Current through 2024-38, September 18, 2024
1. Internal MHDO Use of Data: The MHDO will use the data it collects as described in 90-590 C.M.R. Chapters 241, 243, 270, 300 and 630 to:
A. Fulfill its responsibilities as described in Title 22 Chapter 1683;
B. Link APCD data with hospital encounter data or other MHDO data; and, if authorized in the data application, link external data sets to the MHDO Data set, provided that the data are released to the Data Recipient de-identified;
C. Produce customized reports as requested by the Governor's office, other government agencies, the Maine State Legislature and other external parties;
D. Authenticate and ensure the integrity of data filed with MHDO;
E. Produce MHDO generated numbers to allow for the distinguishing of and longitudinal tracing of individuals, without individually identifying the individuals; and
F. Identify and exclude data entitled to special confidentiality protections as provided in this rule.
2. Safeguards. The MHDO will maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting MHDO data, records and documents as follows:
A. MHDO administrative safeguards will ensure the confidentiality, integrity, and availability of all data MHDO creates, receives, maintains or transmits, and ensure compliance by its workforce and vendor(s).
B. The MHDO will use security management processes and its security and privacy officer to identify and analyze potential risks to confidential data and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
C. Information Access Management. The MHDO will continue to implement policies and procedures for authorizing access to confidential data only when such access is appropriate based on the user's or recipient's role (role-based access).
D. Workforce Training and Management. The MHDO will provide appropriate authorization and supervision of workforce members who work with confidential data. The MHDO will train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures. Sanctions shall be disciplinary actions that follow principles of progressive discipline similar to those outlined in the State's bargaining contract applicable to the Professional and Technical Services Bargaining Unit agreement. Sanctions may include any of the following, depending on the severity of the action for which they are given: oral or written reprimand, suspension, demotion, and dismissal.
E. Evaluation. The MHDO will perform an annual assessment of its security policies and procedures to ensure that they are functioning appropriately and report the results to the MHDO Board.
F. MHDO will apply health care industry standards to provide physical safeguards and technical safeguards to protect PHI and data. These safeguards will be specified in an MHDO policy.
3. MHDO vendors shall be held by contract to high PHI security standards, including federal standards such as the Federal Information Security Management Act and provisions of mandatory Federal Information Processing Standards (FIPS), and shall meet all of NIST's IT, data, system and physical security requirements. By contract, the MHDO Data warehouse vendor must maintain appropriate insurance coverage for MHDO's data.