The New York State Department of Health (NYSDOH) has issued proposed regulations to coordinate Medicaid providers accessing patient information through the SHIN-NY (Statewide Health Information Network for New York).  Items in bold italics is new language; items in [brackets] is deleted language.

Department of Health

PROPOSED RULE MAKING

NO HEARING(S) SCHEDULED

Provider Enrollment and Collection of Patient Consent to Access Medicaid Confidential Data in the SHIN-NY

I.D. No. HLT-26-24-00012-P

PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:

Proposed Action: Amendment of section 504.9 of Title 18 NYCRR.

Statutory authority: Public Health Law, sections 201(1)(v), 206(18-a); Social Services Law, sections 363-a and 365-a(2)

Subject: Provider Enrollment and Collection of Patient Consent to Access Medicaid Confidential Data in the SHIN-NY.

Purpose: To clarify that providers of medical goods and services, rather than the QEs, are required to enroll in the Medicaid program.

Text of proposed rule: Pursuant to the authority vested in the Commissioner of Health under sections 201(1)(v) and 206(18-a) of the Public Health Law and sections 363-a and 365-a(2) of the Social Services Law, section 504.9 of Title 18 (Department of Social Services) of the Official Compilation of Codes, Rules and Regulations of the State of New York is amended, to be effective upon publication of a Notice of Adoption in the New York State Register, to read as follows:

504.9  Service bureaus, billing services and electronic media billers.

(a)(1) Persons submitting claims, verifying client eligibility or obtaining service authorizations for or on behalf of providers, except those individuals employed by providers enrolled in the medical assistance program, must enroll in the medical assistance program in accordance with this Part and must meet the appropriate additional requirements set forth in this section.  However, payment may be made only to the provider of the medical care, services or supplies; or in accordance with a reassignment from a provider to a government agency or reassignment by court order; or to an employer of a practitioner, if the practitioner is required as a condition of their employment to turn over their fees to the employer; or to a facility or a foundation, plan or similar organization operating an organized health care delivery system, if the practitioner has a contract under which the facility or organization submits the claims; or to a business agent, including a service bureau, billing service, or accounting firm, if the payment is made in the name of the provider and the agent’s compensation for the services is related to the cost of processing the claim, is not related on a percentage or other basis to the amount billed or collected, and is not dependent upon collection of the payment.

(2) Providers submitting their claims by means of electronic/ magnetic media (computer tape, disks, etc.) must also meet the requirements of this section in order to be eligible to submit their claims by such media.

(b) Service bureaus must maintain a system approved by the department for notifying providers of the claims to be submitted on their behalf.  Prior to submission to the department, claim submissions must be reviewed by the provider of the care, services or supplies in order that the provider may correct any inaccurate claims, delete improper claims or otherwise revise the intended submission to ensure that only claims for services actually provided, due and owing are submitted.

(c) Service bureaus must submit systems documentation to the department for the systems configuration which they will be using to process claims prior to acceptance of their enrollment application.  Such documentation must be revised as necessary to assure its accuracy.  The department will not disclose any proprietary software, firmware or other systems component of a proprietary nature to any person other than another governmental agency as may be required for the efficient administration of the program.

(d) Service bureaus must meet the processing standards established by the department and its fiscal intermediary and satisfactorily perform claims submissions based upon a test claim provided by the department or its fiscal intermediary prior to acceptance of their enrollment applications.

(e) Service bureaus must enter into an electronic/magnetic billing agreement with the department or its fiscal intermediary, establishing the rights and obligations of the service bureau, the provider and the department, prior to acceptance of any claims from the service bureau.  Such agreements will include provisions for liability in case of errors, submission criteria, record retention requirements, data integrity, confidentiality of client data, and audit requirements.

(f) Client identifying data may not be used by any service bureau, provider, or any person verifying eligibility or obtaining service authorizations on behalf of a provider for any purpose other than claiming for medical care, services or supplies actually furnished to the client, or verifying client eligibility or obtaining service authorizations or another valid purpose directly related to the administration of the medical assistance program, and may not be released or disclosed to any person or entity other than the department, the State Medicaid Fraud Control Unit or the Federal Department of Health and Human Services without express written authorization of the department.

(g) Any provider desiring to submit claims, verify client eligibility, or obtain service authorizations for or on behalf of any other provider must enroll as a service bureau in addition to enrolling as a provider of medical care, services or supplies.

(h) As applicable, the definitions in section 300.1 of Title 10 of the New York Codes, Rules and Regulations shall apply to the terms used in this subdivision.

