Prerequisites to TRICARE Management Activity (TMA) Privacy Board Review
Before the TMA Privacy Board reviews a research project for compliance with the Health Insurance
Portability and Accountability Act (HIPAA) Privacy Rule and Department of Defense (DoD) Health Information Privacy Regulation (DoD
6025.18-R), the requirements set forth below and illustrated in the flowchart entitled
Prerequisites to TMA Privacy Board Review must be initiated.
Institutional Review Board (IRB) and TMA Human Research Protection Program (HRPP)
All research projects must be reviewed in accordance with the Federal Policy for the Protection of Human
Subjects, also known as the “Common Rule.” If the project does not meet the criteria of human subject research as determined by either
an IRB or the TMA HRPP Office in accordance with the Common Rule, the TMA Privacy and Civil Liberties Office
(TMA Privacy Office) will process the Data Sharing Agreement Application (DSAA) requesting Military Health System (MHS) data
managed by TMA for the purpose of the research project. Information regarding DSAAs is available at
If the project does meet the criteria of human subject research, then the next steps depend on
whether the research is conducted within DoD or outside of DoD.
- If the research is conducted outside of DoD, then an IRB must exempt or approve the project protocol in accordance with the Common
Rule. Exemption means that the project will not be required to undergo IRB review; however, the investigators are still required to adhere to
the regulatory provisions of the Common Rule. Approval means that the research project may be conducted within the constraints set forth
by the IRB and federal requirements. Once the IRB makes a determination, the TMA HRPP Office reserves the right to review and
approve for compliance with human subject research requirements, including the Common Rule and any applicable DoD requirements,
such as training. The TMA Privacy Office cannot complete processing of the researcher’s DSAA until approval is received from the
TMA HRPP Office.
- If the research is conducted within the DoD, then the research protocol must be submitted to the TMA HRPP Office or an IRB within
DoD, also known as “Local IRB.” The TMA HRPP Office or Local IRB will determine whether the research meets any of the six
exemption criteria identified in the Common Rule, implemented by DoD through 32 CFR 219.101(b). When exemption criteria are met, the
TMA HRPP Office or Local IRB will provide written documentation of the exemption. Even if the protocol is determined exempt, the
researcher must still adhere to requirements under the approved protocol. The TMA Privacy Office cannot complete processing of the
researcher’s DSAA until this determination is received.
When the research project does not meet the exemption criteria, then an IRB must approve the protocol in accordance with the Common
Rule and DoDI 3216.02. Once the IRB makes a determination, the TMA HRPP Office reserves the right to review and approve the protocol
for compliance with human subject research requirements, including the Common Rule and any applicable DoD requirements, such as
The TMA HRPP Office also ensures that any research conducted under the Defense Federal Acquisition Regulation Supplement
adheres to the terms therein. The TMA Privacy Office cannot complete processing of the researcher’s DSAA until the protocol is
Further information regarding HRPP reviews and requirements can be found at the
TMA HRPP website.
Additional Requirements for Surveys or Information Collection Requests (ICRs)
- When a project involves the use of surveys, interviews, focus groups, or similar ICRs and the TMA HRPP Office or an IRB has
determined the project to be research, the research project will need to meet other requirements. In addition to satisfying the IRB and
TMA HRPP reviews as outlined above, the project will need to comply with the Defense Health Cost Analysis and Program Evaluation’s
(DHCAPE’s) TRICARE Survey Program and may require licensing and/or approval from the Washington Headquarters Services and/or
the Office of Management and Budget. Information regarding the TRICARE Survey Program is available at
The TMA Privacy Office cannot complete the processing of the researcher’s DSAA until the additional requirements are met.
- When the TMA HRPP Office or IRB has determined the project involving the use of surveys or ICRs is not research, the project will
still need to comply with DHCAPE’s TRICARE Survey Program. The TMA Privacy Office cannot complete processing of the researcher’s
DSAA until the survey or ICR requirements referenced above are met.
Data Sharing Agreement Application (DSAA)
In order to request data for a particular project, researchers must submit a DSAA as instructed on the
Data Sharing Agreement Section of the
TMA Privacy Office’s Webpage. The Principal Investigator (PI) is the lead researcher for a
particular project and must be identified as instructed in the DSAA. The PI is contacted regarding any questions, concerns, and/or
follow-up needs. The TMA Privacy Office promptly reviews the data elements requested to determine whether or not the request
appears to meet the HIPAA Privacy Rule’s minimum necessary standard. The TMA Privacy Office then considers the type of
information needed by the research project as set forth below:
Information Considered in Determining Legal Compliance Requirements
- Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s
identity, such as name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other
personal information that is linked or linkable to a specified individual.
- Protected Health Information (PHI) is a subset or smaller grouping of PII and is defined as individually identifiable
health information that is transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment
records held by a HIPAA covered entity in its role as an employer.
- Limited Data Set (LDS) is a small grouping or subset of PHI that excludes specific data elements created for the
purposes of research, public health, or health care operations as set forth in the HIPAA Privacy Rule at 45 CFR 164.514(e)(2) and
DoD 6025.18-R at C8.3.2.
- De-identified data is information that does not identify an individual, and there is no reasonable basis to believe that
the information can be used to identify an individual. The criteria for de-identified data are set forth in the HIPAA Privacy Rule at 45 CFR
164.514(b) and DoD 6025.18-R at C8.1.3.
In considering the above data types, the TMA Privacy Office categorizes a research project’s informational
needs into one of the following four types for compliance review:
- De-identified data;
- PII excluding PHI;
- LDS; or
- PHI greater than an LDS.
Projects that seek de-identified data, PII excluding PHI, or an LDS do not require TMA Privacy Board review. A research project that seeks PHI greater than an LDS, however, is sent to the TMA Privacy Board for HIPAA Privacy Rule review and documentation. The TMA Privacy Board will reach out to the PI and Sponsor and begin the HIPAA Privacy Rule review process.