The HIPAA privacy rule allows a covered entity to use and disclose a limited data set (LDS) for research without obtaining an authorization or a waiver of

50 KB – 17 Pages

PAGE – 1 ============
Purpose and Description This guide was created to facilitate the establishment of Data Use Agreements (DUAs) between HCSRN sites . It includes information about: When DUAs are needed The steps involved in putting a DUA in place Tools and res ources related to DUAs and PHI disclosures Best practices and common pitfalls DUA TOOLKIT A Guide to Data Use Agreements

PAGE – 2 ============
2 TABLE OF CONTENTS What is a Data Use Agreement? 3 Advantages of a DUA Important up front considerations Permissions outlined in a DUA Assurances outlined in a DUA When do I need a DUA? . 4 Do I h ave a de -identified data set? Do I have a limited data set? Flow Diagram: Do I need a DUA? My data set exceeds a limited data set –What now? Disclosure tracking Setting up a DUA ––––––––––––––––––––––––––– –..7 Step 1: Identify the DUAs that are needed Step 2: Build from a template or previous DUA Step 3: Finalize the paperwork Proactively Planning for Success –––––––––––––––––––– –.9 Tips and best practices Issues commonly leading to delays APPENDICES More about PHI and Data Disclosure ––––––––––––––––– –.–. 11 Frequently Asked Questions –––––––––––––––––– –––––.. 12 Glossary of Terms Used –––––––––––––––––––––––––. 15

PAGE – 3 ============
3 WHAT IS A DATA USE AGREEMENT? A Data Use Agreement ( DUA ) is an agreement that governs the sharing of data between research collaborators who are covered entities under the HIPAA privacy rule. A DUA establis hes the ways in which the information in a limited data set may be used by the intended recipient , and how it is protected. Advantages of a DUA The HIPAA privacy rule allows a covere d entity to use and disclose a l imited data set (LDS) for research wit hout obtaining an authorization or a waiver of authorization. A covered entity (e.g., a health plan) may disclose a LDS to another entity or researcher who is not a covered entity when a DUA is in place. Important upfront c onsiderations 1) Expect that ana lyses and manuscript authors hip will be spread across sites, and e nsure all potential authors will have access to data. Permissions outlined in a DUA 1) Who may receive and use the limited data set 2) Allowable uses and disclos ure s by the recipient Assurances outlined in a DUA 1) The recipient will not try to identify or contact subjects represented in the LDS . 2) The recipient will not use or disclose/share the data in ways other than stated in the agreement, or as otherwise required by law. 3) The recipient will safe guard the data to prevent such misuse or unauthorized disclosures . 4) The recipient will report any misuse or unauthorized disclosure as soon as known. 5) The recipient will ens ure that any agents, including subcontractor s, agree and are bound to the restriction s an d conditions of the DUA. DUAs ARE ALWAYS STUDY SPECIFIC Blanket DUAs do not exist between organizations

PAGE – 4 ============
4 WHEN DO I NEED A DUA? To put it simply, you need a DUA anytime you are sharing data that are not de -identified in a manner that was not explicitly covered in the consent form. Sharing a de -identified data set does not requi re a DUA, but l imited data sets may be shared only after a DUA is in place. The first step is to determine what type of data set you are working with . Flow Diagram: Do I need a DUA? IRB waiver of consent/authorization granted for data to be shared with the recipient(s)Signed consent/authorization did not cover this data OR sharing data w/ this recipientSigned consent/authorization form explicitly covered this release of data.No DUA, Business Associate Agreement or Disclosure Tracking neededIs it a limited data set (LDS)?No Πdata are de-identified (no PHI)Yes Πdata meet LDS definitionNo Πdata exceed LDS definitionWill need DUAs.No Disclosure Tracking needed.This is uncommon, since one should always release the minimum necessary.Speak to your local DUA contact about your situation and possible solutions.Disclosure Tracking will be needed.

