HIPAA Data Use Agreement (DUA): What It Is, Requirements, and Template
Definition of Data Use Agreement
A HIPAA Data Use Agreement (DUA) is a binding contract required by the HIPAA Privacy Rule when a covered entity or business associate discloses a Limited Data Set of Protected Health Information (PHI) to another party. It authorizes specific uses and disclosures of that data while contractually restricting everything else.
In plain terms, a DUA lets you share a Limited Data Set for research, public health, or health care operations without individual authorization, provided the recipient accepts strict conditions. Core elements include defined purposes, clear access limitations, Data Use Safeguards, and an explicit Re-identification Prohibition.
Purpose of a Data Use Agreement
The DUA balances two goals: enabling responsible data sharing and protecting individual privacy. It operationalizes the HIPAA Privacy Rule by telling recipients exactly what they may do with a Limited Data Set and how they must protect it.
- Enable necessary data flows for research, public health surveillance, quality improvement, and other health care operations.
- Document “minimum necessary” disclosures and align stakeholders around permitted uses and users.
- Impose Data Use Safeguards, incident reporting, and oversight so you can manage risk throughout the data lifecycle.
- Provide accountability and remedies if terms are violated, including misuse or attempted re-identification.
Requirements of a Data Use Agreement
Under the HIPAA Privacy Rule, a DUA must, at minimum, include these commitments for Limited Data Set disclosures:
Required terms
- Permitted uses and disclosures: precisely describe allowed purposes (e.g., specified research, public health, or health care operations) and prohibit all others.
- Authorized users and recipients: identify who is permitted to use or receive the Limited Data Set (e.g., named organization, department, and agents).
- Re-identification Prohibition and no-contact: ban any attempt to identify or contact individuals whose data is included.
- Data Use Safeguards: require appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure.
- Reporting obligations: require prompt reporting of any use or disclosure not provided for by the DUA.
- Downstream controls: require the recipient to ensure that any agents or subrecipients agree to the same restrictions and conditions.
- Return or destruction: require return or destruction of the Limited Data Set when the project ends or the data is no longer needed, or document why doing so is infeasible and continue protections.
Strongly recommended terms
- Security expectations for electronic data (e.g., encryption in transit and at rest, role-based access, logging, secure disposal).
- Incident and breach escalation procedures, including timelines and points of contact.
- Data retention schedule, audit rights, and cooperation during Institutional Review or compliance inquiries.
- Publication and disclosure review processes to minimize residual re-identification risk in outputs.
- Governing law, dispute resolution, and termination-for-cause provisions.
Components of a Data Use Agreement
An effective HIPAA Data Use Agreement follows a clear structure so each obligation is easy to find and enforce. Use the outline below to draft or evaluate your contract.
- Parties and contacts: legal names, addresses, and notice contacts for each organization.
- Purpose and scope: reference the approved Data Sharing Request and describe the project or activity.
- Definitions: Limited Data Set, PHI, recipient, agent, and other key terms.
- Data description: specific elements to be disclosed, frequency of transfer, format, and timeframe covered.
- Permitted uses and disclosures: narrow, purpose-bound authorization consistent with the HIPAA Privacy Rule.
- Restrictions: Re-identification Prohibition, no-contact clause, and prohibition on unauthorized linkage.
- Data Use Safeguards: required controls for storage, transmission, access, auditing, and disposal.
- Subrecipients/agents: prior approval, flow-down obligations, and oversight.
- Incident management: reporting, containment, investigation, and remediation.
- Retention, return, and destruction: timelines and documented infeasibility if data cannot be destroyed.
- Review and oversight: Institutional Review requirements, compliance audits, and cooperation duties.
- Publications and data outputs: review steps to mitigate re-identification risk before release.
- Term, termination, and remedies: triggers, cure periods, and consequences for breach.
- Signatures: authorized signatories and effective date.
Sample HIPAA Data Use Agreement Template
Use this high-level template as a starting point and tailor it to your project and institutional policies.
- Parties. This Data Use Agreement is between [Disclosing Party] and [Recipient] (together, the “Parties”). Notices to: [Names, Titles, Emails].
- Purpose. Recipient will use the Limited Data Set solely for [Research/Public Health/Health Care Operations] described in [Protocol/Workplan Title] (“Project”).
- Limited Data Set. The data will include [describe elements and time period] and exclude all direct identifiers as required under HIPAA.
- Permitted Uses/Disclosures. Recipient may use the Limited Data Set only to perform the Project and may disclose it only to its authorized agents who are bound to these terms.
- Prohibitions. Recipient will not attempt re-identification, will not contact any individual, and will not use or disclose the data except as permitted or required by law.
- Safeguards. Recipient will implement administrative, physical, and technical safeguards appropriate to the data’s sensitivity, including access controls, encryption, and secure disposal.
- Reporting. Recipient will promptly report any use or disclosure not permitted by this DUA, including security incidents, and cooperate in mitigation.
- Agents/Subrecipients. Recipient will ensure that any agent agrees in writing to the same restrictions and conditions.
- Retention and Disposition. Upon Project completion or upon request, Recipient will return or destroy the Limited Data Set. If infeasible, Recipient will explain why and continue protections.
- Oversight. Recipient will cooperate with Institutional Review and compliance assessments related to this DUA.
- Term/Termination. This DUA is effective on [Date] and remains in effect until [Date/Event]. Either Party may terminate for breach after [Cure Period] notice.
- Signatures. Authorized signatures: [Names/Titles/Signatures/Dates].
Limited Data Set Definition
A Limited Data Set is PHI that excludes specific direct identifiers of the individual and of relatives, employers, or household members. Unlike fully de-identified data, it may retain certain details (such as dates) that are critical for analysis, but it can be shared only under a DUA.
What may remain in a Limited Data Set
- Dates related to an individual (e.g., birth, death, admission, discharge, service) and relevant time stamps.
- Geographic information at the city, state, and ZIP code level.
- Clinical and administrative details necessary for the approved purpose (e.g., diagnoses, procedures, lab values, utilization metrics).
- Ages in years (including 90 and over), counts, and derived variables that do not directly identify a person.
What must be removed (direct identifiers)
- Names.
- Street address and other postal address information (other than city, state, and ZIP code).
- Telephone and fax numbers; email addresses.
- Social Security numbers; medical record and health plan beneficiary numbers; account numbers.
- Certificate and license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs and IP addresses.
- Biometric identifiers (e.g., finger or voice prints).
- Full-face photographs and comparable images.
Because a Limited Data Set is still PHI, it remains subject to HIPAA. You must have a DUA in place, follow the Privacy Rule, and honor the Re-identification Prohibition at all times.
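The identifier rules above are easier to apply reliably in a data-preparation pipeline than by hand. The following Python example is added here and is not code from the original page or from Accountable; the field names, record layout and sample values are assumptions constructed for illustration. It removes the direct identifiers the page lists, keeps the dates, city/state/ZIP, ages and clinical detail a Limited Data Set may retain, fails closed on any field that has not been classified, and then scans the remaining free-text values for identifier patterns (SSN, phone, email, IP address) that structural field removal alone would miss.

```python
"""Produce and check a HIPAA Limited Data Set (LDS) from a patient record.

Added example, not from the original page. The field names below are
assumptions about this example's record layout, not a standard schema.
"""
import re
from typing import Any

# Fields carrying the direct identifiers a Limited Data Set must exclude.
# Identifiers of relatives, employers and household members are covered by
# the same rule, hence the emergency-contact and employer fields.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "emergency_contact_name", "employer_name",
    "street_address",                      # city/state/ZIP may stay
    "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_number", "license_number",
    "vehicle_id", "license_plate", "device_id", "device_serial",
    "web_url", "ip_address", "biometric_id", "full_face_photo",
}

# Fields a Limited Data Set may retain: dates, city/state/ZIP, ages
# (including 90 and over), and clinical/administrative detail.
RETAINED_FIELDS = {
    "birth_date", "admission_date", "discharge_date", "service_date",
    "city", "state", "zip", "age_years",
    "diagnoses", "procedures", "lab_values", "clinical_notes",
}

# Patterns for identifiers that can hide inside retained free-text fields.
LEAK_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b")),
]


def to_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of ``record`` with every direct-identifier field removed.

    Any field that is neither a known identifier nor a known retained field
    raises ValueError, so a newly added column cannot leak silently.
    """
    lds: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field not in RETAINED_FIELDS:
            raise ValueError(f"unclassified field {field!r}: classify it before release")
        lds[field] = value
    return lds


def find_leaked_identifiers(lds: dict[str, Any]) -> list[tuple[str, str]]:
    """Scan string values in an LDS for identifier patterns; return (field, kind)."""
    hits: list[tuple[str, str]] = []
    for field, value in lds.items():
        texts = value if isinstance(value, (list, tuple)) else [value]
        for text in texts:
            if not isinstance(text, str):
                continue
            for kind, pattern in LEAK_PATTERNS:
                if pattern.search(text):
                    hits.append((field, kind))
    return hits


# Constructed sample record (fictitious values) in the assumed layout.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street_address": "123 Main St",
    "city": "Springfield", "state": "IL", "zip": "62701",
    "phone": "555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "ip_address": "192.0.2.10",
    "birth_date": "1950-03-04",
    "admission_date": "2023-01-10",
    "discharge_date": "2023-01-14",
    "age_years": 92,
    "diagnoses": ["E11.9"],
    # A phone number copied into notes: structural removal will not catch it.
    "clinical_notes": "Pt reports chest pain; callback number 555-0100 on file.",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print("LDS fields:", sorted(lds))
    print("Free-text leaks needing redaction:", find_leaked_identifiers(lds))
```

The allowlist-plus-denylist design is deliberate: the denylist implements the page's list of direct identifiers, while the allowlist means an unrecognised column blocks the transfer instead of passing through. The leak scan is a review aid, not a substitute for a proper clinical-text de-identification step, since free text can also carry names and other identifiers no regex will reliably catch.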
DUA Process Overview
Most organizations follow a structured pathway from request to closeout. Mapping your steps upfront speeds reviews and reduces rework.
- Data Sharing Request: you describe the purpose, population, data elements, timeframe, and justification (minimum necessary).
- Feasibility and scoping: the data owner confirms availability, data quality, and whether a Limited Data Set is appropriate.
- Privacy review: determine HIPAA pathway (Limited Data Set under a DUA versus other mechanisms) and verify that identifiers are excluded.
- Institutional Review: obtain IRB or Privacy Board review if required for human subjects research or institutional policy.
- Security evaluation: complete a security questionnaire and agree on Data Use Safeguards and transfer methods.
- Drafting and negotiation: legal teams finalize DUA language, including re-identification, reporting, and return/destruction terms.
- Execution: authorized signatories sign; effective date is recorded; project teams are onboarded to the obligations.
- Data preparation and transfer: extract, validate, and securely deliver the Limited Data Set; document what was sent and when.
- Monitoring and amendments: track compliance, update the DUA if scope changes, and manage subrecipients.
- Closeout: return or destroy data, verify disposition, and archive required records of compliance activities.
DUA vs Business Associate Agreement
Although they both protect PHI, a DUA and a Business Associate Agreement (BAA) address different situations and obligations.
- Use a DUA when you disclose a Limited Data Set to a recipient for research, public health, or health care operations. The DUA focuses on purpose-bound use, restricted data fields, and the Re-identification Prohibition.
- Use a BAA when a third party performs services or functions on your behalf that involve PHI (often beyond a Limited Data Set). The BAA imposes full HIPAA duties on the business associate, including Security Rule compliance and breach notification.
- You may need both when a vendor both performs services as a business associate and receives a Limited Data Set for a distinct analysis purpose. In that case, keep scopes clear and ensure both agreements align.
Conclusion
A HIPAA Data Use Agreement lets you share a Limited Data Set responsibly by defining permitted uses, enforcing Data Use Safeguards, and prohibiting re-identification. Pair a precise scope with a clear template and a disciplined review process—including Institutional Review where applicable—to protect privacy while advancing legitimate research, public health, and operations.
FAQs
What information is excluded from a Limited Data Set?
A Limited Data Set must remove direct identifiers of the individual and related persons. Excluded items include names; street address (other than city, state, and ZIP code); telephone and fax numbers; email addresses; Social Security numbers; medical record, health plan beneficiary, and account numbers; certificate and license numbers; vehicle and device identifiers; web URLs and IP addresses; biometric identifiers; and full-face photographs or comparable images.
How does a DUA differ from a Business Associate Agreement?
A DUA governs the disclosure and use of a Limited Data Set for research, public health, or health care operations and embeds a Re-identification Prohibition. A Business Associate Agreement applies when a third party performs services on behalf of a covered entity that involve PHI, imposing broader HIPAA duties (including Security Rule and breach obligations). Some relationships require both, with distinct scopes.
What are the key requirements of a HIPAA Data Use Agreement?
At minimum, your DUA must define permitted uses/disclosures, identify authorized users/recipients, prohibit re-identification and contact, require appropriate Data Use Safeguards, mandate reporting of improper uses/disclosures, flow down obligations to agents, and require return or destruction of the data when no longer needed or upon termination.
How is a DUA reviewed and approved?
Approval typically follows a documented Data Sharing Request, a privacy determination that a Limited Data Set is appropriate, security due diligence, and—when applicable—Institutional Review by an IRB or Privacy Board. Legal teams then negotiate and execute the DUA, after which the data is prepared, securely transferred, monitored during use, and properly disposed of at closeout.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.