2.0 PRIVACY ACT AND RELATED REQUIREMENTS
2.1 The contractor shall ensure
that beneficiary Personally Identifiable Information (PII) collected
in TRICARE records is limited to that which is legally authorized
and necessary.
2.2 The contractor shall ensure
PII is maintained in a manner which assures its confidentiality.
When confidentiality is not assured, a privacy breach may have occurred,
which triggers requirements under the Privacy Act. When the PII
is in electronic form, additional requirements under the Federal
Information Security Modernization Act of 2014 (FISMA) apply. When
the PII includes Protected Health Information (PHI), requirements under
the HIPAA Privacy, Breach, and Security Rules apply.
2.3 Electronic PII and Security Compliance
The contractor shall follow
applicable FISMA and DoD cybersecurity requirements, including information
security compliance under the National Institute of Standards and
Technology (NIST) program as stated in the TRICARE Systems Manual
(TSM), Chapter 1, Section 1.1. These requirements
are concerned with not only confidentiality, but also integrity
and availability of PII.
2.4 Breach Response - General Requirements
2.4.1 The contractor shall establish
internal procedures to address the following areas of breach response: containment,
mitigation (which includes individual notification), eradication,
recovery, and follow-up.
2.4.2 The contractor shall assign
an investigator to report and respond to breaches and cybersecurity incidents.
The investigator will conduct an investigation immediately upon
discovery of a possible or confirmed breach or cybersecurity incident.
2.4.2.1 The contractor shall provide
notification if a potential or actual breach occurs with respect
to personally identifiable information or protected health information
that has been created, received, maintained or transmitted by the
contractor. A breach is defined as an actual or possible loss of
control, unauthorized disclosure of, or unauthorized access to, personal
information where persons other than authorized users gain access
or potential access to such information for other than authorized
purposes.
2.4.2.2 The contractor shall notify
the DHA Privacy Office within 24 hours, at dha.privacyofficer@mail.mil.
If such breach is a cybersecurity incident, the discovering party
shall report this to the National Cybersecurity and Communications
Integration Center (NCCIC) (formerly known as United States Computer
Emergency Readiness Team (US-CERT)) within one hour of the potential
cybersecurity incident; and will complete the breach response actions
required by DHA guidance.
2.4.3 The contractor
shall consult with the DHA Privacy Office where guidance is needed,
such as when the contractor is uncertain whether a discovered breach
is the contractor’s responsibility (e.g., if the contractor discovers
a breach not caused by the contractor), or how the contractor is
to classify an incident (breach vs. non-breach, confirmed vs. possible).
2.4.4 The contractor
shall consider relevant factors in determining whether an unauthorized
access should be treated as a suspected breach, including, but not
limited to:
• How the event was discovered.
• Whether the information stayed within
the covered entity’s control.
• Whether the information was actually
accessed or viewed.
• The ability to ensure containment
(e.g., whether the information was recovered, destroyed, or deleted).
2.4.5 For reporting
requirements, see DD Form 1423, Contract Data Requirements List
(CDRL), located in Section J of the applicable contract.
2.4.6 Incidents Involving Electronic PII/PHI
2.4.6.1 The contractor shall report
incidents (confirmed or potential) within one hour of confirmation
to the NCCIC Incident Reporting System at
https://forms.us-cert.gov/report/,
as required by the Department of Homeland Security (DHS).
2.4.6.2 The contractor shall record
the NCCIC incident reporting number, which shall be included in
the initial report to the DHA Privacy Office. Information may not
be known or complete, but available information shall be reported
within the one-hour deadline for submission to NCCIC.
2.4.6.3 The contractor shall provide
any updates to the initial NCCIC report by email to soc@us-cert.gov, with
the “Reporting Number” in the subject line.
2.4.6.4 The contractor shall provide
a copy of the initial or updated NCCIC report to the DHA Privacy
Office. Any questions about NCCIC reporting shall be directed to
the DHA Privacy Office, not the NCCIC office.
