Security and Privacy

Below is an overview of where the MHDO Data Warehouse resides and the system protections that are in place to protect and secure the hospital and claims data that the MHDO receives.

Data Submission Protocols

To ensure the security of Protected Health Information (PHI) submitted to the MHDO Data Warehouse, the MHDO requires data submitters to encrypt all files before uploading them to the warehouse. This file-level encryption protects the confidentiality of the whole file, not just individual fields. Once an encrypted file is received, it is not decrypted until it has been transferred into our secure data enclave. At that point, an automated process segregates all PHI from the rest of the data into its own access-controlled schema. Additionally, to enhance security, the MHDO performs “integer substitution” on certain fields. The process replaces the underlying value with a unique integer. The integer is not derived from the contents of the field, so there is no way for data users to decode the integer back into the original field value. However, every instance of a given field value is always assigned the same integer, which allows matching between records. Integer substitution is performed on the payer’s claim ID, social security numbers, contract numbers, and MHDO-Assigned Member Numbers. The original values are stored separately from the main data, and access to them is restricted.
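The integer substitution described above, as an added illustration (not MHDO's or NORC's own code): surrogate integers come from a counter rather than from the field value, repeats of a value map to the same integer so records still join, and the lookup table is kept apart from the released records. Column names and sample records are constructed for the example.

```python
import itertools
from typing import Dict, Iterable, List, Tuple

# Hypothetical column names for the fields the page says are substituted.
SUBSTITUTED_FIELDS = ("payer_claim_id", "ssn", "contract_number", "mhdo_member_number")

# Constructed sample records; the SSNs and IDs are not real.
SAMPLE_RECORDS = [
    {"payer_claim_id": "CLM-0001", "ssn": "123-45-6789", "contract_number": "K-77",
     "mhdo_member_number": "M100", "paid_amount": 120.50},
    {"payer_claim_id": "CLM-0002", "ssn": "987-65-4321", "contract_number": "K-78",
     "mhdo_member_number": "M101", "paid_amount": 45.00},
    {"payer_claim_id": "CLM-0003", "ssn": "123-45-6789", "contract_number": "K-77",
     "mhdo_member_number": "M100", "paid_amount": 15.25},
]


class IntegerSubstitution:
    """Replace sensitive field values with surrogate integers.

    The integer is minted from a counter, so nothing about the original value
    can be recovered from it without the vault. The vault is the separately
    stored, access-restricted mapping the page describes.
    """

    def __init__(self) -> None:
        self._counter = itertools.count(1)
        # (field, original value) -> surrogate integer. Keyed per field, so the
        # same string in two different fields gets two different integers.
        self.vault: Dict[Tuple[str, str], int] = {}

    def substitute(self, field: str, value: str) -> int:
        key = (field, value)
        if key not in self.vault:            # first sighting: mint a new integer
            self.vault[key] = next(self._counter)
        return self.vault[key]               # repeat sighting: same integer, enables matching

    def process(self, records: Iterable[dict]) -> List[dict]:
        released = []
        for rec in records:
            rec = dict(rec)                  # do not mutate the caller's record
            for field in SUBSTITUTED_FIELDS:
                if rec.get(field) is not None:
                    rec[field] = self.substitute(field, str(rec[field]))
            released.append(rec)
        return released


def run_sample() -> Tuple[List[dict], Dict[Tuple[str, str], int]]:
    """Substitute the sample records; returns (releasable records, restricted vault)."""
    engine = IntegerSubstitution()
    return engine.process(SAMPLE_RECORDS), engine.vault
```

A production deployment would assign the integers randomly rather than sequentially so that the surrogate does not reveal the order in which values were first seen; the counter here is only for readability.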

Substance Abuse and Mental Health Services Administration (SAMHSA) - Confidentiality of Substance Use Disorder (SUD) Patient Records, 42 CFR Part 2

MHDO applies the CMS/ResDAC filter to all data in the APCD, including commercial, Medicare and MaineCare data, to redact claim lines containing SUD-related codes before releasing MHDO APCD data to authorized MHDO data users. This means we remove any claim line that has a code included on the redaction list, and we keep any portion of a claim that does not include one of these codes. The removed SUD-related data is stored in its own protected database and may be available to authorized MHDO data users under the terms and conditions of payment, health care operations and other health care related activities.

Notes:

  • Commercial payers use their own filters to suppress SUD-related claim lines before submitting the data files to the MHDO. The application of the CMS/ResDAC filter is an additional measure taken by the MHDO.
  • A listing of the CMS/ResDAC codes used for redaction is available on our All Payer Claims Database (APCD) page.
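The line-level redaction described above, as an added illustration (not MHDO's filter implementation): each claim line is checked against a code list, lines that match are diverted to the protected store, and the remaining lines of the same claim are still released. The redaction codes here are constructed placeholders; the actual CMS/ResDAC list is published on the MHDO APCD page, and the sample claim lines are constructed.

```python
from typing import Iterable, List, Set, Tuple

# Placeholder codes standing in for the CMS/ResDAC redaction list (constructed).
REDACTION_CODES: Set[str] = {"SUD-DX-1", "SUD-PROC-1"}

# Constructed sample claim lines: CLM-0001 mixes a non-SUD line with an SUD line.
SAMPLE_LINES = [
    {"claim_id": "CLM-0001", "line": 1, "diagnosis_codes": ["J06.9"], "procedure_codes": ["99213"]},
    {"claim_id": "CLM-0001", "line": 2, "diagnosis_codes": ["SUD-DX-1"], "procedure_codes": ["99213"]},
    {"claim_id": "CLM-0002", "line": 1, "diagnosis_codes": ["I10"], "procedure_codes": ["SUD-PROC-1"]},
    {"claim_id": "CLM-0003", "line": 1, "diagnosis_codes": ["I10"], "procedure_codes": ["99214"]},
]


def line_is_redacted(line: dict, codes: Set[str] = REDACTION_CODES) -> bool:
    """True if any diagnosis or procedure code on the line is on the redaction list."""
    line_codes = set(line.get("diagnosis_codes", ())) | set(line.get("procedure_codes", ()))
    return not line_codes.isdisjoint(codes)


def apply_sud_filter(lines: Iterable[dict],
                     codes: Set[str] = REDACTION_CODES) -> Tuple[List[dict], List[dict]]:
    """Split claim lines into (releasable lines, protected SUD lines).

    The decision is made per line, not per claim, so a claim with one SUD line
    keeps its other lines in the releasable set.
    """
    released: List[dict] = []
    protected: List[dict] = []
    for line in lines:
        (protected if line_is_redacted(line, codes) else released).append(line)
    return released, protected


def run_sample() -> Tuple[List[dict], List[dict]]:
    return apply_sud_filter(SAMPLE_LINES)
```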

MHDO’s Data Warehouse and Systems Security Protection

All MHDO Data Warehouse systems reside within NORC's secure facilities. These facilities have strictly controlled physical access and maintain boundary protection using network firewalls, an Intrusion Prevention System (IPS) and security monitoring through a unified situational platform. The IT environment is thoroughly documented and managed under the NIST 800-53 Rev.3 framework. Security provisions are established and maintained to include:

  • Managed firewall and IPS
  • Configuration management baselines: FDCC\USGCB for laptops, Center for Internet Security (CIS) benchmarks for network and server systems
  • Least privilege access to system boundary
  • Continuous physical and system security monitoring
  • Managed security policies using domain group policies for complex passwords and mandatory renewal
  • Domain-managed virus protection
  • Access control procedures for data and systems
  • Virus and spam filtering of email
  • Encryption: FIPS 140-2 Level 2 full-disk encryption on laptops, VPN connections with two-factor authentication, and encrypted backup tapes

The NORC Data Enclave complies with the following federal compliance guidance:

  • NIST Special Publication (SP) 800-55, Security Metrics Guide for Information Technology Systems
  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems
  • NIST SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
  • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
  • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
  • NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 191, Guideline for the Analysis of Local Area Network Security
  • IEEE Std 829-1998, IEEE Standard for Software Test Documentation

The NORC Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act and the provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST’s IT, data, system and physical security requirements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project-specific Nondisclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions against Disclosures. NORC is in compliance with DOC IT Security Program Policy, section 4.5, and the NIST IT Security Management Handbook, including section 8.3 on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed as the rules of behavior for this system. The NORC Data Enclave is subject to the DOC IT Security Program Policy and Minimum Implementation Standards, along with IT security laws and federal regulations including:

  • Public Law 107-347 E-Government Act of 2002 (FISMA included), Title V: Confidentiality Information Protection and Statistical Efficiency Act (CIPSEA)
  • Public Law 200-253 Computer Security Act of 1987
  • OMB Circular No. A-130, Appendix III, Security of Automated Information Resources
  • Department of Commerce Administrative Orders and
  • NIST Administrative Manual Chapter 11.02 and the NIST IT Security

NORC Insurance Coverage

NORC holds the following insurance policies and coverage with an accredited insurance carrier.

Policy/Coverage Description                  Limit
Professional Liability
  Errors & Omissions                         $5,000,000
  Network Security                           $5,000,000
  Sublimit for Regulatory Actions            $1,000,000
  Sublimit for Event Management Insurance    $500,000
  Cyber Extortion                            $5,000,000

In addition, MHDO adheres to the security and privacy policies established by the State's Office of Information Technology (OIT). These policies can be found on the OIT site at www.maine.gov/oit/policies/index.shtml.