The Defense Health Agency (DHA) Privacy and Civil Liberties Office (DHA Privacy Office) oversees the protection of personally identifiable information, including protected health information, within the DHA and safeguards its use and disclosure.  The goal of the Research Streamlining Initiative is to make the DHA Privacy Office data sharing process more efficient when data managed by DHA (DHA data) is sought for the purpose of conducting research, while still maintaining uniform and compliant Health Insurance Portability and Accountability Act reviews of data requests.  The expected outcome is a decrease in the amount of time required to obtain a Data Sharing Agreement.

Currently, for studies involving the use or disclosure of data managed by Defense Health Agency (DHA) data, the DHA Data Evaluation Workgroup (DEW) reviews each study, works with the data requestor to ensure the data request meets the minimum necessary standard, and determines the type of data being requested. In addition, for data requests involving protected health information (PHI), the DHA Privacy Board conducts a Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule review or conducts an administrative review if a HIPAA Privacy Rule review has already been conducted by an Institutional Review Board (IRB). The DHA Privacy Board also conducts a HIPAA Privacy Rule review for studies intending to put PHI or a limited data set (LDS) into a research repository for future research use.

Under the Research Streamlining Initiative, Department of Defense (DOD) IRBs will ensure that research studies meet the minimum necessary standards and make the data determinations currently being made by the DEW. The DOD IRBs will also conduct the HIPAA Privacy Rule reviews for all studies requesting PHI and studies intending to put PHI or an LDS into a research repository. DOD IRBs will be able to make these determinations at the same time they conduct Common Rule reviews of non-exempt studies. For studies considered exempt under the Common Rule, since HIPAA does not allow exemption, DOD IRBs or Exemption Determination Officials (EDOs) will still be required to conduct data determinations of any study requesting DHA data. DOD IRBs will be required to conduct HIPAA Privacy Rule reviews of any study requesting PHI or intending to put PHI or an LDS into a research repository. One exception is when a non-DOD IRB has reviewed a study involving a request for DHA data and has approved a Waiver of HIPAA Authorization, and the study does not include a plan to put the DHA data into a repository.

DOD IRBs will document their findings on the Institutional Review Board (IRB) HIPAA Compliance Review Findings on Data Requests (IRB Findings Document), which the researchers will submit to the DHA PCLO with their Data Sharing Agreement Applications (DSAAs) as documentation of the data determinations and HIPAA Privacy Rule reviews. The DHA PCLO will accept the data and documentation determinations made by the IRBs and will not conduct an administrative review of the IRBs’ findings. Eliminating reviews by the DEW and the DHA Privacy Board will result in significant time saving in the overall DSA review process.

The Defense Health Agency (DHA) Privacy and Civil Liberties Office (DHA PCLO) uses the DSA as an administrative control to document that the requested use of data managed by DHA (DHA data) complies with federal privacy laws and Department of Defense (DOD) privacy policies. As part of the data sharing program, the DHA Privacy Office reviews data requests for compliance with privacy and security laws as well as DOD policies and obtains assurances from data requestors that they will protect DHA data in accordance with the requirements.  As part of the assurances provided in the DSA, both the recipient of DHA data and the DOD sponsor must agree to meet a list of documented responsibilities related to the management of the DHA data.

Contractors and non-government researchers or public health officials or agents seeking to obtain data managed by the Defense Health Agency (DHA data) as well as government personnel conducting research are required to obtain an approved DSA. 

It depends. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits a covered entity’s workforce members to use and disclose protected health information (PHI) for healthcare operations (HCOs), including quality and process improvement activities that are necessary to support business activities as part of their work functions. Therefore, Military Health System (MHS) workforce members may use and disclose PHI for HCO activities to support the mission of MHS without submitting a Data Sharing Agreement Application (DSAA) to the Defense Health Agency (DHA) Privacy and Civil Liberties Office (DHA Privacy Office). However, when HCO activities are conducted by contractors providing a service to the MHS, the contractors are considered business associates under HIPAA and they would be required to submit a DSAA to the DHA Privacy Office for approval to receive any data managed by DHA before the work begins.

