Personally Identifiable Information (PII), Protected Health by pptfiles


									 DUA #[DUA Number]                                                       Date Effective

 Contract Number [DoD Contract Number]                                   Expiration Date

                   TRICARE Management Activity (TMA)
                          Data Use Agreement (DUA)
                                for the use of
Personally Identifiable Information (PII), Protected Health Information (PHI)
                        and/or Limited Data Set (LDS)
PURPOSE: In order to secure data that resides in a DoD Privacy Act System of Records, and in
order to ensure the confidentiality, integrity and availability of information maintained by the
DoD, and to ensure appropriate use or disclosure of such data, the DoD and [Requesting
Organization / Contracting Company Name] enter into this agreement to comply with the
following stipulations outlined in this agreement.

APPENDICES: 1. References

Type of DUA Request:              New DUA                DUA Renewal

1. Data Requested. The following DoD data file(s) is/are covered under this Agreement.
Specific file names and data elements must be identified (If these are unknown, you may
contact your DoD sponsor for additional information). Only those approved data system, files,
years and data elements will be authorized for access. This DUA does not authorize any
access or extraction to any other information. As required in Reference (Ref.) 12, C.8.2, the
minimum data necessary will be provided to perform tasks as outlined in the described project.

       1a. This data request is for (select one):          PII     PHI       LDS

NOTE: If the data request is for PHI, then the primary contract or cooperative agreement
must contain Business Associates Agreement (BAA) language.

       1b. Data requested is for (Select one):
     Army data Only       Air Force data Only          Navy data Only       Tri-Service Data (Army, Air Force or Navy)

        1c. Specifics of data requested.
  Data system            File                              Year(s)        Specific Data Elements
  (e.g., M2, MDR)        (e.g., DEERS, PITE, etc.)                        (i.e., name, SSN,

                                                    1                          Revised 22 July 2010
            These files will be       Select     Frequency of data            Select
            Received                  One        request                      One
            Directly accessed via                Bi-Weekly
            Received as an                       Weekly
            On Disk                              Monthly
            On Tape                              Once a year
            By Courier (Courier                  One time only
            Template must be
            Other Explain below                  Other explain below

      1e. Explain how files will be received.

       1f. Explain the frequency of data request.

       1g. Are you teleworking (i.e. personal computer at home)?        Yes      No

      1h. If yes, please explain:

2. Method of Transportation

NOTE: Requestors shall encrypt all PHI, personally identifiable information (PII), and
Limited Data Set information in transit in accordance with Ref. 6. Requestor shall not
store PHI, PII, and limited data set information on mobile computing devices.

If a System Security Verification (SSV) will be completed, please proceed to Question 3.

       2a. Does this request require PII or PHI to be transported or stored offsite?
          Yes      No

       2b. If yes, what are your policies and procedures that address the requirements of Ref. 4?

       2c. Will files be transmitted over e-mail or stored on a mobile computing device or
       removable storage media? (Mobile computing device means laptop computer, personal
       digital assistant (PDA) or any similar device. Removable storage media means compact
       disc (CD), backup tape, or any other DoD-approved removable media.)
           Yes       No

       If files are transmitted over e-mail or stored on a mobile computing device or removable
       storage media, files must be encrypted.

       2d. Describe the process and procedure for encrypting files to be stored on a mobile
       computing device or removable storage media.

       2e. Will sensitive or identifiable data in any form be accessed remotely?         Yes      No

       2f. If yes, describe what safeguards are in place to protect data being accessed remotely.

       Refer to Ref. 4. All questions must be answered if data is accessed remotely or
       transported offsite.

NOTE: The TMA Privacy Office is not responsible for providing extractions. It is the
responsibility of the Requestor/Custodian and the DoD Sponsor listed on this DUA.

3. Project Information: Study/Project/Plan Name:

4. Explain the purpose, expected outcome and objectives of the study/project/plan for which the
data will be used:

5. Provide the Justification for Need to Know. Why is this study/project/plan required? Provide
documentation, when applicable, to indicate the organization requiring this study/project/plan
(e.g., Congressional mandate). Why is PHI required?

