You will find additional documentation instructions to include in your application and helpful advice on how to use the application of the agreement in the DUA submission manual and the DUA guide. This means that all of the following direct identifiers, which relate to the person or their relatives, employers or members of the household, must be removed so that a data set can be considered a limited data set: the following page contains useful information about the people who manage different types of DUAs and other internal agreements at Stanford: ico.sites.stanford.edu/who-will-handle-my-agreement determination of authorized uses and disclosure of the limited data set; To obtain data from third parties, Harvard researchers should follow the steps described above (and go to the DUA Job Aids below): DUAs are often used when a researcher wishes to access restricted archives or data sets that may contain identifiable information about individuals for the purposes of such projects. The IRB should be contacted when the use of archived protected health data falls within the definition of « research » in the IRB. Investigations directly related to personal identifier data may be permitted to use and/or disclose PPIs (for individual access rights to the PHI) or to discontinue hipa authorization (for large sample requests for which individual authorizations are not practical and where the requirement is in accordance with the specifications of the data protection policy). Application forms should look at the safeguards provided to protect the identity of individuals and assess the security of procedures for protecting these identities. A Data Use Agreement (ACA) is a contractual document between a « data user » (usually the UMBC reviewer requesting access to information) and the Data Set Source (the organization or institution that provides the data) and describes the provisions relating to the transfer of confidential, protected or restricted data. For example, records of government agencies or companies, information on student data, existing data on people in human research, and limited datasets. A limited data set is a data set that is deprived of certain direct identifiers indicated in the data protection rule. A limited set of data can only be transmitted to an external provider without a patient`s permission if the purpose of disclosure is for research, health or health purposes and if the person or entity receiving the information signs a data use agreement (AEA) with the company or its counterpart. When conducting searches with data containing personal identifiers, but not within the IRB definition of the above research (z.B. Other sponsored activities), the IRB would not be involved. However, the HIPPA privacy rule applies when researchers wish to obtain, create, use and/or disclose identifiable health information (see Health Information Privacy Rule – Research Use Purposes – Rule Application to Research Projects). OSP believes that the data owner has already been waived from HIPPA, as described in an agreement between UMBC and the data owner.
Yes, you need both a DATA Use Agreement (DUA) and a Business Associate Agreement (BAA) because the covered entity (Stanford University Affiliated Covered Entity) provides the PHI recipient, which may contain direct or indirect identifiers. For this reason, a BAA may be required before disclosing direct identifiers to the recipient outside of Stanford. Not all data exchanges require an AEA, but many outbound records require certain restrictions to prevent data from being used inappropriately or illegally.