Data Use Agreements


What is a Data Use Agreement (DUA)?

A Data Use Agreement (DUA) is a specific type of agreement required under the HIPAA Privacy Rule. It must be entered into before any use or disclosure of a Limited Data Set (defined below) from a medical record to an outside institution or party for one of three purposes: (1) research, (2) public health, or (3) health care operations. A Limited Data Set is still Protected Health Information (PHI), and for that reason HIPAA Covered Entities or Hybrid Covered Entities like The University of Florida must enter into a DUA with any institution, organization, or entity to whom UF discloses or transmits a Limited Data Set.

A data use agreement provides that the recipient will:

  • not use or disclose the information other than as permitted by the DUA or as otherwise required by law,
  • use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the DUA,
  • report to the covered entity any uses or disclosures of the information in violation of the DUA of which it becomes aware,
  • ensure that any agents to whom it provides the limited data set (LDS) agree to the same restrictions and conditions that apply to the LDS recipient with respect to such information, and
  • not re-identify the information or contact the individual.

What is a limited data set?

A limited data set is a data set that is stripped of certain direct identifiers specified in the Privacy Rule. A limited data set may be disclosed to an outside party without a patient’s authorization only if the purpose of the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a data use agreement (DUA) with the covered entity or its business associate.

Limited data sets may include only the following identifiers:

  • Dates such as date of birth, admission, discharge, or service
  • City, state, and/or zip code (with street address removed)
  • Age
  • Any other unique code or identifier that is not listed as a direct identifier.

This means that in order for a data set to be considered a limited data set, all of the following direct identifiers as they relate to the individual or his/her relatives, employers, or household members must be removed:

  • Names
  • Street addresses (other than town, city, state, and zip code)
  • Telephone and fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/driver’s license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • URLs and IP addresses
  • Biometric identifiers
  • Full face photographic images and any comparable images.
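The two lists above are, in practice, a filter that the covered entity must apply before any record leaves for a DUA recipient. The following is an added example (not part of this page or of any UF system) of how such a filter can be checked in code: it keeps only the fields a hypothetical DUA allows, refuses to let any direct identifier through even if the allowlist names it, reports unlisted fields so the allowlist can be reviewed, and scans retained free-text values for identifiers that commonly survive field-level removal (emails, SSNs, phone numbers, IP addresses, URLs). Field names and the sample record are assumptions constructed for the example.

```python
import re

# Direct identifiers the Privacy Rule requires removed (field names are
# assumptions for this constructed record layout).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Patterns that reveal a direct identifier left inside a free-text value.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
}

def to_limited_data_set(record, allowed_fields):
    """Keep only DUA-allowed fields and return (lds, findings), where findings
    are (field, reason) pairs describing what was dropped or flagged."""
    findings = [(f, "direct identifier cannot be in a limited data set")
                for f in sorted(allowed_fields & DIRECT_IDENTIFIERS)]
    keep = allowed_fields - DIRECT_IDENTIFIERS
    lds = {}
    for field, value in record.items():
        if field not in keep:
            # Direct identifiers are dropped silently; anything else unlisted
            # is dropped but reported so the allowlist can be reviewed.
            if field not in DIRECT_IDENTIFIERS:
                findings.append((field, "not in allowlist, dropped"))
            continue
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, f"residual {label} in free text"))
        lds[field] = value
    return lds, findings

# Constructed sample record and DUA allowlist (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "000123", "street_address": "123 Main St",
    "dob": "1970-01-01", "admission_date": "2023-05-02", "city": "Gainesville",
    "state": "FL", "zip": "32611", "age": 53, "study_id": "S-0042",
    "notes": "Follow-up call to 352-555-0100 scheduled", "payer": "ACME Health",
}
SAMPLE_ALLOWLIST = {"dob", "admission_date", "city", "state", "zip", "age",
                    "study_id", "notes", "email"}
```

Any non-empty findings list means the export should be held for review rather than sent; the residual scan is a heuristic, so free-text fields in a real release still need a human or a dedicated de-identification tool.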