90-590-120 Me. Code R. § 2

Current through 2025-02, January 8, 2025
Section 590-120-2 - DEFINITIONS

Unless the context indicates otherwise, the following words and phrases shall have the following meanings:

1. APCD. "APCD" means the All Payer Claims Database.
2. APCD Data. "APCD Data is Health Care Claims Data consisting of, or derived directly from, member eligibility, medical claims which includes identifiable practitioner data elements, pharmacy claims, and/or dental claims files submitted by health care claims processors pursuant to Chapter 243 of the MHDO's rules, Uniform Reporting System for Health Care Claims Data Sets.
3. Applicant. An "Applicant" is an individual or organization that requests Data in accordance with this rule.
4. Breach. A "Breach" is an impermissible use or disclosure under this rule that compromises the security or privacy of Protected Health Information (PHI). An impermissible use or disclosure of PHI is presumed to be a breach unless the MHDO demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
A. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
B. The unauthorized person who used the PHI or to whom the disclosure was made;
C. Whether the PHI was actually acquired or viewed; and
D. The extent to which the risk to the PHI has been mitigated.
5. Business Associate. "Business Associate" has the same meaning as under 45 Code of Federal Regulations, Section 160.103(2015). Generally, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
6. Cancer-Incidence Registry Data. "Cancer-Incidence Registry Data" means information collected from the Maine Department of Health and Human Services, Office of Data Research and Vital Statistics pursuant to Chapter 730 of the MHDO rules, Interagency Reporting of Cancer-Incidence Registry and Vital Statistics Data.
7. Carrier. "Carrier" means an insurance company as defined in Title 22, Chapter 1683, section 8702 (1-A).
8. Choice Regarding Disclosure of Information. "Choice Regarding Disclosure of Information" means a mechanism that allows an individual to choose to not allow the MHDO to disclose their directly identifiable health care information for certain requests.
9. Commercial Redistribution. "Commercial redistribution" is when a for-profit or not-for-profit business or organization purchases MHDO data or information for inclusion in a larger composite database for resale in any form.
10. Covered Entity. "Covered Entity" has the same meaning as 45 Code of Federal Regulations, Section 160.103(2015). "Covered Entities are health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities").
11. Data Provider. A "Data Provider" is an entity or person that provides data to the MHDO pursuant to 22 M.R.S.A. Sections8708, 8708-A, 8709, 8710 or 8711 and is a health care facility, health care practitioner, health care claims processor or carrier. For the purposes of this rule, "Data Provider" incudes the DRVS for date submitted pursuant to Chapter 730.
12. Data Recipient. A "Data Recipient" is any entity or person that receives data pursuant to this rule.
13. Data Release Subcommittee. "Data Release Subcommittee" is a subcommittee of the MHDO Board of Directors established to review applications for data release as specified in these Rules.
14. Data Suppression. "Data Suppression" means the masking of certain data fields in situations where the small number of records in a subgroup might otherwise allow for the identification of individuals.
15. Direct Identifiers. Direct Identifiers" are personal information as outlined in Chapter 125, such as name, social security number, and date of birth, that uniquely identifies an individual or that can be combined with other readily available information to uniquely identify an individual. A MHDO assigned replacement number or code (used to create anonymous data indices or linkage) is not a direct identifier. MHDO Level III Data includes MHDO Direct Identifiers.
16. DRVS. "DRVS" means the Data, Research, and Vital Statistics office within the Department of Health and Human Services.
17. Encryption. "Encryption" means the process of converting data to an unrecognizable form, in order to protect sensitive information including protected health information so that only authorized parties can view it. This includes data files and storage devices, as well as data transferred over wireless networks.
18. Executive Director. "Executive Director" means the Executive Director of MHDO or the Acting Executive Director of MHDO.
19. Federal Information Processing Standards (FIPS). "Federal Information Processing Standards" are public standards developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors. The purpose of FIPS is to ensure that all federal government and agencies adhere to the same guidelines regarding security and communication.
20. Financial Data. "Financial data" means information collected from data providers pursuant to Chapter 300 of the MHDO rules, Uniform Reporting System for Hospital Financial Data, that include, but are not limited to, costs of operation, revenues, assets, liabilities, fund balances, other income, rates, charges and units of services.
