HomeInside MDH > Procedural Guidelines for MDH Information Assurance Policies & Programs


Procedural Guidelines for MDH Information Assurance Policies and Programs


 

MDH Guidelines

Title:  Procedural Guidance for MDH Information Assurance Policies and Programs
Short Title:  Information Assurance Guidelines

I.          EXECUTIVE SUMMARY

 

These procedures accompany policy 02.01.06 to provide further guidance and direction on its implementation to assure confidentiality, integrity, and availability of MDH information assets.  It further clarifies the responsibilities of personnel to protect the interests of MDH and consumers with regard to the release of non-protected information and safeguarding of MDH protected and proprietary information. MDH Information Resources Management Administration maintains and periodically updates these mandatory guidelines as required.

 

II.          PROCEDURES

 

General Security Procedures

 

'Information Must Be Protected.'

 

This section describes procedures considered minimum security practice to maintain the security of Protected or Proprietary Information.

 

1. Staff in cubicles clear desks of protected and proprietary materials and lock contents when not present.

 

2.   Protected and proprietary information shall be maintained in a secure manner with access limited to designated personnel.  All client records are kept in a manner consistent with applicable federal and State regulations.

 

3. File cabinets, desk drawers, and doors to areas that contain protected and proprietary information are to be locked during non-working hours or when staff are not in the immediate area.

 

4.  Any protected or proprietary materials containing names or other identification shall be kept in locked, secure storage when not in use, and shall be maintained and/or disposed of in accord with applicable federal or State statute or regulations or Department policies, procedures, and protocols.  When sent to storage, these materials will be accompanied by an authorized state employee or agent, stored at state or other authorized facilities, and must be transmitted according to COMAR. 

 

When sent to disposal, such materials will be maintained in a secure manner, and shredded so that the information is neither readable or recoverable.  These materials will be destroyed under the supervision of state personnel, or under contract with non-state entities who assure that the methods used are appropriate for such destruction.

 

5.  Avoid the random display of protected or proprietary information where it can be easily observed. 

 

6.  When working with computerized confidential data, computer screens are to be kept in such a way as to prevent others from easily viewing the data.  The use of a screen saver that is password protected and activated at a minimal time interval is highly recommended, but must be in accord with applicable MDH security policies and procedures.

 

7.  Access to protected or proprietary information is granted by the custodian, data steward, or the designated responsible party.  This information is to be maintained as a secure user group on a secure portion of the LAN/WAN.  Automated access logs are to be maintained in accordance with applicable State and MDH policies.  Attempts to gain unauthorized access to protected or proprietary information are subject to disciplinary action in accord with MDH policy or other more restrictive federal or State laws.

 

8.  Conversations with clients should be conducted in private areas.

 

9.  Telephone conversations with clients should be conducted in a discreet manner using a level voice to protect confidentiality.

 

10.  Staff will not identify themselves in such a way as to jeopardize confidentiality of a client or other person when leaving messages or sending  correspondence.

 

11.  Staff should avoid the use of voice mail, electronic recording devices, E-mail, and fax machines as mechanisms to transmit and/or receive protected or proprietary information.  Protected information shall only be faxed with prior arrangement to (a) verify the correct fax number, and (b) assure the recipient or authorized agent is present during the transmission and receipt of the document.  Fax machines that are used to regularly receive or transmit protected information shall be located in a secured space or cabinet appropriate for such use.

 

12.  When authorized, documents or media containing protected or proprietary information shall be hand transported by a MDH employee, State courier, or other authorized courier service.  A tracking system shall be established to assure proper receipt of each transported item.

 

13.  Laptop and off-site computing equipment and associated media shall be transported, operated, and stored in accord with MDH protocols.  Special measures must be taken to assure protected information does not remain on processing units when shared with other staff, or when such information is placed on processing equipment not under the direct control or ownership of the Department.

 

14.  Avoid general discussion(s) of protected or proprietary information except as required to perform the job.

 

15.  Staff will first ensure that protected and proprietary information are not viewable or obtainable before admitting any outside person (e.g., guest, client, housekeeper) to an office or cubicle.

 

16.  Staff will maintain the confidentiality of vendor information in a manner consistent with COMAR regulations and other public regulations and laws.

 

17.  Staff will clarify any situation not covered by this policy with their supervisor prior to acting in a way that may in any way compromise protected or proprietary information.  When in doubt, ASK!

 

18.  When the safety or security of protected or proprietary information has been, or is suspected to have been, compromised, mishandled, lost and/or stolen, staff shall immediately inform designated personnel in accord with applicable MDH policies, procedures, and protocols.

 

19.  Examples of job functions in which Personnel may inadvertently learn of or be exposed to protected or proprietary information which is governed by the provisions of this policy or other more     restrictive federal or State laws include, but are not limited to: project site monitoring; patient chart review; program rosters or audits; prevention workshops, support groups, or use of training strategies which facilitate self-disclosure; telephone and facsimile communications with outside agencies or the general public; opening/delivery of mail; taking/relaying phone or other messages; document filing, scanning or data entry; handling or processing of laboratory results or medical claims data; writing or reviewing reports; and maintaining electronic information systems.

 

Custodians To Be Appointed - No further information is provided in this version.

 

Information Classification - See Section Attachment G, Definitions, Section 2.

 

Protection Levels Required Based on Risk Assessment - See Section Attachment G, Definitions, Roles and Responsibilities - Section 2pg 36

 

Access Based on 'Need to Know'  No further information is provided in this version.

 

 

III.  PROCEDURAL GUIDANCE LINKED TO POLICY STATEMENTS

 

This guidance is listed categorically by section and closely mirrors the structure of the policy 02.01.06.

 

Personal Access and Use

Personal access and use of MDH information resources shall be limited to levels appropriate for job requirements, reasonably protected, and used only within legitimate job specifications.

PROCEDURAL GUIDANCE

 

i.  Personnel shall use State-owned data and information only as authorized for specifically approved purposes limited to the conduct of State business. 

 

ii.  Personnel shall endeavor to ensure reasonable precautions are taken so that no state data or information will be fraudulently revised, altered, or destroyed.

 

iii.  Personnel shall not access, or attempt to access protected or proprietary information that they are not authorized to handle in the conduct of State business.

 

iv.  Personnel shall use protected or proprietary information only as needed to conduct legitimate State business.

 

v.  Personnel are not relieved, upon separation from State service, of the responsibilities and duties     as provided herein and under law as per SG ' 15-101 through ' 15-1001.

 

Separation of Duties - See Section Attachment G, Definitions, Roles and Responsibilities - Section 2pg 36

 

Employee and Contractor Awareness and Ethics Training - No further information is provided in this version.

 

Personnel  Must Know Their Obligations to Information Protection -  See below: ' Other Responsibilities of All Personnel'

 

IRMA Maintains this document - Version 1, September 2000

 

Personnel Must Know Obligations to Protect Information

 

Roles And Responsibilities - See Section H below Roles and Responsibilities - Section 2pg 36

 

 See also below: 'Personnel Requirements and Security Procedures for Information Assurance.'

 

Other Responsibilities of All Personnel 

The maintenance of the confidentiality of certain records is required by laws and policies, and it is the responsibility of personnel to know, or to determine, the specific protective requirements, to understand their obligations to protect these records, and to report any suspected or realized violations.

 

PROCEDURAL GUIDANCE

i.  Personnel understand that the confidentiality of patient records is required by law, and that there are statutes or policy reasons specifically mandating the confidentiality of, among other areas, mental health, HIV, and drug and alcohol-related treatment records.  Nothing in this policy overrides other, more restrictive policies or laws, governing the authorized release of confidential information.  Nor should this policy be construed as prohibiting or limiting authorized responses to inquiries governed by the Public Information Act.

 

ii.  Personnel have the responsibility to become familiar with and adhere to the laws, regulations, policies, and procedures that apply to their specific Administration, Division, Office, Program, and the protected information maintained thereby.  Any Personnel who are unsure of his/her obligations under this policy shall be responsible to consult with his/her supervisor.  If uncertain how to proceed in a particular situation, Personnel have the responsibility to seek instruction from his/her supervisor to avoid potential liability.

 

iii. Personnel have the responsibility to report any known or suspected violations of this policy.

 

Proprietary Interest Concerns of Non-protected and Protected Information

Specific Personnel shall take appropriate steps to assure the Department's proprietary interest in information are protected through legal and administrative means, and shall describe and document the qualities and limitations of MDH information in their custody.

 

POLICY PROCEDURAL GUIDANCE

 

i. MDH Copyright - For all non-protected and protected data formats and file configurations in which the Department has a proprietary interest, the custodian, data steward, and designated responsible party may seek copyright protection and shall assure that this proprietary information bear a legally sufficient notice or designation of copyright.  This shall be coordinated with the Director of the Information Resources Management Administration and the designated member of the Attorney General's Office. (Refer to additional guidance on Copyright Basics in Attachment D).

 

ii. Licensing Agreements - The custodian, data steward, and designated responsible party shall prepare a licensing agreement for all proprietary information.  Each licensing agreement shall provide the following sections:

(a)  Creation of the Data Files

(b)  Grant of License

(c)  Security Requirements

(d)  Restrictions on Use

(e)  Restrictions on Derived Products

(f)  Limited Warranty and Licensee Remedies

(g)  Licensee Breach or Threatened Breach of Agreement

(h)  Fees

(i)  Authority and Acknowledgment

(j)  Laws of the State of Maryland

 

iii. General Information Packet and Disclaimer of Warranties- The custodian, data steward, and designated responsible party shall prepare a general information packet including a disclaimer of warranties for all proprietary information.  Each packet shall provide a general overview and the procedures for obtaining or purchasing the data file.  For example, the packet shall provide a general overview of the data fields, collection procedures, response rates, editing strategies, data file formats, security requirements, data discontinuities, and known shortcomings of questions, responses, coding, etc.

