DHA Home About DHA Human Resources Conferences TRICARE Contacts Feedback Site Map
 
Skip Navigation LinksDHA Home > Clinical Operations and Patient Care > TMA Privacy Office > TMA Privacy Board Review Process
Infinite Menus, Copyright 2006, OpenCube Inc. All Rights Reserved.

The TRICARE Management Activity (TMA) Privacy Board Review Process

The TMA Privacy Board reviews research related data requests for protected health information (PHI) about individual research participants for Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule compliance. This process is described below and illustrated in the flowchart entitled TMA Privacy Board Review Process for Research Related Data Requests. The Standard Operating Procedures (SOP) provide further detail regarding the internal operations of the TMA Privacy Board.

Required Representations for Research on Decedent’s Information

If researchers seek the use or disclosure of PHI solely for research on decedents, the TMA Privacy Board will provide the Principal Investigator (PI) with the Required Representations for Research on Decedent’s Information template. The PI must initial and sign this template to document compliance with the following representations required by the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(iii) and DoD 6025.18-R at C7.9.1.3:

  • Use or disclosure is sought solely for research on the PHI of decedents;
  • Documentation of the death of each of the individuals whose information will be used for this project can and will be provided to TMA immediately upon request; and
  • The PHI for which use or disclosure is sought is necessary for the research purposes.

Required Representations for Review Preparatory to Research

If researchers seek the use or disclosure of PHI from TMA solely for review as necessary to prepare a research protocol or for similar purposes preparatory to research and agree not to remove the PHI from TMA in the course of the review, the TMA Privacy Board will provide the PI with the Required Representations for Review Preparatory to Research template. The PI must initial and sign this template to document compliance with the following representations required by the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) and DoD 6025.18-R at C7.9.1.2:

  • Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
  • No PHI is to be removed from TMA by the researcher in the course of the review; and
  • The PHI for which use or access is sought is necessary for the research purposes.

Projects That Must Obtain HIPAA Authorizations

Where the PI is able to obtain a written and signed HIPAA Authorization, also known as “Authorization,” from every participant in a research project, the TMA Privacy Board requires the PI to submit a Research Authorization Review template along with a copy of the Authorization(s) that will be provided to each participant for signature. The TMA Privacy Board reviews the Authorization(s) to ensure all of the required elements and core statements outlined in the HIPAA Privacy Rule at 45 CFR 164.508(c) and DoD 6025.18-R at C5.3 are included. In order to be valid, the Authorization(s) must include the following:

  • Core Elements
    • A description of the PHI to be used or disclosed that identifies the information in a specific and meaningful manner
    • A statement indicating that the individual authorizes TMA, or a specific office within TMA, to make the requested use or disclosure
    • The name(s) or other specific identification of the person(s), or class of persons, to whom TMA may make the requested use or disclosure
    • A description of each purpose of the requested use or disclosure - Researchers should note that this element must be study specific, and not for future unspecified research
    • An expiration date or event that relates to the individual or to the purpose of the use or disclosure - The statement "end of the research study," "none,” or similar language is sufficient if the Authorization is for a use or disclosure of PHI for research, including for the creation and maintenance of a research database or research repository
    • Signature of the individual and date - If the Authorization is signed by an individual's personal representative, a description of the representative's authority to act for the individual must also be provided
  • Required Statements
    • A statement that the individual has the right to revoke his/her Authorization in writing, and either:
      (1) The exceptions to the right to revoke and a description of how the individual may revoke the Authorization, or
      (2) Reference to the corresponding section(s) of the Military Health System’s Notice of Privacy Practices (applicable to TMA)
    • A statement that provides notice of TMA’s or DoD's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, any consequences of refusing to sign the Authorization
    • A statement that there is the potential for the PHI disclosed pursuant to the Authorization to be subject to re-disclosure by the recipient and no longer protected under the HIPAA Privacy Rule - This statement does not require an analysis of risk for re-disclosure; rather, it may be a general statement that the HIPAA Privacy Rule may no longer protect health information

If the TMA Privacy Board approves the Authorization(s) and Research Authorization Review template, the PI will be required to initial and sign the Principal Investigator Certification template, assuring that the signed Authorization of each research participant whose PHI is used or disclosed in the project will be maintained electronically and/or in hard copy for a period of six years from the date the Authorization expires and that any and all of the signed Authorizations will be provided to TMA immediately upon request.

Projects That Require a Waiver of Authorization or an Altered Authorization

Where it is impossible or impracticable to obtain a written Authorization from each and every research participant, the PI must seek to obtain a waiver or alteration of the Authorization requirement from an IRB or the TMA Privacy Board.

If the PI is able to obtain HIPAA Privacy Rule review and appropriate documentation from an IRB or HIPAA Privacy Board, the PI must provide the TMA Privacy Board with a copy of the IRB or HIPAA Privacy Board approved HIPAA waiver of Authorization or an altered Authorization. The TMA Privacy Board will rely on approved waivers/alterations from an IRB or HIPAA Privacy Board, provided that the approval documentation contains all required elements, as set forth in the HIPAA Privacy Rule at 45 CFR at 164.512(i)(2) and DoD 6025.18-R at C.7.9.2. The TMA Privacy Board staff will work with the PI when the approved waiver/alteration is deficient and will give the IRB or HIPAA Privacy Board an opportunity to update its documentation to include all required elements.