       5a. How will this study/project/plan benefit the DoD and its beneficiaries?

6. Describe how the data will be used. Discuss the methodology for analysis. What type of PHI
data will be utilized?

7. Does this project involve Research?     Yes       No. Ref. 2 and Ref. 10 apply.

       7a. If yes, has this project been reviewed by your Institutional Review Board or Privacy
       Board?       Yes       No

       7b. Has the IRB protocol been        Approved or     Exempted. A copy of the approval
       letter and approved protocol or the exemption determination and the protocol/information
       upon which determination was made must be attached.

       7c. Does this study/project/plan involve a survey that requires an approved Report
       Control Symbol (RCS) from OMB or DMDC? Ref. 14 and Ref. 11 apply.               Yes       No

               7c.1 If yes, provide the RCS No___________________________

               7c.2 Retention Date ________________ A copy of the approved RCS and a
               copy of the survey must be included with this DUA and submitted to the TMA
               Privacy Office.

       7d. Does this study or research project involve data that already exist in DoD MHS
       data files?   Yes       No

8. Custodians/Requestor. The Custodian of files is defined as that person(s)/organization(s)
who will have actual possession of and responsibility for the data files. This shall include the
prime company/organization, and all subcontracted entities who will have access to the data.
This section shall be completed even if the Custodian and Requestor are the same. By
completing this Agreement I acknowledge that I have read and agree to comply with the laws,
instructions, regulations and guidelines in Appendix 1 and 2.

       (Name of Custodian)


       (Street Address)

       (City/State/ZIP Code)

       (Phone No. - Including Area Code and E-Mail Address)

       8a. Additional Custodians/Requestors working on the same Project.

       (Name of Custodian)


       (Street Address)

       (City/State/ZIP Code)

       (Phone No. - Including Area Code and E-Mail Address)

       8b. Additional Custodians/Requestors working on the same Project.

       (Name of Custodian)


       (Street Address)

       (City/State/ZIP Code)

       (Phone No. - Including Area Code and E-Mail Address)

NOTE: Subcontractors working under the same DUA must provide the same information as
Section 9 on the primary custodian’s company letterhead with original signatures. See page 9
for Subcontractor template.

If Courier transports data, you must notify the TMA Privacy Office, complete the DUA Courier
Template, which is available at: and
submit it with this request.

9. Point of Contact/Sponsor: To be completed and signed by the Program/Project Manager
from the Program Office sponsoring the request. By signing this agreement, the person agrees to
be responsible for the use of the data by a non-DoD agency. The parties mutually agree that the
following named individual will be designated as “point-of-contact/sponsor” for the Agreement
on behalf of the DoD.

       (Name of Contact)


       (Street Address)

       (Mail Stop)

       (City/State/ZIP Code)

       (Phone No. - Including Area Code and E-Mail Address)



       (Signature)                               (Date)

10. Authority to Operate (ATO) and System Security Verification (SSV). Will the data be
stored on a computer system that has been approved by DoD with the Authority to Operate
(ATO)?      Yes    No

One of the following must be attached.

       Authority to Operate (ATO)
       Interim Authority to Operate certificate (IATO)
       System Security Verification (SSV)

Failure to attach one of the required documents will only hold up the process and review of your
request. An ATO must be on organization letterhead. Submissions of updated IATO or SSV
may be required upon renewal of the DUA until proof of an ATO approval can be provided.

11. System of Records. This is a required Document if you are requesting PHI or PII data.
Please provide the “System of Records” identifying number and date it was published and attach
a copy to this DUA.

For more information, please see If the
requesting organization is found to be in violation of the systems of records provisions, this DUA
will be immediately rescinded.

If an actual or possible compromise of PII/PHI data contained within a system of records occurs,
the event must be treated as a breach and required mitigation activities must be initiated. Such
requirements have been established by the DoD 5400.11-R and the OSD Memorandum
“Safeguarding Against and Responding to the Breach of PII”, which is updated periodically.
Breaches must be reported to the TMA Privacy Office via email at, and additional information on reporting
timelines and notification requirements can be found on the TMA Privacy Office Web site:    Certain breaches are subject to special
notification and reporting requirements under section 13402 of the HITECH Act, which the
TMA Privacy Office will determine.

