data sharing agreements tricare management activity health affairs 2009 data protection seminar tma...
TRANSCRIPT
Data Sharing Agreements
TRICARE Management ActivityHEALTH AFFAIRS
2009 Data Protection Seminar
TMA Privacy Office
TRICARE Management ActivityHEALTH AFFAIRS
22
Data Sharing Agreements
Purpose
The purpose of this presentation is to review the role of the TRICARE Management Activity (TMA) Privacy Office, the current Data Use Agreement (DUA) process, and provide an update on the status of the data sharing restructuring initiative
TRICARE Management ActivityHEALTH AFFAIRS
33
Data Sharing Agreements
Objectives Upon completion of this presentation, you should be able to:
− Explain the role of the TMA Privacy Office in authorizing access to Military Health System (MHS) corporate data
− Understand the current DUA process
− Recognize the status of the data sharing restructuring initiative
TRICARE Management ActivityHEALTH AFFAIRS
44
Data Sharing Agreements
Role of the TMA Privacy Office The role of the TMA Privacy Office is to authorize use and
disclosure of Military Health System (MHS) data that are owned and/or managed by Health Affairs (HA) and TMA and ensure compliance with applicable privacy regulations, including:
− DoD 6025.18-R (implementing the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule)
− DoD 5400.11-R (implementing the Privacy Act of 1974)
− DoD 8580.02-R (implementing the HIPAA Security Regulations)
There is a separate process managed by Defense Health Services Systems (DHSS) that is required in order to obtain access to information system applications
TRICARE Management ActivityHEALTH AFFAIRS
55
Data Sharing Agreements
Who Must Submit a Request? A person or entity that seeks to obtain MHS data that are
owned and/or managed by HA and TMA must submit a request to the TMA Privacy Office
A person or entity seeking data from the Army, Navy, or Air Force data must direct their request to the respective service as follows:
− Army DUA Submissions: [email protected]
− Navy DUA Submissions: [email protected]
− Air Force Submissions: [email protected]
TRICARE Management ActivityHEALTH AFFAIRS
66
Data Sharing Agreements
Current Types of DUAs Two types of frequently used DUAs
− Protected Health Information (PHI) and Beneficiary Encrypted Files
− De-Identified Files
TRICARE Management ActivityHEALTH AFFAIRS
77
Data Sharing Agreements
Overview of Current Process The term DUA is currently used in a broad sense and includes
different types of agreements for the sharing of MHS data
The purpose of DUAs under the current structure is to:
− Serve as an agreement between a recipient of MHS data and the TMA Privacy Office
− Document compliance with DoD regulations and applicable privacy laws
− Identify the minimally necessary data required to meet a specific data request
− Outline the permitted uses and disclosures
TRICARE Management ActivityHEALTH AFFAIRS
88
Data Sharing Agreements
Restructuring Initiative
TRICARE Management ActivityHEALTH AFFAIRS
99
Data Sharing Agreements
Purpose of the Restructuring Initiative To more closely align the data sharing process with DoD
Health Information Privacy Regulation (DoD 6025.18-R)
To streamline the process and provide more targeted data sharing agreements, and
To enhance regulatory compliance and accountability
TRICARE Management ActivityHEALTH AFFAIRS
1010
Data Sharing Agreements
Focusing on the Different Needs Who is the recipient?
− DoD, Government (non-DoD), Non-government
Why is the request being made?
− Quality Assurance
− Research
− Maintenance of an MHS system
− Other – to be reviewed by the TMA Privacy Office
TRICARE Management ActivityHEALTH AFFAIRS
11
What data is used/disclosed?
− De-identified data
− Sensitive information
− Limited data set
− Personally Identifiable Information (PII) and/or Protected Health Information (PHI)
Data Sharing Agreements
Focusing on the Different Needs (continued)
TRICARE Management ActivityHEALTH AFFAIRS
1212
Data Sharing Agreements
Laying a Strong Foundation The TMA Privacy Office is analyzing all different types of data
sharing requests in order to ultimately improve clarity, regulatory compliance, and ease-of-use; this has included:
− Taking a close look at research-related requests and collaborating with others
− Streamlining collaboration with DHSS to help expedite access
− Reviewing different needs and requirements for de-identified data, limited data sets, quality assurance purposes, health care operations, managed care support contracts, public health, etc.
− Clearly identifying contract verification needs for business associates
− Updating the current System Assurance Questionnaire
TRICARE Management ActivityHEALTH AFFAIRS
1313
Data Sharing Agreements
Next Steps Reformat the current DUA (interim step)
Finalize the System Security Verification, which will replace the current System Assurance Questionnaire
Continue collaboration and effort to finalize an improved process for research-related requests
Complete a data sharing questionnaire which will lead to different agreements and verifications, as required, to meet all needs within the three Ws (slide 10)
Explore the use of Health Program Analysis & Evaluation Division (HPA&E) web portal for launching the new restructure
TRICARE Management ActivityHEALTH AFFAIRS
1414
Data Sharing Agreements
Summary You should now be able to:
− Explain the role of the TMA Privacy Office in authorizing access to MHS corporate data
− Understand the current DUA process
− Recognize the status of the data sharing restructuring initiative
TRICARE Management ActivityHEALTH AFFAIRS
1515
Data Sharing Agreements
Resources DoD 6025.18-R, “DoD Health Information Privacy Regulation”,
January 2003
DoD 5400.11-R, “DoD Privacy Program”, May 14, 2007
DoD 8580.02-R, “DoD Health Information Security Regulation”, July 12, 2007