Data Use Agreements (DUA)

For use under the HIPAA policies of the University

What is a Data Use Agreement (DUA)

A Data Use Agreement (DUA) is a specific type of agreement that is required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reason, HIPAA Covered Entities or Hybrid Covered Entities like the University of Colorado must enter into a DUA with any institution, organization or entity to which they disclose or transmit a Limited Data Set.

What is NOT a Data Use Agreement

A Data Use Agreement is not every agreement that deals with the use of any sort of data.  If the data you are dealing with is not "HIPAA data," then this type of Data Use Agreement is not applicable.

The DUA Must

The University’s DUA template meets all of these qualifications.

It is important to note that this information is PHI under HIPAA. It is not de-identified information and is still subject to the requirements of HIPAA.


The form is submitted to the University’s Privacy Officer for review and approval.

When the approved form is returned, the research project may begin.

Copies of the signed DUA need to be kept by both parties.

Subsequent DUAs signed by subcontractors must be kept by the contracted parties.

HIPAA Contacts

Lori Hopper

HIPAA Privacy Official
  • Regulatory Compliance


Primary Phone: 303-724-0983