1.    Basis and Purpose

2.    State Plan Requirements

3.    Purpose Directly Related To State Plan Administration

4.   State Authority For Safeguarding Information

5.   Publicizing Safeguarding Requirements

6.   Types of Information To Be Safeguarded

7.   Release of Information

8.   Distribution of Information Materials

9.   Single State Agency

10. Maintenance of Records

11. ePACES Access Control

Question 1: What are Medicaid’s confidentiality standards and who defines them?

FEDERAL MEDICAID CONFIDENTIALITY STANDARDS:

The federal Medicaid confidential data standard is established by §1902(a)(7) of the Social Security Act (42 USC §1396a(a)(7)). The law requires that a “State plan for medical assistance must: (7) provide safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan.” This statutory requirement is implemented in regulations at 42 CFR §431.300 et seq.. 42 CFR §431.302 defines Medicaid program administration to include:

(A)Establishing Eligibility;

(B)Determining the amount of Medical Assistance;

(C)Providing services for recipients; and

(D)Conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to the administration of the plan.

42 C.F.R. §431.306 requires the single state agency to have criteria specifying the conditions for release and use of information about applicants and recipients. The information for which the agency must have criteria to safeguard must include: (1) names and addresses; (2) medical services provided; (3) social and economic conditions; (4) agency evaluation of personal information; (5) medical data, including diagnosis and past history of disease or disability; and (6) any information received for verifying income eligibility and amount of medical assistance payments, of which information received from the Internal Revenue Service (IRS) or Social Security Administration (SSA) must be safeguarded pursuant to the requirements of those agencies.

These criteria apply to all requests for information from outside sources, including governmental bodies, the courts, or law enforcement officials. Access to information concerning applicants or recipients must be restricted to persons or agency representatives who are subject to standards of confidentiality that are comparable to those of the agency. The agency is prohibited from publishing names of applicants or recipients. Furthermore, whenever possible, the agency must obtain permission from the individual or his family before responding to a request for information from an outside source, unless the information is to be used to verify income, eligibility and the amount of medical assistance payments. Before information is requested from or released to another bureau or agency (not part of Medicaid program administration) to verify income, eligibility, and the amount of assistance, the Department must execute data exchange agreements with those agencies. Data exchange agreements are also required before the department may request information from or release information to other agencies to identify third party resources. If an emergency situation prevents the department from obtaining recipient consent prior to release, the department must notify the family or individual immediately after supplying the information. Where a court issues a subpoena for a case record or for any agency representative to testify concerning an applicant or recipient, the department must inform the court of the applicable statutory provisions, policies, and regulations restricting disclosure of information.

Back to top

MEDICAID ALCOHOL AND SUBSTANCE CONFIDENTIALITY RESTRICTIONS:

Federal law also requires that certain confidential drug and alcohol abuse treatment records must be accorded enhanced protection. Requirements pertaining to drug and alcohol treatment records are codified at 42 U.S.C. §290dd-3, which is implemented in regulations at 42 C.F.R. §2.1 et seq.. Records concerning the identity, diagnosis, prognosis, or treatment of any patient which are connected with drug abuse prevention, or alcoholism education, training, treatment, rehabilitation or research, which are conducted, regulated, or directly or indirectly assisted by any department or agency of the United States, may only be disclosed as expressly authorized in §2.1 et seq.. Such records may be disclosed in accordance with the patient’s prior written consent. Whether or not the patient provides written consent, his or her records may be disclosed:

(A)to medical personnel to the extent necessary to meet a bona fide medical emergency;

(B)to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner; and

(C)if authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor.

Back to top

MEDICAID HIV CONFIDENTIALITY RESTRICTIONS:

The Health Care Financing Administration (HCFA) also has issued a State Operations Letter #91-32, regarding the confidentiality and release of Medicaid data concerning persons with AIDS. The letter establishes that sharing of claims data regarding AIDS patients with other state agencies is a violation of federal privacy safeguards. The operations letter notes that while it is a legitimate public health concern to engage in disease prevalence surveillance, federal law and regulations permit disclosure of information concerning Medicaid applicants or recipients, including AIDS data, only for purposes directly related to State Medicaid plan administration.Accordingly, state health departments seeking recipient information for reasons unrelated to administration of the Medicaid program must rely on provider compliance with State reporting requirements. Medicaid data cannot be released for such purposes, including accurate counting of AIDS cases. The HCFA suggests that as an alternative to the release of patient identifying information, Medicaid agencies may provide summary data, including recipient counts and expenditures.

