HIPAA defines de-identified data as:

• Data that does not identify an individual
• Data that has the 18 categories of direct identifiers removed
• Data that allows no reason to believe it can be used, alone or in combination with other information to identify an individual

Coded data is not considered to be de-identified data. Additionally, the following unofficial MHS Quasi-identifiers must be excluded from the data set:

• Age, duty location, race, rank, ethnicity, pay grade, training site, unit identification code (UIC)

DODM 6025.18, March 13, 2019 defines a limited data set as PHI that excludes 16 of the 18 direct identifiers. A limited data set may still include the following (potentially identifying) information: admission dates, discharge dates, service dates, dates of birth, and, if applicable, age at time of death (including decedents age 90 or over). Also, five-digit zip code or any other geographic subdivision, such as state, county, city, precinct, and their equivalent geocodes (except street address) may also remain as part of a limited data set (LDS).

• Business Associates who need DHA data to do work on behalf of the government (there may be exceptions)
• Government personnel who need DHA data for a research project or a survey (there may be exceptions)
• Researchers who need DHA data for a research project or survey
• Students and professionals who need DHA data for an academic research project or for a dissertation

The Applicant, Government Sponsor, and DHA PCLO are listed on the DSA.

Under DOD 5400.11-R, "Department of Defense Privacy Program," May 14,2007, personally identifiable information (PII) is information about an individual that identifies, links, relates, or is unique to, or describes the individual. Examples are: a social security number; age; military rank; civilian grade; marital status; race; salary; home or office phone numbers; and other demographic, biometric, personnel, medical, and financial information.

Under DODM 6025.18, March 13, 2019, protected health information (PHI) is a subset of PII. PHI is health information, including demographic information collected from an individual, created or received by a health care provider, health plan, employer, or health care clearinghouse, and relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

No, the IRB must approve the research project before a DSA submission can be submitted for review.

• Social Security Justification (SSNJ) - reviews the use of SSN for a project.
• Privacy Act Review - to make sure proposed data use is allowed under SORN.
• HIPAA Safeguard Review (HSR) - information system security review for contractor equipment.
• Data Evaluation Workgroup (DEW) - data experts determination data type and reviews for minimum necessary.
• HIPAA Privacy Rule Compliance review - review of HIPAA documentation and repository review to ensure HIPAA compliance with repositories.

If the DHA data is provided to the project team from a third-party as an extract, then a DSA is not required. If the data is coded, then a DSA is still required because coded data is not de-identified data.

Using any form of the SSN must go through the Social Security Number Justification (SSNJ) process due to guidelines stated within DODI 1000.30, Reduction of SSN Use within DOD, requires the reduction or elimination of SSN usage wherever possible. If Social Security Numbers are required, project team must provide a justification and use as to why it is used and explain why a substitution cannot be used. Answering the following questions can assist the project team in providing a justification:

• Why is SSN needed to combine the data? In other words, if alternatives to SSN (e.g., EDIPNs or pseudo person IDs) are sufficient in other instances, are those alternatives to SSN sufficient to respond to Congressional inquiries and/or Senior DoD stakeholders inquiries
• Are alternatives to SSN used first? Further, in response to Congressional inquiries and/or Senior DOD stakeholders inquiries, are alternatives to SSN used first and if not sufficient to respond, then SSN is used
• Are those alternatives to SSN insufficient to combine data from multiple data sources? Do some individuals not have alternatives to SSN and SSN is the only way to identify them?

The data flow should reflect how the project team will obtain and secure storing DHA data. It should specifically address the following questions:

• Is it clear who is pulling/extracting/logging in to see the data?
• Is it clear how data will be transferred from Data Extractor to applicant organization and/or to other parties?
• Is it clear how data will be securely stored once extracted from the DHA system?

The Privacy Office does not determine within an applicant or sponsor organization who must sign the DSA submission. The requestors must determine who has the authority to sign for their organization and take on the responsibilities outline in the previously mentioned “Applicant Responsibility” and “Government Responsibility” documents.

A system of record (SOR) consists of a group of records from which personal information about an individual is retrieved by the name of the individual or by some other identifying number, symbol, or other identifying characteristic unique to the individual.

• The determination of whether the intended use is permitted by the System of Records Notice (SORN) will be made during the DSAA review, so you are encouraged to check the websites below to ensure that there will not be an issue at the time of review.
• Check compliance by accessing the DOD SORNs at https://dpcld.defense.gov/Privacy/SORNs/.
• Check compliance by accessing the DOD PIAs at https://dpcld.defense.gov/Privacy/Privacy-Impact-Assessment/.

DHA data is data maintained on DHA systems or systems that are determined to fall under the purview of the DHA Chief Information Officer. The DHA PCLO has a list of frequently accessed systems that contain DHA data to assist data requestors in determining whether data are DHA data. If the data request includes data from an information system not on the list, the DSAA Applicant or DOD Sponsor must ask DHA Cybersecurity Division whether the information system is one managed by DHA.