2.4.6.5 The contractor shall immediately
take steps to minimize any adverse repercussions from the occurrence
and proceed with further investigation of any relevant details such
as root causes, vulnerabilities exploited, or actions needed (e.g.,
containment, mitigation, eradication, recovery and follow-up).
2.5 The contractor
shall require subcontractors who discover a potential or confirmed
breach or cybersecurity incident to initiate the incident response
requirements herein by reporting the incident to the contractor
immediately after discovery.
2.5.1 The contractor shall report
to DHA Privacy Office within 24 hours of receiving the subcontractor’s report
of a potential or confirmed breach. If a cybersecurity incident
is involved, the contractor’s deadline for NCCIC reporting (one-hour)
runs from the time the incident is confirmed.
2.5.2 The contractor
shall require the subcontractor to meet deadlines, maintain records,
and otherwise enable the contractor to complete the breach response
requirements herein.
2.5.3 The contractor and subcontractor
may agree that the subcontractor shall report incidents directly
to NCCIC and the DHA Privacy Office, and that the subcontractor
shall be responsible for completing the response process, provided
that such agreement requires the subcontractor to inform the contractor
of the incident and the subsequent response actions.
2.5.4 The contractor
shall maintain records of all breach and cybersecurity incident
investigations, regardless of the outcome. Investigations identifying
unauthorized disclosures must be logged in accordance with HIPAA
and Privacy Act requirements.
2.5.5 The contractor,
when acting as a HIPAA-covered entity (rather than as a business
associate), is not subject to the breach response requirements of
this Manual. However, the contractor is subject to both the HIPAA Breach
Rule (applicable to the contractor in its capacity as a covered entity)
and DoD cybersecurity requirements (applicable to the contractor
in its capacity as a DoD contractor).
2.5.6 The contractor
shall send the breach report form (required within 24 hours) to: dha.privacyofficer@mail.mil.
Encryption is not required since reports and notices shall not contain
PII/PHI. If electronic mail is not available, telephone notification
is also acceptable, but all notifications and reports delivered telephonically
must be confirmed in writing as soon as technically feasible.
2.5.7 The contractor
shall prepare the breach reports required within the 24 hour deadline
by completing the Breach Reporting DD Form 2959 (Breach of PII Report),
available at the Breach Response link on the DHA Privacy Office
website,
https://www.esd.whs.mil/Directives/forms/dd2500_2999/.
2.5.8 The contractor
shall assign an internal tracking number and include that number
in Box 1.e of the DD Form 2959 for non-cyber incidents without an
NCCIC number.
2.5.9 The contractor shall coordinate
with the DHA Privacy Office for subsequent action such as beneficiary notification
and mitigation. For reporting requirements, see the DD Form 1423,
CDRL, located in Section J of the applicable contract, which provides guidance
on completing and updating the Breach Reporting DD Form 2959.
2.5.10 The contractor shall update
the DD Form 2959 as new information becomes available.
2.5.11 The contractor shall draft
a notification letter for DHA Privacy Office review and endorsement
prior to sending to the affected beneficiaries should the DHA Privacy
Office determine that beneficiary notification is required.
2.5.11.1 The contractor shall send the
draft notification letter to the DHA Privacy Office within 10 business days
from discovery of the breach and ascertainment of the affected beneficiary(ies).
The 10 business day period begins when the contractor is able to
determine the identities (including addresses) of the beneficiaries
whose records were affected; however, in no case will notification
take place later than 60 calendar days following the discovery
of a breach.
2.5.11.2 The beneficiary notification
letter shall include, but is not limited to, the following:
• Specific data elements.
• Basic facts and circumstances.
• Recommended precautions the
beneficiary can take.
• Federal Trade Commission (FTC)
identity theft hotline information.
• Any mitigation support services
offered such as credit monitoring.