 

iv. Overview Documentation - The custodian, data steward, and designated responsible party shall maintain a Data System Outline that provides: (a) identification of a data set in each version, (b) classification of a data set (e.g., non-protected, protected, or proprietary), and (c) identification of individuals with key roles and responsibilities. This information shall be provided to Information Resources Management Administration for posting and viewing by authorized MDH personnel on the Intranet.  (Refer to Attachment E).

 

v.   User Documentation

(a) The custodian, data steward, and designated responsible party shall prepare user documentation including a disclaimer of warranties for all non-protected, protected, and proprietary computer data files.

 

(b)  The custodian, data steward, and designated responsible party shall provide to Information Resources Management Administration the necessary documentation to enable the establishment of appropriate security and confidentiality protocols, data standards, and knowledge management activities.  These activities shall be in accord with federal and State infrastructure goals of promoting efficiency in government and the Paperwork Reduction Act.

 

Authorized Collection, Maintenance, Protection, and Transfer of Information

Collection of information must be necessary, diligent, in accord with applicable laws and regulations to protect MDH interests and consumer rights, and may not be transmitted electronically unless permitted by previously approved written procedures.

 

PROCEDURAL GUIDANCE

 

i. Personnel shall collect information only as necessary for the authorized conduct of State business and in accord with existing laws, regulations, and policies.

 

ii. Personnel shall ensure that all individuals are informed of the legal authorization or specific purpose, intended use, and right to refuse to provide without penalty, any information the collection of which is not mandated by law.

 

iii. MDH websites may not collect personal information without notice about how the information is being used.  Links to the current version of the MDH standard Website Terms of Use/Privacy Statement shall be provided from all Department or Department-related pages.  Personal information collected from websites shall be collected and protected from disclosure in accordance with SG '' 10-624 and 10-626 or other more restrictive federal or State law, regulation, or policy, or applicable MDH policy.

 

iv. Personnel   may  not  misuse,  or  carelessly  handle information or fail to safeguard protected information pursuant to this policy and other federal or State laws, regulations, or policies or applicable MDH policy.

 

v. Personnel shall comply with all administrative, technical, and procedural policies, physical safeguards, and security standards established to protect the MDH information and to prevent unauthorized access.  (Refer to the Examples of Standard Security Procedures for Protected or Proprietary Information in Attachment A).

 

vi. Except in the authorized conduct of State business and as provided by laws, regulations, policies or applicable MDH policy and procedures designed to minimize unauthorized access to protected or proprietary information, Personnel shall not release, share, disclose, copy, alter, or destroy any information.

 

vii. State personnel may not electronically transfer protected or proprietary information to any unauthorized person, including unauthorized Personnel.  (Refer to the MDH 02.01.01 - Policy on the Use of MDH Electronic Information Systems) Because of the increased possibility of breaches of confidentiality, electronic transfer requires written procedures in accordance with MDH policy and the Information Resources Management Administration (IRMA) approval as necessary.

 

Passwords

The use and protection of passwords is required, and must follow MDH and other applicable guidelines or requirements.

 

PROCEDURAL GUIDANCE

 

i. Personnel shall be responsible for safeguarding and not disclosing passwords or any other data or information access authorization in compliance with the applicable version of the MDH 02.01.01 - Policy on the Use of MDH Electronic Information Systems.  Actions that may result in violations or breaches of confidentiality may result in disciplinary, civil, and criminal consequences for the responsible Personnel.

 

ii. Personnel understand that passwords are the property of MDH and may, along with access privileges, be revoked at any time.  User IDs/Passwords shall be inactivated upon notification of separation of service, loss of MDH access privileges, or when job duties no longer require access to that data system(s).  Any subsequent attempt to access a data system shall be deemed unauthorized.

 

Encryption

The use of approved encryption schemes are required when transferring certain information, as detailed in MDH 02.01.01 and other applicable guidelines or requirements.

 

PROCEDURAL GUIDANCE

 

i. Personnel shall be responsible for using and safeguarding MDH authorized encryption schemes when handling or transferring protected or proprietary  information as detailed in MDH 02.01.01 - Policy on the Use of MDH Electronic Information Systems.

 

ii. Encryption of information is required under certain circumstances when using portable or off-premise data processing equipment, whether or not the equipment used is state property. (MDH Laptop Protocol, IRMA Document)

 

Authorized Release of Non-protected Information and Associated Communications with the Public

Specific Personnel shall classify information in their custody, authorize certain personnel and procedures to prevent unintended disclosure, and facilitate and clarify the decision-making processes related to release or sharing.

 

POLICY PROCEDURAL GUIDANCE

 

i.    The custodian, data steward, and designated responsible party shall establish written policies that clearly identify non-protected information, the procedures by which a member of the public can access or acquire this information, and the formats and charges for this information. 

 

ii.  Absent Department policy or guidelines, the custodian, data steward, and designated responsible party shall establish written procedures for communications with the public and the media.  These procedures shall identify the individuals authorized to release non-protected information.

 

iii. The release of public information must follow applicable laws, regulations, or other requirements including MDH copyrighted material or matters. Information in any form or format in which the Department has a proprietary interest established through a copyright may not be released as non-protected.

 

iv. Authorized Personnel may release non-protected (public) data or information, however, the release shall follow all laws, regulations, and applicable written release and communication policies and procedures.  (Refer to MDH Media Protocol 6/99, Attachment C and as updated periodically).

 

v.  The custodian, data steward, and designated responsible party shall ensure the de-identification of data by redaction (removing all explicit individual identifiers) and, as appropriate, by preparing data so that it is not easily associated with an identifiable individual (e.g., aggregating data to satisfy bin/cell size requirements, changing singletons to median values, inserting complementary records, generalizing codes, swapping entries, scrambling records, suppressing and encrypting fields, and other appropriate and recognized confidentiality procedures).

 

Unauthorized Sharing of Protected and Proprietary Information

MDH protected or proprietary information resources may be shared with others if necessary and appropriate, in accordance with an explicit written understanding, but may not be physically or electronically removed or shared without appropriate authorization.

 

PROCEDURAL GUIDANCE

 

i. Personnel shall not share with other MDH Personnel, State agencies, or outside parties, protected or proprietary information in any form or format unless the information is necessary for the legal conduct of lawful State business, the individual is authorized to receive the information, and the sharing is made pursuant to a formal Memorandum of Understanding (Work for Hire or Chain of Trust Agreement) or Contract that is in accord with applicable federal and State laws, regulations, and policies, and MDH policy.

 

ii. Personnel may not remove protected or proprietary information (in electronic, paper, or other format) from MDH premises unless authorized to do so by the assigned custodian or designated responsible party for official business purposes.  Special custody provisions shall be observed at all times which include, but are not limited to, those identified in Attachment A, the MDH Laptop Protocol, or other applicable MDH policies, protocols, and procedures.

           

Unauthorized Disclosure of Protected and Proprietary Information

MDH protected or proprietary information may be disclosed to others if necessary and appropriate, only if authorized by the official custodian of record or designee.

 

PROCEDURAL GUIDANCE

 

i. Only a custodian or a designated responsible party is officially authorized to disclose or direct the disclosure of protected or proprietary information.

 

ii. Ownership of Protected and Proprietary Information

 

MDH  02.01.01 - Policy on the Use of MDH Electronic Information Systems states that the Department has a proprietary interest in maintaining the integrity of its State-owned systems, software, and related data and information.  Furthermore, any and all information, as well as the media, database structure, and architecture, transmitted by, received from, or stored therein is the property of the Department.

 

Authorized Sharing of Protected or Proprietary Information

Specific Personnel shall establish and follow written procedures that hold all subsequently approved users to the same Department and/or other requirements and responsibilities for the sharing and life-cycle management of certain information  with internal and external entities, including strict adherence to rules that require submission to an Institutional Review Board.

 

POLICY PROCEDURAL GUIDANCE

 

i.  In accord with this policy, the custodian, data steward, and designated responsible party shall establish written procedures and shall execute a Memorandum of Understanding for the legal sharing of protected or proprietary information with another authorized unit, subdivision, agency, Department, etc. of the State. 

 

ii.  The Memorandum of Understanding shall identify the individuals authorized to transfer and receive the protected or proprietary information, the applicable security and confidentiality requirements, the procedures for the return or destruction of MDH protected or proprietary information, and data remanence eradication.

 

iii.  When protected data are requested for the purpose of conducting additional research involving human subjects (refer to MDH Policy 11100), the approval of the appropriate authorized Institutional Review Board shall be obtained by the custodian, data steward, and designated responsible party prior to the development of a Memorandum of Understanding and the conveyance of any confidential research data.

 

 

Authorized Disclosure of Protected and Proprietary Information

Specific Personnel, as defined in this policy, are permitted to disclose protected or proprietary information  only if the requirements of this policy, or other more stringent requirements, are met before such disclosure.

 

POLICY PROCEDURAL GUIDANCE

 

i. Only a custodian, a data steward, or a designated responsible party is officially authorized to disclose or direct the disclosure of protected or proprietary information.  The disclosure must be necessary for the conduct of authorized State business or with the express written consent of the person in interest (client, patient, Personnel, etc.).

 

ii.  A custodian, data steward, or designated responsible party shall, before disclosure, verify that the individual obtaining the information is authorized to receive protected or proprietary information pursuant to a properly executed Memorandum of Understanding or contract that is in accord with applicable federal, and State laws, regulations, and policy, and MDH policy.

 

iii.    A custodian, a data steward, or a designated responsible party shall be responsible for ensuring that disclosure of protected or proprietary information that is delegated to staff is performed in compliance with MDH policy or other more restrictive federal or State laws, regulations, or policies.

 

iv.  MDH Contracts & Memoranda of Understanding - In order to protect MDH, maintain ownership and rights in data, and establish liability for security and inappropriate or unlawful disclosure, the custodian, data steward, and designated responsible party shall ensure the language provided in Attachment B is  incorporated into all MDH contracts and Memoranda of Understanding.  All disputes shall be handled by a specified member of the Attorney General's staff     and any waivers shall require written approval from the Secretary or Secretary's designee.

