Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Sharing In Accordance with HIPAA Rita DeShields Data Sharing Compliance Officer TMA Privacy and Civil Liberties Office (Privacy Office) Phone: 703-681-7500.

Similar presentations

Presentation on theme: "Data Sharing In Accordance with HIPAA Rita DeShields Data Sharing Compliance Officer TMA Privacy and Civil Liberties Office (Privacy Office) Phone: 703-681-7500."— Presentation transcript:

1 Data Sharing In Accordance with HIPAA Rita DeShields Data Sharing Compliance Officer TMA Privacy and Civil Liberties Office (Privacy Office) Phone:

2 Purpose The purpose of this presentation is to describe: The Privacy Offices function when TMA owned or managed data (TMA data) are requested The Data Sharing Agreements (DSA), the Data Sharing Agreement Application (DSAA) and Supplemental DSA-related templates Key supporting elements that may be required System of Record Notice Business Associate Agreement Contract or other arrangement Verification of System Security FOR OFFICIAL USE ONLY 2

3 When a contractor or member of a non-government entity requests access to TMA data, including de-identified data, a DSA is required. The DSA serves as an agreement between a recipient of data and the Privacy Office. Documents the agreed upon responsibilities of the government sponsor and of the recipient Outlines permitted uses and disclosures Documents compliance with DoD privacy and security regulations Identifies the data that is required to meet a specified need The DSA is executed when signed by a Government Sponsor, the data Recipient and the TMA Privacy Office. FOR OFFICIAL USE ONLY 3 DSA

4 The DSAA is the application used to initiate a request for access to TMA data. A completed DSAA contains the information to enable the Privacy Office to determine whether the data use is in compliance with applicable guidance. Necessary information includes: Contract information Data specifications including data systems / files / elements Method of access (login or extraction) Description of data use, storage, and disclosure System security information FOR OFFICIAL USE ONLY 4 DSAA

5 The DSAA lists the following Points of Contact (POCs): Applicant: The individual (normally from the organization contracted to support the project) who will provide primary oversight and responsibility for the handling of the requested data Government Sponsor: The government POC within TMA, or the respective Armed Service, having overall responsibilities regarding the data use for the project funded by the referenced contract, grant, project, or Cooperative Research and Development Agreement FOR OFFICIAL USE ONLY 5 DSAA

6 Signatures: 1.Before submitting a DSAA, the Applicant and Sponsor must initial the application to certify that the information provided is accurate. 2.After the DSAA is approved, the DSA will be sent to the Recipient (previously referred to as the Applicant on the DSAA) and Sponsor for signature. 3.After the Recipient and Sponsor sign and return the DSA, the Privacy Office will provide final signature. 4.The executed DSA, incorporating the approved DSAA, will be sent to the Recipient and Sponsor as the final step of an executed DSA. FOR OFFICIAL USE ONLY 6 DSAA & DSA

7 What is a Data Request Template (DRT)? In compliance with HIPAAs minimum necessary rule, the Privacy Office created three DRTs to prompt Applicants to list the requested data elements and or data categories. -Templates specific to Data Extraction: MHS Data Repository DRT (enable macros for submission) General DRT (for TMA systems other than MDR ) -Template applicable to access via direct login: DRT for direct Access (for any TMA system to which access will be used) If the requested data are attached to the DSAA using a document other than the DRT, it will be reviewed instead of requiring a DRT. FOR OFFICIAL USE ONLY 7 Data request templates (DRTs)

8 The Privacy Office requires that contracts include specific language when: the work involves the use of personal information (PII/PHI language) the contract is awarded in support of a function or activity involving the use of PHI (Business Associate Agreement (BAA) language) the contractor utilizes PHI in any form (HIPAA language) records are collected, maintained and retrieved by personal identifier (system of record (SOR) language) a system or project collects, maintains, or disseminates PII from or about members of the public totaling at least ten individuals (PIA language) The contract language can be found on the Privacy Office website at 8 Contract requirements

9 A system or records notice (SORN), published in the Federal Register, provides public notice that data is collected and stored under the control of a federal agency. If the requested data will be stored as a system of records, a SORN is required prior to the approval of a DSA. A SORN describes: how the data are retrieved by personal identifier (e.g., name, SSN, date of birth) the purpose of the data collection (the internal uses) the routine uses of the data (disclosures external to the DoD) FOR OFFICIAL USE ONLY 9 Systems of Records (SOR)

10 To confirm that the requested data are protected using appropriate procedural, administrative, technical and physical safeguards, the Privacy Office requires: Confirmation of a current Authority to Operate (ATO) or an Interim Authority to Operate (IATO) if data are accessed, used or stored on A DoD network or system Government furnished equipment (GFE) Submission and approval of the Privacy Offices System Security Verification (SSV) if data will be accessed, used or stored on a Non-DoD network Non-DoD computer (i.e., contractor-owned network or system) FOR OFFICIAL USE ONLY 10 Security of PII / PHI

11 Change of Applicant/Recipient Change of Government Sponsor Addendum for Services Renewal Request Modification Request Extension Request Certification of Disposition of Data (CDD) No-Action Notice FOR OFFICIAL USE ONLY 11 Supporting Documents Supporting documents corresponding with the DSAs include:

12 Summary & Questions FOR OFFICIAL USE ONLY 12 Conclusion

13 DoD R, DoD Health Information Privacy Regulation, January 24, 2003 DoD R, DoD Health Information Security Regulation, July 12, 2007 DoD R, DoD Privacy Program, May 14, 2007 Privacy Office Web site to subscribe to the Privacy Office E-News for subject matter FOR OFFICIAL USE ONLY 13 Resources

14 Data Sharing Agreements Barbara Hazzard Data Sharing Contractor Support Navy Medicine Office of the CIO Phone:

15 Introduction Data Sharing Agreements (DSA) Submit a DSA Application if contractors need to obtain TMA and or Navy Medicine (NM) data to perform a government sponsored initiative Defines roles and responsibilities of the Applicant/Recipient of NM and/or TMA data and the Government Sponsor Reviewed to ensure request is in compliance with Federal regulations to include Privacy Act of 1974 and HIPAA FOR OFFICIAL USE ONLY 15

16 Mirrors TMA Privacy and Civil Liberties Offices DSA requirements and templates Reduces requesters need to complete redundant forms and potential for re-work of submissions Reduces amount of time for review and approval Consolidates requests for NM and TMA data on one form providing consolidated view of data needs for the project/study. FOR OFFICIAL USE ONLY 16 Navy Medicine DSA Program

17 DSA Approvals NM issues separate DSA number and approval letter for NM owned and managed data TMA issues separate DSA number and approval letter for TMA owned and managed data Two DSAs, one DSAA, as applicable FOR OFFICIAL USE ONLY 17

18 NM DSA Process Submit DSAAs to NM Office of the CIO Endorses for approval requests for TMA owned and managed data to TMA Approves requests for Navy Medicine owned and managed data A NM policy is under review to formalize the adoption of TMAs DSA requirements and templates FOR OFFICIAL USE ONLY 18

19 DoD R, DoD Health Information Privacy Regulation, January 24, 2003 SECNAVINST E: DON Privacy Program, 28 Dec 2005 SECNAVINST E TMA Privacy Office Web site NM Share Point Site: Questions: FOR OFFICIAL USE ONLY 19 Resources

Download ppt "Data Sharing In Accordance with HIPAA Rita DeShields Data Sharing Compliance Officer TMA Privacy and Civil Liberties Office (Privacy Office) Phone: 703-681-7500."

Similar presentations

Ads by Google