Data Transfer and Use Agreements

Page Updated: July 2nd, 2020

Overview

Research conducted at the University of Wisconsin-Madison generates significant volumes of valuable data. Exchanging this data with other researchers increases the ability of our researchers to analyze and translate the data into meaningful reports and knowledge; sharing data may also help prevent duplication of effort, or allow for greater collaborative comparison of data. We support the sharing of data to advance research goals, and want to help facilitate it in a way that complies with the laws and policies that may limit subsequent use of the data. These laws and policies include HIPAA (which applies to Protected Health Information), FERPA (which applies to student records), and the UW-Madison Policy on Data Stewardship, Access, and Retention. A Data Transfer and Use Agreement (DTUA) is one type of contract that we can use to comply with these laws and policies while also protecting the rights of the subjects of the data and the University's interest in the value of the data.

What is a DTUA?

Data Transfer and Use Agreements (DTUAs) are contracts written to govern how data is shared. These agreements include provisions that address the legal requirements imposed by HIPAA or FERPA, and also set out use limitations that protect the institution providing the data. UW-Madison enters into DTUAs both when it is the provider and when it is the recipient of data. UW-Madison now uses the Data Transfer and Use Agreement templates developed by the Federal Demonstration Partnership (FDP). The templates and other helpful resources are available on the FDP website, and RSP will use them wherever possible to minimize the negotiation involved in developing a DTUA. Your RSP negotiator will work with you to craft any unique language that needs to be added to a template, but keep in mind that the goal of participating in the FDP is to minimize the number of changes that must be ironed out before a DTUA is finalized.

Why and When would you need a DTUA?

In practice, whenever data is transferred off campus to another person or institution, an agreement governing the sharing of that data should be in place. This may be an existing agreement, such as the funding agreement, or a separate DTUA. The requirement to have an agreement regarding access to and use of data comes from the University of Wisconsin-Madison's Policy on Data Stewardship, Access, and Retention (Section 4.3).

Beyond the campus Policy on Data Stewardship, Access, and Retention, there are instances where federal law makes an agreement absolutely necessary, such as when Protected Health Information (PHI) is involved. Whenever the University shares PHI, the federal Health Insurance Portability and Accountability Act (HIPAA) compels us to follow specific requirements in sharing that data, including having an agreement in place that imposes certain obligations on the recipient before the data is shared. Failure to comply with HIPAA may result in penalties to the University and to its employees.

DTUAs and the IRB

If your data includes data gathered through human subjects research, an important first step in the DTUA process is confirming that your original IRB protocol authorizes sharing the data with your proposed recipient. New uses for data that were not contemplated at the beginning of a study are often discovered during the research. If your IRB protocol does not authorize your planned data sharing, begin the change-of-protocol process at the same time as, or before, you seek a DTUA from RSP; doing so will greatly expedite the process. Information on requesting a change to an IRB protocol can be found here.

Determining the Type of Data you are Sharing

Whether your human subjects data is fully de-identified, a Limited Data Set, or full PHI is often a complicated question. Your school's HIPAA Privacy Coordinator is often a good first stop for questions about PHI. In addition, the Federal Demonstration Partnership has created this tool to help determine what type of data you are sharing, and thus which of the agreements below best fits your needs.

Types of DTUAs

DTUAs - Identifiable Human Subject Data

In certain circumstances, it is necessary to share datasets that include personally identifiable information. Which DTUA is appropriate depends on whether your dataset is covered by HIPAA, or is covered only by the Common Rule.

DTUA - Personally Identifiable Information - HIPAA

If the provider of the dataset is a health care provider or health insurer (a HIPAA covered entity), and the recipient of the dataset is a non-profit or academic institution, then the DTUA for Personally Identifiable Information - HIPAA template is used.

For purposes of HIPAA, your dataset includes personally identifiable information covered by HIPAA if one or more of the eighteen HIPAA direct or indirect identifiers remain in the dataset. These identifiers are:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and
    2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Facsimile numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web universal resource locators (URLs)
  15. Internet protocol (IP) address numbers
  16. Biometric identifiers, including fingerprints and voiceprints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification

A copy of the agreement can be found here: DTUA - HIPAA.

DTUA - Personally Identifiable Information - Common Rule

If the provider of the data set is not a covered entity, and the recipient of the dataset is a non-profit or academic institution, then the DTUA for Personally Identifiable Information - Common Rule template is used.

For purposes of the Common Rule, your data set includes personally identifiable information if the identity of the subject is or may readily be ascertained by the investigator or is otherwise associated with the information.

A copy of the agreement to be used can be found here: DTUA – Common Rule.

DTUA – HIPAA Limited Data Set

This type of agreement is used in situations where Protected Health Information (PHI) is being exchanged after the removal of specific identifiers in order to create a Limited Data Set (often referred to simply as an “LDS”). Under HIPAA, PHI which does not include the following 16 identifiers comprises a Limited Data Set which may be shared under an agreement that addresses specific requirements stated in HIPAA:

  1. Names
  2. Postal address information, other than town or city, state, and ZIP Code
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Device identifiers and serial numbers
  13. Web universal resource locators (URLs)
  14. Internet protocol (IP) address numbers
  15. Biometric identifiers, including fingerprints and voiceprints
  16. Full-face photographic images and any comparable images

Note that a Limited Data Set is still PHI under HIPAA; removing these identifiers only permits the data to be disclosed under a data use agreement that meets HIPAA's requirements, rather than requiring patient authorization. Once an LDS has been created and a HIPAA-compliant DTUA is in place, the LDS may be shared in accordance with the DTUA. See the UW-Madison policy about the Creation of a Limited Data Set for more information. A copy of the agreement to be used can be found here: DTUA – HIPAA Limited Data Set.

DTUA – De-identified Human Subject Data

This type of agreement is used in situations where data is being exchanged which has been de-identified by removing specific identifiers. Under HIPAA's "Safe Harbor" method, data which does not include the following 18 identifiers, and about which the covered entity has no actual knowledge that the remaining information could be used to identify an individual, is deemed de-identified and may be shared and used without taking any further measures to comply with HIPAA:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and
    2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Facsimile numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web universal resource locators (URLs)
  15. Internet protocol (IP) address numbers
  16. Biometric identifiers, including fingerprints and voiceprints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.

Once the data has been de-identified and a DTUA is in place, the data may be shared in accordance with the DTUA. (HIPAA no longer applies to de-identified data, but the campus Policy on Data Stewardship, Access, and Retention still calls for an agreement.) See the UW-Madison policy about the De-identification of Protected Health Information for more information. A copy of the agreement to be used can be found here: DTUA – De-Identified Data.
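The two identifier lists above (the 16 removed for a Limited Data Set and the 18 removed for Safe Harbor de-identification) differ only in a few categories, and the difference decides which template applies. The following is an added illustration, not UW-Madison or FDP code, of how a data steward might encode both lists as a check over a column-tagged dataset and apply the Safe Harbor generalizations (ZIP3 truncation with the 20,000-person rule, dates reduced to year, ages over 89 collapsed to "90+"). The column tags, the sample record and the ZIP3 population table are assumptions made for the example; a real check must use the current Census figures and a steward's tagging of every column, and it does not replace the "no actual knowledge" judgement or the IRB review described above.

```python
"""Classify tagged columns against the HIPAA Safe Harbor and Limited Data Set
identifier lists and apply the Safe Harbor generalizations.

Added example, not UW-Madison or FDP code. The column tags, the sample record
and the ZIP3 population table are assumptions; use current Census data and a
data steward's column tagging in practice.
"""
from datetime import date

# The 16 identifiers stripped to form a Limited Data Set (45 CFR 164.514(e)).
# Dates, ages, town/city, state and ZIP may remain in an LDS.
LDS_REMOVE = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account", "license", "vehicle", "device", "url", "ip",
    "biometric", "face_photo",
})

# Safe Harbor (45 CFR 164.514(b)(2)) additionally removes geography below the
# state (except a ZIP3 prefix covering more than 20,000 people), every date
# element except the year, ages over 89, and any other unique identifying code.
# A raw "age" or "date" column counts as not yet generalized.
SAFE_HARBOR_REMOVE = LDS_REMOVE | frozenset({
    "city", "county", "zip5", "date", "age", "other_unique",
})

# Tags that survive Safe Harbor, including the outputs of generalization.
SAFE_TAGS = frozenset({"state", "zip3", "year", "age_capped", "clinical"})
KNOWN_TAGS = LDS_REMOVE | SAFE_HARBOR_REMOVE | SAFE_TAGS


def classify(column_tags):
    """Return 'de-identified', 'limited data set' or 'phi' for tagged columns.

    Unknown tags raise instead of being silently treated as safe.
    """
    tags = set(column_tags)
    unknown = tags - KNOWN_TAGS
    if unknown:
        raise ValueError(f"untagged or unknown column categories: {sorted(unknown)}")
    if not tags & SAFE_HARBOR_REMOVE:
        return "de-identified"
    if not tags & LDS_REMOVE:
        return "limited data set"
    return "phi"


def zip3_for_safe_harbor(zip5, zip3_population):
    """Keep the first three ZIP digits only if that ZIP3 area holds more than
    20,000 people per the supplied Census table; otherwise return '000'.
    A prefix missing from the table is treated as small (fail closed)."""
    prefix = zip5[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def generalize_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record, zip3_population):
    """Apply Safe Harbor to one record shaped {column: (tag, value)}.

    Direct identifiers are dropped; ZIP, dates and ages are generalized.
    """
    out = {}
    for column, (tag, value) in record.items():
        if tag in LDS_REMOVE or tag in {"city", "county", "other_unique"}:
            continue
        if tag == "zip5":
            out[column] = ("zip3", zip3_for_safe_harbor(value, zip3_population))
        elif tag == "date":
            out[column] = ("year", str(value.year))
        elif tag == "age":
            out[column] = ("age_capped", generalize_age(value))
        else:
            out[column] = (tag, value)
    return out


def tags_of(record):
    """The tag of every column in a record, for classify()."""
    return [tag for tag, _ in record.values()]


# Constructed sample data: not a real patient, and invented ZIP3 populations.
SAMPLE_ZIP3_POPULATION = {"537": 500_000, "036": 15_000}
SAMPLE_RECORD = {
    "patient_name": ("name", "Jane Roe"),
    "mrn": ("mrn", "00012345"),
    "zip": ("zip5", "53706"),
    "admit_date": ("date", date(2019, 3, 14)),
    "age": ("age", 92),
    "state": ("state", "WI"),
    "diagnosis": ("clinical", "I10"),
}

if __name__ == "__main__":
    print(classify(tags_of(SAMPLE_RECORD)))  # phi
    cleaned = deidentify_record(SAMPLE_RECORD, SAMPLE_ZIP3_POPULATION)
    print(classify(tags_of(cleaned)))  # de-identified
    print(cleaned)
```

The classifier deliberately fails closed: a column with an unrecognized tag raises rather than being assumed harmless, and a ZIP3 prefix absent from the population table is suppressed to 000. Removing only the 16 LDS identifiers from the sample record (leaving the 5-digit ZIP, the admission date and the raw age) would yield "limited data set", which is why the LDS and de-identified templates are distinct.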

DTUA – General Data

This type of agreement is used in situations where the data to be shared is none of the types above: not identifiable human subject data, not a HIPAA Limited Data Set, and not de-identified human subject data. A copy of the agreement to be used can be found here: DTUA – General.

What about sharing with for-profit organizations or entities that do not want to use the FDP template?

When researchers wish to share their datasets with for-profit organizations, an FDP template, if one is used, will likely need additional terms and conditions to cover the sharing. In addition, some entities will not agree to use the FDP template. In these situations, please work with your Dean's Office or the HIPAA Risk Executive for your area of campus to discuss the circumstances of the proposed sharing. If sharing is approved by the appropriate leadership, you may use a UW-Madison template available through our Office of Compliance (at https://compliance.wisc.edu/policies-and-forms/); alternatively, RSP can help craft terms and conditions to add to an FDP template, or a unique data-sharing agreement that fits the particular situation.