
Data Use and Business Associate Agreements

Data Use Agreement

A Data Use Agreement (DUA) is typically required to share non-public or restricted use data with another entity. A DUA is a legally binding contract that specifies the terms and conditions governing the data to be shared.

Usually a DUA is required when a limited data set (LDS) is to be shared or transferred to another party. By definition, an LDS does not contain any HIPAA* defined identifiers (direct identifiers). An LDS can have indirect identifiers like age, dates of treatment, and geographic data elements (city/state/zip code). Note that since a street address is considered to be a direct identifier, it must not be included in an LDS.

A DUA is not required if there is another agreement (e.g. funding agreement) in place that already addresses the terms and conditions of the LDS transfer between the two entities.

Any time Protected Health Information (PHI), other than that which would qualify as an LDS, is to be shared or transferred, a Business Associate Agreement (BAA) is required.

Business Associate Agreement

A Business Associate Agreement (BAA) is required when a HIPAA-covered entity like MUSC needs to share or transfer data that contains direct identifiers or Protected Health Information (PHI) with another party. The BAA is a legally binding contract between a HIPAA-covered entity and another party and is used to safeguard Protected Health Information (PHI) in accordance with the HIPAA regulations.

A BAA is required when data is to be transferred or shared and contains direct identifiers or PHI such as the following: names, postal addresses, telephone and fax numbers, e-mail addresses, social security numbers, medical record numbers, vehicle identification/serial numbers, license plate numbers, biometric identifiers (e.g. finger or voice prints), and full-face photographic images or any comparable images.

*Health Insurance Portability and Accountability Act of 1996

MUSC ORSP October 2016