Data Use Agreement (DUA) Compliance Checklist¶
Overview¶
This checklist ensures compliance with Data Use Agreement requirements for sharing and using healthcare data between organizations. DUAs establish the terms and conditions for data access, use, and protection when PHI or other sensitive data is shared for research or operational purposes.
Core DUA Requirements¶
Permitted Uses and Restrictions¶
Clear definition of how shared data may be used and what uses are prohibited:
- Primary Purpose: Specific research or operational purpose for data use
- Secondary Uses: Allowed additional uses beyond primary purpose
- Prohibited Uses: Explicitly forbidden uses of the data
- Commercial Restrictions: Limitations on commercial or for-profit use
- Publication Rights: Terms for publishing research results using the data
U.S.-Only Processing Requirements¶
Geographic restrictions ensuring data remains within U.S. jurisdiction:
- Data Residency: All data must be processed and stored in U.S.-only facilities
- Cloud Provider Restrictions: Use of U.S.-based cloud providers only
- Access Limitations: Data access restricted to U.S.-based personnel
- Egress Controls: Network controls preventing data transfer outside U.S.
- Subcontractor Requirements: Downstream processors must also be U.S.-only
Security Controls and Safeguards¶
Comprehensive security measures to protect shared data:
- Access Controls: Role-based access with unique user identification
- Encryption Requirements: Encryption of data in transit and at rest
- Audit Logging: Complete audit trail of all data access and modifications
- Incident Response: Procedures for security incidents and breach notification
- Physical Security: Facility access controls and environmental protections
Breach Notification Procedures¶
Immediate reporting requirements for security incidents:
- Breach Definition: Any unauthorized access, use, or disclosure of data
- Notification Timeline: Immediate notification to data provider (24-48 hours)
- Investigation Requirements: Root cause analysis and impact assessment
- Mitigation Measures: Steps taken to contain and resolve the breach
- Regulatory Reporting: Assistance with required regulatory notifications
Data Destruction Requirements¶
Secure disposal of data when no longer needed:
- Retention Period: Maximum time data may be retained
- Destruction Timeline: When data must be destroyed after retention period
- Destruction Methods: Approved secure deletion procedures
- Destruction Verification: Confirmation of complete data destruction
- Certificate of Destruction: Documentation of proper disposal
Audit Rights and Compliance Verification¶
Oversight mechanisms to ensure ongoing compliance:
- Audit Rights: Right to audit data recipient's compliance
- Access to Records: Review of security logs and access records
- Compliance Reporting: Regular reports on data use and protection
- Site Visits: On-site inspections of data handling facilities
- Remediation Requirements: Corrective actions for identified issues
DUA Implementation Checklist¶
Pre-Agreement Assessment¶
- Data Classification: Determine sensitivity level of data to be shared
- Recipient Evaluation: Assess recipient's data handling capabilities
- Legal Review: Legal review of proposed DUA terms
- Risk Assessment: Evaluate risks associated with data sharing
- IRB Approval: Ensure data sharing complies with research protocols
DUA Execution Requirements¶
- Standard Template: Use approved DUA template with required provisions
- Scope Definition: Clearly define what data will be shared and for what purpose
- Duration: Specify agreement term and renewal conditions
- Termination Rights: Conditions under which agreement can be terminated
- Governing Law: Specify which laws govern the agreement
Data Transfer Procedures¶
- Secure Transfer: Approved methods for initial data transfer
- Encryption Standards: Required encryption for data in transit
- Chain of Custody: Documentation of data transfer and receipt
- Inventory Tracking: Complete inventory of transferred data
- Transfer Acknowledgment: Confirmation of successful transfer
Ongoing Compliance Monitoring¶
- Usage Monitoring: Track how shared data is being used
- Access Logging: Maintain logs of all data access
- Regular Audits: Periodic compliance audits and assessments
- Compliance Reporting: Quarterly or annual compliance reports
- Issue Resolution: Process for addressing compliance concerns
DUA Template Provisions¶
Standard Contract Language¶