Also note that Medicaid Confidential Data (MCD) may contain HIV related confidential information, as defined in Section 2780(7) of the N.Y. Pub. Health Law. As required by N.Y. Pub. Health Law Section 2782(5). The New York Department of Health hereby provides the following notice:

42CFR 430.306 et. seq. require that the Department enter into a “data exchange agreement” before any data is released. Additionally, on December 18, 1990 the Medicaid Data Security Committee issued a document on Data Exchange Guidelines and Issue Analysis. The purpose of this document was twofold; first to reinforce the Department’s Data Security Policy, and also to provide guidelines for creation of data security processes for each Division. The purpose of this section is to outline the specific role, procedures, and processes through which the Office of Medicaid Management’s data security policy be implemented.

New changes in office automation and data processing have increased the ability of researchers, data warehouse companies, and organizations, outside the Medicaid program, to create large recipient specific databases. With these new technological changes, the Office of Medicaid Management has witnessed an increase in the demand for recipient specific or identifiable data. The role of the New York State Department of Health Office of Medicaid Management’s confidential data review policy is to assess the appropriateness of exchanging and handling these requests for recipient identifiable data. Recipient identifiable data is defined as any individual or summary level Medicaid data that can lead to the identification or re-identification of a Medicaid recipient. New York State Department of Health’s Office of Medicaid Management is required by law, regulation, and policy to safeguard and take specific steps to ensure the confidentiality of recipient-identifiable data. Therefore, Medicaid recipient records can be released only for purposes directly related to the NEW YORK STATE Medicaid program. Medicaid’s data protection policy is set forth in the following cited laws and regulations.

Pursuant to Social Services Law Section 369 (4) which states:

Any inconsistent provision of this chapter or other law notwithstanding, all information received by public welfare officers concerning applicants for and recipients of medical assistance may be disclosed or used only for purposes directly connected with the administration of medical assistance for needy persons.

Also following New York State Department of Health Medicaid State Plan requirements, Social Security Act, Section 1902(a) (7), 42 USC 1396a(a)7) a.d., and federal regulations 42 CFR 431.300 which provide for the protection of recipient specific information.

Back to top

II.Scope:

(A) All inquiries and requests for access to individual recipient level data to be used outside of the Office of Medicaid Management be referred to the Medicaid Data Security Coordinator (DSC). The Medicaid data security policy staff act as primary contact for all confidential data requests.

(B) Medicaid research (e.g. professional, medical, academic, grants or foundation research) be evaluated according to the guidelines set forth in 42 CFR 431.300 et. seq.. Initial decisions on all applications will be made by the Medicaid Confidential Data Review Committee (MCDRC) and referred to Legal for clearance.

(C) Confidential recipient data will be made accessible to the Local Social Services Districts (LSSDs) for authorized Medicaid program-related purposes.

Back to top

III.Medicaid Confidential Data Review Committee Creation:

To facilitate the processing of confidential data requests, the Office of Medicaid Management (formerly the Social Services’, Division of Health & Long Term Care) established the Medicaid Confidential Data Review Committee (MCDRC). This committee consists of representatives from the Bureaus of Eligibility, Medicaid Management Information Systems, Primary Care and Ambulatory Utilization Review, Long Term Care, Managed Care, Legal Affairs and will include the Data Security Coordinator. This committee reports to and is chaired by the Director’s appointed representative. In the absence of the Director’s appointed representative, the MCDRC is chaired by Medicaid’s Data Security Coordinator. The Medicaid Confidential Data Review Committee meets, as needed, to review all requests for confidential data.

