90-590 MAINE HEALTH DATA ORGANIZATION (mhdo)
chapter 120: RELEASE OF DATA TO THE PUBLIC
TABLE OF CONTENTS PAGE
SECTION 1. GENERAL PURPOSE 3
SECTION 2. DEFINITIONS 4
SECTION 3. GENERAL PROVISIONS APPLICABLE TO ALL MHDO DATA 11
SECTION 4. MHDO DATA USE AGREEMENT (MHDO DUA) 15
SECTION 5. MHDO DATA Sets AND DATA RELEASE TYPES 17
SECTION 6. DATA REQUESTS FOR LEVEL I DATA 18
SECTION 7. DATA REQUESTS FOR LEVEL II DATA 19
SECTION 8. DATA REQUESTS FROM COVERED ENTITIES WHO ARE DATA PROVIDERS FOR LEVEL III DATA 20
SECTION 9. PUBLIC HEALTH AUTHORITIES PERMITTED USE AND RELEASE of Level iii data 21
SECTION 10. PUBLIC NOTICE OF ALL DATA REQUESTS INCLUDING NOTICE TO DATA PROVIDERS AND COMMENT PERIODS 22
SECTION 11. Decisions of the Executive director and the data release subcommittee and the mhdo board of directors. 23
SECTION 12. ROLE AND RESPONSIBILITIES OF THE MHDO DATA RELEASE SUBCOMMITTEE and the MHDo board of directors 24
SECTION 13. Individual Choice, Process to File Complaints 25
SECTION 14. DATA BREACH 26
SECTION 15. DATA GOVERNANCE, DATA USE AND STEWARDSHIP BY MHDO 27
SECTION 16. ENFORCEMENT AND PENALTY PROVISIONS 29
APPENDIX A. DATA ELEMENTS RELEASED IN LEVEL I FILE- DE-IDENTIFIED DATA 32
APPENDIX A.1 APCD Data Elements 32
APPENDIX A.2 Hospital Encounter Data Elements 38
APPENDIX A.3 Provider DATABASE 39
APPENDIX A.4 Hospital Quality Data 41
APPENDIX A.5 Non-Claims-Based Payments Data 42
APPENDIX B. DATA ELEMENTS RELEASED IN LEVEL II FILE- LIMITED DATA 43
APPENDIX B.1 APCD DATA ELEMENTS 43
APPENDIX B.2 HOSPTIAL ENCOUNTER DATA ELEMENTS 46
APPENDIX B.3 HOSPITAL financial data 46
APPENDIX B.4 Cancer-Incidence Registry Data Elements 47
Appendix B.5 Vital Statistics Birth Data Elements 47
Appendix B.6 Vital Statistics Death Data Elements 48
APPENDIX C. SUPPLEMENTAL DATA ELEMENTS FOR LEVEL I, II AND III DATA REQUESTS 49
APPENDIX D. DATA ELEMENTS RELEASED IN LEVEL III FILE- DIRECT IDENTIFIERS 49
90-590 MAINE HEALTH DATA ORGANIZATION
Chapter 120: RELEASE OF DATA TO THE PUBLIC
- GENERAL PURPOSE
- The Maine Health Data Organization (MHDO) is charged with collecting health care data. This Chapter governs the release of data submitted to the MHDO. The purpose of this rule is to specify the permissible uses of the data; Level I, II, and III Data file types; the process for which data requests will be reviewed and data released; public notice of data requests; the MHDO Data Use Agreement (MHDO DUA), MHDO internal use of the data, and the security and protection of the MHDO Data.
- Authority and Purpose
- MHDO Data are obtained to fulfill MHDO’s legislative mandate to create and maintain a useful, objective, reliable and comprehensive health information database that is used to improve the health of Maine citizens and to issue reports promoting public transparency of health care quality, outcomes, and costs. The MHDO will make data publicly available and accessible to the broadest extent consistent with the laws protecting individual privacy, and proprietary information.
- The primary use of the MHDO Data is to produce meaningful analysis in pursuit of improved health, health equity, and health care quality for Maine people. Acceptable uses of MHDO Data include, but are not limited to, study of health care disparities, health care costs, utilization, and outcomes; benchmarking; quality analysis; longitudinal research; other research; and administrative or planning purposes.
- Transition
- Data released under the prior rule Chapter 120 shall continue to be subject to those rules and agreements signed pursuant to those rules. Those agreements regarding use of MHDO Data shall remain effective until they end, are terminated by the MHDO Executive Director, or are replaced with updated MHDO DUA’s. MHDO data released under prior rule chapter 120 shall remain the property of MHDO.
- Constitutionality Clause
- Should any section, paragraph, sentence, clause, or phrase of these rules be declared unconstitutional or invalid for any reason, the remainder of said rule will not be affected thereby.
- DEFINITIONS
- Unless the context indicates otherwise, the following words and phrases shall have the following meanings:
- APCD. “APCD” means the All Payer Claims Database.
- APCD Data. “APCD Data is Health Care Claims Data consisting of, or derived directly from, member eligibility, medical claims which includes identifiable practitioner data elements, pharmacy claims, and/or dental claims files submitted by health care claims processors pursuant to Chapter 243 of the MHDO’s rules, Uniform Reporting System for Health Care Claims Data Sets.
- Applicant. An “Applicant” is an individual or organization that requests Data in accordance with this rule.
- Breach. A “Breach” is an impermissible use or disclosure under this rule that compromises the security or privacy of Protected Health Information (PHI). An impermissible use or disclosure of PHI is presumed to be a breach unless the MHDO demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
- Business Associate. "Business Associate" has the same meaning as under 45 Code of Federal Regulations, Section 160.103 (2015). Generally, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
- Cancer-Incidence Registry Data. “Cancer-Incidence Registry Data” means information collected from the Maine Department of Health and Human Services, Office of Data Research and Vital Statistics pursuant to Chapter 730 of the MHDO rules, Interagency Reporting of Cancer-Incidence Registry and Vital Statistics Data.
- Carrier. “Carrier” means an insurance company as defined in Title 22, Chapter 1683, section 8702 (1-A).
- Choice Regarding Disclosure of Information. “Choice Regarding Disclosure of Information” means a mechanism that allows an individual to choose to not allow the MHDO to disclose their directly identifiable health care information for certain requests.
- Commercial Redistribution. ‘Commercial redistribution” is when a for-profit or not-for-profit business or organization purchases MHDO data or information for inclusion in a larger composite database for resale in any form.
- Covered Entity. "Covered Entity" has the same meaning as 45 Code of Federal Regulations, Section 160.103 (2015). “Covered Entities are health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
- Data Provider. A “Data Provider” is an entity or person that provides data to the MHDO pursuant to 22 M.R.S.A. Sections 8708, 8708-A, 8709, 8710 or 8711 and is a health care facility, health care practitioner, health care claims processor or carrier. For the purposes of this rule, “Data Provider” incudes the DRVS for date submitted pursuant to Chapter 730.
- Data Recipient. A “Data Recipient” is any entity or person that receives data pursuant to this rule.
- Data Release Subcommittee. “Data Release Subcommittee” is a subcommittee of the MHDO Board of Directors established to review applications for data release as specified in these Rules.
- Data Suppression. “Data Suppression” means the masking of certain data fields in situations where the small number of records in a subgroup might otherwise allow for the identification of individuals.
- Direct Identifiers. Direct Identifiers” are personal information as outlined in Chapter 125, such as name, social security number, and date of birth, that uniquely identifies an individual or that can be combined with other readily available information to uniquely identify an individual. A MHDO assigned replacement number or code (used to create anonymous data indices or linkage) is not a direct identifier. MHDO Level III Data includes MHDO Direct Identifiers.
- DRVS. “DRVS” means the Data, Research, and Vital Statistics office within the Department of Health and Human Services.
- Encryption. “Encryption” means the process of converting data to an unrecognizable form, in order to protect sensitive information including protected health information so that only authorized parties can view it. This includes data files and storage devices, as well as data transferred over wireless networks.
- Executive Director. “Executive Director” means the Executive Director of MHDO or the Acting Executive Director of MHDO.
- Federal Information Processing Standards (FIPS). “Federal Information Processing Standards” are public standards developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors. The purpose of FIPS is to ensure that all federal government and agencies adhere to the same guidelines regarding security and communication.
- Financial Data. “Financial data” means information collected from data providers pursuant to Chapter 300 of the MHDO rules, Uniform Reporting System for Hospital Financial Data, that include, but are not limited to, costs of operation, revenues, assets, liabilities, fund balances, other income, rates, charges and units of services.
