that mean the PPS Lead will know which patients are attributed to the PPS? How will new Medicaid members be reflected? Member Rosters and claims data received by a PPS will reflect that PPS´ attributed lives. The PPS receives all Medicaid claims for members within their PPS. If a member is not eligible for Medicaid on the day the extract is run the members won´t be included in that claims file. DOH
19 2015-07-10 Requirements Clarification   How will this claims data affect the data in Salient? Will there be PHI in Salient data? The Department intends to provide PHI through Salient Interactive Miner (SIM) and Salient Performance Dashboards to the PPS´ for authorized users. Salient is working with the Department to determine the requirements necessary for PHI views in SIM and develop a timeline for access. SIM and Performance Dashboards will not expose member level data for members who have opted-out. PPS users will still have the ability to view performance measures at the PPS (summary) level that include members who have opted out. DOH
20 7/10/2015 updated. Identity Validation   Are there any other i.d.s that will be accepted in lieu of a NYS DMV issued identification in terms of Multifactor Authentication MAPP access? The Department has released guidance to each HCS Coordinator for methods of identity proofing out-of-state HCS Users that do not have a NYS issued-identification. The Department is also working to build both a PHI and a non-PHI view, however a timeline has not been released for this future development. DOH
22 2015-07-10 MAPP   Will the Department expand MAPP user slots per PPS? Not at this time. The Department expanded the MAPP user slots available to each PPS in the recent past (June 4, 2015). If a PPS requires an update to understand their current MAPP users they may request this information via the DSRIP email address: DOH