Privacy and Security Standards for Medicaid/CHIP/Health Insurance Exchange

Transcription

1 Privacy and Security Standards for Medicaid/CHIP/Health Insurance Exchange Melissa Cummings- Niedzwiecki, IRS John Chip Garner, CMS Tom Schankweiler, CMS

2 Changes with the ACA New Paradigm State Agencies will receive informa3on through the Data Services Hub (Hub) A State must comply with federal privacy and security standards, including the appropriate methods for safeguarding federal informa3on Described in the Exchange Final Rule* New State Agency IT System Paradigm No longer just sending files securely to CMS or accessing CMS custom built applica3on front ends (e.g. HITECH, MSIS, MCSIS, PERM) Now we will need to establish State IT System to CMS IT System direct connec3ons (e.g. State E&E to FFE, State E&E to Hub) Requires addi3onal rigor in establishing and documen3ng security controls *Section Available at -

3 New State Agency State Programs: Medicaid, CHIP,... SSA DHS FMS Applicant Web browser HHS Federal, Regional/State Exchange, & Contractors HHS HUB IRS Call Center Web browser Portal Portal Navigator Web browser Caseworker (in- person at Exchange) Web browser

4 Federal Interagency CMS is working to harmonize privacy and security standards for the types of informa3on a Health Insurance Exchange (HIX), Medicaid or CHIP program might use, collect or disclose CMS is partnering with federal agencies, including SSA, DHS, and IRS to ensure that States have adequate support and guidance regarding the privacy and security standards

5 Privacy and Security Standards Must establish and implement privacy and security standards that are consistent with the following seven principles: 1. Individual Access 2. Correc3on 3. Openness and Transparency 4. Collec3on, use, and disclosure limita3ons 5. Data quality and integrity 6. Safeguards 7. Accountability

6 Privacy and Security Guidance Exchange Reference Architecture (ERA) Supplements (Three documents) 1. Harmonized Security and Privacy Framework 2. Minimum Acceptable Risk Standards for Exchanges 3. Catalog of Minimum Acceptable Risk Controls for States

7 Required Documents from State Agencies Documents required to Connect with CMS systems (CALT document number) System Security Plan (doc7280, & doc2158)* Informa3on Security Risk Assessment (doc5299) * IRS Safeguard Procedures Report (doc8982) * Privacy Impact Assessment (doc4708) * Interconnec3on Security s (template(s) under development) * h_ps://calt.hhs.gov/

8 Master and ISA Document CMS will require State system owners to sign ISAs to ensure systems are secure prior to sharing informa7on through the Hub Data Exchange s Fed2Fed Master ISA DEAs MOUs CMAs IEAs ISAs Fed2Fed IRS Fed2Fed SSA Fed2Fed HHS Fed2Fed DHS Fed2Fed VHA Fed2Fed Peace Corps ISAs Fed2NonFed Master ISA State Exchanges State Medicaid Agencies Other

9 Federal to State Exchange s (IEAs) CMS will require new data sharing agreements exis7ng data sharing agreements to receive federal informa7on cannot be reused for this effort CMS DSH CMS FFE CMS IEA (DSH to State) State- Based Exchange State Medicaid and CHIP CMS IEA (FFE to State) Add HIPAA BAA if FFE: (1) Processing PHI (2) On behalf of Medicaid and CHIP CMS Contractors State Data Sharing (State agreement, no CMS involvement) Contractors need to be covered by a DUA

10 IRS Safeguard Requirements IRS is partnering with CMS/CCIIO to ensure the minimum security requirements include security controls for all data, including FTI Office of Safeguards is responsible for ensuring compliance with Publica3on 1075, Tax Informa3on Security Guidelines for Federal State and Local Agencies Safeguards will authorize the release of FTI with an approved Safeguard Procedures Report (SPR)

11 IRS Source Data Elements Provided for Insurance Affordability Program Eligibility I.R.C 6103(l)(21) authorizes the release of the following taxpayer informa3on: (i) taxpayer iden3ty informa3on; (ii) filing status; (iii) number of individuals for which a deduc3on under sec3on 151 was allowed (family size); (iv) modified adjusted gross income; and (v) taxable year to which any such informa3on relates or, alterna3vely, that such informa3on is not available. Trigger for disclosure is the filing of an applica3on for financial assistance No3ce of Proposed Rulemaking dated April 30, 2012 proposes addi3onal items of return informa3on that could be disclosed: See Federal Register, vol. 77, no. 83 (77 FR 25378)

12 Key Tenants of IRS Safeguards Recordkeeping Secure Storage Restric3ng Access Employee Awareness & Internal Inspec3ons Repor3ng Requirements Disposal Need and Use Computer Security

13 IRS Safeguards Efforts Support CMS in implemen3ng ACA rela3ve to the safeguarding of Federal Tax Informa3on Par3cipate in state reviews and CMS cross- func3onal working teams Provide guidance and assistance; FFE & Hub technical & program staff to discuss Federal Tax Informa3on security related topics Work directly with state agencies and contractors on State- specific issues

14 Info/TA available Contact your CCIIO or CMCS State Officer Melissa Cummings- Niedzwiecki - Melissa.Cummings- [email protected] John Chip Garner [email protected] Tom Schankweiler [email protected] Liz Kane [email protected]