AI Review for Data Use Agreements

What is a Data Use Agreement?

Data Use Agreements (DUAs) are contracts, pertaining to the use and disclosure of partially de-identified protected health information ("Limited Data Sets"), that are legally mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing regulations.

They are to be used by healthcare providers, health plans, and health care clearinghouses ("Covered Entities") when they are disclosing Limited Data Sets to Recipients. Limited Data Sets may only be used or disclosed for the purposes of public health, health care operations, or research. DUAs are also to be used between a Limited Data Set Recipient and its permitted subcontractors or agents. We refer to these Limited Data Set disclosing entities as "Data Providers".

A DUA must include specific information and language that is set forth in Title 45, Section 164.514(e) of the Code of Federal Regulations ("C.F.R."). Some of these mandated provisions pertain to who is permitted to use and receive the Limited Data Sets, the permitted uses by the Recipient, the protection to be afforded the Limited Data Sets, reporting unauthorized use or disclosure of the Limited Data Sets, and the prohibition that the Recipient does not identify the Limited Data Set information or contact the individuals about whom the information was collected. The parties may also choose to include additional clauses such as data ownership, audit rights, and indemnification.

Key Considerations in Data Use Agreements

A DUA should include all legally required provisions, including those mentioned above. Additionally, other are other provisions often included in DUAs as best practice. Some of these key provisions include:

1. Definitions: Though the definitions of most terms of art used in a DUA can be found in the regulations, definitions in DUAs may misdescribe the regulatory definition (modifying the meaning of provisions in which they are included) and thus, DUA definitions sections should be thoroughly reviewed.
2. Data Ownership: Data Providers will often specify that though they are transferring or disclosing the Limited Data Sets to the Recipient, no transfer of ownership of the Limited Data Sets is occurring.
3. Audit: The Data Provider may demand the right to inspect and audit Recipient's facilities, systems, books, and records to monitor compliance with the agreement and cooperation by the Recipient in that endeavor.
4. Cybersecurity Measures: While the federal regulations mandate that both parties implement and document administrative, physical, and technical safeguards in order to protect Limited Data Sets, a Data Provider may choose to specifically state in the DUA the types of cybersecurity measures that it will require of the Recipient, a standard which may be greater than the minimum standards set forth in the regulations.
5. Indemnification: A Data Provider will likely want to protect themselves from claims arising out of the Recipient's activities under the Agreement, including any unauthorized use or disclosure of the Limited Data or breach of the DUA by the Recipient, or its employees, agents or subcontractors.
6. Term: It is important that the DUA sets forth when the Agreement becomes effective and when it ends.
7. Termination for Cause: It is important that at least the Data Provider can terminate the DUA if it determines the Recipient has materially breached the agreement. A Recipient will also probably want that right, but will likely try to condition termination on the breaching party having had an opportunity to cure.
   

In addition to these key provisions, a comprehensive Data Use Agreement should also include:

8. Scope and Purpose: A clear description of the Limited Data Set and the specific purposes for which it can be used by the Recipient.
9. Recipient's Obligations: Detailed obligations of the Recipient, including maintaining the confidentiality of the Limited Data Set, using it only for the specified purposes, and not attempting to re-identify the information or contact the individuals.
10. Data Provider's Rights: The rights of the Data Provider, such as the right to audit the Recipient's compliance with the agreement and the right to terminate the agreement if the Recipient breaches its obligations.
11. Reporting Requirements: The Recipient's obligations to report any unauthorized use, access, or disclosure of the Limited Data Set to the Data Provider.
12. Return or Destruction of Data: Requirements for the Recipient to return or destroy the Limited Data Set upon termination of the agreement, unless there is a legal requirement to keep it.
13. Governing Law and Jurisdiction: Specification of the governing law and jurisdiction for the agreement, which is particularly important if the Data Provider and Recipient are located in different states.

Checklist for a Good Data Use Agreement

To ensure that your Data Use Agreement is effective, comprehensive, and legally compliant, use this checklist:

•  Include all legally required provisions per HIPAA regulations
•  Thoroughly review and define terms and definitions
•  Specify data ownership rights
•  Include audit rights for the Data Provider
•  Specify required cybersecurity measures
•  Include indemnification provisions to protect the Data Provider
•  Clearly define the term of the agreement
•  Include termination for cause provisions
•  Clearly define the scope and purpose of data use
•  Detail the Recipient's obligations for data protection and use
•  Specify the Data Provider's rights
•  Include reporting requirements for unauthorized data use or disclosure
•  Address requirements for data return or destruction upon termination
•  Specify governing law and jurisdiction
•  Have the agreement reviewed by legal counsel specializing in healthcare and data privacy
•  Ensure the agreement is signed by authorized representatives of both parties
•  Securely store executed copies of the agreement

AI Contract Review for Data Use Agreements

To give you a sense for the benefits of leveraging legal contract ai trained by lawyers, we’ve selected some sample language our software presents to customers during a review. Keep in mind that these are static in this overview, but dynamic in our software - meaning our AI identifies the key issues and proactively surfaces alerts based on importance level and position (company, 3rd party, or neutral) and provides suggested revisions that mimic the style of the contract and align with party names and defined terms.

