Procedural Guidelines for DHMH Information Assurance Policies and Programs
Title: Procedural Guidance for DHMH Information Assurance Policies and Programs
Short Title: Information Assurance Guidelines
I. EXECUTIVE SUMMARY

These procedures accompany policy 02.01.06 to provide further guidance and direction on its implementation to assure the confidentiality, integrity, and availability of DHMH information assets. They further clarify the responsibilities of personnel to protect the interests of DHMH and consumers with regard to the release of non-protected information and the safeguarding of DHMH protected and proprietary information. The DHMH Information Resources Management Administration maintains and periodically updates these mandatory guidelines as required.

II. PROCEDURES

General Security Procedures

"Information Must Be Protected."

This section describes procedures considered minimum security practice to maintain the security of Protected or Proprietary Information.

1. Staff in cubicles clear desks of protected and proprietary materials and lock contents when not present.

2. Protected and proprietary information shall be maintained in a secure manner with access limited to designated personnel. All client records are kept in a manner consistent with applicable federal and State regulations.

3. File cabinets, desk drawers, and doors to areas that contain protected and proprietary information are to be locked during non-working hours or when staff are not in the immediate area.

4. Any protected or proprietary materials containing names or other identification shall be kept in locked, secure storage when not in use, and shall be maintained and/or disposed of in accord with applicable federal or State statutes or regulations or Department policies, procedures, and protocols. When sent to storage, these materials will be accompanied by an authorized State employee or agent, stored at State or other authorized facilities, and must be transmitted according to COMAR.

   When sent to disposal, such materials will be maintained in a secure manner and shredded so that the information is neither readable nor recoverable. These materials will be destroyed under the supervision of State personnel, or under contract with non-State entities who assure that the methods used are appropriate for such destruction.

5. Avoid the random display of protected or proprietary information where it can be easily observed.

6. When working with computerized confidential data, computer screens are to be positioned so as to prevent others from easily viewing the data. The use of a password-protected screen saver activated at a minimal time interval is highly recommended, but must be in accord with applicable DHMH security policies and procedures.

7. Access to protected or proprietary information is granted by the custodian, data steward, or the designated responsible party. This information is to be maintained as a secure user group on a secure portion of the LAN/WAN. Automated access logs are to be maintained in accordance with applicable State and DHMH policies. Attempts to gain unauthorized access to protected or proprietary information are subject to disciplinary action in accord with DHMH policy or other more restrictive federal or State laws.

8. Conversations with clients should be conducted in private areas.

9. Telephone conversations with clients should be conducted in a discreet manner using a level voice to protect confidentiality.

10. Staff will not identify themselves in such a way as to jeopardize the confidentiality of a client or other person when leaving messages or sending correspondence.

11. Staff should avoid the use of voice mail, electronic recording devices, e-mail, and fax machines as mechanisms to transmit and/or receive protected or proprietary information. Protected information shall only be faxed with prior arrangement to (a) verify the correct fax number, and (b) assure the recipient or authorized agent is present during the transmission and receipt of the document. Fax machines that are used to regularly receive or transmit protected information shall be located in a secured space or cabinet appropriate for such use.

12. When authorized, documents or media containing protected or proprietary information shall be hand transported by a DHMH employee, State courier, or other authorized courier service. A tracking system shall be established to assure proper receipt of each transported item.

13. Laptop and off-site computing equipment and associated media shall be transported, operated, and stored in accord with DHMH protocols. Special measures must be taken to assure protected information does not remain on processing units when shared with other staff, or when such information is placed on processing equipment not under the direct control or ownership of the Department.

14. Avoid general discussion of protected or proprietary information except as required to perform the job.

15. Staff will first ensure that protected and proprietary information is not viewable or obtainable before admitting any outside person (e.g., guest, client, housekeeper) to an office or cubicle.

16. Staff will maintain the confidentiality of vendor information in a manner consistent with COMAR regulations and other public regulations and laws.

17. Staff will clarify any situation not covered by this policy with their supervisor prior to acting in a way that may in any way compromise protected or proprietary information. When in doubt, ASK!

18. When the safety or security of protected or proprietary information has been, or is suspected to have been, compromised, mishandled, lost, and/or stolen, staff shall immediately inform designated personnel in accord with applicable DHMH policies, procedures, and protocols.

19. Examples of job functions in which Personnel may inadvertently learn of or be exposed to protected or proprietary information governed by the provisions of this policy or other more restrictive federal or State laws include, but are not limited to: project site monitoring; patient chart review; program rosters or audits; prevention workshops, support groups, or use of training strategies which facilitate self-disclosure; telephone and facsimile communications with outside agencies or the general public; opening/delivery of mail; taking/relaying phone or other messages; document filing, scanning, or data entry; handling or processing of laboratory results or medical claims data; writing or reviewing reports; and maintaining electronic information systems.

Custodians To Be Appointed - No further information is provided in this version.

Information Classification - See Attachment G, Definitions, Section 2.

Protection Levels Required Based on Risk Assessment - See Attachment G, Definitions, Roles and Responsibilities, Section 2, pg. 36.

Access Based on "Need to Know" - No further information is provided in this version.

III. PROCEDURAL GUIDANCE LINKED TO POLICY STATEMENTS

This guidance is listed categorically by section and closely mirrors the structure of policy 02.01.06.

Personal Access and Use

Personal access and use of DHMH information resources shall be limited to levels appropriate for job requirements, reasonably protected, and used only within legitimate job specifications.

PROCEDURAL GUIDANCE

i. Personnel shall use State-owned data and information only as authorized for specifically approved purposes limited to the conduct of State business.

ii. Personnel shall endeavor to ensure that reasonable precautions are taken so that no State data or information will be fraudulently revised, altered, or destroyed.

iii. Personnel shall not access, or attempt to access, protected or proprietary information that they are not authorized to handle in the conduct of State business.

iv. Personnel shall use protected or proprietary information only as needed to conduct legitimate State business.

v. Personnel are not relieved, upon separation from State service, of the responsibilities and duties provided herein and under law as per SG § 15-101 through § 15-1001.

Separation of Duties - See Attachment G, Definitions, Roles and Responsibilities, Section 2, pg. 36.

Employee and Contractor Awareness and Ethics Training - No further information is provided in this version.

Personnel Must Know Their Obligations to Information Protection - See below: "Other Responsibilities of All Personnel."

IRMA Maintains this document - Version 1, September 2000

Personnel Must Know Obligations to Protect Information

Roles and Responsibilities - See Section H below, Roles and Responsibilities, Section 2, pg. 36.

See also below: "Personnel Requirements and Security Procedures for Information Assurance."

Other Responsibilities of All Personnel

The maintenance of the confidentiality of certain records is required by laws and policies, and it is the responsibility of personnel to know, or to determine, the specific protective requirements, to understand their obligations to protect these records, and to report any suspected or realized violations.

PROCEDURAL GUIDANCE

i. Personnel understand that the confidentiality of patient records is required by law, and that there are statutes or policy reasons specifically mandating the confidentiality of, among other areas, mental health, HIV, and drug and alcohol-related treatment records. Nothing in this policy overrides other, more restrictive policies or laws governing the authorized release of confidential information. Nor should this policy be construed as prohibiting or limiting authorized responses to inquiries governed by the Public Information Act.

ii. Personnel have the responsibility to become familiar with and adhere to the laws, regulations, policies, and procedures that apply to their specific Administration, Division, Office, or Program, and to the protected information maintained thereby. Any Personnel who are unsure of their obligations under this policy are responsible for consulting their supervisor. If uncertain how to proceed in a particular situation, Personnel have the responsibility to seek instruction from their supervisor to avoid potential liability.

iii. Personnel have the responsibility to report any known or suspected violations of this policy.

Proprietary Interest Concerns of Non-protected and Protected Information

Specific Personnel shall take appropriate steps to assure the Department's proprietary interests in information are protected through legal and administrative means, and shall describe and document the qualities and limitations of DHMH information in their custody.

POLICY PROCEDURAL GUIDANCE

i. DHMH Copyright - For all non-protected and protected data formats and file configurations in which the Department has a proprietary interest, the custodian, data steward, and designated responsible party may seek copyright protection and shall assure that this proprietary information bears a legally sufficient notice or designation of copyright. This shall be coordinated with the Director of the Information Resources Management Administration and the designated member of the Attorney General's Office. (Refer to additional guidance on Copyright Basics in Attachment D.)

ii. Licensing Agreements - The custodian, data steward, and designated responsible party shall prepare a licensing agreement for all proprietary information. Each licensing agreement shall provide the following sections:
   (a) Creation of the Data Files
   (b) Grant of License
   (c) Security Requirements
   (d) Restrictions on Use
   (e) Restrictions on Derived Products
   (f) Limited Warranty and Licensee Remedies
   (g) Licensee Breach or Threatened Breach of Agreement
   (h) Fees
   (i) Authority and Acknowledgment
   (j) Laws of the State of Maryland

iii. General Information Packet and Disclaimer of Warranties - The custodian, data steward, and designated responsible party shall prepare a general information packet, including a disclaimer of warranties, for all proprietary information. Each packet shall provide a general overview and the procedures for obtaining or purchasing the data file. For example, the packet shall provide a general overview of the data fields, collection procedures, response rates, editing strategies, data file formats, security requirements, data discontinuities, and known shortcomings of questions, responses, coding, etc.

iv. Overview Documentation - The custodian, data steward, and designated responsible party shall maintain a Data System Outline that provides: (a) identification of a data set in each version, (b) classification of a data set (e.g., non-protected, protected, or proprietary), and (c) identification of individuals with key roles and responsibilities. This information shall be provided to the Information Resources Management Administration for posting and viewing by authorized DHMH personnel on the Intranet. (Refer to Attachment E.)

v. User Documentation
   (a) The custodian, data steward, and designated responsible party shall prepare user documentation, including a disclaimer of warranties, for all non-protected, protected, and proprietary computer data files.
   (b) The custodian, data steward, and designated responsible party shall provide to the Information Resources Management Administration the necessary documentation to enable the establishment of appropriate security and confidentiality protocols, data standards, and knowledge management activities. These activities shall be in accord with federal and State infrastructure goals of promoting efficiency in government and the Paperwork Reduction Act.

Authorized Collection, Maintenance, Protection, and Transfer of Information

Collection of information must be necessary, diligent, and in accord with applicable laws and regulations to protect DHMH interests and consumer rights, and information may not be transmitted electronically unless permitted by previously approved written procedures.

PROCEDURAL GUIDANCE

i. Personnel shall collect information only as necessary for the authorized conduct of State business and in accord with existing laws, regulations, and policies.

ii. Personnel shall ensure that all individuals are informed of the legal authorization or specific purpose, the intended use, and the right to refuse to provide, without penalty, any information the collection of which is not mandated by law.

iii. DHMH websites may not collect personal information without notice about how the information is being used. Links to the current version of the DHMH standard Website Terms of Use/Privacy Statement shall be provided from all Department or Department-related pages. Personal information collected from websites shall be collected and protected from disclosure in accordance with SG §§ 10-624 and 10-626 or other more restrictive federal or State law, regulation, or policy, or applicable DHMH policy.

iv. Personnel may not misuse or carelessly handle information, or fail to safeguard protected information, pursuant to this policy and other federal or State laws, regulations, or policies, or applicable DHMH policy.

v. Personnel shall comply with all administrative, technical, and procedural policies, physical safeguards, and security standards established to protect DHMH information and to prevent unauthorized access. (Refer to the Examples of Standard Security Procedures for Protected or Proprietary Information in Attachment A.)

vi. Except in the authorized conduct of State business and as provided by laws, regulations, policies, or applicable DHMH policy and procedures designed to minimize unauthorized access to protected or proprietary information, Personnel shall not release, share, disclose, copy, alter, or destroy any information.

vii. State personnel may not electronically transfer protected or proprietary information to any unauthorized person, including unauthorized Personnel. (Refer to DHMH 02.01.01 - Policy on the Use of DHMH Electronic Information Systems.) Because of the increased possibility of breaches of confidentiality, electronic transfer requires written procedures in accordance with DHMH policy and Information Resources Management Administration (IRMA) approval as necessary.

Passwords

The use and protection of passwords is required, and must follow DHMH and other applicable guidelines or requirements.

PROCEDURAL GUIDANCE

i. Personnel shall be responsible for safeguarding and not disclosing passwords or any other data or information access authorization, in compliance with the applicable version of DHMH 02.01.01 - Policy on the Use of DHMH Electronic Information Systems. Actions that may result in violations or breaches of confidentiality may result in disciplinary, civil, and criminal consequences for the responsible Personnel.

ii. Personnel understand that passwords are the property of DHMH and may, along with access privileges, be revoked at any time. User IDs/passwords shall be inactivated upon notification of separation from service, loss of DHMH access privileges, or when job duties no longer require access to that data system(s). Any subsequent attempt to access a data system shall be deemed unauthorized.

Encryption

The use of approved encryption schemes is required when transferring certain information, as detailed in DHMH 02.01.01 and other applicable guidelines or requirements.

PROCEDURAL GUIDANCE

i. Personnel shall be responsible for using and safeguarding DHMH-authorized encryption schemes when handling or transferring protected or proprietary information, as detailed in DHMH 02.01.01 - Policy on the Use of DHMH Electronic Information Systems.

ii. Encryption of information is required under certain circumstances when using portable or off-premise data processing equipment, whether or not the equipment used is State property. (DHMH Laptop Protocol, IRMA Document)

Authorized Release of Non-protected Information and Associated Communications with the Public

Specific Personnel shall classify information in their custody, authorize certain personnel and procedures to prevent unintended disclosure, and facilitate and clarify the decision-making processes related to release or sharing.

POLICY PROCEDURAL GUIDANCE

i. The custodian, data steward, and designated responsible party shall establish written policies that clearly identify non-protected information, the procedures by which a member of the public can access or acquire this information, and the formats and charges for this information.

ii. Absent Department policy or guidelines, the custodian, data steward, and designated responsible party shall establish written procedures for communications with the public and the media. These procedures shall identify the individuals authorized to release non-protected information.

iii. The release of public information must follow applicable laws, regulations, or other requirements, including those concerning DHMH copyrighted material or matters. Information in any form or format in which the Department has a proprietary interest established through a copyright may not be released as non-protected.

iv. Authorized Personnel may release non-protected (public) data or information; however, the release shall follow all laws, regulations, and applicable written release and communication policies and procedures. (Refer to DHMH Media Protocol 6/99, Attachment C, and as updated periodically.)

v. The custodian, data steward, and designated responsible party shall ensure the de-identification of data by redaction (removing all explicit individual identifiers) and, as appropriate, by preparing data so that it is not easily associated with an identifiable individual (e.g., aggregating data to satisfy bin/cell size requirements, changing singletons to median values, inserting complementary records, generalizing codes, swapping entries, scrambling records, suppressing and encrypting fields, and other appropriate and recognized confidentiality procedures).

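The de-identification steps named in item v. above (redaction of explicit identifiers, generalizing codes, and aggregating to a minimum bin/cell size with suppression of small cells) carried out on a small record set, as an added example that is not part of the original guidelines or any DHMH tooling. The records, field names, ZIP codes, and diagnosis codes are constructed sample data, and the minimum cell size of 5 is an assumed threshold; the actual DHMH cell-size requirement is not stated on this page.

```python
"""Added example (not DHMH's own code): de-identification of a record set by
redaction, generalization, and small-cell suppression, following item v. above.
All data below is constructed sample data, and the cell-size threshold is assumed."""
from collections import Counter

# Explicit individual identifiers that redaction removes outright (assumed field names).
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "street"}

MIN_CELL_SIZE = 5  # assumed bin/cell size requirement; DHMH's actual threshold is not on this page

# Constructed, fictional records: quasi-identifiers (zip, age) plus a diagnosis code (dx).
SAMPLE_RECORDS = [
    {"name": "Person 1", "ssn": "000-00-0001", "zip": "21201", "age": 34, "dx": "F32"},
    {"name": "Person 2", "ssn": "000-00-0002", "zip": "21202", "age": 31, "dx": "F32"},
    {"name": "Person 3", "ssn": "000-00-0003", "zip": "21205", "age": 38, "dx": "F32"},
    {"name": "Person 4", "ssn": "000-00-0004", "zip": "21210", "age": 30, "dx": "F32"},
    {"name": "Person 5", "ssn": "000-00-0005", "zip": "21215", "age": 39, "dx": "F32"},
    {"name": "Person 6", "ssn": "000-00-0006", "zip": "21217", "age": 35, "dx": "F32"},
    {"name": "Person 7", "ssn": "000-00-0007", "zip": "21201", "age": 45, "dx": "F32"},
    {"name": "Person 8", "ssn": "000-00-0008", "zip": "21202", "age": 41, "dx": "F32"},
    {"name": "Person 9", "ssn": "000-00-0009", "zip": "21030", "age": 33, "dx": "E11"},
]


def redact(record):
    """Redaction: drop every explicit individual identifier from the record."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record):
    """Generalize quasi-identifiers so each value matches more people: 5-digit ZIP -> 3-digit
    prefix, exact age -> 10-year band. Returns a new dict; the input is not modified."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    low = (record["age"] // 10) * 10
    out["age"] = f"{low}-{low + 9}"
    return out


def aggregate(records, min_cell=MIN_CELL_SIZE):
    """Aggregate to counts per (zip3, age band, dx) cell and suppress cells whose count falls
    below min_cell. A suppressed cell is reported as None, never as the small count itself."""
    counts = Counter((r["zip"], r["age"], r["dx"]) for r in records)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


def deidentify(records, min_cell=MIN_CELL_SIZE):
    """Full pipeline: redact -> generalize -> aggregate with suppression."""
    return aggregate([generalize(redact(r)) for r in records], min_cell)


def release_is_safe(table, min_cell=MIN_CELL_SIZE):
    """Pre-release check on any count table: no released (non-None) count may be below min_cell."""
    return all(n is None or n >= min_cell for n in table.values())


if __name__ == "__main__":
    table = deidentify(SAMPLE_RECORDS)
    for cell, n in sorted(table.items()):
        print(cell, "suppressed" if n is None else n)
    print("safe to release:", release_is_safe(table))
```

Note that `aggregate` performs primary suppression only: if row or column totals for the same table are also released, a single suppressed cell can be recovered by subtraction, which is why item v. also lists complementary records, swapping, and similar measures; those are applied on top of this step, and `release_is_safe` is the last check before any count table leaves the custodian's hands.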
Unauthorized Sharing of Protected and Proprietary Information

DHMH protected or proprietary information resources may be shared with others if necessary and appropriate, in accordance with an explicit written understanding, but may not be physically or electronically removed or shared without appropriate authorization.

PROCEDURAL GUIDANCE

i. Personnel shall not share protected or proprietary information in any form or format with other DHMH Personnel, State agencies, or outside parties unless the information is necessary for the legal conduct of lawful State business, the individual is authorized to receive the information, and the sharing is made pursuant to a formal Memorandum of Understanding (Work for Hire or Chain of Trust Agreement) or Contract that is in accord with applicable federal and State laws, regulations, and policies, and DHMH policy.

ii. Personnel may not remove protected or proprietary information (in electronic, paper, or other format) from DHMH premises unless authorized to do so by the assigned custodian or designated responsible party for official business purposes. Special custody provisions shall be observed at all times, which include, but are not limited to, those identified in Attachment A, the DHMH Laptop Protocol, or other applicable DHMH policies, protocols, and procedures.

Unauthorized Disclosure of Protected and Proprietary Information

DHMH protected or proprietary information may be disclosed to others, if necessary and appropriate, only if authorized by the official custodian of record or designee.

PROCEDURAL GUIDANCE

i. Only a custodian or a designated responsible party is officially authorized to disclose or direct the disclosure of protected or proprietary information.

ii. Ownership of Protected and Proprietary Information - DHMH 02.01.01 - Policy on the Use of DHMH Electronic Information Systems states that the Department has a proprietary interest in maintaining the integrity of its State-owned systems, software, and related data and information. Furthermore, any and all information, as well as the media, database structure, and architecture, transmitted by, received from, or stored therein is the property of the Department.

Authorized Sharing of Protected or Proprietary Information

Specific Personnel shall establish and follow written procedures that hold all subsequently approved users to the same Department and/or other requirements and responsibilities for the sharing and life-cycle management of certain information with internal and external entities, including strict adherence to rules that require submission to an Institutional Review Board.

POLICY PROCEDURAL GUIDANCE

i. In accord with this policy, the custodian, data steward, and designated responsible party shall establish written procedures and shall execute a Memorandum of Understanding for the legal sharing of protected or proprietary information with another authorized unit, subdivision, agency, Department, etc. of the State.

ii. The Memorandum of Understanding shall identify the individuals authorized to transfer and receive the protected or proprietary information, the applicable security and confidentiality requirements, the procedures for the return or destruction of DHMH protected or proprietary information, and data remanence eradication.

iii. When protected data are requested for the purpose of conducting additional research involving human subjects (refer to DHMH Policy 11100), the approval of the appropriate authorized Institutional Review Board shall be obtained by the custodian, data steward, and designated responsible party prior to the development of a Memorandum of Understanding and the conveyance of any confidential research data.

Authorized Disclosure of Protected and Proprietary Information

Specific Personnel, as defined in this policy, are permitted to disclose protected or proprietary information only if the requirements of this policy, or other more stringent requirements, are met before such disclosure.

POLICY PROCEDURAL GUIDANCE

i. Only a custodian, a data steward, or a designated responsible party is officially authorized to disclose or direct the disclosure of protected or proprietary information. The disclosure must be necessary for the conduct of authorized State business or made with the express written consent of the person in interest (client, patient, Personnel, etc.).

ii. A custodian, data steward, or designated responsible party shall, before disclosure, verify that the individual obtaining the information is authorized to receive protected or proprietary information pursuant to a properly executed Memorandum of Understanding or contract that is in accord with applicable federal and State laws, regulations, and policy, and DHMH policy.

iii. A custodian, a data steward, or a designated responsible party shall be responsible for ensuring that disclosure of protected or proprietary information that is delegated to staff is performed in compliance with DHMH policy or other more restrictive federal or State laws, regulations, or policies.

iv. DHMH Contracts & Memoranda of Understanding - In order to protect DHMH, maintain ownership and rights in data, and establish liability for security and inappropriate or unlawful disclosure, the custodian, data steward, and designated responsible party shall ensure the language provided in Attachment B is incorporated into all DHMH contracts and Memoranda of Understanding. All disputes shall be handled by a specified member of the Attorney General's staff, and any waivers shall require written approval from the Secretary or the Secretary's designee.

v. The Institutional Review Board (IRB) -

   (a) The custodian, data steward, and designated responsible party shall ensure that data requests for confidential research data have been referred to the appropriate authorized IRB for review prior to disclosure of any information. An authorized DHMH Institutional Review Board shall review and approve all proposed research projects (including those submitted by another unit of State government) which entail DHMH funding, confidential research data, or involvement in human subject research, in accord with applicable federal and State laws, regulations, and policies and DHMH policies. Projects involving data collection in which there is identifiable linkage to the subject, or involving physical, social, psychological, or privacy risks to the subject, require IRB review. The IRB is charged with the responsibility of determining if a project qualifies as being exempt from its review requirements.

   (b) The Custodian of Record or designee may disclose protected information to a researcher for a stated research purpose provided that prior approval of the appropriate authorized DHMH Institutional Review Board has been obtained and the researcher agrees to comply with all applicable protections for security, confidentiality, and privacy specified by this policy or other more restrictive federal or State laws, regulations, policies, and other Department policies, protocols, and procedures.

   (c) The custodian may deny inspection of a public record that contains the specific details of a research project that an institution of the State or a political subdivision is conducting, except for name, title, expenditures, and the date when the final project summary will be available, in accord with SG § 10-618(d).

Procurement & Contract Monitoring

Specific Personnel involved in the preparation and monitoring of DHMH contracts and memoranda of understanding (MOU) shall ensure that vendors, agents, or other entities who provide work-for-hire or in-kind service understand and comply with all applicable requirements for the protection of DHMH information when shared, maintained, changed, or developed.

PROCEDURAL GUIDANCE

i. Personnel involved in contract and MOU preparation shall ensure that all applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures for electronic information system security and confidentiality requirements are sufficiently detailed in each solicitation issued and contract awarded.

ii. Personnel involved in contract and MOU preparation shall include a statement in the RFP/RFB requiring offerors to present for approval, in their proposals, a detailed outline of their present or proposed electronic information systems security and confidentiality procedures.

iii. Personnel involved in contract and MOU preparation shall include a statement in the RFP/RFB that offerors are required to comply with the Statement of Work (SOW) and with all DHMH electronic information systems security and confidentiality requirements.

iv. Personnel involved in contract and MOU preparation shall furnish to offerors who respond to the RFP/RFB copies of the applicable federal and State laws, regulations, and policies, and Department policies, protocols, and procedures, including this policy.

v. DHMH contract monitors shall forward to the DHMH Information Assurance Coordinator copies of any forms required in the RFP/RFB that were obtained from the successful bidder to verify personnel security clearances (e.g., staff working on the project).

vi. DHMH contract monitors shall ensure the contractor's compliance with the security and confidentiality requirements, and shall ensure that the technical evaluation reports either detail any electronic information system security deficiencies or confirm that the proposals are in compliance with the requirements.

vii. DHMH contract monitors shall ensure compliance with the DHMH (Service Contracts) Procurement Manual and other applicable State, Department, and federal policies and procedures.

Enforcement and Compliance Responsibility for Personal Access and Use

Persons designated or acting in the capacity of a custodian, data steward, designated responsible party, database administrator, or network (system) administrator (hereafter referred to in this policy as Specific Personnel) shall be responsible for taking any and all reasonable, appropriate, and legal steps to ensure the compliance of Personnel with the terms of this policy.

Disciplinary, Civil, and Criminal Consequences

Violation of this policy may result in disciplinary action up to and including separation from State service, and may include civil or criminal penalties. These remedies include but are not limited to those specified in SG § 10-626 through § 10-628, HG § 4-309, and Crimes and Punishments Article 27, § 45A.

Personnel
Requirements and Security Procedures for Information Assurance
- Specific Personnel are directed to take measures as
required or directed to assure appropriate Personnel, Department, and other required
practices are followed, and to report any known or suspected violations throughout the
lifecycle of DHMH information in their custody.
-
-
POLICY PROCEDURAL GUIDANCE
-
- i. The custodian, data steward, designated responsible
party, database administrator, and network (system) administrator(s) shall be responsible
to ensure compliance with the terms of this policy.
This includes but is not limited to monitoring Personnel practices and reporting
known or suspected breaches of confidentiality as required by DHMH policy and written data
system procedures.
-
- ii. The custodian, data steward, designated
responsible party, database administrator, and network (system) administrator(s) shall
ensure compliance with approved practices for the electronic transfer of information in
accordance with DHMH policy or with approval of the Director of the Information Resources
Management Administration or designee.
-
- iii. The custodian, data steward, designated
responsible party, database administrator, and network (system) administrator(s) shall be
responsible for conducting monthly access reviews.
These reviews are to ensure that only authorized Personnel with a continued need to
access protected information for the lawful conduct of State business may have access to
all or part of any DHMH data system. Each
access review shall include, but not be limited to, an
examination of:
- (a) Personnel separated from State service
- (b) Compliance with encryption, monthly password changes
and other security measures
- (c) Investigations of reported breaches of security
and confidentiality, and
- (d) Compliance with retrieval or destruction of
protected information in accord with contracts or Memoranda of Understanding.
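The review in item iii is a recurring procedure, so it is worth showing what the "separated personnel" and "monthly password change" checks look like when run over an account export. The block below is an added example written for this page; it is not a DHMH tool, and the account list, the separation list, the 31-day password age and the 90-day dormancy threshold are all constructed assumptions (the policy fixes only the monthly password change; the dormancy check is an added illustration of "continued need to access").

```python
"""Monthly access review over a constructed account export (added example).

Implements the item iii checks (a) separated personnel and (b) monthly
password changes, plus an assumed dormancy check. All data below is
constructed for illustration; none of it comes from a real DHMH system.
"""
from datetime import date
from typing import Dict, List, Optional, NamedTuple, Tuple

REVIEW_DATE = date(2024, 6, 1)     # constructed review date
MAX_PASSWORD_AGE_DAYS = 31         # "monthly password changes" from the policy
DORMANT_AFTER_DAYS = 90            # assumed threshold, not stated in the policy


class Account(NamedTuple):
    """One row of a hypothetical account export from a DHMH data system."""
    user: str
    enabled: bool
    pw_changed: date                # last password change
    last_login: Optional[date]      # None if the account has never logged in
    systems: Tuple[str, ...]        # data systems the account can reach


# Constructed account export (hypothetical users and dates).
ACCOUNTS: List[Account] = [
    Account("jdoe",   True,  date(2024, 5, 20), date(2024, 5, 2),  ("vitalstats",)),
    Account("asmith", True,  date(2024, 3, 15), date(2024, 5, 30), ("medicaid", "hr")),
    Account("bjones", False, date(2024, 1, 1),  None,              ("medicaid",)),
    Account("cwong",  True,  date(2024, 5, 25), date(2024, 1, 15), ("vitalstats",)),
    Account("dlee",   True,  date(2024, 5, 28), date(2024, 5, 31), ("hr",)),
]

# Constructed HR separation list: user -> separation date.
SEPARATED: Dict[str, date] = {
    "jdoe": date(2024, 5, 3),
    "bjones": date(2024, 2, 1),
}

Finding = Tuple[str, str, str]  # (user, check, detail)


def review_access(accounts: List[Account],
                  separated: Dict[str, date],
                  today: date = REVIEW_DATE) -> List[Finding]:
    """Return findings for every enabled account that fails a review check.

    Disabled accounts are skipped: the point of check (a) is to catch
    separated staff whose access was never removed.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.user in separated:
            findings.append((acct.user, "separated_still_enabled",
                             f"separated {separated[acct.user]}"))
        pw_age = (today - acct.pw_changed).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user, "stale_password",
                             f"{pw_age} days since last change"))
        if acct.last_login is None:
            findings.append((acct.user, "dormant_account", "never logged in"))
        elif (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((acct.user, "dormant_account",
                             f"{(today - acct.last_login).days} days since last login"))
    return sorted(findings)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check, for the written review record."""
    counts: Dict[str, int] = {}
    for _, check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    for user, check, detail in review_access(ACCOUNTS, SEPARATED):
        print(f"{user:8} {check:24} {detail}")
    print(summarize(review_access(ACCOUNTS, SEPARATED)))
```

The separation list is the authoritative input for check (a); the review is only as good as the HR feed it joins against, so the reviewer should also confirm that the feed itself is current before signing the monthly record.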
-
- iv. The custodian, data steward, and designated
responsible party shall be responsible, together and separately, for ensuring that all
Public Information Act (PIA) requests are reviewed, researched, and receive a written
response.
-
- v. In accord with SG §
10-631 through § 10-634
and DHMH Policy 02.03.07 - Policy on the Management of Records, the custodian, data steward, and designated
responsible party shall ensure that all record and non-record material, in any format, both
electronic and/or paper, containing protected or proprietary information that is remanded
for retention or disposal is maintained with requisite security.
-
- vi. In accord with SG 10-624(b), the custodian, data
steward, and designated responsible party shall prepare and submit an annual report to the
Secretary of General Services on any data set that keeps personal records.
-
- vii. The custodian, data steward, and designated
responsible party shall ensure compliance with all applicable federal or State laws,
regulations, or policies and the DHMH policy, protocols, and procedures for data remanence
eradication.
-
-
IV. REFERENCES
-
- Governor's Executive Order 01.01.1983.18 - State
Data Security Committee, State Agency Information Security Practices
-
- Article 27, Sections 45A and 146 of the Annotated
Code of Maryland
-
- Maryland Department of Budget and Fiscal Planning Manual, #95-1, Subject: Prevention
of Software Copyright Infringement, effective date: June 1, 1995
-
- DHMH Policy 02.01.02 (formerly Policy DHMH 9170)
-Policy On The Use Of And Copying Of Computer Software And The Prevention Of Computer
Software Copyright Infringement, effective May 12, 1998.
-
- DHMH Policy 02.01.01, Policy On The Use Of
DHMH Electronic Information Systems, effective June 5, 1998
-
- Other References are included in context
of this document.
-
-
-
*************
-
-
-
Approved:____________________________________________ __________________
-
Georges
C. Benjamin, M.D.
Date
-
Secretary
-
-
ATTACHMENT
A
-
-
Language
to be Incorporated in all DHMH Contracts
-
- I
Rights in Data
-
- A. Work
produced as a result of this contract with DHMH is and shall remain the sole property of
DHMH. As sole owner, DHMH shall have a
royalty-free, nonexclusive, and irrevocable license to use, duplicate, disclose in any
manner and for any purpose whatsoever, publish, translate, reproduce, deliver, perform,
dispose of, and to authorize others to do so, and have others so do, all data delivered
under this contract except where such use may contravene federal or state law.
-
- B. All
documents, equipment, and materials, including but not limited to, reports, drawings,
studies, specifications, estimates, texts, computer software including software
documentation and related materials, maps, photographs, designs, graphics, mechanicals,
artwork, computations and data prepared by or for, or purchased by or for, the vendor
because of the contract shall, at any time during the term of the contract, be available
to DHMH and shall become and remain the exclusive property of DHMH during and upon
termination or completion of the services required to be performed under the contract. DHMH shall have the right to use same without
restriction and without compensation other than that provided in the contract.
-
- C. The
vendor agrees that, at all times during the term of the contract and thereafter, the works
created and services performed shall be "works made for hire" as that term is
interpreted under U.S. copyright law. To the
extent that any products created under this contract are not works for hire for DHMH, the
vendor hereby transfers and assigns to DHMH all of its rights, title, and interest
(including all intellectual property rights) to all such products created under the
contract, and will cooperate reasonably with DHMH in effectuating and registering any
necessary assignments.
-
- D. The vendor shall exert all reasonable effort to
advise DHMH, at the time of delivery of data furnished under this contract, of all
invasions of the right of privacy contained therein and of all portions of such data
copied from work not composed or produced in the performance of this contract and not
licensed under this clause.
-
- E. The
vendor shall report to DHMH, promptly and in written detail, each notice or claim of
copyright infringement received by the vendor with respect to all data delivered under the
contract.
-
- F. The
vendor shall not affix any restrictive markings upon any data and if such markings are
affixed, DHMH shall have the right at any time to modify, remove, obliterate, or ignore
such markings.
-
- G. Equipment,
including but not necessarily limited to computers and computer software (including
software documentation and related materials), which is lent or otherwise provided to the
vendor by DHMH or which is purchased by or for the vendor with DHMH funding expressly for
purposes of accomplishing the goals set forth in this contract shall be available to DHMH
without restriction during the term of the contract and ownership of same shall remain
with DHMH during contract execution and upon termination.
-
- H. After
written request and upon receipt of express written approval of DHMH (including, but not
limited to, approval by the appropriate authorized DHMH Institutional Review Board), the
vendor may publish all or part of the findings derived from work directly resulting from
this contract, provided: 1) the State of
Maryland, Department of Health and Mental Hygiene is given credit for having funded the
project; and 2) co-authorship shall be afforded the Secretary and other staff providing
direct and substantive assistance, if so requested by DHMH.
Failure to obtain written approval may result in Institutional Review Board
sanctions, DHMH procurement sanctions, and civil or criminal penalties.
-
-
II
Patents, Copyrights, Trade Secrets, and Associated Indemnification
-
- A. If the
vendor furnished any design, device, material, process or other item which is covered by a
patent or copyright or which is proprietary to or a trade secret of another, it is solely
the responsibility of the vendor to obtain the necessary permission or license to use such
item or items.
-
- B. The
vendor will defend or settle, at its own expense, any claim or suit against the State
alleging that any such item furnished by the vendor infringes any patent, trademark,
copyright, or trade secret. The vendor also
will pay all damages and costs that by final judgement might be assessed against the State
due to such infringement and all attorney fees and litigation expenses reasonably incurred
by the State to defend against such a claim or suit.
The obligations of this paragraph are in addition to those stated in the paragraph
below.
-
- C. If any
products furnished by the vendor become, or in the vendor's opinion are likely to become,
the subject of a claim of infringement, the vendor will, at its option: a) procure for the
State the right to continue using the applicable item, b) replace the product with a
non-infringing product substantially complying with the item's specifications, or c)
modify the item so that it becomes non-infringing and performs in a substantially
similar manner to the original item.
-
- D. If the
vendor obtains or uses for purposes of this contract (or any subcontracts) any design,
device, material, process, supplies, equipment, text, instructional material, services or
other work, the vendor shall indemnify the State, DHMH, their officials, agents, and
Personnel with respect to any claim, action, cost, or judgement for patent, trademark, or
copyright infringement, arising out of the possession or use of any design, device,
material, process, supplies, equipment, text, instructional material, services or other
work covered by any contract awarded as a result of this contract.
-
-
III
Document Retention and Inspection Clause
-
- Unless specified by a document retention and
inspection clause in the contract and approved by the DHMH Information Assurance
Coordinator, the vendor shall eradicate any and all data remnants from its electronic
information systems in compliance with the stricter of DHMH policy or federal or state
laws, regulations, and policies.
-
-
IV
Transfer of Non-protected, Protected, or Proprietary Information
-
- A. The
transfer of data increases the possibility of breaches of confidentiality and, therefore,
requires written procedures in accordance with DHMH policy and Information Resources
Management Administration approval as necessary.
-
- B. The
vendor may not transfer protected or proprietary information electronically to any
unauthorized person, including unauthorized Personnel.
-
- C. The
vendor shall follow Department approved procedures for using and safeguarding DHMH
authorized encryption schemes when storing or transferring protected or proprietary information.
-
-
V
Security
- A. The
vendor shall present a detailed outline of its present or proposed electronic information
systems security and confidentiality procedures for securing DHMH non-protected,
protected, or proprietary information from unauthorized access, loss, or theft.
-
- B. The
vendor may request a copy of the applicable federal and State laws, regulations, and
policies, and Department policies, protocols, and procedures from the contract monitor.
-
- C. The
vendor shall submit to the contract monitor any required forms to verify or obtain
personnel security clearances.
-
- D. The
vendor shall comply with the Statement of Work (SOW) and with all DHMH electronic
information systems security and confidentiality requirements.
-
-
VI
Liability for Loss of Data or Breach of Confidentiality
- In the event of loss of data or records necessary for
the performance of this contract, where such loss is due to the error or negligence of the
vendor, the vendor shall be responsible, irrespective of cost to the vendor, for
recreating such lost data or records in a manner, format, and time-frame acceptable to
DHMH.
-
- Failure to secure DHMH non-protected, protected, or
proprietary information in any form or format from unauthorized access, loss, or theft is
a serious offense. Breach of non-protected,
protected, or proprietary information by the vendor or any sub-vendor shall entitle DHMH
to immediately terminate the contract upon written notice to the vendor of such breach and
to such other remedies that may result in civil or criminal penalties. Liability for breach of confidentiality or privacy
resulting from negligence, gross negligence, or failure to comply with required security
protocols by the vendor or sub-vendor shall be incurred by the vendor. Under security provisions, DHMH may retain
information on any such breach of non-protected, protected, or proprietary information by
the vendor and may use this knowledge when assessing the vendor's ability to meet the
requirements established in future contracts.
-
ATTACHMENT
B
-
-
VENDOR ACKNOWLEDGMENT
AND CONFIDENTIALITY STATEMENTS
-
-
The vendor,
by signature of an authorized agent below, acknowledges receipt and review of the
Department of Health and Mental Hygiene policy governing Rights in Data; Patents,
Copyrights, Trade Secrets, and Associated Indemnification; Document Retention and
Inspection Clause; Transfer of Non-protected, Protected, or Proprietary Information;
Security; and Liability for Loss of Data or Breach of Confidentiality, and consents to
comply with this policy and to abide by the consequences should a breach of this policy
occur. More specifically, the vendor agrees
as follows:
-
-
All
non-protected, protected or proprietary information obtained, gathered, produced, or
derived from or in connection with the contract shall remain confidential and shall be
released by the vendor only with advance, specific, written permission of DHMH. Failure of the vendor or any sub-vendor to obtain
written approval shall entitle DHMH to immediately terminate the contract upon written
notice to the vendor of such breach and to such other remedies that may result in
Institutional Review Board sanctions, DHMH procurement sanctions, and civil or criminal
penalties.
-
-
All
non-protected, protected, or proprietary information obtained may be used only to assist
the vendor in the performance of its duties and responsibilities under the contract. The vendor will not, at any time, use the data or
information in any fashion, form, or manner except in furtherance of the duties of the
vendor in its capacity as an independent vendor to DHMH under the contract.
-
- The vendor
agrees to maintain the confidentiality of all non-protected, protected, or proprietary
information in the same manner that the confidentiality of the vendor's proprietary products of like kind is protected and in accord
with DHMH policy.
-
-
DHMH
protected, or proprietary information may not be copied or reproduced without DHMH advance
written consent.
-
-
All
non-protected, protected, or proprietary information made available to the vendor in any
form or format, including copies thereof, shall be returned to DHMH upon the first to
occur of (1) completion of the project or (2) request of DHMH.
-
- The foregoing
shall not prohibit or limit the vendor's use of the non-protected, protected, or proprietary information
(including, but not limited to, data, ideas, concepts, know-how, techniques, and
methodologies) (1) previously known to it, (2) independently developed by it, (3) acquired
by it from a third party, or (4) which is or becomes part of the public domain through no
breach of this contract by the vendor.
-
-
The Vendor
Acknowledgment and Confidentiality Statement shall become effective as of the date that
non-protected, protected, or proprietary information is first made available to the vendor
and shall survive the contract and be a continuing requirement. This statement is incorporated into and made a
part of the contract for all purposes.
-
-
Vendor &
Address_________________________________________ Vendor
Phone:_____________
- Signature of
Vendor: ______________________________________ Date:________________
-
-
ATTACHMENT C
-
- Language
to be Incorporated in all DHMH
Memoranda of
Understanding
-
-
I
Rights in Data
-
- A. Work
produced as a result of this agreement with DHMH is and shall remain the sole property of
DHMH. As sole owner, DHMH shall have a
royalty-free, nonexclusive, and irrevocable license to use, duplicate, disclose in any
manner and for any purpose whatsoever, publish, translate, reproduce, deliver, perform,
dispose of, and to authorize others to do so, and have others so do, all data delivered
under this agreement except where such use may contravene federal or state law.
- B. All
documents, equipment, and materials, including but not limited to, reports, drawings,
studies, specifications, estimates, texts, computer software including software
documentation and related materials, maps, photographs, designs, graphics, mechanicals,
artwork, computations and data prepared by or for, or purchased by or for, the vendor
because of the agreement shall, at any time during the term of the agreement, be available
to DHMH and shall become and remain the exclusive property of DHMH during and upon
termination or completion of the services required to be performed under the agreement. DHMH shall have the right to use same without
restriction and without compensation other than that provided in the agreement.
-
- C. The
vendor agrees that, at all times during the term of the agreement and thereafter, the
works created and services performed shall be "works made for hire" as that term
is interpreted under U.S. copyright law. To
the extent that any products created under this agreement are not works for hire for DHMH,
the vendor hereby transfers and assigns to DHMH all of its rights, title, and interest
(including all intellectual property rights) to all such products created under the
agreement, and will cooperate reasonably with DHMH in effectuating and registering any
necessary assignments.
-
- D. The
vendor shall exert all reasonable effort to advise DHMH, at the time of delivery of data
furnished under this agreement, of all invasions of the right of privacy contained therein
and of all portions of such data copied from work not composed or produced in the
performance of this agreement and not licensed under this clause.
-
- E. The vendor shall report to DHMH, promptly and in
written detail, each notice or claim of copyright infringement received by the