Government Entity Application for Maryland Medical Care Data Base

Application for Standard Analytic Files from the Maryland Medical Care Data Base (Governmental Entity)
Application Received

MonthDayYear
Date
Application Approved

MonthDayYear
Date
Data Obtained

MonthDayYear
Date
INSTRUCTIONS

This form is required for Governmental Entity Applicants requesting Standard Analytic Extracts. Applicants must complete all of the attachments. The completed Application and the Data Management Plan will be used by MHCC to determine whether the request meets the criteria for data release, pursuant to COMAR 10.25.05. Incomplete applications will be returned to the Applicant and the request will be delayed. All applications must include evidence that the project has been reviewed by the governmental entity's legal counsel regarding the entity's legal authority to use the data requested for the purpose described.
Note to Applicants:
- Review data availability here and here
- All application attachments will be incorporated into the Data Use Agreement (DUA) that will need to be signed prior to any Maryland APCD data being transmitted. A draft DUA will be provided to the applicant after this Application is received, so that the applicant can review the terms and conditions.
Questions?

Email mhcc.datarelease@maryland.gov
Data Fee Calculator available to estimate the fee for your data sets.

TABLE OF CONTENTS

INSTRUCTIONS	1
PROJECT INFORMATION	3
ATTACHMENT A: SCOPE OF WORK	4
ATTACHMENT B: MCDB DATASET REQUESTED	7
ATTACHMENT C: ADDITIONAL DATA SOURCES AND LINKAGE	8
ATTACHMENT D: DATA MANAGEMENT PLAN	10
ATTACHMENT E: USE OF CONTRACTORS AND/OR CONSULTANTS (External Entities)	15
ATTACHMENT F: APPLICANT QUALIFICATIONS	16
ATTACHMENT G: ATTESTATION	17

PROJECT INFORMATION
Project Title blanks
Scheduled Project Start Date Date
Scheduled Project End Date Date
Project Overview: Provide an abstract or brief summary (150 words) of the specific purpose and objectives of the Project.

0/150
Applicant (Governmental Entity)
Organization Name   Type a label
Website   Type a label
Email Address   Email
Telephone Number  Phone Number
Mailing Address   Street Address      City   State   Zip
Principal Investigator/Project Manager (individual responsible for the research team using the data)
Name   First Name   Last Name
Title   Type a label
Email Address   Email
Telephone Number      Phone Number
Organization Name   Type a label
Mailing Address   Street Address      City   State   Zip
Data Custodian (person responsible for receiving, organizing, storing, and archiving data)
Name   First Name   Last Name
Title  Type a label
Email Address   Email
Telephone Number      Phone Number
Organization Company (if different from Applicant)Type a label
Mailing Address   Street Address      City   State   Zip
Relationship to Applicant (e.g., Contractor)   Type a label
Project Contact (person responsible for all communications with MHCC)
Name   First Name   Last Name
Title  Type a label
Email Address   Email
Telephone Number      Phone Number
Organization Name Type a label
Mailing Address   Street Address      City   State   Zip

ATTACHMENT A: SCOPE OF WORK
1. Project Purpose
a. Describe the specific research question(s) you are trying to answer or problem(s) you are trying to solve with the requested data or describe the intended product or report that will be derived from the requested data. If a research project, please list each individual question or aim of the analysis.
b. Briefly describe the purpose(s) for which MD APCD data are sought. Use quantitative indicators of public health importance where possible. For example: variation in costs of care; rates of under or over service utilization; health system performance measures, the effect of public health initiatives, health insurance, etc.
c. Explain in detail how the planned project that will use MD APCD data is in the public interest and give specific examples of how the project will serve the public interest.
2. Project Methodology
a. Provide a written description of the project methodology, state the project objectives, the protocol, software and/or identify relevant study questions and analysis method to allow MHCC to understand how the MD APCD Data will be used to meet project objectives or address research questions.

ATTACHMENT B: MD APCD DATASET REQUESTED
MHCC collects privately insured data (claims and membership), known as the Medical Care Data Base (MCDB), on a quarterly basis from life and health insurance carriers, health maintenance organizations (HMOs), third party administrators (TPAs), and pharmacy benefits managers (PBMs) that are licensed to do business in Maryland. The MCDB is Maryland's APCD. The MCDB data that is available for release contains eligibility and professional, institutional, and pharmacy claims. Starting in 2015, the Medical Care Data Base (MCDB) excludes private plan data for self-insured ERISA plans due to the Gobeille v. Liberty Mutual Supreme Court ruling.

