Data Sharing In Accordance with HIPAA Rita DeShields Data Sharing Compliance Officer TMA Privacy and Civil Liberties Office (Privacy Office) Phone: 703-681-7500 [email protected]
Jan 19, 2016
Data Sharing In Accordance with HIPAA
Rita DeShieldsData Sharing Compliance Officer
TMA Privacy and Civil Liberties Office (Privacy Office)Phone: 703-681-7500
Purpose
The purpose of this presentation is to describe:
The Privacy Office’s function when TMA owned or managed data (TMA data) are requested
The Data Sharing Agreements (DSA), the Data Sharing Agreement Application (DSAA) and Supplemental DSA-related templates
Key supporting elements that may be required − System of Record Notice− Business Associate Agreement− Contract or other arrangement − Verification of System Security
FOR OFFICIAL USE ONLY2
When a contractor or member of a non-government entity requests access to TMA data, including de-identified data, a DSA is required.
The DSA serves as an agreement between a recipient of data and the Privacy Office.
Documents the agreed upon responsibilities of the government sponsor and of the recipient
Outlines permitted uses and disclosures
Documents compliance with DoD privacy and security regulations
Identifies the data that is required to meet a specified need
The DSA is executed when signed by a Government Sponsor, the data Recipient and the TMA Privacy Office.
FOR OFFICIAL USE ONLY3
DSA
The DSAA is the application used to initiate a request for access to TMA data.
A completed DSAA contains the information to enable the Privacy Office to determine whether the data use is in compliance with applicable guidance. Necessary information includes:
Contract information
Data specifications including data systems / files / elements
Method of access (login or extraction)
Description of data use, storage, and disclosure
System security information
FOR OFFICIAL USE ONLY4
DSAA
The DSAA lists the following Points of Contact (POCs):− Applicant: The individual (normally from the organization
contracted to support the project) who will provide primary oversight and responsibility for the handling of the requested data
− Government Sponsor: The government POC within TMA, or the respective Armed Service, having overall responsibilities regarding the data use for the project funded by the referenced contract, grant, project, or Cooperative Research and Development Agreement
FOR OFFICIAL USE ONLY5
DSAA
Signatures:
1.Before submitting a DSAA, the Applicant and Sponsor must initial the application to certify that the information provided is accurate.
2.After the DSAA is approved, the DSA will be sent to the Recipient (previously referred to as the Applicant on the DSAA) and Sponsor for signature.
3.After the Recipient and Sponsor sign and return the DSA, the Privacy Office will provide final signature.
4.The executed DSA, incorporating the approved DSAA, will be sent to the Recipient and Sponsor as the final step of an executed DSA.
FOR OFFICIAL USE ONLY6
DSAA & DSA
What is a Data Request Template (DRT)?
In compliance with HIPAA’s “minimum necessary rule,” the Privacy Office created three DRTs to prompt Applicants to list the requested data elements and or data categories.
-Templates specific to Data Extraction: MHS Data Repository DRT (enable macros for submission)General DRT (for TMA systems other than MDR )
-Template applicable to access via direct login: DRT for direct Access (for any TMA system to which access will be used)
If the requested data are attached to the DSAA using a document other than the DRT, it will be reviewed instead of requiring a DRT.
FOR OFFICIAL USE ONLY7
Data request templates (DRTs)
The Privacy Office requires that contracts include specific language when:− the work involves the use of personal information (PII/PHI language)
− the contract is awarded in support of a function or activity involving the use of PHI (Business Associate Agreement (BAA) language)
− the contractor utilizes PHI in any form (HIPAA language)
− records are collected, maintained and retrieved by personal identifier (system of record (SOR) language)
− a system or project collects, maintains, or disseminates PII from or about members of the public totaling at least ten individuals (PIA language)
The contract language can be found on the Privacy Office website at http://www.tricare.mil/tma/privacy/contractlanguage.aspx
8
Contract requirements
A system or records notice (SORN), published in the Federal Register, provides public notice that data is collected and stored under the control of a federal agency. If the requested data will be stored as a system of records, a SORN is required prior to the approval of a DSA.
A SORN describes: − how the data are retrieved by personal identifier (e.g., name, SSN, date of birth)
− the “purpose” of the data collection (the “internal” uses)
− the “routine uses” of the data (disclosures external to the DoD)
FOR OFFICIAL USE ONLY
9
Systems of Records (SOR)
To confirm that the requested data are protected using appropriate procedural, administrative, technical and physical safeguards, the Privacy Office requires:
Confirmation of a current Authority to Operate (ATO) or an Interim Authority to Operate (IATO) if data are accessed, used or stored on−A DoD network or system
−Government furnished equipment (GFE)
Submission and approval of the Privacy Office’s System Security Verification (SSV) if data will be accessed, used or stored on a−Non-DoD network
−Non-DoD computer (i.e., contractor-owned network or system)
FOR OFFICIAL USE ONLY
10
Security of PII / PHI
FOR OFFICIAL USE ONLY11
Supporting Documents
Supporting documents corresponding with the DSAs include:
Summary
&
Questions
FOR OFFICIAL USE ONLY12
Conclusion
DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 24, 2003
DoD 8580.02-R, “DoD Health Information Security Regulation”, July 12, 2007
DoD 5400.11-R, “DoD Privacy Program”, May 14, 2007
Privacy Office Web site http://www.tricare.mil/tma/privacy/default.aspx
http://www.tricare.mil/tma/privacy/mailinglist.aspx to subscribe to the Privacy Office E-News
E-mail [email protected] for subject matter questions
FOR OFFICIAL USE ONLY13
Resources
Data Sharing Agreements
Barbara HazzardData Sharing Contractor Support
Navy Medicine Office of the CIOPhone: 703-681-2475
IntroductionData Sharing Agreements
(DSA) Submit a DSA Application if contractors need to
obtain TMA and or Navy Medicine (NM) data to perform a government sponsored initiative
Defines roles and responsibilities of the Applicant/Recipient of NM and/or TMA data and the Government Sponsor
Reviewed to ensure request is in compliance with Federal regulations to include Privacy Act of 1974 and HIPAA
FOR OFFICIAL USE ONLY15
Mirrors TMA Privacy and Civil Liberties Office’s DSA requirements and templates Reduces requester’s need to complete redundant
forms and potential for re-work of submissions
Reduces amount of time for review and approval
Consolidates requests for NM and TMA data on one form providing consolidated view of data needs for the project/study.
FOR OFFICIAL USE ONLY16
Navy Medicine DSA Program
DSA Approvals
NM issues separate DSA number and approval letter for NM owned and managed data
TMA issues separate DSA number and approval letter for TMA owned and managed data
Two DSAs, one DSAA, as applicable
FOR OFFICIAL USE ONLY17
NM DSA Process
Submit DSAAs to NM Office of the CIO Endorses for approval requests for TMA owned
and managed data to TMA
Approves requests for Navy Medicine owned and managed data
A NM policy is under review to formalize the adoption of TMA’s DSA requirements and templates
FOR OFFICIAL USE ONLY18
DoD 6025.18-R, “DoD Health Information Privacy Regulation,” January 24, 2003
SECNAVINST 5211.5E: DON Privacy Program, 28 Dec 2005
TMA Privacy Office Web site http://www.tricare.mil/tma/privacy/default.aspx
NM Share Point Site: https://es.med.navy.mil/bumed/m6/m62
Questions: [email protected]
FOR OFFICIAL USE ONLY
19
Resources