Research Streamlining Initiative FAQs

Q1:

What is the goal of the Research Streamlining Initiative?

A:

The Defense Health Agency Privacy and Civil Liberties Office oversees the protection of personally identifiable information, including protected health information, within the DHA and safeguards its use and disclosure. The goal of the Research Streamlining Initiative is to make the DHA Privacy Office data sharing process more efficient when data managed by DHA (DHA data) is sought for the purpose of conducting research, while still maintaining uniform and compliant Health Insurance Portability and Accountability Act reviews of data requests. The expected outcome is a decrease in the amount of time required to obtain a data sharing agreement.

Q2:

How will the Research Streamlining Initiative save time?

A:

Currently, for studies involving the use or disclosure of data managed by the Defense Health Agency (DHA data), the DHA Data Evaluation Workgroup reviews each study, works with the data requestor to ensure the data request meets the minimum necessary standard, and determines the type of data being requested. In addition, for data requests involving protected health information, the DHA Privacy Board conducts a Health Insurance Portability and Accountability Act Privacy Rule review or conducts an administrative review if a HIPAA Privacy Rule review has already been conducted by an Institutional Review Board. The DHA Privacy Board also conducts a HIPAA Privacy Rule review for studies intending to put PHI or a limited data set into a research repository for future research use.

Under the Research Streamlining Initiative, Department of Defense IRBs will ensure that research studies meet the minimum necessary standards and make the data determinations currently being made by the DEW. The DOD IRBs will also conduct the HIPAA Privacy Rule reviews for all studies requesting PHI and studies intending to put PHI or an LDS into a research repository. DOD IRBs will be able to make these determinations at the same time they conduct Common Rule reviews of non-exempt studies. For studies considered exempt under the Common Rule, since HIPAA does not allow exemption, DOD IRBs or Exemption Determination Officials will still be required to conduct data determinations of any study requesting DHA data. DOD IRBs will be required to conduct HIPAA Privacy Rule reviews of any study requesting PHI or intending to put PHI or an LDS into a research repository. One exception is when a non-DOD IRB has reviewed a study involving a request for DHA data and has approved a waiver of HIPAA Authorization, and the study does not include a plan to put the DHA data into a repository.

DOD IRBs will document their findings on the Institutional Review Board HIPAA Compliance Review Findings on Data Requests (IRB Findings Document), which the researchers will submit to the DHA PCLO with their data sharing agreement applications as documentation of the data determinations and HIPAA Privacy Rule reviews. The DHA PCLO will accept the data and documentation determinations made by the IRBs and will not conduct an administrative review of the IRBs' findings. Eliminating reviews by the DEW and the DHA Privacy Board will result in significant time savings in the overall DSA review process.

Q3:

Why is a Data Sharing Agreement required?

A:

The Defense Health Agency Privacy and Civil Liberties Office uses the DSA as an administrative control to document that the requested use of data managed by DHA (DHA data) complies with federal privacy laws and Department of Defense privacy policies. As part of the data sharing program, the DHA Privacy Office reviews data requests for compliance with privacy and security laws as well as DOD policies and obtains assurances from data requestors that they will protect DHA data in accordance with the requirements. As part of the assurances provided in the DSA, both the recipient of DHA data and the DOD sponsor must agree to meet a list of documented responsibilities related to the management of the DHA data.

Q4:

When is a Data Sharing Agreement required by researchers?

A:

Contractors and non-government researchers or public health officials or agents seeking to obtain data managed by the Defense Health Agency (DHA data), as well as government personnel conducting research, are required to obtain an approved DSA.

Q5:

Is a Data Sharing Agreement required for process improvement, quality improvement, or other evidence-based projects within the Department of Defense that are not research?

