The Strategic Data Initiative (SDI) Team is tasked with reviewing data-related agreements and updating data use policies to ensure that Maryland Department of Health (MDH) data is protected. As MDH’s operations continually move toward reliance on IT systems, it is important to know where, how, and with whom our data is being shared. Under the direction of the Office of Internal Controls and Audit Compliance, SDI uses a multi-disciplinary review approach to ensure adequate safeguards and access controls are in place for all MDH Data-Related Agreements. SDI is charged with updating MDH data protection and usage policies and reviewing agreements for consistency with those policies and guidance from the State Chief Data Officer and the State Chief Privacy Officer.
As of August 3, 2021, all Data Use Agreements, Business Associate Agreements, and other data-related agreements are required to have a risk assessment conducted by the SDI Team as part of their charter. Requests for agreements from third parties and agreements proposed by MDH staff must be directed to the SDI Team for approval prior to execution.
The Maryland Department of Health is entrusted with both personally identifiable information (PII) and protected health information (PHI) in order to carry out its duties under State and federal law to protect the health and safety of Marylanders.
In conjunction with 2021 Executive Orders from Gov. Larry Hogan outlining the need to make data protection and usage a core business function, MDH updated its data protection and usage policies to implement the following directive:
Third parties may use MDH data but must view, analyze, and create/store data exclusively in an approved State system (MDThink, DoIT, other MDH systems) unless granted a waiver by the Secretary. Data may not be processed in any external system unless risks are fully disclosed and accepted by the Department.