Military Health System

Data Sharing Agreements

The DHA Privacy and Civil Liberties Office (PCLO) is responsible for ensuring that the release of DHA data complies with federal privacy laws, regulations, and Department of Defense (DOD) policies. This includes the disclosure of data to a research repository. In general, a Data Sharing Agreement (DSA) is an administrative control used by DHA to document that the requested use of data is in compliance with the previously mentioned Federal laws and DOD policies. The DSA:

  • Documents the responsibilities of the requestors, including the Government Sponsor and Applicant/Recipient
  • Confirms that DHA data will be used as permitted or required
  • Exercises administrative, technical, and physical safeguards to protect the privacy of PHI, as required by the Health Insurance Portability and Accountability Act (HIPAA)
  • Determines the HIPAA-defined category of data intended for use (i.e., protected health information (PHI), a limited data set, or de-identified PHI)
    • HIPAA permits a covered entity to use or disclose a limited data set (LDS) for research, public health, or health care operations purposes
  • Maintains records to confirm compliance in case of an investigation

Note that the DHA PCLO does not provide data extractions or grant system access. The System Managers who grant access to data require a DSA.

Who Needs a Data Sharing Agreement?

A DHA DSA or Data Use Agreement (DUA) is needed if contractors or non-government researchers seek to obtain Military Health System (MHS) data, managed by DHA, to perform a government-sponsored initiative. Government personnel conducting research may also need to obtain a DHA DSA or DUA. These individuals are required to submit a DSA Application, which must be approved before a DSA will be executed.

A DSA is not required for those requesting De-identified Data provided as a third-party extract.

How Do I Request a DSA?

A DSA is requested by submitting a Data Sharing Agreement Application (DSAA) or a Prerequisite Checklist (PRC) endorsed by both an Applicant/Requestor and a Government Sponsor. Once the DSAA is approved, it becomes part of the executed agreement provided to the Requestor and a Government Sponsor. When a PRC is approved, a No Action Letter is issued after the compliance check has been completed.

To request a DSAA, a PRC, a DSA Renewal, or a DSAA Modification, email DHA.DataSharing@mail.mil. You can also find these forms on Inside DHA (CAC-enabled).

Applicant Role

The Applicant is the individual, usually a contractor, who has primary oversight and responsibility for the data.

  • For projects involving subcontractors, even when the data is solely handled by subcontractors, the DSAA Applicant must be an employee of the prime contractor.
  • For projects with more than one prime contractor, a DSAA must be completed for each contracting organization that requires data for the project.
  • The Applicant is referred to as the Recipient in the final approved DSA.

Applicant Responsibilities

Government Sponsor Role

The Government Sponsor is the point of contact who assumes responsibility for the project/data use described in the DSAA. This role can be filled by a civilian within the government or a uniformed service member.

Government Sponsor Responsibilities

Memorandum of Agreement (MOA) and Memorandum of Understanding (MOU)

The DHA PCLO serves as the main point of contact for data sharing requests, data sharing arrangements with private entities, and research projects. The DHA Agreements and Partnerships Management Office (APMO) handles MOAs and MOUs for recurring data sharing arrangements with other DOD agencies, Federal agencies, and state and local governments. The DHA PCLO and the DHA APMO have established a process for reviewing MOAs and MOUs which involve sharing PII/PHI.

Frequently Asked Questions

Q1:

What is de-identified information?

A:

HIPAA defines de-identified data as:

  • Data that does not identify an individual
  • Data that has the 18 categories of direct identifiers removed
  • Data that allows no reason to believe it can be used, alone or in combination with other information, to identify an individual

Coded data is not considered to be de-identified data. Additionally, the following unofficial MHS Quasi-identifiers must be excluded from the data set:

  • Age, duty location, race, rank, ethnicity, pay grade, training site, unit identification code (UIC)

Q2:

Can a DSA be submitted before an IRB approves a research project?

A:

No, the IRB must approve the research project before a DSA submission can be submitted for review.

Q3:

What is a limited data set?

