Skip to content

Data Use Agreement (DUA) Compliance Checklist

Overview

This checklist ensures compliance with Data Use Agreement requirements for sharing and using healthcare data between organizations. DUAs establish the terms and conditions for data access, use, and protection when PHI or other sensitive data is shared for research or operational purposes.

Core DUA Requirements

Permitted Uses and Restrictions

Clear definition of how shared data may be used and what uses are prohibited:

  • Primary Purpose: Specific research or operational purpose for data use
  • Secondary Uses: Allowed additional uses beyond primary purpose
  • Prohibited Uses: Explicitly forbidden uses of the data
  • Commercial Restrictions: Limitations on commercial or for-profit use
  • Publication Rights: Terms for publishing research results using the data

U.S.-Only Processing Requirements

Geographic restrictions ensuring data remains within U.S. jurisdiction:

  • Data Residency: All data must be processed and stored in U.S.-only facilities
  • Cloud Provider Restrictions: Use of U.S.-based cloud providers only
  • Access Limitations: Data access restricted to U.S.-based personnel
  • Egress Controls: Network controls preventing data transfer outside U.S.
  • Subcontractor Requirements: Downstream processors must also be U.S.-only

Security Controls and Safeguards

Comprehensive security measures to protect shared data:

  • Access Controls: Role-based access with unique user identification
  • Encryption Requirements: Encryption of data in transit and at rest
  • Audit Logging: Complete audit trail of all data access and modifications
  • Incident Response: Procedures for security incidents and breach notification
  • Physical Security: Facility access controls and environmental protections

Breach Notification Procedures

Immediate reporting requirements for security incidents:

  • Breach Definition: Any unauthorized access, use, or disclosure of data
  • Notification Timeline: Immediate notification to data provider (24-48 hours)
  • Investigation Requirements: Root cause analysis and impact assessment
  • Mitigation Measures: Steps taken to contain and resolve the breach
  • Regulatory Reporting: Assistance with required regulatory notifications

Data Destruction Requirements

Secure disposal of data when no longer needed:

  • Retention Period: Maximum time data may be retained
  • Destruction Timeline: When data must be destroyed after retention period
  • Destruction Methods: Approved secure deletion procedures
  • Destruction Verification: Confirmation of complete data destruction
  • Certificate of Destruction: Documentation of proper disposal

Audit Rights and Compliance Verification

Oversight mechanisms to ensure ongoing compliance:

  • Audit Rights: Right to audit data recipient's compliance
  • Access to Records: Review of security logs and access records
  • Compliance Reporting: Regular reports on data use and protection
  • Site Visits: On-site inspections of data handling facilities
  • Remediation Requirements: Corrective actions for identified issues

DUA Implementation Checklist

Pre-Agreement Assessment

  • Data Classification: Determine sensitivity level of data to be shared
  • Recipient Evaluation: Assess recipient's data handling capabilities
  • Legal Review: Legal review of proposed DUA terms
  • Risk Assessment: Evaluate risks associated with data sharing
  • IRB Approval: Ensure data sharing complies with research protocols

DUA Execution Requirements

  • Standard Template: Use approved DUA template with required provisions
  • Scope Definition: Clearly define what data will be shared and for what purpose
  • Duration: Specify agreement term and renewal conditions
  • Termination Rights: Conditions under which agreement can be terminated
  • Governing Law: Specify which laws govern the agreement

Data Transfer Procedures

  • Secure Transfer: Approved methods for initial data transfer
  • Encryption Standards: Required encryption for data in transit
  • Chain of Custody: Documentation of data transfer and receipt
  • Inventory Tracking: Complete inventory of transferred data
  • Transfer Acknowledgment: Confirmation of successful transfer

Ongoing Compliance Monitoring

  • Usage Monitoring: Track how shared data is being used
  • Access Logging: Maintain logs of all data access
  • Regular Audits: Periodic compliance audits and assessments
  • Compliance Reporting: Quarterly or annual compliance reports
  • Issue Resolution: Process for addressing compliance concerns