(1) A Qualified [Health Information Technology] Entity [, as defined in paragraph (2) of this subdivision, seeking access to medical assistance information must enroll] in receipt of medical assistance information may only disclose such information to a Qualified Entity Participant provided that the Qualified Entity Participant is enrolled in the medical assistance program in accordance with this Part and [must meet] the appropriate additional requirements set forth in this section are met.

(2) A Qualified [Health Information Technology Entities, which may include but are not limited to regional health information organizations (RHIOs), are entities to whom recipient-specific medical assistance information is released, with the consent of the medical assistance recipient, for the purpose of sharing such information with one or more of its members] Entity may not disclose a recipient’s medical assistance information unless the recipient has provided proof of written authorization in accordance with subdivisions (a) and (b) of section 300.5 of Title 10 of the New York Codes, Rules and Regulations [that are providing medical care, services, or supplies to such recipient].  The release of such information is intended to improve the quality of care delivered to medical assistance recipients, reduce the occurrence of medically adverse events, and reduce costs through better coordination of care.

(3) As a condition of [enrollment and of] receipt and disclosure of medical assistance information pursuant to this subdivision, Qualified [Health Information Technology] Entities must develop and maintain policies and procedures adequate:

(a) to ensure that [informed consent] written authorization is obtained from medical assistance recipients in accordance with subdivisions (a) and (b) of section 300.5 of Title 10 of the New York Codes, Rules and Regulations for the release of [confidential] medical assistance information;

(b) to handle [and], safeguard and disclose [confidential] medical assistance information in compliance with all applicable federal and State laws and regulations, including but not limited to ensuring that disclosure and use is for purposes directly connected with the administration of the medical assistance program; and

(c) to ensure that [their members] Qualified Entity Participants comply with all applicable federal and State laws and regulations regarding [confidential] medical assistance information.

(4) The policies and procedures required by paragraph (3) of this subdivision shall be subject to inspection by the department upon request.  Upon inspection, the department may require any amendments necessary to comply with this section or other State or federal laws or regulations.  To appropriately safeguard medical assistance information, the department may direct a Qualified Entity to take corrective action, including but not limited to restricting a Qualified Entity Participant’s access to medical assistance information or termination of their participation agreement.  Qualified Entities shall make required amendments or take corrective action as soon as possible and no later than within 30-days-notice from the department, provided however that the department may in its sole discretion stay such deadline for reason given.

Text of proposed rule and any required statements and analyses may be obtained from: Katherine Ceroalo, DOH, Bureau of Program Counsel, Reg. Affairs Unit, Room 2438, ESP Tower Building, Albany, NY 12237, (518) 473-7488, email: regsqna@health.ny.gov

Data, views or arguments may be submitted to: Same as above.

Public comment will be received until: 60 days after publication of this notice.  This rule was not under consideration at the time this agency submitted its Regulatory Agenda for publication in the Register.

Regulatory Impact Statement

Statutory Authority: Section 201(1)(v) of the Public Health Law (PHL) designates the Department of Health as the single state agency for New York’s Medicaid program, “with responsibility to supervise the plan for medical assistance. . . and to adopt regulations as may be necessary to implement” the plan.  Section 363-a of the Social Services Law (SSL) authorizes the Department to make such rules and regulations as are required to implement and manage the state Medicaid program consistent with applicable law.  PHL section 206(18-a)(d) authorizes the Commissioner to make such rules and regulations as may be necessary to promote the development of a self-sufficient Statewide Health Information Network for New York (SHINNY) to enable widespread, non-duplicative interoperability among disparate health information systems, including electronic health records, personal health records, health care claims, payment and other administrative data and public health information systems, while protecting patient privacy and ensuring data security.

Legislative Objectives: The proposed amendments will give effect to the broader legislative objectives for both the Medicaid program and the SHIN-NY.

SSL section 363 contains the State’s declaration that a program to provide high-quality medical assistance for residents in financial need is a matter of public concern, and provides that “[i]n carrying out this program every effort shall be made. . . to facilitate. . . the provision of such medical assistance.”  SSL section 365-G sets forth the legislature’s intention to “safeguard against unnecessary utilization of care and services” by medical assistance program members, thereby promoting efficiency and cost savings for the Medicaid program and better health outcomes for members.

With respect to the SHIN-NY, paragraph (d) of PHL section 206(18-a) explicitly requires the Commissioner to “promote the development of a statewide health information network” in order to “enable widespread interoperability among disparate health information systems.”  PHL 206(18-a)(a)(iii) illustrates the broader legislative goal of utilizing health information technology, including the SHIN-NY, “to increase the quality and efficiency of health care across the state.”