A:

DODM 6025.18, March 13, 2019 defines a limited data set as PHI that excludes 16 of the 18 direct identifiers. A limited data set may still include the following (potentially identifying) information: admission dates, discharge dates, service dates, dates of birth, and, if applicable, age at time of death (including decedents age 90 or over). Five-digit zip code or any other geographic subdivision, such as state, county, city, precinct, and their equivalent geocodes (except street address), may also remain as part of a limited data set (LDS).

Q4:

What reviews are completed by the Privacy Office when a Data Sharing Agreement application is submitted?

A:

  • Social Security Justification (SSNJ) - reviews the use of SSN for a project.
  • Privacy Act Review - to make sure proposed data use is allowed under SORN.
  • HIPAA Safeguard Review (HSR) - information system security review for contractor equipment.
  • Data Evaluation Workgroup (DEW) - data experts determine the data type and review for minimum necessary.
  • HIPAA Privacy Rule Compliance review - review of HIPAA documentation and repository review to ensure HIPAA compliance with repositories.

Q5:

Do I need a DSAA for de-identified data?

A:

If the DHA data is provided to the project team from a third-party as an extract, then a DSA is not required. If the data is coded, then a DSA is still required because coded data is not de-identified data.

Q6:

What information is required when submitting a SSNJ review?

A:

Any use of the SSN, in any form, must go through the Social Security Number Justification (SSNJ) process because DODI 1000.30, Reduction of SSN Use within DOD, requires the reduction or elimination of SSN usage wherever possible. If Social Security Numbers are required, the project team must provide a justification for their use and explain why a substitute cannot be used. Answering the following questions can assist the project team in providing a justification:

  • Why is SSN needed to combine the data? In other words, if alternatives to SSN (e.g., EDIPNs or pseudo person IDs) are sufficient in other instances, are those alternatives to SSN sufficient to respond to Congressional inquiries and/or senior DOD stakeholder inquiries?
  • Are alternatives to SSN used first? Further, in response to Congressional inquiries and/or senior DOD stakeholder inquiries, are alternatives to SSN used first, with SSN used only if they are not sufficient to respond?
  • Are those alternatives to SSN insufficient to combine data from multiple data sources? Do some individuals not have alternatives to SSN and SSN is the only way to identify them?

Q7:

Who needs a Data Sharing Agreement?

A:

  • Business Associates who need DHA data to do work on behalf of the government (there may be exceptions)
  • Government personnel who need DHA data for a research project or a survey (there may be exceptions)
  • Researchers who need DHA data for a research project or survey
  • Students and professionals who need DHA data for an academic research project or for a dissertation

Q8:

What questions should be addressed in the data flow of a DSAA?

A:

The data flow should reflect how the project team will obtain and securely store DHA data. It should specifically address the following questions:

  • Is it clear who is pulling/extracting/logging in to see the data?
  • Is it clear how data will be transferred from Data Extractor to applicant organization and/or to other parties?
  • Is it clear how data will be securely stored once extracted from the DHA system?

Q9:

Who is responsible for signing a DSA or PRC submission?

A:

The Privacy Office does not determine who within an applicant or sponsor organization must sign the DSA submission. The requestors must determine who has the authority to sign for their organization and take on the responsibilities outlined in the previously mentioned “Applicant Responsibility” and “Government Responsibility” documents.

Q10:

What is a System of Record and where do I find the SORN information for a submission?

A:

A system of record (SOR) consists of a group of records from which personal information about an individual is retrieved by the name of the individual or by some other identifying number, symbol, or other identifying characteristic unique to the individual.


Q11:

What is data managed by the DHA and how do I know if the data request involves data managed by the DHA?

A:

DHA data is data maintained on DHA systems or systems that are determined to fall under the purview of the DHA Chief Information Officer. The DHA PCLO has a list of frequently accessed systems that contain DHA data to assist data requestors in determining whether data are DHA data. If the data request includes data from an information system not on the list, the DSAA Applicant or DOD Sponsor must ask DHA Cybersecurity Division whether the information system is one managed by DHA.

Q12:

Who should be listed on the Data Sharing Agreement?

A:

The Applicant, Government Sponsor, and DHA PCLO are listed on the DSA.

Q13:

What is personally identifiable information, or PII?

