Cybersecurity and Data Privacy: New York State Revises Final Guidance on Health Care Privacy and Data Exchange

June 22, 2017

Just three weeks after releasing a "final" guidance statement on New York State and federal laws on privacy and data sharing ("Final Guidance"), the New York State Department of Health ("DOH") issued a revised final guidance statement on June 5, 2017 ("Revised Guidance"). Like the prior statement, the Revised Guidance focuses on the exchange of data for the Delivery System Redesign Incentive Payment program ("DSRIP"), but has broader implications for data sharing in New York State. The issuance of revised guidance so soon after the prior statement reflects DOH's efforts to address legal barriers to data exchange and, at the same time, suggests significant uncertainty about the application of federal and state privacy laws to the complex issues posed by data exchange for DSRIP. The Revised Guidance is also part of a constantly evolving set of standards for access to and use of data from the Medicaid claims database administered by New York State ("Medicaid Confidential Data").

The shifting positions taken by DOH over the past year on the exchange of Medicaid Confidential Data have created a significant challenge for entities that lead Performing Provider Systems ("PPS Leads") as they seek to implement projects whose success depends on shared data. Another mark of uncertainty, as DOH traverses new legal ground in the privacy arena, is the Revised Guidance's repeated statement that it is not legal advice and that PPS Leads and providers should seek such advice from counsel.

Bond prepared a memorandum on the Final Guidance. This memorandum summarizes the changes and new material set forth in the Revised Guidance. The Revised Guidance reiterates that PPS participants and PPS Leads can share Medicaid Confidential Data only if a business associate agreement is in place and the data is shared for purposes of the Medicaid program. The Revised Guidance places the responsibility on the PPS Lead to assure that any data for Medicaid recipients who have opted out of data sharing will no longer be used by the Performing Provider System ("PPS") or shared, although the data does not have to be redacted from existing data sets.

In an important clarification from prior statements, the Revised Guidance provides that PPS Leads can commingle Medicaid Confidential Data with other data sets generated by PPS participants or managed care organizations ("MCOs"). Any such data set, if it contains only the name and CIN numbers of Medicaid members, is not governed by the extensive security and privacy standards and requirements that apply to Medicaid Confidential Data generally. The Revised Guidance includes an additional section focused on data sharing with MCOs and advises that MCOs can share PHI with a PPS Lead for members attributed to the PPS, based on consent in the Medicaid application, for members who have not opted out of data sharing.

The Revised Guidance discusses several different approaches to data sharing within a PPS, including creation of an Organized Health Care Arrangement or an "OCHA," in accordance with HIPAA. While an OCHA allows the participants to share Protected Health Information ("PHI") for purposes of operations of the OCHA, participating providers and PPS Leads should first assess if establishing an OCHA yields a clear benefit, given that entities covered by HIPAA can share data without consent for the broad purposes of treatment, payment and health care operations, even if an OCHA is not established. Whether or not an OCHA is formed, data sharing practices within a PPS should be reflected in an updated Notice of Privacy Practices by participating providers, and by the PPS Lead if the PPS Lead is a covered entity.

As an alternative to an OCHA, the Revised Guidance proposes that providers and PPS Leads rely on business associate agreements to create the legal structure for sharing data generated within the PPS and by participating providers, noting that such data sharing would meet the HIPAA exception for treatment, payment and health care operations. However, the challenges posed for data sharing under HIPAA, and for value-based payment more generally, do not arise from HIPAA for that reason, but from federal and state laws that establish more specific, rigorous requirements for disclosing particular kinds of sensitive health care information, including HIV-related information, substance use disorder treatment information, and mental health and reproductive health information ("Sensitive Information"). Hence, even if business associate agreements are in place as required by HIPAA, this does not address or resolve the need for specific consent for Sensitive Information, unless an exception applies in accordance with the applicable federal or state laws and regulations. Further analysis of the law and regulations that apply to each type of Sensitive Information is therefore required in order to determine the requirement for consent, whether that has been satisfied, or whether an exception to consent applies to the purpose for the data exchange.

For further information about the Revised or Final Guidance Statements and applicable federal and state privacy laws, contact Tracy E. Miller, Deputy Chair, Health Care Practice and Co-Chair, Cybersecurity and Data Privacy Practice.