Data Use Agreements (DUA)

For use under the University's HIPAA policies

What is a Data Use Agreement?

A Data Use Agreement is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before there is any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reason, HIPAA Covered Entities or Hybrid Covered Entities like the University of Colorado must enter into a DUA with any institution, organization or entity to whom they disclose or transmit a Limited Data Set.

What is NOT a Data Use Agreement:

A Data Use Agreement is not every agreement that deals with the use of any sort of data. If the data you are dealing with is not "HIPAA data," then this type of Data Use Agreement is not applicable.

The DUA Must

The University’s DUA template meets all of these qualifications.

It is important to note that this information is PHI under HIPAA. It is not de-identified information and is still subject to the requirements of HIPAA.



REDCap sends email notification to appropriate staff advising that a new DUA request has been submitted


Staff review the DUA submission and contact the requestor with any questions. The DUA will be reviewed and negotiated in accordance with institutional compliance and legal standards.


Final DRAFT of the agreement is reviewed and signed off in REDCap by ORC staff


ORC staff route the final version of the agreement to ORC Signing Official for review, approval and signature


Copy of fully executed agreement is electronically distributed to all stakeholders by ORC

HIPAA Contacts

Lori Hopper

HIPAA Privacy Official
  • Regulatory Compliance


Primary Phone: 303-724-0983