The following elements are required to be in documentation from an IRB or HIPAA Privacy Board that approves waiver/alteration:

  • Identity of the IRB or HIPAA Privacy Board and date on which the alteration or waiver of Authorization was approved
  • A determination that the use/disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on at least the presence of:
    • An adequate plan to protect the identifiers from improper use and disclosure
    • An adequate plan to destroy the identifiers at the earliest opportunity consistent with the content of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
    • Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for oversight of the study, or for other permitted research authorized by the regulation
  • A statement that the research could not be practicably conducted without the waiver or alteration
  • A statement that the research could not be practicably conducted without access to and use of the PHI
  • A brief description of the PHI determined to be necessary by the IRB or HIPAA Privacy Board
  • A statement indicating whether review and approval was under expedited or normal review procedures
  • A signature by the chair or designated member of the IRB or HIPAA Privacy Board

If the PI is not able to obtain HIPAA Privacy Rule review and appropriate documentation from an IRB or HIPAA Privacy Board, the PI will be asked to complete the TMA Privacy Board’s Application for a Waiver of Authorization or an Altered Authorization. Once the application is complete, it will be assigned to a TMA Privacy Board member to determine which, if any, of the following are acceptable under the HIPAA Privacy Rule and DoD 6025.18-R: (1) Full Waiver; (2) Partial Waiver; or (3) Altered Authorization.

Full Waiver

A full waiver enables a research project to obtain PHI about research participants without getting signed Authorizations from the participants at any point during the project. The TMA Privacy Board will only provide a full waiver when the waiver criteria set forth in the HIPAA Privacy Rule at 45 CFR at 164.512(i)(2) and DoD 6025.18-R at C.7.9.2, as outlined above, are met. The answers to the questions in the Application for a Waiver of Authorization or an Altered Authorization provided by the PI form the basis for review and determination in this regard. For example, if a project needs the use of PHI pertaining to numerous individuals for whom contact information is unknown, and it would be impracticable to conduct the research if obtaining Authorizations were required, then the TMA Privacy Board may consider waiving the Authorization requirement, so long as all of the waiver criteria have been satisfied.

Partial Waiver

A partial waiver enables a project to obtain PHI about research participants from HIPAA covered entities without getting signed Authorizations from the participants for part of the project; that is, the partial waiver applies for a time period that is shorter than the time required for the entire research project. This time period generally expires when either access to PHI is no longer needed for completing the research project or it becomes feasible during the course of the research project to obtain an Authorization from every individual research participant. The TMA Privacy Board will consider a partial waiver of the Authorizations when a project needs to obtain PHI to recruit or screen potential research participants, provided that certain criteria set forth in the HIPAA Privacy Rule at 45 CFR at 164.512(i)(2) and DoD 6025.18-R at C.7.9.2, as outlined above, are met.

Where PHI is required for an entire project, the TMA Privacy Board will work with the PI to determine whether it is possible to obtain written Authorizations from every individual research participant after the recruitment/screening phase of the project. If it is not possible to obtain Authorizations, the TMA Privacy Board will consider whether the waiver application justifies the need for a full waiver pursuant to the HIPAA Privacy Rule and DoD 6015.18-R standards. On the other hand, if it is feasible to obtain an Authorization from each participant after the recruitment/screening phase of the project, the TMA Privacy Board will require the PI to submit a Research Authorization Review template and a sample Authorization that the PI plans to use for the research project. The PI must obtain Authorizations from all research participants before using or disclosing any PHI with regard to a research participant after the recruitment/screening phase of the project. The TMA Privacy Board will review the Authorization that will be used in the project, as explained above, to ensure all core elements and required statements are included.

Altered Authorization

PIs can seek an Altered Authorization under the HIPAA Privacy Rule and DoD 6025.18-R, when the research project requires a need to modify or remove some, but not all, required elements from an Authorization. For example, an alteration of the Authorization might be requested to remove the element that describes each purpose of the requested use or disclosure where the identification of the specific research project would affect the results of the project. The TMA Privacy Board will determine whether all of the regulatory criteria are met prior to providing documented approval of an alteration. An approved alteration only applies to the particular research project for which it is requested. Any subsequent use or disclosure of PHI for a different research project would need an Authorization with all required elements or a separate request for a waiver or alteration from an IRB or HIPAA Privacy Board.

Completion of TMA Privacy Board Review

When reviewing the above-referenced templates, the TMA Privacy Board will contact the PI as necessary in order to complete its review. Once the TMA Privacy Board completes the HIPAA Privacy Rule review, the TMA Privacy Office continues processing the Data Sharing Agreement Application (DSAA) for other compliance requirements.



“On October 1, 2013, the Department of Defense established the Defense Health Agency (DHA) to manage the activities of the Military Health System. These activities include those previously managed by TRICARE Management Activity (TMA), which was disestablished on the same date. During the next several months, all TMA websites will change to reflect the new DHA. We appreciate your patience during this transition."
DoD Seal
7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101
The appearance of hyperlinks to external Web sites does not constitute endorsement by the TRICARE Management Activity of these Web sites or the information, products or services contained therein. For other than authorized government activities, TRICARE Management Activity does not exercise any editorial control over the information you may find at other locations. Such links are provided consistent with the stated purpose of this DoD Web site. Accessibility/Section 508