- Health Care Claims Processor. “Health Care Claims Processor” means a third-party payer, third-party administrator, Medicare health plan sponsor, or pharmacy benefits manager.
- Health Care Improvement Studies. “Health Care Improvement Studies” means studies of health care utilization, improvements, cost, or quality with a specified purpose for improving the health of Maine people.
- Health Care Operations. “Health Care Operations” means activities as defined in HIPAA 45 CFR 164.501 (2015), such as quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and planning analyses related to managing and operating entities providing health care or that provide planned coverage for health care payment.
- HIPAA. “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996. HIPAA regulations are in 45 CFR Parts 160, 162 and 164. Any reference of citation to 45 CFR is to the 2015 version. The cited sections of the CFR are available online at www.hhs.gov.
- Hospital Encounter Data. “Hospital Encounter Data” means information consisting of or derived directly from hospital inpatient and outpatient data, which includes identifiable practitioner data elements, or any other derived data sets filed or maintained pursuant to Chapter 241 of the MHDO’s rules, Uniform Reporting System for Hospital Inpatient and Hospital Outpatient and Emergency Department Data Sets.
- Longitudinal Research. “Longitudinal Research” is a research method in which data is gathered for the same subjects repeatedly over a period of time. Longitudinal research projects can extend over years. Data Recipients authorized to conduct longitudinal research may integrate the MHDO source data into their internal composite database for the purposes of internal longitudinal research.
- MHDO Assigned Member ID. “MHDO Assigned Member ID” is a MHDO assigned replacement Member ID which is unique for a given member within a given payer contract to the extent possible given the identifiers received from data submitters. The MHDO Assigned Member ID is not a direct identifier. MHDO assigned codes or numbers are owned by the MHDO and may only be used pursuant to MHDO DUA’s and for no other purpose. MHDO Level II APCD Data includes this deidentified Member ID.
- MHDO Assigned Person ID. “MHDO Assigned Person ID” is a MHDO-assigned replacement Person ID which is unique for a given person regardless of payer, contract, or hospital to the extent possible given the identifiers received from data submitters. The MHDO Assigned Person ID is not a direct identifier. MHDO assigned codes or numbers are owned by the MHDO and may only be used pursuant to MHDO DUA’s and for no other purpose. MHDO Level II APCD, Hospital Data, Cancer-Incidence Registration, Vital Statistics Birth Data, and Vital Statistics Death data includes this deidentified Person ID.
- MHDO Assigned Replacement Number or Code. A “MHDO Assigned Replacement Number or Code” is a MHDO created number or code that is used to create anonymous or encrypted data indices. The MHDO Assigned Replacement Number or Code is not a direct identifier. MHDO assigned codes or numbers are owned by the MHDO and may only be used pursuant to MHDO DUA’s and for no other purposes.
- MHDO Data. “MHDO Data” means all data submitted to or collected by MHDO. MHDO includes but is not limited to APCD Data (Health Care Claims Data), Hospital Encounter Data, Hospital Financial Data, as defined in MHDO law. All information submitted to or collected by MHDO in accordance with law shall be considered confidential data and protected by privacy and security measures consistent with health care industry standards.
- MHDO Data Use Agreement (MHDO DUA). “MHDO Data Use Agreement” is a MHDO document detailing a Data Recipient’s commitment to data privacy and security, as well as restrictions on the disclosure and use of data.
- MHDO De-Identified Data. “MHDO De-Identified Data” means information that does not directly or indirectly identify an individual patient and for which there is no reasonable basis to believe the data can be used to identify an individual patient. MHDO Level I Data is considered MHDO De-Identified Data. Level I Data sets may only be used in ways that maintain patient anonymity and for acceptable MHDO uses.
- MHDO Limited Data Set. A “MHDO Limited Data Set” includes limited identifiable patient information specified in HIPAA regulations. A MHDO Limited Data Set may be disclosed to a data recipient without a patient’s authorization in certain conditions: (1) the purpose of the disclosure must be limited to research, public health, health care operations; (2) the purpose of the disclosure must be consistent with the purposes of the MHDO and (3) the Data Recipient must sign a MHDO DUA. The identifiable patient information that may remain in a MHDO limited data set includes:
- dates such as admission, discharge, service, Date of Birth (DOB), and Date of Death (DOD);
- city, state, five-or-more-digit zip code, and
- age in years, months or days or hours.
- MHDO Level II Data releases are a limited data set. Limited data sets may only be used in ways that maintain patient anonymity.
- MHDO Provider Database. “MHDO’s Provider Database” is a directory of healthcare providers in Maine, including identity information for facility providers and individual providers, as well as the relationships between providers and health systems. The information is classified by provider type, specialties, credentials, demographics, and service locations. The database also provides hierarchical structure to allow users to associate service locations within provider groups and health systems.
- Minimum Necessary. “Minimum Necessary” is the principle requiring data applicants and recipients to make reasonable efforts to request and use only the minimum amount of data needed to accomplish the intended purpose of the data request for which MHDO approval was granted and for no other purpose.
- National Institute of Standards and Technology (NIST). “The National Institute of Standards and Technology” is a measurement standards laboratory. NIST is a non-regulatory agency of the United States Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
- 37. Non-Claims Based Payments. “Non-claims-based” means payments that are for something other than a fee-for-service claim. These payments include but are not limited to Capitation Payments, Care Management/Care Coordination/Population Health Payments, Electronic Health Records/Health Information Technology Infrastructure/Other Data Analytics Payments, Global Budget Payments, Patient-centered Medical Home Payments, Pay-for-performance Payments, Pay-for-reporting Payments, Primary Care and Behavioral Health Integration Payments, Prospective Case Rate Payments, Prospective Episode-based Payments, Provider Salary Payments, Retrospective/Prospective Incentive Payments, Risk-based Payments, Shared-risk Recoupments, and Shared-savings Distributions.
- Non-Commercial Redistribution. ‘Non-commercial redistribution” is when an entity purchases MHDO data for inclusion in a larger composite database that is publicly released and available at no cost.
- Pharmacy Benefits Manager. "Pharmacy Benefits Manager" means an entity that performs pharmacy benefits management as defined by 24-A MRS §1913.
- Proprietary Data. “Proprietary Data” is data that is submitted to the MHDO by a Data Provider which has not been made available to the public and is information that if made available to the public will directly result in the data provider being placed in a competitive economic disadvantage.
- Protected Health Information (PHI). “Protected Health Information” includes any individually identifiable health information (including any combination of data elements) that relates to the past, present, or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individual; and (a) identifies an individual, or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual patient. It includes direct identifiers such as those in MHDO Chapter 125. PHI also includes individually identifiable registrant information.
- Public Data. “Public Data” is data that is published on the MHDO publicly accessible website as required by Title 22, Chapter 1683. Public data includes those parts of hospital Financial Data, described in Chapter 300, and Quality Data, described in Chapter 270 which are available on the MHDO publicly accessible website.
- Public Health Authority. “Public Health Authority” means a state or federal agency or authority that is responsible for public health matters as part of its mandate, such as those legally authorized to collect and or receive information for the purposes of preventing or controlling disease, injury or disability. For example, the Maine Center for Disease Control and Prevention, and the federal Centers for Disease Control and Prevention are Public Health Authorities.
- Quality Data. “Quality Data” means information consisting of or derived directly from data providers pursuant to Chapter 270 of the MHDO’s rules, Uniform Reporting System for Quality Data Sets. "Quality data" do not include analysis, reports, or studies if those analyses, reports, or studies have already been released as part of a general distribution of public information by the MHDO.
- Research. “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge, meaning knowledge that can be applied to populations outside of the population studied.
- Researchers. Academic researchers, including those affiliated with public and private universities and medical schools, as well as other organizations and researchers undertaking health care research or health-care related projects.
- Registrant. “Registrant” means the individual(s) to whom the record pertains: the child named on a birth certificate, the decedent named on a death certificate, and the subject of cancer registry data.
- Staff Delegate. “Staff Delegate” means a member of the MHDO staff to whom the Executive Director delegates specific responsibilities under this Chapter.
- Supplemental Data. “Supplemental Data” consists of data elements that are derived directly from the APCD Data and the Hospital Encounter Data and can be requested as supplements to data requests. Specifically, Supplemental Data includes the Group ID Elements and Practitioner Identifiable Data Elements as listed in Appendix C.
- Treatment, Payment and Health Care Operations (TPO). “Treatment, Payment and Health Care Operations” has the same meaning as in HIPAA regulations at 45 CFR 164.506(2015). The MHDO may release and disclose PHI to a covered entity for the covered entity’s own treatment, payment, and health care operations activities, in accordance with these rules.