21. Health Care Claims Processor. "Health Care Claims Processor" means a third-party payer, third-party administrator, Medicare health plan sponsor, or pharmacy benefits manager.
22. Health Care Improvement Studies. "Health Care Improvement Studies" means studies of health care utilization, improvements, cost, or quality with a specified purpose for improving the health of Maine people.
23. Health Care Operations. "Health Care Operations" means activities as defined in HIPAA 45 CFR 164.501 (2015), such as quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and planning analyses related to managing and operating entities providing health care or that provide planned coverage for health care payment.
24. HIPAA. "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996. HIPAA regulations are in 45 CFR Parts 160, 162 and 164. Any reference of citation to 45 CFR is to the 2015 version. The cited sections of the CFR are available online at www.hhs.gov.
25. Hospital Encounter Data. "Hospital Encounter Data" means information consisting of or derived directly from hospital inpatient and outpatient data, which includes identifiable practitioner data elements, or any other derived data sets filed or maintained pursuant to Chapter 241 of the MHDO's rules, Uniform Reporting System for Hospital Inpatient and Hospital Outpatient and Emergency Department Data Sets.
26. Longitudinal Research. "Longitudinal Research" is a research method in which data is gathered for the same subjects repeatedly over a period of time. Longitudinal research projects can extend over years. Data Recipients authorized to conduct longitudinal research may integrate the MHDO source data into their internal composite database for the purposes of internal longitudinal research.
27. MHDO Assigned Member ID. "MHDO Assigned Member ID" is a MHDO assigned replacement Member ID which is unique for a given member within a given payer contract to the extent possible given the identifiers received from data submitters. The MHDO Assigned Member ID is not a direct identifier. MHDO assigned codes or numbers are owned by the MHDO and may only be used pursuant to MHDO DUA's and for no other purpose. MHDO Level II APCD Data includes this deidentified Member ID.
28. MHDO Assigned Person ID. "MHDO Assigned Person ID" is a MHDO-assigned replacement Person ID which is unique for a given person regardless of payer, contract, or hospital to the extent possible given the identifiers received from data submitters. The MHDO Assigned Person ID is not a direct identifier. MHDO assigned codes or numbers are owned by the MHDO and may only be used pursuant to MHDO DUA's and for no other purpose. MHDO Level II APCD, Hospital Data, Cancer-Incidence Registration, Vital Statistics Birth Data, and Vital Statistics Death data includes this deidentified Person ID.
29. MHDO Assigned Replacement Number or Code. A "MHDO Assigned Replacement Number or Code" is a MHDO created number or code that is used to create anonymous or encrypted data indices. The MHDO Assigned Replacement Number or Code is not a direct identifier. MHDO assigned codes or numbers are owned by the MHDO and may only be used pursuant to MHDO DUA's and for no other purposes.
30. MHDO Data. "MHDO Data" means all data submitted to or collected by MHDO. MHDO includes but is not limited to APCD Data (Health Care Claims Data), Hospital Encounter Data, Hospital Financial Data, as defined in MHDO law. All information submitted to or collected by MHDO in accordance with law shall be considered confidential data and protected by privacy and security measures consistent with health care industry standards.
31. MHDO Data Use Agreement (MHDO DUA). "MHDO Data Use Agreement" is a MHDO document detailing a Data Recipient's commitment to data privacy and security, as well as restrictions on the disclosure and use of data.
32. MHDO De-Identified Data. "MHDO De-Identified Data" means information that does not directly or indirectly identify an individual patient and for which there is no reasonable basis to believe the data can be used to identify an individual patient. MHDO Level I Data is considered MHDO De-Identified Data. Level I Data sets may only be used in ways that maintain patient anonymity and for acceptable MHDO uses.
33. MHDO Limited Data Set. A "MHDO Limited Data Set" includes limited identifiable patient information specified in HIPAA regulations. A MHDO Limited Data Set may be disclosed to a data recipient without a patient's authorization in certain conditions:
(1) the purpose of the disclosure must be limited to research, public health, health care operations;
(2) the purpose of the disclosure must be consistent with the purposes of the MHDO and
(3) the Data Recipient must sign a MHDO DUA. The identifiable patient information that may remain in a MHDO limited data set includes:
A. dates such as admission, discharge, service, Date of Birth (DOB), and Date of Death (DOD);
B. city, state, five-or-more-digit zip code, and
C. age in years, months or days or hours.

