Data Exchange and Health Homes Serving Children:
Data Exchange Application & Agreements for Health Homes Serving Children
May 27, 2015
Purpose of Today's Webinar
- To provide an understanding of the Medicaid Confidential Data (MCD) and Protected Health Information (PHI) privacy laws and regulations
- To review the policies and procedures around sharing MCD and PHI provided by New York State with Health Homes
- To review the policies and procedures around Health Homes sharing MCD and PHI with Health Home care managers
- Next Steps
Data Exchange: Minimum Necessary Standard
A Federal and State requirement for data sharing is to abide by the Minimum Necessary standard:
"When using or disclosing PHI (prior to consent), or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the "minimum necessary" to accomplish the intended purpose of the use, disclosure or request."
Source: HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162 & 164
- Staff can access only Personally Identifiable Information (PII) & Protected Health Information (PHI) needed to do their jobs
- Much data analysis can be obtained with aggregate data, eliminating the need to access PHI or PII
- PHI is similar to PII, except it relates specifically to health information
Source: 45 CFR §§ 164.530, 164.502
Data Exchange Requirements for Sharing Limited PHI Prior to Member Consent
- Health Homes are required, by State and Federal Laws, to have Data Exchange Application Agreements with NYSDOH in order to share minimum necessary data prior to obtaining signed informed consent
- Health Homes, care managers, and plans will have access to the Medicaid Analytics Performance Portal (MAPP), the successor to the current Health Home Tracking System (HHTS), on August 15, 2015
- To facilitate outreach efforts (i.e., locating adult Medicaid members that have been identified as potentially Health Home eligible and placed on an assignment list), the MAPP (and currently the HHTS) provides "minimum PHI" for Medicaid members (i.e., CIN, name, address, PHI from the last five claims and encounters)
- Although children will be enrolled in Health Homes through a referral process (see April 29 and May 11, 2015 Webinars at DOH Website for more information), the minimum PHI information described above for Medicaid members that are children will be available in MAPP and may be used by Health Homes, care managers, and Plans to assist in the referral process and care planning
- To allow the limited PHI information for both children and adults to be shared prior to consent, the following agreements must be in place:
- Data Exchange Application Agreements (DEAAs) between the New York State Department of Health and the lead Health Homes
- Existing Health Homes that also become designated to serve children will not need to amend DEAAs that have been accepted and are on file with the Department
- New Health Homes must enter into DEAAs with the Department
- Business Associate Agreements (BAAs) between Health Homes and care management agencies
- Existing Health Homes will need to enter into BAAs with any new care management agencies they contract with
- New Health Homes must enter into BAAs with care management agencies they contract with
- It is a Federal Health Insurance Portability and Accountability Act (HIPAA) and NYS Medicaid violation to share protected health information on Medicaid beneficiaries without an approved Data Exchange Application and Agreement (DEAA), or written informed consent from the recipient (Source: §160.202 and § 160.203 of HIPAA)
MAPP Access and DEAA/BAA Requirements
- Each Health Home serving children must designate a Lead Gatekeeper (and an alternate)
- The role of the Lead Gatekeeper is to:
- Coordinate, authorize and manage their organization's MAPP users, assign the MAPP access type/role (Worker, Screener and Read Only role) to each user, and authorize such users to access PHI data (Section 1B of the DEAA)
- Gatekeepers must be aware of HIPAA regulations regarding data sharing and confidentiality
- Existing Health Homes have been working to establish Gatekeepers and assign user roles for MAPP access
- Following the designation of Health Homes for children (scheduled for June 15, 2015) the State will provide information regarding MAPP access
- DEAAs for Lead Health Homes and BAAs for care management agencies MUST be in place prior to granting such parties access to MAPP
Overview of Data Exchange Application Agreements and Business Associate Agreements Templates
DEAA Sections 1–3
1A: Demographic Information, Name and Title of person that can legally bind the organization to the terms of the agreement;
1B: Names of Gatekeepers and alternates that will keep track of who has access to information;
2: Project Purpose (this will be prepopulated by NYSDOH);
3: Deliverables–rules regarding publication of any data;
DEAA Section 4: Medicaid Data Elements
- The following individual Medicaid record level data elements may be made available:
- Medicaid beneficiary demographics, including but not limited to name, address, DOB, gender and CIN (client identification number).
- Eligibility data by Medicaid beneficiary including the eligibility start–end dates to facilitate enrollee recertification.
- Provider demographic data by Medicaid provider, Medicaid provider addresses at which they receive correspondence (including provider type) for all current Medicaid providers who have serviced at least one of the Health Home eligible population during historical and current time frame.