- Unauthorized Disclosure. “Unauthorized Disclosure” means to communicate PHI and any other MHDO Data to a person not already in possession of that information or to use information for a purpose not originally authorized. For example, to inform a person of the identity of a previously unnamed patient is to "disclose" unauthorized information not already in that person's possession with respect to the patient.
- Vital Statistics Data. “Vital Statistics Data” means information collected from the Maine Department of Health and Human Services, Office of Data Research and Vital Statistics pursuant to Chapter 730 of the MHDO rules, Interagency Reporting of Cancer-Incidence Registry and Vital Statistics Data.
- GENERAL PROVISIONS APPLICABLE TO ALL MHDO DATA
- Confidentiality of Data
- MHDO data may be released only in accordance with this chapter and rules. MHDO may designate certain reports or data as open to public inspection by publishing them on the MHDO public website (Public Data).
- MHDO Data and records or documents containing PHI are confidential, may not be open to public inspection, are not public records for purposes of any state or federal freedom of access laws and may not be examined in any judicial, executive, legislative, administrative or other proceeding as to the existence or content of any individual's identifying health information , except that an individual's identifying health information may be used to the extent necessary to prosecute civil or criminal violations regarding information in the MHDO database.
- Decisions of the MHDO or employees and subcommittees of MHDO denying or limiting data release are not reviewable externally.
- Data elements related to health care facility or practitioner charges (total charges, line-item charges, charge amount) for services rendered shall only be released by MHDO in the average or aggregate in a manner which will prevent a charge/paid ratio to be computed for each type of service rendered for any individual health care claims processor, health care facility, or health care practitioner. All other data related to payment of claims contained in the appendices is publicly available contingent upon MHDO approval of the data request.
- Any data that directly identifies or would lead to the indirect identification of practitioners performing abortions as defined by 22 M.R.S. §1596, including a practitioner’s tax identification number, or a practitioner’s Drug Enforcement Administration (DEA) registration number, or National Provider Identifier (NPI) are deemed to be confidential and shall not be released.
- HIV Tests and status. Level III Data shall not be released, nor shall any data released by MHDO be used, to individually identify any person’s HIV status, including the results of an HIV test, except to the Maine Center for Disease Control on appropriate application and with a MHDO DUA, to fulfill its statutory duties under 22 M.R.S.A. Chapters 250 and 251. 5 M.R.S. §§ 19203 & 19203-D.
- Psychiatric treatment records. Level III Data shall not be released, nor shall any MHDO Data be used to individually identify any patient receiving mental health services including treatment from licensed psychiatric in-patient treatment facilities. 34-B M.R.S. §1207.
- Substance abuse treatment. Level III Data shall not be released, nor shall any MHDO Data be used to individually identify any patient regarding receipt of substance abuse treatment by a licensed substance abuse treatment provider. 42 CFR §2.13 (2015).
- All data, which are not public data, must be requested by application made to the MHDO, by completing application forms prescribed by MHDO. Data applications shall at a minimum:
- Identify the name and address of the person and/or company requesting the data, and identify professional qualifications and affiliations;
- identify the specific level of data requested;
- describe how any Level II or Level III Data requested meets the standard of “minimum necessary”;
- the purpose for which the data will be used;
- whether or not an Institutional review board is to be utilized;
- the ultimate recipient or user of the data;
- specify security and privacy measures that will be taken in order to safeguard patient privacy; and
- describe how, or if, the results of the Applicant’s analysis will be published and made publicly accessible.
- All uses of released data are governed by the following principles of release:
- Level I and Level II Data releases may include MHDO replacement numbers to distinguish individual subjects so long as those individuals remain unidentified and anonymous to the data recipient and anyone obtaining information or reports from the data recipient.
- Level III Data requests shall be reviewed and must be approved by the MHDO Data Release Subcommittee before release. Level III Data may be linked and identified only as specified in the MHDO DUA.
- All data releases shall be limited to information that is necessary for the stated purpose of the release (minimum necessary).
- Supplemental data may only be requested with Level I, Level II, or Level III Data, and is subject to the same limitations and requirements that are associated with the level of data it supplements. In addition, supplemental data element “Payer Assigned Group ID Number” shall be subject to the following conditions:
- In order for the MHDO to consider releasing a payer assigned group ID number the affected employer must have at least 500 covered employees on their health plan. The` Data Applicant must obtain written authorization from the affected health plan and employer and/ or plan sponsor.
- 2. Written authorization must include a detailed description of the use of this level of information. The written authorization must also include a statement from the employer certifying that the data will not be used to identify employees and/or dependents.
- 3. Written authorization must be included with the submission of the data request to the MHDO.
- 4. Before the release of data including the payer assigned group ID can occur the data applicant will provide the MHDO with the affected payer assigned Group ID Numbers.
- All data releases will be governed by a MHDO DUA that provides adequate privacy and security measures including accountability and breach notification requirements similar to those required in business associate agreements under HIPAA. Standard MHDO DUA’s shall be published on the MHDO Public Website.
- The MHDO Executive Director and the Data Release Subcommittee have the authority to deny any request for data. A decision to deny or limit a request for data is not reviewable outside the MHDO.
- MHDO Data recipients must demonstrate levels of security and privacy practices commensurate with health industry standards for PHI, and with data encrypted at rest and in transit. Data recipients must be able to demonstrate their ability to meet privacy and security requirements. Data releases may be made available to authorized users via an encrypted secure download process.
- Data elements related to payment may be arrayed or displayed publicly in a way that shows payments for specific health care services by individual health care claims processors and health care facilities or practitioners only by MHDO. Data recipients may not publicly array or display MHDO Data in this way.
- A data recipient may not sell, re-package or in any way make MHDO Data available at the individual element level, unless the ultimate viewers of that data have applied to MHDO for this data, been approved for such access and signed an MHDO DUA.
- Data Ownership. MHDO shall maintain ownership of all data elements and sets it releases including any MHDO generated numbers or identifiers therein. MHDO ownership of the data and the laws controlling MHDO Data survive the expiration of any DUA or Agreement regarding MHDO Data. MHDO reserves the authority to stop access to MHDO Data without notice, and demand the return or destruction of MHDO Data. MHDO Data recipients acquire no enforceable property rights to MHDO Data or access to MHDO Data. Data Recipients must submit a written certification to the MHDO verifying destruction of the MHDO data within five business days of the completion of the data recipients stated purpose of the data use, or demand by the MHDO Executive Director.
- The Executive Director reserves the right to stop access to Data even after approval; and/or demand and secure the destruction or return of all MHDO Data, when the Executive Director concludes that is necessary to protect the privacy, integrity or security of MHDO Data.
- Data Recipients are prohibited from computing or trying to compute any charge/paid ratio for a type of service rendered for any individual health care claims processor, health care facility, or health care practitioner.
- MHDO DATA USE AGREEMENT (MHDO DUA)
- All Data Recipients must sign a MHDO DUA. Only MHDO may use the MHDO DUA. The MHDO DUA is the document that details the data Recipient’s commitments to data privacy and security, as well as the restrictions on the disclosure and use of the MHDO Data. The MHDO DUA shall provide adequate privacy and security measures that include appropriate accountability and breach notification requirements as required of business associates under HIPAA. Standard MHDO DUA’s shall be published on the MHDO public website.
- Data Recipients must sign the MHDO DUA before the MHDO will release data at any level. MHDO DUA’s shall include, but not be limited to the key provisions listed below:
- The Data Recipient will only use the MHDO released data for the approved purposes that were specified in the data request application.
- The Data Recipient will not release, furnish, disclose, publish or otherwise disseminate MHDO released data to any person unless authorized in writing by the MHDO.
- The MHDO shall retain all ownership rights to the data.
- The Data Recipient will reference the MHDO as the source of the data in all reports, publications, tables, graphs, or other products produced from the data.
- Unless authorized in writing by the MHDO, the Data Recipient will not use the MHDO Data, or link these data to other records or data bases, if the result allows for identifying individuals.
- MHDO Data may not be used to take legal, administrative, or other actions against individual subjects of data or to contact or assist others to contact any individual patients and/or physicians.
- Maine law controls the confidentiality, release, and use of MHDO Data.
- Data recipients shall be responsible for reporting any potential or actual data breaches to the MHDO. Data recipients shall indemnify MHDO for any damages resulting from a data recipient’s data breach or other violation of law, and mitigate to the extent practicable, all harmful effects resulting from misuse of MHDO data.