 

v. The Institutional Review Board (IRB) -

 

(a)  The custodian, data steward, and designated responsible party shall ensure that data requests for confidential research data have been referred to the appropriate authorized IRB for review prior to disclosure of any information.  An authorized MDH Institutional Review Board shall review and approve all proposed research projects (including those submitted by another unit of State government), which entail MDH funding, confidential research data, or involvement in human subject research in accord with  applicable federal and State laws, regulations, and policies and MDH policies.  Projects involving data collection in which there is identifiable linkage to the subject or involving physical, social, psychological, or privacy risks to the subject require IRB review.  The IRB is charged with the responsibility of determining if a project qualifies as being exempt from its review requirements.

 

(b) The Custodian of Record or designee may disclose protected information to a researcher for a stated research purpose provided that prior approval of the appropriate authorized MDH Institutional Review Board has been obtained and the researcher agrees to comply with all applicable protections for security, confidentiality, and privacy specified by this policy or other more restrictive federal or State laws, regulations, policies and other Department policies, protocols, and procedures.

 

(c) The custodian may deny inspection of a public record that contains the specific details of a research project that an institution of the State or political subdivision is conducting, except for name, title, expenditures, and date when the final project summary will be available, in accord with SG '10-618(d).

 

Procurement & Contract Monitoring

Specific Personnel involved in the preparation and monitoring of MDH contracts and memoranda of understanding (MOU) shall ensure that vendors, agents, or other entities who provide work-for-hire or for in-kind service, understand and comply with all applicable requirements for the protection of MDH information when shared, maintained, changed or developed.

 

PROCEDURAL GUIDANCE

 

i.  Personnel involved in contract and MOU preparation shall ensure that all applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures for electronic information system security and confidentiality requirements are sufficiently detailed in each solicitation issued and contract awarded.

 

ii. Personnel involved in contract and MOU preparation shall include a statement in the RFP/RPB requiring offerors to present for approval a detailed outline of their present or proposed electronic information systems security and confidentiality procedures in their proposals.

 

iii. Personnel involved in contract and MOU preparation shall include a statement in the RFP/RFB that offerors are required to comply with the Statement of Work (SOW) and with all MDH electronic information systems security and confidentiality requirements.

 

iv.  Personnel involved in contract and MOU preparation shall furnish to offerors who respond to the     RFP/RFB, copies of the applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures, including this policy.

 

v.  MDH contract monitors shall forward copies of any submitted forms required in the RFP/RFB that were obtained by the successful bidder to verify personnel security clearances (e.g., staff working on the project) to the MDH Information Assurance Coordinator.

 

vi.  MDH contract monitors shall ensure the contractor's compliance with the security and confidentiality requirements, and shall ensure that the technical evaluation reports either detail any electronic information system security deficiencies or confirm that the proposals are in compliance with the requirements.

 

vii.  MDH contract monitors shall ensure compliance with the MDH (Service Contracts) Procurement Manual and other applicable State, Department, and federal policies and procedures.

 

Enforcement and Compliance Responsibility for Personal Access and Use

Persons designated or acting in the capacity of a custodian, data steward, designated responsible party, database administrator, and network (system) administrator(s) (hereafter referred to in this policy as Specific Personnel) shall be responsible to take any and all reasonable and appropriate and legal steps ensure the compliance of Personnel with the terms of this policy.

 

            Disciplinary, Civil, and Criminal Consequences

Violation of this policy may result in disciplinary action up to and including separation from State service, and may include civil or criminal penalties.  These remedies include but are not limited to those specified in SG ' 10-626 through ' 10-628, HG ' 4-309, and Crimes and Punishments Article 27'45A.

 

Personnel Requirements and Security Procedures for Information Assurance

Specific Personnel are directed to take measures as required or directed to assure appropriate Personnel, Department, and other required practices are followed, and to report any known or suspected violations throughout the lifecycle of MDH information in their custody.

 

POLICY PROCEDURAL GUIDANCE

 

i. The custodian, data steward, designated responsible party, database administrator, and network (system) administrator(s) shall be responsible to ensure compliance with the terms of this policy. This includes but is not limited to monitoring Personnel practices and reporting known or suspected breaches of confidentiality as required by MDH policy and written data system procedures.

 

ii. The custodian, data steward, designated responsible party, database administrator, and network (system) administrator(s) shall ensure compliance with approved practices for the electronic transfer of information in accordance with MDH policy or with approval of the Director of the Information Resources Management Administration or designee.

 

iii. The custodian, data steward, designated responsible party, database administrator, and network (system) administrator(s) shall be responsible for conducting monthly access reviews.   These reviews are to ensure that only authorized Personnel with a continued need to access protected information for the lawful conduct of State business may have access to all or part of any MDH data system.  Each access review shall include, but not be limited to,  an examination of:

(a) Personnel separated from State service

      (b) Compliance with encryption, monthly password changes and other security measures

(c) Investigations of reported breaches of security and confidentiality, and

(d) Compliance with retrieval or destruction of protected information in accord with contracts or Memoranda of Understanding.

 

iv. The custodian, data steward, and designated responsible party shall be responsible, together and separately, for ensuring that all Public Information Act (PIA) requests are reviewed, researched, and receive a written response.

 

v. In accord with SG ' 10-631 through ' 634 and MDH Policy 02.03.07 - Policy on the Management of Records,  the custodian, data steward, and designated responsible party shall ensure that all record and non-record material, in any format both electronic and/or paper, containing protected or proprietary information that is remanded for retention or disposal is maintained with requisite security.

 

vi. In accord with SG 10-624(b), the custodian, data steward, and designated responsible party shall prepare and submit an annual report to the Secretary of General Services on any data set that keeps personal records.

 

vii. The custodian, data steward, and designated responsible party shall ensure compliance with all applicable federal or State laws, regulations, or policies and the MDH policy, protocols, and procedures for data remanence eradication.

 

IV.  REFERENCES

 

•Governor's Executive Order 01.01.1983.18 - State Data Security Committee, State Agency Information Security Practices

 

•Article 27, Sections 45A and 146 of the Annotated Code of Maryland Subject: Prevention of Software Copyright Infringement Maryland Department of Budget and Fiscal Planning Manual, #95-1, effective date: June 1, 1995

 

•MDH Policy 02.01.02 (formerly Policy MDH 9170) -Policy On The Use Of And Copying Of Computer Software And The Prevention Of Computer Software Copyright Infringement, effective May 12, 1998.

 

 •MDH Policy 02.01.01, Policy On The Use Of MDH Electronic Information Systems, effective June 5, 1998

 

 • Other References are included in context of this document.

 

 

*************

 

 

Approved:____________________________________________        __________________

Georges C. Benjamin, M.D.                            Date

Secretary

 

ATTACHMENTS

 

ATTACHMENT A

 

Language to be Incorporated in all MDH Contracts

 

1.         Rights in Data

 

A.  Work produced as a result of this contract with MDH is and shall remain the sole property of MDH.  As sole owner, MDH shall have a royalty-free, nonexclusive, and irrevocable license to use, duplicate, disclosure in any manner and for any purpose whatsoever, publish, translate, reproduce, deliver, perform, dispose of, and to authorize others to do so, and have others so do, all data delivered under this contract except where such use may contravene federal or state law.

 

B.  All documents, equipment, and materials, including but not limited to, reports, drawings, studies, specifications, estimates, texts, computer software including software documentation and related materials, maps, photographs, designs, graphics, mechanicals, artwork, computations and data prepared by or for, or purchased by or for, the vendor because of the contract shall, at any time during the term of the contract, be available to MDH and shall become and remain the exclusive property of MDH during and upon termination or completion of the services required to be performed under the contract.  MDH shall have the right to use same without restriction and without compensation other than that provided in the contract.

 

C.  The vendor agrees that, at all times during the term of the contract and thereafter, the works created and services performed shall be 'works made for hire' as that term is interpreted under U.S. copyright law.  To the extent that any products created under this contract are not works for hire for MDH, the vendor hereby transfers and assigns to MDH all of its rights, title, and interest (including all intellectual property rights) to all such products created under the contract, and will cooperate reasonably with MDH in effectuating and registering any necessary assignments.

 

D. The vendor shall exert all reasonable effort to advise MDH, at the time of delivery of data furnished under this contract, of all invasions of the right of privacy contained therein and of all portions of such data copied from work not composed or produced in the performance of this contract and not licensed under this clause.

 

E.  The vendor shall report to MDH, promptly and in written detail, each notice or claim of copyright infringement received by the vendor with respect to all data delivered under the contract.

 

F.  The vendor shall not affix any restrictive markings upon any data and if such markings are affixed, MDH shall have the right at any time to modify, remove, obliterate, or ignore such markings.

 

G.  Equipment, including but not necessarily limited to computers and computer software (including software documentation and related materials), which is lent or otherwise provided to the vendor by MDH or which is purchased by or for the vendor with MDH funding expressly for purposes of accomplishing the goals set forth in this contract shall be available to MDH without restriction during the term of the contract and ownership of same shall remain with MDH during contract execution and upon termination.

 

H.  After written request and upon receipt of express written approval of MDH (including, but not limited to, approval by the appropriate authorized MDH Institutional Review Board), the vendor may publish all or part of the findings derived from work directly resulting from this contract, provided:  1) the State of Maryland, Maryland Department of Health is given credit for having funded the project; and 2) co-authorship shall be afforded the Secretary and other staff providing direct and substantive assistance, if so requested by MDH.  Failure to obtain written approval may result in Institutional Review Board sanctions, MDH procurement sanctions, and civil or criminal penalties.

 

II            Patents, Copyrights, Trade Secrets, and Associated Indemnification

 

A.  If the vendor furnished any design, device, material, process or other item which is covered by a patent or copyright or which is proprietary to or a trade secret of another, it is solely the responsibility of the vendor to obtain the necessary permission or license to use such item or items.

 

B.  The vendor will defend or settle, at its own expense, any claim or suit against the State alleging that any such item furnished by the vendor infringes any patent, trademark, copyright, or trade secret.  The vendor also will pay all damages and costs that by final judgement might be assessed against the State due to such infringement and all attorney fees and litigation expenses reasonably incurred by the State to defend against such a claim or suit.  The obligations of this paragraph are in addition to those stated in the paragraph below.

