90-590-120 Me. Code R. § 15

Current through 2024-51, December 18, 2024
Section 590-120-15 - DATA GOVERNANCE, DATA USE AND STEWARDSHIP BY MHDO
1. Internal MHDO Use of Data: The MHDO will use the data it collects as described in 90-590 C.M.R. Chapters 241, 243, 270, 300 and 630 to:
A. Fulfill its responsibilities as described in Title 22 Chapter 1683;
B. Link APCD data with hospital encounter data or other MHDO data; and, if authorized in the data application, link external data sets to the MHDO Data set provided that the data are released to the Data Recipient de-identified;
C. Produce customized reports as requested by the Governor's office, other government agencies, the Maine State Legislature and other external parties;
D. Authenticate and ensure the integrity of data filed with MHDO;
E. Produce MHDO generated numbers to allow for the distinguishing of and longitudinal tracing of individuals, without individually identifying the individuals; and
F. Identify and exclude data entitled to special confidentiality protections as provided in this rule.
2. Safeguards. The MHDO will maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting MHDO data, records and documents as follows:
A. MHDO administrative safeguards will ensure the confidentiality, integrity, and availability of all data MHDO creates, receives, maintains or transmits, and ensure compliance by its workforce and vendor(s).
B. The MHDO will use security management processes, and its security and privacy officer to identify and analyze potential risks to confidential data and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
C. Information Access Management. The MHDO will continue to implement policies and procedures for authorizing access to confidential data only when such access is appropriate based on the user or recipient's role (role-based access).
D. Workforce Training and Management. The MHDO will provide appropriate authorization and supervision of workforce members who work with confidential data. The MHDO will train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures. Sanctions shall be disciplinary actions that follow principles of progressive discipline similar to those outlined in the State's bargaining contract applicable to the Professional and Technical Services Bargaining Unit agreement. Sanctions may include any of the following depending on the severity of the action for which they are given: oral or written reprimand, suspension, demotion, and dismissal.
E. Evaluation. The MHDO will perform an annual assessment of its security policies and procedures to ensure that they are functioning appropriately and report the results to the MHDO Board.
F. MHDO will apply health care industry standards to provide physical safeguards and technical safeguards to protect PHI and data. These safeguards will be specified in an MHDO policy.
3. MHDO vendors shall be held by contract to high PHI security standards including federal standards such as the Federal Information Security Management Act, provisions of mandatory Federal Information Processing Standards (FIPS), and shall meet all of NIST's IT, data, system and physical security requirements. By contract, the MHDO Data warehouse vendor must maintain appropriate insurance coverage for MHDO's data.

90-590 C.M.R. ch. 120, § 15