- MHDO shall retain rights to track any person’s use of or access to MHDO Data, and to deny access to data, when in the opinion of the MHDO Executive Director that is necessary to protect the privacy, security, or integrity of the data.
- At least twenty (20) business days prior to releasing any manuscript, report, or any other type of document or data compilation intended for dissemination or publication beyond the data recipient and that contains and/or uses MHDO Data, the Data Recipient agrees to provide the MHDO with a copy of such document. If the MHDO Data includes Cancer-Incidence Registry Data, the MHDO will forward a copy of the document to the Maine Cancer Registry. If the document contains/uses Cancer-Incidence Registry Data, that shall be sourced as follows: The Cancer-Incidence Registry Data was collected by the Maine Cancer Registry which participates in the National Program of Cancer Registries (NPCR) of the Centers for Disease Control and Prevention. If the MHDO determines that the manuscript, report, or any other type of document violates the MHDO DUA or does not provide adequate data suppression, the Data Recipient will be notified and must modify the report prior to its release.
- The MHDO DUA will specify the term of use, and identify the individual responsible for ensuring compliance with the DUA and specify the people who will have access to the data.
- MHDO DUA’s shall make appropriate provision for the destruction of MHDO Data when use is complete, or when directed to by the MHDO Executive Director.
- Data Recipients shall immediately inform the MHDO of any legal process by which third parties try to obtain access to MHDO data held by entities authorized through an approved MHDO DUA and shall not turn over any data except as permitted by MHDO.
- MHDO may develop a memorandum of understanding and MHDO DUA with the Maine Center for Disease Control and Prevention (Maine CDC) for the ongoing release of Level I and Level II data to the Maine CDC for their purposes of conducting investigations as described in its MHDO application or evaluating the completeness or quality of data submitted to the Department of Health and Human Services disease surveillance programs.
- MHDO DATA Sets AND DATA RELEASE TYPES
- MHDO Data Sets available for Public Access:
- APCD Data-Available in three Levels: Level I, Level II and Level III Data sets
- Hospital Encounter Data- Available in three Levels: Level I, Level II and Level III Data sets
- Hospital Financial Data- Considered Level II Data
- Provider Database - Considered Level I Data
- Hospital Quality Data-Considered Level I Data
- Supplemental Data-Available with any of the three Levels: Level I, Level II and Level III Data Sets
- Cancer-Incidence Registry Data – Available in Level II and Level III Data Sets
- Vital Statistics Birth Data – Available in Level II and Level III Data Sets
- Vital Statistics Death Data – Available in Level II and Level III Data Sets
- Non-Claims-Based Payments Data – Available in Level I
- 2. MHDO Data Sets include data elements listed in the appendices so long as the MHDO collects the data elements. If a data elements code, version, name and or usage are changed the updated data element shall be released.
- DATA REQUESTS FOR LEVEL I DATA
- MHDO Level I Data Elements
- The data elements available in the MHDO Level I Data Sets are listed in Appendices A and C.
- Process for Requesting Level I Data
- Requests for Level I Data shall be made in writing by filing an application with the MHDO in a form specified by the MHDO as provided on the MHDO Public Website. Data in APPENDIX C must be specifically requested.
- Data requests for purposes of commercial redistribution that are aggregate level reporting, including online tools, are only eligible for Level I data elements.
- The MHDO shall fulfill requests for Level I Data based upon an application that establishes to the MHDO’s satisfaction that the purpose of the data request is consistent with the permissible use of the MHDO Level I De-Identified data.
- MHDO Level I Data requests require review and approval by the Executive Director or staff delegate.
- The Executive Director may take Level I Data requests to the MHDO Data Release Subcommittee for advice.
- The Executive Director or designee has discretion to deny a request for Level I Data if they determine that the use of the data is not consistent with the permissible uses and/or that applicant does not meet requirements regarding security and privacy protections.
- The Executive Director may add any restrictions to the MHDO DUA.
- The data applicant and or the data provider may request a review of the decision(s) made by the MHDO Executive Director as described in Section 11.
- Prior to releasing the MHDO Data the authorized entity or individual must enter into a MHDO DUA.
- DATA REQUESTS FOR LEVEL II DATA
- MHDO Level II Data Elements:
- The data elements available in the MHDO Level II Data include those available at Level I and those listed in Appendix B.
- Process for Requesting Level II Data
- Requests for Level II Data shall be made in writing by filing an application with the MHDO in a form specified by the MHDO as provided on the MHDO Public Website. Data in APPENDIX C must be specifically requested.
- The Executive Director shall fulfill requests for Level II Data based upon an application that establishes to their satisfaction that the data request and use of the data meets the defined purposes and permissible uses of the MHDO Level II Limited Data Sets.
- MHDO Level II Data requests will be reviewed by the Executive Director or staff delegate.
- The Executive Director may take Level II Data requests to the MHDO Data Release Subcommittee for advice.
- The Executive Director may deny a request for Level II Data if it is determined the use of the data is not consistent with the permissible uses and or requirements regarding security and privacy protections.
- The Executive Director may add any restrictions to the MHDO DUA.
- The data applicant and or the data provider may request a review of the decision(s) made by the MHDO Executive Director as described in Section 11.
- Prior to releasing the MHDO Data the authorized entity or individual must enter into a MHDO DUA.
- DATA REQUESTS FROM COVERED ENTITIES WHO ARE DATA PROVIDERS FOR LEVEL III DATA
- MHDO Level III Data Elements:
- The data elements available in the MHDO Level III Data include elements available at Level I Data and Level II Data, and additional elements in APPENDIX D. Data in APPENDIX C must be specifically requested.
- Process for Requesting Level III Data
- Requests for Level III Data shall be made in writing by filing an application with the MHDO in a form specified by the MHDO as provided on its Website.
- Level III Data may be requested by a covered entity that is a Data Provider or the Covered Entity’s Business Associate for the purposes of Treatment, Payment and Health Plan Operations and which meet the permissible uses for MHDO Data releases.
- Level III Data may also be used for Health Care Improvement Studies involving patients with whom the study entity has a treatment or payor relationship.
- MHDO may release Level III Data to a covered entity’s data applicant or to the covered entity's business associates, provided the business associates are listed on, and bound by, the MHDO DUA.
- The Executive Director shall convene the MHDO Data Release Subcommittee to review and consider all Level III applications as provided for in Section 12.
- The Executive Director shall bring to the MHDO Data Release Subcommittee all comments received regarding the data release, including any claims of proprietary data.
- An applicant receiving Level III Data may use the data only to the minimum extent necessary to accomplish the purposes stated in the application for which approval was granted and for no other purpose. The MHDO Data Release Subcommittee may add any restrictions to the MHDO DUA.
- The decision of the MHDO Data Release Subcommittee to release Level III Data is final, unless a timely appeal to the Board of Directors is filed in accordance with Section 11 and 12.
- Prior to releasing the MHDO Data the applicant must enter into a MHDO DUA.
- PUBLIC HEALTH AUTHORITIES PERMITTED USE AND RELEASE of Level iii data
- The MHDO may release Level III Data to a Public Health Authority for public health purposes authorized or mandated by state and or federal law.
- The public health authority shall complete an MHDO application. The application shall include descriptions of the public health investigation or research; professional qualifications and affiliations of the staff; background of the study; research questions; research design or specify other permissible use.
- After receipt of a data request from a Public Health Authority, the MHDO shall publish the request and notify each affected data provider. The notice will include a copy of the proposed protocol and will summarize the nature of the proposed investigation or research.
- Data providers or other interested parties may submit comments to the Executive Director related to Level III Data requests.
- The Executive Director shall convene the MHDO Data Release Subcommittee to review and consider all Level III applications as provided for in Section 12.
- An applicant receiving Level III Data may use the data only to the minimum extent necessary to accomplish the purposes stated in the application for which approval was granted and for no other purpose. The MHDO Data Release Subcommittee may add any restrictions to the MHDO DUA.
- The decision of the MHDO Data Release Subcommittee to release Level III Data is reviewable as provided in Sections 11 and 12.
- Prior to releasing the MHDO Data the applicant must enter into a MHDO DUA.
- PUBLIC NOTICE OF ALL DATA REQUESTS INCLUDING NOTICE TO DATA PROVIDERS AND COMMENT PERIODS
- The MHDO shall create a page on its web site that lists the identity and address of all parties requesting MHDO Data. The MHDO will include the level of data requested and the purpose of the request.
- MHDO shall add new data requests to the public site on the first business day of every week.
