Data Use and Business Associate Agreements

Data Use Agreement

A Data Use Agreement (DUA) is typically required to share non-public or restricted-use data with another entity. A DUA is a legally binding contract that specifies the terms and conditions governing the data to be shared.

Usually a DUA is required when a limited data set (LDS) is to be shared with or transferred to another party. By definition, an LDS does not contain any HIPAA*-defined direct identifiers. An LDS may contain indirect identifiers such as age, dates of treatment, and geographic data elements (city, state, ZIP code). Note that a street address is considered a direct identifier and therefore must not be included in an LDS.

A DUA is not required if another agreement (e.g. a funding agreement) is already in place that addresses the terms and conditions of the LDS transfer between the two entities.

Any time Protected Health Information (PHI), other than that which would qualify as an LDS, is to be shared or transferred, a Business Associate Agreement (BAA) is required.

Business Associate Agreement

A Business Associate Agreement (BAA) is required when a HIPAA-covered entity such as MUSC needs to share or transfer data containing direct identifiers or Protected Health Information (PHI) with another party. The BAA is a legally binding contract between the HIPAA-covered entity and the other party, and is used to safeguard PHI in accordance with the HIPAA regulations.

A BAA is required when data to be transferred or shared contains direct identifiers or PHI such as the following: names, postal addresses, telephone and fax numbers, e-mail addresses, Social Security numbers, medical record numbers, vehicle identification/serial numbers, license plate numbers, biometric identifiers (e.g. fingerprints or voiceprints), and full-face photographic images or any comparable images.

*Health Insurance Portability and Accountability Act of 1996

MUSC ORSP October 2016