How To

Put in Place a Data Use Agreement

A data use agreement (DUA) is an agreement that is required under the Privacy Rule and must be entered into before there is any use or disclosure of a limited data set (defined below) to an outside institution or party. A limited data set is still protected health information (PHI), and for that reason, covered entities like Stanford must enter into a data use agreement with any recipient of a limited data set from Stanford.

For more information, see the Data Use Agreement FAQs.

At a minimum, any DUA must contain provisions that address the following:

  1. Establish the permitted uses and disclosures of the limited data set;

  2. Identify who may use or receive the information;

  3. Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law;

  4. Require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure not contemplated by the agreement;

  5. Require the recipient to report to the covered entity any use or disclosure not provided for by the agreement of which it becomes aware;

  6. Require the recipient to ensure that any agents (including any subcontractors) to whom it discloses the information will agree to the same restrictions as provided in the agreement; and

  7. Prohibit the recipient from identifying the information or contacting the individuals.

Additionally, covered entities such as Stanford must take all reasonable steps to cure a recipient's breach of the DUA. For example, if Stanford learns that data it provided to a recipient is being used in a manner not authorized under the DUA, Stanford should work with the recipient to correct this problem. If these efforts are unsuccessful, Stanford would be required to cease any further disclosures of PHI to the recipient under the DUA and report the matter to the federal Department of Health and Human Services Office for Civil Rights.