2.5.11.3 The contractor shall ensure
that envelopes containing written notifications to affected beneficiaries are
clearly labeled to alert the recipient to the importance of its
contents, i.e., “Data Breach Information Enclosed,” and that the
envelope is marked with the identity of the contractor and/or subcontractor
organization that suffered the breach.
2.5.12 The contractor shall notify
the DHA Privacy Office to determine needed follow-up actions if
notification cannot be accomplished within 10 business days.
2.6 The contractor
shall, following the discovery of a breach involving 500 or more
residents of a State or jurisdiction and after approval by the DHA
Privacy Office, notify prominent media outlets serving the State
or jurisdiction.
2.7 The contractor shall, should
media notice be required, submit a proposed notice and recommended media
outlets for DHA Privacy Office review (which will include coordination
with the DHA Communications Division) and approval within five business
days, and in no case later than 60 calendar days following the discovery of
a breach.
2.8 System of Records (SOR) Maintained or Operated by Contractors
2.8.1 Contractor activity is typically
associated with the SOR described in System of Records Notice (SORN) EDTMA
04 - Medical/Dental Claim History Files (note that physical location
of records in this SOR may be decentralized). However, some contractor
records may instead be associated with the following SORs:
• EDTMA 01 - Health Benefits
Authorization Files
• EDTMA 02 - Medical/Dental Care
and Claims Inquiry Files
• EDHA 06 - Designated Provider
Managed Care System Records, formerly known as Uniformed Service Treatment
Facility (USTF) Managed Care System,
• EDHA 07 - Military Health Information
System, and
• EDHA 08 - Health Affairs Survey
and Study Database
2.8.2 The contractor
shall not disclose any record contained in an SOR to any person
or agency outside DoD without prior written consent or request of
the beneficiary to whom the record pertains except for “routine
use” disclosures and other authorized disclosures as provided in
DoD 5400.11-R, C4.1.1.3 and C4.2.
2.8.3 The Privacy
Act permits use of PII throughout the Military Health System (MHS)
for legitimate mission purposes, including when a TRICARE contractor
has a need for the records in the performance of its duties.
2.8.3.1 TRICARE contractors should
be aware that TRICARE Beneficiary Counseling and Assistance Coordinators
(BCACs), Debt Collection Assistance Officers (DCAOs), and Uniformed
Services Claims Officers (USCOs) are employees of the DoD authorized
to receive information from TRICARE records if they have a need
for the information in the performance of their duties.
2.8.3.2 A TRICARE BCAC, DCAO, USCO,
or other authorized DHA/MHS representative who is assisting a beneficiary
may receive TRICARE information pertaining to that beneficiary,
provided that the identity and authority of such representative
is verified (e.g., through the Customer Service Community Directory).
The restriction on disclosure of only that information directly
releasable to the beneficiary also applies to the BCAC, DCAO, USCO,
or other representative.
2.8.4 The contractor
shall coordinate through the DHA Privacy Office regarding any needed
updates following proper SORN publication and Government confirmation
of contractor authority to operate the applicable system(s).
2.8.5 The contractor
shall advise the DHA Privacy Office within 30 calendar days of changes
in SORs or their use that may require a change in the applicable
SORN, whether EDTMA 04 or otherwise.
2.9 Collecting Information
2.9.1 The Privacy Act requires personal
information to be collected, to the greatest extent practicable, directly
from the subject beneficiary when the information may result in
adverse determinations about the beneficiary’s rights, benefits,
or privileges under federal programs. The collection of information
from third parties shall be minimized except where there is a need
to obtain the information directly from a third party, such as a need
to verify information provided by the subject beneficiary.
2.9.2 The contractor
shall provide a Privacy Act Statement (PAS) whenever PII is solicited
and collected (by paper, electronic, or verbal means) from a beneficiary
for an SOR. The PAS informs the beneficiary of the authority for
soliciting and collecting PII, the principal purposes for which
that PII will be used, where that PII may be disclosed outside of
DoD, whether furnishing that information is voluntary or mandatory,
and the effects on the beneficiary of choosing not to provide all
or part of that requested PII. The PAS must be conspicuously posted before
the point of collection. On paper forms this usually means placing
the PAS at the beginning of the form, immediately following the
title, before the first official heading or selection, or immediately
prior to the first collection field. On electronic forms, this means
placing the PAS so that the beneficiary sees it before providing information.
