INSTRUCTIONS

Non-Governmental Applicants may request MD APCD Standard Analytics Files by submitting this completed Application, including attachments and the Data Management Plan. MHCC will review the application package to determine whether the request meets the criteria for data release pursuant to COMAR 10.25.05. Review data availability here then calculate the applicable fees here. Review Important notes:

• Incomplete applications will be returned to the Applicant and the request may be delayed.
• All applications require a non-refundable application fee, payable at the time of submission.
• All application attachments will be incorporated into the Data Use Agreement (DUA) that must be signed prior to any MCDB data being transmitted. A draft DUA will be provided to the applicant after this Application is submitted, so that the Applicant can review the terms and conditions.  
• COMAR 10.25.05.07A requires that all completed applications be published on the Commission's website while the application is under review, without the data management plan and security measures.
• Requests that include Maryland Medicaid Managed Care data and Medicare Fee for Service data require special consideration that may increase the review timeline.

Data Fee Calculator available to estimate the fee for your data sets. The Data Fee Waiver is available to support those who are unable to access the data for financial hardship. If completing a Data Fee Waiver, please attach it to this application under Attachment H. 

This application should only be completed and submitted for Standard Analytic Files. All requests for Custom Data Files should be sent directly to MHCC at mhcc.datarelease@maryland.gov. 

ATTACHMENT A: PROJECT SCOPE

ATTACHMENT B: MD APCD DATASET REQUESTED

ATTACHMENT C: ADDITIONAL DATA SOURCES AND LINKAGE

ATTACHMENT D: DATA MANAGEMENT PLAN 

ATTACHMENT E: USE OF CONTRACTORS AND/OR CONSULTANTS (External Entities)

ATTACHMENT F: APPLICANT QUALIFICATIONS

ATTACHMENT G: ATTESTATION

ATTACHMENT H: INSTITUTIONAL REVIEW BOARD AND DATA FEE DOCUMENTS

If you answer "yes" to any of the following questions, describe the types of products, software, services, or tools and what the corresponding fees will be for such products, software, services, or tools. 

The MD APCD contains fully processed records for eligibility and professional, institutional, and pharmacy claims for privately fully-insured and non-ERISA self-insured health insurance plans licensed in Maryland for both in-state and out-of-state covered members. Please review the data dictionary before completing this section. Calendar years 2010-2021 are currently avaliable. 

MD APCD Data Dictionary:https://mhcc.maryland.gov/mhcc/pages/apcd/apcd_data_release/documents/User_Manual_2019_V1_Codebook.pdf  

 

Standard Analytic Files: Formerly known as the Standard Data Extract. The Standard Analytics Files contain four fixed (i.e., non-customizable) files- the Medicaid Eligibility File, the Professional Services File, and the Pharmacy File. Information about the specific data elements provided within each of the four files can be found in the Data Dictionary. This data set does not include data from Medicare. 

Custom Data Sets: A custom data extract can be created based on criteria provided by an Applicant if the data are deemed the minimum amount necessary for an Applicant's proposed use of the data and includes:  

 

a. Indirect individual identifiers that cannot be used to identify indviduals when combined with other information or data; or 

 

b. Aggregate, summary data in which the risk of identifying individuals is minimal.

Custom Data Sets can also include requests for linkage across data sets.  

 

This application should only be completed and submitted for Standard Analytic Files. All requests for Custom Data Files should be sent directly to MHCC at mhcc.datarelease@maryland.gov.

Which MD APCD files are you requesting? Provide a brief justification (1-3 sentences) for each one. Specifically address why this is the minimum necessary data to accomplish the study. 

Applications for access to Medicaid Managed Care data are sent to the Maryland Medicaid Administration for review and comment. The fields avaliable on the Medicaid MCO data sets have been aligned with Maryland APCD fields to the extent greatest possible. Medicaid Fee for Service data sets are not avaliable.  