DUA Template Provisions

Standard Contract Language

# Data Use Agreement Template

**Parties**: This Agreement is between [Data Provider] and [Data Recipient]

**Effective Date**: [Date]

**Data Description**: [Detailed description of data being shared, including data types, volume, date ranges]

**Permitted Uses**:

- [Specific research purpose for which data is being provided]
- [Any approved secondary uses]
- Quality improvement and operational analysis
- De-identified data analysis for publication purposes

**Prohibited Uses**:

- Commercial sale or licensing of the data
- Re-identification of de-identified data
- Sharing data with unauthorized third parties
- Use for marketing or advertising purposes

**Data Security Requirements**:

- Encrypt all data in transit using [TLS 1.3/AES-256]
- Encrypt all data at rest using [AES-256-GCM]
- Implement role-based access controls
- Maintain audit logs of all data access
- Conduct annual security risk assessments

**Breach Notification**:

- Notify Data Provider within 24 hours of suspected breach
- Cooperate with breach investigation and response
- Provide all requested information for regulatory reporting
- Implement corrective actions as directed

Required DUA Elements

  • Parties and Contact Information: Clear identification of all parties
  • Data Description: Detailed description of shared data
  • Permitted and Prohibited Uses: Specific use limitations
  • Security Requirements: Data protection and access controls
  • Breach Notification: Incident reporting procedures
  • Data Return/Destruction: End-of-agreement data handling
  • Audit Rights: Compliance verification mechanisms
  • Term and Termination: Agreement duration and ending conditions
  • Governing Law: Applicable laws and dispute resolution

Data Transfer and Handling Procedures

Secure Data Transfer Methods

  1. Encrypted File Transfer: Use SFTP or encrypted HTTPS for file transfers
  2. API-Based Transfer: RESTful APIs with OAuth authentication
  3. Physical Media: Encrypted hard drives with chain of custody documentation
  4. Cloud Storage: Approved cloud platforms with access controls
  5. Database Replication: Secure database connections with encryption

Data Receipt and Validation

  • Transfer Verification: Confirm successful and complete data transfer
  • Integrity Checks: Validate data integrity using checksums or hashes
  • Format Validation: Ensure data conforms to agreed specifications
  • Security Scan: Scan for malware and unauthorized content
  • Inventory Documentation: Create complete inventory of received data

Access Control Implementation

  • User Authentication: Multi-factor authentication for all users
  • Role-Based Access: Different access levels based on user roles
  • Data Segmentation: Separate access based on data sensitivity
  • Remote Access Controls: Secure VPN or zero-trust access for remote users
  • Session Management: Automatic timeout and session monitoring

Breach Response and Notification

Breach Detection and Assessment

  1. Incident Identification: Immediate recognition of potential data breaches
  2. Impact Assessment: Evaluation of breach scope and affected data
  3. Containment Measures: Isolate affected systems and prevent spread
  4. Evidence Preservation: Secure relevant logs and system images
  5. Legal Consultation: Engage legal counsel for breach assessment

Notification Requirements

  • Internal Notification: Immediate notification to data governance team
  • Data Provider Notification: Within 24 hours of breach discovery
  • Regulatory Notification: As required by HIPAA and state laws
  • Individual Notification: If breach affects individuals' rights
  • Media Notification: For large-scale breaches affecting 500+ individuals

Investigation and Remediation

  • Root Cause Analysis: Identify how breach occurred
  • Impact Mitigation: Steps to minimize breach consequences
  • System Updates: Implement fixes to prevent recurrence
  • Policy Updates: Update policies based on lessons learned
  • Training Updates: Provide additional training on breach prevention

Audit and Compliance Verification

Audit Preparation

  • Documentation: Maintain complete DUA compliance documentation
  • Access Logs: Keep detailed logs of all data access
  • Security Records: Document security measures and incidents
  • Training Records: Track completion of required training
  • Policy Documentation: Current versions of relevant policies

Audit Process

  1. Pre-Audit Planning: Coordinate audit scope and timing
  2. Evidence Collection: Gather all required documentation
  3. On-Site Review: Allow physical inspection if required
  4. Interviews: Provide access to key personnel
  5. Findings Review: Respond to audit findings and recommendations

