HIPAA Privacy Program

Who is responsible for obtaining a Data Use Agreement (DUA)?

UA must enter into a Data Use Agreement (DUA) whenever it is transmitting or receiving a Limited Data Set, a type of Protected Health Information (PHI), for research, public health activities or health care operations. 

UA Contract Offices and Principal Investigators (PIs)/Business Owners are responsible for:

1. Determining if a Limited Data Set is involved for a specific purpose (research, public health activities, health care operations), and if so;

2. Determining whether:

(a) UA is TRANSMITTING/DISCLOSING a Limited Data Set to a third party (company, sponsor, institution). 

(b) UA is RECEIVING a Limited Data Set from a third party (company, sponsor, institution). 

3. Submitting a request to the Contracting Services email address contracting@email.arizona.edu when a Data Use Agreement is needed.

What is a Data Use Agreement?

A Data Use Agreement (DUA) is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before any use or disclosure of a Limited Data Set (defined below) drawn from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations.  A Limited Data Set is still Protected Health Information (PHI); for that reason, HIPAA Covered Entities and Hybrid Covered Entities like The University of Arizona (UA) must enter into a DUA with any institution, organization or entity to which UA discloses or transmits a Limited Data Set. 

At a minimum, any DUA must contain provisions that address the following:

1.    Establish the permitted uses and disclosures of the Limited Data Set, narrowly describing the use or disclosure and the parameters of the specific purpose (research, public health or health care operations);

2.    Identify who may use or receive the information;

3.    Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law;

4.    Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure not contemplated by the agreement;

5.    Require the recipient to report to UA any use or disclosure not provided for by the agreement of which it becomes aware;

6.    Require the recipient to ensure that any agents (including any subcontractors) to whom it discloses the information agree to the same restrictions as provided in the agreement; and

7.    Prohibit the recipient from identifying the information or contacting the individuals.

Additionally, Covered Entities, or Hybrid Covered Entities like UA, must take reasonable steps to cure a recipient's breach of the DUA.  For example, if UA learns that data it provided to a recipient is being used in a manner not authorized under the DUA, the workforce member who discovers this should notify the UA Privacy Officer, and UA will work with the recipient to correct the problem.  If these efforts are unsuccessful, UA would be required to cease any further disclosures of PHI to the recipient under the DUA and report the matter to the federal Department of Health and Human Services Office for Civil Rights.

What is a Limited Data Set?

A Limited Data Set is a data set that is stripped of certain direct identifiers specified in the HIPAA Privacy Rule.  A Limited Data Set may be disclosed to an outside party without a patient’s authorization only if the purpose of the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a data use agreement (DUA) with the covered entity or its business associate.

Limited data sets may include only the following identifiers:

  • Dates, such as admission, discharge, service, and date of birth (DOB)
  • City, state, and zip code (not street address)
  • Age
  • Any other unique code or identifier that is not listed as a direct identifier.

This means that in order for a data set to be a Limited Data Set, all of the following direct identifiers as they relate to the individual or his/her relatives, employers, or household members must be removed:

  • Names
  • Street addresses (other than town, city, state, and zip code)
  • Telephone and fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/driver’s license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs and IP addresses
  • Biometric identifiers
  • Full face photographic images and any comparable images.

NOTE: a Limited Data Set is still Protected Health Information (PHI) under HIPAA.  It is not De-Identified Data, as that term is defined under HIPAA, and thus must be safeguarded and protected as required under the Privacy Rule.  For more information about the difference between Fully Identifiable Data, a Limited Data Set and a De-Identified Data Set, see the HIPAA Data Reference Guide.
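The column strip and free-text scan below is an added example written for this page; it is not a tool from the UA HIPAA Privacy Program, and the field names, regular expressions and sample record are constructed assumptions. It drops the direct-identifier columns listed above and then checks that none of the remaining free-text fields still contains a value that looks like one of them, which is the gap a column-only approach leaves open (a phone number typed into a clinical note). A clean result is evidence for the reviewer, not a determination that the data set is a Limited Data Set.

```python
"""Build a Limited Data Set from an identifiable record and check it.

Added example, not part of the UA page. Column names, patterns and the
sample record are assumptions made for illustration.
"""
import re

# Columns holding the direct identifiers that must be removed for a
# Limited Data Set (HIPAA Privacy Rule, 45 CFR 164.514(e)(2)). The same
# identifiers about relatives, employers or household members must go
# too; map those columns here as well in a real schema (assumed names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "next_of_kin_name", "employer_name",
    "street_address", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "face_photo",
}

# Patterns that catch direct identifiers embedded in free text. These are
# deliberately simple; extend them for your own data before relying on them.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def make_limited_data_set(record):
    """Drop every direct-identifier column; keep dates, city/state/zip,
    age and other non-listed codes, which a Limited Data Set may retain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def find_leaked_identifiers(record):
    """Return (field, pattern_name) pairs for free-text values that still
    match a direct-identifier pattern. An empty list means these patterns
    found nothing, which is not the same as a compliance determination."""
    leaks = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pattern in LEAK_PATTERNS.items():
            if pattern.search(value):
                leaks.append((field, name))
    return leaks


def is_limited_data_set(record):
    """True if stripping the listed columns leaves no detected leak."""
    return not find_leaked_identifiers(make_limited_data_set(record))


def prepare_for_dua_disclosure(record):
    """Return the Limited Data Set, or refuse if a direct identifier remains."""
    lds = make_limited_data_set(record)
    leaks = find_leaked_identifiers(lds)
    if leaks:
        raise ValueError("direct identifiers remain in free text: %r" % leaks)
    return lds


# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "mrn": "MRN-0048213",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street_address": "1234 E Example Rd",
    "city": "Tucson",
    "state": "AZ",
    "zip": "85721",
    "date_of_birth": "1961-04-02",
    "admission_date": "2023-01-15",
    "discharge_date": "2023-01-19",
    "age": 61,
    "study_id": "STUDY-00917",  # unique code not on the direct-identifier list
    # A phone number typed into the note survives the column drop.
    "clinical_note": "Pt discharged home. Follow-up call to 520-555-0199 arranged.",
}

if __name__ == "__main__":
    lds = make_limited_data_set(SAMPLE_RECORD)
    print("columns kept:", sorted(lds))
    print("leaks found:", find_leaked_identifiers(lds))
```

Running the module shows the column drop keeping city, state, zip, the dates, age and the study code, and the scan flagging the clinical note for the embedded phone number, so `prepare_for_dua_disclosure` refuses the record until the note is cleaned.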

How are Limited Data Sets created?

A HIPAA Covered Entity, or a Hybrid Covered Entity like UA, may use a member of its own workforce to create the "Limited Data Set."  Alternatively, the recipient may create the "Limited Data Set," so long as the recipient is acting as a Business Associate or Subcontractor (pursuant to a Business Associate Agreement) of the Covered Entity or Hybrid Covered Entity.  

Where do I obtain a DUA?

1.    When UA is disclosing or transmitting a Limited Data Set to another institution, organization or entity, UA requires that a DUA be signed to ensure that the appropriate provisions are in place to protect the Limited Data Set as required under the HIPAA Privacy Rule.  Contracting Services maintains a template DUA.  When UA is disclosing or transmitting a Limited Data Set, if any material change is made to the UA template form, or if another party’s version of a Data Use Agreement is going to be used, Contracting Services must review and sign off on the terms of the agreement.  Email contracting@email.arizona.edu to request a DUA.

2.    If a UA researcher is the recipient of a Limited Data Set from a non-UA source, the UA researcher will most likely be asked to sign the other party's DUA.  In such instance, the UA researcher should consult with Contracting Services who will work to determine if it complies in material terms with UA’s DUA template. Email contracting@email.arizona.edu to request a DUA.


If the intended recipient of a limited data set is also creating the limited data set as my business associate, do I need both a Data Use Agreement and Business Associate Agreement?

Yes, you will need both a Data Use Agreement (DUA) and Business Associate Agreement (BAA) because the Covered Entity or Hybrid Covered Entity (UA) is providing the recipient with PHI that includes direct identifiers.  For that reason, a BAA would be required to disclose the direct identifiers to the recipient.  Once the Limited Data Set is created under the BAA, all of the PHI, other than the PHI qualifying as the limited data set under the DUA, must be returned to UA.   

Who is responsible for ensuring that BAAs are in place?

UA’s Contract Offices and Business Owners are responsible for:

  1. Determining if PHI is being shared with another entity, and if so;
  2. Determining whether:
     (a) UA is sharing its PHI (or the PHI UA holds on behalf of another Covered Entity in its capacity as a Business Associate) with a third party (company, sponsor, institution) and the third party is the Business Associate; or
     (b) The third party (company, sponsor, institution) is sharing its PHI and UA is the Business Associate; and
  3. Submitting the Business Associate Intake Form to the UA HIPAA Privacy Office when a Business Associate Agreement is needed.

Who is a Business Associate?

A Business Associate is a person or entity that is not a member of the Covered Entity's workforce and that, on behalf of a HIPAA Covered Entity or a Hybrid Covered Entity like UA, performs or assists in performing a function or activity, or provides services, involving the use or disclosure of individually identifiable health information.  

Some Business Associate functions or activities that may be performed on behalf of a Covered Entity/Hybrid Covered Entity include:

    • data processing
    • data analysis
    • utilization review
    • billing
    • cloud storage vendor services
    • transcription services
    • legal services
    • data aggregation
    • administrative functions
    • financial services
    • management services
    • consulting services
    • accounting services
    • actuarial services
    • accreditation services 

An individual or organization is only considered a Business Associate if they perform a function or service on behalf of the Covered Entity/Hybrid Covered Entity (such as UA) and handle, or are expected to handle, Protected Health Information (PHI) as part of the job function or service they perform or provide on behalf of the Covered Entity/Hybrid Covered Entity.

In some cases, UA may serve as a Business Associate of another Covered Entity if UA is performing services, functions or activities on behalf of the other Covered Entity and handling PHI as part of the services performed.  When UA is acting in its capacity as a Business Associate and will disclose any of the Covered Entity’s PHI to a third party (a Subcontractor) to perform any of its services, UA is required to enter into a Business Associate Agreement with any downstream Subcontractor that will have access to the Covered Entity’s PHI.