A PAS may not be displayed via a hyperlink or pop-up that the beneficiary
could bypass. When information is collected by telephone, a brief
oral explanation of the Privacy Act shall be given to the beneficiary.
2.9.3 The contractor
shall use the following language for an oral PAS, showing the mandatory
portion of the PAS:
• This information is being collected
to: Process your request to change your provider.
• Providing this information
is: Voluntary. However, failure to provide all requested information
may result in a delay or denial of your request to change your provider.
• This information may be disclosed
for routine uses consistent with why it was collected.
• This information is being collected
under the authority of: 10 USC Chapter 55; 32 CFR 199; and
E.O. 9397 (SSN), as amended.
• To hear this again please
tell me / press 1 [If answer is “yes,” repeat script.].
• If you do not want it
repeated, please tell me / press 2 [If answer is “yes,” continue
with script.].
• If you would like to
hear a full list of routine uses which may be made of your information,
and the complete legal authorities for collecting this information,
please tell me / press 9 now.
Note: The last few lines may change
depending on whether the PAS is being provided by a human or automated
system and on how that system would operate. The point is to actively
ask whether the beneficiary (1) would like the PAS to be repeated,
and (2) would like to hear the routine uses and authority titles.
2.9.4 The contractor
shall still process claims for payment that do not indicate that the claimant
received a PAS.
2.9.5 The contractor shall, if requiring
additional claim information from the beneficiary, include the appropriate
PAS language.
2.10 Access To Contractor Records Under The Privacy Act
2.10.1 The contractor shall develop
policies and procedures by which a beneficiary is permitted access
to records pertaining to him or her under the Privacy Act.
2.10.2 The contractor shall treat
any record request as a HIPAA request if the record contains
individually identifiable health information, that is, information which:
• Is transmitted or maintained
in any form or medium, including identifiable demographic information; and
• Relates to
the past, present, or future physical or mental health condition
of an individual, or to
the provision of, or payment for,
healthcare to an individual.
2.10.3 Upon request, a beneficiary
must be informed whether or not the Medical and Dental Claim History Files
contain a record pertaining to him or her. If the beneficiary so
desires, he or she shall be permitted to review such record. Furthermore,
a beneficiary is permitted to obtain a copy of such record in a
form which is comprehensible to him or her.
2.10.4 The contractor shall act on
a request for access no later than 30 calendar days after receipt
of the request.
2.10.5 The contractor shall not require
the beneficiary or personal representative to provide a reason or justification
before granting the beneficiary or personal representative access
to a record containing his or her PII.
2.10.5.1 However, the beneficiary or
personal representative shall be required to provide such information
as is necessary to determine where and how to look for the records.
2.10.5.2 The beneficiary or personal
representative shall also be required to provide reasonable identity verification,
in accordance with 45 CFR 164.514(h), before access is granted.
2.10.5.3 Since most records in the Medical
and Dental Claim History Files relate to medical information, a beneficiary
or personal representative may be required to submit a written request
for access to the file. This allows the contractor time to review
the medical information in accordance with the following procedures
to determine if direct access by the beneficiary or personal representative
to the medical information would have an adverse effect on the beneficiary.
2.10.6 Neither the Privacy Act nor
the HIPAA Privacy Rule distinguishes between custodial and non-custodial parents
in cases involving separation or divorce. A minor’s PII/PHI may
be released to either parent, unless the contractor is informed
of divorce or legal separation or a court order or other documentation
potentially affecting parental authority with respect to the minor’s
health care.
2.10.6.1 The contractor shall review
the documentation to verify which parent has authority with respect
to the minor’s health care and whether disclosure of the minor’s
PHI to either parent is restricted.
