Security Assessment Affidavit


I, __________________________________, the Chief Information Security Officer (CISO) am authorized to affirm the
following to be true on behalf of ___________________________________.
                                                                        (PPS Lead Entity)


Section 1: Steps to execute Security Assessment Affidavit

By signing this Affidavit, the CISO attests on behalf of the PPS Lead entity (PPS Lead) that:

  1. He/she is the same CISO who completed and signed the DEAA Addendum.

    If someone other than the current CISO signed and returned the DEAA addendum to the New York State Department of Health (DOH), the current CISO will resubmit the DEAA Addendum at the time of this Affidavit for Security Assessment submission.
  2. The PPS Lead Organization (PPS Lead) has identified the need to enable access to DOH Medicaid Data (data containing Protected Health Information originating from the DOH, including data sets that may be “commingled” by the PPS Lead as part of its own analytic activity) in one or more of the following cases:
    1. Enabling remote and expanded access across the PPS Lead
    2. Enabling access to downstream PPS partners via connection to the PPS Lead IT systems
    3. Sharing DOH Medicaid Data directly to downstream PPS partner

    In Section 2b, below, of this Security Assessment Affidavit, explain the need to enable access to DOH Medicaid Data via remote and expanded access across the PPS Lead as well as, if needed, for enabling access to downstream PPS partners via the PPS Lead IT systems or direct file transfer.
  3. Copies of all relevant contracts and Business Associate Agreements for those downstream partners with a need to access DOH Medicaid data via the PPS Lead systems have been attached to this Affidavit.

    In Section 2c, below, of this Security Assessment Affidavit, provide a list of PPS downstream partners who will be accessing DOH Medicaid Data.
  4. DOH Medicaid Data will remain stored and accessed as per the DEAA Addendum until the PPS Lead has completed the Identity Assurance Level Risk Assessments for each access point and role accessing DOH Medicaid data, and DOH has approved this Affidavit request and notified the PPS Lead.

    Along with the submission of this Security Assessment Affidavit, PPS Lead will include copies of all completed Identity Assurance Level Assessments.
  5. Controls have been implemented on the applicable systems, as prescribed by the completed Identity Assurance Level Assessment(s), which include but are not limited to multi-factor authentication and encryption-at-rest standards.

    In Section 2d, below, of this Security Assessment Affidavit, provide a list of the IT systems that are storing and enabling access to DOH Medicaid data.

    In Section 2e, below, of this Security Assessment Affidavit, provide an adequate description of the controls that are in place to ensure compliance with the following NYS policies and standards:
    1. Identity Assurance Policy [NYS IT Policy No.: NYS-P10-006]
    2. Identity Assurance Standard [NYS IT Policy No.: NYS-S13-004]
    3. Authentication Tokens Standard [NYS IT Policy No.: NYS-S14-006]
  6. Following any meaningful change in business processes, upon the realization of additional risk factors, or at minimum annually, the PPS Lead must re-conduct the Identity Assurance Assessment for each DOH Medicaid data access point and submit the results to DOH by updating this Affidavit. Additionally, PPS Leads are responsible for maintaining records of reported assessment results.
  7. DOH reserves the right to perform compliance assessments of any Applicant, PPS partner organization, or business associate that is accessing and/or sharing DOH Medicaid data under an existing DEAA.
  8. Prior to enabling access to DOH Medicaid data for downstream partners, the PPS Lead must receive notification from DOH that the DSRIP Opt-Out process has been completed. Even if this Security Assessment Affidavit is approved by DOH, providing DOH Medicaid Data to downstream partners via any means is prohibited until the DSRIP Opt-Out process has been completed.
  9. With this Affidavit, the PPS has updated the SSP Overview document, as originally submitted during the DY1Q2 System Security Plan (SSP) submission in the implementation plan. This must include an IT network diagram that clearly depicts the flow of NYS Medicaid Data within the PPS and relevant partners, including downstream access points. A copy of the SSP Overview template is included with this Affidavit as Attachment A: SSP Workbook Overview Document.

