Data Use Agreements
What is a Data Use Agreement (DUA)?
A Data Use Agreement (DUA) is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reason HIPAA Covered Entities or Hybrid Covered Entities such as The University of Florida must enter into a DUA with any institution, organization, or entity to whom UF discloses or transmits a Limited Data Set.
A data use agreement provides that the recipient will:
- not use or disclose the information other than as permitted by the DUA or as otherwise required by law,
- use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the DUA,
- report to the covered entity any use or disclosure in violation of the DUA of which it becomes aware,
- ensure that any agents to whom it provides the LDS agree to the same restrictions and conditions that apply to the LDS recipient, with respect to such information, and
- not re-identify the information or contact the individual.
What is a limited data set?
A limited data set is a data set that is stripped of certain direct identifiers specified in the Privacy Rule. A limited data set may be disclosed to an outside party without a patient’s authorization only if the purpose of the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a data use agreement (DUA) with the covered entity or its business associate.
Limited data sets may include only the following identifiers:
- Dates such as date of birth, admission, discharge, or service
- City, state, and/or zip code (with street address removed)
- Age
- Any other unique code or identifier that is not listed as a direct identifier.
This means that in order for a data set to be considered a limited data set, all of the following direct identifiers as they relate to the individual or his/her relatives, employers, or household members must be removed:
- Names
- Street addresses (other than town, city, state, and zip code)
- Telephone and fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/driver’s license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs and IP addresses
- Biometric identifiers
- Full face photographic images and any comparable images.
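A field-level check of the two lists above, as an added example that is not UF's own code or tooling: it assumes a hypothetical record schema with the field names shown, matches field-name tokens against the direct-identifier list, keeps only the permitted identifiers (dates, city/state/zip, age, an indirect study code), and also scans values for emails, phone numbers, SSNs, IP addresses and URLs that would leak a direct identifier inside an otherwise permitted field.

```python
import re
# Direct-identifier words from the list above, matched against tokens of a
# field name (assumes names like "patient_name"; false positives are safe).
DIRECT_ID_WORDS = {
    "name", "street", "address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary", "account", "license", "certificate", "vin", "plate",
    "device", "serial", "url", "ip", "biometric", "fingerprint", "photo",
    "image"}
# Fields an LDS may keep (hypothetical schema assumed by this example).
ALLOWED_FIELDS = {"dob", "admit_date", "discharge_date", "service_date",
                  "city", "state", "zip", "age", "study_code"}
# Values that leak a direct identifier even inside an allowed field.
VALUE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.I)}

def _tokens(field):
    # "ip_address" -> {"ip", "address"}; "zip" stays "zip", never "ip"
    return set(re.split(r"[^a-z0-9]+", field.lower())) - {""}

def check_limited_data_set(record):
    """Return (field, reason) for each field that disqualifies the record
    as a limited data set; an empty list means it qualifies."""
    violations = []
    for field, value in record.items():
        if _tokens(field) & DIRECT_ID_WORDS:
            violations.append((field, "direct identifier field"))
            continue
        leak = next((label for label, pat in VALUE_PATTERNS.items()
                     if isinstance(value, str) and pat.search(value)), None)
        if leak:
            violations.append((field, f"value contains {leak}"))
        elif field.lower() not in ALLOWED_FIELDS:
            violations.append((field, "field not in allow-list"))
    return violations

def to_limited_data_set(record):
    """Drop every violating field so only permitted identifiers remain."""
    bad = {field for field, _ in check_limited_data_set(record)}
    return {k: v for k, v in record.items() if k not in bad}

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "patient_name": "Jane Doe", "mrn": "000123", "dob": "1980-04-12",
    "admit_date": "2023-01-03", "city": "Gainesville", "state": "FL",
    "zip": "32611", "age": 43, "study_code": "S-42",
    "notes": "contact jane@example.com"}
```

Run `check_limited_data_set` on an extract before it leaves the covered entity; the allow-list means an unexpected new column fails closed rather than slipping through.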