Data Sharing Agreements

TRICARE Management ActivityHEALTH AFFAIRS

2009 Data Protection Seminar

TMA Privacy Office

TRICARE Management ActivityHEALTH AFFAIRS

22

Data Sharing Agreements

Purpose

The purpose of this presentation is to review the role of the TRICARE Management Activity (TMA) Privacy Office, the current Data Use Agreement (DUA) process, and provide an update on the status of the data sharing restructuring initiative

TRICARE Management ActivityHEALTH AFFAIRS

33

Data Sharing Agreements

Objectives Upon completion of this presentation, you should be able to:

− Explain the role of the TMA Privacy Office in authorizing access to Military Health System (MHS) corporate data

− Understand the current DUA process

− Recognize the status of the data sharing restructuring initiative

TRICARE Management ActivityHEALTH AFFAIRS

44

Data Sharing Agreements

Role of the TMA Privacy Office The role of the TMA Privacy Office is to authorize use and

disclosure of Military Health System (MHS) data that are owned and/or managed by Health Affairs (HA) and TMA and ensure compliance with applicable privacy regulations, including:

− DoD 6025.18-R (implementing the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule)

− DoD 5400.11-R (implementing the Privacy Act of 1974)

− DoD 8580.02-R (implementing the HIPAA Security Regulations)

There is a separate process managed by Defense Health Services Systems (DHSS) that is required in order to obtain access to information system applications

TRICARE Management ActivityHEALTH AFFAIRS

55

Data Sharing Agreements

Who Must Submit a Request? A person or entity that seeks to obtain MHS data that are

owned and/or managed by HA and TMA must submit a request to the TMA Privacy Office

A person or entity seeking data from the Army, Navy, or Air Force data must direct their request to the respective service as follows:

− Army DUA Submissions: ARMY.DUA@pasba2.amedd.army.mil

− Navy DUA Submissions: dua.bumed@med.navy.mil

− Air Force Submissions: AF_SGDataUseAgreement@pentagon.af.mil

TRICARE Management ActivityHEALTH AFFAIRS

66

Data Sharing Agreements

Current Types of DUAs Two types of frequently used DUAs

− Protected Health Information (PHI) and Beneficiary Encrypted Files

− De-Identified Files

TRICARE Management ActivityHEALTH AFFAIRS

77

Data Sharing Agreements

Overview of Current Process The term DUA is currently used in a broad sense and includes

different types of agreements for the sharing of MHS data

The purpose of DUAs under the current structure is to:

− Serve as an agreement between a recipient of MHS data and the TMA Privacy Office

− Document compliance with DoD regulations and applicable privacy laws

− Identify the minimally necessary data required to meet a specific data request

− Outline the permitted uses and disclosures

TRICARE Management ActivityHEALTH AFFAIRS

88

Data Sharing Agreements

Restructuring Initiative

TRICARE Management ActivityHEALTH AFFAIRS

99

Data Sharing Agreements

Purpose of the Restructuring Initiative To more closely align the data sharing process with DoD

Health Information Privacy Regulation (DoD 6025.18-R)

To streamline the process and provide more targeted data sharing agreements, and

To enhance regulatory compliance and accountability

TRICARE Management ActivityHEALTH AFFAIRS

1010

Data Sharing Agreements

Focusing on the Different Needs Who is the recipient?

− DoD, Government (non-DoD), Non-government

Why is the request being made?

− Quality Assurance

− Research

− Maintenance of an MHS system

− Other – to be reviewed by the TMA Privacy Office

TRICARE Management ActivityHEALTH AFFAIRS

11

What data is used/disclosed?

− De-identified data

− Sensitive information

− Limited data set

− Personally Identifiable Information (PII) and/or Protected Health Information (PHI)

Data Sharing Agreements

Focusing on the Different Needs (continued)

TRICARE Management ActivityHEALTH AFFAIRS

1212

Data Sharing Agreements

Laying a Strong Foundation The TMA Privacy Office is analyzing all different types of data

sharing requests in order to ultimately improve clarity, regulatory compliance, and ease-of-use; this has included:

− Taking a close look at research-related requests and collaborating with others

− Streamlining collaboration with DHSS to help expedite access

− Reviewing different needs and requirements for de-identified data, limited data sets, quality assurance purposes, health care operations, managed care support contracts, public health, etc.

− Clearly identifying contract verification needs for business associates

− Updating the current System Assurance Questionnaire

TRICARE Management ActivityHEALTH AFFAIRS

1313

Data Sharing Agreements

Next Steps Reformat the current DUA (interim step)

Finalize the System Security Verification, which will replace the current System Assurance Questionnaire

Continue collaboration and effort to finalize an improved process for research-related requests

Complete a data sharing questionnaire which will lead to different agreements and verifications, as required, to meet all needs within the three Ws (slide 10)

Explore the use of Health Program Analysis & Evaluation Division (HPA&E) web portal for launching the new restructure

TRICARE Management ActivityHEALTH AFFAIRS

1414

Data Sharing Agreements

Summary You should now be able to:

− Explain the role of the TMA Privacy Office in authorizing access to MHS corporate data

− Understand the current DUA process

− Recognize the status of the data sharing restructuring initiative

TRICARE Management ActivityHEALTH AFFAIRS

1515

Data Sharing Agreements

Resources DoD 6025.18-R, “DoD Health Information Privacy Regulation”,

January 2003

DoD 5400.11-R, “DoD Privacy Program”, May 14, 2007

DoD 8580.02-R, “DoD Health Information Security Regulation”, July 12, 2007