90-590-120 Me. Code R. § 14

Current through 2024-51, December 18, 2024
Section 590-120-14 - DATA BREACH
1. Breach of PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the MHDO concludes based on demonstrable evidence that there is a low probability that the PHI has been compromised.
2. Any person may report, and employees, vendors, board and subcommittee members shall report, to the Executive Director of MHDO when they believe a potential breach of PHI has occurred or may occur. When a potential breach of PHI is reported or made known to the MHDO Executive Director, a risk assessment shall be conducted by the Executive Director or the Staff Delegate immediately and shall consider at least the following factors:
A. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
B. the unauthorized person who used the PHI or to whom the disclosure was made;
C. whether the PHI was actually acquired or viewed;
D. the extent to which the risk to the PHI has been mitigated; and
E. whether and how the data was secured, including encryption.
3. The Executive Director shall keep a report of any such investigations and make the results known to the MHDO Executive Committee within twenty-four hours of the determination.
4. If the Executive Director determines that the data were encrypted, that there was a low probability of compromise of any PHI involved, or that one of the exceptions to breach notification applies (an unintentional or inadvertent disclosure to an employee who is held to the same security and privacy standards and who does not further disclose the PHI, or a good-faith belief that the unauthorized person to whom the disclosure was made could not reasonably have retained the PHI), no individual notification shall be made.
5. If there is a breach of unencrypted data including PHI that would require notice to affected individuals if the breach occurred at a covered entity, MHDO will provide individual notification similar to notification requirements of the HIPAA Privacy Rule and HIPAA Breach Notification Rule.
6. In the event that the MHDO Executive Director determines that a data breach caused by the MHDO requires notification to affected individuals, the Executive Director and the Executive Committee of the MHDO Board shall notify the Joint Standing Committee of the Legislature having jurisdiction over Health and Human Services matters, and the membership of the MHDO Board, within 30 business days of the breach.
7. The notification to the Health and Human Services Committee and the MHDO Board regarding the breach will maintain the confidentiality of all individuals affected by the breach. The notification to the committee and board will include the types of information provided to individuals.
8. Any potential breaches of PHI by MHDO vendors, State employees, or recipients of MHDO Data shall be reported to the Executive Director, reviewed by the Executive Director, and results reported to the MHDO Board.

90-590 C.M.R. ch. 120, § 14