Data Sharing In Accordance with HIPAA

Presentation transcript:

Data Sharing In Accordance with HIPAA
Rita DeShields
Data Sharing Compliance Officer
TMA Privacy and Civil Liberties Office (Privacy Office)
Phone: 703-681-7500
Rita.DeShields@tma.osd.mil

Purpose
The purpose of this presentation is to describe:
- The Privacy Office’s function when TMA owned or managed data (TMA data) are requested
- The Data Sharing Agreements (DSA), the Data Sharing Agreement Application (DSAA) and Supplemental DSA-related templates
- Key supporting elements that may be required
  - System of Record Notice
  - Business Associate Agreement
  - Contract or other arrangement
  - Verification of System Security
FOR OFFICIAL USE ONLY

DSA
When a contractor or member of a non-government entity requests access to TMA data, including de-identified data, a DSA is required.
The DSA serves as an agreement between a recipient of data and the Privacy Office.
- Documents the agreed upon responsibilities of the government sponsor and of the recipient
- Outlines permitted uses and disclosures
- Documents compliance with DoD privacy and security regulations
- Identifies the data that is required to meet a specified need
The DSA is executed when signed by a Government Sponsor, the data Recipient and the TMA Privacy Office.

DSAA
The DSAA is the application used to initiate a request for access to TMA data.
A completed DSAA contains the information to enable the Privacy Office to determine whether the data use is in compliance with applicable guidance.
Necessary information includes:
- Contract information
- Data specifications including data systems / files / elements
- Method of access (login or extraction)
- Description of data use, storage, and disclosure
- System security information

DSAA
The DSAA lists the following Points of Contact (POCs):
- Applicant: The individual (normally from the organization contracted to support the project) who will provide primary oversight and responsibility for the handling of the requested data
- Government Sponsor: The government POC within TMA, or the respective Armed Service, having overall responsibilities regarding the data use for the project funded by the referenced contract, grant, project, or Cooperative Research and Development Agreement

DSAA & DSA Signatures:
- Before submitting a DSAA, the Applicant and Sponsor must initial the application to certify that the information provided is accurate.
- After the DSAA is approved, the DSA will be sent to the Recipient (previously referred to as the Applicant on the DSAA) and Sponsor for signature.
- After the Recipient and Sponsor sign and return the DSA, the Privacy Office will provide final signature.
- The executed DSA, incorporating the approved DSAA, will be sent to the Recipient and Sponsor as the final step of an executed DSA.

Data request templates (DRTs)
What is a Data Request Template (DRT)?
In compliance with HIPAA’s “minimum necessary rule,” the Privacy Office created three DRTs to prompt Applicants to list the requested data elements and/or data categories.
Templates specific to Data Extraction:
- MHS Data Repository DRT (enable macros for submission)
- General DRT (for TMA systems other than MDR)
Template applicable to access via direct login:
- DRT for direct Access (for any TMA system to which access will be used)
If the requested data are attached to the DSAA using a document other than the DRT, it will be reviewed instead of requiring a DRT.

Contract requirements
The Privacy Office requires that contracts include specific language when:
- the work involves the use of personal information (PII/PHI language)
- the contract is awarded in support of a function or activity involving the use of PHI (Business Associate Agreement (BAA) language)
- the contractor utilizes PHI in any form (HIPAA language)
- records are collected, maintained and retrieved by personal identifier (system of record (SOR) language)
- a system or project collects, maintains, or disseminates PII from or about members of the public totaling at least ten individuals (PIA language)
The contract language can be found on the Privacy Office website at http://www.tricare.mil/tma/privacy/contractlanguage.aspx

Systems of Records (SOR)
A system of records notice (SORN), published in the Federal Register, provides public notice that data is collected and stored under the control of a federal agency.
If the requested data will be stored as a system of records, a SORN is required prior to the approval of a DSA.
A SORN describes:
- how the data are retrieved by personal identifier (e.g., name, SSN, date of birth)
- the “purpose” of the data collection (the “internal” uses)
- the “routine uses” of the data (disclosures external to the DoD)

Security of PII / PHI
To confirm that the requested data are protected using appropriate procedural, administrative, technical and physical safeguards, the Privacy Office requires:
- Confirmation of a current Authority to Operate (ATO) or an Interim Authority to Operate (IATO) if data are accessed, used or stored on
  - A DoD network or system
  - Government furnished equipment (GFE)
- Submission and approval of the Privacy Office’s System Security Verification (SSV) if data will be accessed, used or stored on a
  - Non-DoD network
  - Non-DoD computer (i.e., contractor-owned network or system)

Supporting Documents
Supporting documents corresponding with the DSAs include:
- Change of Applicant/Recipient
- Modification Request
- Extension Request
- Change of Government Sponsor
- Certification of Disposition of Data (CDD)
- Addendum for Services
- No-Action Notice
- Renewal Request

Conclusion
Summary & Questions

Resources
- DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 24, 2003
- DoD 8580.02-R, “DoD Health Information Security Regulation”, July 12, 2007
- DoD 5400.11-R, “DoD Privacy Program”, May 14, 2007
- Privacy Office Web site http://www.tricare.mil/tma/privacy/default.aspx
- http://www.tricare.mil/tma/privacy/mailinglist.aspx to subscribe to the Privacy Office E-News
- E-mail DSA.mail@tma.osd.mil for subject matter questions

Data Sharing Agreements
Barbara Hazzard
Data Sharing Contractor Support
Navy Medicine Office of the CIO
Phone: 703-681-2475
Barbara.hazzard.ctr@med.navy.mil

Introduction
Data Sharing Agreements (DSA)
- Submit a DSA Application if contractors need to obtain TMA and/or Navy Medicine (NM) data to perform a government sponsored initiative
- Defines roles and responsibilities of the Applicant/Recipient of NM and/or TMA data and the Government Sponsor
- Reviewed to ensure request is in compliance with Federal regulations to include Privacy Act of 1974 and HIPAA

Navy Medicine DSA Program
- Mirrors TMA Privacy and Civil Liberties Office’s DSA requirements and templates
- Reduces requester’s need to complete redundant forms and potential for re-work of submissions
- Reduces amount of time for review and approval
- Consolidates requests for NM and TMA data on one form providing consolidated view of data needs for the project/study.

DSA Approvals
- NM issues separate DSA number and approval letter for NM owned and managed data
- TMA issues separate DSA number and approval letter for TMA owned and managed data
- Two DSAs, one DSAA, as applicable

NM DSA Process
- Submit DSAAs to NM Office of the CIO
  - Endorses for approval requests for TMA owned and managed data to TMA
  - Approves requests for Navy Medicine owned and managed data
- A NM policy is under review to formalize the adoption of TMA’s DSA requirements and templates

Resources
- DoD 6025.18-R, “DoD Health Information Privacy Regulation,” January 24, 2003
- SECNAVINST 5211.5E: DON Privacy Program, 28 Dec 2005
- TMA Privacy Office Web site http://www.tricare.mil/tma/privacy/default.aspx
- NM Share Point Site: https://es.med.navy.mil/bumed/m6/m62
- Questions: dua.bumed@med.navy.mil