It depends. All researchers, public health officials and agents, and Department of Defense contractors must submit a DSAA if they are requesting data managed by the DHA. If a Human Research Protection Program determines an activity is not research, the DHA PCLO will accept this determination and not accept a DSAA from the data requestor that indicates that the purpose of the data request is for research. The data requestor will have to submit the DSAA for another permissible purpose, which includes providing services as a business associate to the Military Health System, conducting public health activities, or providing services directed through a military command authority to meet the military mission. If the HRPP determines that research does not involve human subjects, the data request should be for de-identified data as determined by the HRPP using the DHA PCLO Data Determination Template. In this case, the Health Insurance Portability and Accountability Act Privacy Rule requirements would not apply to the DHA data request, but the researcher must still submit a DSAA because Privacy Act and system security reviews are required. 

Note: If the HRPP determines that the study is research not involving human subjects under the Common Rule, but the data is identifiable, the DHA PCLO will question the inconsistency of the determinations.

No. The HIPAA Privacy Rule, 45 C.F.R section 164.512 (i)(1)(i)(B) and Department of Defense Manual 6025.18 paragraph 4.4.i.(1)(a)2, set forth specific criteria to establish a HIPAA Privacy Board. The HIPAA Privacy Rule requires that a HIPAA Privacy Board have at least two members of varying backgrounds and expertise to review the effect of a research protocol on individual privacy rights and related interests. Further, at least one member must be unaffiliated with the covered entity and the entity conducting or sponsoring the research, and unrelated to any person who is affiliated with such entities. Additionally, no HIPAA Privacy Board member may review any project if that person has a conflict of interest.

It depends. If a non-DOD IRB approves a Health Insurance Portability and Accountability Act Waiver of Authorization, the Defense Health Agency Privacy and Civil Liberties Office will accept the non-DOD IRB Waiver of Authorization. However, there are two cases when the DOD Human Research Protection Official will have to send the study to a DOD IRB for review. First, if the HRPO reviews the study and determines that the study is or may be requesting protected health information and the researcher has not submitted a non-DOD IRB Waiver of HIPAA Authorization, then the HRPO must send the study to a DOD IRB to conduct a data determination and, if needed, a HIPAA Privacy Rule compliance review. This review is required even if the study intends to use a non-DOD HIPAA  Authorization to obtain data because only DHA  Authorization templates may be used to obtain data managed by DHA data.

The second instance when the DOD IRB will have to conduct a HIPAA Privacy Rule review of the study is when the HRPO determines that the researcher intends to put DHA data into a research repository. The HRPO must send all studies reviewed by non-DOD IRBs that intend to put DHA data into a repository to a DOD IRB for a data determination and, if necessary, a HIPAA Privacy Rule compliance review using the Research Repository Template. The DOD IRB will conduct the reviews and provide the researcher with an Institutional Review Board HIPAA Compliance Review Findings on Data Requests IRB Findings Document to submit to the DHA Privacy Office along with the Data Sharing Agreement Application. Review by a fully convened IRB or HIPAA Privacy Board is not required. The Chair or a designated board member can conduct the necessary review.

Yes. An “honest broker” or data manager is an individual acting on behalf of the researcher(s) to collect and provide de-identified information or data sets to the research team.

Often, researchers use data managers or honest brokers as part of the research team to de-identify data or to limit the use of identifiers by researchers conducting studies. Although this is a good privacy practice, the data determination for data managed by the Defense Health Agency (DHA data) is determined by the type of data provided by the DHA and not the type of data provided by the data manager or honest broker. If DHA provides protected health information (PHI) to the research team, that includes the honest broker or data manager, the data request is a PHI request, even if the study’s data manager or honest broker limits the identifiable data provided to the researcher. All data requests involving PHI must receive a HIPAA compliance review by a Department of Defense (DOD) Institutional Review Board (IRB).

If the data request involves a request for PHI or a limited data set to be put into a repository managed by an honest broker or data manager, then, each time the data manager or honest broker provides DHA data from the repository to a researcher for a separate study, the researcher’s data request must be reviewed by the DOD IRB and the DOD IRB’s findings must be recorded in the Institutional Review Board (IRB) HIPAA Compliance Review Findings on Data Requests (IRB Findings Document). The researcher must submit the IRB Findings Document along with a Data Sharing Agreement Application to the DHA Privacy and Civil Liberties Office for the use of the DHA data

It depends. Unless the institutional statistician or Defense Health Agency (DHA) Privacy Officer is a member of a Department of Defense (DOD) Institutional Review Board (IRB), they cannot be used to confirm that data is de-identified. The Health Insurance Portability and Accountability Act permits an institution to use an individual with the appropriate knowledge and experience in statistical principles/methodologies to de-identify data. However, for requests involving data managed by DHA (DHA data), a DOD IRB will make the final data determinations currently made by DHA data experts by using the Data Determination Guides (DDGs) as guidance and documentation of the decision. The DOD IRB may use an institutional statistician or Privacy Officer to assist in determining whether data is de-identified, but the DOD IRB must indicate its final data determination by documenting the determination in the DDG.

