Health Services Research (HSR) Methods
Privacy Tools: Guidance on HIPAA Data Use Agreements

Derived from HIPAA Regulation Section 164.514 (e)

I. What is a Data Use Agreement (DUA)?

  • A covered entity may use or disclose a “limited data set” if that entity obtains a data use agreement from the potential recipient; in our case, the health services researcher. 164.514 (e) (1)

  • This information can only be used for: 164.514 (e) (3) (i)
    • Research;
    • Public health; or
    • Health care operations.

  • A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: 164.514 (e) (2)

    • Names;
    • Postal address information, except town or city, State, and zip code;
    • Telephone numbers;
    • Fax numbers;
    • Email Addresses;
    • Social Security Numbers;
    • Medical record numbers;
    • Health plan beneficiary numbers;
    • Account numbers;
    • Certificate/license numbers;
    • Vehicle identifiers and serial numbers, including license plate numbers;
    • Web URLs;
    • IP addresses;
    • Biometric identifiers, including finger and voice prints; and
    • Full face photographic images and any comparable images.

II. What must be in a DUA?

  • A DUA must do the following: 164.514 (e) (4) (ii)
    • Establish what the data will be used for, as permitted above. The DUA must not violate this principle.
    • Establish who is permitted to use or receive the limited data set.
    • Provide that the limited data set recipient will:
      • Not use the information in a manner inconsistent with the DUA or other laws.
      • Employ safeguards to ensure that this does not happen.
      • Report to the covered entity any use of the information that was not stipulated in the DUA.
      • Ensure that any other parties, including subcontractors, agree to the same conditions as the limited data set recipient in the DUA.
      • Not identify the information or contact the individuals.

  • A covered entity is not in compliance with the regulation if: 164.514 (e) (4) (iii) (A)
    • The entity knew of a pattern of activity by the limited data set recipient that violated the DUA and did not attempt to resolve the violation. If resolution fails, the entity must:
      • Discontinue disclosure of the protected health information to the recipient; and
      • Report the problem to the Secretary.

A model Data Use Agreement is available.