For use under the University's HIPAA policies
Data Use Agreement is a specific type of agreement required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of the three purposes: (1) research, (2) public health, or (3) health care operations purposes. A Limited Data Set is still Protected Health Information (PHI), and for that reason, HIPAA Covered Entities or Hybrid Covered Entities like University of Colorado must enter into a DUA with any institution, organization or entity to whom it discloses or transmits a Limited Data Set.
The University’s DUA template meets all of these qualifications.
It is important to note that this information is PHI under HIPAA. It is not de-identified information and is still subject to the requirements of HIPAA.