# Data Use Agreement Template
**Parties**: This Agreement is between [Data Provider] and [Data Recipient]
**Effective Date**: [Date]
**Data Description**: [Detailed description of data being shared, including data types, volume, date ranges]
**Permitted Uses**:
- [Specific research purpose for which data is being provided]
- [Any approved secondary uses]
- Quality improvement and operational analysis
- De-identified data analysis for publication purposes
**Prohibited Uses**:
- Commercial sale or licensing of the data
- Re-identification of de-identified data
- Sharing data with unauthorized third parties
- Use for marketing or advertising purposes
**Data Security Requirements**:
- Encrypt all data in transit using [TLS 1.3/AES-256]
- Encrypt all data at rest using [AES-256-GCM]
- Implement role-based access controls
- Maintain audit logs of all data access
- Conduct annual security risk assessments
**Breach Notification**:
- Notify Data Provider within 24 hours of suspected breach
- Cooperate with breach investigation and response
- Provide all requested information for regulatory reporting
- Implement corrective actions as directed
Required DUA Elements¶
- Parties and Contact Information: Clear identification of all parties
- Data Description: Detailed description of shared data
- Permitted and Prohibited Uses: Specific use limitations
- Security Requirements: Data protection and access controls
- Breach Notification: Incident reporting procedures
- Data Return/Destruction: End-of-agreement data handling
- Audit Rights: Compliance verification mechanisms
- Term and Termination: Agreement duration and ending conditions
- Governing Law: Applicable laws and dispute resolution
Data Transfer and Handling Procedures¶
Secure Data Transfer Methods¶
- Encrypted File Transfer: Use SFTP or encrypted HTTPS for file transfers
- API-Based Transfer: RESTful APIs with OAuth authentication
- Physical Media: Encrypted hard drives with chain of custody documentation
- Cloud Storage: Approved cloud platforms with access controls
- Database Replication: Secure database connections with encryption
Data Receipt and Validation¶
- Transfer Verification: Confirm successful and complete data transfer
- Integrity Checks: Validate data integrity using checksums or hashes
- Format Validation: Ensure data conforms to agreed specifications
- Security Scan: Scan for malware and unauthorized content
- Inventory Documentation: Create complete inventory of received data
Access Control Implementation¶
- User Authentication: Multi-factor authentication for all users
- Role-Based Access: Different access levels based on user roles
- Data Segmentation: Separate access based on data sensitivity
- Remote Access Controls: Secure VPN or zero-trust access for remote users
- Session Management: Automatic timeout and session monitoring
Breach Response and Notification¶
Breach Detection and Assessment¶
- Incident Identification: Immediate recognition of potential data breaches
- Impact Assessment: Evaluation of breach scope and affected data
- Containment Measures: Isolate affected systems and prevent spread
- Evidence Preservation: Secure relevant logs and system images
- Legal Consultation: Engage legal counsel for breach assessment
Notification Requirements¶
- Internal Notification: Immediate notification to data governance team
- Data Provider Notification: Within 24 hours of breach discovery
- Regulatory Notification: As required by HIPAA and state laws
- Individual Notification: If breach affects individuals' rights
- Media Notification: For large-scale breaches affecting 500+ individuals
Investigation and Remediation¶
- Root Cause Analysis: Identify how breach occurred
- Impact Mitigation: Steps to minimize breach consequences
- System Updates: Implement fixes to prevent recurrence
- Policy Updates: Update policies based on lessons learned
- Training Updates: Provide additional training on breach prevention
Audit and Compliance Verification¶
Audit Preparation¶
- Documentation: Maintain complete DUA compliance documentation
- Access Logs: Keep detailed logs of all data access
- Security Records: Document security measures and incidents
- Training Records: Track completion of required training
- Policy Documentation: Current versions of relevant policies
Audit Process¶
- Pre-Audit Planning: Coordinate audit scope and timing
- Evidence Collection: Gather all required documentation
- On-Site Review: Allow physical inspection if required
- Interviews: Provide access to key personnel
