Frequently Asked Questions

1. Q: Why can't I edit the header and insert the Identification Number?

A: This field is locked and only editable by the OHIP Security and Privacy Bureau (the Bureau). You will receive an Identification Number when the Bureau provides you with a pre-populated DUA.

2. Q: Who can be an authorized individual/MCD requestor?

A: Anyone able to legally bind the requesting organization to contracts. If you are unsure who should sign the DUA, speak to your legal counsel.

3. Q: In Section 1.II, what if we do not have a contract or grant number?

A: Leave the field blank.

4. Q: In Section 2, why must our purpose administer the Medicaid program?

A: Per §1902(a)(7) of the Federal Social Security Act (42 USC §1396a(a)(7)) and §369 of the New York State Social Security Law, data may only be released by New York State Medicaid for purposes which administer the Medicaid program.

5. Q: In Section 4.III, is the notice of a change in Custodian requirement within 24 hours after knowledge of the change or after the occurrence itself?

A: Within 24 business hours after knowledge of the change.

6. Q: Who should be a Custodian?

A: A member of the requesting entity who can be relied on to maintain the Names List and assist in ensuring the necessary security and privacy protocols are in place. If a third-party contractor is hosting MCD on the requesting entity's behalf, at least one person from this entity should be designated as a Custodian.

7. Q: What constitutes written approval for transfer of data from the environment listed in Section 6 of the DUA?

A: Acceptance of a DUA Addendum that lists the new environment.

8. Q: What should my organization select under Type of Storage Environment in Section 6?

A: This is pre-determined by the Bureau and the respective OHIP program area.

9. Q: Is there any flexibility to the offshoring policy of Section 8 in the DUA?

A: No. DOH does not permit access to MCD from outside the United States and its territories.

10. Q: What if there is no end date for our project? Must we enter an end date?

A: All DUAs require an end date. This does not mean your project ends but indicates that your DUA will be re-evaluated periodically. If, after the evaluation, your purpose is determined to still be valid, a DUA Addendum will be provided to extend the end date.

11. Q: In Section 13.XIII., what do we put for DUA Identification Number?

A: This number is prepopulated by the Bureau.

12. Q: If we do not agree with the language in the DUA, can we propose changes?

A: No, OHIP does not accept changes to the DUA.

13. Q: What is the purpose of the number at the top of the pages?

A: The number at the top of the page is the identification number assigned to your DUA. It is on every page so that anyone reviewing the DUA will know instantly what DUA they are viewing.

14. Q: How does my organization make updates to our DUA after it is submitted?

A: Reach out to the Medicaid Data Exchange Mailbox [] and a DUA Addendum will be provided.

15. Q: Does Attachment B - Data Destruction Affidavit Form need to be filled out and submitted when the DUA is submitted?

A: No, the Data Destruction Affidavit Form is submitted once the DUA is expired or the project completes and after the Data Destruction has concluded.

16. Q: Why do I need to complete a BAA with the OHIP?

A: When you access or possess MCD from OHIP to administer the Medicaid program, you become a Business Associate of OHIP, which is a Covered Entity.

17. Q: What entity should be entered in the Business Associate section of the BAA?

A: The same entity listed on the DUA that is requesting access to MCD.

18. Q: Who should sign the BAA?

A: The same individual who signs the DUA.

19. Q: What must be in place between the requesting entity and third parties with whom they will share MCD?

A: A BAA containing the language required in Section 11.III of the DUA.

20. Q: Do I need to submit all BAAs with Third Parties to the Bureau?

A: Only the BAAs for those who will be storing, processing, accessing, or transmitting

21. Q: When we submit the completed DUA document to DOH, do we need to include all signed BAAs?

A: Requestors should submit only those BAAs between themselves and their business associates if those business associates will access Medicaid data. If the requestor establishes a relationship with a new business associate that will access Medicaid data, they should submit those BAAs as well.

22. Q: What is required with the language found in Section 11.III, Third Party Confidentiality Language?

A: The language found in Section 11.III Third Party Confidentiality Language of the DUA must be included in any BAA between your organization and other parties with whom you intend to share MCD. If this language is not in the BAA, the Bureau will not acknowledge the BAA and the third party will not have access to MCD.

23. Q: The Third-Party Confidentiality Language is not in our BAA. Is this okay?

A: The Bureau will not acknowledge BAAs that do not contain this language and your Business Associate will not be able to access MCD.

24. Q: Does the Bureau have a copy of a BAA we can use?

A: The Bureau is unable to provide a BAA for your use with a third party. You should speak to your organization's legal counsel to draft an appropriate BAA.

25. Q: Do you review drafts of our BAA to verify that all required information is contained in the agreement?

A: This is a legal document between the requesting entity and its Business Associate and should be reviewed by your organization's legal counsel. We only review executed BAAs.

