DHA Home About DHA Human Resources Contact Us FOIA Site Map
 
Skip Navigation LinksDHA Home > Clinical Operations and Patient Care > TMA Privacy Office > Prerequisites to TMA Privacy Board Review
Infinite Menus, Copyright 2006, OpenCube Inc. All Rights Reserved.

Prerequisites to TRICARE Management Activity (TMA) Privacy Board Review

Before the TMA Privacy Board reviews a research project for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Department of Defense (DoD) Health Information Privacy Regulation (DoD 6025.18-R), the requirements set forth below and illustrated in the flowchart entitled Prerequisites to TMA Privacy Board Review must be initiated.

Institutional Review Board (IRB) and TMA Human Research Protection Program (HRPP) Review

All research projects must be reviewed in accordance with the Federal Policy for the Protection of Human Subjects, also known as the “Common Rule.” If the project does not meet the criteria of human subject research as determined by either an IRB or the TMA HRPP Office in accordance with the Common Rule, the TMA Privacy and Civil Liberties Office (TMA Privacy Office) will process the Data Sharing Agreement Application (DSAA) requesting Military Health System (MHS) data managed by TMA for the purpose of the research project. Information regarding DSAAs is available at http://www.tricare.mil/tma/privacy/DSAAReviews.aspx.

If the project does meet the criteria of human subject research, then the next steps depend on whether the research is conducted within DoD or outside of DoD.

  1. If the research is conducted outside of DoD, then an IRB must exempt or approve the project protocol in accordance with the Common Rule. Exemption means that the project will not be required to undergo IRB review; however, the investigators are still required to adhere to the regulatory provisions of the Common Rule. Approval means that the research project may be conducted within the constraints set forth by the IRB and federal requirements. Once the IRB makes a determination, the TMA HRPP Office reserves the right to review and approve for compliance with human subject research requirements, including the Common Rule and any applicable DoD requirements, such as training. The TMA Privacy Office cannot complete processing of the researcher’s DSAA until approval is received from the TMA HRPP Office.


  2. If the research is conducted within the DoD, then the research protocol must be submitted to the TMA HRPP Office or an IRB within DoD, also known as “Local IRB.” The TMA HRPP Office or Local IRB will determine whether the research meets any of the six exemption criteria identified in the Common Rule, implemented by DoD through 32 CFR 219.101(b). When exemption criteria are met, the TMA HRPP Office or Local IRB will provide written documentation of the exemption. Even if the protocol is determined exempt, the researcher must still adhere to requirements under the approved protocol. The TMA Privacy Office cannot complete processing of the researcher’s DSAA until this determination is received.

    When the research project does not meet the exemption criteria, then an IRB must approve the protocol in accordance with the Common Rule and DoDI 3216.02. Once the IRB makes a determination, the TMA HRPP Office reserves the right to review and approve the protocol for compliance with human subject research requirements, including the Common Rule and any applicable DoD requirements, such as training.

    The TMA HRPP Office also ensures that any research conducted under the Defense Federal Acquisition Regulation Supplement adheres to the terms therein. The TMA Privacy Office cannot complete processing of the researcher’s DSAA until the protocol is approved.

Further information regarding HRPP reviews and requirements can be found at the TMA HRPP website.

Additional Requirements for Surveys or Information Collection Requests (ICRs)

  • When a project involves the use of surveys, interviews, focus groups, or similar ICRs and the TMA HRPP Office or an IRB has determined the project to be research, the research project will need to meet other requirements. In addition to satisfying the IRB and TMA HRPP reviews as outlined above, the project will need to comply with the Defense Health Cost Analysis and Program Evaluation’s (DHCAPE’s) TRICARE Survey Program and may require licensing and/or approval from the Washington Headquarters Services and/or the Office of Management and Budget. Information regarding TRICARE Survey Program is available at http://www.tricare.mil/hpae/surveys/survey.cfm. The TMA Privacy Office cannot complete the processing of the researcher’s DSAA until the additional requirements are met.


  • When the TMA HRPP Office or IRB has determined the project involving the use of surveys or ICRs is not research, the project will still need to comply with DHCAPE’s TRICARE Survey Program. The TMA Privacy Office cannot complete processing of the researcher’s DSAA until the survey or ICR requirements referenced above are met.

Data Sharing Agreement Application (DSAA)

In order to request data for a particular project, researchers must submit a DSAA as instructed on the Data Sharing Agreement Section of the TMA Privacy Office’s Webpage. The Principal Investigator (PI) is the lead researcher for a particular project and must be identified as instructed in the DSAA. The PI is contacted regarding any questions, concerns, and/or follow-up needs. The TMA Privacy Office promptly reviews the data elements requested to determine whether or not the request appears to meet the HIPAA Privacy Rule’s minimum necessary standard. The TMA Privacy Office then considers the type of information needed by the research project as set forth below:

Information Considered in Determining Legal Compliance Requirements

  • Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information that is linked or linkable to a specified individual.


  • Protected Health Information (PHI) is a subset or smaller grouping of PII and is defined as individually identifiable health information that is transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment records held by a HIPAA covered entity in its role as an employer.


  • Limited Data Set (LDS) is a small grouping or subset of PHI that excludes specific data elements created for the purposes of research, public health, or health care operations as set forth in the HIPAA Privacy Rule at 45 CFR 164.514(e)(2) and DoD 6025.18-R at C8.3.2.


  • De-identified data is information that does not identify an individual, and there is no reasonable basis to believe that the information can be used to identify an individual. The criteria for de-identified data are set forth in the HIPAA Privacy Rule at 45 CFR 164.514(b) and DoD 6025.18-R at C8.1.3.

In considering the above data types, The TMA Privacy Office categorizes a research project’s informational needs into one of the following four types for compliance review:

  1. De-identified data;
  2. PII excluding PHI;
  3. LDS; or
  4. PHI greater than an LDS.

Projects that seek de-identified data, PII excluding PHI, or an LDS, do not require TMA Privacy Board review. A research project that seeks PHI greater than an LDS, however, is sent to the TMA Privacy Board for HIPAA Privacy Rule review and documentation. The TMA Privacy Board will reach out to the PI and Sponsor and begin the HIPAA Privacy Rule review process.

“On October 1, 2013, the Department of Defense established the Defense Health Agency (DHA) to manage the activities of the Military Health System. These activities include those previously managed by TRICARE Management Activity (TMA), which was disestablished on the same date. During the next several months, all TMA websites will change to reflect the new DHA. We appreciate your patience during this transition."
DoD Seal
7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101
The appearance of hyperlinks to external Web sites does not constitute endorsement by the TRICARE Management Activity of these Web sites or the information, products or services contained therein. For other than authorized government activities, TRICARE Management Activity does not exercise any editorial control over the information you may find at other locations. Such links are provided consistent with the stated purpose of this DoD Web site. Accessibility/Section 508