- Upon consent and functionality availability, Medicaid claims data for Health Homes enrolled members will be provided
DEAA Sections 5–11
- 5 – BEGIN AND END DATES
- 6 – STORAGE AND DISPOSAL OF DATA
- 7 – MODIFICATIONS
- 8 – LIMITATIONS & LIABILITIES
- 9 – ASSIGNMENT
- 10 – ATTESTATION REGARDING PRIVACY/SECURITY OF MEDICAID CONFIDENTIAL DATA
- 11 – EXECUTORY CLAUSE (must be signed and Notarized)
DEAA Section 12–Attachments
Attachment A: Third Party Contractor Language
Attachment B: HIPAA Business Associate Agreement
Attachment C: Data Disposal Attestation Form
Attachment D: Subcontractor Documentation
Attachment A
You must comply with the following state and federal laws and regulations:
- Section 367b(4) of the NY Social Services Law
- New York State Social Services Law Section 369 (4)
- Article 27–F of the New York Public Health Law + 18 NYCRR 360–8.1
- Social Security Act, 42 USC 1396a (a)(7)
- Federal regulations at 42 CFR 431.302, 42 CFR Part 2
- The Health Insurance Portability and Accountability Act (HIPAA), at 45 CFR Parts 160 and 164
Please note that MCD released to you may contain AIDS/HIV related confidential information as defined in Section 2780(7) of the New York Public Health Law. As required by New York Public Health Law Section 2782(5), the following notice is provided to you:
"This information has been disclosed to you from confidential records which are protected by state law. State law prohibits you from making any further disclosure of this information without the specific written consent of the person to whom it pertains, or as otherwise permitted by law. Any unauthorized further disclosure in violation of state law may result in a fine or jail sentence or both. A general authorization for the release of medical or other information is NOT sufficient authorization for the release for further disclosure."
Alcohol and Substance Abuse Related Confidentiality Restrictions:
Alcohol and substance abuse information is confidential pursuant to 42 CFR Part
General authorizations are ineffective to obtain the release of such data. The federal regulations provide for a specific release for such data.
You agree to ensure that you and any agent, including a subcontractor, to whom you provide MCD/PHI, agrees to the same restrictions and conditions that apply throughout this Agreement. Further, you agree to state in any such agreement, contract or document that the party to whom you are providing the MCD/PHI may not further disclose it without the prior written approval of the New York State Department of Health. You agree to include the notices preceding, as well as references to statutory and regulatory citations set forth above, in any agreement, contract or document that you enter into that involves MCD/PHI.
ANY AGREEMENT, CONTRACT OR DOCUMENT WITH A SUBCONTRACTOR MUST CONTAIN ALL OF THE ABOVE PROVISIONS PERTAINING TO CONFIDENTIALITY. IT MUST CONTAIN THE HIV/AIDS NOTICE AS WELL AS A STATEMENT THAT THE SUBCONTRACTOR MAY NOT USE OR DISCLOSE THE MCD WITHOUT THE PRIOR WRITTEN APPROVAL OF THE NYSDOH.
Applicant Signature: ______________________________________________ Date……/……/…………
Name Printed: [Insert contractor's name and office held] Company: [Insert name of your Health Home]
Attachment B HIPAA Business Associate Agreement (BAA)
ATTACHMENT B
HIPAA Business Associate Agreement
To be signed by CONTRACTOR that uses or discloses individually identifiable health information on behalf of a New York State Department of Health HIPAA–Covered Program
Definitions. For purposes of this AGREEMENT:
"Business Associate" shall mean: [Insert name of your Health Home]
"Covered Program" shall mean: NYS Department of Health Office of Health Insurance Programs
Other terms used, but not otherwise defined, in this AGREEMENT shall have the same meaning as those terms in the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH") and implementing regulations, including those at 45 CFR Parts 160 and 164.
Obligations and Activities of Business Associate:
- Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this AGREEMENT or as Required By Law.
- Business Associate agrees to use the appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this AGREEMENT, and to comply with the security standards for the protection of electronic protected health information in 45 CFR Part 164, Subpart C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this AGREEMENT.
- Business Associate agrees to report to Covered Program as soon as reasonably practicable any use or disclosure of the Protected Health Information not provided for by this AGREEMENT of which it becomes aware. Business Associate also agrees to report to Covered Program any Breach of Unsecured Protected Health Information of which it becomes aware. Such report shall include, to the extent possible:
- A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
- A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches; and
- Contact procedures for Covered Program to ask questions or learn additional information.
- Business Associate agrees, in accordance with 45 CFR § 164.502(e)(1)(ii), to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such information.
- Business Associate agrees to provide access, at the request of Covered Program, and in the time and manner designated by Covered Program, to Protected Health Information in a Designated Record Set, to Covered Program in order for Covered Program to comply with 45 CFR § 164.524.
- Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Program directs in order for Covered Program to comply with 45 CFR § 164.526.
- Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Program to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528; and Business Associate agrees to provide to Covered Program, in time and manner designated by Covered Program, information collected in accordance with this AGREEMENT, to permit Covered Program to comply with 45 CFR § 164.528.
