NOTE: A limited data set is always protected health information (PHI) under HIPAA. It is not de-identified data as that term is defined by HIPAA, and must therefore be protected in accordance with the Privacy Rule. For more information on the differences between fully identifiable data, a limited data set and a de-identified data set, see the HIPAA data reference manual below.

A data usage agreement and a matching agreement are common contractual relationships within the framework of HIPAA. Apart from the fact that they both have the word "agreement" in their name, these agreements could not be more different. The difference between a data usage agreement and a matching agreement is explained below.

A data use agreement (DUA) must be completed before a limited data set is used or disclosed to an external institution or an external party.

Require recipients to ensure that all representatives (including potential subcontractors) to whom they disclose the information accept the same restrictions as those provided by the agreement; and

The Privacy Rule allows a covered entity to disclose what the rule calls a "limited data set." A limited data set is a set of identifiable health information that covered entities are allowed to share with certain institutions for research, health activities and health operations, without the patient's prior written authorization.

It is important for researchers to read the terms of a DUA before submitting the draft contract to the UMBC Office of Sponsored Programs (OSP). It is the researcher's responsibility to understand and monitor the conditions of the DUA and to use the data only for the specified purposes.
The OSP assumes that a researcher who transmits a DUA to the OSP has read these terms and agrees to abide by them, whether or not the researcher's signature is required on the DUA itself. If a researcher signs such an agreement, they could be exposed to legal and financial risks. A researcher must not sign a DUA until the OSP has approved it.

Yes, you need both a Data Use Agreement (DUA) and a Business Associate Agreement (BAA) because the covered entity (Stanford University Affiliated Covered Entity) provides the recipient with PHI, which may contain direct or indirect identifiers. For this reason, a BAA may be required before disclosing direct identifiers to the recipient outside of Stanford.

In addition, covered entities such as Stanford must take all reasonable steps to remedy a recipient's violation of the DUA. For example, if Stanford learns that the data it has provided to a recipient is being used in a way that is not authorized by the DUA, Stanford should work with the recipient to resolve this issue. If these efforts were not successful, Stanford would be required to terminate any further disclosure of PHI to the recipient, in accordance with the DUA, and to notify the U.S. Department of Health and Human Services Office for Civil Rights.

Require the recipient to adopt appropriate security measures to prevent unauthorized use or disclosure that is not included in the agreement;

This means that all of the following direct identifiers, relating to the individual or to the individual's relatives, employers or household members, must be deleted so that a data set can be considered a limited data set:

DUAs are often used when a researcher wishes to access restricted archives or datasets that may contain identifiable information about individuals for the purposes of such projects.