Under the HIPAA Privacy Rule, a limited data set is a set of identifiable healthcare information that covered entities are permitted to share with certain entities for research purposes, public health activities, and healthcare operations, without obtaining prior patient written authorization. A limited data set excludes specified direct identifiers (identifiers constituting protected health information, or PHI, that directly identifies research subjects) of the individual or of relatives, employers, or household members of the individual. A HIPAA data use agreement is an agreement entered into by a covered entity and a researcher, under which the covered entity may disclose a limited data set to the researcher for research, public health, or healthcare operations.
When is a HIPAA Data Use Agreement Required?
A DUA is required when covered entities and researchers share data that is not de-identified in a manner that was not explicitly covered in a patient’s written authorization form. Sharing a de-identified data set does itself not require a DUA, but limited data sets may be shared only after a DUA is in place.
Are you adequately protecting patient data? Find out now with our HIPAA compliance checklist.
What Must the HIPAA Data Use Agreement Contain?
The HIPAA data use agreement must:
- Establish the permitted uses and disclosures of the limited data set by the recipient (i.e., the researcher), consistent with the purposes of the research. The agreement may not include any use or disclosure that would violate the HIPAA Privacy Rule if the use or disclosure was made or done by the covered entity.
- Limit who can use or receive the data; and
- Require the recipient to agree to the following:
- Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law;
- Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
- Report to the covered entity any use or disclosure of the information not provided for by the HIPAA data use agreement of which the recipient becomes aware;
- Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
- Not to identify the information or contact the individual.