Section 2: Third-Party Participation and Evidence

THIRD-PARTY PARTICIPATION

A partner of the PPS Lead provides a service (e.g. analytics) and/or contributes to a component of the system(s) that hosts and provides access to DOH Medicaid Data.

Yes _________ No _________

If Yes:
  1. The PPS Lead must collaborate with each partner to complete the portions of its SSPs that apply to the services being provided by that partner. The SSPs previously submitted by the PPS to the DOH must be updated to include the relevant changes introduced by joining partners, and BAAs as per stipulation #3 above must also be in place. The updated SSPs must be submitted to DOH within one quarter (three months) of this document’s approval.
  2. Where a downstream partner receives DOH Medicaid Data to directly support the business product or operations of the PPS, the PPS will request and receive a formal attestation from the partner that it has implemented and documented the controls identified in Attachment B: Downstream Partner Security Controls, as appropriate. These controls represent those most critical to protecting the privacy and confidentiality of NYS Medicaid Data in reference to the OHIP DEAA. The PPS will retain a copy of this attestation for its records and make copies available to the Department on request. (* , **)
    • * This does not apply to PPS network partners receiving a subset of data from a PPS that maintains DOH Medicaid data fields for their own downstream business use. A BAA for data exchange is the minimum requirement for network partners who do not meet the criteria above as business or operations partners.
    • ** The Department strongly recommends that the PPS require a full set of SSPs from downstream partners, where feasible. Such an SSP would be reviewed and retained by the PPS for its own assurance purposes and not necessarily submitted to DOH.

    Name of Partner                 | Components or services provided or supported
    ________________________________|_____________________________________________
    ________________________________|_____________________________________________
    ________________________________|_____________________________________________
    ________________________________|_____________________________________________
  1. Provide an adequate description of the need to access DOH Medicaid data outside the Medicaid Analytics Performance Portal (MAPP) read-only view. Include any business and technical challenges, as appropriate.






  2. List the downstream partners who will be granted access to DOH Medicaid data within the PPS Lead systems, or via a downstream distribution from the PPS Lead to the partner.

        Organization Name          | Partner Contact          | Partner Phone Number
     1. ___________________________|__________________________|_____________________
     2. ___________________________|__________________________|_____________________
     3. ___________________________|__________________________|_____________________
     4. ___________________________|__________________________|_____________________
     5. ___________________________|__________________________|_____________________
     6. ___________________________|__________________________|_____________________
     7. ___________________________|__________________________|_____________________
     8. ___________________________|__________________________|_____________________
     9. ___________________________|__________________________|_____________________
    10. ___________________________|__________________________|_____________________
  3. List the IT applications and systems that will be storing and providing access to DOH Medicaid data.

    1. ____________________________________________________________________________________

    2. ____________________________________________________________________________________

    3. ____________________________________________________________________________________

    4. ____________________________________________________________________________________

    5. ____________________________________________________________________________________
  4. Provide an adequate description of the controls that are in place to ensure compliance with the NYS policies and standards listed below. Include or attach supporting artifacts, such as screen prints, procedure documents, excerpts from log files, etc., to demonstrate that the controls have been implemented, as appropriate.
    1. Identity Assurance Policy [NYS IT Policy No.: NYS-P10-006]
    2. Identity Assurance Standard [NYS IT Policy No.: NYS-S13-004]
    3. Authentication Tokens Standard [NYS IT Policy No.: NYS-S14-006]

Section 3: Notarized Attestation

Signed,

_______________________________________________________________________________________________________________________________

_______________________________________________________________________________________________________________________________
Address

_______________________________________
Phone Number

_______________________________________
Email Address


Notarization

Subscribed and sworn to before me on

This the ________ day of ___________, ______________




_________________________________________________
Notarization


Return To:

The Office of Health Insurance Programs Privacy Office: doh.sm.Medicaid.Data.Exchange@health.ny.gov

Cc: the DSRIP Program: dsrip@health.ny.gov