defining the permitted uses and advertisements of the limited data set; General provision. The data protection rule requires that a covered entity receive satisfactory assurances from its counterparty that the counterparty adequately protects the protected health information it receives or produces on behalf of the covered entity. Satisfactory assurances must be made in writing, whether in the form of a contract or other agreement between the covered entity and the counterparty. A Data Use Agreement (DUA) is a particular type of agreement that is necessary and must be entered into under the HIPC Data Protection Rule before a limited data set (defined below) from a medical record is used or disclosed to an external institution or party to any of the three purposes: (1) research, (2) public health or (3) health care. A limited data set is always Protected Health Information (PHI) and, therefore, HIPAA covered entities or hybrid covered entities, such as the University of Arizona (UA), must enter into a DUA with any institution, organization, or entity to which UA discloses or transfers a limited set of data. In contrast, a data use agreement is an agreement between a covered entity and a researcher, for example. B a genetics researcher or an infectious disease researcher. Under the HIPC confidentiality rule, a covered company is allowed to disclose medical information to a researcher. “Research” is defined as any systematic study aimed at developing or contributing to the generalization of knowledge. 1. If the AU transmits or transfers a limited set of data to another institution, organization or entity, UA requires that a DUA be signed in order to ensure that the appropriate provisions relating to the protection of the restricted data set are in place in accordance with the HIPC data protection rule. Contracting Services maintains a DUA model. If UA discloses or transfers a limited set of data, if substantial changes are made to the UA template form, or when the version of a data use agreement is used by another party, Contracting Services must verify and sign the terms of the agreement.
. . .