It depends. The HIPAA Privacy Rule permits covered entities to disclose protected health information (PHI), without an authorization, to public health authorities who are legally authorized to receive such information for public health purposes. Therefore, if the Human Research Protection Program determines that the activity is for public health surveillance and not research, the data request may be permitted under the HIPAA public health exception if the data request is from an officially designated public health authority, or a public health official or agent working on behalf of a public health authority.  If a data request is not from a public health authority or official, then the data request would not be permitted under the HIPAA public health exception. The data request would instead fall under the HIPAA research exception (regardless of whether the Common Rule review determines it is public health surveillance) and would require an Institutional Review Board (IRB) member to conduct the data determination and HIPAA Privacy Rule review under the Research Streamlining Initiative delegation of these reviews to IRBs.

Non-Department of Defense (DOD) public health authorities or contractors acting as agents to any public health authority must submit a Data Sharing Agreement Application (DSAA) to the Defense Health Agency (DHA) Privacy and Civil Liberties Office (PCLO) for other compliance reviews, such as Privacy Act and security reviews. DOD employees acting on behalf of a public health authority are not required to submit a DSAA to the DHA PCLO. 

Within the DOD, DHA Office of General Counsel has given approval for the designation of public health authorities. Contact the DHA PCLO at DHA.PrivacyBoard@mail.mil for assistance determining if a data requester is an officially designated public health authority or is acting on behalf of a public health authority.

No. An MOA and an MOU cannot be used in place of a DSA.  Pursuant to Department of Defense Instruction (DODI) 4000.19, Support Agreements, an MOU and MOA are types of support agreements to be used as explained in DODI 4000.19. A DSA is a Defense Health Agency (DHA) Privacy and Civil Liberties Office (PCLO) administrative control used to document that the request for data managed by DHA (DHA data) complies with federal privacy laws and DOD privacy issuances. Researchers and government contractors as well as public health officials or agents seeking to use DHA data must submit a Data Sharing Agreement Application regardless of whether they have a support agreement that is an MOU or MOA.

A DSA is requested by submitting a completed and signed DSA Pre-Requisites Checklist and a Data Sharing Agreement Application (DSAA) endorsed by both the Applicant and the Department of Defense Sponsor to the Defense Health Agency (DHA) Privacy and Civil Liberties Office (DHA Privacy Office) via email at DHA.DataSharing@mail.mil. Refer to the Data Sharing Agreements website for additional information.

Data managed by the DHA (commonly referred to as DHA data) is data maintained on DHA systems or systems that are determined to fall under the purview of the DHA Chief Information Officer. The DHA Privacy and Civil Liberties Office (DHA Privacy Office) has a list of frequently accessed systems that contain DHA data to assist data requestors in determining whether data are DHA data. If the data request includes data from an information system not on the list, the Data Sharing Agreement Application (DSAA) Applicant or Department of Defense Sponsor must ask DHA Cybersecurity Division whether the information system is one managed by DHA.   

Yes.  In addition to verifying compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Department of Defense (DOD) Manual 6025.18, the DHA PCLO is responsible for verifying compliance with other privacy laws and policies, such as the Privacy Act of 1974 and DOD Regulation 5400.11, Department of Defense Privacy Program.  Also, if digital DHA data is being stored on a non-federal information system, a HIPAA Safeguards Review (previously known as a System Security Verification) must be conducted to ensure the system on which the data is being stored meets DOD security requirements.  For these reviews to be conducted, a DSAA must be submitted to the DHA PCLO.

No. Researchers may not start research activities that involve the use of data managed by DHA until the researchers have an approved DSA for the research. Without the approved DSA, the use of the DHA data may violate privacy and/or security regulatory requirements as the DSA process involves several compliance reviews. These violations may potentially constitute a breach.

The Defense Health Agency’s (DHA’s) HIPAA templates are available on the DHA Privacy and Civil Liberties Office website (https://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties).  The templates are also available in the help section of the Electronic Institutional Review Board (EIRB) system.  They can be accessed by clicking on the orange question mark in the upper right corner of any screen in EIRB and going to Section e.

