Back to Top Skip to main content

Prerequisites to Privacy Board

Before the DHA Privacy Board reviews a research project for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Department of Defense (DoD) Health Information Privacy Regulation (DoD 6025.18-R), the requirements set forth below and illustrated in the flowchart entitled Prerequisites to DHA Privacy Board Review must be initiated.

Institutional Review Board (IRB) and DHA Human Research Protection Program (HRPP) Review

All research projects must be reviewed in accordance with the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule.” If the project does not meet the criteria of human subject research as determined by either an IRB or the DHA HRPP Office in accordance with the Common Rule, the DHA Privacy and Civil Liberties Office (Privacy Office) will process the Data Sharing Agreement Application (DSAA) requesting Military Health System (MHS) data managed by DHA for the purpose of the research project. Information regarding DSAAs can be found in the Data Sharing Agreement section.

Further information regarding HRPP reviews and requirements can be found at the DHA HRPP website.

Additional Requirements for Surveys or Information Collection Requests (ICRs)

There are additional requirements for Surveys or Information Collection Requests (ICRs) that must be followed. The DHA Privacy Office cannot complete the processing of the researcher’s DSAA until the additional requirements are met.

When the DHA HRPP Office or IRB has determined the project involving the use of surveys or ICRs is not research, the project will still need to comply with DHCAPE’s TRICARE Survey Program. The DHA Privacy Office cannot complete processing of the researcher’s DSAA until the survey or ICR requirements referenced above are met.

Data Sharing Agreement Application (DSAA)

In order to request data for a particular project, researchers must submit a DSAA as instructed on the Data Sharing Agreement section of the DHA Privacy Office’s webpage. The Principal Investigator (PI) is the lead researcher for a particular project and must be identified as instructed in the DSAA. The PI is contacted regarding any questions, concerns, and/or follow-up needs. The DHA Privacy Office promptly reviews the data elements requested to determine whether or not the request appears to meet the HIPAA Privacy Rule’s minimum necessary standard. The DHA Privacy Office then considers the type of information needed by the research project.

Information Considered in Determining Legal Compliance Requirements

The Privacy Office categorizes a research project’s informational needs into one of the following four types for compliance review:

  1. De-identified data;
  2. PII excluding PHI;
  3. LDS; or
  4. PHI greater than an LDS.

Projects that seek de-identified data, PII excluding protected health information (PHI), or an LDS, do not require DHA Privacy Board review. A research project that seeks PHI greater than an LDS, however, is sent to the DHA Privacy Board for HIPAA Privacy Rule review and documentation. The DHA Privacy Board will reach out to the PI and Sponsor and begin the HIPAA Privacy Rule review process.

DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing. Download a PDF Reader or learn more about PDFs.