 

C.  If any products furnished by the vendor become, or in the vendor's opinion are likely to become, the subject of a claim of infringement, the vendor will, at its option: a) procure for the State the right to continue using the applicable item, b) replace the product with a non-infringing product substantially complying with the item's specifications, or c) modifying the item so that it becomes non-infringing and performs in a substantially similar manner to the original item.

 

D.  If the vendor obtains or uses for purposes of this contract (or any subcontracts) any design, device, material, process, supplies, equipment, text, instructional material, services or other work, the vendor shall indemnify the State, MDH, their officials, agents, and Personnel with respect to any claim, action, cost, or judgement for patent, trademark, or copyright infringement, arising out of the possession or use of any design, device, material, process, supplies, equipment, text, instructional material, services or other work covered by any contract awarded as a result of this contract.

 

III            Document Retention and Inspection Clause

 

Unless specified by a documents retention and inspection clause in the contract and approved by the MDH Information Assurance Coordinator, the vendor shall eradicate any and all data remnants from their electronic information systems in compliance with the stricter of MDH policy or federal or state laws, regulations, and policies.

 

IV            Transfer of Non-protected, Protected, or Proprietary Information

 

A.  The transfer of data increases the possibility of breaches of confidentiality and, therefore,     requires written procedures in accordance with MDH policy and Information Resources Management Administration approval as necessary.

 

B.  The vendor may not transfer protected or proprietary information electronically to any unauthorized person, including unauthorized Personnel.

 

C.  The vendor shall follow Department approved procedures for using and safeguarding MDH authorized encryption schemes when storing or transferring protected or proprietary  information.

 

V            Security

A.  The vendor shall present a detailed outline of its present or proposed electronic information systems security and confidentiality procedures for securing MDH non-protected, protected, or proprietary information from unauthorized access, loss, or theft.

 

B.  The vendor may request a copy of the applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures from the contract monitor.

 

C.  The vendor shall submit to the contract monitor any required forms to verify or obtain personnel security clearances.

 

D.  The vendor shall comply with the Statement of Work (SOW) and with all MDH electronic information systems security and confidentiality requirements.

 

VI            Liability for Loss of Data or Breach of Confidentiality

In the event of loss of data or records necessary for the performance of this contract, where such loss is due to the error or negligence of the vendor, the vendor shall be responsible, irrespective of cost to the vendor, for recreating such lost data or records in a manner, format, and time-frame acceptable to MDH.

 

Failure to secure MDH non-protected, protected, or proprietary information in any form or format from unauthorized access, loss, or theft is a serious offense.  Breach of non-protected, protected, or proprietary information by the vendor or any sub-vendor shall entitle MDH to immediately terminate the contract upon written notice to the vendor of such breach and to such other remedies that may result in civil or criminal penalties.  Liability for breach of confidentiality or privacy resulting from negligence, gross negligence, or failure to comply with required security protocols by the vendor or sub-vendor shall be incurred by the vendor.  Under security provisions, MDH may retain information on any such breach of non-protected, protected, or proprietary information by the vendor and may use this knowledge when assessing the vendor's ability to meet the requirements established in future contracts.

ATTACHMENT B

 

VENDOR ACKNOWLEDGMENT AND CONFIDENTIALITY STATEMENTS

 

The vendor, by signature of an authorized agent below, acknowledges receipt and review of the Maryland Department of Health policy governing Rights in Data; Patents, Copyrights, Trade Secrets, and Associated Indemnification; Document Retention and Inspection Clause; Transfer of Non-protected, Protected, or Proprietary Information; Security; and Liability for Loss of Data or Breach of Confidentiality, and consents to comply with this policy and to abide by the consequences should a breach of this policy occur.  More specifically, the vendor agrees as follows:

 

All non-protected, protected or proprietary information obtained, gathered, produced, or derived from or in connection with the contract shall remain confidential and shall be released by the vendor only with advance, specific, written permission of MDH.  Failure of the vendor or any sub-vendor to obtain written approval shall entitle MDH to immediately terminate the contract upon written notice to the vendor of such breach and to such other remedies that may result in Institutional Review Board sanctions, MDH procurement sanctions, and civil or criminal penalties.

 

All non-protected, protected, or proprietary information obtained may be used only to assist the vendor in the performance of its duties and responsibilities under the contract.  The vendor will not, at any time, use the data or information in any fashion, form, or manner except in furtherance of the duties of the vendor in its capacity as an independent vendor to MDH under the contract.

 

The vendor agrees to maintain the confidentiality of all non-protected, protected, or proprietary information in the same manner that the confidentiality of the vendor's proprietary products of like kind is protected and in accord with MDH policy.

 

MDH protected, or proprietary information may not be copied or reproduced without MDH advance written consent.

 

All non-protected, protected, or proprietary information made available to the vendor in any form or format, including copies thereof, shall be returned to MDH upon the first to occur of (1) completion of the project or (2) request of MDH.

 

The foregoing shall not prohibit or limit the vendor's use of the non-protected, protected, or proprietary information (including, but not limited to, data, ideas, concepts, know-how, techniques, and methodologies) (1) previously known to it, (2) independently developed by it, (3) acquired by it from a third party, or (4) which is or becomes part of the public domain through no breach of this contract by the vendor.

 

The Vendor Acknowledgment and Confidentiality Statement shall become effective as of the date that non-protected, protected, or proprietary information is first made available to the vendor and shall survive the contract and be a continuing requirement.  This statement is incorporated into and made a part of the contract for all purposes.

 

Vendor & Address_________________________________________  Vendor Phone:_____________

Signature of Vendor:  ______________________________________   Date:________________

 

ATTACHMENT C

 

Language to be Incorporated in all MDH Memoranda of Understanding

 

I           Rights in Data

 

A.  Work produced as a result of this agreement with MDH is and shall remain the sole property of MDH.  As sole owner, MDH shall have a royalty-free, nonexclusive, and irrevocable license to use, duplicate, disclosure in any manner and for any purpose whatsoever, publish, translate, reproduce, deliver, perform, dispose of, and to authorize others to do so, and have others so do, all data delivered under this contract except where such use may contravene federal or state law.

B.  All documents, equipment, and materials, including but not limited to, reports, drawings, studies, specifications, estimates, texts, computer software including software documentation and related materials, maps, photographs, designs, graphics, mechanicals, artwork, computations and data prepared by or for, or purchased by or for, the vendor because of the agreement shall, at any time during the term of the agreement, be available to MDH and shall become and remain the exclusive property of MDH during and upon termination or completion of the services required to be performed under the agreement.  MDH shall have the right to use same without restriction and without compensation other than that provided in the agreement.

 

C.  The vendor agrees that, at all times during the term of the agreement and thereafter, the works created and services performed shall be 'works made for hire' as that term is interpreted under U.S. copyright law.  To the extent that any products created under this agreement are not works for hire for MDH, the vendor hereby transfers and assigns to MDH all of its rights, title, and interest (including all intellectual property rights) to all such products created under the agreement, and will cooperate reasonably with MDH in effectuating and registering any necessary assignments.

 

D.  The vendor shall exert all reasonable effort to advise MDH, at the time of delivery of data furnished under this agreement, of all invasions of the right of privacy contained therein     and of all portions of such data copied from work not composed or produced in the performance of this agreement and not licensed under this clause.

 

E. The vendor shall report to MDH, promptly and in written detail, each notice or claim of copyright infringement received by the vendor with respect to all data delivered under the agreement.

 

F.  The vendor shall not affix any restrictive markings upon any data and if such markings are affixed, MDH shall have the right at any time to modify, remove, obliterate, or ignore such markings.

 

G.  Equipment, including but not necessarily limited to computers and computer software (including software documentation and related materials), which is lent or otherwise provided to the vendor by MDH or which is purchased by or for the vendor with MDH funding expressly for purposes of accomplishing the goals set forth in this agreement shall be available to MDH without restriction during the term of the agreement and ownership of same shall remain with MDH during agreement execution and upon termination.

 

H.  After written request and upon receipt of express written approval of MDH (including, but not limited to, approval by the appropriate authorized MDH Institutional Review Board), the vendor may publish all or part of the findings derived from work directly resulting from this agreement, provided:  1) the State of Maryland, Maryland Department of Health is given credit for having funded the project; and 2) co-authorship shall be afforded the Secretary and other staff providing direct and substantive assistance, if so requested by MDH.  Failure to obtain written approval may result in Institutional Review Board sanctions or MDH procurement sanctions against the vendor, and may include disciplinary action, up to and including separation from State service, and civil or criminal penalties against an individual(s).

 

II         Patents, Copyrights, Trade Secrets, and Associated Indemnification

 

A.  If the vendor furnished any design, device, material, process or other item which is covered by a patent or copyright or which is proprietary to or a trade secret of another, it is solely the responsibility of the vendor to obtain the necessary permission or license to use such item or items.

 

B.  The vendor will defend or settle, at its own agency's expense, any claim or suit against the State alleging that any such item furnished by the vendor infringes any patent, trademark, copyright, or trade secret.  The vendor also will pay from its own agency's budget all damages and costs that by final judgement might be assessed against the State due to such infringement and all attorney fees and litigation expenses reasonably incurred by the State to defend against such a claim or suit.  The obligations of this paragraph are in addition to those stated in the paragraph below.

 

C.  If any products furnished by the vendor become, or in the vendor's opinion are likely to become, the subject of a claim of infringement, the vendor will, at its option: a) provide funding from its own agency's budget to procure for the State the right to continue using the applicable item, b) replace the product with a non-infringing product substantially complying with the item's specifications, or c) modifying the item so that it becomes non-infringing and performs in a substantially similar manner to the original item.

 

D.  If the vendor obtains or uses for purposes of this agreement (or any sub-agreements or subcontracts) any design, device, material, process, supplies, equipment, text, instructional material, services or other work, the vendor shall indemnify MDH, their officials, agents, and Personnel with respect to any claim, action, cost, or judgement for patent, trademark, or copyright infringement, arising out of the possession or use of any design, device, material, process, supplies, equipment, text, instructional material, services or other work covered by any agreement awarded as a result of this agreement.

