Privacy Tools: Guidance on HIPAA Data Use Agreements
Derived from HIPAA Regulation Section 164.514 (e)
I. What is a Data Use Agreement (DUA)?
- A covered entity may use or disclose a “limited data set” if that entity obtains a data use agreement from the potential recipient; in our case, the health services researcher. 164.514 (e) (1)
- This information can only be used for: 164.514 (e) (3) (i)
  - Public health; or
  - Health care operations.
- A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: 164.514 (e) (2)
  - Postal address information, except town or city, State, and zip code;
  - Telephone numbers;
  - Fax numbers;
  - Email addresses;
  - Social Security numbers;
  - Medical record numbers;
  - Health plan beneficiary numbers;
  - Account numbers;
  - Certificate/license numbers;
  - Vehicle identifiers and serial numbers, including license plate numbers;
  - Web URLs;
  - IP addresses;
  - Biometric identifiers, including finger and voice prints; and
  - Full face photographic images and any comparable images.
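The exclusion list above is concrete enough to check by machine before a record leaves the covered entity. The following Python is an added example, not code from this guidance or from AHRQ: it drops the fields that map to the direct identifiers listed in 164.514 (e) (2), keeps the permitted geography (town or city, State, zip code), and redacts identifier patterns (SSN, email, phone, IP address, URL) that have leaked into free-text fields, returning an audit trail of what it changed. The field names, the regular expressions, and the sample record are all constructed assumptions to be mapped onto a real schema.

```python
"""Limited data set filter for HIPAA 164.514(e)(2).

Added example; field names, patterns and the sample record are assumptions,
not part of the original guidance.
"""
import re

# Schema fields that hold the direct identifiers the regulation excludes
# from a limited data set (assumed names; map these to your own schema).
DIRECT_IDENTIFIER_FIELDS = {
    "street_address",            # postal address beyond city/state/zip
    "telephone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number",
    "vehicle_identifier", "license_plate",
    "web_url", "ip_address",
    "biometric_identifier", "full_face_photo",
}

# Geographic fields the regulation lets a limited data set keep.
PERMITTED_GEOGRAPHY = {"city", "state", "zip_code"}

# Patterns that indicate a direct identifier leaked into free text.
# Order matters: findings are reported in this order.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def to_limited_data_set(record):
    """Return (filtered_record, findings).

    filtered_record: the record with direct-identifier fields removed and
                     leaked identifiers in string fields redacted.
    findings:        list of (field, pattern_name) for every redaction made,
                     so the covered entity can review before disclosure.
    """
    filtered = {}
    findings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the whole field; nothing of it may be disclosed
        if isinstance(value, str):
            for name, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append((key, name))
                    value = pattern.sub(f"[REDACTED:{name}]", value)
        filtered[key] = value
    return filtered, findings


def is_limited_data_set(record):
    """True when no direct-identifier field is present and no string field
    contains a leaked identifier pattern."""
    if DIRECT_IDENTIFIER_FIELDS & set(record):
        return False
    return not any(
        pattern.search(value)
        for value in record.values() if isinstance(value, str)
        for pattern in LEAK_PATTERNS.values()
    )


# Constructed sample record (fictitious values) to exercise the filter.
SAMPLE_RECORD = {
    "city": "Springfield",
    "state": "IL",
    "zip_code": "62704",
    "age": 67,
    "admission_date": "2023-04-02",
    "diagnosis_code": "E11.9",
    "street_address": "123 Main St",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "clinical_notes": "Patient reachable at 555-123-4567; "
                      "see http://portal.example.org/visit/42 for details",
}

if __name__ == "__main__":
    lds, audit = to_limited_data_set(SAMPLE_RECORD)
    print("limited data set:", lds)
    print("redactions:", audit)
    print("compliant:", is_limited_data_set(lds))
```

Run as a script it prints the filtered record, the redaction audit, and whether the result passes the check. The filter deliberately removes whole fields rather than masking them, because a limited data set must exclude these identifiers entirely; free text gets redaction plus an audit entry, since a leaked identifier in notes is the common failure mode a field-level filter alone would miss.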
II. What must be in a DUA?
- A DUA must do the following: 164.514 (e) (4) (ii)
  - Establish what the data will be used for, as permitted above. The DUA must not violate this principle.
  - Establish who is permitted to use or receive the limited data set.
  - Provide that the limited data set recipient will:
    - Not use the information in a manner inconsistent with the DUA or other laws.
    - Employ safeguards to ensure that this does not happen.
    - Report to the covered entity any use of the information that was not stipulated in the DUA.
    - Ensure that any other parties, including subcontractors, agree to the same conditions as the limited data set recipient in the DUA.
    - Not identify the information or contact the individuals.
A covered entity is not in compliance with the regulation if: 164.514 (e) (4) (iii) (A)
- The entity knew of a pattern of activity by the limited data set recipient that violated the DUA, unless it attempted to resolve the violation. The measures it must take are to:
  - Discontinue disclosure of the protected health information to the recipient; and
  - Report the problem to the Secretary.
A model Data Use Agreement is available.
Please note: THIS REPORT HAS NOT BEEN APPROVED BY THE AGENCY FOR HEALTH CARE RESEARCH AND QUALITY (AHRQ).