Data Use Agreements (DUA or DTUA)

Data Transfer and Use Agreements 

The School of Medicine and Public Health generates large volumes of data through our bench and human subjects research.  The exchange of such data allows for broader insights by tapping into larger and broader population pools, which in turn results in more reliable and meaningful research outcomes.  It may also help prevent duplication of efforts, and allow for greater collaborative comparisons of data.  SMPH facilitates such transfers in a way that complies with federal law and UW policy, which include HIPAA (which applies to Protected Health Information), and our UW-Madison Policy of Data Stewardship, Access, and Retention.  

What is a DTUA? 

Data Transfer and Use Agreements (DTUAs) are contracts used to govern how data can be shared between parties.  These agreements include provisions to address various legal requirements imposed by federal law, and also outline limitations that protect the provider of the data. SMPH uses the Federal Demonstration Partnership (FDP) Agreement, which was designed to increase consistency in the terms and format of DTUAs, and to simplify negotiation between research institutions.  The FDP templates allow for the sharing of multiple types of data, and for sharing with one or more parties.  Additionally, depending on the nature of the data and the recipients involved, compliance with international and national regulations such as the General Data Protection Regulation (GDPR) and the Family Educational Rights and Privacy Act (FERPA) may also be required. 

When is a DTUA Needed? 

An agreement should be used when transferring data to a third party. This could be done through an existing agreement, such as the funding agreement, or through a separate DTUA.  Campus policy dictates the need for such an agreement. 

Federal law may require the use of a data agreement, such as when Protected Health Information (PHI) is disclosed to a third party.  When PHI is disclosed, the Health Insurance Portability and Accountability Act (HIPAA) compels us to follow certain requirements in sharing that data, including having an agreement in place that imposes certain obligations before the data is shared. Failure to comply with HIPAA may result in penalties to the UW and its employees. 

Types of Data 

  1. De-identified means that the health information or data set does not identify an individual and that there is no reasonable basis to believe that the information in the data set can be used to identify an individual. Under HIPAA, health information is considered “de-identified” if 18 criteria are removed from the data set. These criteria include direct identifiers, such as name and address, but also include other indirect identifiers, such as dates directly related to the individual (e.g. date of birth, admission date, discharge date) and zip code. For more information, see UW-Madison’s policy on de-identification. 
  2. A Limited Data Set (LDS) can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, state and 5-digit zip code. A LDS is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: 
    1. Names 
    2. Postal address information (other than town or city, state, and 5-digit zip code) 
    3. Telephone numbers 
    4. Fax numbers 
    5. Electronic mail addresses 
    6. Social security numbers 
    7. Medical record numbers 
    8. Health plan beneficiary numbers 
    9. Account numbers 
    10. Certificate/license numbers 
    11. Vehicle identifiers and serial numbers, including license plate numbers 
    12. Device identifiers and serial numbers 
    13. Web Universal Resource Locators (URLs) 
    14. Internet Protocol (IP) address numbers 
    15. Biometric identifiers, including finger and voice prints 
    16. Full face photographic images and any comparable images 
  3. For purposes of HIPAA, your dataset includes personally identifiable information covered by HIPAA if one or more of the eighteen HIPAA direct or indirect identifiers remain in the dataset. These identifiers are: 
    1. Names 
    2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
      1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and
      2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
    4. Telephone numbers
    5. Facsimile numbers
    6. Electronic mail addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web universal resource locators (URLs)
    15. Internet protocol (IP) address numbers
    16. Biometric identifiers, including fingerprints and voiceprints
    17. Full-face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification

DTUAs and the IRB 

If data was gathered from a human subjects study, the study team should review the IRB protocol to confirm whether the application allows for the disclosure of such data with the anticipated recipient.  The study team should consult with the Health Sciences IRB for clarity on this matter.  If a change of protocol is needed, the study team should begin the process prior to submitting the DTUA in RAMP. 

Information on requesting a change to an IRB protocol can be found here. Additional guidance on sending and receiving individual level human subjects research data can be found here (for sending) and here (for receiving).