
Complying with Federal and State Security Requirements for Medicaid Data Warehouse


About the NYS Medicaid Data Warehouse

CMA currently operates an enterprise-wide security solution for the New York State Medicaid Data Warehouse (NYS MDW) that meets or exceeds all current requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Electronic Health Record provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, in addition to all NYS- and DOH-specific privacy and security requirements for Protected Healthcare Information or Individually Identifiable Information (PHI/III).

NYS DOH oversees the NYS Medicaid Program, which supports:

  • Over 6.6 million monthly eligibles
  • Pays out over 250,000,000 new day claims a year
  • Totals almost 70 billion dollars a year in payouts
  • Over 1500 end users

CMA has decades of experience being the custodian of highly confidential information and the accompanying required system security. We recognize the sensitivity of the data entrusted to our care and accept the significant responsibility of safeguarding this data.

Business Case

NYS DOH was looking for a Medicaid Data Warehouse that complied with the NYSOITS, HIPAA, and FERPA security requirements. This provides clients with a secure and compliant data warehouse that reduces project risk and provides cost savings.

Data security best practices are based on the confidentiality, integrity, and availability of that data. Policies and controls need to be implemented in a comprehensive manner, within the following sectors: roles and responsibilities, policy, physical security, logical security, monitoring, and compliance.

Data needs to be protected both while in transit (where it may be intercepted and disclosed) and at rest. “Data at rest” is information stored on disk drives, USB drives, USB flash devices, magnetic tape, CD-Rs, and DVDs. There is also a risk that confidential information stored on PCs, laptops, USB devices and optical media may be lost or stolen, which can result in a disclosure of confidential information.

The Solution

CMA implemented an aggressive security program based on data security best practices. The program is based on National Institute of Standards and Technology (NIST), HIPAA, HITECH and NY State’s own policies and controls.

Roles and Responsibilities: For any security solution to be successful it is critical that the roles and responsibilities be clearly defined and documented. The CMA Team worked with NYS DOH to identify the necessary organization. Once these roles were identified and their corresponding responsibilities clearly defined, qualified resource(s) were assigned to each of these roles.

Policy: More than 400 policies and procedures were developed jointly by CMA and NYS DOH for the new Medicaid Data Warehouse (MDW). These policies and procedures accounted for all Federal and State regulatory policies and national information security standards.

Physical Security: CMA instituted strict physical security using all the latest technology, such as proximity cards that allow access only on an as-needed basis and security cameras.

Logical Security: CMA’s MDW solution included a logical security design encompassing technical controls applied to protect the confidentiality, integrity and availability of data. CMA implemented safeguards to protect information based upon the level of sensitivity as designated by NYS DOH.

Monitoring: CMA’s Health Care Data Warehouse solution for the NYS MDW satisfied all HIPAA, HITECH, and OCS policies regarding auditing, logging, and reporting.

Compliance: CMA reviewed all security standards to ensure that the security provided to NYS DOH meets or exceeds all applicable Federal and State requirements. Logs and alerts from all production application platforms are monitored daily using automated monitoring features. Alerts are prioritized and reviewed, usage anomalies are investigated, and system performance is documented.

Data Protection: CMA’s architectural design and security strategy for NYS DOH ensured that all data is protected both while in transit and at rest. To counter the inherent risk that any data in transit may be intercepted and disclosed, CMA incorporated the most current encryption technology to ensure that any inbound or outbound transmission containing sensitive or confidential data across a public or non-trusted network was protected. Concerning data at rest, it is CMA’s policy to encrypt all data on portable data storage media including laptops and PCs.

The Results

Customers gained a secure and compliant data warehouse that reduced the overall project risk and provided cost savings.