Update to Section 10 of the NCDHHS Provider Administrative Participation Agreement

The North Carolina Department of Health and Human Services (NCDHHS) has updated Section 10 (Release of Liability) of the NCDHHS Provider Administrative Participation Agreement. The following paragraph has been added:

All electronic data related to the access of NCDHHS systems and the provision of services provided to NC Medicaid beneficiaries by entities enrolled in North Carolina Medicaid must be safeguarded against breaches. Measures must be in place to protect access, including login and password information, and to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII) from unauthorized disclosure, including social engineering attacks. Enrolled providers, Managed Care Health Plans, business associates and entities contracted to carry out activities on behalf of NCDHHS who violate their obligations to protect PHI, PII, and/or access to NCDHHS systems are directly liable. HIPAA violations, including those related to security breaches, may result in civil monetary penalties and other enforcement actions. The Breach Notification Rule outlines requirements for health information safeguards and for notifications after the discovery of a breach of unsecured PHI (45 CFR §§ 164.400–414).

This update applies to all current and future NCTracks applications. The revised agreement will be visible when the Participation Agreement is displayed during an NCTracks application. Providers are encouraged to review this updated requirement and ensure compliance with it.