Code of Maryland Regulations (Last Updated: April 6, 2021)
Title 10. Maryland Department of Health
Part 4.
Subtitle 25. MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.06. Maryland Medical Care Data Base and Data Collection
Sec. 10.25.06.06. Protection of Confidential Information Generally and in Submissions
A. Filing Data Using Encryption.
(1) To assure that confidential records or information are protected, each reporting entity shall encrypt each of the following data elements in such a manner that each unique value for a data element produces an identical unique encrypted data element:
(a) Patient or enrollee identifier; and
(b) Internal subscriber contract number.
(2) In order to maintain a consistent and unique identifier for each patient across providers, payors, and services, the Commission shall:
(a) As necessary, provide each reporting entity with an encryption algorithm using one-way hashing consistent with the Advanced Encryption Standard (AES) recognized by the National Institute of Standards and Technology; and
(b) Beginning with 2014 submissions, direct each reporting entity to:
(i) Provide selected data to the State-designated HIE for the creation and encryption of a Master Patient Index; and
(ii) Include Master Patient Index identifiers received from the State-designated HIE in its eligibility data report, as provided in Regulation .11 of this chapter.
(3) Each reporting entity shall maintain the security and preserve the confidentiality of the encryption algorithms provided by the Commission.
B. Security Safeguards.
(1) Any person accessing or retrieving data collected for and stored in the Medical Care Data Base shall use safeguards developed in accordance with State agency data systems security practices.
(2) Only an authorized individual designated in writing by the Executive Director, or his designee, shall have access to the Maryland Medical Care Data Base.
(a) The Executive Director, or his designee, shall establish a scope of access for each authorized individual.
(b) Each authorized individual shall sign a confidentiality security agreement as specified by the Commission.
C. Disclosure of Data for Research Use. To ensure that confidential or privileged patient information is kept confidential, prior to any disclosure of data that contains directly or indirectly identifiable health information, as defined in HIPAA:
(1) A review shall be conducted by an appropriate Institutional Review Board, as provided in COMAR 10.25.11;
(2) The Maryland Medical Assistance Program (Medicaid) shall review and approve any request for the release of Medicaid data.