- MHDO will send an electronic notification to the data providers that are responsible for the submission of the data to the MHDO, and other interested parties notifying them of new data requests on the first business day of the week.
- For all data requests the data providers or other interested parties may submit to the Executive Director comments related to the data request. To be considered, comments must be received by the Executive Director in writing or electronic notification no later than thirty business days after the initial posting of the data request on the MHDO web site. If the Executive Director determines that (a) the comments received are of significant enough importance to delay the release of Data and/or (b) additional information is required from the requesting party to address the comments; then the data shall not be released until the additional information has been received from the requesting party and an additional review is conducted by the Executive Director or the MHDO Data Release Subcommittee, as applicable, to ensure that the requesting party conforms to all applicable requirements of this chapter.
- The Executive Director will bring all comments received from the data providers and or other interested parties for the release of Level III Data to the MHDO Data Release Subcommittee for consideration.
- MHDO will publish notice of the Level III Data requests in, at a minimum, three major news publications.
- Decisions of the Executive director and the data release subcommittee and the mhdo board of directors
- Decisions of the Executive Director which either allow or deny a data applicant’s data request for Level I or Level II data, or any elements of a data request for Level I or Level II data, or that add additional requirements to a related MHDO Data Use MOU, may be appealed by either the data applicant or data provider to the Data Release Subcommittee, and then to the MHDO Board of Directors pursuant to Section 11 and 12.
- Decisions of the Data Release Subcommittee regarding release of Level III Data that deny or allow a data applicant’s data request or any elements of a data request, or that add additional requirements to a MHDO DUA, are reviewable. The data applicant or data provider may appeal the decision(s) of the Data Release Subcommittee to the MHDO Board of Directors.
A. Decisions of the Executive Director or Data Release Subcommittee or MHDO Board of Directors shall be provided by electronic notification to data providers who submitted comment to the Executive Director and to data applicants.
B. The data shall be released as approved no less than ten business days after the electronic notification and provided that the data applicant meets the requirements of these rules.
C. Level I and Level II Data approved by the MHDO Executive Director, and Level III Data approved by Data Release Subcommittee, shall be released as approved unless a data provider or data applicant takes action within ten business days of the electronic notification by submitting in writing to the attention of the MHDO Executive Director a request for review to the next higher authority. The request shall clearly state the basis for the review or requested action.
D. There shall be no further review, administrative or judicial, from a decision of the MHDO Board of Directors regarding release of MHDO Data.
- The Executive Director or Data Release Subcommittee or the MHDO Board of Directors may deny release of any data requested or any data element requested for any reason, including but not limited to protecting the privacy, integrity or security of MHDO data. The Data Applicant will be informed of any such decisions and the reasons for the decision. Such decisions are not reviewable, except as stated above in Subsection 11(1)(2).
- ROLE AND RESPONSIBILITIES OF THE MHDO DATA RELEASE SUBCOMMITTEE and the MHDo board of directors
- The MHDO Board of Directors shall establish a Data Release Subcommittee. This committee will review and consider all data applications that include the request for Level III Data. This subcommittee will review and consider all data applicant and or data providers’ requests for review of the decisions of the MHDO executive director regarding Level I and Level II data as described above in Section 11(1).
- This subcommittee may also provide advisory reviews of other data applications and or requests at the discretion of the Executive Director.
- The Data Release Subcommittee shall include 6 members of the MHDO Board of Directors. The Chair and Vice Chair of the board shall appoint the members of the subcommittee with the approval of the board. The composition of the committee is: one member representing health care plans, one member representing health care providers, one member representing hospitals, one member representing employers, one member representing consumers and one member representing government. The Executive Director shall staff the Data Release Subcommittee meetings.
- The Data Release Subcommittee requires four votes in the affirmative to take action.
- The Executive Director shall convene the Data Release Subcommittee no later than sixty business days after the initial posting of the data request on the MHDO web site to review and consider Level III applications for data.
- If a review is requested, the Executive Director shall convene the Data Release Subcommittee no later than sixty business days after the initial decision made by the executive director to allow or deny a data release as described in Section 11(1).
- The Data Release Subcommittee shall review applications for Data as provided for in these rules and will determine whether the data applicant has met the MHDO criteria for release and may take any other action provided for in these rules.
- The MHDO Board of Directors requires a majority vote in the affirmative to take action.
- The Data Release Subcommittee may meet via electronic means, as long as a record is made of the meetings, and they provide for public participation.
- The MHDO will post information about the Data Release Subcommittee’s membership, scheduled meetings, and agendas on its Website.
- Individual Choice, Process to File Complaints
- Individual Choice
- Choice regarding disclosure of information: The MHDO shall provide the opportunity for any person to choose to opt out and have their direct identifiers excluded from all subsequent Level III Data releases.
- An individual that decides to opt out or opt back in is responsible for completing the MHDO Choice Disclosure Form available on the MHDO Public Website or by calling the MHDO and filling the form out telephonically. Individuals who opt out of a specific study will remain opted out of Level III Data releases unless they opt back in.
- The MHDO will post all Level III Data requests on its publicly accessible website. Individuals who want to opt out of a specific Level III Data release may do so by completing the MHDO Choice Disclosure Form no later than thirty business days after the initial posting of the data request on the MHDO web site. Individuals that do this will remain opted out of all subsequent Level III Data releases by MHDO unless they choose to opt back in.
- A person who has chosen to have their direct identifiers excluded from Level III Data releases may choose to opt back in at any time.
- Process to File a Written Complaint
- If an individual believes that his or her direct identifiers have been released by the MHDO, the board, or an employee of the organization, in violation of laws applicable to the MHDO, that individual may file a written complaint with the MHDO’s Executive Director.
- Instructions on how and where to submit the written complaint are provided on the MHDO public website.
- The MHDO Executive Director or Staff Delegate shall respond in writing to the individual regarding whether the complaint alleges a violation of applicable law; if so, whether any violation of the rules has occurred; and any measures that have been taken as a result of the complaint.
- If the individual is not satisfied with the response of MHDO, the complainant will be advised of how to make a complaint to the Joint Committee on Health and Human Services of the Maine Legislature.
- Any complaint received by MHDO shall be reported by the Executive Director to the MHDO Executive Committee within fifteen business days of the receipt of the written complaint, and to the MHDO Board at the next public meeting.
- The Executive Director may take any steps necessary protect the privacy, security and integrity of MHDO Data.
- DATA BREACH
- Breach of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the MHDO concludes based on demonstrable evidence that there is a low probability that the PHI has been compromised.
- Any person may report, and employees, vendors, board and subcommittee members shall report, to the Executive Director of MHDO when they believe a potential breach of PHI has occurred or may occur. When a potential breach of PHI is reported or made known to the MHDO Executive Director, a risk assessment shall be conducted by the Executive Director or the Staff Delegate immediately and shall consider at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and,
- the extent to which the risk to the PHI has been mitigated.
- Whether and how the data was secured, including encryption.
- The Executive Director shall keep a report of any such investigations and make the results known to the MHDO Executive Committee within twenty-four hours of the determination.
- If the Executive Director determines the data were encrypted or that there was a low probability of compromise to any PHI involved or that one of the exceptions to breach notification exists (unintentional or inadvertent disclosures to employees held to same security and privacy standards and not further disclosed or good faith reason to believe unauthorized person to whom a disclosure was made could not reasonably retain the PHI), there shall be no individual notification made.
- If there is a breach of unencrypted data including PHI that would require notice to affected individuals if the breach occurred at a covered entity, MHDO will provide individual notification similar to notification requirements of the HIPAA Privacy Rule and HIPAA Breach Notification Rule.
- In the event that the MHDO Executive Director determines a data breach was caused by the MHDO requiring notification to affected individuals, the Executive Director and the Executive Committee of the MHDO Board shall notify the Joint Standing Committee of the Legislature having jurisdiction over Health and Human Services matters, and the membership of the MHDO Board within 30 business days of the breach.
- The notification to the Health and Human Services Committee and the MHDO Board regarding the breach will maintain the confidentiality of all individuals affected by the breach. The notification to the committee and board will include the types of information provided to individuals.
- Any potential breaches of PHI by MHDO vendors, State employees, or recipients of MHDO Data shall be reported to the Executive Director, reviewed by the Executive Director, and results reported to the MHDO Board.
