Data Use Agreements

A Data Use Agreement (DUA) is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations.

A Limited Data Set (LDS) is still Protected Health Information (PHI). For that reason, HIPAA Covered Entities or Hybrid Covered Entities like the University of Colorado must enter into a DUA with any institution, organization or entity to which they disclose or transmit a Limited Data Set.

The University’s DUA template meets all of the qualifications above and can be requested via the Data Sharing Request Intake. Note that a Limited Data Set is PHI under HIPAA: it is not de-identified information and is still subject to the requirements of HIPAA.

What is NOT a Data Use Agreement:


A Data Use Agreement is not every agreement that deals with the use of any sort of data. If the data you are dealing with is not "HIPAA data," then this type of Data Use Agreement is not applicable.

The DUA Must


Process


2. REDCap sends email notification to appropriate staff advising that a new DUA request has been submitted.

3. Staff review the DUA submission and contact requestor with any questions. DUA will be reviewed and negotiated in accordance with institutional compliance and legal standards.

4. Final DRAFT of the agreement is reviewed and signed off in REDCap by ORC staff.

5. ORC staff route the final version of the agreement to ORC Signing Official for review, approval and signature.

6. Copy of fully executed agreement is electronically distributed to all stakeholders by ORC.