PAGE – 5 ============
5 Working out the terms of a DUA sometimes takes more time and effort than foreseen. CONSIDERATION Is aggregated data or a de-identified data set an option for your study? Do I have a de -identified data set? Data are considered de -identified if there™s no reasonable way they could be used to identify a person. Thus, de -identified data sets may NOT contain any of the following 18 elements that HIPAA identifies as protected health information (PHI): 1. Names 2. All ge ographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: a. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people b. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are ch anged to 000 3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, exce pt that such ages and elements may be aggregated into a single category of age 90 or older 4. Telephone numbers 5. Facsimile numbers 6. Electronic mail addresses 7. Social security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. Web universal resource locators (URLs) 15. Internet protocol (IP) address numbers 16. Biometric identifiers, including fi ngerprints and voiceprints 17. Full -face photographic images and any comparable images 18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re -identification Do I have a limited data set? Limited data sets are NOT de -identified and may contain some (but not all) of the 18 elements that qualify as PHI . For example, a limited data set may NOT include directly identifying information (like name , SSN, or address). However, limited data sets MAY contai n the following indirect identifiers: town or city, state, zip code; ages in years up to 90 years (must aggregate all ages 90 or older);

PAGE – 6 ============
6 Step 1 and/or 2 ma y require a great deal of time and resources. CONSIDERATION Is it possible to alter your analysis plan so only a LDS is sent? dates directly related to an individual Œ such as birth date, date of death, admission date, discharge date, visit dat e, diagnosis date, etc. (Limiting to m onth/year is preferred). A unique study ID can be included in both limited and de -identified data sets Œ but the number can NOT be an encoded identifier, such as a scrambled birth date, patient initials, last four of social security number, and so on. My data set exceeds a limited data s et–What now ? Remember to release only the minimum necessary data , defined as the least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request . If you do NOT have a signed written consent authorizing data sharing with the recipient AND you exceed the definition of LDS: 1) Obtain an IRB Waiver of Authorization . 2) Work out contractual solutions between sites, e.g., Business Associate Agreement (BAA), Memorandum of Understanding (MOU) , Non -disclosure Agreement, etc. 3) If the data exceed the LDS definition, report both the patients and type of PHI sent outside of the covered entity according to local Disclosure Tracking procedures . Disclosure t racking Disclosures must be tracked any time protected health information is disclosed and either of the following apply : Authorization or a waiver of authorization has not been granted. Data exceed the definition of a limited data set. YesYesWill the information remain inside the health plan?Is there written consent/authorization for this release?Is it a LDS?Disclosure must be documentedNo disclosure tracking neededNoNoNoYesNo disclosure tracking neededNo disclosure tracking needed

PAGE – 8 ============
8 Scenario 3 This scenario is the same as Scenario 2 above, except that site D will compile the LDS with PHI included to send back to the other sites for local analyses. Site D needs DUAs with A, B , and C before the new LDS can be sent. Site D will us e its own DUA form since they house the new master LDS being sent. Step 2: Build from a template or p revious DUA The HCSRN has developed a pre -negotiated 3-page data use agreement (DUA) template that can be used for projects with (a) straightforward d ata sharing schemes and (b) that use the HCSRN ‘s pre -negotiated sub -award agreement template. The HCSRN is also currently pre -negotiating a bidirectional DUA template. Find pre -negotiated HCSRN templates at: If you cannot use one of the Network™s pre -negotiated templates, it can be helpful to find past or current DUAs between your site and the recipient (s) . Th ese may provide useful precedents. Step 3: Finalize the paperwork Extra time may be needed for negotiating the terms of the DUA based on the number and nature of the institutions involved, the sensitivity of the data to be shared, the complexity of the data sharing scheme across/between/among sites, and whether or not a pre -negotiated template can be used. Once the negotiations are completed, the final signed DUA can be distributed to sites for their files. Master LDS compiled at site D .PHI included . File to be sent to sites A , B, and C.Site A uses own DUA form and sends LDS to site D Site B uses own DUA form and sends LDS to site D Site C uses own DUA form and sends LDS to site D Site D uses own DUA form and sends LDS back to site A Site D uses own DUA form and sends LDS back to site B Site D uses own DUA form and sends LDS back to site C

