Skip main navigation

Military Health System

Hurricane Milton & Hurricane Helene

Emergency procedures are in place in multiple states due to Hurricane Milton & Hurricane Helene. >>Learn More

Skip subpage navigation

Prerequisites to Privacy Board

Before the DHA Privacy Board reviews a research project for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Department of Defense (DOD) Health Information Privacy Regulation (DOD 6025.18-R), the requirements set forth below and illustrated in the flowchart entitled Prerequisites to DHA Privacy Board Review must be initiated.

Institutional Review Board (IRB) and DHA Human Research Protection Program (HRPP) Review

All research projects must be reviewed in accordance with the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule.” If the project does not meet the criteria of human subject research as determined by either an IRB or the DHA HRPP Office in accordance with the Common Rule, the DHA Privacy and Civil Liberties Office (PCLO) will process the Data Sharing Agreement Application (DSAA) requesting Military Health System (MHS) data managed by DHA for the purpose of the research project. Information regarding DSAAs can be found in the Data Sharing Agreement section.

Further information regarding HRPP reviews and requirements can be found at the DHA HRPP website.

Additional Requirements for Surveys or Information Collection Requests (ICRs)

There are additional requirements for Surveys or Information Collection Requests (ICRs) that must be followed. The DHA PCLO cannot complete the processing of the researcher’s DSAA until the additional requirements are met.

When the DHA HRPP Office or IRB has determined the project involving the use of surveys or ICRs is not research, the project will still need to comply with DHCAPE’s TRICARE Survey Program. The DHA PCLO cannot complete processing of the researcher’s DSAA until the survey or ICR requirements referenced above are met.

Data Sharing Agreement Application (DSAA)

In order to request data for a particular project, researchers must submit a DSAA as instructed on the Data Sharing Agreement section of the DHA PCLO’s webpage. The Principal Investigator (PI) is the lead researcher for a particular project and must be identified as instructed in the DSAA. The PI is contacted regarding any questions, concerns, and/or follow-up needs. The DHA PCLO promptly reviews the data elements requested to determine whether or not the request appears to meet the HIPAA Privacy Rule’s minimum necessary standard. The DHA PCLO then considers the type of information needed by the research project.

Information Considered in Determining Legal Compliance Requirements

The DHA PCLO categorizes a research project’s informational needs into one of the following four types for compliance review:

  1. De-identified data
  2. Personally Identifiable Information (PII) excluding Protected Health Information (PHI)
  3. LDS
  4. PHI greater than an LDS

Projects that seek de-identified data, PII excluding protected health information (PHI), or a LDS, do not require DHA Privacy Board review. A research project that seeks PHI greater than a LDS, however, is sent to the DHA Privacy Board for HIPAA Privacy Rule review and documentation. The DHA Privacy Board will reach out to the PI and Sponsor and begin the HIPAA Privacy Rule review process.

Last Updated: July 11, 2023
Follow us on Instagram Follow us on LinkedIn Follow us on Facebook Follow us on X Follow us on YouTube Sign up on GovDelivery