Data Use Agreements (“DUA”) are required under HIPAA. DUAs are contractual agreements used for the transfer of non-public data that is subject to restrictions on use. A DUA sets out the terms and conditions of the transfer and must be entered into before any such data is used by, or disclosed to, an outside party.
At a minimum, DUAs should include the following key provisions:
A. Define the limited data set and address limitations on use of data:
- A limited data set is a data set that is stripped of certain direct identifiers specified by HIPAA.
- Be as specific and detailed as possible by establishing the parameters of use and by narrowly describing the uses or disclosures for a specific purpose (i.e. research, public health, or health care operations).
B. Identify who may use or receive the information:
- For example, in matters of scientific research, identify if the data is to be used only by the Principal Investigator (PI) or if permissions are extended to the PI’s research team.
- Additionally, prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or otherwise authorized by law.
- If the recipient is allowed to share data with subcontractors on the project, include a clause requiring the subcontractors to agree to the same restrictions set out in the agreement.
C. Obligations to safeguard data and privacy rights associated with transfers of confidential or protected data:
- Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure.
- If the data is derived from human subjects, you must obtain informed consent from the subjects, or a waiver of consent from the relevant Institutional Review Board that permits disclosure under the contemplated DUA.
- Check whether the data is HIPAA protected (i.e. whether it is de-identified within the meaning of HIPAA and is not disclosed with a code or any other means that could be used to re-identify it). For data to be de-identified, the data holder must have no knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual. Data that could be used to identify an individual includes, but is not limited to: name, date of birth, address, telephone numbers, email addresses, social security numbers, medical record numbers, URLs and IP addresses.
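The de-identification check above can be partly automated before a data set leaves the institution. The following Python script is an added example, not part of the original page or any DUA template: it screens a CSV extract for the identifier types the page lists, both by column name and by value patterns that tend to hide in free-text fields. The column-name sets, the regular expressions and the sample rows are all constructed assumptions for illustration; a clean result from this screen is a prerequisite for release, not a substitute for the expert or Safe Harbor determination the DUA requires.

```python
"""Screen a limited data set (CSV) for direct identifiers before release under a DUA."""
import csv
import io
import re

# Column-name heuristics for the identifier types named on the page.
# These name sets are an assumption; adapt them to your own data dictionary.
IDENTIFIER_COLUMNS = {
    "name": {"name", "first_name", "last_name", "patient_name"},
    "date_of_birth": {"dob", "date_of_birth", "birth_date"},
    "address": {"address", "street", "street_address"},
    "telephone": {"phone", "telephone", "phone_number"},
    "email": {"email", "email_address"},
    "ssn": {"ssn", "social_security_number"},
    "mrn": {"mrn", "medical_record_number"},
    "url": {"url", "website"},
    "ip_address": {"ip", "ip_address"},
}

# Value patterns for identifiers that often leak through free-text columns
# such as clinical notes. Assumed formats (US-style SSN and phone numbers).
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "telephone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def screen_limited_data_set(csv_text):
    """Return a list of findings; an empty list means no identifier was detected."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []

    # Pass 1: columns whose name announces an identifier.
    for column in reader.fieldnames or []:
        normalized = column.strip().lower()
        for category, names in IDENTIFIER_COLUMNS.items():
            if normalized in names:
                findings.append({"category": category, "column": column,
                                 "row": None, "reason": "column name"})

    # Pass 2: identifier-shaped values inside any column (row 1 is the header).
    for row_number, row in enumerate(reader, start=2):
        for column, value in row.items():
            if not value:
                continue
            for category, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append({"category": category, "column": column,
                                     "row": row_number, "reason": "value pattern"})
    return findings


def release_allowed(csv_text):
    """True only when the screen finds nothing; gate the transfer on this."""
    return not screen_limited_data_set(csv_text)


# Constructed sample extract: a study id, a date of birth column, 3-digit ZIP,
# a diagnosis code and a free-text notes column with two embedded identifiers.
DUA_SAMPLE_CSV = """\
study_id,dob,zip3,diagnosis_code,notes
A001,1965-03-12,021,E11.9,follow-up scheduled
A002,1972-11-30,100,I10,contact j.doe@example.org for records
A003,1980-07-04,900,J45.909,callback 555-123-4567
"""

if __name__ == "__main__":
    for finding in screen_limited_data_set(DUA_SAMPLE_CSV):
        print(finding)
    print("release allowed:", release_allowed(DUA_SAMPLE_CSV))
```

Run against the constructed sample, the screen flags the `dob` column by name and the email address and telephone number embedded in the notes of rows 3 and 4, so `release_allowed` returns `False`. Findings should be routed back to the data steward to strip or generalize the offending fields, and the screen re-run, before the transfer contemplated by the DUA proceeds.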
D. Liability for harm arising from the use of the data:
- Require the recipient to report any use, disclosure, or data breach as soon as the recipient becomes aware of it.
Every data transfer is specific to the data being transferred. Be sure to consult an attorney to address your specific needs in order to minimize risk and liability.