Office of Health Insurance Programs (OHIP) Information Privacy Program

The purpose of the OHIP Information Privacy Program is to protect the confidentiality and privacy of New Yorkers enrolled in the Medicaid program. Federal and state laws and regulations provide specific protections for people enrolled in the Medicaid program to ensure that sensitive data, including Protected Health Information (PHI) and Personally Identifiable Information (PII), is shared only under specific conditions.

Sharing OHIP Medicaid Confidential Data (MCD)

MCD consists of NYS Medicaid program members' Medicaid claims data. The NYS Medicaid program may only release this information for specific purposes that serve the administration of the NYS Medicaid program. Federal Medicaid law ensures that MCD may only be used to administer the Medicaid program. It is illegal to use MCD for any other reason.

In NYS, only OHIP can determine whether an MCD request serves the administration of the NYS Medicaid program. If OHIP determines that an MCD requestor may use MCD, the MCD requestor must provide a detailed description of how they will protect the privacy, confidentiality, and security of MCD before the requestor accesses or uses the data.

Data Use Agreement (DUA)

OHIP uses the information provided by the MCD requestor about the use case to determine whether it administers the Medicaid program. This use case information is then used to populate the DUA, a legally binding contract between OHIP and the MCD requestor. The DUA details the specific terms and conditions under which MCD may be released to the MCD requestor. The MCD requestor is responsible for understanding and adhering to the conditions specified in the DUA. Because DUAs are legal contracts, it is essential that MCD requestors carefully read and comprehend the DUA and consult with their legal counsel as appropriate. To ensure compliance with all applicable federal and state laws and regulations, the DUA terms and conditions may not be modified.

MCD requestors complete updates to the DUA with the use of a DUA Addendum.

MCD requestors will provide a description of the update and receive a pre-populated DUA Addendum to execute and submit to the OHIP Security and Privacy Bureau.

MCD requestors also submit a completed Names List form with their DUA submission. The names list includes the names of all individuals who will access the MCD on behalf of the MCD requestor, including contractors and business associates. MCD requestors may obtain a copy of the names list by contacting the Security and Privacy Bureau at:

Business Associate Agreements (BAAs)

A BAA is a contractual agreement between a covered entity and its business associate and must contain the elements specified at 45 CFR 164.504. For more information on BAAs, covered entities, and business associates see the Health and Human Services website.

OHIP must acknowledge an executed BAA between the MCD requestor and each contractor and downstream partner with which the MCD requestor intends to share data before the MCD requestor shares MCD with those organizations. Because the BAA is a legally binding agreement between the MCD requestor and third parties, the Security and Privacy Bureau may not review drafts, or provide legal advice about the contents, of any BAA. The Security and Privacy Bureau will not provide a copy of a BAA for MCD requestors to use. If an MCD requestor requires a BAA, they should consult with their legal counsel and see the Health and Human Services website.

The federal Centers for Medicare & Medicaid Services (CMS) requires that all contracts and agreements executed between the Department of Health and any party that will receive MCD include contract language binding such parties, so that the contractor and business associates abide by the regulations and laws that govern the protection of MCD. OHIP will not acknowledge any BAA that does not include the CMS-required Confidentiality Language for Third Parties. This language may be found in Section 11: Sharing Data with Third Parties, III. The full language required can be found in the DUA, or you may request a copy by contacting the Security and Privacy Bureau at:

Sensitive Data

Under NYS and federal laws, certain data sets have heightened protections in addition to the requirements listed above. A list of these data sets and their corresponding laws is below:

  • Substance Use Disorder (SUD) - 42 CFR Part 2
  • HIV/AIDS - Article 27-F of the New York Public Health Law and 18 NYCRR 360-8.1
  • Mental Health - NYS Mental Hygiene Law Section 33.13
  • Medicaid -
    • Section 367-b(4) of the NY Social Services Law
    • New York State Social Services Law Section 369(4)
    • Social Security Act, 42 USC 1396a(a)(7)
    • Federal regulations at 42 CFR 431.302
  • Genetics - NY Civil Rights Law 79-L
  • PHI - The Health Insurance Portability and Accountability Act (HIPAA), HITECH and the Omnibus Final Rule