Data Use Agreements (DUA)

For use under the University's HIPAA policies

What is a Data Use Agreement?


A Data Use Agreement is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before there is any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reason, HIPAA Covered Entities or Hybrid Covered Entities like the University of Colorado must enter into a DUA with any institution, organization or entity to which they disclose or transmit a Limited Data Set.

What is NOT a Data Use Agreement:


A Data Use Agreement is not every agreement that deals with the use of any sort of data. If the data you are dealing with is not "HIPAA data," then this type of Data Use Agreement is not applicable.

The DUA Must


The University’s DUA template meets all of these qualifications.

It is important to note that this information is PHI under HIPAA. It is not de-identified information and is still subject to the requirements of HIPAA.

Process


2. REDCap sends email notification to appropriate staff advising that a new DUA request has been submitted.

3. Staff review the DUA submission and contact requestor with any questions. DUA will be reviewed and negotiated in accordance with institutional compliance and legal standards.

4. Final DRAFT of the agreement is reviewed and signed off in REDCap by ORC staff.

5. ORC staff route the final version of the agreement to ORC Signing Official for review, approval and signature.

6. Copy of fully executed agreement is electronically distributed to all stakeholders by ORC.

HIPAA Contacts