The data which is refreshed and updated annually contains only privately fully-insured and self-insured non-ERISA health insurance plans for Maryland and non-Maryland residents. The MCDB encompasses about 90-95% of the privately fully insured market in Maryland and 25%-30% of the self-insured market (post-Gobeille, primarily non-ERISA). To determine the years for which data are available please check on the MHCC website. That site also contains information about the most current MCDB Release Version and a full list of elements in the release including the release record layouts, data dictionaries, and supporting documentation here.
Institutional Claims
Years of Institutional Claims (Specify for Medicaid and Commercial if different)
Justification for Requesting Institutional Claims
Professional Claims
Years of Professional Claims (Specify for Medicaid and Commercial if different)
Justification for Requesting Professional Claims
Pharmacy Claims
Years of Pharmacy Claims (Specify for Medicaid and Commercial if different)
Justification for Requesting Pharmacy Claims
Member Eligibility
Years of Member Eligibility (Specify for Medicaid and Commercial if different)
Justification for Requesting Member Eligibility

ATTACHMENT C: ADDITIONAL DATA SOURCES AND LINKAGE
1. Maryland Medicaid Data

Applications for access to Medicaid Managed Care data for studies comparing the privately insured to Medicaid Managed Care patients can be submitted but require a separate approval from the Maryland Medicaid Administration. The fields available on the Medicaid MCO data sets have been aligned with MD APCD fields to the extent possible.
a. Indicate whether you are seeking Medicaid data:
b. Do you intend to merge or link MD APCD data with Medicaid data?
If yes, provide a brief justification.
c. Federal law (42 USC 1396a (a) 7) restricts the use of individually identifiable data of Medicaid recipients to uses that are directly connected to the administration of the Medicaid program. If you are requesting Maryland Medicaid Data, please describe, in the space below, why your use of the Data meets this requirement.
2. Medicare Data

If requesting Medicare data, the request is reviewed in accordance with the State Agency DUA and CMS State Data Request Memo.

Privacy Board Approval: As required by HIPAA, all data disclosures for research must be approved by the Privacy Board. For the Privacy Board to approve any data release, it must conclude that several criteria laid out at 45 CFR 164.512(i)(2)(ii) are met. Specifically the requesting agency must provide:
a. A plan to protect the data from the improper use or disclosure and assurances that the data will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research for which the data was requested, or for other research for which the use or disclosure of PHI would be permitted under 45 CFR 164.512(i)(2)(ii). In the space below, explain how your request for Medicare data meets this requirement.
b. A plan to destroy identifiers when the research is completed, unless there is a research justification for retaining the identifiers. In the space below, explain how your request for Medicare data meets this requirement.
c. An assertion that the research could not practicably be conducted without access to and use of protected health information. In the space below, attest that your request for Medicare data meets this requirement.

3. Other Linkages

Data linkage involves combining MD APCD data with other data to create a more extensive database for analysis.
1. Do you intend to merge or link MD APCD Data with other data? If Yes, please complete questions a-e that follow.
a. What are the files to be linked?
b. Why is this linkage needed?
c. Which MD APCD data elements will be linked to the data elements in the external file?
d. What methodology or algorithm will be used to create this match? If you intend to create a unique algorithm, describe how it will link each dataset.
e. Which variables from each of the source files will be included in the final linked analytic file?
2. Explain why the linkages are needed.
3. Describe the specific steps you will take to prevent the identification of individuals in the linked files.

