Skip to site content

Security Agreements

Before the Indian Health Service (IHS) and an external party share data, with or without a direct and persistent connection to IHS systems, both parties must sign either a Data Exchange Agreement (DEA) or an Interconnection Security Agreement (ISA). Agreements between IHS and an external party, which may be a Tribal or Urban entity, a corporation, another agency, or other person or organization, may include only one IHS Area or may include multiple Areas.

Interconnection Security Agreements

This agreement defines procedures of reciprocal cooperation and coordination between IHS and a non-IHS entity. “All Tribal IT or Urban IT systems that will be connected to the IHS network, regardless of the nature of the connection, require… an ISA to be submitted and approved prior to activation of the connection." Indian Health Manual, Part 8 Chapter 15.

ISAs are implemented at the multi-Area, Area, or facility level. Partners conducting business with a single Area or facility should have an agreement with the local Area and/or facility. Partners with multi-Area contracts, or separate contracts operating within multiple IHS areas, should have a multi-Area agreement with the IHS Office of Information Technology.

Federal regulations require this type of agreement if the business entity has direct access to IHS information resources (e.g., ability to log in to the IHS network directly, or through a VPN connection).

Data Exchange Agreement

This agreement is used when sharing or exchanging sensitive IHS information and/or data (e.g., financial, protected health information, or other IHS records) without connecting to the IHS network. For more information, please contact the Security Agreements Team.