A Data Use Agreement (DUA) is a specific type of agreement that is required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of the three purposes: (1) research, (2) public health, or (3) health care operations purposes. A Limited Data Set is still Protected Health Information (PHI), and for that reason, HIPAA Covered Entities or Hybrid Covered Entities like The University of Arizona (UA) must enter into a DUA with any institution, organization or entity to whom UA discloses or transmits a Limited Data Set.
At a minimum, any DUA must contain provisions that address the following:
1. Establish the permitted uses and disclosures of the Limited Data Set--narrowly describes the use/disclosure and outlines parameters of specific purpose (research, public health or health care operations).
2. Identify who may use or receive the information;
3. Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law;
4. Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure not contemplated by the agreement;
5. Require the recipient to report to UA any use or disclosure to which it becomes aware;
6. Require the recipients to ensure that any agents (including any subcontractors) to whom it discloses the information will agree to the same restrictions as provided in the agreement; and
7. Prohibit the recipient from identifying the information or contacting the individuals.
Additionally, Covered Entities, or Hybrid Covered Entities like UA, must take all reasonable steps to cure a recipient's breach of the DUA. For example, if UA learns that data it provided to a recipient is being used in a manner not authorized under the DUA, then notify the UA Privacy Officer and UA will work with the recipient to correct this problem. If these efforts are unsuccessful, UA would be required to cease any further disclosures of PHI to the recipient under the DUA and report the matter to the federal Department of Health and Human Services Office for Civil Rights.