ATTACHMENT D: DATA MANAGEMENT PLAN
Certification

The undersigned certifies and agrees as follows:
- The data will be used only for approved purposes of analysis and presentation.
- The Requesting Organization will comply with all administrative, technical, and procedural policies and physical safeguards established to protect the confidentiality of the data and to prevent unauthorized access to the data.
- The data will be encrypted at rest and in motion on storage media (backup tapes, local hard drives, network storage, et al.) with at least an AES-256 standard or stronger.
- The Requesting Organization understands and agrees that any intentional breach of confidentiality will result in termination of the Data Use Agreement.
- Anti-virus software or service is active on any server or endpoint containing the MD APCD data.
- Staff with access to PHI or other sensitive data have received all relevant training.
The Requesting Organization has policies and procedures in place to address:
- The sharing, transmission, and distribution of PHI
- The physical possession and storage of PHI
- The destruction of PHI upon completion of data use
- Confidentiality agreements with each individual, including contractors, who will access PHI
- Agreements governing the use and disclosure of PHI with all non-employees who will access PHI
Confirm you certify and agree to the above statement
1. Responsible Individuals
a. Provide the name(s) of the custodian responsible for receiving, organizing, storing, or archiving the data.
Name First Name   Last Name
Title   Type a label
Email Address   Email
Telephone Number   Area Code   Phone Number
Organization Name   Type a label
Mailing Address   Street Address      City   State   Zip
b. Provide the name of the person who will notify MHCC of any breach of the MD APCD data, Data Use Agreement, or the Data Management Plan
Name First Name   Last Name
Title   Type a label
Email Address   Email
Telephone Number   Area Code   Phone Number
Organization Name   Type a label
Mailing Address   Street Address      City   State   Zip
c. Provide the name of the person responsible for ensuring proper data destruction upon the termination of the Data Use Agreement, and submission of the Certification of Data Destruction.
Name First Name   Last Name
Title   Type a label
Email Address   Email
Telephone Number   Area Code   Phone Number
Organization Name   Type a label
Mailing Address   Street Address      City   State   Zip

d. Provide the name of the person who will notify MHCC of any project staffing changes, maintain the roster of staff who have formal, documented permission to access specific files for specific purposes, and ensure that all individuals with access to the data comply with the Data Use Agreement.
Name First Name   Last Name
Title   Type a label
Email Address   Email
Telephone Number   Area Code   Phone Number
Organization Name   Type a label
Mailing Address   Street Address      City   State   Zip
2. Physical Possession and Storage of Data Files
1. Where will the data be stored?
2. Provide the delivery address for the data, including the location where the data will be stored.
i. Delivery Address
Street Address City State Zip
ii. Storage Address
Street Address City State Zip
3. Provide the name and address of the Cloud Service Provider
Name Type a label
Cloud Service Provider Address
Street Address City State Zip
4. Describe the name and data security assessment level of each physical location and the Cloud Service Provider where the data will be stored. Provide evidence that the proposed computing environment meets or exceeds NIST 800-53v4 security standards. Identify all certifications held by entities that will store or hold data.
1. SOC 2 Type Audit
2. HITRUST Certification
3. ISO 27001 Audit Certification
4. Independent external HIPAA standards Assessment
5. SSAE 16 Overview, and/or
6. FedRAMP Certification

5. Has each individual who will access the data agreed to the Requesting Organization's privacy and security rules when using MD APCD data files?
6. Within the last 12 months, has each individual who will access MD APCD data received training on the proper handling of protected health information and/or personal data?
If no, provide a brief description of the circumstances and detail the training that each such person will receive and by what date.
7. Explain the infrastructure (facilities, hardware, software, etc.) that will secure the MD APCD data files.
8. Briefly describe the policies and procedures regarding the physical possession and storage of MD APCD data files.
9. Briefly describe the system or the process to track the status and roles of the individuals with access to the MD APCD data files.
10. Briefly describe physical and technical safeguards that will be used to protect MD APCD data files.
11. Briefly describe how the data will be backed up and how the backup files will be managed.
3. Data Sharing, Electronic Transmission, and Distribution
1. Briefly describe the Applicant's policies and procedures regarding the sharing, transmission, and distribution of sensitive data files (including Data Sharing Agreements).
2. Describe the Applicant's policies and procedures applicable to the physical removal, transport, and transmission of MD APCD data files.

4. Completion of Research Tasks and Data Destruction

Applicant must agree that the MD APCD data, all copies and backups must be destroyed immediately after the period of time necessary to fulfill the requirements of the data request in accordance with the terms and conditions of the Data Use Agreement. All data destruction must follow and conform to NIST Special Publications 800-88. Guidelines for Media Sanitization.
1. Describe the Applicant's process to complete the Certificate of Data Destruction form and the Applicant's policies and procedures to destroy data files upon completion of the project.
2. If a copy of the data is needed to be maintained for a longer period, explain why a longer time period is necessary.

