Data Security and Information Sharing

Identity Assurance Level Assessment and Security Affidavit Process Flow

Identity Assurance Level Assessment Worksheet:

The New York State Department of Health is committed to ensuring that Medicaid data containing Protected Health Information (PHI) originating from the DOH (hereafter referred to as DOH Medicaid data) follows secure channels of access. This section contains information regarding measures PPS Leads must take to obtain and access DOH Medicaid data.

Two worksheets are provided as examples of completed Identity Assurance Level Assessments. The necessity of the Identity Assurance Assessment is outlined within the DEAA addendum.

This document is provided for added clarity regarding the Security Assessment Affidavit to be completed by the PPS Lead as stated in the DEAA addendum. This is intended for illustrative purposes only. Please refer to the addendum for complete terms and conditions.

As stated in the DEAA addendum, an alternative to the Security Assessment Affidavit process would be to allow PPS employees, member organizations and business associates to access the PPS's Medicaid data via the Medicaid Analytics Performance Portal (MAPP).

Refer to the link below for information regarding MAPP.
http://www.health.ny.gov/health_care/medicaid/redesign/dsrip/medicaid_analytics_performance_portal.htm

As stated in the DEAA Addendum, if a PPS Lead entity wishes to allow either its employees or downstream partners to have remote access to DOH Medicaid data housed in its IT System, an Identity Assurance Level (IAL) Assessment must be completed and, based on the results of the assessment, security controls must be implemented to mitigate identified risks. Additionally, Business Associate Agreements (BAAs) must be updated, as needed, with those PPS downstream partners accessing the DOH Medicaid data, with assurance from downstream partners that the necessary security controls for accessing DOH Medicaid data through the PPS Lead's IT system are in place. Once a PPS Lead has completed the IAL Assessment, implemented the necessary security controls and updated relevant BAAs, the PPS Lead's Chief Information Security Officer (CISO) must then complete and submit the attached Security Assessment Affidavit. DOH will then review the affidavit, verify the implementation of data security controls and notify the PPS Lead when they have been approved to allow broader access to DOH Medicaid data.

Prior to undertaking the IAL Assessment, PPSs are strongly encouraged to assess the use of the Medicaid Analytics Performance Portal (MAPP) as an alternative means of allowing PPS employees and downstream partners access to the PPS's DOH Medicaid data.

This serves as an accompanying attachment to the Security Assessment Affidavit. This is an updated version of the Overview Document that PPSs have submitted or will submit along with their Systems Security Plans, and it will be required as an update along with the S.A.A.

  • S.A.A. Attachment B – Downstream Partner Security Controls

This document also accompanies the Security Assessment Affidavit and notifies the PPS of the controls that, at minimum, the PPS must have documented as implemented by downstream partners contributing to the business product or operations of the PPS Lead Organization. The intent of this minimum set of control documentation is to ensure that the controls most directly aligned with the privacy and security requirements within the OHIP DEAA are accounted for by partners that are receiving a data set from the PPS of the same or similar volume as the PPS has gained from NYS directly.