It depends. For consistency and ease of review, the DHA PCLO requires the use of DHA’s HIPAA Authorization template to obtain data managed by DHA (DHA data). DHA’s HIPAA Authorization template is HIPAA compliant and, therefore, reduces the potential for non-compliance. The DHA HIPAA Authorization template also facilitates uniform reviews and documentation throughout the Department of Defense (DOD). If a researcher has obtained a HIPAA Waiver of Authorization from a non-DOD Institutional Review Board (IRB) and the researcher does not intend to put the DHA data into a repository, the DHA PCLO will accept the non-DOD IRB Waiver of Authorization, but the researcher must provide a completed and signed IRB Waiver of HIPAA Authorization Certification from the non-DOD IRB confirming that the Waiver of Authorization is HIPAA compliant.

It depends. The Common Rule (2018 Requirements) allows exemption for research that involves the use of protected health information when that use is regulated under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements for the use of PHI. If DHA data is requested for a study that is exempt under the Common Rule, a data determination must be made.  An Exemption Determination Official (EDO) may make a data determination using the EDO Data Determination Template.  If the EDO determines that the data is PHI, the EDO must send the study to a Department of Defense (DOD) IRB for a HIPAA Privacy Rule review because only IRBs and HIPAA Privacy Boards, set up in compliance with the HIPAA Privacy Rule 45 C.F.R. section 164.512 (i)(1)(i)(B) and DOD Manual 6025.18 paragraph 4.4.i.(1)(a)2, may conduct HIPAA Privacy Rule reviews. Therefore, if PHI is requested for a study that is exempt under the Common Rule, a DOD IRB will have to review the study to conduct a HIPAA Privacy Rule review.  Review by a fully convened IRB or HIPAA Privacy Board is not required.  The Chair or a designated board member can conduct the necessary review.   

It depends. HIPAA only allows Institutional Review Boards (IRBs) and HIPAA Privacy Boards to conduct HIPAA Privacy Rule reviews.  If the Privacy Officer is a member of the IRB or HIPAA Privacy Board, set up in compliance with the HIPAA Privacy Rule 45 C.F.R. section 164.512 (i)(1)(i)(B) and Department of Defense Manual 6025.18 paragraph 4.4.i.(1)(a)2, the Privacy Officer can conduct a HIPAA Privacy Rule review and approve a HIPAA Waiver of Authorization.  Otherwise, the institutional Privacy Officer cannot conduct a HIPAA Privacy Rule review.

It depends. All researchers, public health officials and agents, and Department of Defense (DOD) contractors must submit a DSAA if they are requesting data managed by the DHA (DHA data). If a Human Research Protection Program (HRPP) determines an activity is not research, the DHA PCLO will accept this determination and not accept a DSAA from the data requestor that indicates that the purpose of the data request is for research. The data requestor will have to submit the DSAA for another permissible purpose, which includes providing services as a business associate to the Military Health System, conducting public health activities, or providing services directed through a military command authority to meet the military mission. If the HRPP determines that research does not involve human subjects, the data request should be for de-identified data as determined by the HRPP using the DHA PCLO Data Determination Template. In this case, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements would not apply to the DHA data request, but the researcher must still submit a DSAA because Privacy Act and system security reviews are required. 

Note: If the HRPP determines that the study is research not involving human subjects under the Common Rule, but the data is identifiable, the DHA PCLO will question the inconsistency of the determinations.

No. The HIPAA Privacy Rule, 45 C.F.R section 164.512 (i)(1)(i)(B) and Department of Defense Manual 6025.18 paragraph 4.4.i.(1)(a)2, set forth specific criteria to establish a HIPAA Privacy Board. The HIPAA Privacy Rule requires that a HIPAA Privacy Board have at least two members of varying backgrounds and expertise to review the effect of a research protocol on individual privacy rights and related interests. Further, at least one member must be unaffiliated with the covered entity and the entity conducting or sponsoring the research, and unrelated to any person who is affiliated with such entities. Additionally, no HIPAA Privacy Board member may review any project if that person has a conflict of interest.

