The DHA requires an approved DSA when requestors ask to use DHA data. The DHA, as a covered entity, uses the DSA process to:

• Confirm that data will be used as allowed under the regulations
• Promote privacy responsibility in the MHS
• Maintain documentation in case of an investigation or audit
• Share only the minimum data necessary for the purpose

• Business Associates who need DHA data to do work on behalf of the government
• Government personnel who need DHA data for a research project or a survey
• Researchers who need DHA data for a research project or survey
• Students and professionals who need DHA data for an academic research project or for a dissertation

Requestors submit a Data Sharing Agreement Application (DSAA) endorsed by both the Applicant and Sponsor.

A DSA may be approved within 10 business days after a DSAA is approved.

The Applicant, Government Sponsor, and DHA Privacy and Civil Liberties Office (DHA Privacy Office) are listed on the DSA.

Yes, the DSA Sponsor needs to be a member of the MHS.

The DSA Renewal Request should not be submitted until the contract option year (as listed on the Renewal Request) has been granted.

Under DoD 5400.11-R, "Department of Defense Privacy Program," May 14,2007, personally identifiable information (PII) is information about an individual that identifies, links, relates, or is unique to, or describes the individual. Examples are: a social security number; age; military rank; civilian grade; marital status; race; salary; home or office phone numbers; and other demographic, biometric, personnel, medical, and financial information.

Under DoD 6025.18-R, "Department of Defense Health Information Privacy Regulation, protected health information (PHI) is a subset of PII. PHI is health information, including demographic information collected from an individual, created or received by a health care provider, health plan, employer, or health care clearinghouse, and relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

HIPAA defines de-identified data as:

• Data that does not identify an individual
• Data that has the 18 categories of direct identifiers removed
• Data that allows no reason to believe it can be used, alone or in combination with other information to identify an individual

DoD 6025.18-R defines a limited data set as PHI that excludes 16 of the 18 direct identifiers. A limited data set may still include the following (potentially identifying) information: admission dates, discharge dates, service dates, dates of birth, and, if applicable, age at time of death (including decedents age 90 or over). Also, five-digit zip code or any other geographic subdivision, such as state, county, city, precinct, and their equivalent geocodes (except street address) may also remain as part of a limited data set (LDS).