Data Sources Security & Privacy Update


Alison Pingelski, DOH DOS Deputy Director, Security and Privacy Bureau

September 11, 2017


DOH DOS Update

  • PPS Progress toward Production
    • SIPPS, AHI and SCC are approved for Production
    • Maimonides submitted 9/8 – under review
  • DLA approved adding gender for matching
  • DOH added address to MAPP Download
  • Production sharing use case review

MAPP Download Fields

| Attribution | Performance Measure |
| --- | --- |
| Medicaid CIN# | Medicaid CIN# |
| Member Name | Member Name |
| Attribution Category | Numerator |
| Attribution Length | |
| Sex | Sex |
| DOB | DOB |
| PPS | PPS |
| Managed Care Plan | Managed Care Plan |
| Health Home (HH) | Health Home (HH) |
| Care Management Agency | Care Management Agency |
| Downstream Shareable | Downstream Shareable |
| Current Medicaid Enrollment | Current Medicaid Enrollment |
| Eligible Date | Eligible Date |
| Shareable Date | Shareable Date |
| PSYCKES Indicator | PSYCKES Indicator |
| Address | |

Elements for Data Matching

  • Limited to those members who have a shareable indicator of "Y"
  • Expansion from two data elements to FIVE for matching purposes only:
    • Name
    • CIN
    • Date of Birth
    • Address
    • Gender
  • Sharing commingled data is still limited to the Name & CIN from the claims files or MAPP Export until approved for production

PPS should ensure that any data sharing is limited to the minimum necessary for DSRIP project purposes in accordance with the DOH Guidance Documentation: Privacy and Data Sharing within DSRIP.


Use Cases – Under review

Admin DOH MCD/PHI sharing DOH -> PPS Lead -> PPS Downstream Providers based on "Opt–Out" (blue lines in DST deck DSRIP Data Sharing Nov 2014 pg 5/5)

  • PPS operated Production environment – DOH MDW Claims and Encounter data less SAMHSA; DEAA and Addendum; downstream provider BAA on file with DOH; PPS attributed patients less Opt–Out and Shareable Flag = 'N'; HIPAA minimum necessary rule; subject to advice from PPS Lead Legal Counsel
  • QE operated Production environment – same rules as PPS operated – or materially different?; QE use of PPS Roster (Attributed Patients less Opt–Out and Shareable Flag = 'N') enabled Clinical Event Notifications (CENs) transmission to PPS Lead and downstream Providers – from only PPS Providers? – from all Providers? – less SAMHSA?
  • 3rd Party operated Production environment – same rules as PPS

HIPAA Affirmative Consent or 1:1 Exchange (Referral, Consult) enabled DOH MCD/PHI sharing (red lines in DST deck DSRIP Data Sharing Nov 2014 pg 5/5)

  • QE as host – all known Medicaid members in QE(?); DOH MCD/PHI less financials; sourced from all providers of all types; normal QE rules re Affirmative Consent apply; standard QE distribution channels available (Portal, Data Extract, Electronic Interface, CCD)
  • PPS as host – same rules as QE?
  • 3rd Party as host – same rules as PPS?

Business Arrangement (2 way BAAs, 1:1 Exchange, OHCA, etc.) enabled DOH MCD/PHI sharing based on Jun 2017 DSRIP Privacy Guidance, Other

  • QE as host – 2 WAY BAAs and 1:1 Exchange "instructions" from PPS Lead executed and on file with QE; PPS attributed members only – less Opt–Out? – with Shareable Flag = 'Y'? – less SAMHSA data?; sourced only from PPS Lead and PPS providers and distributed only to PPS Lead and Providers
  • PPS as host – similar to QE, appropriate business arrangements
  • 3rd Party as host – same rules as PPS

Scenarios for PPS Use and Sharing of DOH MCD/PHI accessed directly from DOH

  • PPS Lead, either in PPS operated Production environment (incl 3rd Party) or QE operated Production environment, processes DOH MCD/PHI, possibly commingled with other PHI from PPS Providers, and shares (via PHM Analytics Portal, Reports, Data Extracts) with downstream providers for performance reporting, gaps/overlaps in care, outreach, etc.
  • PPS Lead requests that QE provide (transmit) Clinical Event Notifications (CENs) to PPS downstream providers, directly or via PPS Lead system, based on Attributed Patient Roster – less Opt–Out and Shareable = 'N' patients, and less SAMHSA events/data
  • PPS Lead requests that QE provide DOH MCD/PHI directly via Portal, CCD, or extract, or via PPS Lead system, to PPS downstream providers based on Attributed Patient Roster – less Opt–Out and Shareable = 'N' patients, and less SAMHSA events/data

DCE should ensure that any data sharing is limited to the minimum necessary for DSRIP project purposes in accordance with the DOH Guidance Documentation: Privacy and Data Sharing within DSRIP.


Data Source, Access and Sharing

| PHI from State Medicaid Sources | Type of Access | Program Requirement | Security Requirement for PPS Lead | Security Requirement for PPS Lead Sharing Downstream |
| --- | --- | --- | --- | --- |
| Demographic | MAPP – PHI Download | NYS DOH Sponsor; Gatekeeper | DEAA; DEAA Amendment | BAA for each partner* |
| Demographic | Raw Data File – to RAM | N/A | DEAA; DEAA Amendment; RAM Request Form | NOT ALLOWED |
| Demographic | Raw Data File – to production | Required for downstream data sharing | DEAA; DEAA Amendment; Security Attestation document – NEW | BAA for each partner |
| Demographic | SIM – PHI Download – under development | TBD | DEAA; DEAA Amendment | BAA for each partner |
| Demographic | MDW | NYS DOH Sponsor; Gatekeeper | DEAA; DEAA Amendment | BAA for each partner |
| Member Roster | MAPP – PHI Download | NYS DOH Sponsor; Gatekeeper | DEAA; DEAA Amendment | BAA for each partner |
| Member Roster | Raw Data File – to RAM | N/A | DEAA; DEAA Amendment; RAM Request Form | NOT ALLOWED |
| Member Roster | Raw Data File – to production | Required for downstream data sharing | DEAA; DEAA Amendment; Security Attestation document – NEW | BAA for each partner |
| Member Roster | SIM – Non PHI Download | NYS DOH Sponsor; Gatekeeper | DEAA; DEAA Amendment | N/A |
| Member Roster | SIM – PHI Download – under development | TBD | DEAA; DEAA Amendment | BAA for each partner |
| Member Roster | MDW | NYS DOH Sponsor; Gatekeeper | DEAA; DEAA Amendment | BAA for each partner |
| Claims and Encounter Data | Raw Data File – to RAM | N/A | DEAA; DEAA Amendment; RAM Request Form | NOT ALLOWED |
| Claims and Encounter Data | Raw Data File – to production | Required for downstream data sharing | DEAA; DEAA Amendment; Security Attestation document – NEW | BAA for each partner |
| Claims and Encounter Data | MDW | NYS DOH Sponsor; Gatekeeper | DEAA; DEAA Amendment | BAA for each partner |

Privacy Requirement: PPS should ensure that any data sharing is limited to the minimum necessary for DSRIP project purposes in accordance with the DOH Guidance Documentation: Privacy and Data Sharing within DSRIP.

*All BAA must be DOH compliant and filed with DOH


Questions