A Data Use Agreement (DUA) is a legally binding contract mandated by the Privacy Rule. It’s essential before any limited data set (explained below) is shared with an external institution or party. Even though a limited data set has some identifiers removed, it’s still considered Protected Health Information (PHI). Therefore, organizations like Stanford must have a DUA in place before sending a limited data set to anyone outside the organization.
Key Provisions of a Data Use Agreement
At a minimum, every DUA must include clauses that cover the following points:
- Permitted Uses and Disclosures: Clearly define what the limited data set can and cannot be used for.
- Authorized Recipients: Specify exactly who is allowed to access and use the data.
- Usage Restrictions: Forbid the recipient from using or sharing the data further, unless the agreement or the law explicitly allows it.
- Data Safeguards: Mandate that the recipient implement appropriate security measures to prevent unauthorized use or disclosure beyond what’s outlined in the DUA.
- Reporting Obligations: Require the recipient to promptly report any unauthorized use or disclosure to the covered entity.
- Agent and Subcontractor Agreements: Ensure that any agents or subcontractors who receive the data also agree to the same restrictions as the original recipient.
- Prohibition of Re-Identification: Strictly prohibit any attempts to identify the individuals in the data or to contact them.
Furthermore, covered entities like Stanford must take swift and reasonable action to address any breaches of the DUA by the recipient. For instance, if Stanford discovers that data is being used in an unauthorized manner, they must collaborate with the recipient to resolve the issue. If these efforts fail, Stanford is obligated to stop all further data disclosures to the recipient and report the incident to the Department of Health and Human Services Office for Civil Rights.
Understanding Limited Data Sets
So, what is the DUA protecting? It protects the privacy of individuals whose information is contained in a limited data set.
A limited data set is a collection of data where certain direct identifiers have been removed, as defined by the Privacy Rule. This type of dataset can be shared with external parties without explicit patient authorization, but only if the purpose aligns with research, public health initiatives, or healthcare operations. In these cases, the recipient must sign a DUA with the covered entity or its business associate.
Permissible Identifiers: Limited data sets can include the following:
- Dates (e.g., birth, admission, discharge, service dates)
- City, state, and zip code (excluding street addresses)
- Age
- Other unique codes or identifiers not classified as direct identifiers.
Prohibited Identifiers: To qualify as a limited data set, all of the following direct identifiers related to individuals, their relatives, employers, or household members must be removed:
- Names
- Street addresses (beyond city, state, and zip code)
- Telephone and fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/driver’s license numbers
- Vehicle identifiers (including license plates)
- Device identifiers and serial numbers
- URLs and IP addresses
- Biometric identifiers
- Full-face photographs and comparable images
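One way to turn the two identifier lists above into a pre-release check, as an added example that is not part of the original page: the script below screens a dataset's column names against the prohibited direct identifiers, leaving dates, city/state/zip, age and other codes untouched. The column-name patterns and the sample schema are constructed assumptions; a real review would still inspect the values, not just the headers.

```python
import re

# Prohibited direct identifiers from the list above, mapped to heuristic
# column-name patterns (lowercase, underscore-separated names assumed).
# Order matters: the first matching pattern wins, so "ip_address" is
# reported as an IP address rather than as a street address.
PROHIBITED_FIELD_PATTERNS = [
    ("email address", r"e-?mail"),
    ("URL or IP address", r"(^|_)(ip|url)(_|$)"),
    ("name", r"name"),
    ("street address", r"street|addr"),
    ("telephone/fax number", r"phone|tel(_|$)|fax|mobile"),
    ("social security number", r"(^|_)ssn(_|$)|social_?sec"),
    ("medical record number", r"(^|_)mrn(_|$)|medical_?record"),
    ("health plan beneficiary number", r"beneficiary|member_?id|subscriber"),
    ("account number", r"account"),
    ("vehicle identifier", r"vehicle|license_?plate|(^|_)vin(_|$)"),
    ("certificate/license number", r"licen[cs]e|certificate"),
    ("device identifier/serial number", r"device_?id|serial"),
    ("biometric identifier", r"biometric|fingerprint|retina|voice_?print"),
    ("full-face photograph", r"photo|face_?image|headshot"),
]


def lds_violations(columns):
    """Return [(column, reason)] for every column that looks like a
    prohibited direct identifier; an empty list means the schema passes."""
    hits = []
    for col in columns:
        key = col.strip().lower()
        for reason, pattern in PROHIBITED_FIELD_PATTERNS:
            if re.search(pattern, key):
                hits.append((col, reason))
                break
    return hits


def is_limited_data_set(columns):
    """True when no column is a prohibited direct identifier."""
    return not lds_violations(columns)


# Constructed sample schema: a mix of permitted and prohibited fields.
SAMPLE_COLUMNS = ["patient_name", "birth_date", "admit_date", "city", "state",
                  "zip", "street_address", "mrn", "ip_address", "age", "ssn",
                  "study_code"]

if __name__ == "__main__":
    for col, reason in lds_violations(SAMPLE_COLUMNS):
        print(f"remove {col}: {reason}")
    print("qualifies as limited data set:", is_limited_data_set(SAMPLE_COLUMNS))
```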
Creating Limited Data Sets: Who’s Responsible?
A covered entity, like Stanford, can authorize its own employees to create limited data sets. Alternatively, the recipient can create the limited data set, provided they are acting as a business associate of the covered entity.
When is a DUA Necessary?
A DUA is mandatory before any limited data set is used or shared with an external institution or party. This proactive approach ensures data privacy and compliance with regulations. It’s crucial to understand the DUA’s role in protecting sensitive information before sharing data.
DUA and Business Associate Agreements: Do I Need Both?
Yes, you’ll need both a DUA and a Business Associate Agreement (BAA) if the recipient of a limited data set is also creating the data set as your business associate. This is because the covered entity (e.g., Stanford) is providing the recipient with PHI, which may include direct or indirect identifiers. A BAA addresses the handling of PHI with direct identifiers, while the DUA focuses on the specific restrictions and safeguards for the limited data set. This ensures all aspects of data privacy and security are covered.
Accounting for Disclosures and Limited Data Sets
Disclosures of “limited data sets” are exempt from the HIPAA accounting of disclosures requirements. The Department of Health and Human Services (DHHS) believes that the privacy of individuals in a “limited data set” can be adequately protected through a well-executed DUA.
Obtaining a Data Use Agreement at Stanford
For information on internal DUA handling procedures at Stanford, visit https://ico.sites.stanford.edu/who-will-handle-my-agreement.
When Stanford provides a limited data set, a DUA is always required to ensure appropriate safeguards. If a Stanford researcher is receiving a limited data set from an external source, they may be asked to sign the other party’s DUA. In this case, the researcher should consult with the appropriate contracts office to ensure compliance with Stanford’s DUA terms. Understanding the DUA is crucial for researchers to protect the integrity of their work.