HIE Adoption with the Data Exchange Incentive Program (DEIP)
Building EHR interfaces to New York State Qualified Entities (QEs) will increase the quantity of data in the Statewide Health Information Network for New York (SHIN-NY) and build value for the providers and patients at the point of care.
About the Program
The New York State Department of Health (DOH), with support from Centers for Medicare & Medicaid Services (CMS), has established the Data Exchange Incentive Program (DEIP) to increase HIE adoption across the state for Medicaid providers.
Participating organizations are incentivized to contribute a pre-defined set of data elements to the SHIN-NY through a QE. This program is designed to help defray the cost for an organization when connecting to their local QE.
New York eHealth Collaborative is coordinating the rollout of the program and the incentive payments on behalf of the State Department of Health. Limited funding is available, and this program is operated on a first-come, first-served basis.
DEIP is open to the following organizations and providers:
- Organizations with at least one provider that has attested to and been paid under the Medicare or Medicaid MU program (any year, any stage)
- Long-Term Care providers (Article 28 nursing homes, Article 36 home care agencies & Article 40 hospice facilities)
- Behavioral Health providers (OMH, OASAS, and HCBS designated providers)
Eligibility Criteria for the Data Exchange Incentive Program
Eligibility criteria for the DEIP funding requires that providers and organizations meet several requirements, including some related to the EHR products that they utilize. OOrganizations attesting for DEIP funding must utilize an EHR that has obtained at least one of the following Privacy & Security Assurances (A, B, or C):
- ONC Certification* for, at a minimum, the following Privacy & Security criteria:
- (d.1) Authentication, Access Control, and Authorization
- (d.2) Auditable Events
- (d.3) Audit Report(s)
- (d.4) Amendments
- (d.5) Automatic Log-off
- (d.6) Emergency Access
- (d.7) End-user device encryption
- (d.8) Integrity
- Current SOC 2, Type II audit with no material findings**
- Current, validated HITRUST assessment or NIST cybersecurity framework assessment**
An organization must:
- Have at least one provider that accepts Medicaid (Fee-For-Service or Medicaid Managed Care)
- Contribute specific data elements to the SHIN-NY (e.g. demographics, medications, labs, allergies)
- Meet other program-specific criteria related to the organization type and eligibility
EHR products that have met option ‘A’ and achieved ONC certification for the aforementioned criteria can be found here: https://chpl.healthit.gov/#/search
- Netsmart Technologies
This list will be updated as new vendors are added.
DEIP Enrollment and Attestation Process
Providers and organizations interested in DEIP should contact their local Qualified Entity (QE) to get started. QEs will:
- Provide the necessary enrollment and attestation forms
- Confirm eligibility in accordance with program requirements
- Answer questions
- Provide you with more information on QE services
Once completed, QEs will submit the enrollment/attestation forms to NYeC on your behalf.
Incentive funding is $13,000 per organization. In order to receive funding, all milestones must be completed by September 30, 2018.
- Milestone 1: Enrollment
- Milestone 2: Go Live
QE Contacts for DEIP
*If the EHR vendors meets requirement ‘A’, they must have and maintain a Certification Status of ‘Active’ from an ONC Authorized Testing & Certification Body (ONC-ATCB). EHR vendor may certify against additional Privacy & Security criteria as desired. Certification may be against the 2014 or 2015 Edition of ONC Certification. Additionally, the ONC-ATCB may also require (g.4) Quality Management System and/or (g.5) Accessibility-Centered Design.
**If the EHR vendor meets requirement ‘B’ or ‘C’, they must also provide NYeC with an attestation that demonstrates their product’s ability to meet the requirements 45 CFR 170.314(d)(1) through 170.314(d)(8) which represent the EHR features, functions, and behaviors related to privacy and security. SOC 2, Type II audit will only be acceptable through September 30, 2019, at which time the vendor must be certified or assessed and compliant with ONC Privacy & Certification criteria, HITRUST, or NIST.