Yes, you will need both a Data Use Agreement (DUA) and a Business Associate Agreement (BAA) because the Covered Entity or Hybrid Covered Entity (UA) is providing the recipient with PHI that includes direct identifiers. For that reason, a BAA would be required to disclose the direct identifiers to the recipient. Once the Limited Data Set is created under the BAA, all of the PHI, other than the PHI qualifying as the Limited Data Set under the DUA, must be returned to UA.