Data Use Agreements

A Data Use Agreement (DUA) is an agreement that is required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a limited data set (defined as a data set that is from which direct identifiers have been removed) to an outside institution.  A limited data set is still protected health information (PHI), and for that reason, covered entities like Fox Chase must enter into a data use agreement with any recipient of a Fox Chase limited data set.

Fox Chase has a template DUA that contains provisions that: (a) establish the permitted uses and disclosures of the limited data set; (b) identify who may use or receive the information; (c) prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as otherwise permitted by law; (d) require the recipient to use appropriate safeguards to prevent an unauthorized use or disclosure not contemplated by the agreement; (e) require the recipient to report to the covered entity any use or disclosure to which it becomes aware; (f) require the recipients to ensure that any agents (including any subcontractors) to whom it discloses the information will agree to the same restrictions as provided in the agreement and (g) prohibit the recipient from identifying the information or contacting the individuals.

For further information about sponsored research at Fox Chase, please contact John McNeill.