Page Updated: October 12th, 2021
Research conducted at the University of Wisconsin-Madison generates significant volumes of valuable data. Exchanging this data with other researchers is an important way to increase the ability of our researchers to analyze and translate the data in into meaningful reports and knowledge; sharing data may also help prevent duplication of efforts, or allow for greater collaborative comparisons of data. We support the sharing of data to advance research goals – and want to help facilitate the sharing of data in a way that complies with laws and policies that might limit subsequent use of the data. These laws and policies include HIPAA (which applies to Protected Health Information), FERPA (which applies to student records), and our UW-Madison Policy of Data Stewardship, Access, and Retention. A Data Transfer and Use Agreement (DTUA) is one type of contract that we can use to comply with these laws and policies and also protect the rights of the subjects of the data and the University’s interest in the value of the data.
Data Transfer and Use Agreements (DTUAs) are contracts written to govern how data is shared. These agreements include provisions to address various legal requirements imposed by HIPAA or FERPA, and also outline use limitations that protect the institutional provider of the data. UW-Madison enters into DTUAs when it is the provider or the recipient of data. UW-Madison now uses the Data Transfer and Use Agreement templates developed by the Federal Demonstration Project. The templates and other helpful resources are available at this website, and will be used by RSP wherever possible to help minimize the amount of negotiation involved in developing DTUAs. Your RSP negotiator will work with you to craft any unique language that needs to be added to a template – but keep in mind that the goal of participating in the Federal Demonstration Project is to minimize the number of changes which need to be ironed out prior to finalizing a DTUA.
In practice, whenever data is being transferred off campus to another person, an agreement on the sharing of data should be used. This could be done through an existing agreement, such as the funding agreement, or through a separate DTUA. The need to have an agreement regarding access and use of data comes from the University of Wisconsin-Madison’s Policy on Data Stewardship, Access, and Retention (Section 4.3).
Notwithstanding the Policy on Data Stewardship, Access, and Retention, there are instances where federal law makes an agreement absolutely necessary, such as when Protected Health Information (PHI) is involved. During those times that the University shares PHI, the Federal Health Insurance Portability and Accountability Act (HIPAA) compels us to follow certain requirements in sharing that data, including having an agreement in place that imposes certain obligations before the data is shared. Failure to comply with HIPAA may result in penalties to the University and its employees.
If your data includes data gathered from human subjects research, an important first step in the DTUA process is confirming that your original IRB protocol authorizes the sharing of the data with your proposed recipient. Often new uses for data not contemplated at the beginning of a study are discovered during the research. If your IRB protocol does not authorize your planned data sharing, you should begin the change of protocol process at the same time or before you seek a DTUA from RSP. This will greatly expedite the process. Information on requesting a change to an IRB protocol can be found here. Additional guidance on sending and receiving individual level human subjects research data can be found here (for sending) and here (for receiving).
Whether your human subjects data is fully de-identified, a limited dataset, or full PHI is often a complicated question. Your school’s HIPAA Privacy Coordinator is often a good first stop for answers to questions about PHI. In addition, the Federal Demonstration Project has created this tool to help determine what type of data you are sharing, and thus what agreement below will best fit your needs.
In certain circumstances, it is necessary to share datasets that that include personally identifiable information. Which DTUA is appropriate depends upon whether your data set is covered by HIPAA, or is only covered by the Common Rule.
If the provider of the dataset is a health care provider or health insurer, and the recipient of the dataset is a non-profit or academic institution, then the DTUA for Personally Identifiable Information - HIPAA template is used.
For purposes of HIPAA, your dataset includes personally identifiable information covered by HIPAA if one or more of the eighteen HIPAA direct or indirect identifiers remain in the dataset. These identifiers are:
A copy of the agreement can be found here: DTUA - HIPAA.
If the provider of the data set is not a covered entity, and the recipient of the dataset is a non-profit or academic institution, then the DTUA for Personally Identifiable Information - Common Rule template is used.
For purposes of the Common Rule, your data set includes personally identifiable information if the identity of the subject is or may readily be ascertained by the investigator or is otherwise associated with the information.
A copy of the agreement to be used can be found here: DTUA – Common Rule.
This type of agreement is used in situations where Protected Health Information (PHI) is being exchanged after the removal of specific identifiers in order to create a Limited Data Set (often referred to simply as an “LDS”). Under HIPAA, PHI which does not include the following 16 identifiers comprises a Limited Data Set which may be shared under an agreement that addresses specific requirements stated in HIPAA:
Once an LDS has been created and a HIPAA-compliant DTUA is in place, the LDS may be shared in accordance with the DTUA. See the UW-Madison policy about the Creation of a Limited Data Set for more information. A copy of the agreement to be used can be found here: DTUA – HIPAA Limited Data Set.
This type of agreement is used in situations where data is being exchanged which has been de-identified by removing specific identifiers. Under HIPAA, data which does not include the following 18 identifiers is deemed de-identified and may be shared and used without taking any further measures to comply with HIPAA:
Once the data has been de-identified and a DTUA is in place, the data may be shared in accordance with the DTUA. See the UW-Madison policy about the De-identification of Protected Health Information for more information. A copy of the agreement to be used can be found here: DTUA – De-Identified Data.
This type of agreement is used in situations where the data to be shared does not comprise a Limited Data Set under HIPAA or de-identified human subjects data. A copy of the agreement to be used can be found here: DTUA – General.
When researchers wish to share their datasets with for-profit organizations, if an FDP template is used it will likely need additional terms and conditions added to cover the sharing. In addition, some entities will not agree to use the FDP template. In these situations, please work with your Dean's Office or the HIPAA Risk Executive for your area of campus to discuss the circumstances regarding the sharing involved. If sharing is approved by appropriate leadership, you may use a UW-Madison template available through our Office of Compliance (at https://compliance.wisc.edu/policies-and-forms/); alternatively, RSP can help craft terms and conditions to add to an FDP template or a unique data-sharing agreement that fits the particular situation.