The Military Health System (MHS) must comply with federal law protecting the privacy and security of Personally Identifiable Information
(PII) and Protected Health Information (PHI), as well as with other federal information laws. Therefore, standard language to require
compliance must be included whenever a solicitation is issued or a contract awarded (or other agreement is entered into) if performance
involves PII/PHI. The required language is provided at the “standard contract language” and “BAA language” links below. Please note
that the linked documents are subject to change.
For contracts awarded by or for DHA, see the heading below, “DHA Standard Contract Language,” and PGI 224.1-90 on the DHA Procurement Directorate website.
For contracts or other agreements used by MHS components other than DHA, see the heading below, “HIPAA-Compliant Business Associate Agreement (BAA) for the MHS.”
DHA Standard Contract Language
This standard contract language must be included in solicitations and contracts whenever a contractor is required to collect, use, copy,
access, or store PII (including but not limited to PHI). The contract language (or appropriate paragraphs, as determined by the
PGI 224.1-90 Matrix) must be incorporated in its entirety from the above link into the contract requirements, if any of the following
apply to performance by the contractor (including subcontractors and consultants):
Further, the standard contract language on the Freedom of Information Act (FOIA) and records management from the above link is mandatory whether or not the contractor accesses PII/PHI.
To determine which solicitations or contracts require which portions of the approved contract language, contact the responsible Contract Operations Division (COD-Aurora, COD-Falls Church, or COD-Integrated Program Office) while developing the requirements for the PWS/RFP. If necessary, the responsible COD office will consult with the DHA Privacy Office to make these determinations.
For questions, e-mail ContractPolicyDivision@dha.mil.
HIPAA-Compliant Business Associate Agreement (BAA) for the MHS
This BAA language complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach and Enforcement Rules (HIPAA Rules). The BAA language has been updated to reflect the 2013 “HITECH Act” modifications to the HIPAA Rules issued by the Department of Health and Human Services (HHS). Provisions on breach response are included. The BAA language is required after 23 September 2013 when any solicitation or contract modification (or other agreement) includes functions, activities, or services involving the use and/or disclosure of PHI. Note that the BAA language only covers HIPAA requirements. For language on other federal privacy and information laws, please consult the applicable contracting officials.
For questions, e-mail PrivacyMail@tma.osd.mil.
Contractor Access to Health Affairs (HA)/DHA Network/DoD Systems
Please find all pertinent information at:
Administration and Management Directorate (A&MD)
Mission Assurance Division
Personnel Security Branch
7700 Arlington Blvd
Falls Church, VA 22042
Phone: (703) 681-6777
Secure Fax: (703) 681-0810
E-mail Address: DHAPSB@dha.mil
“On October 1, 2013, the Department of Defense established the Defense Health Agency (DHA) to manage the activities of the Military Health System. These activities include those previously managed by TRICARE Management Activity (TMA), which was disestablished on the same date. During the next several months, all TMA websites will change to reflect the new DHA. We appreciate your patience during this transition.”
7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101