If requesting Medicare data, the request will be reviewed in accordance with the State Agency DUA and CMS State Data Request Memo. Per the CMS State Data Request Memo, researchers that are not doing work under the direction of the state will need to request the data through the current CMS research request process. Additionally, researchers in states that receive data under this process for studies that are under the direction of, and are partially funded by a state, will still be required to request the data through the current CMS research request process for other studies that are conducted under different authorities or funding. 

The undersigned certifies and agrees as follows: 

• The data will be used for approved purposes of analysis and presentation. 
• The Organization will comply with all administrative, technical, and procedural policies and physical safeguards established to protect the confidentiality of the data and to prevent unauthorized access to the data. 
• The data will be encrypted at rest and in motion on storage media (backup tapes, local hard drives, network storage, et al.) with at least an AES-256 standard or stronger. 
• The Organization understands and agrees that any intentional breach of confidentiality will result in termination of the Data Use Agreement. 
• Anti-virus software or service is active on any server or endpoint containing the MD APCD data. 
• Staff with access to PHI or other sensitive data have received all relevant training. 
• The Orgnaization has policies and procedures in place to address: 
  • The sharing, transmission, and distribution of PHI
  • The physical possession and storage of PHI
  • The destruction of PHI upon completion of data use.
  • Confidentiality agreements with each individual, including contractors, who will access PHI 
  • Agreements governing the use and disclosure of PHI with all non-employees who will access PHI

Responsible Individuals

Describe the name and data security assessment level of each physical location and the Cloud Service Provider where the data will be stored. Provide evidence that the proposed computing environment meets or exceeds NIST 800-53v4security standards. Identify all certifications held by entities that will store or hold data.

• SOC 2 Type Audit
• HITRUST Certification
• ISO 27001 Audit Certification
• Independent external HIPAA standards Assessment
• SSAE 16 Overview, and/or
• FedRAMP Certification

Data Sharing, Electronic Transmission, and Distribution

Describe the Requesting Organization's technical safehguards preventing unauthorized access to Maryland APCD data files: 

Applicant must agree that the Maryland APCD data, all copies and backups must be destroyed immediately after the period of time necessary to fulfill the requirements of the data request in accordance with the terms and conditions of the Data Use Agreement. All data destruction must follow and confirm to NIST Special Publications 800-88. Guidelines for Media Sanitization.

Provide the following information for all consultants and contractors who will have access to the Maryland APCD data. The Requesting Organization must have a written agreement with the contractor/consultant to ensure the use of MD APCD data only for the approved project(s) of this application as well as the privacy and security standards set forth in the Data Use Agreement. MD APCD data may not be shared with any third party without prior written consent from MHCC, or an amendment to this application. 

If yes, a separate Data Management Plan must be completed by this contractor/consultant.

Project Personnel

Has the Applicant or any person or entity that is an officer, owner, operator, or part of management of the applicant's organization who will have access and use of the data been subject of or a party to a state or federal regulatory agency action or civil or crimincal action involving a data breach, HIPAA violation, or other matter involving unauthorized access, use, and disclosure of data regardless of whether there has been a finding or admission of guilt, including being:  

• Convicted of a felony or pleading guilty, or receiveing a diversionary disposition regarding a felony; 
• A subject of an investigation conducted by, or a pending complaint, charge, or indictment issued by, a local, state, or federal governmental regulatory agency or other state or federal law enforcement agency; or
• A party to a final dispositive action in a state or federal governmental agency regulatory action or a civil action that resulted in entry into a settlement agreement, consent agreement, decree or order, corporate integrity agreement, corrective action agreement, or other similar agreement or other disposition in a civil action regardless of whether there has been an admission or finding of guilt or liability.  

A. Institutional Review Board Determination

Letter and Supporting Materials

B. Data Fee Quote 

C. Data Fee Waiver 

When you submit this application, a draft DUA will be produced for your review of the terms and conditions. There is no action needed on the DUA at this time. If your application is approved, MHCC will send you a final formal DUA for execution.