- Business Associate agrees, to the extent the Business Associate is to carry out Covered Program's obligation under 45 CFR Part 164, Subpart E, to comply with the requirements of 45 CFR Part 164, Subpart E that apply to Covered Program in the performance of such obligation.
- Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Program available to Covered Program, or to the Secretary of the federal Department of Health and Human Services, in a time and manner designated by Covered Program or the Secretary, for purposes of the Secretary determining Covered Program's compliance with HIPAA, HITECH and 45 CFR Parts 160 and 164.
- Permitted Uses and Disclosures by Business Associate
- Except as otherwise limited in this AGREEMENT, Business Associate may only use or disclose Protected Health Information as necessary to perform functions, activities, or services for, or on behalf of, Covered Program as specified in this AGREEMENT.
- Business Associate may use Protected Health Information for the proper management and administration of Business Associate. Business Associate may disclose Protected Health Information as Required by Law.
- Term and Termination
- This AGREEMENT shall be effective for the term as specified on the cover page of this AGREEMENT, after which time all of the Protected Health Information provided by the Covered Program to Business Associate, or created or received by Business Associate on behalf of Covered Program, shall be destroyed or returned to Covered Program; provided that, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this AGREEMENT.
- Termination for Cause. Upon Covered Program's knowledge of a material breach by Business Associate, Covered Program may provide an opportunity for Business Associate to cure the breach and end the violation or may terminate this AGREEMENT if Business Associate does not cure the breach and end the violation within the time specified by Covered Program, or Covered Program may immediately terminate this AGREEMENT if Business Associate has breached a material term of this AGREEMENT and cure is not possible.
- Effect of Termination.
- Except as provided in paragraph (c)(2) below, upon termination of this AGREEMENT, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Program or created or received by Business Associate on behalf of Covered Program. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
- In the event that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Program notification of the conditions that make return or destruction infeasible. Upon mutual agreement of Business Associate and Covered Program that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this AGREEMENT to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- Violations
- Any violation of this AGREEMENT may cause irreparable harm to the STATE. Therefore, the STATE may seek any legal remedy, including an injunction or specific performance for such harm, without bond, security or necessity of demonstrating actual damages.
- Business Associate shall indemnify and hold the STATE harmless against all claims and costs resulting from acts/omissions of Business Associate in connection with Business Associate's obligations under this AGREEMENT. Business Associate shall be fully liable for the actions of its agents, employees, partners or subcontractors and shall fully indemnify and save harmless the STATE from suits, actions, damages and costs, of every name and description relating to breach notification required by 45 CFR Part 164 Subpart D, or State Technology Law § 208, caused by any intentional act or negligence of Business Associate, its agents, employees, partners or subcontractors, without limitation; provided, however, that Business Associate shall not indemnify for that portion of any claim, loss or damage arising hereunder due to the negligent act or failure to act of the STATE.
- Miscellaneous
Regulatory References. A reference in this AGREEMENT to a section in the Code of Federal Regulations means the section as in effect or as amended, and for which compliance is required.
Amendment. Business Associate and Covered Program agree to take such action as is necessary to amend this AGREEMENT from time to time as is necessary for Covered Program to comply with the requirements of HIPAA, HITECH and 45 CFR Parts 160 and 164.
Survival. The respective rights and obligations of Business Associate under (IV)(C) of this Appendix H of this AGREEMENT shall survive the termination of this AGREEMENT.
Interpretation. Any ambiguity in this AGREEMENT shall be resolved in favor of a meaning that permits Covered Program to comply with HIPAA, HITECH and 45 CFR Parts 160 and 164.
HIV/AIDS. If HIV/AIDS information is to be disclosed under this AGREEMENT, Business Associate acknowledges that it has been informed of the confidentiality requirements of Public Health Law Article 27–F.
(Signature of CEO/President, required)
Attachment C: Data Disposal Attestation Form
- Please note that Attachment C is an affidavit and is to be held until the termination of your Data Exchange Agreement
Attachment D: Subcontractor Documentation
ATTACHMENT D: SUBCONTRACTOR DOCUMENTATION [Insert Name of Lead Health Home]
Please list the names, addresses, phone numbers and email addresses of all subcontractors. You are responsible to maintain a current listing of all your subcontractor's individuals who access Medicaid data. This list may need to be provided to NYSDOH in the event of a NYS or a CMS audit. (Add more lines as necessary).
Subcontractor A: _________________________________________________________________________________
Address _______________________________ City ______________________ State ______ Zip Code: _____________
Phone: ____________________________________ email address: ___________________________________________
Acknowledgement of Business Associate Agreement (BAA) on file: ____________ YES NO
If YES, please attach copy of BAA
QUESTIONS:
Caryl Shakshober, MS, Privacy Coordinator
New York State Department of Health
Office of Health Insurance Programs
Division of Program Development & Management
Corning Tower (OCP 720)
Albany, NY 12237
518–486–5771
hhsc@health.ny.gov