1 Defense Health Agency Privacy and Civil Liberties Office Data Sharing Program Overview Ms. Rita DeShields DHA Data Sharing Compliance Manager August.

Presentation transcript:

1 Defense Health Agency Privacy and Civil Liberties Office
Data Sharing Program Overview
Ms. Rita DeShields, DHA Data Sharing Compliance Manager
August 6, 2015

2 Data Sharing Program Overview
Objectives
The purpose of this presentation is to:
∎ Provide an overview of the DHA Privacy and Civil Liberties Office (Privacy Office) Data Sharing Program, as it relates to research, including:
  ➢ The Privacy Office's use of the Data Sharing Agreement (DSA)
  ➢ The parties involved in the DSA Process
  ➢ How the Privacy Office utilizes the DSA Application (DSAA) and DSA-related supporting documentation

3 Data Sharing Program Overview
The Privacy Office's use of the DSA
The DSA process allows the Privacy Office to:
∎ Confirm that DHA data will be used or disclosed in compliance with:
  ➢ DoD Privacy Program (DoD R), which implements the Privacy Act of 1974, as amended
  ➢ DoD Health Information Privacy Regulation (DoD R), which implements the HIPAA Privacy Rule
  ➢ DoD Health Information Security Regulation (DoD R), which implements the HIPAA Security Rule
  ➢ DoD Instruction , “Security of Unclassified DoD Information on Non-DoD Information System”
∎ DHA data is defined as personal information, including health information, maintained on a DHA managed system, as documented in the Defense Health Program System Inventory Reporting Tool (DHP SIRT)
*Currently under Office of General Counsel (OGC) review

4 Data Sharing Program Overview
The Privacy Office's use of the DSA
The DSA is an administrative control measure, used to:
∎ Confirm that DHA data will be used as permitted or required
∎ Exercise administrative, technical and physical safeguards to protect the privacy of PHI, as required by HIPAA
∎ Determine the HIPAA-defined category of data intended for use (i.e., PHI, a limited data set, or de-identified PHI)
  ➢ HIPAA permits a covered entity to use or disclose a limited data set (LDS) for research, public health, or health care operations purposes
  ➢ If the covered entity enters into a data use agreement (DUA) with the data recipient
∎ Maintain records to confirm compliance in case of an investigation

5 Data Sharing Program Overview
The Privacy Office's use of the DSA
“Data Sharing Agreements” is an umbrella term, used by the Privacy Office, when referring to the following agreements:
∎ A DSA for Protected Health Information (PHI)
∎ A DSA for Personally Identifiable Information (PII) excluding PHI
∎ A DSA for De-Identified Information
∎ A DUA for a LDS

6 Data Sharing Program Overview
Parties involved in the DSA Process
Parties involved in the DSA Process include:
∎ The DHA Privacy Office: performs a compliance review to determine whether the intended data use complies with all applicable requirements
∎ The DHA Privacy Board: reviews proposed research-specific uses of DHA PHI to confirm that the data will be used in compliance with HIPAA research requirements
∎ The System Program Office: approves access to DHA data systems, and has the final say as to the feasibility of obtaining DHA data from a system within their area of responsibility
∎ The DSA Requesting Parties: for research-related purposes, the requesting parties may include both non-DoD researchers and government personnel

7 Data Sharing Program Overview
The parties involved in the DSA Process
The DSA Government Sponsor
∎ The point of contact (civilian or uniformed Service member) from within the covered entity's sponsoring organization
  ➢ Assumes overall responsibility, on behalf of the government, for the projected data use and protection
  ➢ Confirms that the information provided in the DSAA is accurate

8 Data Sharing Program Overview
The parties involved in the DSA Process
The DSA Applicant/Recipient
∎ The individual who has primary responsibility for safeguarding the DHA data during its expected use
  ➢ If non-DoD support is involved (i.e., contractor or non-DoD grant recipient) the Applicant be an employee of the primary supporting organization
  ➢ Even when a project involves subcontractors, and the data is solely handled by those subcontractors
  ➢ When a project’s data use involves more than one primary contractor or grant recipient organization, a DSAA must be completed for each primary organization that requires data for the project
  ➢ The Applicant is referred to as the Recipient in the executed DSA

9 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
What is a DSAA?
∎ The DSAA is an application, designed by the Privacy Office, to prompt data requestors to accomplish the following objectives before a DSA will be executed:
  ➢ Make reasonable efforts to verify that DHA data are limited to the minimum necessary for achieving the intended purpose
  ➢ Obtain satisfactory assurance that the DHA data will be appropriately safeguarded
  ➢ Verify that the use of DHA data is permitted by the responsible DHA system program office

