Below is an overview of where the MHDO Data Warehouse resides and the system protections that are in place to protect and secure all data that the MHDO receives through its online systems.
In order to ensure the security of Protected Health Information (PHI) that is submitted to the MHDO Data Warehouse the MHDO requires data submitters to encrypt all files before uploading to the warehouse. This file-level encryption ensures the confidentiality of all data, not just individual fields. Once the encrypted file is received, it is not decrypted until it has been transferred into our secure data enclave. At that point, all PHI is segregated from the rest of the data in its own access-controlled schema by an automated process. Additionally, in order to enhance security, the MHDO performs “integer substitution” on certain fields. The process replaces the underlying value with a unique integer. The integer is not derived from the contents of the field, meaning that there is no way for data users to decode the integer into the original field value. However, every instance of a given field value will always be assigned the same integer, allowing for matching between records. Integer substitution is performed on the payer’s claim ID, social security numbers, contract numbers, and MHDO-Assigned Member Numbers. The original values are stored separately from the main data and access is restricted.
MHDO applies the CMS/ResDAC filter to all data in the APCD including, commercial, Medicare and MaineCare data to redact claim lines containing SUD-related codes prior to releasing MHDO APCD data to authorized MHDO data users; which means we have removed any claim lines that have a code that is included on the redaction list. We leave any portion of a claim that doesn’t include one of these codes. This SUD-related data is stored in its own protected database and may be available to authorized MHDO data users under the terms and conditions of payment, health care operations and other health care related activities.
All MHDO Data Warehouse systems physically reside within NORC's SOC II certified datacenter, which is managed by Zayo Group. The datacenter implements physical access and environmental controls per NIST 800-53 guidelines. All logical access and network security are managed by NORC.
MHDO Data Warehouse systems are further protected by the following network and system boundary controls, which are implemented by NORC per NIST 800-53 guidelines:
The NORC Data Enclave complies with the following federal guidance for Information Technology Systems:
The NORC Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act, provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST’s IT, data, system and physical security requirements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project specific Nondisclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions against Disclosures. NORC complies with the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for rules of behavior for this system. The NORC Data Enclave is subject to Minimum Implementation Standards along with the IT security laws and federal regulations set forth in:
NORC holds the following insurance policies and coverage with an accredited insurance carrier.
|Errors & Omissions||$5,000,000|
|Sublimit for Regulatory Actions||$1,000,000|
|Sublimit for Event Management Insurance||$500,000|
In addition MHDO adheres to the security and privacy policies established by the State's Office of Information Technology (OIT). These policies can be found on their site located at www.maine.gov/oit/policies/index.shtml.