PAGE – 9 ============
9 PROACTIVELY PLANNING FOR SUCCESS Tips a nd best p ractices 1) If data -related issues are already addressed in a subaward agreement, time and resources can be saved when putting together the DUA. The HCSRN™s pre -negotiated sub -award agreement template includes many data use and ownership terms up front. 2) Ensure as much time as possible to allow for interpretation and possible reaction to legal wording in the agreements. Set your DUAs up early in the life of the project. 3) Ensure all authors will have access to data. Anticipate opportunities to spread analyses and manuscript authorship broadly across sites and write the DUAs to reflect this. 4) Follow communication pathways set up at individual sites. Circumventing the proce ss causes confusion and adds time. 5) Clarify specific data elements needed for the analysis up front. 6) Required components of a DUA are spelled out in HIPAA. Avoid using a DUA to insert additional requirements that are more appropriate for a contract. 7) Keep th e following documents in the project files at each site: Fully signed DUA. Signed Data Release Checklist (or similar documentation required by your site) Documentation of content of the data sent/received (e.g., SAS proc contents report). Cover letter or email documenting data transfer.

PAGE – 10 ============
10 Issues commonly leading to delay s Variations in expectations and practices at the local level are a factor in every multi -site study. It can help both Investigators and Project Managers to be aware of the types of proble ms encountered by others. The DUA was written narrowly and uni -directionally. It did not account for the possibility of new analytic plans. For example, only the prime site could send pooled data to subcontractors. The DUA did not address sub -to -sub data s haring for secondary analyses, etc ., or the addition of a new site. Local interpretation of regulations by legal counsel varied across sites , making mutual agreement much more difficult . o Agreement on which state (or site ) has j urisdiction , should dispu tes arise . o One site may require more stringent security protections than another site . State laws prohibited sites from reaching mutual agreement on some DUA terms. o Minnesota, Washington, and Oregon all have state laws pertaining to certain types of data (e.g., the Oregon Genetic Privacy Law) which may supersede federal regulations in the HIPAA Privacy Rule. Receipt of aggregated summary data only may preclude certain analyses. Sites may hesitate to stray from language used in past DUAs or may not want to make changes to a pre -approved template . Trying to involve a non -HCSRN -based Investigator or business associate s prolonged negotiations. o Example: Data c ollection or data entry service Sites have differing views on the degree of assumed risk to the healt h plan (e.g ., in the event of an unauthorized disclosure) when data are shared. o Example: Some health plans may view q uality of care data as being a greater risk tha n data on use of preventive services .

PAGE – 11 ============
11 APPENDICES More about PHI and Data Disclosure Unde r HIPAA, the general rule is that researchers must have valid authorization for all uses and disclosures of PHI in connection with research. A valid authorization must include specific elements: A description of the PHI being used A statement of the purpo se of the use of PHI A list of those who can use the PHI A list of those who can receive the PHI, including the possibility of re -disclosure Information about the expiration of the authorization Information about the right to revoke the authorization If an actual expiration date is not provided, then a note pointing this out is required. A statement explaining an expiration event such as the end of the research project is also acceptable. As to the right to revoke, the authorization must either expla in that right or refer to the covered entity™s privacy notice, if that is applicable. A revocation must be in writing and can be made at any time, but it may not be effective if a research study has already relied on the authorization. This reliance elemen t only affects information gathered before the revocation and does not allow the entity to disclose PHI after the revocation occurs. The covered entity Œ that is, fihealth plans, health providers and health clearinghousesfl or fiany entity in the health sect or that uses health information in the regular course of businessfl Œ may require the authorization as a condition of providing research -related treatment. If a limited data set will be released outside of the covered entity or accessed/used by anyone not employed by the releasing covered entity without a signed authorization or consent form of each individual whose data are used , then documentation of an IRB waiver of authorization must be kept on file by project staff and a DUA signed by the recipient of the data may be required. If any PHI beyond a limited data set will be released outside of the covered entity or accessed/used by anyone not employed by the releasing covered entity without a written authorization signed by each subject whose data are used, then documentation of an IRB waiver of authorization must kept by project staff and project staff must enter pertinent data into a disclosure tracking file. In addition, a business associate agreement may be required.

50 KB – 17 Pages