Back to Top Skip to main content
Need larger text?

Submit a Data Sharing Application

Data Sharing Agreements (DSAs) are administrative controls used by the Defense Health Agency (DHA) to document that the requested use of data managed by DHA is in compliance with Federal law and implementing Department of Defense (DoD) policies. Note that the DHA Privacy Office does not provide data extractions or grant system access. The System Managers who grant access to data require a DSA. The DHA Privacy and Civil Liberties Office (Privacy Office) reviews and approves DSAs based upon compliance with these policies. The DSA:

  • Documents the responsibilities of the requestors, including the Government Sponsor and Applicant/Recipient
  • Provides the requestors with clear terms and conditions for approval

Who Needs a Data Sharing Agreement

Contractors or non-government researchers seeking to obtain Military Health System (MHS) data managed by DHA to perform a government-sponsored initiative, or government personnel conducting research, are required to submit a Data Sharing Agreement Application (DSAA), which must be approved before a DSA will be executed. 

How to Request a DSA

A DSA is requested by submitting a DSAA endorsed by both an Applicant and a Government Sponsor (the “requestors”). Once the DSAA is approved it becomes part of the final agreement provided to the requestors.

Submit DSAAs to the DHA Privacy Office via Email

Applicant Role

The Applicant is the individual, usually a contractor, who has primary oversight and responsibility for the data. 

  • For projects involving subcontractors, even when the data is solely handled by subcontractors, the DSAA Applicant must be an employee of the prime contractor
  • For projects with more than one prime contractor, a DSAA must be completed for each contracting organization that requires data for the project
  • The Applicant is referred to as the Recipient in the final approved DSA

Government Sponsor Role

The Government Sponsor is the point of contact who assumes responsibility for the project/data use described in the DSAA. This role can be filled by a civilian within DHA or a uniformed Service member. 

Memorandum of Agreement (MOA)

The DHA Privacy Office serves as the main point of contact for data sharing requests, data sharing arrangements with private entities, and research projects. The Support Agreements Manager (SAM) handles MOAs for recurring data sharing arrangements with other DoD agencies, Federal agencies, and state and local governments. The DHA Privacy Office and the SAM have established a process for reviewing MOAs which involve sharing personally identifiable information or protected health information (PII/PHI).

    Frequently Asked Questions

    Q1:

    Why is a Data Sharing Agreement required?

    A:

    The DHA requires an approved DSA when requestors ask to use DHA data. The DHA, as a covered entity, uses the DSA process to:

    • Confirm that data will be used as allowed under the regulations
    • Promote privacy responsibility in the MHS
    • Maintain documentation in case of an investigation or audit
    • Share only the minimum data necessary for the purpose
    Q2:

    Who needs a Data Sharing Agreement?

    A:
    • Business Associates who need DHA data to do work on behalf of the government
    • Government personnel who need DHA data for a research project or a survey
    • Researchers who need DHA data for a research project or survey
    • Students and professionals who need DHA data for an academic research project or for a dissertation
    Q3:

    How is the Data Sharing Agreement request process initiated?

    A:

    Requestors submit a Data Sharing Agreement Application (DSAA) endorsed by both the Applicant and Sponsor.

    Q4:

    How long will it take to obtain an approved Data Sharing Agreement?

    A:

    A DSA may be approved within 10 business days after a DSAA is approved.

    Q5:

    Who should be listed on the Data Sharing Agreement?

    A:

    The Applicant, Government Sponsor, and DHA Privacy and Civil Liberties Office (DHA Privacy Office) are listed on the DSA.

    Q6:

    Does the Data Sharing Agreement Sponsor need to be a member of the MHS?

    A:

    Yes, the DSA Sponsor needs to be a member of the MHS.

    Q7:

    How early should a Data Sharing Agreement Renewal Request be submitted?

    A:

    The DSA Renewal Request should not be submitted until the contract option year (as listed on the Renewal Request) has been granted.

    Q8:

    What is personally identifiable information, or PII?

    A:

    Under DoD 5400.11-R, "Department of Defense Privacy Program," May 14,2007, personally identifiable information (PII) is information about an individual that identifies, links, relates, or is unique to, or describes the individual. Examples are: a social security number; age; military rank; civilian grade; marital status; race; salary; home or office phone numbers; and other demographic, biometric, personnel, medical, and financial information.

    Q9:

    What is protected health information, or PHI?

    A:

    Under DoD 6025.18-R, "Department of Defense Health Information Privacy Regulation, protected health information (PHI) is a subset of PII. PHI is health information, including demographic information collected from an individual, created or received by a health care provider, health plan, employer, or health care clearinghouse, and relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

    Q10:

    What is de-identified information?

    A:

    HIPAA defines de-identified data as:

    • Data that does not identify an individual
    • Data that has the 18 categories of direct identifiers removed
    • Data that allows no reason to believe it can be used, alone or in combination with other information to identify an individual
    Q11:

    What is a limited data set?

    A:

    DoD 6025.18-R defines a limited data set as PHI that excludes 16 of the 18 direct identifiers. A limited data set may still include the following (potentially identifying) information: admission dates, discharge dates, service dates, dates of birth, and, if applicable, age at time of death (including decedents age 90 or over). Also, five-digit zip code or any other geographic subdivision, such as state, county, city, precinct, and their equivalent geocodes (except street address) may also remain as part of a limited data set (LDS).

    You also may be interested in...

