Data Sharing and Security Update


December 8, 2017


Agenda


SSP Attestation Update

  • 4 PPS' Production Environments Approved:
    • Staten Island PPS
    • Adirondack Health Institute
    • Suffolk Care Collaborative
    • Care Compass Network
  • 8 PPS' Submissions in Progress:
    • Millennium Collaborative Care
    • SBH Health System
    • New York City Health & Hospitals Corporation
    • Maimonides Medical Center
    • Better Health for Northeast New York (AMC)
    • Advocate Community Providers
    • Montefiore Medical Center
    • Central New York Care Collaborative

Common Problems and Lessons Learned

  • The SSP Attestation requires the PPS to submit documented policies and procedures to satisfy the "dash-one" control requirements.
  • Policies and procedures from vendors that host PPS production systems must be submitted with the SSP Attestation.
  • PPSs have commonly declared required controls that have not been implemented to be "not applicable". This has resulted in the need for re-submission and further discussion.
  • A number of PPSs have changed the personnel assigned to working with the Bureau to complete SSP Attestations. This has required DOS to provide training for the new personnel as they gain experience with the process.

Data Sharing Grid Updates

  • Added footnote to "Security Requirement for PPS Lead Sharing Downstream"**
    • **Refer to the Business Associate Agreement (BAA), section II, B: "Business Associate agrees to use the appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this AGREEMENT, and to comply with the security standards for the protection of electronic protected health information in 45 CFR Part 164, Subpart C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this AGREEMENT." and BAA section II, D: "Business Associate agrees, in accordance with 45 CFR 164.502(e)(1)(ii), to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such information."
    • PPS Leads should consult corporate counsel regarding responsibilities under HIPAA between their organization and the Department, and the responsibilities of their downstream partners to them.
  • Added PPS Downstream Sharing
    • PPS should follow HIPAA and, where applicable, consult with their legal counsel

Data Use Agreement (DUA) Implementation

  • The Security and Privacy Bureau has retired the use of the Data Exchange Application and Agreement (DEAA) and its Amendments
  • Any entity that contacts the Bureau to perform a DEAA update will receive a DUA to complete instead
  • The Bureau will migrate all PPSs to the DUA beginning in January 2018

Sandbox Pilot Update


MAPP 2.0 Summary

  • Orchestration Console to manage all MAPP data
  • Tableau Dashboards capable of flexible and rapid drill downs and roll ups, allowing for analysis of the data at multiple granularities
  • Secure Data Assistant to deliver self-defined high-volume data via encrypted files to the user's desktop
  • Dynamic Analytics Platform allowing the user to provision their platform, populate it with data, and operate on it with a flexible set of analytics

Current Status: MAPP 2.0 Release 1: DSRIP Functionality: Target all PPS in February 2018


Sandbox Pilot Update – December 2017

  • The purpose of the sandbox is to pilot Dynamic Analytics Platform (DAP). DAP will provide super user access to the data and tools to meet the detailed analysis needs of the PPS.
  • DAP is a component of MAPP 2.0
  • The 3 PPS participating in the sandbox:
    • Bronx Health Access (Bronx Lebanon)
    • Bronx Partners for Healthy Communities (St. Barnabas)
    • Nassau Queens PPS
  • Current Status: Team is working on VPN connection, DUA and Security attestations for 3 PPS

Sandbox Pilot Update – December 2017

  • Sandbox users will be able to:
    • Utilize Oracle database
    • Tableau analytics
    • Select their MDW data sets
      • Initial Pilot data: Member Roster, Claims file and shred file
      • Data will be updated monthly
  • Expected pilot feedback:
    • Each PPS will utilize the pilot DAP and provide end user feedback on setup, capabilities and how it meets the PPS use cases.
    • Lessons Learned will be applied to improve larger scale rollout