12. Retention/Renewal/Destruction. The Requestor and the DoD mutually agree that the
previously mentioned file(s) (and/or any derivative file(s) [includes any file that maintains or
information from which identity can be determined]) may be retained by the Requestor until
      , hereinafter known as the “retention date.” The retention of this DUA is for one year or
until the contract end date, whichever comes first. The DUA may be renewed yearly if
necessary. See DUA appendix for more information.

13. Attachments. The parties mutually agree that the following Attachments are part of this
Agreement (list any attachments that the requestor has included):

14. Custodians/Requestors Signatures. The following Custodian/Requestors hereby attests
that he or she is authorized to enter this Agreement and agrees to all the terms specified herein.
(To be completed and signed by requestor.) The Custodian(s), as named in Section 1, hereby
acknowledges his/her appointment(s) as Custodian of the aforesaid file(s) on behalf of the DoD
Sponsor, and agrees personally and in a representative capacity to comply with all of the
provisions of this Agreement.

       (Name and Title of Individual - Typed or Printed)


       (Street Address)

       (City/State/ZIP Code)

       (Phone No. - Including Area Code and E-Mail Address)


      (Signature)                                         (Date)

Signatures of Additional Custodian/Requestor working on same Project.


      (Name and Title of Individual - Typed or Printed)


      (Street Address)

      (City/State/ZIP Code)

      (Phone No. - Including Area Code and E-Mail Address)

      (Signature)                               (Date)


      (Name and Title of Individual - Typed or Printed)


      (Street Address)

      (City/State/ZIP Code)

      (Phone No. - Including Area Code and E-Mail Address)

      (Signature)                               (Date)

15. Non-DoD Sponsoring Agency Signature. (To be completed and signed only if the
requestor is working through a non-DoD federal agency.)

      (Name and Title of Individual - Typed or Printed)


      (Street Address)

      (City/State/ZIP Code)

      (Phone No. - Including Area Code and e-mail Address, If Applicable)

      (Signature)                               (Date)

Submit pages 1 through 8 and page 9 (if applicable) to the TMA Privacy Office. Failure to
answer any questions will delay approval of your request.

Mailing Address:
TMA Privacy Office
Skyline 6, Ste 212
5109 Leesburg Pike
Falls Church, VA 22041

                                        Appendix 1


1.    5 USC § 552a, as amended, “The Privacy Act of 1974”

2.    32 CFR Part 219, “Protection of Human Subjects”

3.    45 CFR Parts 160 and 164, “The Health Insurance Portability and Accountability Act
      (HIPAA) Privacy and Security Rules.”

4.    Office of Management and Budget (OMB) M-06-16, “Protection of Sensitive Agency
      Information,” June 23, 2006

5.    OMB Circular Number A-130, “Management of Federal Information Resources,
      Appendix III, Security of Federal Automated Information Systems,” November 28, 2002

6.    National Institute of Standards and Technology, Federal Information Processing
      Standards Publication (FIPS) Number 140-2, “Security Requirements for Cryptographic
      Modules,” May 25, 2001

7.    Assistant Secretary of Defense Memo “Disposition of Unclassified DoD Computer Hard
      Drives,” June 4, 2001

8.    Military Health System (MHS) Information Assurance (IA) Implementation Plan

9.    Health Affairs Policy 06-010, “Health Affairs (HA) HIPAA Security Compliance
      Policy,” June 27, 2006

10.   DoD Directive 3216.02, “Protection of Human Subjects and Adherence to Ethical
      Standards in DoD Supported Research,” March 25, 2002 and certified current as of April
      24, 2007.

11.   DoD Instruction 1100.13, "Surveys of DoD Personnel," November 21, 1996

12.   DoD Instruction 6025.18-R, “DoD Health Information Privacy Regulation,” January

13.   DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003

14.   DoD Instruction 8910.1-M, "DoD Procedures for Management of Information
      Requirements", June 30, 1998

15.   DoD 5400.11-R, “Department of Defense Privacy Program”, May 14, 2007
