What is a data use agreement?
A data use agreement (DUA) is an agreement required under the HIPAA Privacy Rule (45 CFR 164.514(e)) that must be entered into before there is any use or disclosure of a limited data set (defined below) to an outside institution or party. A limited data set is still protected health information (PHI), and for that reason covered entities like Stanford must enter into a data use agreement with any recipient of a limited data set from Stanford.
At a minimum, any DUA must contain provisions that:
- Establish the permitted uses and disclosures of the limited data set;
- Identify who may use or receive the information;
- Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law;
- Require the recipient to use appropriate safeguards to prevent any use or disclosure not contemplated by the agreement;
- Require the recipient to report to the covered entity any use or disclosure not provided for by the agreement of which it becomes aware;
- Require the recipient to ensure that any agents (including any subcontractors) to whom it discloses the information agree to the same restrictions as provided in the agreement; and
- Prohibit the recipient from identifying (re-identifying) the information or contacting the individuals.
Additionally, covered entities such as Stanford must take all reasonable steps to cure a recipient's breach of the DUA. For example, if Stanford learns that data it provided to a recipient is being used in a manner not authorized under the DUA, Stanford should work with the recipient to correct this problem. If these efforts are unsuccessful, Stanford would be required to cease any further disclosures of PHI to the recipient under the DUA and report the matter to the federal Department of Health and Human Services Office for Civil Rights.
What is a limited data set?
A limited data set is a data set that is stripped of certain direct identifiers specified in the Privacy Rule. A limited data set may be disclosed to an outside party without a patient’s authorization only if the purpose of the disclosure is for research, public health, or health care operations purposes and the person or entity receiving the information signs a data use agreement (DUA) with the covered entity or its business associate.
Limited data sets may include only the following identifiers:
- Dates, such as admission, discharge, service, and date of birth (DOB)
- City, state, and zip code (not street address)
- Any other unique code or identifier that is not listed as a direct identifier.
This means that in order for a data set to be considered a limited data set, all of the following direct identifiers, as they relate to the individual or his/her relatives, employers, or household members, must be removed:
- Names
- Street addresses (other than town, city, state, and zip code)
- Telephone and fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/driver’s license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs and IP addresses
- Biometric identifiers
- Full face photographic images and any comparable images.
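The following is an added example, not part of the original Stanford page, showing one way to reduce a patient record to a limited data set in code. It uses an allow-list (only the retained identifier classes above survive) rather than a deny-list, so an unexpected column is dropped instead of leaked, and it then scans the retained values for direct identifiers that commonly hide in free-text fields (email addresses, phone numbers, SSNs, IP addresses, URLs, street addresses). The field names, regular expressions, and sample record are assumptions for illustration; map them to your own schema.

```python
from __future__ import annotations

import re
from typing import Any

# Field names are assumptions for this example; adapt them to your schema.
# Fields a limited data set may keep: dates, city/state/zip, and codes that
# are not direct identifiers. Free-text "notes" is allowed here precisely
# because it is where direct identifiers most often leak, and we scan it.
LDS_ALLOWED_FIELDS = frozenset({
    "admission_date", "discharge_date", "service_date", "date_of_birth",
    "city", "state", "zip", "study_id", "diagnosis_code", "age", "notes",
})

# Patterns for direct identifiers that leak into free-text or mislabelled columns.
LEAK_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "street_address": re.compile(
        r"\b\d+\s+[A-Za-z0-9.' ]+?\s(?:st|street|ave|avenue|rd|road|blvd|dr|drive|ln|lane|way)\b\.?",
        re.IGNORECASE,
    ),
}


def scan_value(value: Any) -> list[str]:
    """Return the names of any direct-identifier patterns found inside a value."""
    text = str(value)
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(text)]


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Strip a patient record down to a limited data set.

    Allow-list semantics: a field survives only if it is explicitly permitted,
    so columns such as name, ssn, mrn or an unanticipated "fax2" are dropped.
    Raises ValueError if a retained value still carries a direct identifier,
    because the result would then not qualify as a limited data set.
    """
    lds = {k: v for k, v in record.items() if k in LDS_ALLOWED_FIELDS}
    problems = {k: hits for k, v in lds.items() if (hits := scan_value(v))}
    if problems:
        raise ValueError(f"direct identifiers present in retained fields: {problems}")
    return lds


# Constructed sample record (fictional data, not a real patient).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "street_address": "123 Main St",
    "city": "Palo Alto",
    "state": "CA",
    "zip": "94301",
    "date_of_birth": "1980-02-14",
    "admission_date": "2024-03-01",
    "email": "jane@example.com",
    "study_id": "S-0042",
    "notes": "Patient tolerated procedure well.",
}

if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE_RECORD))
    leaky = dict(SAMPLE_RECORD, notes="Call spouse at 650-555-0199, lives at 123 Main St")
    try:
        to_limited_data_set(leaky)
    except ValueError as exc:
        print("rejected:", exc)
```

The pattern scan is a guardrail, not a guarantee: names, which are also direct identifiers, have no reliable regular expression, so free-text columns still need human review or a dedicated de-identification tool before release under a DUA.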
How are limited data sets created?
A covered entity (such as Stanford) may use a member of its own workforce to create the limited data set. Alternatively, the recipient may create the limited data set, so long as the person or entity doing so is acting as a business associate of the covered entity.
When do I need to obtain a DUA?
A DUA must be entered into before there is any use or disclosure of a limited data set to an outside institution or party.
If the intended recipient of a limited data set is also creating the limited data set as my business associate, do I need both a data use agreement and business associate agreement?
Yes, you will need both a data use agreement (DUA) and business associate agreement (BAA) because the covered entity (Stanford) is providing the recipient with PHI that includes direct identifiers. For that reason, a BAA would be required to disclose the direct identifiers to the recipient. Once the limited data set is created under the BAA, all of the PHI, other than the PHI qualifying as the limited data set under the DUA, must be returned to Stanford.
Do I have to account for disclosures when I'm using a limited data set?
No, disclosures of "limited data sets" are not subject to the HIPAA accounting of disclosures requirements. DHHS has taken the position that the privacy of individuals with respect to PHI disclosed in a "limited data set" can be adequately protected through a single DUA.
Where do I obtain a DUA?
When Stanford is the provider of a limited data set, Stanford requires that a DUA must be signed to ensure that the appropriate provisions are in place to protect the limited data set. Here are the contacts for different types of research:
- If your research involves collaboration with or funding from industry, or you need research materials from labs outside Stanford, the Industrial Contracts Office (ICO) can assist you with drafting the appropriate collaboration agreement and data use/data sharing agreement with outside industry partners.
- If your research involves a limited data set with an outside party but, by the nature of the collaboration, it will not involve ICO, OSR or RMG, please contact the University Privacy Office and/or the Office of General Counsel (OGC) and we will assist you with ensuring that an appropriate DUA is put in place.
- If a Stanford researcher is the recipient of a limited data set from a non-Stanford source, the Stanford researcher will most likely be asked to sign the other party's DUA, but should consult with the University Privacy Office to determine whether it complies in material terms with Stanford's DUA.