Privacy and Security Standards for Medicaid/CHIP/Health Insurance Exchange



Transcription:

Privacy and Security Standards for Medicaid/CHIP/Health Insurance Exchange
Melissa Cummings-Niedzwiecki, IRS
John Chip Garner, CMS
Tom Schankweiler, CMS

Changes with the ACA

New Connectivity Paradigm
- State Agencies will receive information through the Data Services Hub (Hub)
- A State must comply with federal privacy and security standards, including the appropriate methods for safeguarding federal information
- Described in the Exchange Final Rule*

New State Agency IT System Paradigm
- No longer just sending files securely to CMS or accessing CMS custom built application front ends (e.g. HITECH, MSIS, MCSIS, PERM)
- Now we will need to establish State IT System to CMS IT System direct connections (e.g. State E&E to FFE, State E&E to Hub)
- Requires additional rigor in establishing and documenting security controls

*Section 155.260. Available at http://www.gpo.gov/fdsys/pkg/fr-2012-03-27/pdf/2012-6125.pdf

New State Agency Connections
[Diagram; labels: State Programs (Medicaid, CHIP, ...); SSA; DHS; FMS; IRS; HHS Hub; HHS Federal, Regional/State Exchange, & Contractors; Portal; Call Center; Applicant; Navigator; Caseworker (in-person at Exchange); Web browser]

Federal Interagency Harmonization
- CMS is working to harmonize privacy and security standards for the types of information a Health Insurance Exchange (HIX), Medicaid or CHIP program might use, collect or disclose
- CMS is partnering with federal agencies, including SSA, DHS, and IRS to ensure that States have adequate support and guidance regarding the privacy and security standards

Privacy and Security Standards
Must establish and implement privacy and security standards that are consistent with the following seven principles:
1. Individual Access
2. Correction
3. Openness and Transparency
4. Collection, use, and disclosure limitations
5. Data quality and integrity
6. Safeguards
7. Accountability

Privacy and Security Guidance
Exchange Reference Architecture (ERA) Supplements (Three documents)
1. Harmonized Security and Privacy Framework
2. Minimum Acceptable Risk Standards for Exchanges
3. Catalog of Minimum Acceptable Risk Controls for States

Required Documents from State Agencies
Documents required to connect with CMS systems (CALT document number)
- System Security Plan (doc7280, & doc2158)*
- Information Security Risk Assessment (doc5299)*
- IRS Safeguard Procedures Report (doc8982)*
- Privacy Impact Assessment (doc4708)*
- Interconnection Security Agreements (template(s) under development)

* https://calt.hhs.gov/

Master and ISA Document Relationships
- CMS will require State system owners to sign ISAs to ensure systems are secure prior to sharing information through the Hub
[Diagram; labels: Data Exchange Agreements; Fed2Fed Master ISA; DEAs; MOUs; CMAs; IEAs; ISAs; Fed2Fed IRS; Fed2Fed SSA; Fed2Fed HHS; Fed2Fed DHS; Fed2Fed VHA; Fed2Fed Peace Corps; ISAs; Fed2NonFed Master ISA; State Exchanges; State Medicaid Agencies; Other]

Federal to State Information Exchange Agreements (IEAs)
- CMS will require new data sharing agreements; existing data sharing agreements to receive federal information cannot be reused for this effort
[Diagram; labels: CMS DSH; CMS FFE; CMS IEA (DSH to State); State-Based Exchange; State Medicaid and CHIP; CMS IEA (FFE to State); Add HIPAA BAA if FFE: (1) Processing PHI (2) On behalf of Medicaid and CHIP; CMS Contractors; State Data Sharing (State agreement, no CMS involvement); Contractors need to be covered by a DUA]

IRS Safeguard Requirements
- IRS is partnering with CMS/CCIIO to ensure the minimum security requirements include security controls for all data, including FTI
- Office of Safeguards is responsible for ensuring compliance with Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies
- Safeguards will authorize the release of FTI with an approved Safeguard Procedures Report (SPR)

IRS Source Data Elements Provided for Insurance Affordability Program Eligibility
I.R.C. 6103(l)(21) authorizes the release of the following taxpayer information:
(i) taxpayer identity information;
(ii) filing status;
(iii) number of individuals for which a deduction under section 151 was allowed (family size);
(iv) modified adjusted gross income; and
(v) taxable year to which any such information relates or, alternatively, that such information is not available.
- Trigger for disclosure is the filing of an application for financial assistance
- Notice of Proposed Rulemaking dated April 30, 2012 proposes additional items of return information that could be disclosed: See Federal Register, vol. 77, no. 83 (77 FR 25378)

Key Tenets of IRS Safeguards
- Recordkeeping
- Secure Storage
- Restricting Access
- Employee Awareness & Internal Inspections
- Reporting Requirements
- Disposal
- Need and Use
- Computer Security

IRS Safeguards Efforts
- Support CMS in implementing ACA relative to the safeguarding of Federal Tax Information
- Participate in state reviews and CMS cross-functional working teams
- Provide guidance and assistance; FFE & Hub technical & program staff to discuss Federal Tax Information security related topics
- Work directly with state agencies and contractors on State-specific issues

Additional Info/TA available
Contact your CCIIO or CMCS State Officer
- Melissa Cummings-Niedzwiecki - Melissa.Cummings-Niedzwiecki@irs.gov
- John Chip Garner - John.Garner1@cms.hhs.gov
- Tom Schankweiler - Thomas.Schankweiler@cms.hhs.gov
- Liz Kane - Elizabeth.Kane@cms.hhs.gov