These samples represent a small sample of the pre-built, pre-trained Legal AI Contract Review solution for Data Use Agreements. If you’d like to see more, we invite you to book a demo.

PROVISION OF LIMITED DATA SET

For: Recipient

Alert: May be missing a clause requiring the data provider to remove direct identifiers from the PHI data set.

Guidance: The primary legal principle in the given suggestion is the safeguarding of privacy, particularly concerning PHI. The suggestion proposes the removal of direct identifiers from PHI in Limited Data Set(s), a measure aimed at preserving the privacy of individuals whose data is being utilized.

This suggestion is crucial as it ensures compliance with privacy laws and regulations, and protects individual rights. In the context of a Data Use Agreement, it is essential to handle data in a way that respects privacy and confidentiality.

For instance, in a research study using patient data, the proposed modification would necessitate researchers to eliminate any direct identifiers from the PHI they are using. This could include names, addresses, social security numbers, and any other information that could directly identify the individuals whose data is being used. This allows the research to continue while still protecting the privacy of the individuals involved.

HIPAA, specifically 45 C.F.R. § 164.514(e)(2), is the relevant statute in this context. This regulation mandates the removal of certain direct identifiers from PHI for it to be used in a Limited Data Set.

An important exception to this primary legal principle is the requirement for a Data Use Agreement (DUA). Under 45 C.F.R. § 164.514(e)(3), before a covered entity or its business associate can use or disclose a Limited Data Set, they must obtain satisfactory assurance, in the form of a DUA, that the recipient will only use or disclose the PHI for limited purposes. The DUA must establish who is permitted to use or receive the Limited Data Set, and provide that the recipient will not use or further disclose the information other than as permitted by the agreement or as otherwise required by law.

Sample Language:

PROVISION OF LIMITED DATA SET

Subject to the terms and conditions of this Agreement, DATA PROVIDER will provide RECIPIENT with one (or more) Limited Data Set(s):

1. that contains the minimum amount of Protected Health Information reasonably necessary for the purposes, as set forth below, for which RECIPIENT is to receive the Limited Data Set, and

2. from which all of the direct identifiers, as specified in 45 C.F.R. § 164.514(e)(2), of the individuals whose Protected Health Information is included in the Limited Data Set(s) and of the relatives, household members, and employers of those individuals have been removed.

PERMITTED USES AND DISCLOSURES BY RECIPIENT

For: Data Provider

Alert: May be missing a clause regarding the prohibition of using the PHI data set in a manner that would violate the privacy rule if done by the data provider. 

Guidance: The primary legal principle in the given suggestion is the prohibition of unauthorized use or disclosure of Limited Data Set(s) in violation of the Privacy Rule, 45 C.F.R. Part 164, Subpart E. This principle is crucial in ensuring the protection of individuals' medical records and other personal health information.

In practical terms, this principle serves to prevent unauthorized use or disclosure of the data, which could harm individuals and potentially result in legal penalties for the recipient. For instance, a research institution receiving a Limited Data Set from a healthcare provider for a study must adhere to this principle. The Data Use Agreement should clearly state that the institution is prohibited from using or disclosing the data in a way that violates the Privacy Rule.

Furthermore, it is of critical importance to consider the Privacy Rule, 45 C.F.R. Part 164, Subpart E, which is part of HIPAA. This rule sets standards for the protection of individuals' medical records and other personal health information.

Additionally, the ""Minimum Necessary"" standard under the Privacy Rule should be considered. This standard requires that reasonable efforts be made to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. However, this standard does not apply to the use or disclosure of Limited Data Sets, as they are considered a form of de-identified information. Therefore, the use and disclosure of Limited Data Sets are not subject to the Minimum Necessary standard.

Sample Language:

PERMITTED USES AND DISCLOSURES BY RECIPIENT

1. Except as otherwise limited in this Agreement or any other agreement between RECIPIENT and DATA PROVIDER, RECIPIENT is permitted to use and disclose the Limited Data Set(s) only for the following purposes (which must be limited to Health Care Operations, public health, or Research): [●●] (the “Purpose”). Further, RECIPIENT shall not re-disclose such data to anyone outside of RECIPIENT, including subcontractors and non-employee agents, for any purpose without the prior written consent of DATA PROVIDER.

