Sample Hipaa Data Use Agreement

prohibit the recipient from further using or disclosing the information, except to the extent permitted by the Agreement or otherwise permitted by law; The following page provides useful information about who internally manages different types of DUAs and other agreements at Stanford: ico.sites.stanford.edu/who-will-handle-my-agreement If a Stanford researcher is the recipient of a limited data set from a source other than Stanford, the Stanford researcher may be asked to sign the other party`s DUA. In such a case, the Stanford researcher should contact the appropriate contracts office to determine if it is substantially compliant with the Stanford DUA. Limited records can contain only the following identifiers: an affected entity (such as Stanford) can use a member of its own staff to create the “limited record.” On the other hand, the recipient can also create the “limited registration” as long as the natural or legal person acts as a business partner of the registered entity. A Data Use Agreement (DUA) is an agreement required under the confidentiality rule and must be entered into before a limited record (defined below) is used or disclosed to an external institution or party. A limited record is always protected by Health Information (PHI), and for this reason, covered companies like Stanford must enter into a data use agreement with each recipient of a limited Stanford record. determine the permitted uses and disclosures of the limited data set; Yes, you will need both a Data Use Agreement (DUA) and a Business Partnership Agreement (BAA), as the relevant entity (covered entity affiliated with Stanford University) provides the recipient with PSRs, which may contain direct or indirect identifiers. For this reason, a BAA may be required before we transmit the direct identifiers to the recipient outside of Stanford. In addition, affected companies such as Stanford must take all reasonable steps to remedy a recipient`s violation of the DUA. For example, if Stanford learns that the data it has provided to a recipient is being used in a way that is not authorized under the DUA, Stanford must work with the recipient to resolve that issue. If these efforts fail, Stanford would be required to stop any further disclosure of PHI to the recipient under the DUA and report the matter to the Federal Office of Public Health and Social Affairs for Civil Rights. A DUA must be completed before a limited file is used or disclosed to an institution or external party. No, disclosure of “limited records” is not subject to HIPAA accounting requirements.

DHHS has taken the position that the privacy of individuals with respect to PSR disclosed in a “limited record” can be adequately protected by a single DUA. A restricted record is a record that is exempt from certain direct identifiers specified in the privacy policy. A limited data set may only be shared with an external party without a patient`s permission if the purpose of the disclosure is for research, public health or healthcare operations purposes, and the person or organization receiving the information signs a Data Use Agreement (DUA) with the relevant company or its business partner. Require the recipient to take appropriate safeguards to prevent unauthorized use or disclosure that is not provided for in the Agreement; Require recipients to ensure that all agents (including all subcontractors) to whom information is shared agree to the same restrictions set out in the Agreement; And this means that for a record to be considered a limited record, all of the following direct identifiers related to the person or their relatives, employers, or household members must be removed: If Stanford is the provider of a limited record, Stanford requires a DUA to be signed to ensure that the appropriate provisions to protect the limited record are in place. Here are the contacts for different types of research: A data use agreement determines who is authorized to use and receive LDS, as well as the authorized uses and disclosures of this information by the recipient, and provides that the recipient: The covered entity may disclose the information reasonably necessary! Each DUA contains at least provisions concerning: requiring the recipient to report to the covered entity any use or disclosure of which he is aware;. . . . . .