- DATA GOVERNANCE, DATA USE AND STEWARDSHIP BY MHDO
- Internal MHDO Use of Data: The MHDO will use the data it collects as described in 90-590 C.M.R. Chapters 241, 243, 270, 300 and 630 to:
- Fulfill its responsibilities as described in Title 22 Chapter 1683;
- Link APCD data with hospital encounter data or other MHDO data; and, if authorized in the data application, link external data sets to the MHDO Data set provided that the data are released to the Data Recipient de-identified;
- Produce customized reports as requested by the Governor’s office, other government agencies, the Maine State Legislature and other external parties;
- Authenticate and ensure the integrity of data filed with MHDO;
- Produce MHDO generated numbers to allow for the distinguishing of and longitudinal tracing of individuals, without individually identifying the individuals; and
- Identify and exclude data entitled to special confidentiality protections as provided in this rule.
- Safeguards. The MHDO will maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting of MHDO data, records and documents as follows:
- MHDO administrative safeguards will ensure the confidentiality, integrity, and availability of all data MHDO creates, receives, maintains or transmits, and ensure compliance by our workforce and vendor(s).
- The MHDO will use security management processes, and its security and privacy officer to identify and analyze potential risks to confidential data and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Information Access Management. The MHDO will continue to implement policies and procedures for authorizing access to confidential data only when such access is appropriate based on the user or recipient's role (role-based access).
- Workforce Training and Management. The MHDO will provide appropriate authorization and supervision of workforce members who work with confidential data. The MHDO will train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures. Sanctions shall be disciplinary actions that follow principles of progressive discipline similar to those outlined in the State’s bargaining contract applicable to the Professional and Technical Services Bargaining Unit agreement. Sanctions may include any of the following depending on the severity of the action for which they are given: oral or written reprimand, suspension, demotion, and dismissal.
- Evaluation. The MHDO will perform an annual assessment of its security policies and procedures to ensure that they are functioning appropriately and report the results to the MHDO Board.
- MHDO will apply health care industry standards to provide physical safeguards and technical safeguards to protect PHI and data. These safeguards will be specified in an MHDO policy.
- MHDO vendors shall be held by contract to high PHI security standards including federal standards such as the Federal Information Security Management Act, provisions of mandatory Federal Information Processing Standards (FIPS), and shall meet all of NIST’s IT, data, system and physical security requirements. By contract, the MHDO Data warehouse vendor must maintain appropriate insurance coverage for MHDO’s data.
- ENFORCEMENT AND PENALTY PROVISIONS
- In addition to other applicable civil and criminal provisions, the following provisions apply to violations of the laws and these rules for the safeguarding of the identification of individual patients and confidential information.
- Any person or entity that receives data or information pursuant to this Chapter or who has access to MHDO data as an employee or a vendor of MHDO and who uses, sells or transfers the data in violation of the board’s rules for commercial advantage, pecuniary gain, personal gain or malicious harm is considered to have committed a civil violation under 22 M.R.S. §8705-A for which a fine not to exceed $500,000 may be levied by the MHDO, as set forth in 90-590 C.M.R. Chapter 100.
- Reports or knowledge of any such activity shall be referred to the MHDO Board by the Executive Director and the Board shall investigate such reports, make findings, determine and levy an appropriate fine.
- The MHDO shall consider criteria such as the amount of data misused, whether the data misused involved any PHI, amount of any gain involved, extent of harm to any individual whose data was misused, and any other criteria MHDO deems pertinent to such a fine.
- Any person or entity that receives data or information pursuant to this Chapter, and who does not fall within Subsection 2, but who violates a provision of a MHDO DUA or these rules, does not return or destroy MHDO Data when directed to by the Executive Director, or who does not modify a document that contains or uses MHDO Data, in accordance with directives of the Executive Director, commits a violation of these rules for which a fine of up to $2500 may be levied by the MHDO, in accordance with procedures set forth in Chapter 100. Each day that any such violation exists may be considered a separate occurrence.
- Petition for Review; Fair Hearing; Judicial Review. Unless otherwise provided for by statute a person adversely affected by any determination made under this Section by the MHDO may petition the MHDO Board for review of the decision. The petition must be filed within fifteen business days, in accordance with 5 M.R.S. Chapter 375. If such petition is denied in whole or part, that decision shall be Final Agency Action and shall be appealable to Superior Court in accordance with the provisions of 5 M.R.S. Chapter 375 and M.R.Civ.P. 80C.
- Upon a finding that a person or entity has failed to comply with the requirements of 22 M.R.S., Chapter 1683, any rules adopted by the MHDO Board, or pay a fine levied by the MHDO Board, the MHDO Board may undertake any or all of the following:
- Refer the matter to the Department of Health and Human Services or board that issued a license to the provider for such action as the Department or board considers appropriate.
- Refer the matter to the Department of Professional and Financial Regulation, Bureau of Insurance for such action against the payer as the Bureau considers appropriate.
- Injunctive Relief. File a complaint with the Superior Court in the county in which the person resides or the entity is located, or in Kennebec County, seeking an order to require that person or entity in non-compliance to comply with the requirements for which adjudication is being sought, and for the enforcement of any fine determined by the Board or for other relief from the court.
STATUTORY AUTHORITY:
22 MRS §8704(4) and PL 2013, Chapter 528
- EFFECTIVE DATE:
June 27, 1984
AMENDED:
- October 5, 1987
April 24, 1991
November 5, 1991
July 6, 1994
January 1, 1995
February 17, 1998
February 13, 2000 – filing 2000-69
August 9, 2003 - filing 2003-244, major substantive
August 6, 2005 – filing 2005-278, major substantive
January 1, 2007 – filing 2006-209, major substantive
- June 22, 2008 – filing 2008-227, major substantive
August 15, 2009 – filing 2009-366, major substantive
REPEALED AND REPLACED:
July 28, 2016 – filing 2016-108, major substantive
AMENDED:
May 28, 2022 – filing 2022-074, major substantive
- DATA ELEMENTS RELEASED IN LEVEL I FILE- DE-IDENTIFIED DATA
APCD Data includes: eligibility, claims, pharmacy and dental files (A.1)
Hospital Encounter Data includes Inpatient and Outpatient data files (A.2)
Level I Data sets also include Provider Database (APPENDIX A.3), Hospital Quality Data (APPENDIX A.4) and Non-Claims-Based Payments Data (APPENDIX A.5).
