By UpCounsel Corporate Attorney Valerie Uribe

Data Use Agreements (“DUA”) are required under the HIPAA. DUAs are contractual agreements used for the transfer of non-public data that is subject to restrictions of use. DUA agreements outline the terms and conditions of the transfer and must be entered into before there is any use or disclosure of such data to an outside party.

HIPAA establishes conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. Research is defined as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” (See 45 CFR 164.501) Where research is concerned, HIPAA protects the privacy of an individual’s identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.

At a minimum, DUAs should include the following key provisions:

A. Define the limited data set and address limitations on use of data:

  • A limited data set is a data set that is stripped of certain direct identifiers specified by HIPAA.
  • Be as specific and detailed as possible by establishing the parameters of use and by narrowly describing the uses or disclosures for a specific purpose (i.e. research, public health, or health care operations).

B. Identify who may use or receive the information:

  • For example, in matters of scientific research, identify if the data is to be used only by the Principal Investigator (PI) or if permissions are extended to the PI’s research team.
  • Additionally, prohibit the recipient from using or further disclosing the information, except as permitted and/or otherwise authorized by law.
  • If the recipient is allowed to share data with subcontractors of their project, be sure to include a clause that requires the subcontractors to agree to the same restrictions provided in the agreement.

C. Obligations to safeguard data and privacy rights associated with transfers of confidential or protected data:

  • Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure.
  • If data is derived from human subjects, you must obtain informed consent from the subjects or via a relevant Institutional Review Board waiver of consent that permits disclosure for the contemplated DUA.
  • Check to see whether the data is HIPPA protected (i.e. if the data is de-identified within the meaning of HIPPA and not disclosed with a code or any other means used to identify the data). In order to be de-identified, there must be zero knowledge that any information could be used either alone or in conjunction with any other information to identify an individual. Data that could used to identify an individual includes, but is not limited to: name, date of birth, address, telephone numbers, email addresses, social security numbers, medical record numbers, URL links and IP addresses.

D. Liability for harm arising from the use of the data:

  • Require the recipient to report any use, disclosure, or data breach as soon as the recipient becomes aware of it.

The Takeaway

Every data transfer is specific to the data being transferred. Be sure to consult an attorney to address your specific needs in order to minimize risk and liability.

Subscribe to the UpCounsel Blog

About the author

Valerie Uribe

Valerie Uribe

Valerie has been reviewing transactional documents and contracts for 10 years. For 6 years, she drafted various estate planning documents. For the past 4 years, she has drafted and negotiated contracts between UCSF and various non-profit sponsors such as: Grant Agreements, Memorandums of Understanding, Confidentiality Agreements, and Data Use Agreements. Additionally, she collaborates with various offices at UCSF such as, risk management, technology transfer, and licensing in order to minimize the risk to UCSF in the areas of intellectual property and indemnification.

Valerie enjoys zealously representing her clients while still collaborating in her negotiations for maximum results.

View all posts Request a Proposal

Post a Job on
UpCounsel and get
high quality legal work done

Post a Job on UpCounsel
Shares