2.10.6.2 The contractor shall make disclosure
to minors in accordance with State law in the jurisdiction in which
the minor resides.
2.10.6.3 The contractor shall disclose
to the minor only if the minor consents to care and parental consent
is not required under state law, or the minor and parent have agreed
that the minor may have a confidential relationship with the provider
of the care about which the disclosure is requested, or if the minor
has been granted a legal emancipation.
2.10.6.4 The contractor shall provide
the appropriate disclosures to the court or appointee if the minor obtains
care at the direction of a court or guardian or other court appointee.
2.10.6.5 The contractor shall not disclose
a minor’s PII/PHI to the minor’s parent if the contractor reasonably believes,
in the exercise of professional judgment, that disclosure would
not be in the minor’s best interest (e.g., due to risk of abuse
or neglect by the parent or other risk of endangerment to the minor,
or where the minor has signed a claim related to sensitive matters
such as abortion, substance abuse or sexually transmitted disease). Questions
regarding custodial parent issues shall be addressed to DHA Privacy
Office.
2.10.6.6 The contractor shall acknowledge
a request for information within 10 business days from the date
of receipt. A beneficiary’s request for access to records pertaining
to him or her shall receive concurrent consideration under
the Privacy Act, HIPAA, and the Freedom of Information Act (FOIA),
as appropriate.
2.10.6.7 The contractor may consult
the DHA FOIA Service Center if needed at DHA.FOIA@mail.mil.
The requested FOIA information shall be furnished within 20 business
days; otherwise the requester shall be informed in writing of the reason
for the delay and when it is anticipated that the information will be furnished.
2.10.6.8 The contractor shall forward
the request to DHA, Attention: Office of General Counsel (OGC),
within 10 business days of receipt of the request if the contractor
does not agree to access as requested.
2.10.6.9 Per the Department of Justice
(DOJ), all third party requests shall be processed solely under
FOIA.
2.11 Corrections To Records
2.11.1 The contractor shall act on
the individual’s request for an amendment no later than 60 calendar
days after receipt of such request.
2.11.2 The contractor may extend the
time for such action by no more than 30 calendar days if the contractor is
unable to act on the amendment within the time required, provided
that:
• The contractor provides the
individual with a written statement of the reasons for the delay
and the date by which it will complete its action on the request;
and
• The contractor may only have
one such extension of time for action on a request for an amendment.
2.11.3 The contractor shall amend
the record if it agrees to any portion of the beneficiary’s
request.
2.11.3.1 The contractor shall make reasonable
efforts to inform previous recipients of the uncorrected record, as identified
by the beneficiary or by the accounting of disclosures required
below.
2.11.3.2 The contractor shall inform
previous recipients of any amended text.
2.11.3.3 The contractor shall provide
the individual with a written denial if the requested amendment
is denied in whole or in part.
2.11.3.4 The contractor’s denial letter
must use plain writing and contain:
• The basis for the denial;
• The individual’s right to submit
a written statement disagreeing with the denial and how the individual
may file such a statement;
• A statement that, if the individual
does not submit a statement of disagreement, the individual may
request that the contractor provide the individual’s request for
amendment and the denial with any future disclosures of the protected
health information that is the subject of the amendment; and
• A description of how the individual
may submit a complaint to the contractor. The description must include
the name, or title, and telephone number of the contact person or
office.
2.11.3.4.1 Statement of Disagreement
The contractor shall permit
the individual to submit to the covered entity a written statement
disagreeing with the denial of all or part of a requested amendment
and the basis of such disagreement. The covered entity may reasonably
limit the length of a statement of disagreement.
2.11.3.4.2 Rebuttal
Statement
The covered
entity may prepare a written rebuttal to the individual’s statement
of disagreement. Whenever such a rebuttal is prepared, the covered
entity must provide a copy to the individual who submitted the statement
of disagreement.