APPENDIX A.1 APCD Data Elements
Medical Eligibility File Data Elements:
- MHDO assigned Submitter ID Number/Name
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Year
- Month
- Coverage Level Code
- Member Gender
- Member State or Province
- Medical Coverage
- Prescription Drug Coverage
- Dental Coverage
- Primary Insurance Indicator
- Coverage Type
- Market Category Code
- Record Type
- Member Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- MHDO assigned Record ID Number
- Medicare Coverage
- File ID
- Standardized Insurance Individual Relationship Code
- Standardized Insurance Type/Product Code
- Duplicate Indicator
- Coverage Period (Year + Month)
Medical Claims File Data Elements:
- MHDO assigned Submitter ID Number/Name
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Claim Line Number
- Claim Version Number
- Individual Relationship Code
- Member Gender
- Member State or Province
- Priority (Type) of Admission or Visit
- Point of Origin for Admission or Visit
- Patient Discharge Status
- Type of Bill - Institutional
- Place of Service - Professional
- Claim Status
- Revenue Code
- Procedure Codes
- Procedure Modifiers
- Quantity
- Paid Amount
- Prepaid Amount
- Copay Amount
- Coinsurance Amount
- Deductible Amount
- Diagnosis-Related Group (DRG)
- DRG Version
- Ambulatory Payment Classification (APC)
- APC Version
- National Drug Code (NDC)
- Billing Provider Number
- Diagnoses (Principal, Admitting, Reason for Visit, External Cause of Injury, Other)
- Present on Admission Indicators
- MHDO assigned Record Type
- Member Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- MHDO assigned Record ID Number
- Medicare Coverage
- File ID
- MHDO assigned Provider ID Number
- Standardized Insurance Type/Product Code
- Year Paid
- Year Incurred
- Quarter Paid
- Quarter Incurred
- Rendering Provider Specialty
- Rendering Provider City Name
- Rendering Provider State or Province
- Rendering Provider Zip Code
- Data Processing Center Code
- Rendering Provider Taxonomy Code
- Rendering Provider Country
- Service Facility Location Name
- Service Facility NPI
- Service Facility Location Address
- Service Facility Location City
- Service Facility Location State or Province
- Service Facility Location Zip Code
- Service Facility Number
- Attending Provider Specialty
- Attending Provider City Name
- Attending Provider State or Province
- Attending Provider Zip Code
- Operating Provider City Name
- Operating Provider State or Province
- Referring Provider Zip Code
- Referring Provider City Name
- Referring Provider State or Province
- Referring Provider Zip Code
- In-Plan Network Flag
Pharmacy Eligibility File Data Elements:
- MHDO assigned Submitter ID Number/Name
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Year
- Month
- Coverage Level Code
- Member Gender
- Member State or Province
- Medical Coverage
- Prescription Drug Coverage
- Dental Coverage
- Primary Insurance Indicator
- Coverage Type
- Market Category Code
- Record Type
- Member Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- MHDO assigned Record ID Number
- Medicare Coverage
- File ID
- Standardized Insurance Individual Relationship Code
- Standardized Insurance Type/Product Code
- Duplicate Indicator
- Coverage Period (Year + Month)
Pharmacy Claims File Data Elements:
- MHDO assigned Submitter ID Number/Name
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Claim Line Number
- Individual Relationship Code
- Member Gender
- Member State or Province
- Claim Status
- Drug Code
- Drug Name
- New Prescription or Refill
- Generic Drug Indicator
- Dispense as Written Code
- Compound Drug Indicator
- Quantity Dispensed
- Days’ Supply
- Paid Amount
- Ingredient Cost/List Price
- Postage Amount Claimed
- Dispensing Fee
- Copay Amount
- Coinsurance Amount
- Deductible Amount
- Patient Pay Amount
- Record Type
- Member Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- Record ID Number
- File ID
- Standardized Member Gender
- Standardized Insurance Type/Product Code
- MHDO Assigned Pharmacy ID Number
- Year Paid
- Year Incurred
- Quarter Paid
- Quarter Incurred
- Prescribing Physician ID Number
- Submitter Code
- MHDO Assigned DPC Code
- Pharmacy Number
- Pharmacy Name
- National Pharmacy ID Number
- Pharmacy Location City
- Pharmacy Location State
- Pharmacy ZIP Code
- Pharmacy Country Name
- In-Plan Network Flag
Dental Eligibility File Data Elements:
- MHDO assigned Submitter ID Number/Name
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Year
- Month
- Coverage Level Code
- Member Gender
- Member State or Province
- Medical Coverage
- Prescription Drug Coverage
- Dental Coverage
- Primary Insurance Indicator
- Coverage Type
- Market Category Code
- Record Type
- Member Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- MHDO assigned Record ID Number
- Medicare Coverage
- File ID
- Standardized Insurance Individual Relationship Code
- Standardized Insurance Type/Product Code
- Duplicate Indicator
- Coverage Period (Year + Month)
Dental Claims File Data Elements:
- MHDO assigned Submitter ID Number/Name
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Individual Relationship Code
- Member Gender
- Member State or Province
- Facility Type – Professional
- Claims Status
- CDT Code
- Procedure Modifiers
- Paid Amount
- Copay Amount
- Coinsurance Amount
- Deductible Amount
- Billing Provider Number
- Record Type
- Member Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- MHDO assigned Record ID Number
- MHDO assigned Provider ID Number
- File ID
- Standardized Insurance Type/Product Code
- Year Paid
- Year Incurred
- Quarter Paid
- Quarter Incurred
- Rendering Provider Specialty
- MHDO Assigned DPC Code
- Service Provider Taxonomy Code
- Service Provider Country
- Service Facility Location Name
- Service Facility NPI
- Service Facility Location Address
- Service Facility Location City
- Service Facility Location State or Province
- Service Facility Location Zip Code
- Service Facility Number
- In-Plan Network Flag
APPENDIX A.2 Hospital Encounter Data Elements
Hospital Inpatient Data Elements:
- MHDO Assigned Record ID
- MHDO Assigned Record Sequence Number
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Hospital Code
- Patient Gender
- Patient Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- Priority of Visit (Type)
- Point of Origin of Admission (Source)
- Admitting Diagnosis
- Patient Hospital Service Area
- Patient Health Planning Area
- Patient State
- Admission Year
- Admission Quarter
- Discharge Year
- Discharge Quarter
- Patient Discharge Status
- MHDO Assigned Payer Code(s)
- Diagnosis Code(s)
- Procedure Code(s)
- MHDO-assigned Attending Provider Specialty Code
- MHDO-assigned Operating Provider Specialty Code
- Accommodations Revenue Code(s)
- Accommodations Units
- DRG and MDC Code(s)
- Length of Stay
- Estimated Birth Weight (< 30 Days Old)
- Ancillary Revenue Code(s)
- Total Number of Ancillary Revenue Code(s)
- MHDO assigned Attending Physician Code
- MHDO assigned Operating Provider Code
- Attending Physician Taxonomy
- Surgeon/Other Provider Taxonomy
Hospital Outpatient and Emergency Department Data Elements:
- MHDO Assigned Record ID
- MHDO Assigned Record Sequence Number
- MHDO assigned Payer ID Number/Name
- Payer NAIC
- Hospital Code
- Location of Service
- Patient Gender
- Patient Age (Calculated age for individuals 90 or over will be displayed as “90 or over”.)
- Patient State
- Hospital Service Area of Patient
- Health Planning Area of Patient
- Date of Service From (Year and Quarter)
- Date of Service Thru (Year and Quarter)
- Bill Type
- Patient Discharge Status
- Point of Origin
- Diagnosis Code(s)
- Procedure Code(s)
- Service Date(s) (Year and Quarter)
- MHDO-assigned Attending Provider Specialty Code
- MHDO-assigned Operating Provider Specialty Code
- MHDO assigned Payer Code(s)
- Revenue Code(s)
- Modifier(s)
- Number of Detail Records
- Units
- MHDO Assigned Emergency Department Indicator
- MHDO assigned Attending Physician Code
- MHDO assigned Operating Provider Code
- Attending Physician Taxonomy
- Surgeon/Other Provider Taxonomy
APPENDIX A.3 Provider DATABASE
The MHDO Provider Database includes relational and organizational information on health systems and facilities in Maine, including but not limited to hospitals, physician practices, specialty care practices, primary care practices, behavioral health service providers, chiropractors and MaineCare providers. These data can be accessed as standalone data files or can be joined to other MHDO data files that include provider information.
Data elements are:
- Entity Name
- Entity ID
- Entity Type
- Facility National Provider Identifier (NPI)
- Facility On CompareMaine
- Entity Physical Address
- Entity Phone Number
- Entity Fax Number
- Entity Website
- Entity Hospital Service Area
- Entity County
- Entity Latitude
- Entity Longitude
- Entity Relationship
- Entity Last Updated Date
- Provider National Provider Identifier
- Provider ID
- Provider Prefix
- Provider First Name
- Provider Middle Name or Initial
- Provider Last Name
- Provider Suffix
- Provider Credential
- Provider Office Street Address
- Provider County
- Provider Phone Number
- Provider Fax Number
- Provider Website
- Provider NPI Last Update Date
- NPI Provider Enumeration Date
- NPI Provider Deactivation Date
- NPI Provider Deactivation Reason Code
- NPI Provider Certification Date
- NPI Provider Gender
- Provider Specialties
- Provider Employment Start Date
- Provider Employment End Date
APPENDIX A.4 Hospital Quality Data
Hospital Quality Data includes the following data elements:
Healthcare Associated Infections (HAI)
Measure | Measure Overview | Numerator | Denominator |
|---|
HAI-1 | Central line catheter associated blood stream infection rate for intensive care unit patients | Number of infections | Number of central line days |
HAI-2 | Central line catheter associated blood stream infection rate for high-risk nursery patients All birth weight categories | Number of infections | Number of catheter days |
HAI-6 | Catheter-associated urinary tract infection rates | Number of infections | Number of catheter days |
HAI-7 | Surgical Site Infection rate for patients undergoing inpatient knee prosthesis (arthroplasty of knee) surgical procedures | Number of infections | Number of operative procedures |
HAI-8 | Surgical Site Infection rate for patients undergoing inpatient hip prosthesis (arthroplasty of hip) surgical procedures |
LabID Events |
MRSA | Healthcare-associated Methicillin-Resistant Staphylococcus aureus (MRSA) bloodstream events (a MRSA event is a laboratory discovery of MRSA bacteria in a patient's blood sample) | Number of LabID events | Number of patient days |
C.diff. | Healthcare-associated Clostridioides difficile (C.diff.) LabID events (a laboratory discovery of C.diff. bacteria in a patient's loose stool) | Number of LabID events | Number of patient days |
Nursing Sensitive Indicators (NSI)
Measure | Measure Overview | Numerator | Denominator |
NSPC1 | Percentage of inpatients who have a hospital-acquired Stage 1 or greater pressure ulcer | Number of inpatients w/ Stage 2 or higher hospital acquired pressure ulcer | Number of inpatients in the prevalence study |
NSPC2 | Number of inpatient falls per inpatient day | Number of falls | Number of inpatient days |
NSPC3 | Number of inpatient falls with injuries per inpatient day | Number of falls with injury |
APPENDIX A.5 Non-Claims-Based Payments Data
Non-claims-based payments data includes the following aggregated data elements:
- Insurance Type/Product Code
- Total Number of Members
- Total Member Months
- Total Dollars Non-Claims-Based Payments
- Total Dollars Non-Claims-Based Payments (Primary Care Only/Portion)
- DATA ELEMENTS RELEASED IN LEVEL II FILE- LIMITED DATA
Level II Limited Data includes the data listed in Appendix A, plus the data elements in Appendix B.