Corrective Actions

  • Finding Acknowledgment: Accept audit findings
  • Action Plan Development: Create plan to address findings
  • Implementation Timeline: Schedule for corrective actions
  • Progress Monitoring: Track implementation of fixes
  • Verification: Confirm effectiveness of corrective actions

DUA Lifecycle Management

Agreement Monitoring

  • Usage Tracking: Monitor how data is being used against permitted uses
  • Compliance Reviews: Regular reviews of DUA compliance
  • Performance Metrics: Track key compliance metrics
  • Issue Identification: Early detection of potential compliance issues
  • Stakeholder Communication: Regular updates to all parties

Agreement Renewal

  • Expiration Tracking: Monitor agreement expiration dates
  • Performance Review: Evaluate success of data sharing arrangement
  • Terms Negotiation: Review and update agreement terms
  • Renewal Decision: Determine if agreement should be renewed
  • Transition Planning: Plan for agreement end if not renewing

Agreement Termination

  1. Termination Notice: Provide required notice of termination
  2. Data Return: Return or destroy all shared data
  3. Destruction Verification: Confirm complete data destruction
  4. Final Audit: Conduct final compliance audit
  5. Certificate of Compliance: Document compliance through termination

Specialized DUA Considerations

Limited Data Sets (LDS)

For sharing limited data sets under HIPAA:

  • LDS Definition: Data with 16 specific identifiers removed
  • Purpose Limitation: Use only for research, public health, or healthcare operations
  • Minimum Necessary: Include only fields required for intended purpose
  • Re-identification Risk: Assessment of re-identification potential
  • IRB Requirements: IRB approval for research use of LDS

De-Identified Data Sharing

For sharing de-identified data:

  • De-identification Standards: Compliance with HIPAA Safe Harbor or Expert Determination
  • Re-identification Risk: Assessment of re-identification probability
  • Usage Restrictions: Permitted uses for de-identified data
  • Future Contact: Prohibition on re-contacting data subjects
  • Publication Rights: Terms for publishing research results

Multi-Party Data Sharing

For agreements involving multiple organizations:

  • Party Coordination: Clear roles and responsibilities for each party
  • Data Flow Management: Tracking data movement between parties
  • Joint Compliance: Shared responsibility for compliance oversight
  • Dispute Resolution: Process for resolving disagreements between parties
  • Exit Strategies: Terms for individual parties to exit the agreement

Regulatory Compliance Framework

HIPAA Compliance Requirements

  • Privacy Rule: Compliance with individual rights and data use limitations
  • Security Rule: Implementation of required administrative, physical, and technical safeguards
  • Breach Notification Rule: Proper notification procedures for data breaches
  • Minimum Necessary: Limitation of data to minimum necessary for intended purpose
  • Authorization: Proper authorization for uses beyond treatment, payment, and operations

Common Rule Compliance

For research data sharing:

  • IRB Oversight: IRB review and approval of data sharing arrangements
  • Informed Consent: Compliance with consent requirements for data use
  • Risk/Benefit Assessment: Evaluation of risks and benefits of data sharing
  • Vulnerable Populations: Additional protections for vulnerable research subjects
  • Data Security: Appropriate security measures for research data

State Law Considerations

  • State Privacy Laws: Compliance with state-specific privacy requirements
  • Medical Records Laws: State regulations governing medical data
  • Research Regulations: State requirements for research data handling
  • Breach Notification: State-specific breach notification requirements
  • Data Residency: State requirements for data storage location

DUA Resources and Templates

Regulatory References

Internal Resources

  • Golden Age Technologies Data Governance Policy
  • Information Security Standards
  • Privacy Program Guidelines
  • Compliance Training Materials

External Templates and Tools


This DUA checklist ensures compliant and secure sharing of healthcare data between organizations, protecting patient privacy while enabling valuable research and operational collaborations.

Last Updated: 9/28/2025 Version: 1.0.0