Taken together, these statutory provisions reflect the legislature’s intent to utilize the SHIN-NY to promote better outcomes for patients across the State through the efficient allocation of resources, enhanced coordination of care, and the reduction of unnecessary service utilization.  The proposed amendments will support each of these legislative objectives by codifying the use of existing SHIN-NY consent procedures and technological infrastructure to facilitate the exchange of Medicaid Confidential Data (MCD) between enrolled providers, enabling them to access clinical and other information about their patients for the first time.  The amendments will also promote interoperability by clarifying that enrolled providers may receive MCD stored and transmitted by Qualified Entities (QEs) consistent with patient consent and applicable law.  This change will remove an obstacle that has in practice prevented the transmission of MCD to authorized providers through the SHIN-NY.

Needs and Benefits:

Alignment with SHIN-NY Regulations

Subdivision 504.9(h) of Title 18 of the New York Codes, Rules and Regulations (NYCRR) was adopted on February 15, 2012, and authorizes regional health information organizations (RHIOs) to receive information about Medicaid beneficiaries and their treatment if the requirements listed within 18 NYCRR section 504.9 are satisfied.  10 NYCRR Part 300 was adopted on March 9, 2016, and established the SHIN-NY as the State’s network for secure health information exchange between providers who have received consent to access patient data.  10 NYCRR subdivision 300.1(b) clarified that RHIOs which have met the applicable certification requirements are considered QEs within the SHIN-NY.

In making RHIOs a type of Medicaid service provider, the adoption of 18 NYCRR subdivision 504.9(h) represented a significant step toward encouraging the secure electronic exchange of health information pertaining to Medicaid beneficiaries in accordance with patient consent and applicable law and policy.  However, the subsequent establishment of the SHIN-NY and its constituent QEs as the state’s health information exchange network necessarily introduced processes that either did not exist or had not been finalized when 18 NYCRR section 504.9 was initially promulgated in 2012.  In particular, the current text of 18 NYCRR paragraph 504.9(h)(2) states that RHIOs “are entities to whom recipient-specific medical assistance information is released, with the consent of the medical assistance recipient. . .” (emphasis added).  This text can be read to suggest that the QEs must independently obtain patient consent at the entity level in order for their participants to access patient information; however, as 10 NYCRR section 300.5 makes clear, consent is obtained (or refused) during patient interactions with the individual physicians, practices, and agencies who are participants within each QE.  In practice, QEs provide the technical infrastructure that allows participant organizations to access patient information in accordance with consent and applicable law, but do not actively collect patient consent decisions as the current text of 18 NYCRR paragraph 504.9(h)(2) may be read to suggest.

The proposed amendments would clarify that patient consent for a provider to access electronic health information in the SHIN-NY is obtained, and the information accessed by, individual QE participants as opposed to the QEs as entities.  Moreover, the proposed changes would establish the sufficiency of patient consent obtained consistent with subsections (a) and (b) of 10 NYCRR section 300.5 to allow QEs to provide, and their participants to access, MCD in the SHIN-NY.  In so doing, the proposed amendment will bring 18 NYCRR paragraph 504.9(h)(2) into alignment with the SHIN-NY regulation and remove any question as to whether QEs must obtain a separate consent at the entity level in order for their participants to access data pertaining to Medicaid beneficiaries consistent with applicable law and policy.

Beyond the need to clarify that patient consent is obtained at the provider level and establish the sufficiency of patient consent obtained in accordance with the SHIN-NY regulation, the current text of 18 NYCRR paragraphs 504.9(h)(1) and (h)(3) contains language indicating that QEs are required to enroll in the Medicaid program in order to receive information about medical assistance recipients and make such information available to authorized providers.  However, as the remainder of 18 NYCRR Part 504 regulations demonstrate, the entities required to enroll are the providers of medical goods and services as opposed to any health information technology network to which they belong.  The proposed amendments to 18 NYCRR paragraphs 504.9(h)(1) and (h)(3) will clarify that QEs are not required to enroll as Medicaid providers in order to facilitate the exchange of clinical and other data pursuant to patient consent.

The proposed amendment to 18 NYCRR paragraph 504.9(h)(2) is necessary to resolve the current inconsistency between 18 NYCRR section 504.9 and the patient consent provisions in the SHIN-NY regulation at 10 NYCRR section 300.5.  Additionally, the current text of 18 NYCRR paragraph 504.9(h)(2) may be misread to require QEs to separately or independently obtain patient consent in order to lawfully provide access to authorized participants within their networks.  Such requirement would be unnecessarily duplicative and out of sync with the text and intent of current SHIN-NY regulation and policy.  By resolving this ambiguity and clarifying that patient consent decisions are obtained by QE participant organizations, the proposed amendment will eliminate the need for QEs, participants, and the Department to parse 18 NYCRR paragraph 504.9(h)(2) against the established policies and practices pertaining to the SHIN-NY.

