AcademyHealth
Health Services Research (HSR) Methods
Privacy Tools: Guidance on HIPAA Data Use Agreements

Derived from the HIPAA Privacy Rule, 45 CFR 164.514 (e)

I. What is a Data Use Agreement (DUA)?

  • A covered entity may use or disclose a “limited data set” if that entity obtains a data use agreement from the potential recipient; in our case, the health services researcher. 164.514 (e) (1)

  • A limited data set may be used or disclosed only for the purposes of: 164.514 (e) (3) (i)
    • Research;
    • Public health; or
    • Health care operations.

  • A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: 164.514 (e) (2)

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Email addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web URLs;
  • IP address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

Note what the list does not exclude: dates (birth, admission, discharge, death) and town/city, State and zip code remain in a limited data set. That is what distinguishes it from a de-identified data set and why a DUA is required before release.
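The list above is easy to apply to named columns but direct identifiers also turn up inside free-text fields (clinical notes, comments), where a column filter cannot see them. The following is an added example, not part of the AcademyHealth page or any AHRQ tool, of a pre-release check a covered entity might run before handing a limited data set to a researcher under a DUA: it drops the direct-identifier columns and then scans the remaining text fields for identifier-shaped strings (SSN, email, phone, IPv4 address, URL). The column names and the sample records are constructed for illustration; a real schema will differ.

```python
import re

# Column names assumed for illustration (a real schema will differ). Each maps to
# one of the direct identifiers that 45 CFR 164.514(e)(2) excludes from a limited
# data set.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})

# Identifier shapes that tend to hide inside free text. Deliberately broad: a
# false positive costs a manual review, a false negative is a disclosure that
# the DUA does not permit.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def strip_direct_identifiers(record: dict) -> dict:
    """Drop the direct-identifier columns. Everything else stays: dates,
    city/state/zip and clinical fields are all permitted in a limited data set."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def find_leaked_identifiers(record: dict) -> list:
    """Scan the string-valued fields that survived column stripping and return
    (field, kind) for every identifier pattern that matches."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, kind))
    return findings


def prepare_limited_data_set(records: list) -> tuple:
    """Return (releasable, rejected). A record is released only if no identifier
    pattern remains in its free text after the columns are stripped; rejected
    rows are reported by index so the covered entity can review them without
    the identifiers leaving its side."""
    releasable, rejected = [], []
    for idx, rec in enumerate(records):
        cleaned = strip_direct_identifiers(rec)
        leaks = find_leaked_identifiers(cleaned)
        if leaks:
            rejected.append((idx, leaks))
        else:
            releasable.append(cleaned)
    return releasable, rejected


# Constructed sample rows (fictional patients, fictional contact details).
SAMPLE_RECORDS = [
    {"mrn": "000123", "name": "Jane Q. Public", "dob": "1962-04-17",
     "street_address": "12 Elm St", "city": "Boston", "state": "MA",
     "zip": "02115", "admission_date": "2023-03-02", "diagnosis": "I10",
     "note": "BP controlled; follow-up in 2 weeks."},
    {"mrn": "000456", "name": "John Doe", "dob": "1975-11-30",
     "city": "Boston", "state": "MA", "zip": "02118", "diagnosis": "E11.9",
     "note": "Patient can be reached at 617-555-0142 or pat@example.com"},
    {"mrn": "000789", "name": "A. Nother", "dob": "1980-01-05",
     "city": "Cambridge", "state": "MA", "zip": "02139", "diagnosis": "J45",
     "note": "Home monitor reported from 10.0.0.5 overnight."},
]

if __name__ == "__main__":
    released, held = prepare_limited_data_set(SAMPLE_RECORDS)
    print(f"released {len(released)} row(s); held {len(held)} for review: {held}")
```

The column filter and the free-text scan are kept as separate functions so the scan can also be run on a dataset a recipient has already received, for example when a DUA report of an unpermitted use has to be investigated.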

II. What must be in a DUA?

164.514 (e) (4) (ii)

  • A DUA must do the following:
    • Establish the permitted uses and disclosures of the limited data set by the recipient, limited to the purposes listed above (research, public health, health care operations). The DUA may not authorize the recipient to use or further disclose the information in a way that would violate the Privacy Rule if the covered entity did it.
    • Establish who is permitted to use or receive the limited data set.
    • Provide that the limited data set recipient will:
      • Not use or further disclose the information other than as permitted by the DUA or as otherwise required by law.
      • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the DUA.
      • Report to the covered entity any use or disclosure of the information not provided for by the DUA of which the recipient becomes aware.
      • Ensure that any agents, including subcontractors, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient.
      • Not identify the information or contact the individuals.

A covered entity is not in compliance with the regulation if: 164.514 (e) (4) (iii)

  • The entity knew of a pattern of activity or practice by the limited data set recipient that constituted a material breach or violation of the DUA, unless the entity took reasonable steps to cure the breach or end the violation and, if those steps were unsuccessful:
    • Discontinued disclosure of protected health information to the recipient; and
    • Reported the problem to the Secretary.

A model Data Use Agreement is available.

Please note: THIS REPORT HAS NOT BEEN APPROVED BY THE AGENCY FOR HEALTHCARE RESEARCH AND QUALITY (AHRQ).