2.12 Accounting For Disclosures
2.12.1 The Privacy Act requires an
accurate accounting for disclosures of PII to third parties outside
the DoD that are not disclosures under the FOIA or disclosures to
DoD personnel for use in official duties. Such accounting requires
tracking:
2.12.1.1 The name and address of the
person and, if appropriate, the agency to whom the disclosure is
made.
2.12.1.2 The date, nature, and purpose
of each disclosure.
2.12.1.3 For disclosures requiring consent,
the consent of the beneficiary to whom the record pertains.
2.12.2 The contractor shall keep a
record of each disclosure or be able to reconstruct from its system
the required accounting information when needed.
2.12.3 Accounting records must be
retained for at least six years after the last disclosure, to assure
compliance with HIPAA as well as the Privacy Act. If the PII to
which the accounting request applies includes PHI, then the contractor
shall apply the disclosure accounting requirements of the HIPAA
Privacy Rule and DoDM 6025.18, in such a manner that both the Privacy
Act and the HIPAA Privacy Rule are satisfied.
2.13 Safeguards
2.13.1 The contractor shall implement
administrative and physical safeguards to protect Medical and Dental Claim
History Files from unauthorized or unintentional access, disclosure,
modification, or destruction.
2.13.2 The contractor shall educate
all persons whose official duties require access to or processing
and maintenance of personal information on the proper safeguarding
and use of such information.
2.13.3 The contractor shall advise
all employees of their responsibilities under the Privacy Act.
2.14 General Correspondence
2.14.1 The contractor shall send general
correspondence replies to the beneficiary regardless of who made the
inquiry.
2.14.2 The contractor shall not return
the inquiry to the spouse or family member unanswered if a spouse
or other family member makes an inquiry concerning a beneficiary.
2.14.3 The contractor shall send the
response to the beneficiary with an explanation that under the Privacy Act
the reply could not be made to the spouse or family member who made
the inquiry.
2.14.4 The contractor shall reply
to the beneficiary (including an eligible family member, regardless
of age), not to the beneficiary’s spouse (Service member) or parent.
The only exceptions are when:
2.14.4.1 A parent writes on behalf of
a minor child (under 18 years of age) unless State law allows a
minor to seek medical care without parental consent; or
2.14.4.2 When a guardian writes on behalf
of a physically or mentally incompetent beneficiary.
2.14.5 The contractor shall follow
the procedures outlined under Access to Contractor Records
(paragraph 2.10.6.3) in responding to a parent
of a minor or guardian of an incompetent for disclosure of sensitive
information (e.g., abortion, alcohol and substance abuse, venereal
disease) or information which, if released, would have an adverse
effect on the beneficiary.
2.14.6 The contractor shall not send
copies of the response to any family member, spouse or other person who
may have made the inquiry.
2.15 Release of Information to Members of Congress
2.15.1 The contractor shall not release
any PHI to Congressional offices without a valid and signed HIPAA authorization
(DD Form 2870) from the individual.
2.15.2 The contractor shall not release
any PHI to a Congressional office at the request of a third party
unless the subject of the PHI authorizes the disclosure using a
valid HIPAA authorization form or the third party has legal authority
to act for the individual such as a parent of a minor.
2.15.3 The contractor shall not release
to a Congressional office beneficiary records that would not be releasable
directly to the beneficiary (e.g., psychotherapy notes).
2.15.4 Replies to members of Congress
must be made expeditiously and must be documented. For responses that
include PHI, the contractor shall keep PHI to the minimum amount
necessary to fulfill the request. The contractor shall verify the
completed DD Form 2870 and any limits placed by the individual on
the release of PHI. The contractor may opt to disclose the requested
PHI directly to the individual and subsequently notify the Congressional
office without providing the PHI to the Congressional Member that
the contractor has replied directly to the individual.
7.0 FEDERAL NON-DISCRIMINATION LAWS
7.1 Title VI of the Civil Rights
Act of 1964 provides that no person shall, on the grounds of race,
color or national origin, be excluded from participation under any
program or activity receiving federal financial assistance.