10 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
The DSAA also allows the Privacy Office to confirm the following key compliance points:
∎ DHA data will be used according to the permitted uses defined in the applicable System of Records Notice (SORN)
∎ Information system(s) and networks, intended for data processing and/or storage, have appropriate safeguards
∎ Research-related data uses have been reviewed by the applicable compliance offices, and have obtained the respective determinations, including:
  ➢ Institutional Review Board (IRB)
  ➢ DHA Human Research Protection Program (HRPP)
  ➢ When DHA data will be used for research purposes, and the protocol was not reviewed by a primary IRB within DoD
  ➢ DHA Privacy Board

11 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
Research-related DSAAs
∎ Include the following information on the DSAA, as appropriate:
  ➢ The DHA HRPP determination reference number and expiration date, if the protocol was not reviewed by a primary IRB within DoD
  ➢ The survey license number and expiration date, if the data will be used for survey purposes
∎ DSAAs submitted for research involving the use of PHI, greater than LDS, will be forwarded to the DHA Privacy Board for review
∎ DSAAs may be reviewed concurrently with other research-specific compliance reviews (i.e., Privacy Board, DHA HRPP)

12 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
System Security Verification (SSV) Template
∎ A completed SSV is required when data will be stored, transmitted, processed, or otherwise maintained on an information system that has not been granted a DoD Authority to Operate (ATO) or Interim Authority to Operate (IATO) in order to review for compliance with DoD R, “DoD Health Information Security Regulation” and DoDI , “Security of Unclassified DoD Information on Non-DoD Information Systems”

13 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
Data Request Templates (DRTs)
∎ The Privacy Office created 3 separate DRTs to help DSA Applicants and Government Sponsors list the data elements needed for the project or study
  ➢ The DRT for MHS Data Repository (MDR) Extractions
  ➢ The General DRT (for extractions from all other DHA systems)
  ➢ The DRT for Access by Login (to use for any DHA System)
∎ If the data elements are already listed on another document, and can be provided to support the DSAA, a separate DRT is not necessary

14 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
Final Steps
∎ After the DSAA is approved by the Data Sharing Compliance Manager:
  ➢ The appropriate DSA will be sent to the Recipient (reflected as the Applicant on the DSAA) and the Government Sponsor for signature
  ➢ Once the Recipient and Government Sponsor sign and return the DSA, the Privacy Office will provide final signature
  ➢ The executed DSA, incorporating the approved DSAA, will be sent to the Recipient and Government Sponsor for their records

15 Data Sharing Program Overview
How the Privacy Office utilizes the DSAA and supporting documentation
DSA Maintenance
∎ When the expiration date approaches, a request to renew the executed DSA may be submitted to the Privacy Office if:
  ➢ There are no substantive changes to the data use, as described in the approved DSA
  ➢ The project or contract has not ended
∎ If the data use, as described in the approved DSAA, changes:
  ➢ A DSA modification request template should be completed and submitted to the Privacy Office for review and approval
  ➢ Examples of changes that need to be submitted for review include staff changes and changes to risk level (i.e., exempt to minimal risk, etc.)

16 Data Sharing Program Overview How the Privacy Office utilizes the DSAA and supporting documentation

17 Data Sharing Program Overview Additional DSA-Related Information

18 Data Sharing Program Overview Additional DSA-Related Information

19 Data Sharing Program Overview
Additional DSA-Related Information
Use the chart below to determine the appropriate office to direct specific inquiries:

DHA Data Sharing Program
∎ DSA & DSAA completion/coordination
∎ Determination of Data-Category:
  ➢ Personally identifiable information (PII) excluding PHI
  ➢ PHI
  ➢ LDS
  ➢ De-identified
∎ General Data Sharing questions/guidance

Support Agreements Manager (SAM) Office
∎ Support Agreement coordination
∎ Choosing the appropriate Support Agreement:
  ➢ Interagency Agreement
  ➢ Memorandum of Understanding (MOU)
  ➢ Memorandum of Agreement (MOA)
∎ General Support Agreements questions/guidance

Appropriate System Program Office
∎ Data access/extraction coordination
∎ Confirmation that data maintained in a specific system may be used for the requested purpose
∎ General system-specific questions/guidance

DHA HRPP
∎ Protocol compliance review coordination
∎ Confirmation that the protocol involves research as defined by the Common Rule
∎ General research questions/guidance

20 Data Sharing Program Overview
Additional DSA-Related Information
∎ Defense Health Clinical Systems (DHCS):
∎ Defense Health Services Systems (DHSS):
∎ Support Agreements Manager (SAM) Contract language & Privacy clauses:
∎ Systems of Record Notices (SORNs):
∎ Department of Health & Human Services (HHS) HIPAA De-identification Guidance:
∎ DoD R, DoD Health Information Privacy Regulation:
∎ DoD R, DoD Health Information Security Regulation: