Data Use Agreement

Who is responsible for obtaining a Data Use Agreement (DUA)?

UA must enter into a Data Use Agreement (DUA) whenever it is transmitting or receiving a Limited Data Set, a type of Protected Health Information (PHI), for research, public health activities or health care operations. 

UA Contract Offices and Principal Investigators (PIs)/Business Owners are responsible for:

1. Determining if a Limited Data Set is involved for a specific purpose (research, public health activities, health care operations), and if so;

What is a Data Use Agreement?

A Data Use Agreement (DUA) is a specific type of agreement that is required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reaso

What is a Limited Data Set?

A Limited Data Set is a data set that is stripped of certain direct identifiers specified in the HIPAA Privacy Rule. A Limited Data Set may be disclosed to an outside party without a patient's authorization only if the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a Data Use Agreement (DUA) with the covered entity or its business associate.

How are Limited Data Sets created?

A HIPAA Covered Entity, or a Hybrid Covered Entity like UA, may use a member of its own workforce to create the "Limited Data Set."  Alternatively, the recipient may create the "Limited Data Set," so long as the recipient is acting as a Business Associate or Subcontractor (pursuant to a Business Associate Agreement) of the Covered Entity or Hybrid Covered Entity.  

Where do I obtain a DUA?

1. When UA is disclosing or transmitting a Limited Data Set to another institution, organization or entity, UA requires that a DUA be signed to ensure that the appropriate provisions are in place to protect the Limited Data Set as required under the HIPAA Privacy Rule. Contracting Services maintains a template DUA. When UA is disclosing or transmitting a Limited Da

If the intended recipient of a limited data set is also creating the limited data set as my business associate, do I need both a Data Use Agreement and Business Associate Agreement?

Yes, you will need both a Data Use Agreement (DUA) and Business Associate Agreement (BAA) because the Covered Entity or Hybrid Covered Entity (UA) is providing the recipient with PHI that includes direct identifiers.  For that reason, a BAA would be required to disclose the direct identifiers to the recipient.