Skip Navigation

Defense Health Agency

"On October 1, 2013, the Department of Defense established the Defense Health Agency (DHA) to manage the activities of the Military Health System. These activities include those previously managed by TRICARE Management Activity (TMA), which was disestablished on the same date. During the next several months, all TMA websites will change to reflect the new DHA. We appreciate your patience during this transition."

DHA Privacy and Civil Liberties Office Standard Contract Language

The Military Health System (MHS) must comply with federal law protecting the privacy and security of Personally Identifiable Information (PII) and Protected Health Information (PHI), as well as with other federal information laws. Therefore, standard language to require compliance must be included whenever a solicitation is issued or a contract awarded (or other agreement is entered into) if performance involves PII/PHI. The required language is provided at the “standard contract language” and “BAA language” links below. Please note that the linked documents are subject to change.

For contracts awarded by or for DHA, see the heading below, “DHA Standard Contract Language,” and PGI 224.1-90 on the DHA Procurement Directorate website.

For contracts or other agreements used by MHS components other than DHA, see the heading below “HIPAA Compliant Business Associate Agreement (BAA) for the MHS.”

DHA Standard Contract Language
This standard contract language must be included in solicitations and contracts whenever a contractor is required to collect, use, copy, access, or store PII (including but not limited to PHI). The contract language (or appropriate paragraphs, as determined by the PGI 224.1-90 Matrix) must be incorporated in its entirety from the above link into the contract requirements, if any of the following apply to performance by the contractor (including subcontractors and consultants):

  • If the contractor accesses PII/PHI in any form, include Health Insurance Portability and Accountability Act (HIPAA) contract language (including breach response provisions).
  • If records of PII/PHI collected from individuals are retrieved by personal identifiers, include Systems of Record (SOR) contract language.
  • If an information technology (IT) system or project collects, maintains, or disseminates PII about members of the public, federal personnel, contractors or certain foreign nationals, include Privacy Impact Assessment (PIA) contract language.
  • If the contractor requires access, use, disclosure or storage of PII/PHI to perform its contract, include Data Sharing Agreement (DSA) contract language.
  • If the contractor is required to collect, use, copy, access, or store PII/PHI, include the contract language on training.

Further, the standard contract language on the Freedom of Information Act (FOIA) and records management from the above link is mandatory whether or not the contractor accesses PII/PHI.

To determine which solicitations or contracts require which portions of the approved contract language, contact the responsible Contract Operations Division (COD-Aurora, COD-Falls Church, or COD-Integrated Program Office) for more information, while developing the requirements for the PWS/RFP. If necessary, the responsible COD office will consult with the DHA Privacy Office to make these determinations.

For questions, e-mail ContractPolicyDivision@dha.mil.

HIPAA-Compliant Business Associate Agreement (BAA) for the MHS
This BAA language complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach and Enforcement Rules (HIPAA Rules). The BAA language has been updated to reflect the 2013 “HITECH Act” modifications to the HIPAA Rules issued by the Department of Health and Human Services (HHS). Provisions on breach response are included. The BAA language is required after 23 September 2013 when any solicitation or contract modification (or other agreement) includes functions, activities, or services involving the use and/or disclosure of PHI. Note that the BAA language only covers HIPAA requirements. For language on other federal privacy and information laws, please consult the applicable contracting officials.

For questions, e-mail PrivacyMail@tma.osd.mil.

Contractor Access to Health Affairs (HA)/DHA Network/DoD Systems
Please find all pertinent information at:
Administration and Management Directorate (A&MD)
Mission Assurance Division
Personnel Security Branch
7700 Arlington Blvd
Falls Church, VA 22042
Phone: (703) 681-6777
Secure Fax: (703) 681-0810
E-mail Address: DHAPSB@dha.mil