It depends. If a non-DOD IRB approves a Health Insurance Portability and Accountability Act (HIPAA) Waiver of Authorization, the Defense Health Agency Privacy and Civil Liberties Office (DHA PLCO) will accept the non-DOD IRB Waiver of Authorization. However, there are two cases when the DOD Human Research Protection Official (HRPO) will have to send the study to a DOD IRB for review. First, if the HRPO reviews the study and determines that the study is or may be requesting protected health information (PHI) and the researcher has not submitted a non-DOD IRB Waiver of HIPAA Authorization, then the HRPO must send the study to a DOD IRB to conduct a data determination and, if needed, a HIPAA Privacy Rule compliance review. This review is required even if the study intends to use a non-DOD HIPAA Authorization to obtain data because only DHA Authorization templates may be used to obtain data managed by DHA (DHA data).

The second instance when the DOD IRB will have to conduct a HIPAA Privacy Rule review of the study is when the HRPO determines that the researcher intends to put DHA data into a research repository. The HRPO must send all studies reviewed by non-DOD IRBs that intend to put DHA data into a repository to a DOD IRB for a data determination and, if necessary, a HIPAA Privacy Rule compliance review using the Research Repository Template. The DOD IRB will conduct the reviews and provide the researcher with an Institutional Review Board (IRB) HIPAA Compliance Review Findings on Data Requests (IRB Findings Document) to submit to the DHA Privacy Office along with the Data Sharing Agreement Application. Review by a fully convened IRB or HIPAA Privacy Board is not required. The Chair or a designated board member can conduct the necessary review.

Yes. An “honest broker” or data manager is an individual acting on behalf of the researcher(s) to collect and provide de-identified information or data sets to the research team.

Often, researchers use data managers or honest brokers as part of the research team to de-identify data or to limit the use of identifiers by researchers conducting studies. Although this is a good privacy practice, the data determination for data managed by the Defense Health Agency (DHA data) is determined by the type of data provided by the DHA and not the type of data provided by the data manager or honest broker. If DHA provides protected health information (PHI) to the research team, that includes the honest broker or data manager, the data request is a PHI request, even if the study’s data manager or honest broker limits the identifiable data provided to the researcher. All data requests involving PHI must receive a HIPAA compliance review by a Department of Defense (DOD) Institutional Review Board (IRB).

If the data request involves a request for PHI or a limited data set to be put into a repository managed by an honest broker or data manager, then, each time the data manager or honest broker provides DHA data from the repository to a researcher for a separate study, the researcher’s data request must be reviewed by the DOD IRB and the DOD IRB’s findings must be recorded in the Institutional Review Board (IRB) HIPAA Compliance Review Findings on Data Requests (IRB Findings Document). The researcher must submit the IRB Findings Document along with a Data Sharing Agreement Application to the DHA Privacy and Civil Liberties Office for the use of the DHA data

It depends. Unless the institutional statistician or Defense Health Agency (DHA) Privacy Officer is a member of a Department of Defense (DOD) Institutional Review Board (IRB), they cannot be used to confirm that data is de-identified. The Health Insurance Portability and Accountability Act permits an institution to use an individual with the appropriate knowledge and experience in statistical principles/methodologies to de-identify data. However, for requests involving data managed by DHA (DHA data), a DOD IRB will make the final data determinations currently made by DHA data experts by using the Data Determination Guides (DDGs) as guidance and documentation of the decision. The DOD IRB may use an institutional statistician or Privacy Officer to assist in determining whether data is de-identified, but the DOD IRB must indicate its final data determination by documenting the determination in the DDG.

If the researcher intends to put de-identified data into a research repository, the DHA PCLO requires the DOD IRB to get assistance and confirmation from the DHA PCLO data experts that the researcher’s de-identification plan for the repository meets the Health Insurance Portability and Accountability Act Privacy Rule compliance requirements. The DHA PCLO data experts can be contacted at DHA.PrivacyBoard@mail.mil

The DSA POC is any person identified by the Department of Defense (DOD) Institutional Review Board to work with the Defense Health Agency (DHA) Privacy and Civil Liberties Office (PCLO) to become familiar with the Data Sharing Agreement Application (DSAA) submission and review process, including the requirements for completing the DSAA Pre-Requisites Checklist and the DSAA template. The DSA POC will provide guidance to researchers who must complete and submit the DSAA Pre-Requisites Checklists and the DSAAs to the DHA PCLO.  Researchers are responsible for completing and submitting their own DSAAs to the DHA PCLO along with the signature of the DOD sponsors ensuring that the responsibilities outlined in the DSAA have been or will be met.

