TRICARE Manuals - Display Chap 1 Sect 1.1 (Change 6, Jun 20, 2024) (2024)

TRICARE Systems Manual 7950.4-M, April 2021

General Automated Data Processing (ADP) Requirements

Chapter 1

Section 1.1

General Automated Data Processing (ADP) Requirements

Revision: C-1, April 26, 2024

1.0 General

1.1 The TRICARE Systems Manual (TSM) describes how TRICARE business functions are implemented technically via system-to-system interactions and Government provided applications. The TSM also describes the technical concept of operations, including the responsibilities associated with various Information Systems (IS) including Defense Enrollment Eligibility Reporting System (DEERS), the contractor systems, and selected Direct Care (DC) IS.

1.2 The contractor shall comply with the Department of Defense (DoD) guidance regarding directed Ports, Protocols, and Services (PPS).

1.3 The DoD will provide direction to the contractor accessing DoD systems on connectivity requirements that comply with PPS in accordance with DoD Instructions (DoDIs).

1.4 The contractor shall ensure that laptops, flash drives, and other portable electronic devices do not contain Personally Identifiable Information (PII)/Protected Health Information (PHI) unless the device is fully encrypted and accredited per National Institute of Standards and Technology (NIST) standards.

1.5 Portable electronic devices are often used to transmit reference materials and data of a general nature at meetings and conferences. The contractor shall ensure that their computer systems can accept and load all such information, regardless of the media used to transmit it. The contractor shall maintain all materials provided to contractors at meetings, workgroups, and/or training sessions sponsored by or reimbursed by the Government in accordance with the Records Management requirements in the TRICARE Operations Manual (TOM), Chapter 9.

1.6 This chapter addresses major administrative, functional, and technical requirements related to the flow of health care related Automated Data Processing/Information Technology (ADP/IT) information between the contractor and the DoD/Defense Health Agency (DHA). The contractor shall submit TRICARE Encounter Data (TED) records as well as provider information to DHA in electronic media. This information is essential to both the accounting and statistical needs of DHA in the management of the TRICARE program and in required reports to DoD, Congress, other governmental entities, and to the public. Technical requirements for the transmission of data between the contractor and DHA are presented in this section. The requirements for submission of TED records and resubmission of TED records are outlined in Chapter 2, Section 1.1, and the Government requirements related to submission and updating of provider information are outlined in Chapter 2, Section 1.2.

1.7 DoD/DHA data includes all information (e.g., test or production data) provided to the contractor for the purposes of determining eligibility, enrollment, disenrollment, capitation, fees, claims, Catastrophic Cap And Deductible (CC&D), patient health information, protected as defined by DoD 6025.18-R, or any other information for which the source is the Government. Any information received by a contractor or other functionary or system(s), whether Government owned or contractor owned, in the course of performing Government business is also DoD/DHA data. DoD/DHA data means any information, regardless of form or the media on which it may be recorded.

1.8 The ADP requirements shall incorporate standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Rules, 45 Code of Federal Regulations (CFR) Parts 160 and 164 (collectively, “HIPAA Rules”), and the DoD HIPAA Issuances identified below. Contractor compliance with the HIPAA Rules and DoD HIPAA Issuances and related privacy requirements is addressed in the TOM, Chapter 1, Section 5 and Chapter 19, Section 3 and paragraph 1.12.

1.9 Management and quality controls specific to the accuracy and timeliness of transactions associated with ADP and financial functions are addressed in the TOM, Chapter 1. In addition to these requirements, DHA also conducts reviews of ADP and financial functions for data integrity purposes and may identify issues specific to data quality (e.g., catastrophic cap issue).

1.10 The contractor shall participate in development of a resolution for the issue(s) identified as appropriate upon notification of data quality issues by DHA. If DHA determines corrective actions are required as a result of Government reviews and determinations, the Contracting Officer (CO) will notify the contractor of the actions to be taken by the contractor to resolve the data issues. The contractor shall take corrective actions to correct data integrity issues resulting from contractor actions; these corrective actions are the responsibility of the contractor.

1.11 The references below relate to the subject matter covered in this section.

1.12 The contractor, subcontractors and other individuals who have access to IS containing PII protected by the Privacy Act of 1974 and PHI under HIPAA shall meet all requirements below.

Privacy Act of 1974

DoD HIPAA Issuances:

DoD 6025.18-R, “DoD Health Information Privacy Regulation,” current revision

DoD 8580.02-R, “DoD Health Information Security Regulation,” current revision

DoD 5200.2-R, “DoD Personnel Security Program,” January 1987

CFR, Title 32, Part 2002, “Controlled Unclassified Information,” current edition

48 CFR Parts 204, 212, and 252 as amended by 76 Federal Register (FR) 69273-69282 / Vol. 78, No. 222 / Monday, November 18, 2013

Defense Federal Acquisition Regulation Supplement (DFARS), Subparts 252.204-7008, 7012, 7019, 7020, and 7021, current edition

Federal Acquisition Regulation (FAR) Clause, Subpart 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” current edition

DFARS, Subpart 252, 239-7018, “Supply Chain Risk,” current edition

DoD 5200.2-R, “DoD Personnel Security Program,” current revision

DoD 5400.11-R, “Department of Defense Privacy Program,” current revision

DoD Directive (DoDD) 5015.2, “DoD Records Management Program,” current revision

DoD Instruction (DoDI) 8500.01, “Cybersecurity,” current revision

DoD 5015.02-STD, “Electronic Records Management Software Applications Design Criteria Standard,” current revision

Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors,” current revision

Federal Information Processing Standards Publication 201 (FIPS 201-1), “Personal Identity Verification (PIV) of Federal Employees and Contractors,” current revision

Directive Type Memorandum (DTM) 08-006, “DoD Implementation of Homeland Security Presidential Directive-12 (HSPD-12),” current revision

DoDI 8582.01, “Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information,” current revision

NIST Special Publication (SP) 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” current revision

NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations,” current revision

NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” current revision

NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” current revision

NIST SP 800-88, “Guidelines for Media Sanitization,” current revision

DoDD 5239.09, “Clearance of DoD Information for Public Release,” current revision

DoDI 5200.48, “Controlled Unclassified Information (CUI),” current revision

Health Insurance Portability and Accountability Act (HIPAA), Security Standards, Final Rule,” current revision

1.13 CUI and DoD Information Contractor IS

CUI is defined in 32 CFR Section 2002.4. DoD information, nonpublic DoD information, and DoD CUI are defined in DoDI 8582.01. See also DoDD 5230.09, “Clearance of DoD Information for Public Release,” current revision. PII/PHI that is DoD information constitutes DoD CUI because PII/PHI requires safeguarding and dissemination controls unless it has been cleared for public release. Nonpublic DoD information includes Federal Contract Information (FCI) that relates to a DoD contract.

2.0 CYBERSECURITY COMPLIANCE PROGRAMS

The NIST-based cybersecurity program, commonly referred to as the “NIST Program”, authorized under the DoDI 8582.01, is designed to ensure the minimum security requirements to protect the confidentiality of unclassified nonpublic DoD information, including covered defense information (i.e., DoD CUI), on a contractor’s covered information system(s) are implemented. The contractor shall implement the NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” as prescribed in the DFARS Clause 252.204-7012 to operate their covered information systems to store, process, or transmit unclassified nonpublic DoD information or DoD CUI. To effectively track the flow of covered defense information and assess compliance of the contractor’s known Tier 1 Level suppliers, the contractor shall identify and track the flow of unclassified nonpublic DoD information or DoD CUI.

2.1 Compliance with Federal Programs

2.1.1 The NIST Program leverages a contractor’s compliance with existing Federal Information Security-related measures (i.e., HIPAA, Federal Information Security Management Act (FISMA), etc.) to attest to its readiness to process, store, or transmit unclassified nonpublic DoD CUI. The NIST Program requires participating contractors to document compliance with the security requirements described in the NIST SP 800-171.

2.1.2 The contractor shall, with respect to HIPAA Security Rule compliance, follow the TOM, Chapter 19, Section 3, including the requirement for the contractors to designate a Security Official with specified responsibilities. Those responsibilities involve compliance with HIPAA Security Rule and DHA’s NIST Program requirements under this section.

2.2 Risk Management

2.2.1 The contractor shall accept sole responsibility for the risks associated with developing and maintaining cybersecurity readiness posture when they attest compliance with the NIST Program.

2.2.2 NIST Compliance Requirement

2.2.2.1 The contractor shall provide and maintain its NIST compliance as required by the contract in order to store, process, or transmit unclassified nonpublic DoD information, including covered defense information (i.e., DoD CUI), and to obtain approvals to connect to a DoD IS.

2.2.2.2 The contractor shall employ Audit Review, Analysis, and Reporting through proper Integration/Scanning and Continuous Monitoring Capabilities (i.e., continuous monitoring for vulnerabilities) that identify the breadth, depth, and rigor of coverage during the security review process for submission of their security documentation.

2.2.2.3 The contractor shall ensure that the security requirements required by the contract are implemented correctly, operating as intended, and support the security policies of the DHA.

2.3 NIST SP 800-171 DoD Assessment Methodology

2.3.1 Requirement

2.3.1.1 The NIST SP 800-171 DoD Assessment Methodology, as required by DFARS Clause 252.204-7019, builds on DFARS Clauses 252.204-7008 and 252.204-7012 for contractors to represent they will implement NIST SP 800-171 security requirements in order to be considered for contract award. A “Basic” assessment, as defined in DFARS clause 252.204-7020, is a contractor’s self-assessment of their implementation of the NIST SP 800-171. The Basic assessment is based on a review of the System Security Plan(s) (SSP(s)) associated with the covered contractor IS, and conducted in accordance with procedures outlined in DFARS Clause 252.204-7020.

2.3.1.2 The contractor shall ensure to include the substance of DFARS Clause 252.204-7020, including paragraph (g) therein, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items (excluding commercially available off-the-shelf (COTS) items). The “NIST SP 800-171 DoD Assessment Methodology Scoring Template” is publicly available on the Office of the Undersecretary of Defense for Acquisitions & Sustainment (OUSD A&S) website or may be acquired from the CO or Contracting Officer Representative (COR).

2.3.2 Process

2.3.2.1 The contractor shall attest all covered IS that store, process, or transmit unclassified nonpublic DoD information or DoD CUI have the adequate safeguard controls in place as prescribed in the DFARS Clause 252.204-7012 (i.e., NIST SP 800-171) by submitting and maintaining a current (i.e., no less than one year) Basic assessment for each covered contractor IS that is relevant to the contract in the Supplier Performance Risk System (SPRS), or an authorized Government defined application, as described in DFARS clause 252.204-7020. Details for reporting are identified in DD Form 1423, Contract Data Requirements List (CDRL), located in Section J of the applicable contract.

2.3.2.2 The contractor shall submit, via a Government defined application, an SSP, or an extract thereof, and any associated Plans Of Action (POAs) developed to satisfy the adequate security requirements prescribed in the NIST SP 800-171. It should be noted the SSP and POAs are NIST SP 800-171 security requirements (i.e., #3.12.4 and #3.12.2). Details for reporting are identified in DD Form 1423, CDRL, located in Section J of the applicable contract.

2.3.2.3 The contractor shall provide access to its facilities, systems, and personnel to support Government strategic level (i.e., Medium or High) assessments or reassessments in accordance with DFARS Clause 252.204-7020. It should be noted, High level assessments depend on the Government’s resource availability. The Government will offer opportunity for rebuttal and adjudication prior to posting the strategic summary level score(s) to the SPRS. The contractor shall provide additional information to the Government within 14 business days to demonstrate they meet any security requirements not observed by the Government or rebut the findings that may be in question.

2.3.3 Cybersecurity Maturity Model Certification (CMMC) Requirement

2.3.3.1 The CMMC is a framework that measures a contractor’s cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes.

2.3.3.2 When required by contract, the contractor shall maintain a current (i.e., not older than three years) CMMC certificate at the CMMC level required by contract and maintain the CMMC certificate at the required level for the duration of the contract.

2.3.3.3 The contractor shall ensure to insert the substance of the DFARS Clause 252.204-7021, including paragraph (c) therein, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items, excluding COTS items.

2.3.3.4 The contractor shall verify the current CMMC certificate is made available in the SPRS or an authorized Government defined application.

2.4 Operation and Connectivity Decisions

2.4.1 The contractor shall complete, sign, and submit their SSP and any applicable POAs, via the Government defined application. For plan submission requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.

2.4.2 The contractor shall maintain a current Basic assessment and verify a summary level score is posted in SPRS or an authorized Government defined application. For assessment submission requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.

2.4.3 The contractor shall maintain a current CMMC certificate at the CMMC level required by contract posted in the SPRS or an authorized Government defined application when required by the contract.

2.5 Cloud Computing

The contractor shall follow the cloud computing requirements as prescribed in DFARS Clause 252.204-7012. For DoD CUI constituting PHI, the contractor shall ensure the external Cloud Service Provider (CSP) is Federal Risk and Authorization Management Program (FedRAMP) authorized at the appropriate baseline/impact level and maintains compliance throughout duration of the applicable contract.

2.6 Documentation

For a server-to-server connection requirement to a DoD IS, the Government will provide the contractor with the most current version of the DHA Business-to-Business (B2B) Questionnaire within 10 calendar days of contract award.

2.7 Cyber Incident Reporting and Handling of DoD CUI

The contractor shall follow the cyber incident reporting and handling requirements as prescribed in DFARS Clause 252.204-7012, paragraph (c), and the TRICARE Operations Manual (TOM), Chapter 1, Section 5, and ensure to immediately (within 24 hours) notify their CO or COR upon discovery of the cyber incident.

2.8 Dissemination and Disposing of DoD CUI

2.8.1 The contractor shall follow the DoD standards, guidance, and procedures to properly mark, monitor, disseminate, de-identify, and dispose of DoD CUI shared from DoD or generated, managed, or transmitted by the contractor via their contractor ISs, as appropriate, in accordance with DoDI 5200.48 and NIST SP 800-88.

2.8.2 The contractor shall ensure to flow-down this requirement to their applicable Tier-1 level subcontractors.

2.9 Supply Chain Risk

The contractor shall identify and assess compliance of their Tier-1 level subcontractors that process, store, or transmit unclassified nonpublic DoD information, to include DoD CUI, in order to mitigate supply chain risk.

3.0 E-COMMERCE EXTRANET REQUIREMENTS

3.1 The contractor shall access the application via the Internet through a workstation browser. The application is a “thin client”, meaning that no software needs to be installed on the client workstation and no software is downloaded into the browser. JavaScript and cookies must be enabled in the browser to use the application.

3.2 The application is best viewed at a resolution of 1024 x 768 pixels in a Microsoft Internet Explorer (MSIE) browser (Version 8 and higher). The Extranet application also supports the use of Google Chrome.

3.3 The contractor shall access the application using the Secure Socket Layer (SSL) protocol (https://) and a Common Access Card (CAC) with the PIV Authentication certificate. The Extranet application is Internet Protocol (IP) address restricted, i.e., it only allows communications from user organizations using defined and known IP addresses.

3.4 The contractor shall request access to the Extranet using the E-Commerce User Access Request-External which will be provided by the Government. The contractor shall list the organization IP address from which the data is transferred to/from the Extranet application on the User Access Request. The Government grants access to deliverables to users at the contract level and deliverables submitted by one contractor are not accessible to any other contractor.

3.5 The contractor shall follow the DoD standards, guidance, and procedures to properly mark, monitor, disseminate, and dispose of DoD CUI shared from DoD or generated, managed, or transmitted by the contractor via their information systems, as appropriate, in accordance with DoDI 5200.48 and NIST SP 800-88. The contractor shall ensure to flow-down these requirements to their applicable subcontractors.

4.0 PERSONNEL SECURITY ADP/IT REQUIREMENTS

4.1 Formal Designations Required

The contractor shall ensure that its personnel requiring access to the following are in positions designated as ADP/IT-I (critical sensitive) or ADP/IT-II (non-critical sensitive):

Access to a secure DoD facility.

Access to a DoD IS or a DoD CAC-enabled network.

Access to DEERS or the B2B Gateway.

4.2 ADP/IT Position Sensitivity Designations

4.2.1 An ADP/IT position category includes access to DoD IS. It is a designator that indicates the level of IT access required to fulfill the responsibilities of the position, including the potential risk for an individual assigned to the position to adversely impact DoD missions or functions.

4.2.2 The contractor’s Facility Security Officer (FSO) shall use the guidance below to determine a contractor employee’s specific ADP/IT level.

4.2.3 Contractor personnel designated for assignment to an ADP/IT position shall undergo a successful background security screening before being granted access to DoD IT systems and/or any DoD/DHA data directly extracted from those contained on any system (e.g., test and/or production) that contains sensitive data.

4.3 ADP/IT-I: Critical Sensitive Position

A position where the individual is responsible for the development and administration of Military Health System (MHS) IS/network security programs and has the direction and control of risk analysis and/or threat assessment. The required investigation is a Single Scope Background Investigation (SSBI) or equivalent. Responsibilities include:

4.3.1 Significant involvement in life-critical or mission-critical systems.

4.3.2 Responsibility for the preparation or approval of data for input into a system, which does not necessarily involve personal access to the system, but with relatively high risk for effecting severe damage to persons, properties or systems, or realizing significant personal gain.

4.3.3 Relatively high risk assignments associated with or directly involving the accounting, disbursement, authorization for disbursement from systems of:

Dollar amounts of 10 million dollars per year, or greater; or

Lesser amounts if the activities of the individuals are not subject to technical review by higher authority in the ADP/IT-I category to ensure the integrity of the system.

4.3.4 Positions involving major responsibility for the direction, planning, design, testing, maintenance, operation, monitoring, and/or management of systems hardware and software.

4.3.5 Other positions as designated by the Designated Approving Authority (DAA) that involve a relatively high risk for causing severe damage to persons, property or systems, or potential for realizing a significant personal gain.

4.4 ADP/IT-II: Non-Critical-Sensitive Position

A position where an individual is responsible for systems design, operation, testing, maintenance, and/or monitoring that is carried out under technical review of higher authority in the ADP/IT-I category. The required investigation is a National Agency Check with Law Enforcement and Credit (NACLC) or equivalent. Responsibilities include, but are not limited to:

4.4.1 Access to and/or processing of proprietary data, information requiring protection, or Government-developed privileged information involving the award of contracts.

4.4.2 Accounting, disbursement, or authorization for disbursement from systems of dollar amounts less than 10 million dollars per year.

4.4.3 Other positions as designated by the DAA that involve a degree of access to a system that creates a significant potential for damage or personal gain less than that in ADP/IT-I positions.

4.5 Employee Prescreening

4.5.1 The contractor shall conduct thorough reviews of information submitted on an individual’s application for employment in a position that requires either an ADP/IT background investigation or involves access via a contractor system to data protected by either the Privacy Act of 1974, as amended, or the HHS HIPAA Privacy and Security Final Rule.

4.5.2 The contractor shall include reviews for contractors working in the United States (US) and the District of Columbia, that include:

Verified US citizenship.

Verified education (degrees and certifications) required for the position in question.

Screen for negative criminal history at all levels (federal, state, and local).

Screen for egregious financial history; for example, where adverse actions by creditors over time indicate a pattern of financial irresponsibility or where the applicant has taken on excessive debt or is involved in multiple disputes with creditors.

4.5.3 The contractor shall include prescreening reviews for contractors working outside the US and District of Columbia that:

Verified US citizenship.

Verified education (degrees and certifications) required for the position in question.

Screen for negative criminal history, to the maximum extent possible as permitted by local laws of the host Government.

Screen for egregious financial history, to the maximum extent possible as permitted by local laws of the host Government.

4.5.4 The contractor shall conduct prescreening as part of the pre-employment screening, and shall complete prescreening before assigning any personnel to a position requiring the aforementioned ADP/IT accesses. The pre-screening can be performed by the contractor’s personnel security specialists, human resource manager, hiring manager, or similar individual.

4.6 Processing Personnel Security Requirements and Granting Interim Access to DoD IS

4.6.1 The contractor shall submit requests for a NACLC/SSBI type of security investigation to the federal investigating agency, Office of Personnel Management (OPM), via the electronic Questionnaires for Investigations Processing (e-QIP) system. Contractor personnel who do not have an investigation or appropriate level of investigation to obtain access to DoD/DHA IT data, systems or networks shall complete the SF 86 in e-QIP.

4.6.2 The DHA Personnel Security Branch (PSB) may grant DHA contractor personnel who are US citizens interim ADP-IT/CAC access upon confirmation of favorable results from the advance National Agency Check (NAC), Federal Bureau of Investigation (FBI) fingerprint check and a scheduled/open investigation at OPM.

4.7 e-QIP Training and Access

4.7.1 The contractor FSO shall complete e-QIP training to access and use e-QIP.

4.7.2 The contractor FSO shall complete the e-QIP Access User Form for e-QIP user accounts to be created.

4.7.3 FSO Roles and Responsibilities

The contractor FSO shall:

Be a US citizen.

Possess a favorably adjudicated NACLC or equivalent investigation.

Provide list of applicants to PSB for verification of security eligibility.

Initiate applicant’s security questionnaire in e-QIP.

Select the appropriate Agency Use Block (AUB) template in e-QIP.

Notify the COR by email that an e-QIP request has been initiated and requires their approval.

Inform applicant to complete security questionnaire in e-QIP within 10 calendar days.

Perform initial review of applications for required information.

Capture and transmit e-fingerprints to OPM via Secured Web Fingerprint Transmission (SWFT) or mail two FD258 fingerprint cards to PSB.

Verify applicant’s citizenship and upload proof of citizenship document to investigation request before releasing case to PSB.

Serve as the main Point Of Contact (POC) for the applicant.

Monitor the e-QIP request, which includes ensuring the applicant completes the e-QIP form in designated time period.

Cancel or delete an e-QIP request on an applicant.

Act as POC if DoD Central Adjudication Facility (CAF) requires additional information on contractor employees.

4.8 Additional Requirements/Information

4.8.1 Background Investigation Request for ADP/IT-I

The contractor shall have their FSOs coordinate and submit a written request on company letterhead to the DHA COR for endorsement for their personnel requiring an ADP/IT-I investigation. The request letter shall be signed by, at a minimum, the FSO or other appropriate executive. It shall include a detailed job description which justifies the requirement for the ADP/IT-I. The contractor shall email the justification letter to a company assigned POC in PSB.

4.8.2 Reinvestigation Requirements

4.8.2.1 The contractor shall have reinvestigation requirements if personnel are in positions designated as ADP/IT-I and ADP/IT-II.

4.8.2.2 ADP/IT-I positions are critical sensitive and shall be re-investigated every five years. ADP/IT-II positions are non-critical sensitive and shall be re-investigated every 10 years. The reinvestigation shall be initiated within 60 calendar days of the closed date of the last investigation.

4.8.2.3 The FSO shall track the reinvestigation requirement for contractor employees and initiate new investigations, as required above. Fingerprints are not required for re-investigations unless specifically requested.

4.8.3 Reciprocal Acceptance of Prior Investigation

An investigation is reciprocated when a new contractor employee has an existing favorably adjudicated investigation that meets the appropriate level of investigation required; and the break in service has been two years or less. The FSO shall verify prior investigation and if valid, provide PSB new employee’s name, Social Security Number (SSN), and Date of Birth (DOB).

4.8.4 Requests for Additional Information

PSB may require additional information while the contractor employee’s investigation is in progress. The PSB will notify the FSO to provide the information by a specified date or the investigation may be rejected or returned unacceptable. The FSOs shall review applications for required information prior to release, to reduce case rejections and requests for additional information.

4.8.5 Notification of Employee Termination and Unfavorable Personnel Security Determination

4.8.5.1 The contractor FSO shall notify PSB immediately when a contractor employee is terminated from a DHA contract. Email notification shall include the employee’s name and termination date.

4.8.5.2 The contractor shall notify PSB if a contractor moves a contractor employee to another one of its DHA contracts.

4.8.5.3 The contractor shall notify PSB immediately, especially when a contractor employee is being moved from an unclassified contract to a classified contract.

4.8.5.4 PSB will notify FSOs when a contractor employee has received an unfavorable personnel security determination. Upon receipt of a denial letter from PSB, the FSO shall immediately terminate the employee’s access to DoD IT systems. The contractor shall send the return receipt letter included with the denial letter from PSB to PSB one week after receipt of the letter to show compliance with terminating employee’s access.

4.8.6 Transfers Between Contractors

4.8.6.1 When contractor employees transfer employment from one DHA contractor to another DHA contractor while their investigation for ADP/IT trustworthiness determination is in process, the scheduled investigation may be applied to the new employing contractor.

4.8.6.2 The gaining contractor shall provide notification to PSB when this type of transfer occurs. The notification shall contain employee’s name and effective date of transfer.

4.8.7 Electronic Fingerprint Capture and Submission

4.8.7.1 The contractor shall capture e-fingerprints and transmit via SWFT as it improves processing time and securely transmits fingerprints.

4.8.7.2 The contractor and subcontractor shall meet these requirements for those who have access to DoD IS containing information protected by the Privacy Act of 1974 and PHI under HIPAA.

4.8.8 Foreign Nationals

The requirements above must be met by US citizens who have access to DoD IS containing information protected by the Privacy Act of 1974 and PHI under HIPAA. The required investigation must be completed and favorably adjudicated prior to authorizing ADP/IT access to DoD system/networks.

4.8.9 Notification and Mailing

4.8.9.1 The contractor shall use the following information to contact the PSB.

Mailing Address:

Defense Health Agency

ATTN: Personnel Security Branch

7700 Arlington Blvd, Suite 5101

Falls Church, VA 22042-5101

e-QIP Help Desk: (703) 681-6508

Email address: dhapsb@mail.mil

4.8.9.2 The contractor shall handle sensitive information according to applicable laws and DoD policies related to privacy and confidentiality.

4.8.9.3 The contractor shall transmit PII or PHI via encrypted email or the OPM secure portal.

4.9 References

DoDD 5136.01, “Assistant Secretary of Defense for Health Affairs (ASD(HA)),” September 30, 2013.

DoDD 5136.13, “Defense Health Agency (DHA).”

DoDI 5025, “DoD Issuances Program,” June 6, 2014, as amended.

DoDD 52002.2-R, “Personnel Security Program,” January 1987, as amended, http://www.dtic.mil/whs/directives/corres/pdf/520002r.pdf.

FIPS Publication 140-2, Security Requirements for Cryptographic Modules, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

CFR, Title 5, Part 731, “Suitability Regulations,” January 9, 2009, as amended.

DoD Administrative Instruction 15, “Office of the Secretary of Defense Records and Information Management Program,” May 3, 2013.

Executive Order 12968, “Access to Classified Information,” August 4, 1995.

DoDD 5102.21, “Sensitive Compartmented Information Administrative Security Manual,” October 2012.

Intelligence Community Directive (ICD) 704, “Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information,” October 1, 2008.

United States Code (USC), Title 5, “The Privacy Act of 1974,” December 31, 1974.

5.0 PUBLIC KEY INFRASTRUCTURE (PKI) REQUIREMENTS

DoD has initiated a PKI policy to support enhanced risk mitigation strategies in support of the protection of DoD’s system infrastructure and data. DoD’s implementation of PKI requirements is specific to the identification and authentication of users and systems within DoD (DoDI 8520.02). The following paragraphs provide current DoD PKI requirements.

5.1 User Authentication

5.1.1 The contractor shall ensure all personnel accessing DoD applications and networks have obtained PKI enabled and PIV-compliant Government accepted credentials. Contractor personnel with access limited to internal contractor systems and applications are not required to obtain PKI enabled and PIV-compliant credentials. Such credentials shall follow the PIV trust model (FIPS 201-2) and be acceptable to the Government.

5.1.2 The contractor shall obtain Government-issued CACs to meet this requirement. PIV-compliant credentials are required for access to DoD systems, networks and data. The Government will not grant alternate sign on access. The contractor shall use encryption and digital signatures for information transmitted electronically that includes DoD/DHA data covered by the Privacy Act, HIPAA, and IS and network requirements.

5.2 CAC Issuance

5.2.1 The CAC is the standard identification for Service members, DoD civilian employees, and eligible DoD contractor personnel. It is the principal card used to enable both physical access to a DoD facility and access, via logon, to DoD networks on-site or remotely. Access to the DoD network requires the use of a computer with Government-controlled configuration or use of a DoD-approved remote access procedure in accordance with the DISA Security Technical Implementation Guide.

5.2.2 Trust Associated Sponsorship System (TASS) is a web-based system that allows eligible DoD contractors to apply for a CAC through the Internet. Government sponsors (also known as Trusted Agent (TA)) approve the application to receive Government credentials.

5.2.3 CACs Issued On or After January 6, 2017

5.2.3.1 The contractor shall obtain CACs from Real-Time Automated Personnel Identification Systems (RAPIDS) sites.

5.2.3.2 The contractor shall build in the distance and appointment capacity for obtaining CACs in accordance with TOM, Chapter 2 transition requirements.

5.2.3.3 The contractor shall use the RAPIDS locator website (https://idco.dmdc.osd.mil/idco/) for scheduling personnel who require CACs.

5.2.3.4 CACs issued, reissued, or replaced on or after January 6, 2017, will be issued with a blank email certificate unless the CAC holder already has a DoD approved email address. Instructions for requesting an approved email address are available in paragraph 5.2.3.3. Without an approved Government email address (and the accompanying DoD email certificate), the CAC holder will be unable to use the capabilities afforded by such a certificate, including digital signatures, digital encryption, and/or to access Government systems that require a DoD approved email certificate authentication.

5.2.3.5 CAC capabilities that do not require a DoD approved email certificate for authentication will still function. If a CAC owner requires a DoD approved email certificate to perform their duties, the DHA’s DoD approved email is Defense Enterprise Email (DEE). Not all contractors require DoD approved email certificates on their CAC to perform their duties.

5.2.3.6 The contractor shall reference the specific requirements outlined in paragraph 5.2.3.2.

5.2.3.7 The contractor shall reference the specific requirements outlined in the contract for clarification.

5.2.4 Email Address Certificates on CACs

5.2.4.1 CAC owners will require a DoD approved email address certificate on their CAC in order to perform certain functions, such as the ability to digitally sign, digitally encrypt, and/or access Government systems that require a DoD approved email address certificate. Some current CAC users may already have another type of email certificate that complies with DoD requirements.

5.2.4.2 The contractor shall obtain a DEE account, as described below, if a contractor requires the capabilities afforded by a DoD approved email certificate on their CAC. The DEE account provides the CAC holder with the required DoD approved email certificates needed for the CAC. It also creates an email in-box that allows the user to send/receive encrypted emails and send/receive Government correspondence, among other capabilities. Once a CAC holder obtains their DEE account, the user may access their account using Outlook Web Access (OWA) at https://web.mail.mil.

5.2.4.3 The COR/Program Manager (PM) will email the contractor’s FSO requesting a list of users’ first and last names, personnel type codes (Civilian, Military, Contractor) and DoD Identification (ID) Number, located on the back of the user’s CAC.

5.2.4.4 Upon receipt, the COR/PM will forward the information to Global Service Center (GSC) at DHA.ITCallCenter@mail.mil and request that DEE accounts be provided for each user listed. A DHA Add User Form is not required to only obtain DEE accounts for CAC owners.

5.2.4.5 GSC will create a DEE account for each contractor request submitted, and provide the COR/PM acknowledgment of the account creation. The COR/PM will forward the account information to the FSO, who shall provide the CAC owners the new account information with instructions on how to create or update their DEERS/RAPIDS Online profiles as described below.

5.2.4.6 When the CAC holder receives their DEE account information, they shall:

Update the email certificate associated with their CAC:

Sign in to the following link (do not select the DoD EMAIL certificate option): https://www.dmdc.osd.mil/self_service/rapids/unauthenticated?execution=e1s1

Within CAC Maintenance, select Change CAC Email.

Update the DoD approved email address on the CAC to reflect the DEE (@mail.mil) account. This will create the DoD Certs needed for the digital signature and encryption. (This may take up to 72 hours for the settings to update and be reflected in the system.)

Update their Global Address List (GAL) properties:

Sign in to the following link: https://www.dmdc.osd.mil/milconnect/

Select Update Work Contact Info (GAL).

Update contact information accordingly.

Access their DEE account using OWA at https://web.mail.mil.

Note: The amount of time required to obtain a DEE account is contingent upon the independent steps performed by the parties outlined above. Activities are typically completed in hours.

5.2.5 FSO Roles and Responsibilities

5.2.5.1 Obtaining a CAC

The contractor FSO shall:

Identify contractor support personnel who require a CAC for accessing DoD networks and facilities.

Verify the applicant’s background investigation by submitting a request to PSB.

Complete Sections I and III of the DHA Form 33, the initial and/or renewal CAC.

Submit DHA Form 33 to the COR for approval.

Fax the completed form to (703-681-5207), ATTN: PSB/TASS/Common Access Card Branch (CACB) or email to: dha.ncr.security.mbx.personnel-security-tass@mail.mil.

5.2.5.2 Obtaining Email Address Certificate

The contractor FSO shall:

Assist the CAC owner with obtaining a DoD approved email address (and the accompanying email certificate) for their CAC, if one is required to perform their job duties.

Submit to the COR a list of user’s first and last names, persona type codes (Civilian, Military, Contractor) and DoD ID Number, for those requiring an email certificate.

5.2.5.3 Out-Processing Procedures

The FSO shall:

Establish out-processing procedures to collect the CAC when an employee quits, is terminated from the company or when the CAC is no longer required.

Notify the TA to revoke the applicant’s CAC.

Return CACs in accordance with paragraph 5.2.6.8.

5.2.6 CAC Guidelines and Restrictions

5.2.6.1 Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in Sections 499, 506, 509, 701, and 1001 of Title 18, USC. Section 701 prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with Appendix 501 of Title 50, USC (also known as “The Service member’s Civil Relief Act”), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.

5.2.6.2 ID cards shall not be amended, modified, or overprinted by any means. No stickers or other adhesive materials are to be placed on either side of an ID card. Holes shall not be punched into ID cards, except when a CAC has been requested by the next of kin for an individual who has perished in the line of duty. A CAC provided to next of kin shall have the status of the card revoked in DEERS, have the certificates revoked, and have a hole punched through the integrated circuit chip before it is released to the next of kin.

5.2.6.3 Access

The granting of access is determined by the contractor or system owner as prescribed by the DoD.

5.2.6.4 Accountability

CAC holders shall maintain accountability of their CAC at all times while affiliated with the DoD.

5.2.6.5 Multiple Cards

In instances where an individual has been issued more than one ID card (e.g., an individual that is eligible for an ID card as both a Reservist and as a contractor employee), only the ID card that most accurately depicts the capacity in which the individual is affiliated with the DoD should be used at any given time.

5.2.6.6 Renewal and Reissuance

The contractor shall require the applicant for CAC renewal or reissuance to surrender the current CAC that is up for renewal. The contractor shall ensure the CAC is renewed 90 calendar days prior to the CAC expiring.

5.2.6.7 Replacement

The applicant shall provide a letter from the local security office confirming the CAC has been reported lost, stolen, confiscated or destroyed, and a valid (unexpired) State or Federal Government-issued picture ID.

5.2.6.8 Retrieval

The CAC is property of the US Government and the contractor shall return the CAC to TASS-CACB when the card has expired, is damaged, compromised, when the applicant is no longer affiliated with the DoD contractor or no longer meets the eligibility requirements for the card.

Defense Health Agency

Mission Assurance Division

Personnel Security Branch

ATTN: TASS/CACB

7700 Arlington Blvd, Suite 5101

Falls Church, VA 22042-5101

5.2.7 Personal Identification Number (PIN) Resets

5.2.7.1 Should an individual’s CAC become locked after attempting three times to access it, the user shall reset the PIN at a RAPIDS facility or with designated individuals authorized CAC PIN Reset (CPR) applications. These individuals may be contractor personnel, if approved by the Government representative. The contractor shall not do PIN resets remotely.

5.2.7.2 The contractor shall provide all hardware for the workstation (personal computer (PC), card readers, fingerprint capture device). The Government will provide CPR software licenses.

5.2.7.3 The contractor shall not use the CPR workstation for other applications, as the Government has not tested the CPR software for compatibility.

5.2.7.4 The contractor shall ensure the CPR software runs on the desktop and not on the Local Area Network (LAN).

5.2.7.5 The contractor shall install the CPR hardware and software, and provide the personnel needed to run the workstation.

5.2.8 Systems Requirements for CAC Authentication

5.2.8.1 The contractor shall procure, install, and maintain desktop level CAC readers and middleware. The contractor shall run the middleware software on the desktop and not from the LAN. Technical Specifications for CACs and CAC readers may be obtained at https://www.dmdc.osd.mil/appj/dwp/contractor_civ_roles.jsp.

5.2.9 The contractor shall ensure that CACs are only used by the individual to whom the CAC was issued. Individuals shall protect their PIN and not allow it to be discovered or allow others to use their CAC.

5.2.10 The contractor shall ensure access to DoD systems applications and data is only provided to individuals who have been issued a CAC and whose CAC has been validated by the desktop middleware, including use of a card reader. Sharing of CACs, PINs, and other access codes is expressly prohibited.

5.2.11 The contractor shall provide locations and approximate number of contractor personnel at each site who will require the issuance of a CAC upon contract award.

5.2.12 The contractor shall identify to DHA and DMDC the personnel that require access to the DMDC Contractor Test environment in support of systems testing activities.

5.3 System Authentication

5.3.1 The contractor shall obtain DoD-acceptable PKI server certificates for identity and authentication of the servers upon direction of the CO. These interfaces include, but are not limited to, the following:

5.3.2 Contractor systems for inquiries and responses with DEERS.

5.3.3 Contractor systems and the TED Processing Center.

6.0 SYSTEMS COMMUNICATION

6.1 MHS Demilitarized Zone (DMZ) Medical Community of Interest (MedCOI) B2B Gateway

6.1.1 The contractor shall, in accordance with contract requirements, connect to the B2B Gateway via a contractor procured Internet Service Provider (ISP) connection.

6.1.2 The contractor shall assume all responsibilities for establishing and maintaining its connectivity to the B2B Gateway. This shall include acquiring and maintaining the circuit used to connect to the B2B Gateway and the acquisition of a Virtual Private Network (VPN) device and maintenance agreement and license compatible with the VPN device. The list of compatible devices is detailed in the DHA B2B/MedCOI Gateway questionnaire.

6.1.3 The contractor shall submit a completed current version of the DHA B2B/MedCOI Gateway questionnaire to their Government sponsor or Government Program Office within 10 calendar days after new requirements have been provided to the contractor.

6.2 Contractor Provided IT Infrastructure

6.2.1 The contractor shall ensure its platforms support Hypertext Transfer (Transport) Protocol Secure (HTTPS), web-derived Java Applets, and Secure File Transfer Protocols (SFTPs) (e.g., SFTP, Secure Socket Layer (SSL)/Transport Layer Security (TLS)), and all software that the contractor proposes to use to interconnect with DoD facilities.

6.2.2 The contractor shall configure their networks to support access to Government systems (e.g., configure ports and protocols for access).

6.2.3 The contractor shall provide full time connections to a Tier 1 or Tier 2 ISP. The contractor shall not use dial-up ISP connections. The contractor shall ensure all its IP addresses are publicly routable. The contractor shall not allow private address space using Network Address Translation (NAT).

6.2.4 The contractor shall maintain a valid maintenance contract and pertinent licenses for all devices connecting to the MHS B2B Gateway.

6.3 System Authorization Access Request (SAAR) Defense Department (DD) Form 2875

6.3.1 The contractor shall submit the most current version of DD Form 2875 in accordance with CO guidance for all contractors that use the DoD Gateways to access Government IT systems and/or DoD applications. The contractor shall complete a DD Form 2875 for each contractor employee who will access any system and/or application on a DoD network. The contractor shall ensure the DD Form 2875 clearly specifies the system and/or application name and justification for access to that system and/or application.

6.3.2 The contractor shall submit the completed DD Form 2875 to the DHA DPCLO for verification of ADP Designation. The DHA DPCLO will verify that the contractor employee has the appropriate background investigation completed or a request for background investigation has been submitted to the OPM. DHA DPCLO will verify OPM acknowledgment that the request for a background investigation has been received and that an investigation has been scheduled prior to approving access.

6.3.3 DHA will notify the user via secure/encrypted email upon the establishment of a user account. User accounts will be established for individual use and may not be shared by multiple users or for system generated access to any DoD application. Misuse of user accounts by individuals or contractor entities will result in termination of system access for the individual user account.

6.3.4 The contractor shall conduct a monthly review of all contractor employees who have been granted access to DoD IS/networks to verify that continued access is required.

6.3.5 The contractor shall provide the DHA DPCLO with a report of the findings of their review by the 10th day of each month following the review. Reports identifying changes to contractor employee access requirements shall include the name, DoD ID number from CAC, Company, IS/network for which access is no longer required and the date access will be terminated. For reporting requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.

6.4 MHS Systems Communications

6.4.1 The contractor shall ensure its primary communication links are via encrypted tunnels (i.e., Secure Internet Protocol (IPSEC), GetVPN, or SSL) between the contractor’s primary site and the MHS B2B Gateway.

6.4.2 The contractor shall procure a primary and auxiliary VPN device for backup purposes to minimize any downtime associated with problems of the primary VPN.

6.4.3 The contractor shall send devices to the MHS VPN management authority (e.g., DHA) via postage paid and include prepaid return shipping arrangements for the device(s).

6.4.4 The MHS VPN management authority (e.g., DHA) will remotely configure and manage the VPN appliance once installed by the contractor.

6.4.5 The contractor shall place the VPN appliance device outside the contractor’s firewalls and shall allow full management access to this device (e.g., in router access control lists) to allow Central VPN Management services provided by DHA or other source of service as designated by the MHS to remotely manage, configure, and support this VPN device as part of the MHS VPN domain.

6.4.6 The contractor shall maintain and repair contractor procured VPN equipment.

6.4.7 The Government will be responsible for the troubleshooting of VPN equipment.

6.5 Establishment of System Communications

6.5.1 The contractor shall establish system communications with the MHS through coordination with DHA.

6.5.2 The DHA/MedCOI B2B Gateway Questionnaire identifies the required System Communication infrastructure between the contractor and the MHS systems. This includes all Wide Area Network (WAN), LAN, VPN, Web DMZ, and B2B Gateway access requirements.

6.5.3 The contractor shall complete their applicable portion of the questionnaire and shall return it to the DHA designated POC for review and approval.

6.5.4 The contractor shall, upon Government request, provide technical experts to provide any clarification of information provided in the questionnaire. DHA will review and process the questionnaire when it is received.

6.5.5 DHA will coordinate any requirements for additional information with the POC and schedule any meetings required to review the Questionnaire. Upon approval of the Questionnaire, DHA will coordinate a testing meeting with appropriate stakeholders.

6.5.6 DHA will notify the contractor POC of the meeting schedule. The purpose of the testing meeting is to complete a final review of the Systems Communication requirements and establish testing dates.

6.6 Contractors Located On Military Installations

6.6.1 The contractor shall coordinate/obtain the connections with the local Markets/Military Medical Treatment Facilities (MTFs) and Base/Post/Camp communication personnel located on a military installation who require direct access to Government systems.

6.6.2 The Government will furnish these connections.

6.6.3 The contractor located on military installations that require direct connections to their networks shall provide an isolated IT infrastructure.

6.6.4 The contractor shall coordinate with the Base/Post/Camp communications personnel and the Market/MTF in order to get approval for a contractor procured circuit prior to installation to ensure the contractor is within compliance with the respective organizational security policies, guidance and protocols.

Note: In some cases, the contractor may not be allowed to establish these connections due to local administrative/security requirements.

6.6.5 The contractor shall document all security certification as required to support DoD IA requirements for network interconnections.

6.6.6 The contractor shall provide, upon request, detailed network configuration diagrams to support IA accreditation requirements.

6.6.7 The contractor shall comply with IA accreditation requirements. All network traffic shall be via Transmission Control Protocol/Internet Protocol (TCP/IP) using ports and protocols in accordance with current Service security policy. All traffic that traverses MHS, DMDC, and/or military Service Base/Post/Camp security infrastructure is subject to monitoring by security staff using Intrusion Detection Systems.

6.7 DHA/TED

6.7.1 Primary Site

The TED primary processing site is currently located in San Antonio, TX, and operated by the DISA Defense Enterprise Computing Center (DECC), Detachment San Antonio, TX.

Note: The location of the primary site may be changed. The Government will advise the contractor should this occur.

6.7.2 General

6.7.2.1 The common means of administrative communication between Government representatives and the contractor is via telephone and email. An alternate method may be approved by DHA.

6.7.2.2 The contractor shall provide the DHA the name, address, and telephone number of the person who will serve as a technical POC (update when changes occur) at the start-up planning meeting.

6.7.2.3 The contractor shall provide a separate computer center (Help Desk) number to DHA which the DHA computer operator may use for resolution of problems related to data transmissions.

6.7.3 TED-Specific Data Communications Technical Requirements

The contractor shall communicate with the Government’s TED Data Center through the MHS B2B Gateway.

6.7.3.1 Communication Protocol Requirements

6.7.3.1.1 The contractor shall use file transfer software to support communications with the TED Data Processing Center. CONNECT:Direct is the current communications software standard for TED transmissions.

6.7.3.1.2 The contractor shall upgrade/comply with any changes to this software.

6.7.3.1.3 The contractor shall provide this product and a platform capable of supporting this product with the TCP/IP option included. The contractor may obtain details on this product from:

Sterling Commerce

4600 Lakehurst Court

P.O. Box 8000

Dublin OH 43016-2000 USA

Phone: (614) 793-7000

Fax: (614) 793-4040

6.7.3.1.4 The contractor shall provide TCP/IP communications software incorporating the TN3270 emulation for Ports and Protocol support.

6.7.3.1.5 Transmission size is limited to any combination of 400,000 records at one time.

6.7.3.1.6 “As Required” Transfers

The contractor shall coordinate ad hoc movement of data files through, and have it executed by, the network administrator or designated representative at the source file site. Generally speaking, the requestor needs only to provide the POC at the remote site, and the source file name. The contractor shall obtain destination file names from the network administrator at the site receiving the data. Compliance with naming conventions used for recurring automated transfers is not required. Other site specific requirements, such as security constraints and pool names, are generally known to the network administrators.

6.7.3.1.7 File Naming Convention

6.7.3.1.7.1 All files received by and sent from the DHA data processing site shall comply with the following standards when using CONNECT:Direct:

| POSITION(S) | CONTENT |
| --- | --- |
| 1 - 2 | TD |
| 3 - 8 | YYMMDD Date of transmission |
| 9 - 10 | Contractor number |
| 11 - 12 | Sequence number of the file sent on a particular day. Ranges from 01 to 99. Reset with the first file transmission the next day. |

6.7.3.1.7.2 The DHA data processing site coordinates with receiving entities and names all outgoing files to accommodate specific communication requirements for the receivers.
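A receiving-side check for the 12-character file name layout in paragraph 6.7.3.1.7.1, given here as an added example that is not part of the manual or of any DHA or CONNECT:Direct software. It parses the four fields strictly and audits a batch for malformed names, reused sequence numbers and holes in a day's sequence; the function names, the two-digit contractor number, the "starts at 01 with no holes" check and the sample names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Positions 1-2 "TD", 3-8 YYMMDD, 9-10 contractor number, 11-12 sequence.
# Assumption: the contractor number is two decimal digits (the manual says
# "number" but does not state the character set). [0-9] is used instead of
# \d so that non-ASCII Unicode digits are rejected.
_LAYOUT = re.compile(r"TD([0-9]{6})([0-9]{2})([0-9]{2})")


class TedNameError(ValueError):
    """Raised when a name does not follow the 12-character layout."""


@dataclass(frozen=True)
class TedFileName:
    sent: date        # positions 3-8, date of transmission
    contractor: str   # positions 9-10
    sequence: int     # positions 11-12, 01 to 99


def parse_ted_name(name: str) -> TedFileName:
    # fullmatch rather than match/search: a trailing newline, a suffix or a
    # path prefix makes the name invalid instead of being silently ignored.
    m = _LAYOUT.fullmatch(name)
    if m is None:
        raise TedNameError("not TD + YYMMDD + contractor + sequence (12 chars)")
    yymmdd, contractor, seq = m.groups()
    try:
        sent = datetime.strptime(yymmdd, "%y%m%d").date()
    except ValueError:
        raise TedNameError(f"{yymmdd} is not a calendar date") from None
    if int(seq) == 0:
        raise TedNameError("sequence number must be 01 to 99")
    return TedFileName(sent, contractor, int(seq))


def audit_batch(names):
    """Return a list of findings for a batch of received file names."""
    findings = []
    per_day = defaultdict(Counter)   # (date, contractor) -> sequence counts
    for name in names:
        try:
            parsed = parse_ted_name(name)
        except TedNameError as exc:
            findings.append(f"{name!r}: {exc}")
            continue
        per_day[(parsed.sent, parsed.contractor)][parsed.sequence] += 1

    for (sent, contractor), seqs in sorted(per_day.items()):
        label = f"{sent.isoformat()} contractor {contractor}"
        for seq, count in sorted(seqs.items()):
            if count > 1:
                findings.append(f"{label}: sequence {seq:02d} used {count} times")
        # Assumption: each day's numbering starts at 01 and has no holes,
        # since the sequence resets with the first file of the next day.
        missing = [s for s in range(1, max(seqs) + 1) if s not in seqs]
        if missing:
            listed = ", ".join(f"{s:02d}" for s in missing)
            findings.append(f"{label}: missing sequence {listed}")
    return findings


# Constructed sample names, not taken from any real transmission.
SAMPLE_NAMES = [
    "TD2406200101",
    "TD2406200102",
    "TD2406200102",      # same sequence number sent twice
    "TD2406200104",      # 03 never arrived
    "TD2406210101",      # next day, sequence reset to 01
    "TD2402300101",      # February 30 does not exist
    "TD2406200100",      # sequence 00 is outside 01 to 99
    "td2406200101",      # wrong prefix case
    "TD2406200101.bak",  # extra characters after position 12
]

if __name__ == "__main__":
    for finding in audit_batch(SAMPLE_NAMES):
        print(finding)
```

A gap or a reused sequence number is a prompt to reconcile with the sender before the day's files are processed, not proof of a fault on either side.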

6.7.3.1.8 Timing

6.7.3.1.8.1 Under most circumstances, the source file site shall initiate automated processes to cause transmission to occur. With considerations for timing and frequency, activation of transfers for each application shall be addressed on a case-by-case basis.

6.7.3.1.8.2 Alternate Transmission

The contractor shall notify the DHA to discuss alternative delivery methods should the contractor not be able to transmit their files through the normal operating means.

6.8 DHA/TRICARE Duplicate Claims System (DCS)

6.8.1 The DCS is a web application accessible via MSIE, version 6.0, 7.0 or as directed by the Government.

6.8.2 The contractor shall provide internal connectivity to the public Internet and shall provide all systems and operating system software needed internally to support the DCS. (See Chapter 4 for DCS Specifications.)

7.0 HIPAA REQUIREMENTS

7.1 The contractor shall be in compliance with the HIPAA Rules, the DoD HIPAA Issuances, the TOM, Chapter 19, Section 3, and any provisions of this manual and DoD cybersecurity guidance addressing security incident response.

7.2 The contractor shall comply with HIPAA breach response requirements, which are addressed in conjunction with DoD breach response requirements in the TOM, Chapter 1, Section 5.

7.3 Data Sharing Agreements (DSAs)

7.3.1 If the contractor requires access to PII, which includes PHI, or access to de-identified data, the contractor shall comply with the DHA Defense Privacy and Civil Liberties Office (DPCLO) (Privacy Office) Data Sharing Program. This program requires DHA to enter into DSAs with parties outside the MHS who use or create MHS data. (DHA contracts may use the term Data Use Agreement (DUA) rather than DSA.) DSAs assure that outside parties protect MHS data in accordance with the Privacy Act and the HIPAA Rules. To apply for a DSA, the Prime contractor shall submit a Data Sharing Agreement Application (DSAA) to the DHA DPCLO. The contractor shall submit the DSAA even if a subcontractor will be the party accessing MHS data. After review and approval of the DSAA, the Privacy Office provides a DSA to the contractor for execution. The DSAA template and other DSA guidance and forms are available at the following page on the Privacy Office website: http://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties.

7.3.2 The contractor shall complete an Account Authorization Request Form (AARF) and have an ADP/IT-II designation for primary contractors and subcontractors requiring access to or use of MHS data. Refer to ADP/IT Category Guidance below.

7.4 Disclosure Tracking and Accounting and Other System Capabilities for Privacy Act and HIPAA Privacy Compliance

The contractor shall maintain systems (or use MHS systems) with the capabilities to track and report on disclosure requests, disclosure restrictions, accounting for disclosure requests, authorizations, PII/PHI amendments, Notice of Privacy Practices (NoPP) distribution management, confidential communications requests, and complaint management. Situation reports may be required to address complaints, inquiries, or unique events related to the foregoing responsibilities.

8.0CONTINUITYOF OPERATIONS PLAN (COOP) REQUIREMENTS

The contractor shall obtainand maintain adequate hardware, software, personnel, procedures,controls, contingency plans, and documentation to satisfy DHA dataprocessing and reporting requirements. Items requiring special attentionare listed below.

8.1COOP

The contractor shall developa single plan, deliverable to the DHA CO on an annual basis thatensures the continuous operation of their IT systems and data supportof TRICARE. The plan shall provide information specific to all actionsthat will be taken by the Prime and subcontractors in order to continueoperations should an actual disaster be declared for their geographicarea of responsibility. For plan submission requirements, see DDForm 1423, CDRL, located in Section J of the applicable contract.

8.1.1The COOPshall ensure the availability of the system and associated datain the event of hardware, software and/or communications failures.

8.1.2The COOPshall include the Prime and subcontractor’s plans for relocation/recoveryof operations, timeline for recovery, and relocation site informationin order to ensure compliance with the TOM, Chapters1 and 6. Informationspecific to connection to the B2B Gateway to and from the relocation/recoverysite for operations shall also be included in the COOP.

8.1.3The contractorshall ensure all security requirements are met and appropriate processesare followed for the B2B Gateway connectivity for relocation/recoverysites. The contractor’s COOP will shall enablecompliance with all processing standards as defined in the TOM, Chapter1, and compliance with enrollment processing and PrimaryCare Manager (PCM) assignment as defined in TOM, Chapter6.

8.1.4The contractor’s COOP shallinclude restoration of critical functions such as claims and enrollment withinfive calendar days of the disaster. The Government reserves theright to re-prioritize the functions and system interactions proposedin the COOP during the review and approval process for the COOP.

8.2 Security Requirements

The contractor shall ensure security and access requirements are met in accordance with existing contract requirements for all COOP and disaster recovery activities. The Government will not grant waivers of security and access requirements for COOP or disaster recovery activities.

8.3 Annual Disaster Recovery Tests

8.3.1 The Prime contractor shall coordinate annual disaster recovery testing of the COOP with its subcontractor(s) and the Government. Coordination with the Government will begin no later than 90 calendar days prior to the requested start date of the disaster recovery test.

8.3.2 Each Prime contractor shall ensure all aspects of the COOP are tested and coordinated with all contractors responsible for the transmission of TRICARE data.

8.3.3 Each Prime contractor shall ensure major TRICARE functions are tested.

8.3.4 The Prime contractor shall also ensure testing support activities (e.g., DEERS, TED, etc.) are coordinated with the responsible Government POC no later than 90 calendar days prior to the requested start date of the annual disaster recovery test.

8.3.5 The Prime contractor shall ensure the annual disaster recovery tests evaluate and validate that the COOP sufficiently ensures continuation of operations and the processing of TRICARE data in accordance with the TOM, Chapters 1 and 6. For reporting requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract. Including, but not limited to, the annual disaster recovery testing will include the processing of:

TRICARE Prime enrollments in the DEERS contractor test geographic area of responsibility to demonstrate the ability to update records of enrollees and disenrollees using the Government furnished web-based enrollment system/application.

Referrals.

Preauthorizations/authorizations.

Claims.

Claims and catastrophic cap inquiries will be made against production DEERS and the Catastrophic Cap and Deductible Database (CCDD) from the relocation/recovery site.

The contractor shall test their ability to successfully submit claims inquiries and receive DEERS claim responses and catastrophic cap inquiries and responses.

The contractor shall not perform catastrophic cap updates in the CCDD and DEERS production for test claims.

The contractor shall process a number of claims using the DEERS contractor test geographic area of responsibility to successfully demonstrate the ability to perform catastrophic cap updates and the creation of newborn placeholder records on DEERS.

The contractor shall demonstrate the ability to process provider, institutional and non-institutional claims. The contractor shall create TED records for every test claim processed during the claims processing portion of the disaster recovery test. The contractor shall submit the test claims to the DHA TED landing area.

8.3.6 The contractor shall maintain static B2B Gateway connections or other Government approved connections at relocation/recovery sites that may be activated in the event a disaster is declared for their geographic area of responsibility.

8.3.7 The contractor shall submit its results of the review and/or test results to the DHA Managed Care Contract Division (MC-CD) within 10 business days of the conclusion of the test.

8.3.8 The contractor shall include if any additional testing is required or if corrective actions are required as a result of the disaster recovery test within the report. The contractor shall submit the notice of additional testing requirements or corrective actions to be taken along with the proposed date for retesting and the completion date for any corrective actions required.

8.3.9 Upon completion of the retest, the contractor shall provide a report of the results of the actions taken to the MC-CD within 10 business days of completion. See Section J of the contract for information specific to deliverables, milestones, and due dates.

9.0 SYSTEMS INTEGRATION AND TESTING MEETING REQUIREMENTS

9.1 The DHA hosts regularly scheduled meetings, via teleconference, with contractor and Government representatives. Government attendees may include, but are not limited to, DMDC and DHA program and policy offices. These meetings will:

Review the status of system connectivity and communications.

Identify new DEERS applications or modifications to existing applications, e.g., Government furnished web-based enrollment systems/applications.

Issue software enhancements.

Implement system changes required for the implementation of new programs and/or benefits.

Review data correction issues and corrective actions to be taken (e.g., catastrophic cap effort-review, research and adjustments).

Monitor results of contractor testing efforts.

Other activities as appropriate.

9.2 The contractor shall ensure representatives participating in the calls are subject matter experts for the identified agenda items and are able to provide the current status of activities for their organization. DHA provides a standing agenda for the teleconference with the meeting announcement. Additional subjects for the meetings are identified as appropriate.

9.3 The contractor shall ensure testing activities are completed within the scheduled time frames and any problems experienced during testing are reported via the Government defined application for review and corrective action by DHA or their designee.

9.4 The contractor shall retest the scenario upon the provision of a corrective action strategy or implementation of a modification to a software application by DHA (to correct the problem reported by the contractor), to determine if the resolution is successful. Retesting shall be accomplished within the agreed upon timeframe.

9.5 The contractor shall update the Government defined application upon completion of retesting activities.

9.6 The contractor shall retest the scenario upon the provision of a corrective action strategy or implementation of a modification to a software application by the contractor (to correct the problem reported by DHA), to determine if the resolution is successful. DHA will also document system issues and deficiencies into the Government defined application related to testing and production analysis of the contractor’s systems and processes. The contractor shall accomplish retesting within the agreed upon time frames.

9.7 The contractor shall correct internal system problems that negatively impact their interface with the B2B Gateway, MHS, DMDC, etc. and/or the transmission of data, at their own expense.

9.8 Each organization (contractor) identified shall provide two POCs to DHA to include telephone numbers and emails to be used for call back purposes, notification of planned and unplanned outages and software releases. POCs will be notified via email in the event of an unplanned outage using the POC notification list, so the contractor shall notify DHA of changes to the POC list.

10.0 UNIFORMED SERVICES PAY CENTER REQUIREMENTS

10.1 Beneficiaries may pay enrollment fees/premium payments for specified TRICARE Programs by electronic monthly allotments from military payroll. The availability of this payment option is determined by the Program requirements and the Service member’s duty status and may not be available for all TRICARE Programs. Payroll allotment data is exchanged between military Uniformed Services payroll centers and the DHA purchased private sector care contractors.

10.2 The contractor shall process allotment information exchanged with military Uniformed Services payroll centers in accordance with the TOM, Chapter 6, Section 1. The following allotment processing guidance is provided for retirement pay processing in accordance with the Memorandum of Understanding (MOU) established between the DHA and Defense Finance and Accounting Service (DFAS), the US Air Force (USAF), and Public Health Service (PHS) for allotments from retired or the Uniformed Services pay center.

10.3 Exchange of Payroll Allotment Data

The contractor shall exchange payroll allotment data with the DFAS, US Coast Guard (USCG) and PHS, USAF and the US Navy (USN) and the Uniformed Services using a specified transmission protocol.

10.3.1 DFAS

10.3.1.1 The contractor shall transmit payroll allotment data for the US Army, Air Force, Navy, and Marines to DFAS via the B2B Gateway using SFTP or a secure Internet file transfer, e.g., Multi-Host Internet Access Portal (MIAP). The use of the B2B Gateway or a Government identified secure file transfer requires compliance with all security requirements in this Chapter.

10.3.1.2 The contractor shall separately provide DFAS with an SAAR DD Form 2875 requesting access to DFAS systems. This is in addition to what may have already been submitted for access to the B2B Gateway.

10.3.2 Pay Center Specific Allotment Data - US Coast Guard (USCG) and Public Health Services (PHS)

10.3.2.1 The contractor shall transmit payroll allotment data for the USCG and PHS via the SilkWeb (SFTP) and Titan web application (see instructions in Addendum A). All security and data handling requirements in this Chapter remain in effect.

10.3.2.2 The contractor shall obtain User IDs and passwords from the designated POC at the PHS.

10.3.3 USAF

10.3.3.1 The contractor shall transmit payroll allotment data for the USAF via a Government identified secure file transfer, which requires compliance with all security requirements in this Chapter.

10.3.3.2 The contractor shall separately provide USAF with an SAAR DD Form 2875 requesting access to the Air Force Integrated Personnel and Pay System (AFIPPS) (see instructions in Addendum B).

10.4 Data Transmission Requirements

10.4.1 The contractor shall provide DFAS/USAF/USN/USCG/PHS with a monthly file of retirees who have selected TRICARE Prime for their health benefit and elected monthly allotments as the methodology for paying enrollment fees.

10.4.2 DFAS will return feedback files to the contractor providing determinations of the actions, acceptance or rejection and whether the item is paid or unpaid.

10.4.3 The contractor shall provide DFAS/USAF/USN/USCG/PHS with POCs for testing, system and ongoing business requirements. The contractor shall maintain POC information and include: name, title, contractor name, address, electronic mail address and telephone number. The contractor shall provide updated information to DFAS when the POC or contact information changes.

10.4.4 DFAS/USAF/USN/USCG/PHS will provide the contractor with start/stop and change allotment requests received directly from TRICARE beneficiaries.

10.4.5 The contractor shall process these requests and submit an initial file containing information for all allotments selected in time for the first submission. The contractor shall include only new allotments, stops and changes in subsequent files.

10.4.6 The contractor shall send the file (initial and subsequent) using the appropriate transmission protocol determined by the receiving payroll center, e.g., DFAS, USAF, USN, USCG, or PHS.

10.4.7 The contractor shall submit an electronic mail notification to DFAS/USAF/USN/USCG/PHS notifying them of the file transmission.

10.5 File Layout

10.5.1 The contractor shall exchange the following files with DFAS:

Input data

Reject Report

Deduction Report

10.5.2 The contractor shall exchange the following files with USAF:

Premium Deduction File

No Match File

Deduct/No Deduct File

10.5.3 The contractor shall exchange the following files with USN:

Premium Deduction File

No Match File

Deduct/No Deduct File

10.5.4 The DFAS file layout is provided at Addendum A. The contractor will be notified of any changes to the file layout by the CO.

10.5.5 The USAF file layout is provided at Addendum B. The contractor will be notified of any changes to the file layout by the CO.

10.5.6 The contractor shall submit files using the naming convention designated by DFAS.

10.5.7 Data Transmission Schedule

10.5.7.1 The contractor or their designated subcontractor shall transmit data on the business day immediately prior to the eighth day of each month (or on the previous Thursday, should the eighth fall on a Saturday or Sunday), for allotments due on the first day of the upcoming month.

Note: The only exception to this schedule is for the month of December when the contractor shall transmit all data so it is received on the first business day of December.

10.5.7.2 The contractor shall, during months when no monthly beneficiary data exists, continue to submit a file without data in accordance with the eighth day of the month rule. The file shall consist of a header and trailer record with no data in between. The electronic mail notification shall indicate the file contains no member data.

10.5.7.3 Within 24 hours of file processing by DFAS/USAF/USN/USCG/PHS, the contractor will receive a file from the pay center identifying all “rejected” submissions and the reasons for the rejection.

10.5.7.4 The contractor shall research the rejected submissions and resubmit resolved transactions on the following month’s file.

10.5.7.5 The contractor shall also notify the beneficiary in accordance with TOM, Chapter 6, Section 1.

10.5.7.6 The contractor will receive a file of the “deduct/no deduct” file that contains the “no deduct” reasons following processing of the “compute pay cycle” by the pay center.

10.5.7.7 The contractor shall research these items and resubmit resolved items, as appropriate, on the following month’s file. The “deduct/no deduct” file is informational and shall document all payments not collected as well as unfulfilled allotment requests (e.g., insufficient pay to cover deduction).

10.5.7.8 The contractor’s banking institution will receive a Corporate Trade Exchange (CTX) “payment” file from DFAS on the first business day of the month following the submission of the files.

11.0 SPECIFIED AUTHORIZATION STAFF (SAS) REQUIREMENTS

11.1 ADP Protocols

11.1.1 The contractor shall provide the capability to edit the status and entry of a 13 digit disposition code indicating if the referral was approved for Market/MTF or civilian network treatment (see paragraph 11.2). This disposition code may be used during the claims adjudication process.

11.1.2 The contractor shall provide the logic to automatically approve the referral if the SAS determination is not received within two business days of referral entry.

11.1.3 The contractor shall provide the telecommunications, hardware, and software necessary for data entry and report printing from the SAS location.

11.1.4 The contractor shall provide initial and ongoing application training and support on an “as needed” basis.

11.1.5 The contractor shall provide a data dictionary of available data elements to be sent to the SAS automated IS.

11.1.6 The contractor shall send all care referral records to the SAS in a tab delimited data flat file. The method of transfer can be SFTP or an email attachment.

11.1.7 The contractor shall provide the SAS with read-only access to their subcontractor’s claims history database.

11.1.8 The contractor shall provide the needed training to the SAS staff in order to access the claims history database.

11.2 SAS Referral Data

11.2.1 The format of the referral number will be DMISYYJJJNNNS where:

DMIS = the DMIS ID Code of the issuing facility (5203 = SAS);

YY = the year in which the referral number was issued;

JJJ = the Julian date on which the referral number was issued;

NNN = the Facility Sequence Number;

S = Status (the type of provider)

C = Civilian Care (refer to TOM, Chapter 16, Section 2, paragraph 5.3.2 for referral requirements)

M = Military Care (Market/MTF or clinic)

V = Department of Veterans Affairs (DVA)/Veterans Health Administration (VHA) Care (DVA/VHA hospital or medical facility)

P = Care rendered under the Department of Defense/Department of Veterans Affairs (DoD/VA) Memorandum of Agreement (MOA) for “Referral of Active Duty Military Personnel Who Sustain Spinal Cord Injury, Traumatic Brain Injury, or Blindness to Veterans Affairs Medical Facilities for Health Care and Rehabilitative Services” (refer to TOM, Chapter 17, Section 2, paragraph 3.2 for referral requirements).

11.2.2 The format of the effective date is YYYYMMDD where:

YYYY = the year in which the SAS referral is effective;

MM = the month in which the SAS referral is effective; and

DD = the day on which the SAS referral is effective. A retroactive authorization is indicated by an effective date prior to the issue date.

11.2.3 The format of the expiration date is YYYYMMDD where:

YYYY = the year in which the SAS referral expires;

MM = the month in which the SAS referral expires; and

DD = the day on which the SAS referral expires.

11.3 Data Elements

11.3.1 The following data elements include, but are not limited to, the elements required by SAS for determining fitness-for-duty and for determining if care not covered under TRICARE Prime will be covered under TPR. The SAS will return the data elements furnished by the contractor when responding to a request for a fitness-for-duty or coverage/benefit determination.

11.3.2 The contractor shall include the applicable elements marked with asterisks (*) below if the contractor is asking for a coverage/benefit determination. If, for example, the contractor cannot authorize the care because it is not a covered benefit under TRICARE, the contractor will include *Not a benefit. If the contractor cannot authorize the care because the care is not medically necessary, the contractor will include **Not medically necessary.

11.3.3 The contractor shall include ***Provider not authorized if the contractor cannot authorize the care because the provider is not an authorized provider.

Data Element

Contractor To SAS

SAS To Contractor

Patient Name

X

X

Patient’s DOB

X

X

Patient’s Sex

X

X

Contact Date (for retroactive authorizations)

X

X

Service Member SSN

X

X

Service Member Branch of Service

X

X

Duty Status

X

X

PCM Location Code

X

X

DMIS-ID

X

X

Contractor’s Authorization Number

X

X

Effective Date of Authorization

X

X

*Not a Benefit

*If applicable

**Not Medically Necessary

**If applicable

***Provider Not Authorized

***If applicable

SAS Fitness-for-Duty Referral Number or Benefit Determination Number

X

Effective Date of SAS Referral

X

Expiration Date of SAS Referral

Status of Authorization (may be embedded number)

X

Number/Frequency of Services Requested for SAS Referral

X

X

Diagnosis

X

X

Procedure Code Range

X

X

Type of Service

X

X

Place of Service

X

X

Free Text (for available clinical information)

X

12.0 SAS REQUIREMENTS FOR DHA-GREAT LAKES (DHA-GL)

12.1 ADP Protocols

12.1.1 The contractor shall provide access for entry and edit of referrals into the contractor’s systems for those DHA-GL Government staff who will remotely access the contractor’s system from the DHA-GL location.

12.1.2 The contractor shall include a status code indicating that SAS review is required.

12.1.3 The contractor shall submit a standard management report which provides the number of deferred claims that SAS staff reviewed and processed during each month. For reporting requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.

12.1.4 The contractor shall provide the capability to edit the status and entry of a 16 digit disposition code indicating if the referral was approved for civilian network treatment (see paragraph 12.2). This disposition code may be used during the claims adjudication process.

12.1.5 The contractor shall provide the logic to automatically approve the referral if the SAS determination is not received within two business days of referral entry.

12.1.6 The contractor shall provide the telecommunications, hardware, and software required for data entry and report printing from the SAS location.

12.1.7 The contractor shall provide application training and support to the SAS staff who use the contractor’s referral system.

12.1.8 The contractor shall provide a data dictionary of available data elements to be sent to the SAS automated IS.

12.1.9 The contractor shall send all care referral records to the SAS in a tab delimited data flat file. The contractor shall use SFTP or a secure, password-protected email attachment to complete the transfer.

12.1.10 The contractor shall provide the SAS with read-only access to their subcontractor’s claims history database.

12.1.11 The contractor shall provide the required training to the SAS staff in order to access the claims history database.

12.2 SAS Referral Data

12.2.1 The format of the referral number shall be DMISYYJJJNNNS where:

12.2.1.1 DMIS = the DMIS ID Code of the issuing facility (5203 = SAS);

12.2.1.2 YY = the last two digits of the year in which the referral number was issued;

12.2.1.3 JJJ = the Julian date on which the referral number was issued;

12.2.1.4 NNN = the Facility Sequence Number;

12.2.1.5 S = Status (the type of provider)

C = Civilian Care (refer to TOM, Chapter 16, Section 2, paragraph 5.3.2 for referral requirements)

M = Military Care (Market/MTF or clinic)

V = DVA/VHA Care (DVA/VHA hospital or medical facility)

P = Care rendered under the DoD/VA MOA for “Referral of Active Duty Military Personnel Who Sustain Spinal Cord Injury, Traumatic Brain Injury, or Blindness to Veterans Affairs Medical Facilities for Health Care and Rehabilitative Services” (refer to TOM, Chapter 17, Section 2, paragraph 3.2 for referral requirements).

12.2.2 The format of the effective date is YYYYMMDD where:

YYYY = the year in which the SAS referral is effective;

MM = the month in which the SAS referral is effective; and

DD = the day on which the SAS referral is effective. A retroactive authorization is indicated by an effective date prior to the issue date.

12.2.3 The format of the expiration date is YYYYMMDD where:

YYYY = the year in which the SAS referral expires;

MM = the month in which the SAS referral expires; and

DD = the day on which the SAS referral expires.
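The referral number and date formats in paragraphs 11.2 and 12.2 can be checked mechanically before a referral record is accepted from the flat file. The validator below is an added example, not part of the TSM or of any contractor system; the three-column tab-delimited layout, the 2000-based century for YY, and the check that expiration does not precede the effective date are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Status (S) values listed in paragraphs 11.2.1 and 12.2.1.5.
STATUS_CODES = {"C": "Civilian Care", "M": "Military Care",
                "V": "DVA/VHA Care", "P": "DoD/VA MOA Care"}
# DMIS (4 digits) YY (2) JJJ (3) NNN (3) S (1 letter) = 13 characters.
REFERRAL_RE = re.compile(r"(\d{4})(\d{2})(\d{3})(\d{3})([A-Z])", re.ASCII)


@dataclass(frozen=True)
class Referral:
    dmis: str
    issued: date
    sequence: int
    status: str
    effective: date
    expires: date
    retroactive: bool  # effective date prior to the issue date


def parse_referral_number(number):
    """Split DMISYYJJJNNNS into (dmis, issue date, sequence, status)."""
    match = REFERRAL_RE.fullmatch(number)
    if match is None:
        raise ValueError("referral number does not match DMISYYJJJNNNS")
    dmis, yy, jjj, nnn, status = match.groups()
    if status not in STATUS_CODES:
        raise ValueError(f"unknown status code {status!r}")
    year = 2000 + int(yy)  # assumption: the manual does not state the century
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    if not 1 <= int(jjj) <= days_in_year:
        raise ValueError(f"Julian day {jjj} is out of range for {year}")
    issued = date(year, 1, 1) + timedelta(days=int(jjj) - 1)
    return dmis, issued, int(nnn), status


def parse_yyyymmdd(text):
    """Parse a strict YYYYMMDD date; impossible dates raise ValueError."""
    if re.fullmatch(r"\d{8}", text, re.ASCII) is None:
        raise ValueError(f"date {text!r} is not YYYYMMDD")
    return datetime.strptime(text, "%Y%m%d").date()


def parse_record(line):
    """Validate one line: referral number, effective date, expiration date."""
    # Hypothetical layout: the manual only says the file is tab delimited.
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 3:
        raise ValueError(f"expected 3 tab-delimited fields, got {len(fields)}")
    dmis, issued, sequence, status = parse_referral_number(fields[0])
    effective = parse_yyyymmdd(fields[1])
    expires = parse_yyyymmdd(fields[2])
    if expires < effective:  # assumption: sanity check, not stated in the manual
        raise ValueError("expiration date precedes effective date")
    return Referral(dmis, issued, sequence, status, effective, expires,
                    retroactive=effective < issued)


# Constructed sample lines (not real referrals).
SAMPLE_LINES = [
    "520324015007C\t20240110\t20240410",   # effective before issue: retroactive
    "520324366001M\t20241231\t20250131",   # day 366 is valid in leap year 2024
    "520323366001M\t20231231\t20240131",   # day 366 is invalid in 2023
    "520324015007C\t20240230\t20240415",   # 30 February does not exist
]


def validate_all(lines):
    """Return (accepted Referral objects, rejected (line, reason) pairs)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_record(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected
```

Rejected lines keep their reason string so they can be logged and researched rather than silently dropped.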

12.3 Data Elements

The contractor shall provide the following data elements, at a minimum, to the SAS for determining whether to authorize civilian care. The SAS will return the data elements furnished by the contractor when responding to a request for authorization determination.

Data Element

Contractor To SAS

SAS To Contractor

Patient Name

X

X

Patient’s DOB

X

X

Patient’s Sex

X

X

Contact Date (for retroactive authorizations)

X

X

Service Member SSN

X

X

Service Member Branch of Service

X

X

Duty Status

X

X

PCM Location Code

X

X

DMIS-ID

X

X

Contractor’s Authorization Number

X

X

Effective Date of Authorization

X

X

*Not a Benefit

*If applicable

**Not Medically Necessary

**If applicable

***Provider Not Authorized

***If applicable

SAS Fitness-for-Duty Referral Number or Benefit Determination Number

X

Effective Date of SAS Referral

X

Expiration Date of SAS Referral

Status of Authorization (may be embedded number)

X

Number/Frequency of Services Requested for SAS Referral

X

X

Diagnosis

X

X

Procedure Code Range

X

X

Type of Service

X

X

Place of Service

X

X

Free Text (for available clinical information)

X

- END -