 

III            Document Retention and Inspection Clause

 

Unless specified by a documents retention and inspection clause in the agreement and approved by the MDH Information Assurance Coordinator, the vendor shall eradicate any and all data remnants from their electronic information systems in compliance with the stricter of MDH policy or federal or state laws, regulations, and policies.

 

IV            Transfer of Non-protected, Protected, or Proprietary Information

 

A.  The transfer of data increases the possibility of breaches of confidentiality and, therefore,     requires written procedures in accordance with MDH policy and Information Resources Management Administration approval as necessary.

 

B.  The vendor may not transfer protected or proprietary information electronically to any unauthorized person, including unauthorized Personnel.

 

C.  The vendor shall follow Department approved procedures for using and safeguarding MDH authorized encryption schemes when storing or transferring protected or proprietary  information.

 

V            Security

 

A.  The vendor shall present a detailed outline of its present or proposed electronic information systems security and confidentiality procedures for securing MDH non-protected, protected, or proprietary information from unauthorized access, loss, or theft.

 

B.  The vendor may request a copy of the applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures from the agreement monitor.

 

C.  The vendor shall submit to the agreement monitor any required forms to verify or obtain personnel security clearances.

 

D.  The vendor shall comply with the Statement of Work (SOW) and with all MDH electronic information systems security and confidentiality requirements.

 

VI            Liability for Loss of Data or Breach of Confidentiality

 

A.  In the event of loss of data or records necessary for the performance of this agreement, where such loss is due to the error or negligence of the vendor, the vendor shall be responsible, irrespective of cost to the agency budget of the vendor, for recreating such lost data or records in a manner, format, and time-frame acceptable to MDH.

 

B.  Failure to secure MDH non-protected, protected, or proprietary information in any form or format from unauthorized access, loss, or theft is a serious offense.  Breach of non-protected, protected, or proprietary information by the vendor or any sub-vendor shall entitle MDH to immediately terminate the agreement upon written notice to the vendor of such breach and to such other remedies that may result in Institutional Review Board sanctions or MDH procurement sanctions against the vendor, and may include disciplinary action, up to and including separation from State service, and civil or criminal penalties against an individual(s).    Liability for breach of confidentiality or privacy resulting from negligence, gross negligence, or failure to comply with required security protocols by the vendor or sub-vendor shall be incurred by the vendor's agency.  Under security provisions, MDH may retain information on any such breach of non-protected, protected, or proprietary information by the vendor and may use this knowledge when assessing the vendor's ability to meet the requirements established in future agreements.

ATTACHMENT D

 

Media Protocol

 

It is the protocol of the Maryland Department of Health that all media inquiries be cleared through the MDH Office of Public Relations prior to conducting interviews with reporters.  This protocol is not to be interpreted as a means of censorship, but rather as a means to coordinate communication.

 

*NOTE: this protocol does not apply to media inquiries regarding employees'personal views on any particular subject -- only to those soliciting information for an official response on behalf of the Department.

 

The Department has an obligation to provide consistent and factual information to the media.  In order for this to occur, the Office of Public Relations must be informed proactively about issues or incidents which may attract media attention.  This notification may be done by telephone (410-767-6490) or e-mail to Karen Black, Director, Office of Public Relations Karen.black@maryland.gov.  This is necessary so that the Office of Public Relations may respond in a timely manner and maintain consistency regarding matters of MDH or Administration policy.

 

After the Secretary of Maryland Department of Health, the Director of Public Relations is designated as the Department's chief spokesperson.  When appropriate, the Director will assign responsibility to those staff members with particular expertise needed to provide information or technical support.

 

When contacted by the media, ascertain the issue, then advise the reporter that she/he will be contacted by an appropriate party.  All media contacts, no matter to whom they are directed, are to be forwarded to the Office of Public Relations, where a decision will be made, in concert with appropriate Administration Directors, etc., as to what, if any, information will be released, by whom and in what format.  Health Professional Boards and Commissions are excluded from this policy, however, follow-up information to the Office of Public Relations would be appreciated.

 

All media calls are returned and all requests for information are responded to in a timely manner.  Under some circumstances, it may be necessary and appropriate to require reporters to file a Public Information Act request and pay a reasonable fee for copies of documents.

Program personnel unable to obtain prior approval from the Office of Public Relations should use their best judgement in granting an interview or providing written information.  This especially  applies when programs are contacted by the media in response to press releases or advisories issued by the Department.  If information is released, notify the Office of Public Relations immediately afterwards with a phone call, written memo, or e-mail.

 

The scope of responsibility encompassed by the Department makes it essential that media contacts by handled in a prompt and professional manner.  In addition to its coordinating function, programs are encouraged to use the Office of Public Relations as a resource in preparing for media contacts.  The Office of Public Relations must be contacted regarding information to be distributed via press release or through a media event.  The Office of Public Relations is able to provide assistance in the distribution of press releases and/or other information to the media, and in coordinating press conferences, special events, etc.

 

 

 

6/96 (revised 9/99)

 

ATTACHMENT E

 

Copyright Protection

 

MDH may declare copyright protection for its non-protected and protected data formats, file configurations, or in value added information (e.g., reports, articles, computer code, etc), but may not declare a copyright in raw data or information in the public domain.  Custodians interested in pursuing copyright protection shall contact the designated member of the Attorney General's Office, and may also refer to the Library of Congress for the most current information.  The website address is:

http://lcweb.loc.gov/copyright/circs/circ01.pdf

 

ATTACHMENT F

 

DATA SYSTEM OUTLINE

 

 

(To be included)

 

ATTACHMENT G

 

DEFINITIONS

 

CATEGORICAL LISTING OF ALL DEFINITIONS

 

1.              Roles and Responsibilities

 

a.  Authorized MDH Institutional Review Board - An official review board convened by MDH, Health Care Access and Cost Commission, Health Services Cost Review Commission, or Baltimore City.

 

b.  Official Custodian - As defined in SG ' 10-611(d) and for purposes of this  policy, the Official Custodian is an officer of MDH, a local health department, a commission, or a professional licensing board, who, whether or not the officer or employee has physical custody and control of a public record, is officially responsible for keeping the public record.

 

C.  Custodian of Record - As defined in SG ' 10-611(c), is (1) the official custodian; or (2) any other authorized individual who has physical custody and control of a public record.

 

d.  Data Stewards - Personnel responsible as defined in SG ' 10-6118 for a MDH data system.  The data steward shall be a Program Director, facility Chief Executive Officer, Local Health Officer, Executive Director or other high level designee of the Custodian.  The data steward is responsible for drafting and enforcing data system procedures, and may, where appropriate, assign specific information handling responsibilities to staff (e.g., a designated responsible party, a network (systems) administrator, a contract monitor).

 

e.  Designated Responsible Party - The designated responsible party may be a Custodian of Record as defined in SG ' 10-611(c)(2).  This individual shall be delegated day-to-day administrative responsibility for the implementation and enforcement of the MDH data security standards and shall certify annually, and in conjunction with the Network/System Administrator, that all applicable security requirements are being met.  The designated responsible party shall have the additional responsibilities and authority as detailed in this policy, shall serve as one of the contacts with public health professionals and the community, and shall be responsible for ensuring that protected and proprietary information is handled (collected, maintained, analyzed, and conveyed) in accordance with this and other more restrictive federal and State, laws, regulations, and policies and Departmental policies and procedures. When deemed appropriate, the designated responsible party may act as a contract preparer or monitor.

 

f.  Network (System) Administrator - Personnel delegated the day-to-day technical responsibility for the operation of the hardware, software (excluding the content application), and communications components of an information system (e.g., including but not limited to servers, personal computers, terminals, LANs/WANs, mainframes).  In addition, this individual shall act as a security monitor to enforce the MDH data security standards and shall certify annually, and in conjunction with the Designated Responsible Party, that all applicable security requirements are being met.

 

g.  Database Administrator - Personnel delegated the responsibility for meeting with Custodians, Data Stewards, Designated Responsible Parties, and other system users, vendors, Network (System) Administrators, and information system staff as necessary to plan, create, and maintain a database.  Job functions include, but are not limited to: troubleshooting and resolving database problems related to system performance, utilization and capacity; confirming back up procedures and disaster recovery planning; managing, controlling, and monitoring database access; creating user profiles; and ensuring data security through solid network integrity, privacy, authentication, authorization, and compliance with applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures.  This individual shall also actively participate in the preparation, maintenance, and distribution of database management system documentation and technical literature related to database management services, policies, procedures and standards.

 

h.  Data Technician - Personnel with access, but not control of a public record (physical possession not decision-making authority), such as Personnel or a contractor who maintains a data set while reporting to a designated responsible party.  The data technician is not the official custodian or the custodian of record as defined in SG ' 10-611(c-d).

 

i. Information Security Assurance Coordinator - ISAC Personnel with direct responsibility for the enterprise-wide coordination of all aspects of security and confidentiality pursuant to applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures. The ISAC develops and reviews system security and privacy policies, grants exceptions to them, provides guidance to users and specialized personnel to assure the integrity of all MDH information while it is being processed and/or transmitted electronically, the security and confidentiality of the resources associated with the processing functions, reports on the status of MDH as required, assures that all software controls as stated in MDH policy are being implemented on all systems, ensures that MDH procurements of new systems or COTS products meet the requirements of the information assurance policy, assumes the lead role in resolving security and privacy incidents, acts as the Chief Privacy Officer for interpretation of  privacy and records management policies and ensuring that these policies are being correctly implemented, coordinates with network security staff, ensures that a risk assessment is completed and reviewed for all sensitive IT systems, approves contingency plans, and coordinates with internal and external audit staff to assure policy requirements are included in audit reviews.

  

j. Contract Monitor - Personnel selected to oversee the performance of a chosen vendor with respect to the vendor's ability to meet all the terms and conditions as defined in a contract or Memorandum of Understanding (MOU).  This oversight function provides a means by which both the vendor and MDH are able to address any and all concerns with respect to the contract.

