Section 590-120-3 - GENERAL PROVISIONS APPLICABLE TO ALL MHDO DATA1. Confidentiality of Data A. MHDO data may be released only in accordance with this chapter and rules. MHDO may designate certain reports or data as open to public inspection by publishing them on the MHDO public website (Public Data). B. MHDO Data and records or documents containing PHI are confidential, may not be open to public inspection, are not public records for purposes of any state or federal freedom of access laws and may not be examined in any judicial, executive, legislative, administrative or other proceeding as to the existence or content of any individual's identifying health information , except that an individual's identifying health information may be used to the extent necessary to prosecute civil or criminal violations regarding information in the MHDO database.C. Decisions of the MHDO or employees and subcommittees of MHDO denying or limiting data release are not reviewable externally.D. Data elements related to health care facility or practitioner charges (total charges, line-item charges, charge amount) for services rendered shall only be released by MHDO in the average or aggregate in a manner which will prevent a charge/paid ratio to be computed for each type of service rendered for any individual health care claims processor, health care facility, or health care practitioner. All other data related to payment of claims contained in the appendices is publicly available contingent upon MHDO approval of the data request.E. Any data that directly identifies or would lead to the indirect identification of practitioners performing abortions as defined by 22 M.R.S. § 1596, including a practitioner's tax identification number, or a practitioner's Drug Enforcement Administration (DEA) registration number, or National Provider Identifier (NPI) are deemed to be confidential and shall not be released.F. HIV Tests and status. Level III Data shall not be released, nor shall any data released by MHDO be used, to individually identify any person's HIV status, including the results of an HIV test, except to the Maine Center for Disease Control on appropriate application and with a MHDO DUA, to fulfill its statutory duties under 22 M.R.S.A. Chapters 250 and 251. 5 M.R.S. §§ 19203 & 19203- D.G. Psychiatric treatment records. Level III Data shall not be released, nor shall any MHDO Data be used to individually identify any patient receiving mental health services including treatment from licensed psychiatric in-patient treatment facilities. 34-B M.R.S. § 1207. H. Substance abuse treatment. Level III Data shall not be released, nor shall any MHDO Data be used to individually identify any patient regarding receipt of substance abuse treatment by a licensed substance abuse treatment provider. 42 CFR § 2.13(2015).2. All data, which are not public data, must be requested by application made to the MHDO, by completing application forms prescribed by MHDO. Data applications shall at a minimum: A. Identify the name and address of the person and/or company requesting the data, and identify professional qualifications and affiliations;B. identify the specific level of data requested;C. describe how any Level II or Level III Data requested meets the standard of "minimum necessary";D. the purpose for which the data will be used;E. whether or not an Institutional review board is to be utilized;F. the ultimate recipient or user of the data;G. specify security and privacy measures that will be taken in order to safeguard patient privacy; and H. describe how, or if, the results of the Applicant's analysis will be published and made publicly accessible.3. All uses of released data are governed by the following principles of release: A. Level I and Level II Data releases may include MHDO replacement numbers to distinguish individual subjects so long as those individuals remain unidentified and anonymous to the data recipient and anyone obtaining information or reports from the data recipient.B. Level III Data requests shall be reviewed and must be approved by the MHDO Data Release Subcommittee before release. Level III Data may be linked and identified only as specified in the MHDO DUA.C. All data releases shall be limited to information that is necessary for the stated purpose of the release (minimum necessary).D. Supplemental data may only be requested with Level I, Level II, or Level III Data, and is subject to the same limitations and requirements that are associated with the level of data it supplements. In addition, supplemental data element "Payer Assigned Group ID Number" shall be subject to the following conditions:1. In order for the MHDO to consider releasing a payer assigned group ID number the affected employer must have at least 500 covered employees on their health plan. The` Data Applicant must obtain written authorization from the affected health plan and employer and/ or plan sponsor.2. Written authorization must include a detailed description of the use of this level of information. The written authorization must also include a statement from the employer certifying that the data will not be used to identify employees and/or dependents.3. Written authorization must be included with the submission of the data request to the MHDO.4. Before the release of data including the payer assigned group ID can occur the data applicant will provide the MHDO with the affected payer assigned Group ID Numbers.E. All data releases will be governed by a MHDO DUA that provides adequate privacy and security measures including accountability and breach notification requirements similar to those required in business associate agreements under HIPAA. Standard MHDO DUA's shall be published on the MHDO Public Website.F. The MHDO Executive Director and the Data Release Subcommittee have the authority to deny any request for data. A decision to deny or limit a request for data is not reviewable outside the MHDO.G. MHDO Data recipients must demonstrate levels of security and privacy practices commensurate with health industry standards for PHI, and with data encrypted at rest and in transit. Data recipients must be able to demonstrate their ability to meet privacy and security requirements. Data releases may be made available to authorized users via an encrypted secure download process.H. Data elements related to payment may be arrayed or displayed publicly in a way that shows payments for specific health care services by individual health care claims processors and health care facilities or practitioners only by MHDO. Data recipients may not publicly array or display MHDO Data in this way.I. A data recipient may not sell, re-package or in any way make MHDO Data available at the individual element level, unless the ultimate viewers of that data have applied to MHDO for this data, been approved for such access and signed an MHDO DUA.J. Data Ownership. MHDO shall maintain ownership of all data elements and sets it releases including any MHDO generated numbers or identifiers therein. MHDO ownership of the data and the laws controlling MHDO Data survive the expiration of any DUA or Agreement regarding MHDO Data. MHDO reserves the authority to stop access to MHDO Data without notice, and demand the return or destruction of MHDO Data. MHDO Data recipients acquire no enforceable property rights to MHDO Data or access to MHDO Data. Data Recipients must submit a written certification to the MHDO verifying destruction of the MHDO data within five business days of the completion of the data recipients stated purpose of the data use, or demand by the MHDO Executive Director.K. The Executive Director reserves the right to stop access to Data even after approval; and/or demand and secure the destruction or return of all MHDO Data, when the Executive Director concludes that is necessary to protect the privacy, integrity or security of MHDO Data.L. Data Recipients are prohibited from computing or trying to compute any charge/paid ratio for a type of service rendered for any individual health care claims processor, health care facility, or health care practitioner.90-590 C.M.R. ch. 120, § 3