APCD Data includes: eligibility, claims, pharmacy and dental files (B.1)
- Hospital Encounter Data includes Inpatient and Outpatient and Emergency Department data files (B.2)
Level II Data sets also include Hospital Financial Data (B.3), Cancer-Incidence Registry Data (B.4), Vital Statistics Birth Data (B.5), and Vital Statistics Death Data (B.6)
APPENDIX B.1 APCD DATA ELEMENTS
Medical Eligibility File Data Elements:
- Member County
- MHDO assigned replacement for subscriber's Social Security Number
- MHDO assigned replacement for member's contract number
- MHDO assigned replacement for member's Social Security Number
- MHDO assigned Member ID
- MHDO assigned Person ID
- Member Date of Birth
- Member Race
- Member Ethnicity
- Member City
- Member Zip Code
- Member FIPS Code
Medical Claims File Data Elements:
- Member County
- Date Service Approved (AP Date)
- Admission Date
- Admission Hour
- Discharge Hour
- Date of Service From (Year/Month/Day)
- Date of Service Thru (Year/Month/Day)
- Discharge Date
- Month Paid
- Month Incurred
- MHDO Assigned Replacement for Payer’s Claim ID
- MHDO assigned replacement for subscriber's Social Security Number
- MHDO assigned replacement for member's contract number
- MHDO assigned replacement for member's Social Security Number
- MHDO assigned Member ID
- MHDO assigned Person ID
- Member Date of Birth
- Member Race
- Member Ethnicity
- Member City
- Member Zip Code
- Member FIPS Code
Pharmacy Eligibility File:
- Member County
- MHDO assigned replacement for subscriber's Social Security Number
- MHDO assigned replacement for member's contract number
- MHDO assigned replacement for member's Social Security Number
- MHDO assigned Member ID
- MHDO assigned Person ID
- Member Date of Birth
- Member Race
- Member Ethnicity
- Member City
- Member Zip Code
- Member FIPS Code
Pharmacy Claims File Data Elements:
- Member County
- Date Service Approved (AP Date)
- Date Prescription Filled
- Month Paid
- Month Incurred
- MHDO Assigned Replacement for Payer’s Claim ID
- MHDO assigned replacement for subscriber's Social Security Number
- MHDO assigned replacement for member's contract number
- MHDO assigned replacement for member's Social Security Number
- MHDO assigned Member ID
- MHDO assigned Person ID
- Member Date of Birth
- Patient Race
- Patient Ethnicity
- Member City
- Member Zip Code
- Member FIPS Code
Dental Eligibility File Data Elements:
- Member County
- MHDO assigned replacement for subscriber's Social Security Number
- MHDO assigned replacement for member's contract number
- MHDO assigned replacement for member's Social Security Number
- MHDO assigned Member ID
- MHDO assigned Person ID
- Member Date of Birth
- Member Race
- Member Ethnicity
- Member City
- Member Zip Code
- Member FIPS Code
Dental Claims File Data Elements:
- Member County
- Date Service Approved (AP Date)
- Date of Service From (Year/Month/Day)
- Date of Service Thru (Year/Month/Day)
- Month Paid
- Month Incurred
- MHDO Assigned Replacement for Payer’s Claim ID
- MHDO assigned replacement for subscriber's Social Security Number
- MHDO assigned replacement for member's contract number
- MHDO assigned replacement for member's Social Security Number
- MHDO assigned Member ID
- MHDO assigned Person ID
- Member Date of Birth
- Member Race
- Member Ethnicity
- Member City
- Member Zip Code
- Member FIPS Code
APPENDIX B.2 HOSPTIAL ENCOUNTER DATA ELEMENTS
Hospital Inpatient Data Elements:
- MHDO assigned replacement for Medical Record Number
- MHDO assigned Person ID
- Patient County
- Admission Date
- Admission Hour
- Discharge Date
- Discharge Hour
- Procedure Code Date(s)
- Patient Date of Birth
- Patient Race
- Patient Ethnicity
- Patient City
- Patient Zip Code
- Patient FIPS Code
Hospital Outpatient and Emergency Department Data Elements:
- MHDO assigned replacement for Medical Record Number
- MHDO assigned Person ID
- Patient County
- Date of Service From
- Date of Service Thru
- Procedure Code Date(s)
- Patient Date of Birth
- Patient Race
- Patient Ethnicity
- Patient City
- Patient Zip Code
- Patient FIPS Code
APPENDIX B.3 HOSPITAL financial data
Hospital financial data includes audited financial statements from the hospital and parent entity (if applicable). These financial statements include a balance sheet, income statement, statement of changes in net assets, and cash flow statements in PDF format.
APPENDIX B.4 Cancer-Incidence Registry Data Elements
These data can be released once integrated with MHDO’s claims or hospital data sets.
- MHDO Assigned Person ID
- Date of Birth
- Address at Diagnosis; including
- City or Town of Residence
- County of Residence
- State of Residence
- Zip Code
- Registrant’s FIPS Code
- Sex/Gender
- Race
- Attending Physician
- Referring Physician
- Date of Diagnosis
- Topography of Cancer (ICD)
- Morphology of Cancer (ICD)
- Usual Occupation
- Usual Industry
- Stage of Disease at Diagnosis (AJCC coding system)
- Date of Admission
- Laterality
- Grade
- Spanish/Hispanic Origin
- Diagnostic Confirmation
- Summary Stage
- Date of First Course of Treatment (when available in the medical record)
- Type of First Course of Treatment (when available in the medical record)
Appendix B.5 Vital Statistics Birth Data Elements
These data can be released once integrated with MHDO’s claims or hospital data sets.
- MHDO Assigned Person ID
- Date of Birth
- Sex/Gender
- Race
- Hispanic Indicator
- Event Location
- City or Town
- County
- State
- Zip Code
- FIPS Code
- Registrant’s Parent’s(s’)
- Date of Birth
- Sex/Gender
- Race
- Hispanic Indicator
- Residence City or Town
- Residence County
- Residence State
- Residence Zip Code
- Residence FIPS Code
Appendix B.6 Vital Statistics Death Data Elements
These data can be released once integrated with MHDO’s claims or hospital data sets.
- MHDO Assigned Person ID
- Date of Birth
- Sex/Gender
- Race
- Hispanic Indicator
- Residence City or Town
- Residence County
- Residence State
- Residence Zip Code
- Residence FIPS Code
- Event Location
- City or Town
- County
- State
- Zip Code
- FIPS Code
- Cause of death ICD 10 code
- SUPPLEMENTAL DATA ELEMENTS FOR LEVEL I, II AND III DATA REQUESTS
- C. 1. Group ID Data Elements - Level I, II and III APCD data requests may include the following additional Group ID Data Element:
- Payer Assigned Group ID Number
C. 2. Practitioner Identifiable Data Elements
Level I, II and III APCD data requests may include the following additional Practitioner Identifiable Data Elements:
- Provider First Name
- Provider Middle Initial or Name
- Provider Last Name
- Service Provider Suffix
- Provider NPI
- Billing Provider Last/Organization Name
- Billing Provider NPI
Level I, II and III Inpatient, Outpatient and Emergency Department Hospital Encounter data requests may include the following additional Practitioner Identifiable Data Elements:
- Attending Practitioner First Name
- Attending Practitioner Middle Initial
- Attending Practitioner Last Name
- Attending Provider NPI
- Operating Practitioner First Name
- Operating Practitioner Middle Initial
- Operating Practitioner Last Name
- Operating Practitioner NPI
- DATA ELEMENTS RELEASED IN LEVEL III FILE- DIRECT IDENTIFIERS
Level III Limited Data includes the data listed in APPENDIX A and B, including Supplemental Data if requested, plus the following direct identifiers:
- Patient/Member/Registrant: First Name, Middle initial, and Last Name
- Self-Pay Name (Individuals who are payers in the hospital data)