A data use agreement (DUA) is an agreement that is required under the Privacy Rule and must be entered into before there is any use or disclosure of a limited data set (defined below) to an outside institution or party. A limited data set is still protected health information (PHI), and for that reason, covered entities like UNLV must enter into a data use agreement with any recipient of a limited data set from UNLV.
At a minimum, any DUA must contain provisions that address the following:
- Establish the permitted uses and disclosures of the limited data set;
- Identify who may use or receive the information;
- Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law;
- Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure not contemplated by the agreement;
- Require the recipient to report to the covered entity any use or disclosure to which it becomes aware;
- Require the recipients to ensure that any agents (including any subcontractors) to whom it discloses the information will agree to the same restrictions as provided in the agreement; and
- Prohibit the recipient from identifying the information or contacting the individuals.
Additionally, covered entities such as UNLV must take all reasonable steps to cure a recipient's breach of the DUA. For example, if UNLV learns that data it provided to a recipient is being used in a manner not authorized under the DUA, UNLV should work with the recipient to correct this problem. If these efforts are unsuccessful, UNLV would be required to cease any further disclosures of PHI to the recipient under the DUA and report the matter to the federal Department of Health and Human Services Office for Civil Rights.