Below is an overview of where the MHDO Data Warehouse resides and the system protections that are in place to protect and secure the hospital and claims data that the MHDO receives.
In order to ensure the security of Protected Health Information (PHI) that is submitted to the MHDO Data Warehouse the MHDO requires data submitters to encrypt all files before uploading to the warehouse. This file-level encryption ensures the confidentiality of all data, not just individual fields. Once the encrypted file is received, it is not decrypted until it has been transferred into our secure data enclave. At that point, all PHI is segregated from the rest of the data in its own access-controlled schema by an automated process. Additionally, in order to enhance security, the MHDO performs “integer substitution” on certain fields. The process replaces the underlying value with a unique integer. The integer is not derived from the contents of the field, meaning that there is no way for data users to decode the integer into the original field value. However, every instance of a given field value will always be assigned the same integer, allowing for matching between records. Integer substitution is performed on the payer’s claim ID, social security numbers, contract numbers, and MHDO-Assigned Member Numbers. The original values are stored separately from the main data and access is restricted.
MHDO applies the CMS/ResDAC filter to all data in the APCD including, commercial, Medicare and MaineCare data to redact claim lines containing SUD-related codes prior to releasing MHDO APCD data to authorized MHDO data users; which means we have removed any claim lines that have a code that is included on the redaction list. We leave any portion of a claim that doesn’t include one of these codes. This SUD-related data is stored in its own protected database and may be available to authorized MHDO data users under the terms and conditions of payment, health care operations and other health care related activities.
All MHDO Data Warehouse systems reside within NORC's secure facilities. These facilities have strictly controlled physical access and maintain boundary protection utilizing network firewalls, Intrusion Prevention System (IPS) and security monitoring using a unified situational platform. The IT environment is thoroughly documented and managed through proven NIST 800-53 Rev.3 framework. Security provisions are established and maintained to include:
The NORC Data Enclave complies with the following federal compliance guidance:
The NORC Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act, provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST’s IT, data, system and physical security requirements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project specific Nondisclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions against Disclosures. NORC is in compliance with DOC IT Security Program Policy, section 4.5 and the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for rules of behavior for this system. The NORC Data Enclave is subject to the DOC IT Security Program Policy and Minimum Implementation Standards along with the IT security laws and federal regulations including:
NORC holds the following insurance policies and coverage with an accredited insurance carrier.
|Errors & Omissions||$5,000,000|
|Sublimit for Regulatory Actions||$1,000,000|
|Sublimit for Event Management Insurance||$500,000|
In addition MHDO adheres to the security and privacy policies established by the State's Office of Information Technology (OIT). These policies can be found on their site located at www.maine.gov/oit/policies/index.shtml.