- Findings Review: Respond to audit findings and recommendations
Corrective Actions¶
- Finding Acknowledgment: Accept audit findings
- Action Plan Development: Create plan to address findings
- Implementation Timeline: Schedule for corrective actions
- Progress Monitoring: Track implementation of fixes
- Verification: Confirm effectiveness of corrective actions
DUA Lifecycle Management¶
Agreement Monitoring¶
- Usage Tracking: Monitor how data is being used against permitted uses
- Compliance Reviews: Regular reviews of DUA compliance
- Performance Metrics: Track key compliance metrics
- Issue Identification: Early detection of potential compliance issues
- Stakeholder Communication: Regular updates to all parties
Agreement Renewal¶
- Expiration Tracking: Monitor agreement expiration dates
- Performance Review: Evaluate success of data sharing arrangement
- Terms Negotiation: Review and update agreement terms
- Renewal Decision: Determine if agreement should be renewed
- Transition Planning: Plan for agreement end if not renewing
Agreement Termination¶
- Termination Notice: Provide required notice of termination
- Data Return: Return or destroy all shared data
- Destruction Verification: Confirm complete data destruction
- Final Audit: Conduct final compliance audit
- Certificate of Compliance: Document compliance through termination
Specialized DUA Considerations¶
Limited Data Sets (LDS)¶
For sharing limited data sets under HIPAA:
- LDS Definition: Data with 16 specific identifiers removed
- Purpose Limitation: Use only for research, public health, or healthcare operations
- Minimum Necessary: Include only fields required for intended purpose
- Re-identification Risk: Assessment of re-identification potential
- IRB Requirements: IRB approval for research use of LDS
De-Identified Data Sharing¶
For sharing de-identified data:
- De-identification Standards: Compliance with HIPAA Safe Harbor or Expert Determination
- Re-identification Risk: Assessment of re-identification probability
- Usage Restrictions: Permitted uses for de-identified data
- Future Contact: Prohibition on re-contacting data subjects
- Publication Rights: Terms for publishing research results
Multi-Party Data Sharing¶
For agreements involving multiple organizations:
- Party Coordination: Clear roles and responsibilities for each party
- Data Flow Management: Tracking data movement between parties
- Joint Compliance: Shared responsibility for compliance oversight
- Dispute Resolution: Process for resolving disagreements between parties
- Exit Strategies: Terms for individual parties to exit the agreement
Regulatory Compliance Framework¶
HIPAA Compliance Requirements¶
- Privacy Rule: Compliance with individual rights and data use limitations
- Security Rule: Implementation of required administrative, physical, and technical safeguards
- Breach Notification Rule: Proper notification procedures for data breaches
- Minimum Necessary: Limitation of data to minimum necessary for intended purpose
- Authorization: Proper authorization for uses beyond treatment, payment, and operations
Common Rule Compliance¶
For research data sharing:
- IRB Oversight: IRB review and approval of data sharing arrangements
- Informed Consent: Compliance with consent requirements for data use
- Risk/Benefit Assessment: Evaluation of risks and benefits of data sharing
- Vulnerable Populations: Additional protections for vulnerable research subjects
- Data Security: Appropriate security measures for research data
State Law Considerations¶
- State Privacy Laws: Compliance with state-specific privacy requirements
- Medical Records Laws: State regulations governing medical data
- Research Regulations: State requirements for research data handling
- Breach Notification: State-specific breach notification requirements
- Data Residency: State requirements for data storage location
DUA Resources and Templates¶
Regulatory References¶
- HIPAA Privacy Rule
- HIPAA Security Rule
- Common Rule (45 CFR Part 46)
- NIH Data Sharing Policies
- FDA Guidance on Data Sharing
Internal Resources¶
- Golden Age Technologies Data Governance Policy
- Information Security Standards
- Privacy Program Guidelines
- Compliance Training Materials
External Templates and Tools¶
This DUA checklist ensures compliant and secure sharing of healthcare data between organizations, protecting patient privacy while enabling valuable research and operational collaborations.
Last Updated: 9/28/2025 Version: 1.0.0