The proposed amendments to 18 NYCRR paragraphs 504.9(h)(1) and (h)(3) are necessary to resolve any ambiguity as to whether QEs are required to enroll in the Medicaid program as providers in order to receive and facilitate provider access to patient information.  Additionally, the proposed insertion of new 18 NYCRR paragraph 504.9(h)(4) is necessary in order to meet the requirement under 42 CFR sections 431.303 and 306 that persons who receive MCD be subject to standards of confidentiality comparable to those applicable to the Department, and that the Department have the authority to implement and enforce such requirements.

Promoting Health Equity and Supporting the Medicaid Program

As a practical matter, the current misalignment between regulations and resulting lack of a clear mandate to permit the sharing of MCD through the SHIN-NY has made the Medicaid member population the only substantial segment of New York residents whose treating physicians are unable to access their claims information electronically, even in the case of patients who have provided written consent.  The ability of enrolled providers and their Medicaid member patients to make treatment decisions with the benefit of the patient’s full clinical and administrative history in electronic format will help Medicaid providers reduce duplicative costs and increase the quality of care.  By eliminating this unnecessary and unintended distinction between the Medicaid and non-Medicaid populations, the proposed amendments would promote health equity and give effect to the State’s mandate in SSL section 363 to “make every effort” to ensure that high-quality medical care is provided to members.

QEs in the SHIN-NY will serve as the information exchange backbone to support the New York Health Equity Reform 1115 Medicaid Waiver.  QEs will be required to support the exchange of data between the Medicaid program and social care networks identified through an application process.  QEs will further support the waiver by making information available on Medicaid providers involved in the demonstration and ensuring there is information on the eligibility of Medicaid members for services under the waiver.  Additionally, the SHIN-NY and QEs will support required reporting of data from the social care networks to the Medicaid program for oversight and reporting to the Centers for Medicare and Medicaid Services.  The proposed changes to 18 NYCRR subparagraph 504.9(h)(3)(b) will make clear that the QEs may permissibly disclose MCD where the patient has provided consent and the disclosure is made for a purpose connected to the administration of the Medicaid program.  This clarification will resolve any extant ambiguity regarding the propriety of reporting MCD to the Department for purposes authorized by law.

Costs:

Costs to Private Regulated Parties: The private parties subject to the proposed amendment are the QEs and their participants which constitute the SHIN-NY.  The proposed amendment would impose no cost on private regulated parties, as the proposed updates to the language in 18 NYCRR subdivision 504.9(h) are clarifications that make the regulation consistent with 10 NYCRR Part 300, SHIN-NY policy, and current practice among QE participants.

Costs to State and Local Government: This proposal will not impact State and local governments.

Costs to the Department of Health: This proposal will not impact the Department of Health.

Costs to Other State Agencies: This proposal will not impact other state agencies.

Local Government Mandates: No new local government program, project or activity is required by the proposed regulations.

Paperwork: No new paperwork requirements would be imposed under the proposed regulatory changes.

Duplication: These regulatory amendments do not duplicate existing State or federal requirements.

Alternatives: The alternative would be not to amend 18 NYCRR subdivision 504.9(h) to clarify that QE participants are the entities that must enroll in the Medicaid program and obtain patient consent decisions and access electronic health information pursuant to such consent.  As noted above, the current text of 18 NYCRR subdivision 504.9(h) is inconsistent with the text of the SHIN-NY regulation, SHIN-NY policy, and current practice among QE participants.  No alternative approach exists which would resolve this ambiguity and bring 18 NYCRR subdivision 504.9(h) into alignment with SHIN-NY regulation and policy.

Federal Standards: The proposed regulations do not duplicate or conflict with any federal regulations.

Compliance Schedule: The regulations will be effective upon publication of a Notice of Adoption in the New York State Register.

Regulatory Flexibility Analysis

No Regulatory Flexibility Analysis is required pursuant to section 202- (b)(3)(a) of the State Administrative Procedure Act.  The proposed amendment does not impose an adverse economic impact on small businesses or local governments, and it does not impose reporting, recordkeeping or other compliance requirements on small businesses or local governments.

Rural Area Flexibility Analysis

A Rural Area Flexibility Analysis for this amendment is not being submitted because the amendment will not impose any adverse impact or significant reporting, recordkeeping or other compliance requirements on public or private entities in rural areas.  There are no professional services, capital, or other compliance costs imposed on public or private entities in rural areas as a result of the proposed amendments.

Job Impact Statement

A Job Impact Statement for the proposed regulatory amendments is not being submitted because it is apparent from the nature and purposes of the amendment that it will not have a substantial adverse impact on jobs and/or employment opportunities.