 

k.  Contract Preparer - Personnel involved in the preparation of the contract or Memorandum of Understanding (MOU) Statement of Work.  This individual could subsequently act as the Contact Monitor.

 

l.  Personnel - This policy covers any individual who is directly employed by or is working at the direction of MDH, or any component thereof, in a full time, part time, temporary, emergency, contractual, consultative, agency, or volunteer capacity.

 

m.  Person in Interest - In accord with SG ' 10-611(e), this means: A(1) a person or governmental unit that is the subject of a public record or a designee of the person or governmental unit; (2) if the person has a legal disability, the parent or legal representative of the person; or (3) as to requests for correction of certificates of death under ' 5-310 (d)(2) of the Health-General Article, the spouse, adult child, parent, adult sibling, grandparent, or guardian of the person of the deceased at the time of the deceased's death.@

 

2.              Classifications of MDH Information and Records

 

a.  Proprietary Information - Non-protected and protected information in any form or format     in which the Department has a business or proprietary interest established through a copyright.

 

b.  Protected Information - Confidential, confidential research, highly confidential, or commercial data or information in any form or format.

 

1.  Confidential Information - Information that is protected by law and that may contain the name or other data variables that, separately or in combination with other data, may readily be associated with the identity of an individual.  Examples include, but are not limited to, confidential records as defined in Md. Code Ann. Health-Gen. (HG) ' 4-101, patient medical records as defined in HG ' 4-301(g), patient laboratory data as regulated by the Federal Clinical Laboratory Act and the State Medical Laboratory Law, unique patient identification numbers (UPINs), State personnel information, personal information, information about the security of an information system (including passwords), or other public information exemptions as specified in SG ' 10-611 et seq. or other federal or State law.

 

a.  Hospital Records - Information contained in a hospital record that (1) relates to: (I) medical administration; (ii) staff; (iii) medical care; or (iv) other medical information; and (2) contains general or specific information about 1 or more individuals,' pursuant to SG ' 10-616(j).

 

b.  Information Systems - The part of a public record that contains information about the security of an information system, inspection of which shall be denied by the custodian pursuant to SG ' 10-617(g).

 

c.  Licensing Records - The part of a public record that contains information about the licensing of an individual in an occupation or profession.  PART 2) Inspection of that part of the licensing record not designated as public shall be denied pursuant to SG ' 10-617 et seq.     and applicable sections of the Maryland Health Occupations Article.

 

d.  Medical and Psychological Information - Information protected by law under SG ' 10-617(b) whereby  (1) . . . a custodian shall deny inspection of the part of a public record that contains medical or psychological information about an individual, other than an autopsy report of a medical examiner; (2) A custodian shall permit the person in interest to inspect the public record to the extent permitted under ' 4-302(b) of the Health-General Article.

 

e.  Medical Record - As defined in HG ' 4-301(g), A(1) >Medical record' means any oral, written, or other transmission in any form or medium of information that (I) Is entered in the record of a patient or recipient; (ii) Identifies or can readily be associated with the identity of a patient or recipient; and (iii) Relates to the health care of the patient or recipient.  (2)>Medical record includes any: (I) Documentation of disclosures of a medical record to any person who is not an employee, agent, or consultant of the health care provider; (ii) File or record maintained under ' 12-403(b)(13) of the Health Occupations Article by a pharmacy of a prescription order for drugs, medicines, or devices that identifies or may be readily associated with the identity of a patient; (iii) Documentation of an examination of a patient regardless of who: 1. Requested the examination; or 2. Is making payment for the examination; and (iv) File or record received from another health care provider that: 1. Relates to the health care of a patient or recipient received from that health care provider; and 2. Identifies or can readily be associated with the identity of the patient or recipient.

 

f.  Personal Records - Pursuant to SG ' 10-624(a), A 'personal record' means a public record that names or, with reasonable certainty, otherwise identifies an individual by an identifying factor such as: (1) an address; (2) a description; (3) a finger or voice print; (4) a number; or (5) a picture  For purposes of this policy, this definition also includes various demographic data which in combination may be used to identify an individual, especially if linked to other data sets.

 

 

g. Sociological Information - Pursuant to SG ' 10-617(c), ..If the official custodian has adopted rules or regulations that define sociological information for purposes of this subsection, a custodian shall deny inspection of the part of a public record that contains sociological information, in accordance with the rules or regulations.

 

h.  Vital Record - Part 1) 'A certificate or report of birth, death, fetal death, marriage, divorce, dissolution or annulment of marriage, adoption, or adjudication of paternity that is required by law to be filed with the Secretary,' pursuant to HG ' 4-201(n); and

 

i.  Welfare Records - Public records that relate to welfare for an individual, pursuant to SG '10-616(c).

 

2.  Confidential Research Data - Protected information to which the official custodian may permit access for approved research purposes in accordance with SG ' 10-6248 and the Policy on the Review of Department of Health and  Research Involving Human Subjects (Policy 11100).

 

a.  Research Projects Under the Policy on the Review of Maryland Department of Health and  Research Involving Human Subjects (Policy 11100), research is defined as 'A systematic investigation, including Research Development, Testing, and Evaluation designed to develop or contribute to generalizable knowledge.'  Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported for under a program which is considered research for other purposes.  For example, some demonstration and service programs may include research activities. 

 

3.  Highly Confidential Information - Confidential or other data and information required by     applicable federal law, regulations, or standards to be handled using the specified level of security protections.

 

4.  Commercial Information - 'Any of the following information provided by or obtained from any person or governmental unit: (1) a trade secret; (2) confidential commercial information; (3) confidential financial information; or (4) confidential geological or geophysical information,' pursuant to SG 10 ' 617(d).

 

 

c.  Non-protected Information - MDH data or information, in any form or format, which has not otherwise been identified as confidential, confidential research, highly confidential, or commercial data.

 

1.  Licensing Records - The '...part of a public record that contains information about the licensing of an individual in an occupation or profession.'   

 

2.  Public Information Act Data - All data subject to inspection by the public pursuant to SG ' 10-611 et seq.

 

3. Research Projects Under the Policy on the Review of Department of Health  Research Involving Human Subjects (Policy 11100), research is defined as  '...systematic investigation, including Research Development, Testing, and Evaluation designed to develop or contribute to generalizable knowledge.  Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported for under a program which is considered research for other purposes.  For example, some demonstration and service programs may include research activities.

 

4.  Vital Record - Is to be disclosed pursuant to HG ' 4-224 and the Code of Maryland Regulations (COMAR) 10.03.01.07.

 

D.  Non-records - As defined in MDH Policy 02.03.07 (and p. vi, DGS Record Management Manual), non-records refers to unofficial '...materials created or acquired for reference, exhibition, or back- up such as: manuals, pamphlets and informational letters; copies of records and documents used as working, reading, tickler, and suspense files; shorthand notes and notebooks which have been transcribed; other temporary papers used to control internal work in progress including telephone messages of a non-policy nature, and stocks of publications, office reference materials (dictionaries, thesaurus, telephone directories, etc.) and other reproduced documents.'

 

e.  Record materials or 'public records'

 

i.      As defined in SG '10-611(f) a 'Public record' means the original or any copy of any documentary material that:

 

(1) is made by a unit or instrumentality of the State government or of a political subdivision or received by the unit or instrumentality in connection with the transaction of public business; and

 

(2) is in any form; including: (a) a card; (b) a computerized record; 8 correspondence; (d) a drawing; (e) film or microfilm; (f) a form; (g) a map; (h) a photograph or photostat; (I) a recording; or (j) a tape. 

 

ii.  'Public record' includes a document that lists the salary of an employee of a unit or instrumentality of the State government or of a political subdivision. 

 

iii.  'Public record' does not include a digital photographic image or signature of an individual, or the actual stored data thereof, recorded by the Motor Vehicle Administration.'  Furthermore,  in accord with MDH Policy 02.03.07 (and p. vi, DGS, Records Management Manual), 'Record materials or  'public records' are defined as 'any paper, correspondence, form, book, photograph, microform, magnetic tape, compact disk, computer storage media, map, drawing, or other document, regardless of physical form or characteristics, that has been made or received by a State, county, or municipal agency in connection with the transaction of official business and needs to be preserved for informational value or as evidence of a transaction.  'There is only one official record of anything in the Maryland Records Management System...'

 

3.           Data System Actions

 

a.  Electronic Transfer of Information - The electronic interchange of data or information.

 

b.  Release - The authorized conveying of non-protected information in any form or format pursuant to this policy.  The release may be in response to a Public Information Act request or in the lawful conduct of official MDH business.

 

1.  De-identification of Data - The removal of all explicit individual identifiers and appropriately preparing data so that it would not be easily associated with an individual (i.e. aggregate data to satisfy bin/cell size requirements, changing singletons to median values, inserting complementary records, generalizing codes, swapping entries, scrambling records, suppressing information, and encrypting fields).

 

c. Sharing - The legal exchange of protected or proprietary information, under a properly executed Memorandum of Understanding (Work for Hire or Chain of Trust Agreement), by the Secretary or Secretary's designee to another unit, etc. of the State or other individuals or entities as specified in MDH Policy for the legal conduct of official State business.

 

1. Memorandum/a of Understanding (MOU)  - Written agreement between two units, subdivisions, agencies, Departments, etc. of the State or other individuals or entities as specified in MDH Policy.  The document, which  shall conform to the applicable Departmental policy, may be either a:

 

i) Memorandum of Understanding Work-for-Hire.  This is a MDH written agreement for sharing protected or proprietary information with another unit, etc., of the State for the legal conduct of official State business when monetary compensation is provided in exchange for a product or service.  In these instances the language in Attachment xx - Section 2 of MDH Policy 02.01.06 shall be incorporated into all Agreements; or

 

ii) Memorandum of Understanding Chain of Trust Agreement.  This is a MDH written agreement for sharing protected or proprietary information with another unit, etc., of the State or other individuals or entities as specified in MDH Policy for the legal conduct of official State business without providing monetary compensation for a product or service. [At the time of this writing this refers to draft MDH POLICY  02.01.07 'Policy for the Sharing of MDH Data' - Establishing a Memorandum of Understanding Chain of Trust Agreement].

