Sample Data Use Agreement Hipaa

6. require recipients to ensure that all representatives (including subcontractors) to whom they transmit the information accept the same restrictions as those provided for in the agreement; and a data use agreement defines who can use and obtain the LDS, as well as the authorized uses and disclosures of this information by the recipient and provides that the recipient will do the following: A data use agreement (DUA) is a particular type of agreement that is required and must be concluded under the DE LIPPA data protection rule before using or disclosing a limited (defined) registration below) from a medical record to an institution or to a party external to one of the three objectives: (1) research, (2) public health or (3) health institutions. A limited data set is always Protected Health Information (PHI) and, therefore, HIPAA covered entities or hybrid covered entities, such as the University of Arizona (UA), must enter into a DUA with any institution, organization, or entity to which UA discloses or transfers a limited set of data. 3.dem to prohibit recipients from the further use or disclosure of the information, unless the agreement so permits, or the law permits it; 1. If the AU transmits or transfers a limited set of data to another institution, organization or entity, UA requires that a DUA be signed in order to ensure that the appropriate provisions for the protection of the restricted data set are in place in accordance with the HIPC data protection rule. Contracting Services maintains a DUA model. If UA discloses or transfers a limited set of data, if significant changes are made to the UA template form, or if another party`s version of a data use agreement is used, Contracting Services must verify and sign the terms of the agreement. Send contracting@email.arizona.edu an email to request a DUA. Yes, you need both a Data Use Agreement (DUA) and a counterparty agreement (Business Association Agreement, BAA), because the covered entity or hybrid covered entity (UA) makes PHI available to the recipient with direct identifiers. Therefore, a BAA would be required to transmit the direct identifiers to the recipient.

Once the restricted data set has been established under the BAA, all IHP, with the exception of IHP, which are qualified as a limited dataset in accordance with the DUA, must be returned to UA. This means that, in order for a dataset to be a limited data set, all subsequent direct identifiers that relate to the person or their relatives, employer or household member must be deleted, with all subsequent direct identifiers relating to certain direct identifiers specified in the HIPC data protection rule. A limited set of data may only be transmitted to an external party without a patient`s permission if the purpose of the disclosure is for research, public health or public health purposes and if the person or organisation receiving the information signs a Data Use Agreement (DUA) with the relevant entity or its counterparty. In addition, covered or hybrid covered entities such as UA must take all appropriate measures to remedy a recipient`s violation of the DUA.