
MLTC Conflict Free Enrollment Policy and UAS-NY Security Advisory Released

The Department of Health (DOH) has released new managed long term care (MLTC) policies governing Conflict Free Evaluation and Enrollment Center (CFEEC) dispute resolution and security for the UAS-NY assessment tool. The CFEEC policy describes the process to be followed in the event that a plan disagrees with the CFEEC’s determination concerning a beneficiary’s eligibility for MLTC enrollment. The UAS-NY policy advises plans and their UAS-NY assessment subcontractors of steps they can take to reduce the risk of security breaches of UAS-NY data.

Under the CFEEC dispute resolution policy (MLTC Policy 15.08), if an MLTC plan determines, upon conducting its own UAS-NY assessment, that a beneficiary is not clinically eligible for MLTC enrollment, it must submit a dispute resolution form to the CFEEC within two business days following the plan’s assessment. The plan then has up to six business days to resolve the matter with the CFEEC. If the plan and the CFEEC are unable to reach a resolution, the CFEEC will refer the case to DOH for determination by a DOH medical professional. If the plan’s denial of enrollment is overturned by the DOH medical professional, the CFEEC will send a notice to the beneficiary outlining the steps necessary to complete the MLTC enrollment. The MLTC plan is then required to enroll the beneficiary. If the DOH medical professional upholds the plan’s denial of enrollment, the CFEEC will notify the beneficiary that he or she is ineligible for enrollment and will apprise the beneficiary of his or her fair hearing rights.

The UAS-NY security policy (MLTC Policy 15.07) describes potential HIPAA violations that could result from insufficient controls over UAS-NY assessor roles and user accounts and steps to reduce the risk of violations. The policy cautions that if an MLTC plan staff person or a member of the staff of a subcontractor “performs any action within the UAS-NY that could be construed as fraudulent, a security breach, or a violation of HIPAA or HITECH, the organization that assigned the UAS-NY role and the organization under which the Health Commerce System (HCS) user account was created may be held accountable for the security violation.”

The policy provides three scenarios in which the security of information contained in the UAS-NY system might be compromised:

  • A user has multiple UAS-NY roles provisioned by multiple organizations (e.g., MLTC plan, LHCSA, and/or CHHA) and accesses the UAS-NY on behalf of the wrong organization. In this scenario, the assessor logs into the UAS-NY for the purpose of conducting an assessment, chooses the incorrect organization, attests to a business need to access the record on behalf of the incorrect organization, adds the consumer to the incorrect organization’s case list, and conducts an assessment for the incorrect organization. This may be a HIPAA violation because that organization does not have a legitimate business need to access the consumer's record.
  • An organization does not terminate the Health Commerce System (HCS) account of a former employee, who continues to access that account on behalf of a new employer. In failing to delete the HCS user account which it created, the original employer is in violation of the HCS Organization Security and Use Agreement.
  • An organization does not terminate the UAS-NY role of a former employee, who continues to use that role on behalf of a new employer. The user conducts an assessment of a consumer on behalf of the new employer, under the role assigned by the former employer. This may be a HIPAA violation because the former employer does not have a legitimate business need to access the consumer record. It is also a violation of the HCS Organization Security and Use Agreement.

The policy urges each MLTC plan to review its business operations and procedures for assigning and terminating HCS accounts and UAS roles. Specifically, each MLTC plan should review its internal procedures for:

  • creating HCS user accounts and establishing Trust Level 3 assurance for staff and subcontractor staff;
  • managing and updating UAS-NY role assignments for staff and subcontractor staff; and
  • creating, managing and accessing the organization's case list for the MLTC plan.

To reduce their security exposure, MLTC plans are advised to require UAS-NY assessment subcontractors to fulfill the above functions. Specifically, each subcontractor should be responsible for:

  • creating HCS user accounts and establishing Trust Level 3 assurance for its staff;
  • managing and updating UAS-NY role assignments for its staff; and
  • creating, managing and accessing the organization case list for the subcontractor, which will include only those case records that the subcontractor is required to access.

All DOH MLTC policies are available here.

Contact: Karen Lipson, klipson@leadingageny.org, 518-867-8383 ext. 124.