Requesting Maryland Medical Assistance Data - Frequently-Asked Questions

​Steps 4 and 5: Data Exchange, Maintenance and Closing out Process 

How will the data be transferred?
Generally, a Secured File Transfer Program (SFTP) will be used to securely transfer the Medicaid data. If another secured method is preferred and meets the State’s security requirements, it may be used.
What format will the data be in?
Data can be transferred in a variety of formats including, but not limited to, SAS, SPSS, STATA, Excel, etc.
Who is responsible for maintaining the data?
Each party to the DUA will name a Project Manager to ensure the data remains secured. The Project Managers’ responsibilities shall include:  serving as liaison in negotiating any procedures necessary for the implementation of this Agreement, including establishing the project plan and implementation strategy; coordinating requests for information and other cooperative activities between the Parties; and communicating and working with information technology staff to resolve logistical and technical problems related to accessing the Covered Data.  As previously mentioned, each party must establish a DMP and the Covered Data must be maintained consistent according to the terms of the DMP. Maryland follows the data protection and technology guidelines published by National Institute of Standards and Technology (NIST). The NIST guidelines detailing the minimum requirements for data maintenance, sanitization of covered data, and other data management guidelines are available here.
Am I required to notify the Maryland Medicaid Office of Planning Administration of the final disposition of the shared data file(s)?
When the principal investigator notifies the Maryland Medicaid Office of Planning Administration that the protocol is officially closed, the principal investigator is required to either return the previously shared data files to the data provider or to submit a completed Certificate of Data Destruction. The Certificate of Data Destruction form is available here.
How should I report an unanticipated problem, such as a breach of sensitive information?
The Project Manager, listed in an Attachment to the DUA, is required to report the occurrence or suspicion of any unanticipated problems as defined above immediately both to the Maryland Medicaid Office of Planning Administration and the IRB. One such unanticipated problem may be a breach of sensitive information, e.g., the unauthorized sharing of PHI or PII.
Am I expected to share work products with the Maryland Medicaid Office of Planning Administration?
Yes. The principal investigator is expected to share in a timely manner with the Maryland Medicaid Planning Administration key work products resulting from an IRB-approved investigation. Such products may include a comprehensive final narrative project report and/or PowerPoint presentation; one or more published research articles, monographs, book chapters or books; etc. Products that provide key findings and implications related to prospective advances in health practices and policies are of particular interest.
Am I required to notify the Maryland Medicaid Office of Planning Administration when my protocol is closed; that is, is no longer open and active?
Yes. In all cases, whether the protocol has been deemed to be exempt or non-exempt from further review by the MDH IRB, when the protocol is no longer open and active, the PI is required to complete and submit a Certificate of Study Closure to MDH. In the case of a non-exempt MDH IRB-approved protocol (protocol for which an annual review by the IRB is required), such notification is indicated on the MDH IRB Continuing Review Form II (MDH 2125) when the final annual review packet is submitted to the IRB. As part of this notification, the principal investigator is to provide a Closing Summary of project-related activities and accomplishments, and is to clarify in writing as a required aspect of this Closing Summary whether released Medicaid data have been either (a) returned to the Medicaid Planning Administration, Office of Health Care Financing or to the data provider or (b) have been destroyed or sanitized.  The Certificate of Study Closure form is available here, and Certificate of Data Destruction form is available here.