(A) The Medicaid Confidential Data Review Committee (MCDRC) has the preliminary authority, subject to Director approval, to determine the appropriateness and merits of all confidential data requests. The MCDRC is responsible for the evaluation of each request. Determinations on each request will at a minimum consider the following:

1. How does the applicant’s request directly relate to the direct administration of the Medicaid program?

2. What specific Medicaid program, policy, rule or law will be affected or changed?

3. What will be the status of internal program priorities relative to the approved confidential request?

4. How will the Office of Medicaid Management’s objectives be helped or impaired by answering a request?

5. What impact or cost (staff and systems resources) is incurred by Medicaid producing the data?

6. Will the confidential data requests have the potential for:

a.Reducing cost of the Medicaid program,

b. Improving access for recipients, and/or

c.Increasing quality of care to recipients?

(B)The MCDRC recommends approval or denial of a request for confidential recipient data subject to ratification by Counsel and the Director of Medicaid.

(C)The MCDRC may not approve any request for recipient confidential data unless it clearly meets the cited legal conditions in Section I of the “MEDICAID CONFIDENTIAL DATA REQUIREMENTS” of this document.

(D)Once an application is approved by the MCDRC and Legal, it is forwarded to the Data Security Coordinator for action.

Back to top

IV.Medicaid Confidential Data Review Committee Procedures:

(A) The MCDRC meets as needed. Prior to each meeting, MCDRC members receive copies of each application for evaluation along with all previous reviews and recommendations pertaining to that request. Members are responsible for reviewing all applications prior to each meeting.

(B) The Data Security Coordinator in consultation with the Director’s Representative, sets the agenda of applications to be reviewed for each MCDRC meeting.

(C) The MCDRC approves, denies, refers, or pends all requests on the periodic meeting agenda.

(D) Each application approved by the MCDRC is evaluated by the Division of Legal Affairs representative. After counsel renders an opinion on a confidential data request, the application is sent back to Medicaid’s Data Security Coordinator for action.

(E) Approved applications are forwarded to a data source bureau that will respond to the request.

(F) The data source bureau must always attempt to satisfy request for confidential recipient data with summary or aggregate data. If summary or aggregate data cannot be used then only the specific or minimal amount of recipient identifiable information necessary to answer the request can be disseminated.

(G) All adjudicated applications are forwarded to the Office of Medicaid Management’s Data Security Coordinator. The Data Security Coordinator maintains a central database log and is the central contact between the Department and all applicants( while the request is under review). The Data Security Coordinator is responsible for notifying all applicants on the status of their request.

(H) The Data Security Coordinator be the Medicaid Bureau’s representative to the Department’s Data Security Committee and be responsible for informing the MCDRC of relevant Departmental data security policies and guidelines.

Back to top

ATTACHMENT B

Data Exchange Regulations

for

Data Security and Confidentiality

New York State Department of Health

Office of Medicaid Management

Subpart F—Safeguarding Information on Applicants and Recipients

Source: 44 FR 17934, Mar. 29, 1979, unless otherwise noted.

42CFR 431.300 Basis and purpose.

(a)Section 1902(a)(7) of the Act requires that a State plan must provide safeguards that restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan. This subpart specifies State plan requirements, the types of information to be safeguarded, the conditions for release of safeguarded information, and restrictions on the distribution of other information.

(b)Section 1137 of the Act, which requires agencies to exchange information in order to verify the income and eligibility of applicants and recipients (see §435.94 0ff), requires State agencies to have adequate safeguards to assure that—

(1)Information exchanged by the State agencies is made available only to the extent necessary to assist in the valid administrative needs of the program receiving the information, and information received under section 6103(l) of the Internal Revenue Code of 1954 is exchanged only with agencies authorized to receive that information under that section of the Code; and (2) The information is adequately stored and processed so that it is protected against unauthorized disclosure for other purposes.

[51 FR 7210, Feb. 28, 1986]

Back to top

42CFR 431.301 State plan requirements.

A State plan must provide, under a State statute that imposes legal sanctions, safeguards meeting the requirements of this subpart that restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan.

Back to top

42CFR 431.302 Purposes directly related to State plan administration.

Purposes directly related to plan administration include—

(a)Establishing eligibility;

(b)Determining the amount of medical assistance;

(c)Providing services for recipients; and

(d)Conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to the administration of the plan.

Back to top

42CFR 431.303 State authority for safeguarding information.

