Data Use Agreement for Limited Data Set
This Data Use Agreement (the “Agreement”) is effective as of ______, (the “Agreement Effective Date”) between ______(“Data Provider”) and the UNIVERSITY OF THE PACIFIC (“Recipient”).
WHEREAS, Data Provider possesses Individually Identifiable Health Information that is protected under HIPAA (as hereinafter defined) and the HIPAA Privacy Rule (as hereinafter defined), and wishes to use or disclose such information only in accordance with HIPAA and the HIPAA Privacy Rule;
WHEREAS, Data Provider wishes to disclose a Limited Data Set (as hereinafter defined) to Recipient for use by Recipient in performance of the Activities (as hereinafter defined);
WHEREAS, Data Provider wishes to ensure that Recipient will appropriately safeguard the Limited Data Set in accordance with HIPAA and the HIPAA Privacy Rule; and
WHEREAS, Recipient agrees to protect the privacy of the Limited Data Set in accordance with the terms and conditions of this Agreement, HIPAA and the HIPAA Privacy Rule;
NOW THEREFORE, Data Provider and Recipient agree as follows:
1. Definitions. The parties agree that the following terms, when used in this Agreement, shall have the following meanings, provided that the terms set forth below:
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
“HIPAA Privacy Rule” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164.
“Individually Identifiable Health Information”, and “Protected Health Information” or “PHI” shall have the same meanings as defined in the HIPAA Privacy Rule.
“Required by Law” shall have the meaning as defined in the HIPAA Privacy Rule.
2. Disclosure of Limited Data Set by Data Provider. Data Provider agrees to disclose to Recipient the data set forth on Exhibit A to this Agreement (the "Limited Data Set"). Such Limited Data Set shall not contain any of the following identifiers of the individual who is the subject of Protected Health Information, or of relatives, employers or household members of the individual: names; postal address information, other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images.
3. Obligations of Recipient.
a. Performance of Activities. Recipient may use and disclose the Limited Data Set received from Data Provider only in connection with the performance of the research activities set forth in Exhibit B to this Agreement (the “Activities”). Recipient shall limit the use or receipt of the Limited Data Set to the following individuals or classes of individuals who need the Limited Data Set for the performance of the Activities:
______.
b. Nondisclosure Except As Provided In Agreement. Recipient shall not use or further disclose the Limited Data Set except as permitted or required by this Agreement. Recipient may disclose, without restriction, information based upon the Limited Data Set if such disclosed information is de-identified in conformance with 45 CFR §164.514(a).
c. Use Or Disclosure. Recipient may not use or disclose the Limited Data Set in any manner that would violate the requirements of HIPAA or the HIPAA Privacy Rule if Recipient were Data Provider. Data Provider shall apprise Recipient of any restrictions on use or disclosure of the Limited Data Set to which Data Provider has agreed and with which Recipient must subsequently comply.
d. Identification Of Individual. Recipient may not use the Limited Data Set to identify or contact any individual who is the subject of the PHI from which the Limited Data Set was created.
e. Disclosures Required By Law. Recipient shall not, without the prior written consent of Data Provider, disclose the Limited Data Set on the basis that such disclosure is required by law without notifying Data Provider so that Data Provider shall have an opportunity to object to the disclosure and to seek appropriate relief. If Data Provider objects to such disclosure, Recipient shall refrain from disclosing the Limited Data Set until Data Provider has exhausted all alternatives for relief.
f. Safeguards. Recipient shall use any and all appropriate safeguards to prevent use or disclosure of the Limited Data Set other than as provided by this Agreement.
g. Agreement By Parties To Whom Information Disclosed. Before disclosing the Limited Data Set to any party for the Activities, Recipient shall secure the agreement of such party to be bound by the same restrictions and conditions that apply to Recipient with respect to such Limited Data Set. Recipient further agrees that any agent, including a subcontractor, to whom it provides the Limited Data Set agrees to the same restrictions and conditions that apply through this Agreement to the Recipient with respect to such information.
h. Reporting. Recipient shall report to Data Provider any use or disclosure of the Limited Data Set in violation of this Agreement or applicable law.