Yes. A Department of Defense (DOD) Institutional Review Board (IRB) must review the data request prior to accessing the patient records for research purposes. Researchers who work for the Military Health System (MHS) as either an employee or contracted business associate who has a contract that includes services in creating datasets may create the subset of data required for the research project. However, prior to creating the subset of data for research, the DOD IRB must review the research protocol and determine the minimum necessary type of data required for the research project and, if protected health information is required, provide a HIPAA Privacy Rule review that ensures obtaining the relevant documentation necessary for the researcher to access patient records for research purposes.

In addition, if the researcher intends to review patient records to prepare for a clinical research study, such as identifying qualified study participants, the researcher must first get approval from the DOD IRB to access the records for review preparatory to research. If the researcher is an MHS employee or business associate, the researcher may sign Representations for Review Preparatory to Research to conduct the review of records and then contact patients to obtain HIPAA Authorizations to use their records for research. If the researcher is not an MHS employee or business associate, the researcher may sign Representations for Review Preparatory to Research to conduct the review of records but will not be able to contact the patients identified in the review. In this case, the researcher can ask an employee or business associate to obtain the HIPAA Authorizations from patients, or the researcher can obtain a partial Waiver of HIPAA Authorization, which enables the researcher to review the records and contact study participants to obtain a HIPAA Authorization. Finally, if the researcher will not be able to obtain HIPAA Authorizations from study participants, the researcher will need to obtain a full Waiver of Authorization before accessing the patient records for research purposes.

No. In accordance with the Department of Defense Manual (DODM) 6025.18, paragraph 3.3.a.(3) the Military Health System (MHS) is designated as a single HIPAA covered entity under the management responsibility of the Assistant Secretary of Defense, Health Affairs, and for purpose of activities subject to DODM 6025.18, under the management responsibility of the Director, Defense Health Agency (DHA). Pursuant to DODM 6025.18 paragraph 3.3.a, the MHS consists of all DOD health plans and all DOD institutional health care providers that engage in standard electronic transactions and that are organized under the management authority of, or individual providers assigned to or employed by, the DHA, the Department of the Army, the Department of the Navy, or the Department of the Air Force. 

In accordance with Department of Defense Manual (DODM) 6025.18 paragraphs 7.3.c and 7.3.d, Department of Defense (DOD) covered entities must maintain policies and procedures in written or electronic format for six years from the date the document was created, or from when it was last in effect, whichever is later unless a longer period is specified by the National Archives and Records Administration or by DOD or DOD Component records management regulation and guidance or other laws, regulations, and DOD Component issuances.

Since HIPAA requires that all documentation be maintained for six years from the date the document is created or the document is in effect, whichever is later, the Defense Health Agency (DHA) Privacy and Civil Liberties Office (PCLO) requires that the DOD Institutional Review Boards maintain the documentation related to HIPAA Privacy Rule reviews of studies for this same time period, six years after the date the study closes.

It depends. If the researcher is seeking data managed by DHA (DHA data) or its derivative, then yes, the researcher must submit a Data Sharing Agreement Application (DSAA) to the DHA Privacy Office for use of the DHA data for research purposes. More specifically, if the researcher is seeking verbal clinical data from Military Health System (MHS) patients or providers, the researcher will have to submit a DSAA for protected health information. If the researcher is seeking hard copy medical records data from the MHS, the researcher will have to submit a DSAA. If the researcher is seeking digital data from an information system, the researcher will have to submit a DSAA if the information system contains DHA data. 

It depends. If the DHA data experts have confirmed that the data in the repository is for de-identified data in compliance with the Health Insurance Portability and Accountability Act (HIPAA), then researchers can obtain data from the repository without IRB review or a DSAA. However, if the data in the repository contains protected health information (PHI) or a limited data set (LDS), then even if the researchers and studies are under one protocol for Common Rule review, the HIPAA Privacy Rule requires that each data request under a new study or as a sub-study under the same protocol requires a HIPAA compliance review and documentation. In other words, there must be a Department of Defense IRB HIPAA compliance review to put PHI or an LDS into a repository and each time a data requestor intends to take PHI or an LDS out of a repository. The DHA Privacy Office also requires a new DSAA for each of these studies requesting DHA data from the repository.