Data Sources Security & Privacy Update
- Update is also available in Portable Document Format (PDF)
Alison Pingelski, DOH DOS Deputy Director, Security and Privacy Bureau
September 11, 2017
DOH DOS Update
- PPS Progress toward Production
- SIPPS, AHI and SCC are approved for Production
- Maimonides submitted 9/8 – under review
- DLA approved adding gender for matching
- DOH added address to MAPP Download
- Production sharing use case review
MAPP Download Fields
Attribution | Performance Measure |
---|---|
Medicaid CIN# | Medicaid CIN# |
Member Name | Member Name |
Attribution Category | Numerator |
Attribution Length | |
Sex | Sex |
DOB | DOB |
PPS | PPS |
Managed Care Plan | Managed Care Plan |
Health Home (HH) | Health Home (HH) |
Care Management Agency | Care Management Agency |
Downstream Shareable | Downstream Shareable |
Current Medicaid Enrollment | Current Medicaid Enrollment |
Eligible Date | Eligible Date |
Shareable Date | Shareable Date |
PSYCKES Indicator | PSYCKES Indicator |
Address | |
Elements for Data Matching
- Limited to those members who have shareable indicator of "Y"
- Expansion from two data elements to FIVE for matching purposes only
- Sharing commingled data is still limited to the Name & CIN from the claims files or MAPP Export until approved for production:
- Name
- CIN
- Date of Birth
- Address
- Gender
PPS should ensure that any data sharing is limited to the minimum necessary for DSRIP project purposes in accordance with the DOH Guidance Documentation: Privacy and Data Sharing within DSRIP.
Use Cases – Under review
Admin DOH MCD/PHI sharing DOH –> PPS Lead –> PPS Downstream Providers based on "Opt–Out" (blue lines in DST deck DSRIP Data Sharing Nov 2014 pg 5/5)
- PPS operated Production environment – DOH MDW Claims and Encounter data less SAMHSA; DEAA and Addendum; downstream provider BAA on file with DOH; PPS attributed patients less Opt–Out and Shareable Flag = 'N'; HIPAA minimum necessary rule; subject to advice from PPS Lead Legal Counsel
- QE operated Production environment – same rules as PPS operated – or materially different?; QE use of PPS Roster (Attributed Patients less Opt–Out and Shareable Flag = 'N') enabled Clinical Event Notifications (CENs) transmission to PPS Lead and downstream Providers – from only PPS Providers? – from all Providers? – less SAMHSA?
- 3rd Party operated Production environment – same rules as PPS
HIPAA Affirmative Consent or 1:1 Exchange (Referral, Consult) enabled DOH MCD/PHI sharing (red lines in DST deck DSRIP Data Sharing Nov 2014 pg 5/5)
- QE as host – all known Medicaid members in QE(?); DOH MCD/PHI less financials; sourced from all providers of all types; normal QE rules re Affirmative Consent apply; standard QE distribution channels available (Portal, Data Extract, Electronic Interface, CCD)
- PPS as host – same rules as QE?
- 3rd Party as host – same rules as PPS?
Business Arrangement (2 way BAAs, 1:1 Exchange, OHCA, etc.) enabled DOH MCD/PHI sharing based on Jun 2017 DSRIP Privacy Guidance, Other
- QE as host – 2 WAY BAAs and 1:1 Exchange "instructions" from PPS Lead executed and on file with QE; PPS attributed members only – less Opt Out? – with Shareable Flag = "Y"? – less SAMHSA data?; sourced only from PPS Lead and PPS providers and distributed only to PPS Lead and Providers
- PPS as host – similar to QE, appropriate business arrangements
- 3rd Party as host – same rules as PPS
Scenarios for PPS Use and Sharing of DOH MCD/PHI accessed directly from DOH
- PPS Lead, either in PPS operated Production environment (incl 3rd Party) or QE operated Production environment, processes DOH MCD/PHI, possibly commingled with other PHI from PPS Providers, and shares (via PHM Analytics Portal, Reports, Data Extracts) with downstream providers for performance reporting, gaps/overlaps in care, outreach, etc.
- PPS Lead requests that QE provide (transmit) Clinical Event Notifications (CENs) to PPS downstream providers, directly or via PPS Lead system, based on Attributed Patient Roster – less Opt–Out and Shareable = 'N' patients, and less SAMHSA events/data
- PPS Lead requests that QE provide DOH MCD/PHI directly via Portal, CCD, or extract, or via PPS Lead system, to PPS downstream providers based on Attributed Patient Roster – less Opt–Out and Shareable = 'N' patients, and less SAMHSA events/data
DCE should ensure that any data sharing is limited to the minimum necessary for DSRIP project purposes in accordance with the DOH Guidance Documentation: Privacy and Data Sharing within DSRIP.
Data Source, Access and Sharing
PHI from State Medicaid Sources | Type of Access | Program Requirement | Security Requirement for PPS Lead | Security Requirement for PPS Lead Sharing Downstream | Privacy Requirement |
---|---|---|---|---|---|
Demographic | MAPP – PHI Download | | | | PPS should ensure that any data sharing is limited to the minimum necessary for DSRIP project purposes in accordance with the DOH Guidance Documentation: Privacy and Data Sharing within DSRIP. |
Demographic | Raw Data File – to RAM | | | NOT ALLOWED | |
Demographic | Raw Data File – to production | | | | |
Demographic | SIM – PHI Download – under development | TBD | | | |
Demographic | MDW | | | | |
Member Roster | MAPP – PHI Download | | | | |
Member Roster | Raw Data File – to RAM | | | NOT ALLOWED | |
Member Roster | Raw Data File – to production | | | | |
Member Roster | SIM – Non PHI Download | | | | |
Member Roster | SIM – PHI Download – under development | TBD | | | |
Member Roster | MDW | | | | |
Claims and Encounter Data | Raw Data File – to RAM | | | NOT ALLOWED | |
Claims and Encounter Data | Raw Data File – to production | | | | |
Claims and Encounter Data | MDW | | | | |
*All BAA must be DOH compliant and filed with DOH
Questions
- Data Access: Contact the Division of Operations and Systems Security and Privacy Bureau at doh.sm.Medicaid.data.Exchange@health.ny.gov
- DSRIP Program and goals: Contact DSRIP at DSRIP@health.ny.gov