
HIPAA requires Data Use Agreements (“DUAs”). A DUA is a commercial agreement used to convey non-public data that is subject to use limitations. It defines the terms and circumstances of the transfer and must be signed before any data is used or disclosed to a third party.

Data Use Agreements

HIPAA outlines the circumstances under which covered organisations may use or disclose protected health information (PHI) for research purposes. It defines research as “a systematic examination, encompassing research formulation, testing, and evaluation, with the goal of developing or contributing to generalizable information.” (See 45 CFR 164.501 for details.) HIPAA safeguards the privacy of an individual’s identifiable health information while ensuring that researchers keep access to the medical information they need for essential research.

DUAs should, at a minimum, incorporate the following provisions:

A. Define the limited data set and address data use restrictions:

A limited data set is one from which certain HIPAA-specified direct identifiers have been removed.

Establish the boundaries of use and describe the permitted uses or disclosures for the stated purpose (e.g. research, public health, or health care operations) as precisely and completely as possible.

B. Determine who will use or receive the information:

In the case of scientific research, for example, decide whether the data may be used only by the Principal Investigator (PI) or whether rights extend to the PI’s research team.

Prohibit the recipient from using or disclosing the information except as permitted by the agreement or otherwise authorised by law.

If the recipient is permitted to share data with project subcontractors, include a condition requiring the subcontractors to adhere to the same limits set out in the agreement.

C. Obligations to preserve data and privacy rights associated with confidential or protected data transfers:

Require the recipient to take appropriate safeguards to prevent unauthorised use or disclosure.

If the data comes from human subjects, you must obtain informed consent from the individuals or an appropriate Institutional Review Board waiver of consent that permits disclosure under the proposed DUA.

Check whether the information is HIPAA compliant, i.e. whether the data is de-identified within the meaning of HIPAA and is not disclosed together with a code or any other means that could be used to re-identify it. To be de-identified, there must be no knowledge that the information, alone or in combination with other information, could be used to identify a person. Names, dates of birth, addresses, telephone numbers, email addresses, social security numbers, medical record numbers, URLs, and IP addresses are examples of data that could be used to identify a person.
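As an added illustration (not part of the original article), the following Python puts the two checks in this section into code: it removes the direct-identifier fields the page lists to form a limited data set, then scans whatever remains for identifier-like values that may still sit in free-text fields. The field names, the sample record and the regex formats are assumptions for the example.

```python
import re

# Direct identifiers named in the text, as record field names (field names are assumptions).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "date_of_birth", "address", "phone", "email",
    "ssn", "medical_record_number", "url", "ip_address",
}

# Identifier-like patterns that may survive in free text (assumed US-style formats).
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}

# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "1980-01-02",
    "medical_record_number": "MRN-000123",
    "email": "jane@example.org",
    "diagnosis_code": "E11.9",
    "clinician_note": "Patient asked to be reached at 555-123-4567 before the next visit.",
}


def strip_direct_identifiers(record):
    """Return a copy of the record with the direct-identifier fields removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}


def find_residual_identifiers(record):
    """Scan string values for identifier-like patterns; return (field, kind) pairs."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits.extend((field, kind) for kind, pat in RESIDUAL_PATTERNS.items() if pat.search(value))
    return hits


def release_check(record):
    """Strip direct identifiers, then report whether the reduced record is clear for release."""
    reduced = strip_direct_identifiers(record)
    residual = find_residual_identifiers(reduced)
    return reduced, residual, not residual
```

Run against SAMPLE_RECORD, the direct identifiers are dropped but the phone number embedded in the clinician note is flagged, so the record is not cleared for release.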

D. Liability for damage caused by the data’s use:

Require the recipient to report any unauthorised use, disclosure, or data breach as soon as it becomes aware of it.

The Bottom Line

Every data transfer is specific to the data being sent. Consult an attorney about your particular requirements in order to reduce risk and liability.