If the researcher intends to put de-identified data into a research repository, the DHA PCLO requires the DOD IRB to get assistance and confirmation from the DHA PCLO data experts that the researcher’s de-identification plan for the repository meets the Health Insurance Portability and Accountability Act Privacy Rule compliance requirements. The DHA PCLO data experts can be contacted at DHA.PrivacyBoard@mail.mil

The DSA POC is any person identified by the Department of Defense Institutional Review Board to work with the Defense Health Agency Privacy and Civil Liberties Office to become familiar with the Data Sharing Agreement Application submission and review process, including the requirements for completing the DSAA Pre-Requisites Checklist and the DSAA template. The DSA POC will provide guidance to researchers who must complete and submit the DSAA Pre-Requisites Checklists and the DSAAs to the DHA PCLO. Researchers are responsible for completing and submitting their own DSAAs to the DHA PCLO along with the signature of the DOD sponsors ensuring that the responsibilities outlined in the DSAA have been or will be met.

Yes. A Department of Defense (DOD) Institutional Review Board (IRB) must review the data request prior to accessing the patient records for research purposes. Researchers who work for the Military Health System (MHS) as either an employee or contracted business associate who has a contract that includes services in creating datasets may create the subset of data required for the research project. However, prior to creating the subset of data for research, the DOD IRB must review the research protocol and determine the minimum necessary type of data required for the research project and, if protected health information is required, provide a HIPAA Privacy Rule review that ensures obtaining the relevant documentation necessary for the researcher to access patient records for research purposes.

In addition, if the researcher intends to review patient records to prepare for a clinical research study, such as identifying qualified study participants, the researcher must first get approval from the DOD IRB to access the records for review preparatory to research. If the researcher is an MHS employee or business associate, the researcher may sign Representations for Review Preparatory to Research to conduct the review of records and then contact patients to obtain HIPAA Authorizations to use their records for research. If the researcher is not an MHS employee or business associate, the researcher may sign Representations for Review Preparatory to Research to conduct the review of records but will not be able to contact the patients identified in the review. In this case, the researcher can ask an employee or business associate to obtain the HIPAA Authorizations from patients, or the researcher can obtain a partial Waiver of HIPAA Authorization, which enables the researcher to review the records and contact study participants to obtain a HIPAA Authorization. Finally, if the researcher will not be able to obtain HIPAA Authorizations from study participants, the researcher will need to obtain a full Waiver of Authorization before accessing the patient records for research purposes.

No. In accordance with the Department of Defense Manual (DODM) 6025.18, paragraph 3.3.a.(3) the Military Health System (MHS) is designated as a single HIPAA covered entity under the management responsibility of the Assistant Secretary of Defense, Health Affairs, and for purpose of activities subject to DODM 6025.18, under the management responsibility of the Director, Defense Health Agency (DHA). Pursuant to DODM 6025.18 paragraph 3.3.a, the MHS consists of all DOD health plans and all DOD institutional health care providers that engage in standard electronic transactions and that are organized under the management authority of, or individual providers assigned to or employed by, the DHA, the Department of the Army, the Department of the Navy, or the Department of the Air Force. 

In accordance with Department of Defense Manual (DODM) 6025.18 paragraphs 7.3.c and 7.3.d, Department of Defense (DOD) covered entities must maintain policies and procedures in written or electronic format for six years from the date the document was created, or from when it was last in effect, whichever is later unless a longer period is specified by the National Archives and Records Administration or by DOD or DOD Component records management regulation and guidance or other laws, regulations, and DOD Component issuances.

Since HIPAA requires that all documentation be maintained for six years from the date the document is created or the document is in effect, whichever is later, the Defense Health Agency (DHA) Privacy and Civil Liberties Office (PCLO) requires that the DOD Institutional Review Boards maintain the documentation related to HIPAA Privacy Rule reviews of studies for this same time period, six years after the date the study closes.

It depends. If the researcher is seeking data managed by DHA data or its derivative, then yes, the researcher must submit a Data Sharing Agreement Application to the DHA Privacy and Civil Liberties Office for use of the DHA data for research purposes. More specifically, if the researcher is seeking verbal clinical data from Military Health System patients or providers, the researcher will have to submit a DSAA for protected health information. If the researcher is seeking hard copy medical records data from the MHS, the researcher will have to submit a DSAA. If the researcher is seeking digital data from an information system, the researcher will have to submit a DSAA if the information system contains DHA data. 

It depends. If the DHA data experts have confirmed that the data in the repository is for de-identified data in compliance with the Health Insurance Portability and Accountability Act, then researchers can obtain data from the repository without IRB review or a DSAA. However, if the data in the repository contains protected health information or a limited data set, then even if the researchers and studies are under one protocol for Common Rule review, the HIPAA Privacy Rule requires that each data request under a new study or as a sub-study under the same protocol requires a HIPAA compliance review and documentation. In other words, there must be a Department of Defense IRB HIPAA compliance review to put PHI or an LDS into a repository and each time a data requestor intends to take PHI or an LDS out of a repository. The DHA Privacy Office also requires a new DSAA for each of these studies requesting DHA data from the repository.