MHDO data recipients must demonstrate levels of security and privacy practices commensurate with health industry standards for protected health information (PHI), both at rest and in transit. Data recipients must be able to demonstrate their ability to meet privacy and security requirements as required in MHDO’s Data User Agreement and consistent with health care industry standards. MHDO data releases will be made available to authorized users via an encrypted secure download process.
All interested data users should refer to 90-590 CMR Chapter 120 and the MHDO Data Use Agreement for specifics regarding Data Security, Transmission and Storage. This page provides an overview of those requirements.
As part of the MHDO data application process, data applicants must submit copies of their organizational policies for data security, transmission, and storage. These policies must cover the following:
MHDO requires detailed information on where the data will be physically located. MHDO data must be segregated from other institutional data to ensure that, at the conclusion of the study or project, all MHDO data can be removed from institution computers and/or destroyed—consistent with privacy, security, and record retention requirements.
For data stored on a network drive and not on your computer hard drive, the following MHDO requirements must be met:
For data stored on the local hard drive of a computer, the following MHDO requirements must be met:
MHDO data applicants who intend to store or analyze MHDO data in a computing environment where the data applicant is not solely responsible for the implementation of data security requirements under this agreement must provide evidence that the proposed computing environment meets or exceeds NIST 800-53v4 security standards at the moderate control level. Examples of acceptable evidence for demonstrating NIST 800-53 compliance include:
Other evidence supporting compliance with the cloud storage data security requirements will be considered by MHDO on a case-by-case basis and should be submitted with your application.
If the MHDO data applicant is sharing information between sites, MHDO requires additional information regarding data transmission. MHDO data transmitted must be encrypted with a key length of at least 256 bits.
MHDO data applicants must agree that the MHDO data will be retained for the period of time necessary to fulfill the requirements of the specific authorized data request. After that time, MHDO data must be destroyed. Please note that applicants must follow NIST Special Publication 800-88, Guidelines for Media Sanitization, Revision 1. See: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf.
The data destruction must occur within 30 days of the scheduled completion date of the project and MHDO must be notified when the data are destroyed.