    Data Sharing Agreement Application (DSAA)

    Form/Template
    4/22/2019

    The Data Sharing Agreement Application (DSAA) is used when requesting data from systems that are owned and/or managed by DHA.

    Recommended Content:

    Submit a Data Sharing Application

    Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Compliance in DoD Health Care Programs

    Policy

    This issuance, in accordance with the authority in DoD Directive 5124.02, establishes policy and assigns responsibilities for; DoD compliance with federal law governing health information privacy and breach of privacy; Integrating health information privacy and breach compliance with general information privacy and security requirements in accordance with federal law and DoD issuances; Health information technology, system interoperability, and exchange of electronic health information, in relation to federal law governing health information privacy and breach; and DoD contracting and procurement activities in relation to federal law governing health information privacy and breach.

    Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs

    Policy

    This 6025.18 DoD Manual was issued in accordance with the authority in DoD Directive 5124.02. It also implements the policy in DoD Instruction (DoDI) 6025.18, and assigns responsibilities and procedural standards for protecting personally identifiable health information in accordance with parts 160 and 164 of title 45, Code of Federal Regulations (CFR).

    Data Sharing Agreement Application (DSAA)

    Form/Template
    3/6/2017

    The Data Sharing Agreement Application (DSAA) is used when requesting data from systems that are owned and/or managed by DHA.

    Recommended Content:

    Submit a Data Sharing Application

    Data Sharing Agreement (DSA) - Renewal Request

    Form/Template
    3/6/2017

    The Data Sharing Agreement Renewal Request template is used when requesting the renewal of an executed DSA.

    Recommended Content:

    Submit a Data Sharing Application

    DSADHA Certification Data Disposition 20180611

    Form/Template
    1/30/2017

    This template is for the sole purpose of certifying that data used in connection with a Data Sharing Agreement (DSA) that was executed with the DHA Privacy and Civil Liberties Office (Privacy Office) has been appropriately disposed of in a timely manner.

    Recommended Content:

    Submit a Data Sharing Application

    DSA Change of Government Sponsor

    Form/Template
    1/30/2017

    This template shall be used to notify the DHA Privacy and Civil Liberties Office (Privacy Office) that the Government Sponsor listed in an executed Data Sharing Agreement (DSA) has been replaced by a new Government Sponsor.

    Recommended Content:

    Submit a Data Sharing Application

    Data Sharing Agreement (DSA) - Modification Request

    Form/Template
    1/30/2017

    The Data Sharing Agreement Modification Request template is used when requesting the modification of an executed DSA.

    Recommended Content:

    Submit a Data Sharing Application

    System Security Verification (SSV)

    Form/Template
    1/30/2017

    The System Security Verification (SSV) template is used when data obtained through a DSAA will be stored, transmitted, processed, or otherwise maintained on an information system that has not been granted a Department of Defense (DoD) Authorization to Operate (ATO) or an Interim Authorization to Operate (IATO).

    Recommended Content:

    Submit a Data Sharing Application

    Data Sharing Agreement Extension Request

    Form/Template
    1/30/2017

    This template is used to request a 30 day extension in order to continue to use the data in accordance to the executed Data Sharing Agreement (DSA).

    Recommended Content:

    Submit a Data Sharing Application

    DSA Change of Applicant/Recipient

    Form/Template
    1/30/2017

    This template shall be used to notify the DHA Privacy and Civil Liberties Office (Privacy Office) that the Applicant / Recipient listed in an executed Data Sharing Agreement (DSA) has been replaced by a new Applicant / Recipient.

    Recommended Content:

    Submit a Data Sharing Application

    DoD Instruction 8580.02: Security of Individually Identifiable Health Information in DoD Health Care Programs

    Policy

    This instruction establishes policy and assigns responsibilities for security of individually identifiable health information created, received, maintained, or transmitted in electronic form (referred to in this instruction as “electronic protected health information (ePHI)”).

    Instructions Guide and Submission Tips - Data Sharing Agreement Application (DSAA)

    Publication
    11/14/2014

    This Guide offers instructions and tips on how to submit a data sharing agreement application (DSAA).

    Recommended Content:

    Submit a Data Sharing Application

    DoD Directive 5400.11: Department of Defense Privacy Program

    Policy

    This Regulation is reissued under the authority of DoD Directive 5400.11, “DoD Privacy Program,” May 8, 2007. It provides guidance on section 552a of title 5 United States Code (U.S.C.), the Privacy Act of 1974, as amended, and prescribes uniform procedures for implementation of the DoD Privacy Program.

    Data Sharing Agreement Applicant/Recipient Role and Responsibilities

    Fact Sheet
    8/5/2014

    This documents outlines the roles and responsibilities of the applicant/recipient as part of a Data Sharing Agreement (DSA).

    Recommended Content:

    Submit a Data Sharing Application
    << < 1 2 > >> 
    Showing results 1 - 15 Page 1 of 2

    DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101

    Some documents are presented in Portable Document Format (PDF). A PDF reader is required for viewing. Download a PDF Reader or learn more about PDFs.
    You are leaving Health.mil

    The appearance of hyperlinks does not constitute endorsement by the Defense Health Agency of non-U.S. Government sites or the information, products, or services contained therein. Although the Defense Health Agency may or may not use these sites as additional distribution channels for Department of Defense information, it does not exercise editorial control over all of the information that you may find at these locations. Such links are provided consistent with the stated purpose of this website.

     You are leaving Health.mil View the external links disclaimer. OK Cancel