A:

It depends. The Health Insurance Portability and Accountability Act Privacy Rule permits a covered entity’s workforce members to use and disclose protected health information for healthcare operations, including quality and process improvement activities that are necessary to support business activities as part of their work functions. Therefore, Military Health System workforce members may use and disclose PHI for HCO activities to support the mission of MHS without submitting a Data Sharing Agreement Application to the Defense Health Agency Privacy and Civil Liberties Office. However, when HCO activities are conducted by contractors providing a service to the MHS, the contractors are considered business associates under HIPAA and they would be required to submit a DSAA to the DHA Privacy Office for approval to receive any data managed by DHA before the work begins.

Q6:

Is Health Insurance Portability and Accountability Act Privacy Rule review required for public health surveillance activities?

A:

It depends. The HIPAA Privacy Rule permits covered entities to disclose protected health information, without an authorization, to public health authorities who are legally authorized to receive such information for public health purposes. Therefore, if the Human Research Protection Program determines that the activity is for public health surveillance and not research, the data request may be permitted under the HIPAA public health exception if the data request is from an officially designated public health authority, or a public health official or agent working on behalf of a public health authority.  If a data request is not from a public health authority or official, then the data request would not be permitted under the HIPAA public health exception. The data request would instead fall under the HIPAA research exception regardless of whether the Common Rule review determines it is public health surveillance and would require an Institutional Review Board member to conduct the data determination and HIPAA Privacy Rule review under the Research Streamlining Initiative delegation of these reviews to IRBs.

Non-Department of Defense public health authorities or contractors acting as agents to any public health authority must submit a Data Sharing Agreement Application to the Defense Health Agency Privacy and Civil Liberties Office for other compliance reviews, such as Privacy Act and security reviews. DOD employees acting on behalf of a public health authority are not required to submit a DSAA to the DHA PCLO. 

Within the DOD, DHA Office of General Counsel has given approval for the designation of public health authorities. Contact the DHA PCLO at [email protected] for assistance determining if a data requester is an officially designated public health authority or is acting on behalf of a public health authority.

Q7:

Can a Memorandum of Agreement or a Memorandum of Understanding be used in place of a Data Sharing Agreement?

A:

No. An MOA and an MOU cannot be used in place of a DSA. Pursuant to Department of Defense Instruction 4000.19, Support Agreements, an MOU and MOA are types of support agreements to be used as explained in DODI 4000.19. A DSA is a Defense Health Agency Privacy and Civil Liberties Office administrative control used to document that the request for data managed by DHA (DHA data) complies with federal privacy laws and DOD privacy issuances. Researchers and government contractors as well as public health officials or agents seeking to use DHA data must submit a data sharing agreement application regardless of whether they have a support agreement that is an MOU or MOA.

Q8:

How do I apply for a Data Sharing Agreement?

A:

A DSA is requested by submitting a completed and signed DSA Pre-Requisites Checklist and a Data Sharing Agreement Application endorsed by both the applicant and the Department of Defense Sponsor to the Defense Health Agency Privacy and Civil Liberties Office via email at [email protected]. Refer to the Data Sharing Agreements website for additional information.

Q9:

What is data managed by the Defense Health Agency, and how do I know if the data request involves data managed by DHA (DHA data)?

A:

Data managed by the DHA, commonly referred to as DHA data, is data maintained on DHA systems or systems that are determined to fall under the purview of the DHA Chief Information Officer. The DHA Privacy and Civil Liberties Office has a list of frequently accessed systems that contain DHA data to assist data requestors in determining whether data are DHA data. If the data request includes data from an information system not on the list, the Data Sharing Agreement Application Applicant or Department of Defense Sponsor must ask DHA Cybersecurity Division whether the information system is one managed by DHA.

Q10:

Will a Data Sharing Agreement Application still need to be submitted to the Defense Health Agency Privacy and Civil Liberties Office for studies after the Research Streamlining Initiative is implemented?

A:

Yes. In addition to verifying compliance with the Health Insurance Portability and Accountability Act Privacy Rule and Department of Defense Manual 6025.18, the DHA PCLO is responsible for verifying compliance with other privacy laws and policies, such as the Privacy Act of 1974 and DOD Regulation 5400.11, Department of Defense Privacy Program. Also, if digital DHA data is being stored on a non-federal information system, a HIPAA Safeguards Review (previously known as a System Security Verification) must be conducted to ensure the system on which the data is being stored meets DOD security requirements. For these reviews to be conducted, a DSAA must be submitted to the DHA PCLO.