ATTACHMENT E: USE OF CONTRACTORS AND/OR CONSULTANTS

(External Entities)
Provide the following information for all consultants and contractors who will have access to the MD APCD data. The Applicant must have a written agreement with the contractor/consultant to ensure the use of MD APCD data only for the approved project(s) of this application as well as the privacy and security standards set forth in the Data Use Agreement. MD APCD data may not be shared with any third party without prior written consent from MHCC, or an amendment to this Application.
Entity   Contractor    Subcontractor    Consultant
Contractor/Subcontractor/Consultants Name   Type a label
Title   Type a label
Website   Type a label
Contact Person   First Name   Last Name
Email Address   Email
Telephone Number   Area Code   Phone Number
Mailing Address   Street Address      City   State   Zip
Term of Contract   Type a label
1. Describe the tasks and products assigned to this entity for this project.
2. Describe the qualifications of this entity to perform and complete the tasks.
3. Describe the Applicant's oversight and monitoring of the activities and actions of this entity for this project, including how you will ensure the privacy and security of the MD APCD data to which the consultant or contractor has access.
4. Will this entity have access to or store the MD APCD data at a location other than the data custodian location, off-site server, and/or database?
If yes, a separate Data Management Plan must be completed by this contractor/consultant.

ATTACHMENT F: APPLICANT QUALIFICATIONS
1. Describe previous experience using claims data. This question should be answered by the primary investigator/project manager and should encompass the experience of the entire project team who will be using the data.
2. Resumes/CVs: When submitting this Application, include resumes or curricula vitae of the principal investigator/project manager and any project team with relevant experience.

Cancelof

ATTACHMENT G: ATTESTATION
ATTESTATION OF GOVERNMENTAL ENTITY AGENCY HEAD OR CHIEF EXECUTIVE OFFICER

I, First Name Last Name , Title , of Type a label , the Applicant in this Application, have been duly authorized by the Applicant to execute this attestation on its behalf. I solemnly affirm under penalties of perjury that the information contained in the Application, its attachments, and this Attestation, is true and correct to the best of my knowledge, information, and belief.
Signature of authorized representative of Applicant
   Signature*
Printed Name   First Name*   Last Name*
Title   Type a label*
Date   Date*
ATTESTATION OF LEGAL COUNSEL FOR REQUESTING GOVERNMENTAL ENTITY

I,   First Name   Last Name   ,   Title   , of   Type a label   , the Applicant in this Application, solemnly affirm that the Applicant has legal authority to use the requested data for the purposes described herein.

Signature of legal counsel of the Requesting Governmental Entity
Signature
Printed Name   First Name   Last Name
Title   Type a label
Date   Date
When you submit this application, a draft DUA will be produced for your review of the terms and conditions. There is no action needed on the DUA at this time. If your application is approved, MHCC will send you a final formal DUA for execution.
Should be Empty:

Application for Standard Analytic Files from the Maryland Medical Care Data Base (Governmental Entity)

INSTRUCTIONS

Questions?

TABLE OF CONTENTS

INSTRUCTIONS

1

PROJECT INFORMATION

3

ATTACHMENT A: SCOPE OF WORK

4

ATTACHMENT B: MCDB DATASET REQUESTED

7

ATTACHMENT C: ADDITIONAL DATA SOURCES AND LINKAGE

8

ATTACHMENT D: DATA MANAGEMENT PLAN

10

ATTACHMENT E: USE OF CONTRACTORS AND/OR CONSULTANTS (External Entities)

15

ATTACHMENT F: APPLICANT QUALIFICATIONS

16

ATTACHMENT G: ATTESTATION

17

PROJECT INFORMATION

ATTACHMENT A: SCOPE OF WORK

1. Project Purpose

2. Project Methodology

3. Publication and Dissemination

ATTACHMENT B: MD APCD DATASET REQUESTED

ATTACHMENT C: ADDITIONAL DATA SOURCES AND LINKAGE

1. Maryland Medicaid Data

2. Medicare Data

3. Other Linkages

ATTACHMENT D: DATA MANAGEMENT PLAN

Certification

1. Responsible Individuals

2. Physical Possession and Storage of Data Files

3. Data Sharing, Electronic Transmission, and Distribution

4. Completion of Research Tasks and Data Destruction

ATTACHMENT E: USE OF CONTRACTORS AND/OR CONSULTANTS

If yes, a separate Data Management Plan must be completed by this contractor/consultant.

ATTACHMENT F: APPLICANT QUALIFICATIONS

ATTACHMENT G: ATTESTATION

ATTESTATION OF GOVERNMENTAL ENTITY AGENCY HEAD OR CHIEF EXECUTIVE OFFICER

ATTESTATION OF LEGAL COUNSEL FOR REQUESTING GOVERNMENTAL ENTITY