 

d.  Disclose or Disclosure - The transmission or communication of protected or proprietary information in any form or format.  Examples include, but are not limited to, divulging, releasing, selling, loaning, revising, or revealing protected or proprietary information or the fact that particular information on an individual exists.

 

 4.              Required Data System Documents

 

a.  Data System Outline - The general information for each substantial change to a field, data element, or data definition of a MDH data set, including identification of key data personnel, to be developed and maintained by the data steward or designated responsible party.  The format for the MDH Data System Outline appears in Attachment E.

b.  Data System Procedures - Written documentation establishing the methods for operating MDH data systems and the guidelines for the release, sharing, and disclosure of associated data and information.  Furthermore, these written procedures shall include: 

 

1) The rules and regulations that govern the timely production and inspection of a public record in accord with SG ' 10-613 et seq.;

2) The procedures for the copying/reproduction of the public record in accord with SG ' 10-620 et seq.; 

 

3) The establishment of a reasonable fee schedule for '...the search for, preparation of, and reproduction of a public record,' in accord with SG ' 10-621 et seq.; and

 

4) Guidelines for preparing and submitting of an annual report to the Secretary of General Services on any data set that keeps personal records in accord with SG ' 10-624(b).

 

c.  User Documentation - Written documentation including a Disclaimer of Warranties for all computer data files of non-protected information released or for all protected or proprietary information shared or disclosed.  Each packet is intended to provide data file users with the necessary details to enable a reasonable person to draw reliable conclusions from the data.  For example, the packet shall provide details regarding collection procedures, response rates, editing strategies, discontinuities, and known shortcomings of questions, responses, coding, etc.

 

Alphabetical Listing of All Definitions

 

a. Authorized MDH Institutional Review Board - An official review board convened by MDH, Maryland Health Care Commission, Health Services Cost Review Commission, or Baltimore City Health Department.

 

b.  Commercial Information B 'any of the following information provided by or obtained from any person or governmental unit: (1) a trade secret; (2) confidential commercial information; (3) confidential financial information; or (4) confidential geological or geophysical information,@ pursuant to SG 10 ' 617(d).

 

c.  Confidential Information - Information that is protected by law and that may contain the name or other data variables that, separately or in combination with other data, may readily be associated with the identity of an individual.  Examples include, but are not limited to, confidential records as defined in Md. Code Ann. Health-Gen. (HG) ' 4-101, patient medical records as defined in HG ' 4-301(g), patient laboratory data as regulated by the Federal Clinical Laboratory Act and the State Medical Laboratory Law, unique patient identification numbers (UPINs), State personnel information, personal information, information about the security of an information system (including passwords), or other public information exemptions as specified in SG ' 10-611 et seq. or other federal or State law.

 

d.  Confidential Research Data - Protected information to which the official custodian may permit access for approved research purposes in accordance with SG ' 10-624(c) and the Policy on the Review of Department of Health Research Involving Human Subjects (MDH Policy 11100).

 

e. Contract Monitor - Personnel selected to oversee the performance of a chosen vendor with respect to the vendor's ability to meet all the terms and conditions as defined in a contract or Memorandum of Understanding (MOU).  This oversight function provides a means by which both the vendor and MDH are able to address any and all concerns with respect to the contract.

 

f.  Contract Preparer - Personnel involved in the preparation of the contract or Memorandum of Understanding (MOU) Statement of Work.  This individual could subsequently act as the Contact Monitor.

 

G.  Custodian of Record - As defined in SG ' 10-611(c), is '(1) the official custodian; or (2) any other authorized individual who has physical custody and control of a public record.'

 

h.  Data Stewards - Personnel responsible as defined in SG ' 10-611(c) for a MDH data system.  The data steward shall be a Program Director, facility Chief Executive Officer, Local Health Officer, Executive Director or other high level designee of the Custodian.  The Data Steward is responsible for drafting and enforcing data system procedures, and may, where appropriate, assign specific information handling responsibilities to staff (e.g., a Designated Responsible Party, a Network (Systems) Administrator, a Contract Monitor).

 

i.  Data System Outline - A identification of key data personnel and an overview of the contents of a database which shall be developed and maintained (reflecting any substantial change to a field, data element, data definition or designated personnel) by the Data Steward or Designated Responsible Party.  The format for the MDH Data System Overview appears in the Attachment .

 

j.  Data System Procedures - Written documentation establishing the methods for operating MDH data systems and the guidelines for the handling and security of non-protected, protected, and proprietary data and information.  Furthermore, these written procedures shall include: 

 

1) Rules and regulations that govern the timely production and inspection of a public record in accord with SG ' 10-613 et seq.;

 

2) Procedures for the copying/reproduction of the public record in accord with SG ' 10-620 et seq.; 

 

3) A reasonable fee schedule for 'the search for, preparation of, and reproduction of a public record@ in accord with SG ' 10-621 et seq.; and

 

4) Guidelines for preparing and submitting of an annual report to the Secretary of General Services on any data set that keeps personal records in accord with SG ' 10-624(b).

 

k.  Data Technician - Personnel with access (physical  possession), but not control (decision-making authority), such as Personnel or a contractor who maintains a data set while reporting to a Designated Responsible Party.  The Data Technician is not the Official Custodian or the Custodian of Record as defined in SG ' 10-611(c-d).

 

l.  Database Administrator - Personnel delegated the responsibility for meeting with Custodians, Data Stewards, Designated Responsible Parties, and other system users, vendors, Network (System) Administrators, and information system staff as necessary to plan, create, and maintain a database.  Job functions include, but are not limited to: troubleshooting and resolving database problems related to system performance, utilization and capacity; confirming back up procedures and disaster recovery planning; managing, controlling, and monitoring database access; creating user profiles; and ensuring data security through solid network integrity, privacy, authentication, authorization, and compliance with applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures.  The Database Administrator shall also actively participate in the preparation, maintenance, and distribution of database management system documentation and technical literature related to database management services, policies, procedures and standards

 

m.  De-identification of Data - The removal of all explicit individual identifiers and appropriately preparing data so that it would not be easily associated with an individual (i.e. aggregate data to satisfy bin/cell size requirements, changing singletons to median values, inserting complementary records, generalizing codes, swapping entries, scrambling records, suppressing information, and encrypting fields).

 

 

Security Monitor- SM - The MDH SM serves as the central point of contact and authorization control agent in designated units for the daily IT security program. The SM's responsibilities include close coordination with the MDH Security Officer of lists of authorized users, changes, and audits as required, participates to address unit and MDH security issues, participates in IT security awareness and training, acts as the central point of contact for unit-level IT security related incidents or violations, disseminates information concerning security alerts and potential threats to all MDH system owners, ensures that users receive the notification of security-related policies and procedures, and assists in the annual systems evaluation program.

 

Security Officer- SO - The MDH SO serves as the central point of contact and access control agent for the daily IT security program. The SO's responsibilities include system audits as directed, coordination with MDH Security Monitors about access control, authentication and authorization issues or concerns, participates to address general security issues, assists in the development of MDH systems contingency and disaster recovery plans, provides appropriate IT security awareness and training to all personnel, functions as the daily operational central point of contact for any type of IT security related incidents or violations, disseminates information concerning security alerts and potential threats to all MDH system owners, ensures that users receive the notification of security-related policies and procedures, assists in the annual systems evaluation of major processes like incident handling, security awareness training, and risk management to determine whether they are effective in reducing security incidents.

  

n.   Designated Responsible Party - An individual who handles the day-to-day administrative responsibility for the implementation and enforcement of the MDH data security standards and who certifies annually, and in conjunction with the Network (System) Administrator, that all applicable security requirements are being met.  The Designated Responsible Party has the additional responsibilities and authority as detailed in this policy, serves as one of the contacts with public health professionals and the community, and is responsible for ensuring that protected and proprietary information is handled (collected, maintained, analyzed, and conveyed) in accordance with this and other more restrictive federal and State, laws, regulations, and policies and Departmental policies and procedures.  When deemed appropriate, the designated responsible party may act as a contract preparer or monitor. The Designated Responsible Party may be a Custodian of Record as defined in SG ' 10-611(c)(2). 

 

o.  MDH Information Security Assurance Coordinator - ISAC Personnel with direct responsibility for the enterprise-wide coordination of all aspects of security and confidentiality pursuant to applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures. The ISAC develops and reviews system security and privacy policies, grants exceptions to them, provides guidance to users and specialized personnel to assure the integrity of all MDH information while it is being processed and/or transmitted electronically, the security and confidentiality of the resources associated with the processing functions, reports on the status of MDH as required, assures that all software controls as stated in MDH policy are being implemented on all systems, ensures that MDH procurements of new systems or COTS products meet the requirements of the information assurance policy, assumes the lead role in resolving security and privacy incidents, acts as the Chief Privacy Officer for interpretation of  privacy and records management policies and ensuring that these policies are being correctly implemented, coordinates with network security staff, ensures that a risk assessment is completed and reviewed for all sensitive IT systems, approves contingency plans, and coordinates with internal and external audit staff to assure policy requirements are included in audit reviews.

 

 p.  Disclose or Disclosure - The transmission or communication of protected or proprietary information in any form or format.  Examples include, but are not limited to, divulging, releasing, selling, loaning, revising, or revealing protected or proprietary information or the fact that particular information on an individual exists.

q.  Electronic Transfer of Information - The electronic interchange of data or information.

 

r.  Highly Confidential Information - Confidential or other data and information required by applicable federal law, regulations, or standards to be handled using the specified level of security protections.

 

s.  Hospital Records - AInformation contained in a hospital record that (1) relates to: (i) medical administration; (ii) staff; (iii) medical care; or (iv) other medical information; and (2) contains general or specific information about 1 or more individuals,@ pursuant to SG ' 10-616(j).