26. Q: What individuals need to be included on the names template?

A: Each requesting entity must document the name of every individual accessing MCD on their behalf, in any fashion, on the Names List. If a contractor is performing any service, such as running analytics or hosting data, that results in MCD access, then the requesting entity should include the names of the contractors on the Names List.

27. Q: What is the Identification Number?

A: The DUA Identification Number provided by the Bureau.

28. Q: What is entered in the Start and End Date fields?

A: The dates the individual listed in the Names List started and stopped accessing MCD. It is understood that the start date may not always be exact.

29. Q: Is it acceptable to send the updated Names List via regular email, or do you prefer the secured portal?

A: The Names List can be submitted via email to the Medicaid Data Exchange Mailbox.

30. Q: If our subcontractor has a breach, is our organization held responsible?

A: You should speak to your organization's legal counsel.

31. Q: If we need to publish our board notes do they still need to go through the OHIP publication committee?

A: Yes. You should provide the notes for review to

32. Q: What if we have less than 45 days to publish our report?

A: Contact the publication committee at:

33. Q: When do we submit the Data Destruction Affidavit?

A: Complete and submit the Data Destruction Affidavit within 30 days after the project ends.

34. MCD requestor
  • Individual requesting MCD on behalf of the Requesting Entity
  • Authorized to legally bind the organization, such as a CEO
  • Also known in Section 1 as Authorized Individual
35. Custodian(s)
  • Individual charged with the responsibility to ensure security and privacy within the requesting organization
  • Keeps track of employees and all individuals who will access MCD
  • Provides Names List of employees to the Bureau quarterly
36. Contractor/Vendor
  • Contracted by requesting organization to perform a service
  • If accessing MCD, must be on a Names List submitted quarterly to the Bureau
  • BAA must be on file and acknowledged by the Bureau
37. Subcontractor/Business Associate
  • Person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity
  • These terms are used interchangeably in the DUA
38. Medicaid Confidential Data (MCD)
  • Includes but is not limited to: names and addresses of Medicaid applicants/recipients, medical services provided, social and economic conditions or circumstances, NYSDOH evaluation of personal information, medical data, including diagnosis and past history of disease and disability, any information regarding income eligibility and amount of Medicaid payment, income information and information regarding the identification of third parties.
  • Each element of Medicaid confidential data is confidential regardless of the document or mode of communication or storage in which it is found.
39. Q: How often does my organization need to complete a third-party attestation assessment?

A: Risks must be assessed whenever a major scope change is requested. Depending on the risk to the department, leadership will determine whether additional documentation is necessary, or the independent assessment is required. Please refer to the Bureau's Third-Party Assessor audit requirements for more information.

40. Q: How frequently should POA&M updates be delivered to the Bureau?

A: At a minimum, the Bureau requires quarterly POA&M updates.

41. Q: How do I submit documentation to the Bureau?

A: There are two options:

  1. The Health Commerce System (HCS) Secure File Transport (SFT) service for sensitive and encrypted files: HCS Bureau Security Mailbox
  2. The Security & Privacy Data Exchange Mailbox for general questions and unencrypted files:

42. Q: How do I determine scope for the System Security Plan attestation (attestation)?

A: When scoping the attestation, the organization must include the systems that store, process, or provide access to OHIP MCD in a production environment.

43. Q: How many controls does my organization need to attest to?

A: There are 215 individual controls on the System Security Plan (SSP) Critical Controls attestation.

44. Q: When does my organization's third-party assessment need to be submitted to the Bureau?

A: Within six months of the attestation authorization letter date.

45. Q: How does my organization select a third-party assessor?

A: OHIP cannot recommend any program or vendor. Please refer to the SSP v3.1 Critical Control Attestation Guidance document for more information.

46. Q: Does my organization need to submit System Security Plan (SSP) Workbooks to the Bureau?

A: No, the Bureau does not require a copy of an entity's SSP Workbooks. The Security and Privacy Bureau recommends your organization retain a copy of your SSP Workbooks for the third-party assessor.

47. Q: What artifacts does my organization need to submit with the attestation?

A: Submit policies that support the requirements of the individual attestation controls. Policies should be indexed and referenced by page number in the attestation. Please reference the sample Access Control Policy as an example policy.

48. Q: Is my organization's SSP attestation or artifacts subject to FOIL (Freedom of Information Law)?

A: No. Under the Freedom of Information Law (Sections 84-90), §87 (Access to agency records), subdivision 2(i), exempts records that, if disclosed, would jeopardize the capacity of an agency or an entity that has shared information with an agency to guarantee the security of its information technology assets, such assets encompassing both electronic information systems and infrastructures.

49. Q: Can my organization send draft responses to the Bureau before the Attestation submission to request comments and ensure the responses are acceptable?

A: Unfortunately, the Bureau cannot process partial submissions or drafts. Questions submitted to the Bureau mailbox [] will be answered as quickly as possible.