Data Sharing In Accordance with HIPAA Rita DeShields Data Sharing Compliance Officer TMA Privacy and Civil Liberties Office (Privacy Office) Phone: 703-681-7500 [email protected]

Mar 26, 2015

Page 1: Title slide

Data Sharing In Accordance with HIPAA

Rita DeShields, Data Sharing Compliance Officer
TMA Privacy and Civil Liberties Office (Privacy Office)
Phone: 703-681-7500
[email protected]

Page 2: Purpose

The purpose of this presentation is to describe:

- The Privacy Office’s function when TMA owned or managed data (TMA data) are requested
- The Data Sharing Agreements (DSA), the Data Sharing Agreement Application (DSAA) and supplemental DSA-related templates
- Key supporting elements that may be required:
  - System of Records Notice
  - Business Associate Agreement
  - Contract or other arrangement
  - Verification of System Security

FOR OFFICIAL USE ONLY

Page 3: DSA

When a contractor or member of a non-government entity requests access to TMA data, including de-identified data, a DSA is required.

The DSA serves as an agreement between a recipient of data and the Privacy Office. The DSA:

- Documents the agreed-upon responsibilities of the government sponsor and of the recipient
- Outlines permitted uses and disclosures
- Documents compliance with DoD privacy and security regulations
- Identifies the data that are required to meet a specified need

The DSA is executed when signed by a Government Sponsor, the data Recipient and the TMA Privacy Office.

Page 4: DSAA

The DSAA is the application used to initiate a request for access to TMA data.

A completed DSAA contains the information that enables the Privacy Office to determine whether the data use complies with applicable guidance. Necessary information includes:

- Contract information
- Data specifications, including data systems, files and elements
- Method of access (login or extraction)
- Description of data use, storage and disclosure
- System security information

Page 5: DSAA

The DSAA lists the following Points of Contact (POCs):

- Applicant: The individual (normally from the organization contracted to support the project) who will provide primary oversight and responsibility for the handling of the requested data
- Government Sponsor: The government POC within TMA, or the respective Armed Service, having overall responsibilities regarding the data use for the project funded by the referenced contract, grant, project, or Cooperative Research and Development Agreement

Page 6: DSAA & DSA

Signatures:

1. Before submitting a DSAA, the Applicant and Sponsor must initial the application to certify that the information provided is accurate.

2. After the DSAA is approved, the DSA will be sent to the Recipient (previously referred to as the Applicant on the DSAA) and Sponsor for signature.

3. After the Recipient and Sponsor sign and return the DSA, the Privacy Office will provide the final signature.

4. The executed DSA, incorporating the approved DSAA, will be sent to the Recipient and Sponsor as the final step of the process.

Page 7: Data Request Templates (DRTs)

What is a Data Request Template (DRT)?

In compliance with HIPAA’s “minimum necessary” rule, the Privacy Office created three DRTs to prompt Applicants to list the requested data elements and/or data categories.

- Templates specific to data extraction:
  - MHS Data Repository (MDR) DRT (enable macros for submission)
  - General DRT (for TMA systems other than the MDR)
- Template applicable to access via direct login:
  - DRT for Direct Access (for any TMA system to which login access will be used)

If the requested data are attached to the DSAA using a document other than the DRT, that document will be reviewed instead of requiring a DRT.

Page 8: Contract requirements

The Privacy Office requires that contracts include specific language when:

- the work involves the use of personal information (PII/PHI language)
- the contract is awarded in support of a function or activity involving the use of PHI (Business Associate Agreement (BAA) language)
- the contractor utilizes PHI in any form (HIPAA language)
- records are collected, maintained and retrieved by personal identifier (system of records (SOR) language)
- a system or project collects, maintains, or disseminates PII from or about members of the public totaling at least ten individuals (PIA language)

The contract language can be found on the Privacy Office website at http://www.tricare.mil/tma/privacy/contractlanguage.aspx

Page 9: Systems of Records (SOR)

A system of records notice (SORN), published in the Federal Register, provides public notice that data are collected and stored under the control of a federal agency. If the requested data will be stored in a system of records, a SORN is required prior to the approval of a DSA.

A SORN describes:

- how the data are retrieved by personal identifier (e.g., name, SSN, date of birth)
- the “purpose” of the data collection (the “internal” uses)
- the “routine uses” of the data (disclosures external to the DoD)

Page 10: Security of PII / PHI

To confirm that the requested data are protected using appropriate procedural, administrative, technical and physical safeguards, the Privacy Office requires:

- Confirmation of a current Authority to Operate (ATO) or an Interim Authority to Operate (IATO) if data are accessed, used or stored on:
  - a DoD network or system
  - Government furnished equipment (GFE)
- Submission and approval of the Privacy Office’s System Security Verification (SSV) if data will be accessed, used or stored on:
  - a non-DoD network
  - a non-DoD computer (i.e., contractor-owned network or system)

Page 11: Supporting Documents

Supporting documents corresponding with the DSAs include:

Page 12: Conclusion

Summary & Questions

Page 13: Resources

- DoD 6025.18-R, “DoD Health Information Privacy Regulation,” January 24, 2003
- DoD 8580.02-R, “DoD Health Information Security Regulation,” July 12, 2007
- DoD 5400.11-R, “DoD Privacy Program,” May 14, 2007
- Privacy Office Web site: http://www.tricare.mil/tma/privacy/default.aspx
- Subscribe to the Privacy Office E-News: http://www.tricare.mil/tma/privacy/mailinglist.aspx
- E-mail [email protected] for subject matter questions

Page 14: Data Sharing Agreements

Barbara Hazzard, Data Sharing Contractor Support
Navy Medicine Office of the CIO
Phone: 703-681-2475
[email protected]

Page 15: Introduction: Data Sharing Agreements (DSA)

- Submit a DSA Application if contractors need to obtain TMA and/or Navy Medicine (NM) data to perform a government sponsored initiative
- Defines roles and responsibilities of the Applicant/Recipient of NM and/or TMA data and the Government Sponsor
- Reviewed to ensure the request is in compliance with Federal regulations, including the Privacy Act of 1974 and HIPAA

Page 16: Navy Medicine DSA Program

- Mirrors the TMA Privacy and Civil Liberties Office’s DSA requirements and templates
- Reduces the requester’s need to complete redundant forms and the potential for re-work of submissions
- Reduces the amount of time for review and approval
- Consolidates requests for NM and TMA data on one form, providing a consolidated view of data needs for the project/study

Page 17: DSA Approvals

- NM issues a separate DSA number and approval letter for NM owned and managed data
- TMA issues a separate DSA number and approval letter for TMA owned and managed data
- Two DSAs, one DSAA, as applicable

Page 18: NM DSA Process

- Submit DSAAs to the NM Office of the CIO, which:
  - Endorses requests for TMA owned and managed data and forwards them to TMA for approval
  - Approves requests for Navy Medicine owned and managed data
- A NM policy is under review to formalize the adoption of TMA’s DSA requirements and templates

Page 19: Resources

- DoD 6025.18-R, “DoD Health Information Privacy Regulation,” January 24, 2003
- SECNAVINST 5211.5E, “DON Privacy Program,” 28 Dec 2005
- TMA Privacy Office Web site: http://www.tricare.mil/tma/privacy/default.aspx
- NM SharePoint Site: https://es.med.navy.mil/bumed/m6/m62
- Questions: [email protected]