The Medicaid agency must have authority to implement and enforce the provisions specified in this subpart for safeguarding information about applicants and recipients.

Back to top

42CFR 431.304 Publicizing safeguarding requirements.

(a)The agency must publicize provisions governing the confidential nature of information about applicants and recipients, including the legal sanctions imposed for improper disclosure and use.

(b)The agency must provide copies of these provisions to applicants and recipients and to other persons and agencies to whom information is disclosed.

Back to top

42CFR 431.305 Types of information to be safeguarded.

(a)The agency must have criteria that govern the types of information about applicants and recipients that are safeguarded.

(b)This information must include at least—

(1)Names and addresses;

(2)Medical services provided;

(3)Social and economic conditions or circumstances;

(4)Agency evaluation of personal information;

(5)Medical data, including diagnosis and past history of disease or disability; and

(6)Any information received for verifying income eligibility and amount of medical assistance payments (see _435.940ff). Income information received from SSA or the Internal Revenue Service must be safeguarded according to the requirements of the agency that furnished the data.

(7)Any information received in connection with the identification of legally liable third party resources under _433.138 of this chapter.

[44 FR 17934, Mar. 29, 1979, as amended at 51 FR 7210, Feb. 28, 1986; 52 FR 5975, Feb. 27, 1987]

Back to top

42CFR 431.306 Release of information.

(a)The agency must have criteria specifying the conditions for release and use of information about applicants and recipients.

(b)Access to information concerning applicants or recipients must be restricted to persons or agency representatives who are subject to standards of confidentiality that are comparable to those of the agency.

(c)e agency must not publish names of applicants or recipients.

(d)The agency must obtain permission from a family or individual, whenever possible, before responding to a request for information from an outside source, unless the information is to be used to verify income, eligibility and the amount of medical assistance payment under section 1137 of this Act and §435.940 through §435.965 of this chapter. If, because of an emergency situation, time does not permit obtaining consent before release, the agency must notify the family or individual immediately after supplying the information.

(e)The agency’s policies must apply to all requests for information from outside sources, including governmental bodies, the courts, or law enforcement officials.

(f)If a court issues a subpoena for a case record or for any agency representative to testify concerning an applicant or recipient, the agency must inform the court of the applicable statutory provisions, policies, and regulations restricting disclosure of information.

(g)Before requesting information from, or releasing information to, other agencies to verify income, eligibility and the amount of assistance under §435.940 through §435.965 of this chapter, the agency must execute data exchange agreements with those agencies, as specified in §435.945(f).

(h)Before requesting information from, or releasing information to, other agencies to identify legally liable third party resources under §433.138(d) of this chapter, the agency must execute data exchanges agreements, as specified in §433.138(h)(2) of this chapter.

[44 FR 17934, Mar. 29, 1979, as amended at 51 FR 7210, Feb. 28, 1986; 52 FR 5975, Feb. 27, 1987]

Back to top

42CFR 431.307 Distribution of information materials.

(a)All materials distributed to applicants, recipients, or medical providers must—

(1)Directly relate to the administration of the Medicaid program;

(2)Have no political implications;

(3)Contain the names only of individuals directly connected with the administration of the plan; and

(4)Identify those individuals only in their official capacity with the State or local agency.

(b)The agency must not distribute materials such as ``holiday’’ greetings, general public announcements, voting information, and alien registration notices.

©The agency may distribute materials directly related to the health and welfare of applicants and recipients, such as announcements of free medical examinations, availability of surplus food, and consumer protection information.

Back to top

42CFR 431.10 Single State agency.

(a)Basis and purpose. This section implements section 1902(a)(5) of the Act, which provides for designation of a single State agency for the Medicaid program. (b) Designation and certification. A State plan must—

(1)Specify a single State agency established or designated to administer or supervise the administration of the plan; and

(2)Include a certification by the State Attorney General, citing the legal authority for the single State agency to—

(i)Administer or supervise the administration of the plan; and

(ii)Make rules and regulations that it follows in administering the plan or that are binding upon local agencies that administer the plan.

(c)Determination of eligibility. (1) The plan must specify whether the agency that determines eligibility for families and for individuals under 21 is—

(i)The Medicaid agency; or

(ii)The single State agency for the financial assistance program under title IV - A (in the 50 States or the District of Columbia), or under title I or XVI (AABD), in Guam, Puerto Rico, or the Virgin Islands.

(2)The plan must specify whether the agency that determines eligibility for the aged, blind, or disabled is—

(i)The Medicaid agency;

(ii)The single State agency for the financial assistance program under title IV - A (in the 50 States or the District of Columbia) or under title I or XVI (AABD), in Guam, Puerto Rico, or the Virgin Islands; or

(iii)The Federal agency administering the supplemental security income program under title XVI (SSI). In this case, the plan must also specify whether the Medicaid agency or the title IV - An agency determines eligibility for any groups whose eligibility is not determined by the Federal agency.

(d)Agreement with Federal or State agencies. The plan must provide for written agreements between the Medicaid agency and the Federal or other State agencies that determine eligibility for Medicaid, stating the relationships and respective responsibilities of the agencies.

(e)Authority of the single State agency. In order for an agency to qualify as the Medicaid agency—

(1)The agency must not delegate, to other than its own officials, authority to—

(i)Exercise administrative discretion in the administration or supervision of the plan, or

(ii)Issue policies, rules, and regulations on program matters.

(2)The authority of the agency must not be impaired if any of its rules, regulations, or decisions are subject to review, clearance, or similar action by other offices or agencies of the State.

(3)If other State or local agencies or offices perform services for the Medicaid agency, they must not have the authority to change or disapprove any administrative decision of that agency, or otherwise substitute their judgment for that of the Medicaid agency with respect to the application of policies, rules, and regulations issued by the Medicaid agency.

[44 FR 17930, Mar. 23, 1979]

Back to top

42CFR 431.17 Maintenance of records.

(a)Basis and purpose. This section, based on section 1902(a)(4) of the Act, prescribes the kinds of records a Medicaid agency must maintain, the retention period, and the conditions under which microfilm copies may be substituted for original records.

(b)Content of records. A State plan must provide that the Medicaid agency will maintain or supervise the maintenance of the records necessary for the proper and efficient operation of the plan. The records must include—

(1)Individual records on each applicant and recipient that contain information on—

(i)Date of application;

(ii)Date of and basis for disposition;

(iii)Facts essential to determination of initial and continuing eligibility;

(iv)Provision of medical assistance;

(v)Basis for discontinuing assistance;

(vi)The disposition of income and eligibility verification information received under ··§435.940 through §435.960 of this subchapter; and

(2)Statistical, fiscal, and other records necessary for reporting and accountability as required by the Secretary.

(c)Retention of records. The plan must provide that the records required under paragraph (b) of this section will be retained for the periods required by the Secretary.

(d)Conditions for optional use of microfilm copies. The agency may substitute certified microfilm copies for the originals of substantiating documents required for Federal audit and review, if the conditions in paragraphs (d)(1) through (4) of this section are met.

(1)The agency must make a study of its record storage and must show that the use of microfilm is efficient and economical.

(2)The microfilm system must not hinder the agency’s supervision and control of the Medicaid program.

(3)The microfilm system must—

(i)Enable the State to audit the propriety of expenditures for which FFP is claimed; and

(ii)Enable the HHS Audit Agency and HCFA to properly discharge their respective responsibilities for reviewing the manner in which the Medicaid program is being administered.

(4)The agency must obtain approval from the HCFA regional office indicating—

(i)The system meets the conditions of paragraphs (d)(2) and (3) of this section; and

(ii)The microfilming procedures are reliable and are supported by an adequate retrieval system.

[44 FR 17931, Mar. 23, 1979, as amended at 51 FR 7210, Feb. 28, 1986]

Back to top

ePACES Access Control

Warning: As per the Health Insurance Portability and Accountability Act (HIPAA), eMedNY or the on-site ePACES Administrator is required to assign unique user ids and passwords for identifying and tracking user’s identity [Ref: § 164.312(a)(2)(i)].Users that share their ePACES user id and password are in violation of the HIPAA Security Regulation.If this practice is detected, the user’s access will be revoked and other sanctions may apply.

Back to top