Security and Privacy

Below is an overview of where the MHDO Data Warehouse resides and the system protections that are in place to protect and secure all data that the MHDO receives through its online systems.

Data Submission Protocols

To ensure the security of Protected Health Information (PHI) submitted to the MHDO Data Warehouse, the MHDO requires data submitters to encrypt all files before uploading them to the warehouse. This file-level encryption ensures the confidentiality of all data, not just individual fields. Once the encrypted file is received, it is not decrypted until it has been transferred into our secure data enclave. At that point, an automated process segregates all PHI from the rest of the data into its own access-controlled schema.

Additionally, to enhance security, the MHDO performs “integer substitution” on certain fields. The process replaces the underlying value with a unique integer. The integer is not derived from the contents of the field, meaning that there is no way for data users to decode the integer into the original field value. However, every instance of a given field value will always be assigned the same integer, allowing for matching between records. Integer substitution is performed on the payer’s claim ID, Social Security numbers, contract numbers, and MHDO-Assigned Member Numbers. The original values are stored separately from the main data and access is restricted.
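The integer substitution described above can be sketched as a lookup vault. This is an added example, not MHDO's or NORC's code: the SQLite vault, the random surrogate draw, and the column names are assumptions chosen to show the two stated properties (the integer is not derived from the value, and the same value always gets the same integer).

```python
import secrets
import sqlite3

# Hypothetical column names for the four fields the page lists.
SUBSTITUTED_FIELDS = ("claim_id", "ssn", "contract_number", "member_number")

class SubstitutionVault:
    """Restricted store mapping (field, original value) -> surrogate integer."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS vault ("
            " field TEXT NOT NULL, original TEXT NOT NULL,"
            " surrogate INTEGER NOT NULL,"
            " PRIMARY KEY (field, original), UNIQUE (field, surrogate))")

    def substitute(self, field, value):
        while True:
            row = self.db.execute(
                "SELECT surrogate FROM vault WHERE field=? AND original=?",
                (field, value)).fetchone()
            if row:                      # seen before: reuse, so records still match
                return row[0]
            surrogate = secrets.randbelow(2**62) + 1   # random draw, not a hash
            try:
                with self.db:            # commit on success, roll back on error
                    self.db.execute("INSERT INTO vault VALUES (?,?,?)",
                                    (field, value, surrogate))
            except sqlite3.IntegrityError:
                continue                 # surrogate collision: draw again
            return surrogate

def deidentify(records, vault):
    """Return copies of records with the listed fields replaced by surrogates."""
    out = []
    for rec in records:
        clean = dict(rec)
        for name in SUBSTITUTED_FIELDS:
            if clean.get(name) is not None:
                clean[name] = vault.substitute(name, clean[name])
        out.append(clean)
    return out

# Constructed sample rows (not real data); 000-prefixed SSNs are never issued.
SAMPLE_CLAIMS = [
    {"claim_id": "CLM-1001", "ssn": "000-00-0001", "paid": 120.50},
    {"claim_id": "CLM-1002", "ssn": "000-00-0001", "paid": 75.00},
    {"claim_id": "CLM-1003", "ssn": "000-00-0002", "paid": 310.25},
]
```

Because the mapping exists only in the vault table, keeping that table in a separate, access-restricted store is what prevents data users from reversing a surrogate.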

Substance Abuse and Mental Health Services Administration (SAMHSA)-Confidentiality of Substance Use Disorder (SUD) Patient Records, 42 CFR Part 2

Commercial payers submitting data to MHDO redact SUD-related codes from their data submissions to MHDO as they feel is required under Federal Rule, 42 CFR Part 2.

MHDO’s Data Warehouse and Systems Security Protection

All MHDO Data Warehouse systems physically reside within NORC's SOC II certified datacenter, which is managed by DataBank Holdings Ltd. The datacenter implements physical access and environmental controls per NIST 800-53 guidelines. All logical access and network security are managed by NORC.

MHDO Data Warehouse systems are further protected by the following network and system boundary controls, which are implemented by NORC per NIST 800-53 guidelines:

  • Managed firewall and IPS
  • Configuration management baselines: FDCC/USGCB for laptops, Center for Internet Security (CIS) benchmarks for network and server systems
  • Least privilege access to system boundary
  • Continuous physical and system security monitoring
  • Managed security policies using domain group policies for complex passwords and mandatory renewal
  • Domain-managed virus protection
  • Access control procedures for data and systems
  • Virus and spam filtering of email
  • Encryption, FIPS 140-2 Level 2 – laptops (full disk), VPN connection (2-factor authentication), encrypted backup tapes

The NORC Data Enclave complies with the following federal guidance for Information Technology Systems:

  • NIST Special Publication (SP) 800-55, Security Metrics Guide for Information Technology Systems
  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems
  • NIST SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
  • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
  • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
  • NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 191, Guideline for the Analysis of Local Area Network Security

The NORC Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act and the provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST’s IT, data, system and physical security requirements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project-specific Nondisclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions against Disclosures. NORC complies with the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for rules of behavior for this system. The NORC Data Enclave is subject to Minimum Implementation Standards along with the IT security laws and federal regulations set forth in:

  • Public Law 107-347 E-Government Act of 2002 (FISMA included), Title V: Confidentiality Information Protection and Statistical Efficiency Act (CIPSEA)
  • Public Law 200-253 Computer Security Act of 1987
  • OMB Circular No. A-130, Appendix III, Security of Automated Information Resources
  • Department of Commerce Administrative Orders and
  • NIST Administrative Manual Chapter 11.02 and the NIST IT Security

NORC Insurance Coverage

NORC holds the following insurance policies and coverage with an accredited insurance carrier.

Policy/Coverage Description                 Limit
Professional Liability
Errors & Omissions                          $5,000,000
Network Security                            $5,000,000
Sublimit for Regulatory Actions             $1,000,000
Sublimit for Event Management Insurance     $500,000
Cyber Extortion                             $5,000,000

In addition, MHDO adheres to the security and privacy policies established by the State's Office of Information Technology (OIT). These policies can be found on their site located at