Military Health System

Standard Contract Language for DHA Components

This standard contract language must be included in solicitations and contracts whenever a contractor is required to collect, use, copy, access, or store personally identifiable information (PII) (including but not limited to protected health information (PHI)). The contract language (or appropriate paragraphs, as determined by the PGI 224.1-90) must be incorporated in its entirety from the above link into the contract requirements, if any of the following apply to performance by the contractor (including subcontractors and consultants):

  • If the contractor accesses PII/PHI in any form, include Health Insurance Portability and Accountability Act (HIPAA) contract language (including breach response provisions for compliance with HIPAA and other Federal laws). Most such contractors are HIPAA business associates, who are required to have HIPAA-compliant contract language. In some cases, however, contractors with PII/PHI access are not acting on behalf of a DOD HIPAA covered entity and thus are not acting as HIPAA business associates. Such contractors must comply with non-HIPAA Federal breach response requirements. Their contracts need not include the HIPAA business associate provisions in section 8 but must include the Breach Response provisions in section 9 of the DHA standard contract language. If it is not certain whether a contractor is acting as a HIPAA business associate, then the section 8 business associate provisions may be included with qualifying language such as “if applicable to this contract.”
  • If records of PII/PHI collected from individuals are retrieved by personal identifiers, include Systems of Record (SOR) contract language.
  • If an information technology (IT) system or project collects, maintains, or disseminates PII about members of the public, federal personnel, contractors or certain foreign nationals, include Privacy Impact Assessment (PIA) contract language.
  • If the contractor requires access, use, disclosure or storage of PII/PHI to perform its contract, include Data Sharing Agreement (DSA) contract language.
  • If the contractor is required to collect, use, copy, access, or store PII/PHI, include the contract language on training.

The standard contract language on the Freedom of Information Act (FOIA) and records management from the above link is mandatory whether or not the contractor accesses PII/PHI.

To determine which solicitations or contracts require which portions of the approved contract language, contact the responsible Contracting Office (Contracting Office-Aurora, Contracting Office-Falls Church, Contracting Office-National Capital Region, Contracting Office-Medical “Q” Services, Contracting Office-Health Information Technology, and Contracting Office-Defense Healthcare Management Systems) for more information while developing the requirements for the PWS/RFP. If necessary, the responsible Contracting Officer will consult with the DHA Privacy and Civil Liberties Office to make these determinations.

Last Updated: July 11, 2023