2. RECIPIENT is not authorized to use or disclose the Limited Data Set(s) in a manner that would violate the Privacy Rule, 45 C.F.R. Part 164, Subpart E, if done by DATA PROVIDER.

3. RECIPIENT will neither use nor disclose the Limited Data Set(s) for any purpose other than as permitted by this Agreement, as otherwise permitted in writing by Data Provider, or as Required by Law.

INFORMATION SAFEGUARDS

For: Both

Alert: May be missing a clause specifically requiring the recipient to implement administrative, technical, and physical safeguards to maintain the integrity and confidentiality of the data set.

Guidance: The primary legal principle in the given suggestion highlights the significance of data confidentiality and security. It is essential for the Recipient to establish appropriate safeguards to protect the limited data set from unauthorized access, use, or disclosure.

This suggestion is particularly crucial for maintaining compliance with data protection regulations, avoiding potential legal liabilities, and preserving the Recipient's reputation. By providing a clear framework for data protection, the Recipient can prevent legal issues, maintain trust with data providers, and ensure responsible handling of sensitive information.

For instance, a healthcare organization receiving a limited data set containing patient information for research purposes should implement safeguards such as access controls, encryption, and regular audits. This ensures compliance with regulations like HIPAA and protects patient privacy.

Relevant statutes or laws to consider include HIPAA for healthcare-related data, FERPA for educational data, and state-specific data breach notification laws. These laws emphasize the importance of data protection and the implementation of safeguards to prevent unauthorized access, use, or disclosure of sensitive information.

A significant exception or specific regulation that applies to the primary legal principle of protecting personal information and privacy is the HIPAA Privacy Rule's ""minimum necessary"" standard. This standard requires limiting the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose. In the context of a Data Use Agreement (DUA), the minimum necessary standard requires the Recipient to implement safeguards that restrict access to the data to only those individuals who need it for the permitted purposes and limit the use and disclosure of the data to achieve those purposes.

Sample Language:

INFORMATION SAFEGUARDS

RECIPIENT will use appropriate safeguards to prevent the use or disclosure of a Limited Data Set other than as provided for by this Agreement. RECIPIENT will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to preserve the integrity and confidentiality of the Limited Data Set(s) and to prevent unauthorized use or disclosure of the Limited Data Set(s). RECIPIENT will document and keep these safeguards current.

Best Practices for Using Data Use Agreements

To make the most of your Data Use Agreements and ensure their effectiveness, follow these best practices:

1. Use DUAs Consistently: Whenever you share Limited Data Sets, ensure that you have a DUA in place. Consistency in your data sharing practices is key to maintaining HIPAA compliance.
2. Tailor to the Specific Data and Purpose: Each DUA should be specific to the Limited Data Set and the purposes for which it is being shared. Avoid using overly broad or generic language.
3. Educate Recipients: Make sure that the Recipients of your Limited Data Sets understand their obligations under the DUA. Provide training or educational materials if necessary.
4. Monitor Compliance: Regularly monitor Recipients' compliance with the terms of the DUA. This may involve conducting audits, requesting reports, or requiring regular certifications of compliance.
5. Act Quickly on Breaches: If you become aware of an unauthorized use or disclosure of a Limited Data Set, act quickly to mitigate any potential harm and ensure that the Recipient takes appropriate corrective action.
6. Keep Good Records: Maintain signed copies of all DUAs, along with any related correspondence or documentation. Good recordkeeping is essential for demonstrating HIPAA compliance.
7. Review and Update Regularly: HIPAA regulations and guidance can change over time. Regularly review your DUAs and update them as needed to ensure ongoing compliance.

Conclusion

Data Use Agreements are a critical tool for healthcare providers, health plans, and health care clearinghouses looking to share Limited Data Sets while maintaining compliance with HIPAA regulations. By clearly defining the permitted uses of the data, the obligations of the Recipient, and the rights of the Data Provider, DUAs help to ensure that sensitive health information is appropriately protected.

To ensure the effectiveness of your Data Use Agreements, it's important to include all legally required provisions, as well as key optional provisions such as data ownership, audit rights, cybersecurity requirements, indemnification, and termination conditions. The agreement should be tailored to your specific data sharing situation, reviewed by healthcare legal counsel, and regularly updated to maintain compliance.

By following best practices for executing and managing DUAs, healthcare organizations can facilitate important data sharing for public health, health care operations, and research purposes, while safeguarding the privacy and security of protected health information.