2014 Apr 23;2(1):1057. doi: 10.13063/2327-9214.1057

Table 2.

Types, Definitions, and Components of Data Sharing Agreements

Type of Agreement | Definition | Components

Data Use Agreement (DUA)
Definition: A covered entity may use or disclose a limited data set if that entity obtains a data use agreement from the potential recipient. This information can only be used for: Research, Public Health, or Health Care Operations. A limited data set is protected health information that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual. [12]
Components:
  • Establishes what the data will be used for, as permitted above. The DUA must not violate this principle.

  • Establishes who is permitted to use or receive the limited data set.

  • Provides that the limited data set recipient will:
    – Not use the information in a manner inconsistent with the DUA or other laws.
    – Employ safeguards to ensure that this does not happen.
    – Report to the covered entity any use of the information that was not stipulated in the DUA.
    – Ensure that any other parties, including subcontractors, agree to the same conditions as the limited data set recipient in the DUA.
    – Not identify the information or contact the individuals themselves.

Business Associate Agreement (BAA)
Definition: A business associate is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). [11]
Components:
  • Describes the permitted and required uses of protected health information by the business associate.

  • Provides that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.

  • Requires the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

Data Use and Reciprocal Support Agreement (DURSA)
Definition: The DURSA is the legal, multi-party trust agreement that is entered into voluntarily by all entities, organizations and Federal agencies that desire to engage in electronic health information exchange with each other using an agreed upon set of national standards, services and policies developed in coordination with the Office of the National Coordinator for Health IT (ONC) in the U.S. Department of Health and Human Services. [27]
Components:
  • Multi-party agreement that specifies:
    – Participants actively engaged in health information exchange
    – Privacy and security obligations
    – Requests for information based on a permitted purpose
    – Duty to respond
    – Future use of data received from another participant
    – Respective duties of submitting and receiving participants
    – Autonomy principle for access
    – Use of authorizations to support requests for data
    – Participant breach notification
    – Mandatory non-binding dispute resolution
    – Allocation of liability risk

Participation Agreement (PA)
Definition: Designed to ensure that participants comply with the data sharing policies and procedures, Participation Agreements spell out the terms of the relationship, including the roles, rights and responsibility of each party as they pertain to the initiative. [4]
Components: May include or reference one or more of the above-named agreements.