What is a Data Use Agreement (DUA)?
A Data Use Agreement (DUA) is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reason HIPAA Covered Entities or Hybrid Covered Entities, such as the University of Colorado, must enter into a DUA with any institution, organization or entity to which they disclose or transmit a Limited Data Set.
What is NOT a Data Use Agreement?
A Data Use Agreement is not every agreement that deals with the use of data of any kind. If the data you are dealing with is not "HIPAA data" (that is, PHI subject to the HIPAA Privacy Rule), then this type of Data Use Agreement does not apply.
The DUA must:
1. Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and not include any use or disclosure that would violate the Rule if done by the covered entity;
2. Limit who can use or receive the data; and
3. Require the recipient to agree to the following:
a. Not use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
b. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for in the data use agreement;
c. Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware;
d. Ensure that any agents, including subcontractors, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
e. Not identify the information or contact the individuals.
The University’s DUA template meets all of these qualifications.
It is important to note that this information is PHI under HIPAA. It is not de-identified information and is still subject to the requirements of HIPAA.
See also the DUA flow chart.