MHDO Level II Data releases are a limited data set. Limited data sets may only be used in ways that maintain patient anonymity.

34. MHDO Provider Database. "MHDO's Provider Database" is a directory of healthcare providers in Maine, including identity information for facility providers and individual providers, as well as the relationships between providers and health systems. The information is classified by provider type, specialties, credentials, demographics, and service locations. The database also provides hierarchical structure to allow users to associate service locations within provider groups and health systems.
35. Minimum Necessary. "Minimum Necessary" is the principle requiring data applicants and recipients to make reasonable efforts to request and use only the minimum amount of data needed to accomplish the intended purpose of the data request for which MHDO approval was granted and for no other purpose.
36. National Institute of Standards and Technology (NIST). "The National Institute of Standards and Technology" is a measurement standards laboratory. NIST is a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
37. Non-Claims Based Payments. "Non-claims-based" means payments that are for something other than a fee-for-service claim. These payments include but are not limited to Capitation Payments, Care Management/Care Coordination/Population Health Payments, Electronic Health Records/Health Information Technology Infrastructure/Other Data Analytics Payments, Global Budget Payments, Patient-centered Medical Home Payments, Pay-for-performance Payments, Pay-for-reporting Payments, Primary Care and Behavioral Health Integration Payments, Prospective Case Rate Payments, Prospective Episode-based Payments, Provider Salary Payments, Retrospective/Prospective Incentive Payments, Risk-based Payments, Shared-risk Recoupments, and Shared-savings Distributions.
38. Non-Commercial Redistribution. "Non-commercial redistribution" is when an entity purchases MHDO data for inclusion in a larger composite database that is publicly released and available at no cost.
39. Pharmacy Benefits Manager. "Pharmacy Benefits Manager" means an entity that performs pharmacy benefits management as defined by 24-A MRS § 1913.
40. Proprietary Data. "Proprietary Data" is data that is submitted to the MHDO by a Data Provider which has not been made available to the public and is information that if made available to the public will directly result in the data provider being placed in a competitive economic disadvantage.
41. Protected Health Information (PHI). "Protected Health Information" includes any individually identifiable health information (including any combination of data elements) that relates to the past, present, or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individual; and (a) identifies an individual, or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual patient. It includes direct identifiers such as those in MHDO Chapter 125. PHI also includes individually identifiable registrant information.
42. Public Data. "Public Data" is data that is published on the MHDO publicly accessible website as required by Title 22, Chapter 1683. Public data includes those parts of hospital Financial Data, described in Chapter 300, and Quality Data, described in Chapter 270 which are available on the MHDO publicly accessible website.
43. Public Health Authority. "Public Health Authority" means a state or federal agency or authority that is responsible for public health matters as part of its mandate, such as those legally authorized to collect and or receive information for the purposes of preventing or controlling disease, injury or disability. For example, the Maine Center for Disease Control and Prevention, and the federal Centers for Disease Control and Prevention are Public Health Authorities.
44. Quality Data. "Quality Data" means information consisting of or derived directly from data providers pursuant to Chapter 270 of the MHDO's rules, Uniform Reporting System for Quality Data Sets. "Quality data" do not include analysis, reports, or studies if those analyses, reports, or studies have already been released as part of a general distribution of public information by the MHDO.
45. Research. "Research" is any systematic investigation designed to develop or contribute to generalizable knowledge, meaning knowledge that can be applied to populations outside of the population studied.
46. Researchers. Academic researchers, including those affiliated with public and private universities and medical schools, as well as other organizations and researchers undertaking health care research or healthcare related projects.
47. Registrant. "Registrant" means the individual(s) to whom the record pertains: the child named on a birth certificate, the decedent named on a death certificate, and the subject of cancer registry data.
48. Staff Delegate. "Staff Delegate" means a member of the MHDO staff to whom the Executive Director delegates specific responsibilities under this Chapter.
49. Supplemental Data. "Supplemental Data" consists of data elements that are derived directly from the APCD Data and the Hospital Encounter Data and can be requested as supplements to data requests. Specifically, Supplemental Data includes the Group ID Elements and Practitioner Identifiable Data Elements as listed in Appendix C.
50. Treatment, Payment and Health Care Operations (TPO). "Treatment, Payment and Health Care Operations" has the same meaning as in HIPAA regulations at 45 CFR 164.506 (2015). The MHDO may release and disclose PHI to a covered entity for the covered entity's own treatment, payment, and health care operations activities, in accordance with these rules.
51. Unauthorized Disclosure. "Unauthorized Disclosure" means to communicate PHI and any other MHDO Data to a person not already in possession of that information or to use information for a purpose not originally authorized. For example, to inform a person of the identity of a previously unnamed patient is to "disclose" unauthorized information not already in that person's possession with respect to the patient.
52. Vital Statistics Data. "Vital Statistics Data" means information collected from the Maine Department of Health and Human Services, Office of Data Research and Vital Statistics pursuant to Chapter 730 of the MHDO rules, Interagency Reporting of Cancer-Incidence Registry and Vital Statistics Data.

90-590 C.M.R. ch. 120, § 2