 

t.  Information Systems - The Apart of a public record that contains information about the security of an information system,@ ispection of which shall be denied by the custodian pursuant to SG '10-617(g).

 

u.  Licensing Records - The 'part of a public record that contains information about the licensing of an individual in an occupation or profession.'

 

1) The non-protected (public) portion of a licensing record is detailed in SG ' 10-617(h) (2-4), whereby,  A(2) A custodian shall permit inspection of the part of a public record that gives: (i) the name of the licensee; (ii) the business address of the licensee or, if the business address is not available, the home address; (iii) the business telephone number of the licensee; (iv) the educational and occupational background of the licensee; (v) the professional qualifications of the licensee; (vi) any orders and findings that result from formal disciplinary actions; and (vii) any evidence that has been provided to the custodian to meet the requirements of a statute as to financial responsibility.  (3) A custodian may permit inspection of other information about a licensee if: (i) the custodian finds a compelling public purpose; and (ii) the rules or regulations of the official custodian permit the inspection.  (4) Except as otherwise provided by this subsection or other law, a custodian shall permit inspection by the person in interest.@

 

2) Inspection of that part of the licensing record not designated as public (non-protected) shall be denied pursuant to SG ' 10-617(h)(1) and applicable sections of the Maryland Health Occupations Article.

 

v.  Medical and Psychological Information - Medical or psychological information about an individual.

In accord with SG ' 10-617(b)(1) A[A] custodian shall deny inspection of the part of a public record that contains medical or psychological information about an individual, other than an autopsy report of a medical examiner;@

 

A(2) A custodian shall permit the person in interest to inspect the public record to the extent permitted under ' 4-302(a) of the Health-General Article.@

 

w.  Medical Record - As defined in HG ' 4-301(g), A(1) >Medical record= means any oral, written, or other transmission in any form or medium of information that (i) Is entered in the record of a patient or recipient; (ii) Identifies or can readily be associated with the identity of a patient or recipient; and (iii) Relates to the health care of the patient or recipient.  (2) >Medical record= includes any: (i) Documentation of disclosures of a medical record to any person who is not an employee, agent, or consultant of the health care provider; (ii) File or record maintained under ' 12-403(b)(13) of the Health Occupations Article by a pharmacy of a prescription order for drugs, medicines, or devices that identifies or may be readily associated with the identity of a patient; (iii) Documentation of an examination of a patient regardless of who: 1. Requested the examination; or 2. Is making payment for the examination; and (iv) File or record received from another health care provider that: 1. Relates to the health care of a patient or recipient received from that health care provider; and 2. Identifies or can readily be associated with the identity of the patient or recipient.@ 

 

(1) In accord with HG ' 4-302(a)(1) the medical record of a patient or recipient shall be kept confidential.

 

(2) Release, sharing or disclosure of a medical record shall be in accord with HG ' 4-302(a)(2) through ' 4-307 or other more restrictive federal or State statues or regulations.

 

x.  Memorandum/a of Understanding (MOU) - Written agreement between two units, subdivisions, agencies, Departments, of the State or other individuals or entities as specified in MDH Policy.  The document, which  shall conform to the applicable Departmental policy, may be either a:

 

1) Memorandum of Understanding Work-for-Hire.  This is a MDH written agreement for sharing protected or proprietary information with another unit, etc., of the State for the legal conduct of official State business when funding is provided in exchange for a product or service.  In these instances the language in Attachment B - Section 2 of MDH Policy 02.01.06 shall be incorporated into all Agreements; or

 

2) Memorandum of Understanding Chain of Trust Agreement.  This is a MDH written agreement for sharing protected or proprietary information with another unit, etc., of the State or other individuals or entities as specified in MDH Policy for the legal conduct of official State business without providing funding for a product or service. [At the time of this writing this refers to draft MDH POLICY  02.01.07 - Policy for the Sharing of MDH Data - Establishing a Memorandum of Understanding Chain of Trust Agreement].

 

y.  Network (System) Administrator - Personnel delegated the day-to-day technical responsibility for the operation of the hardware, software (excluding the content application), and communications components of an information system (e.g., including but not limited to servers, personal computers, terminals, LANs/WANs, mainframes).  In addition, this individual shall act as a security monitor to enforce the MDH data security standards and shall certify annually, and in conjunction with the Designated Responsible Party, that all applicable security requirements are being met.

 

z.  Non-protected Information - MDH data or information, in any form or format, which has not otherwise been identified as confidential, confidential research, highly confidential, or commercial data.

 

AA.  Non-records - As defined in MDH Policy 02.03.07 (and p. vi, DGS Record Management Manual), non-records refers to unofficial Amaterials created or acquired for reference, exhibition, or >back up= such as: manuals, pamphlets and informational letters; copies of records and documents used as working, reading, tickler, and suspense files; shorthand notes and notebooks which have been transcribed; other temporary papers used to control internal work in progress including telephone messages of a non-policy nature, and stocks of publications, office reference materials (dictionaries, thesaurus, telephone directories, etc.) and other reproduced documents.@

 

bb.  Official Custodian - As defined in SG ' 10-611(d) and for purposes of this  policy, the Official Custodian is an officer of MDH, a local health department, a commission, or a professional licensing board, who, whether or not the officer or employee has physical custody and control of a public record, is officially responsible for keeping the public record.

 

cc.  Person in Interest - In accord with SG ' 10-611(e), this means: A(1) a person or governmental unit that is the subject of a public record or a designee of the person or governmental unit; (2) if the person has a legal disability, the parent or legal representative of the person; or (3) as to requests for correction of certificates of death under ' 5-310 (d)(2) of the Health-General Article, the spouse, adult child, parent, adult sibling, grandparent, or guardian of the person of the deceased at the time of the deceased=s death.@

 

dd.  Personal Records - Pursuant to SG ' 10-624(a), A>personal record= means a public record that names or, with reasonable certainty, otherwise identifies an individual by an identifying factor such as: (1) an address; (2) a description; (3) a finger or voice print; (4) a number; or (5) a picture.@  For purposes of this policy, this definition also includes various demographic data which in combination may be used to identify an individual, especially if linked to other data sets.

 

ee.  Personnel - This policy covers any individual who is directly employed by or is working at the direction of MDH, or any component thereof, in a full time, part time, temporary, emergency, contractual, consultative, agency, or volunteer capacity.

 

ff.  Proprietary Information - Non-protected and protected information in any form or format in which the Department has a business or proprietary interest established through a copyright or licensing agreement.

 

gg.  Protected Information - Confidential, confidential research, highly confidential, or commercial data or information in any form or format.

 

hh.  Public Information Act Data - All data subject to inspection by the public pursuant to SG ' 10-611 et seq.

 

ii.  Record materials or Apublic records@

 

i.      As defined in SG ' 10-611(f) a A>Public record= means the original or any copy of any documentary material that:

 

(1) is made by a unit or instrumentality of the State government or of a political subdivision or received by the unit or instrumentality in connection with the transaction of public business; and

 

(2) is in any form; including: (a) a card; (b) a computerized record; (c) correspondence; (d) a drawing; (e) film or microfilm; (f) a form; (g) a map; (h) a photograph or photostat; (i) a recording; or (j) a tape. 

 

ii.  >Public record= includes a document that lists the salary of an employee of a unit or instrumentality of the State government or of a political subdivision. 

iii.  >Public record= does not include a digital photographic image or signature of an individual, or the actual stored data thereof, recorded by the Motor Vehicle Administration.@  Furthermore,  in accord with MDH Policy 02.03.07 (and p. vi, DGS, Records Management Manual), ARecord materials or >public records= are defined as >any paper, correspondence, form, book, photograph, microform, magnetic tape, compact disk, computer storage media, map, drawing, or other document, regardless of physical form or characteristics, that has been made or received by a State, county, or municipal agency in connection with the transaction of official business and needs to be preserved for informational value or as evidence of a transaction.=  >There is only one official record of anything in the Maryland Records Management System . . .=@

 

jj.  Release - The authorized conveying of non-protected information in any form or format pursuant to this policy.  The release may be in response to a Public Information Act request or in the lawful conduct of official MDH business.

 

kk. Research Projects Under the Policy on the Review of Department of Health Research Involving Human Subjects (MDH Policy 11100), research is defined as AA systematic investigation, including Research Development, Testing, and Evaluation designed to develop or contribute to generalizable knowledge.  Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported for under a program which is considered research for other purposes.  For example, some demonstration and service programs may include research activities.@

 

ll.  Sharing - The legal exchange of protected or proprietary information, under a properly executed Memorandum of Understanding (Work for Hire or Chain of Trust Agreement), by the Secretary, or designee to another unit, etc. of the State or other individuals or entities as specified in MDH Policy for the legal conduct of official State business.

 

mm.  Sociological Information - Pursuant to SG ' 10-617(c), AIf the official custodian has adopted rules or regulations that define sociological information for purposes of this subsection, a custodian shall deny inspection of the part of a public record that contains sociological information, in accordance with the rules or regulations.@

 

nn.  User Documentation - Written documentation including a Disclaimer of Warranties for all computer data files of non-protected information released or for all protected or proprietary information shared or disclosed.  Each packet is intended to provide data file users with the necessary details to enable a reasonable person to draw reliable conclusions from the data.  For example, the packet shall provide details regarding collection procedures, response rates, editing strategies, discontinuities, and known shortcomings of questions, responses, coding, etc.

 

oo.  Vital Record AA certificate or report of birth, death, fetal death, marriage, divorce, dissolution or annulment of marriage, adoption, or adjudication of paternity that is required by law to be filed with the Secretary,@ pursuant to HG '  4-201(n).

 

(1) Avital record is released

 

(2)  A Avital record is shared for the legal conduct of official State business as exemplified by Art 47 (OCYF) or disclosed pursant to HG ' 4-224 and the Code of Maryland Regulations (COMAR) 10.03.01.07.

 

pp.  Welfare Records - APublic records that relate to welfare for an individual,@ and are protected pursuant to SG ' 10-616(c).

COPYRIGHT © 2001 Maryland MDH

Updated:  06/08/01