7.2 In addition,
Section 1557 of the Patient Protection and Affordable Care Act (PPACA)
(hereafter referred to as the Affordable Care Act or ACA) prohibits
discrimination on the ground of race, color, national origin, sex,
age, or disability under any health program or activity administered
by an Executive agency.
7.3 These federal laws apply to
TRICARE and DHA, including the managed care support and ancillary
services provided under TRICARE and DHA contracts.
7.4 Hospitals,
skilled nursing facilities, residential treatment centers and special
treatment facilities determined to be authorized providers under
TRICARE are subject to the provisions of Title VI and Section 1557.
7.5 The contractor
shall send any discrimination complaints involving Title VI or ACA
Section 1557 to DHA, Attention: OGC, 16401 East Centretech Parkway,
Aurora, Colorado 80011-9066 within two business days of receipt.
7.6 The contractor
shall comply with Section 504 of the Rehabilitation Act of 1973
as amended, regarding qualified handicapped individuals.
7.7 The contractor
shall forward any discrimination complaints involving Section 504
to DHA OGC within two business days of receipt.
8.0 WORKFORCE TRAINING
8.1 The contractor shall educate
and train its staff on the following programs: Privacy Act (including
DoD breach response); HIPAA Privacy, Security, Breach, and Enforcement
Rules; and FOIA.
8.2 The contractor shall ensure
that it includes a training requirement on the Privacy Act (including
DoD breach response); HIPAA Privacy, Security, Breach, and Enforcement
Rules; and FOIA in each of its subcontracts. The training shall
include the requirements below if the subcontractor has access to
or maintains PII/PHI.
8.3 The contractor’s training and
communication(s) related to privacy, security, breach and FOIA shall
be specific and commensurate with a workforce member’s responsibilities.
Training is required for system testing as well as ordinary system
access if testing would involve PII/PHI access.
8.4 The contractor
shall develop HIPAA Privacy, Security, Breach, and Enforcement Rules
and FOIA training modules.
8.5 The contractor shall educate
and train newly hired staff within 30 business days of onboarding
and before having access to PHI.
8.6 The contractor’s
training modules shall include, but are not limited to, the following:
8.6.1 Role-Based Training
Role-based training supplements general orientation where a job
category requires access to PII/PHI.
8.6.2 Management Training
Management training provides
managers and decision-makers information that shall be taken into
account when making management decisions affecting compliance with
Privacy Act and HIPAA requirements. Personnel responsible for these
management decisions should receive management training on privacy
compliance when they first enter management positions.
8.6.3 Records Managers
8.6.3.1 The Government will include
training on PII/PHI breach response requirements in the DHA Annual Records
Management (RM) Training for contractor RM personnel.
8.6.3.2 The Government will provide
the contractor with electronic and hard copies of the RM breach training
slide deck for use in developing the contractor’s own training modules
for non-RM personnel.
8.6.3.3 The contractor shall provide
records managers Privacy Act and FOIA training in conjunction with
their RM training.
8.6.4 Refresher Training and Retraining
8.6.4.1 Refresher training demonstrates
the importance of privacy requirements, and ensures that the workforce
continues to understand current requirements.
8.6.4.2 The contractor shall provide
retraining to inform workforce members whose functions are affected
by changes in applicable rules, policies and procedures. Refresher
training and retraining, when needed, must be completed within 30 business
days.
8.7 Documentation
8.7.1 The contractor
shall document and maintain records of completed training of each
staff member, including subcontractor staff.
8.7.2 The contractor’s
documented training shall include a signature or electronic signature
or other satisfactory evidence for each trainee, verifying completion
and date of the training and understanding of its pertinence to
his or her position.
8.7.3 The contractor shall provide
records of training completion to the DHA Privacy Office if requested.
8.7.4 These
records are subject to review by Government officials during audits,
reviews and inspections.