

This is a reference document and should be used as a companion when completing the Data Use Agreement (DUA). The Instructions explain the sections and terms of the DUA and provide direction for completing it. The Instructions are for information purposes only and are not intended to serve as legal advice. Specific questions regarding compliance with federal and state laws should be referred to your own legal counsel.

Before completing, please note the language contained in this DUA cannot be altered in any form.

All fields must be completed for the DUA to be accepted by the Security and Privacy Bureau.


The DUA is a legally binding agreement between the Department of Health, Office of Health Insurance Programs (DOH, OHIP), and the Requestor to govern the Requestor's use and access to Medicaid Confidential Data (MCD). A Requestor is the person requesting the access to MCD on their own or their organization's behalf and is also known as the Authorized Individual. The DUA is used when DOH has determined the Requestor's stated purpose benefits the administration of the Medicaid program and meets the minimum necessary standard established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


  • Section 1: Requestor Information
    • Section 1.I. Insert Organization Name: Legal name of the Organization requesting MCD.
    • Section 1.I. Insert Name of Individual Authorized to Bind the Organization: Name of someone who is legally able to bind the organization and able to sign the DUA. This individual is typically a CEO or Executive Director and must sign both the DUA and the Business Associates Agreement (BAA).
    • Section 1.II. Authorized Individual: Same as "Name of Individual Authorized to Bind the Organization" listed above.
    • Section 1.II. Title: Title of the Authorized Individual.
    • Section 1.II. Organization: Same as "Organization Name" listed above.
    • Section 1.II. Address: Physical address of the Organization requesting MCD.
    • Section 1.II. Telephone: Business telephone number of the Authorized Individual.
    • Section 1.II. Email address: Valid business email address of the Authorized Individual.
    • Section 1.II. Contract or Grant Number: Number of the DOH contract or the State or Federal grant number, if applicable.
    • Section 1.II. Entity Type: Check the entity that best describes the Organization requesting MCD.*
      • Qualified Entity (QE): These entities are also known as Regional Health Information Organizations (RHIOs). A QE is a local hub where a region's electronic health information is stored and shared, allowing patient information to be securely shared statewide. There are eight certified QEs in New York State and all fall under the State Health Information Network of New York regulations (SHIN-NY).
      • Health Home (HH): These entities are a group of health care and service providers who work together to develop a care plan that maps out services needed for an individual.
      • Performing Provider System (PPS): These entities are a group of providers that form partnerships and collaborate in a Delivery System Reform Incentive Payment (DSRIP) Project Plan.
      • Value Based Payment (VBP) Participant: An entity that contracts for VBP arrangements with a Managed Care Organization (MCO), and can be an Accountable Care Organization (ACO), an Independent Practice Association (IPA), or an individual provider.
      • Managed Care Organization/Plan (MCO/MCP): A managed care organization (MCO) is a health care provider, group, or organization of medical service providers that offers managed care health plans. Managed care plans are a type of health insurance. They have contracts with health care providers and medical facilities to provide care for members at reduced costs. These providers make up the plan's network.
      • State Entity: Entities that are part of the New York State government.
      • Other Entities: Examples include federal entities, colleges/universities, individual researchers, etc.
  • Section 2: Purpose
    • Section 2.II. Purpose: Describe the purpose of the project and how it would benefit the Medicaid Program.*
  • Section 3: Data Description
    • Section 3.I.A. Data Elements: List the minimum necessary individual Medicaid record level data elements needed (i.e. Client Data, Provider Data, Patient Data). *
    • Section 3.I.B. Date Range: Provide the date range for data requested. *
    • Section 3.I.C. Frequency: State the frequency (i.e. weekly, monthly) and the specific schedule as applicable. *
  • Section 4: Custodian
    • Section 4.V. Lead Custodian: Individual is responsible for maintaining all security arrangements for MCD and for maintaining the list of employee and subcontractor names for those who have access to MCD.
    • Section 4.V. Title: Job title of the Lead Custodian.
    • Section 4.V. Organization: Organization where the Lead Custodian is employed/represents.
    • Section 4.V. Address: Physical address of the Organization.
    • Section 4.V. Telephone: Telephone number of the Lead Custodian.
    • Section 4.V. Email Address: Valid email address of the Lead Custodian.
    • Section 4.V. Date of Signature: Date on which the Lead Custodian signed the DUA.
    • Section 4.V. Signature: Wet signature of the Lead Custodian.
  • VI. Alternate Custodian Assignment Section:
    • Section 4.VI. Alternate Custodian: Individual has the same responsibilities as the Lead Custodian and will act as Custodian if the Lead is unable to perform their duties.
    • Section 4.VI. Title: Job title of the Alternate Custodian.
    • Section 4.VI. Organization: Organization where the Alternate Custodian is employed/represents.
    • Section 4.VI. Address: Physical address of the Organization.
    • Section 4.VI. Telephone: Telephone number of the Alternate Custodian.
    • Section 4.VI. Email Address: Valid email address of the Alternate Custodian.
    • Section 4.VI. Date of Signature: Date on which the Alternate Custodian signs.
    • Section 4.VI. Signature: Wet signature of the Alternate Custodian.
  • Section 6: Data Storage and Access
    • Section 6.I. Type of Storage Environment: Choose the storage environment that applies to your request. This information will be provided to you by DOH prior to the completion of the DUA.
      • Restricted Access Model (Limited Usage): Physically or logically isolated technical environment that is intended to help an organization meet near-term business objectives in a controlled environment, while a permanent technical solution is implemented and authorized. *
      • Production: Managed and controlled environment actively used by the business to support its mission objectives. Typically includes facility, personnel, networking, servers, application components, and workstations. *
      • DOH System Access: Access to MCD using a DOH system housed within the DOH network. This access does not involve the organization possessing any data. *
      • Other: If none of the above accurately describes the planned storage environment, describe it here. *
    • Section 6.I. Title of Location: Applicable for Data Storage and Access types: Restricted Access Model, Production or Other.
    • Section 6.I. Company Housing Data: Name of the company housing the data for your organization.
    • Section 6.I. Address of Location: Physical address of location where data will be housed.
  • Section 7: End Date and Destruction of Data
    • Section 7.I. End Date: Insert the date that the contract, grant, or sponsorship ends. If your request requires sponsorship, the End Date will be provided to you by the sponsor. *
  • Section 10: HIPAA Business Associates Agreement: Provide the completed HIPAA Business Associate Agreement (Attachment A). It must be signed by the same individual who signs the DUA.
  • Section 13: Attestation and Execution
    • Section 13.XII.A. Confidentiality Statement: Insert the Purpose Language (located in Section 2: Purpose, II); the contract number, grant number, or name of sponsor; the DUA Identification Number (provided with receipt of DUA); the contract, grant, or sponsor end date. *
  • End of DUA
    • Date: Date of signature of Requestor. This must be the same individual identified in Section 1 of the DUA.
    • Signature of Requestor: Requestor must sign in the presence of a Notary.
    • Requestor's Name: Full name of the Requestor.
    • Requestor's Title: Title of Requestor as entered in Section 1.II.
    • Organization: Organization as listed in Section 1.II.
    • Address: Physical address as listed in Section 1.II.
    • Notary: Standard Notary required.
    • DOH Acceptance: DOH completes this as evidence of acceptance of the relationship this document represents.

*These sections are prepopulated by the Security and Privacy Bureau.

