When Do You Need A Data Use Agreement

Since a “limited data set” is always PHI, privacy regulations provide that the privacy of individuals must be protected by requiring covered companies (Hopkins) to enter into data use agreements with recipients of “limited records.” The data use agreement must comply with the standards set out in the privacy policy. A data use agreement must: require the recipient to put in place appropriate safeguards to prevent unauthorized use or disclosure not provided for in the agreement; and require recipients to ensure that all agents (including subcontractors) to whom they disclose information agree to the same restrictions set out in the agreement.

This means that for a record to be considered a limited record, all of the following direct identifiers related to the person or their relatives, employers, or household members must be removed:

In addition, affected companies like Stanford must take all reasonable steps to remedy a recipient's violation of the DUA. For example, if Stanford learns that the data it has provided to a recipient is being used in a way that is not authorized under the DUA, Stanford must work with the recipient to resolve that issue. If these efforts fail, Stanford would be required to cease all further disclosure of PHI to the recipient under the DUA and report the matter to the Federal Office of Public Health and Social Services for Civil Rights.

If the data is outside of these problem areas, the data may be transferred without a formal data use agreement being required. However, if the researcher wishes to use a data use agreement, we may use a number of safeguards.

Yes, you will need both a Data Use Agreement (DUA) and a Business Partnership Agreement (BAA), as the relevant entity (covered entity affiliated with Stanford University) provides the recipient with PSRs, which may contain direct or indirect identifiers. For this reason, a BAA may be required before we transmit the direct identifiers to the recipient outside of Stanford.
If Stanford is the provider of a limited dataset, Stanford requires a DUA to be signed to ensure that the appropriate provisions to protect the limited dataset are in place. Here are the contacts for different types of research:

A business partner contract is a contract between the covered company and the business partner that states these insurances in writing. Under a business partnership agreement, the parties must specify the types of PSR and access to PSR that a business partner will have (and the types of access and access that they may not have) and the safeguards that the business partner will use to maintain the integrity and confidentiality of the PSR. A business partner agreement is a contract whose use is required by the HIPAA privacy rule.

These agreements may be between academic institutions, government agencies and/or companies. DUAs can be divided into two different categories depending on the type of data transferred:

The following page provides useful information about who internally manages different types of DUAs and other agreements at Stanford: ico.sites.stanford.edu/who-will-handle-my-agreement