A:

Under DOD 5400.11-R, "Department of Defense Privacy Program," May 14, 2007, personally identifiable information (PII) is information about an individual that identifies, links, relates, or is unique to, or describes the individual. Examples are: a social security number; age; military rank; civilian grade; marital status; race; salary; home or office phone numbers; and other demographic, biometric, personnel, medical, and financial information.

Q14:

What is protected health information, or PHI?

A:

Under DODM 6025.18, March 13, 2019, protected health information (PHI) is a subset of PII. PHI is health information, including demographic information collected from an individual, created or received by a health care provider, health plan, employer, or health care clearinghouse, and relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

You also may be interested in...

HIPAA Compliant Business Associate Agreement

Policy

The HIPAA Compliant Business Associate Agreement complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach and Enforcement Rules (HIPAA Rules).

HIPAA Safeguard Review of Non-Federal Systems (HSR)

Form/Template
10/1/2020

The HIPAA Safeguard Review of Non-Federal Systems (HSR) is used when data obtained through a DSAA will be stored, transmitted, processed, or otherwise maintained on a non-federal information system.

DRT Quick Reference Guide

Publication
8/16/2019

Data Requests Templates

DSADHA Certification Data Disposition 20180611

Form/Template
1/30/2017

This template is for the sole purpose of certifying that data used in connection with a Data Sharing Agreement (DSA) that was executed with the DHA Privacy and Civil Liberties Office (Privacy Office) has been appropriately disposed of in a timely manner.

DSA Change of Applicant/Recipient

Form/Template
1/30/2017

This template shall be used to notify the DHA Privacy and Civil Liberties Office (Privacy Office) that the Applicant / Recipient listed in an executed Data Sharing Agreement (DSA) has been replaced by a new Applicant / Recipient.

DSA Change of Government Sponsor

Form/Template
1/30/2017

This template shall be used to notify the DHA Privacy and Civil Liberties Office (Privacy Office) that the Government Sponsor listed in an executed Data Sharing Agreement (DSA) has been replaced by a new Government Sponsor.

Data Sharing Agreement Applicant/Recipient Role and Responsibilities

Fact Sheet
8/5/2014

This document outlines the roles and responsibilities of the applicant/recipient as part of a Data Sharing Agreement (DSA).

Data Sharing Agreement Government Sponsor Role and Responsibilities

Fact Sheet
8/5/2014

This document outlines the roles and responsibilities of the government sponsor as part of a Data Sharing Agreement (DSA).

Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules (45 C.F.R. Parts 160 and 164)

Policy

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Refer to 45 C.F.R. Parts 160 and 164 for additional information.

Data Request Template (DRT) - Access by Login (all DHA Systems)

Form/Template
4/30/2014

The Data Request Template for Access by Login for all DHA Systems is required for a Data Sharing Agreement Application.

General Data Request Template (DRT) Extractions (for all other DHA Systems)

Form/Template
4/30/2014

The Data Request Template for General Extractions is required for a Data Sharing Agreement Application.

DoD Instruction 4000.19: Support Agreements

Policy

In accordance with the authority in DoD Directive (DoDD) 5134.01 (Reference (a)), this Instruction reissues and renames DoD Instruction (DoDI) 4000.19 (Reference (b)) to establish policy, assign responsibilities, and prescribe procedures for support agreements.

  • Identification #: DoD Instruction 4000.19
  • Date: 4/25/2013
  • Type: Federal Regulations
  • Topics: Data Sharing Agreements

The Privacy Act of 1974 (Privacy Act)

Policy

The Privacy Act of 1974 (Privacy Act) requires agencies to inform the public of the existence of systems of records containing personal information, to give individuals access to records about themselves in a system of records, and to manage those records in a way to ensure fairness to individuals in agency programs.

DoD Instruction 6025.18: Privacy of Individually Identifiable Health Information in DoD Health Care Programs

Policy

This Instruction reissues DoD Directive (DoDD) 6025.18 as a DoD Instruction in accordance with the authority in DoD Directive 5124.02. It also establishes policy and assigns responsibilities for implementation of the standards for privacy of individually identifiable health information in accordance with parts 160 and 164 of title 45, Code of Federal Regulations.

Last Updated: September 01, 2022