4. Term; Termination.
a. Term. This Agreement shall be effective as of the Agreement Effective Date, and shall remain in effect until the Activities (defined in Section 3.a) have been completed and all of the PHI received from Data Provider, or created or received by Recipient on behalf of Data Provider, is destroyed or returned to Data Provider in accordance with Section 4.c; or, if it is infeasible to return or destroy the Limited Data Set, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Termination. Upon Data Provider’s knowledge of a material breach by Recipient, Data Provider shall at its discretion, either:
(1) Provide an opportunity for Recipient to cure the breach or end the violation and terminate the Agreement if Recipient does not cure the breach or end the violation within the time specified by Data Provider; or
(2) Immediately terminate the Agreement if Recipient has breached a material term of this Agreement and cure is not possible; or
(3) If neither termination nor cure is feasible, Data Provider shall report the violation to the Secretary of the U.S. Department of Health and Human Services, and Recipient agrees that it shall not have or make any claim(s), whether at law, in equity, or under this Agreement, against Data Provider with respect to such report(s).
c. Effect of Termination.
(1) Except as provided in Section 4.c(2), upon termination of the Agreement, for any reason, Recipient shall return or destroy all PHI (including any Limited Data Set) received from Data Provider, or created or received by Recipient on behalf of Data Provider. This Data Provider provision shall apply to PHI that is in the possession of subcontractors or agents of Recipient. Recipient shall retain no copies of such PHI.
(2) In the event that Recipient determines that returning or destroying the PHI is infeasible, Recipient shall provide to Data Provider notification of the conditions that make return or destruction infeasible. If, in the parties’ judgment, such return or destruction of PHI is infeasible, Recipient shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Recipient maintains such PHI.
5. Miscellaneous.
a. Ownership of Limited Data Set. The parties mutually agree that Data Provider retains all ownership rights to the data file(s) referred to in this Agreement, and that the Recipient does not obtain any right, title or interest in any of the data furnished by Data Provider.
b. Data Provider’s Rights of Access and Inspection. From time to time upon reasonable notice, or upon a reasonable determination by Data Provider that Recipient has breached this Agreement, Data Provider may inspect the facilities, systems, books and records of Recipient to monitor compliance with this Agreement. The fact that Data Provider inspects, or fails to inspect, or has the right to inspect, Recipient’s facilities, systems and procedures does not relieve Recipient of its responsibility to comply with this Agreement, nor does Data Provider’s (1) failure to detect or (2) detection of, but failure to notify Recipient or require Recipient’s remediation of, any unsatisfactory practices constitute acceptance of such practice or a waiver of Data Provider’s enforcement or termination rights under this Agreement.
c. Knowledge of Non-Compliance. Any non-compliance by Recipient with this Agreement or with HIPAA or the HIPAA Privacy Rule automatically will be considered a breach or violation of a material term of this Agreement if Recipient knew or reasonably should have known of such non-compliance and failed to immediately take reasonable steps to cure the non-compliance.
d. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section currently in effect or as amended.
e. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Data Provider to comply with the Privacy Rule. All references to statutory or regulatory code sections herein shall be as amended from time to time, and this Agreement shall be deemed automatically amended to refer to and incorporate the most current version of those code sections.
f. Survival. Recipient’s obligations to protect the privacy of the data subjects and PHI it created or received in connection with services provided under this Agreement shall survive termination, cancellation or expiration of the Agreement.
g. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Data Provider to comply with the requirements of the HIPAA Privacy Rule and Security Rule or other applicable law.
h. State Law. In the event that the mandatory terms of the HIPAA Privacy Rule or this Agreement conflict with obligations imposed under State Law relating to the privacy of individually identifiable health information and State Law is more stringent than this Agreement or the Privacy Rule, Recipient shall follow the State Law with regard to proper uses and disclosures of the data set forth on Exhibit A.
j. Complaints and Inquiries. If Recipient receives a complaint or inquiry concerning Recipient’s activities pursuant to this Agreement or concerning Data Provider’s privacy practices, Recipient will forward this complaint to the Data Provider Privacy Office the same day it is received, using a method that is likely to ensure delivery to the Data Provider Privacy Office by the next business day (e.g., fax, e-mail, express mail, hand delivery).
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Effective Date, ______, 201__.
Provider: ______ Recipient: UNIVERSITY OF THE PACIFIC
______
Signature of Authorized Representative Signature of Authorized Representative
______
Title of Authorized Representative Title of Authorized Representative
______
Name of Authorized Representative Name of Authorized Representative
EXHIBIT A
LIMITED DATA SET
Objective: The purpose of the use of the data:
How Data Received:
Common Participant Data Code:
Description of Data received:
Pacific IRB Protocol Number:
EXHIBIT B
THE RESEARCH ACTIVITIES