prohibit the recipient from using or disclosing the information unless the agreement permits or otherwise allows it; An agreement to use the data (or provisions applicable in another agreement) is required when a researcher wishes to have access to archives or restricted data sets that may contain identifiable information about individuals for the purpose of carrying out such projects. The IRB should be contacted when the use of archived protected health data falls within the definition of „research” in the IRB. Investigations directly related to personal identifier data may be permitted to use and/or disclose PPIs (for individual access rights to the PHI) or to discontinue hipa authorization (for large sample requests for which individual authorizations are not practical and where the requirement is in accordance with the specifications of the data protection policy). Application forms should look at the safeguards provided to protect the identity of individuals and assess the security of procedures for protecting these identities. Yes, you need both a DATA Use Agreement (DUA) and a Business Associate Agreement (BAA) because the covered entity (Stanford University Affiliated Covered Entity) provides the PHI recipient, which may contain direct or indirect identifiers. For this reason, a BAA may be required before disclosing direct identifiers to the recipient outside of Stanford. No, information about „limited data sets” is not covered by THE HIPAA accounting of advertising obligations. DHHS considered that the privacy protection of individuals with respect to PHIs, which are disclosed in a „limited data set,” can be properly protected by a single AAU. 1. When the AU transmits or transmits a limited set of data to another institution, organization or entity, UA requires that a DUA be signed to ensure that appropriate provisions are in place to protect the limited data set in accordance with the HIPAA privacy rule. Contracting Services has a DUA model.

If UA discloses or transmits a limited set of data, if substantial changes are made to the AU submission form, or if the version of a data contract is used by another party, contract services must verify and sign the terms of the agreement.