Q11:

Can I start my project before I receive an approved Data Sharing Agreement (DSA) from the Defense Health Agency Privacy and Civil Liberties Office (DHA PCLO)?

A:

No. Researchers may not start research activities that involve the use of data managed by DHA until the researchers have an approved DSA for the research. Without the approved DSA, the use of the DHA data may violate privacy and/or security regulatory requirements as the DSA process involves several compliance reviews. These violations may potentially constitute a breach.

Q12:

Where can I find Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule compliant templates?

A:

The Defense Health Agency’s (DHA’s) HIPAA templates are available on the DHA Privacy and Civil Liberties Office website (https://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties).  The templates are also available in the help section of the Electronic Institutional Review Board (EIRB) system.  They can be accessed by clicking on the orange question mark in the upper right corner of any screen in EIRB and going to Section e.

Q13:

Can I use Health Insurance Portability and Accountability Act (HIPAA) templates that are not provided by the Defense Health Agency (DHA) Privacy and Civil Liberties Office (PCLO)?

A:

It depends. For consistency and ease of review, the DHA PCLO requires the use of DHA’s HIPAA Authorization template to obtain data managed by DHA (DHA data). DHA’s HIPAA Authorization template is HIPAA compliant and, therefore, reduces the potential for non-compliance. The DHA HIPAA Authorization template also facilitates uniform reviews and documentation throughout the Department of Defense (DOD). If a researcher has obtained a HIPAA Waiver of Authorization from a non-DOD Institutional Review Board (IRB) and the researcher does not intend to put the DHA data into a repository, the DHA PCLO will accept the non-DOD IRB Waiver of Authorization, but the researcher must provide a completed and signed IRB Waiver of HIPAA Authorization Certification from the non-DOD IRB confirming that the Waiver of Authorization is HIPAA compliant.

Q14:

Will protocols that are not subject to Institutional Review Board (IRB) review (e.g., exempt studies) and that are requesting data managed by the Defense Health Agency (DHA data) now require a review by an IRB?

A:

It depends. The Common Rule (2018 Requirements) allows exemption for research that involves the use of protected health information when that use is regulated under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements for the use of PHI. If DHA data is requested for a study that is exempt under the Common Rule, a data determination must be made.  An Exemption Determination Official (EDO) may make a data determination using the EDO Data Determination Template.  If the EDO determines that the data is PHI, the EDO must send the study to a Department of Defense (DOD) IRB for a HIPAA Privacy Rule review because only IRBs and HIPAA Privacy Boards, set up in compliance with the HIPAA Privacy Rule 45 C.F.R. section 164.512 (i)(1)(i)(B) and DOD Manual 6025.18 paragraph 4.4.i.(1)(a)2, may conduct HIPAA Privacy Rule reviews. Therefore, if PHI is requested for a study that is exempt under the Common Rule, a DOD IRB will have to review the study to conduct a HIPAA Privacy Rule review.  Review by a fully convened IRB or HIPAA Privacy Board is not required.  The Chair or a designated board member can conduct the necessary review.   

Q15:

Can my institution’s Privacy Officer approve a Health Insurance Portability and Accountability Act (HIPAA) Waiver of Authorization?

A:

It depends. HIPAA only allows Institutional Review Boards (IRBs) and HIPAA Privacy Boards to conduct HIPAA Privacy Rule reviews.  If the Privacy Officer is a member of the IRB or HIPAA Privacy Board, set up in compliance with the HIPAA Privacy Rule 45 C.F.R. section 164.512 (i)(1)(i)(B) and Department of Defense Manual 6025.18 paragraph 4.4.i.(1)(a)2, the Privacy Officer can conduct a HIPAA Privacy Rule review and approve a HIPAA Waiver of Authorization.  Otherwise, the institutional Privacy Officer cannot conduct a HIPAA Privacy Rule review.
