Understanding Data Use Agreements (DUAs) for Sponsored Projects

Slide Note
Embed
Share

A Data Use Agreement (DUA) is a crucial contract facilitating the secure transfer of non-public data between providers and recipients, especially in projects subject to restrictions like HIPAA. This informative content delves into the significance, requirements, and scenarios where DUAs are essential, ensuring proper data protection and liability avoidance for all parties involved.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

jacques
jacques Follow

Uploaded on Mar 26, 2024 | 2 Views

Presentation Transcript

  1. DATA USE AGREEMENTS (DUAS) SPONSORED PROJECTS OFFICE (SPO)

  2. What is a DUA? A Data Use Agreement is a contractual agreement, between the provider of the data and the recipient of the data, used for the transfer of non-public data, or data that is subject to some restrictions on its use (i.e. HIPAA and/or Security Requirements). DUAs typically address issues around limitations on use, liability for harm arising from use of data, publication, how data will be exchanged, accessed, stored, used and protected.

  3. HIPAA Requirements Data that qualifies as identifiable Protected Health Information (PHI) or is a limited data set, HIPAA requires that the information be appropriately secured at all times (in-transit and at rest). The data must be secured against any inappropriate or unauthorized use/access or further disclosures (i.e. system hacks) There is a requirement that any unauthorized use/access be reported to the data provider within strict timelines. This is due to HIPAA s timing requirements for notifying patients of any breach related to their PHI. For de-identified data (data that cannot be used to connect information with a person s identity), the recipient must not try to identify the patients and, if the data is coded, must not access that code.

  4. Why is a DUA Needed? UNMHSC and PI have a responsibility to appropriately safeguard all data that we collect, store and share with any third party. Ensures that appropriate restrictions on use of data are maintained. Protects the investigator and UNMHSC from any liability or loss arising from a recipient s use of UNMHSC data.

  5. When is a DUA needed? A Data Use Agreement is often times required for any incoming or outgoing data related to human research. The DUA process is initiated when the Institutional Review Board (IRB) protocol is submitted through Click IRB and human subject data transfer is identified. A DUA for non-human subject data transfers might be required and is initiated by the PIs reaching out to SPO (272-9383). In order to determine if a DUA is required or another type of agreement is required, IRB and SPO may ask a series of questions. Occasionally, a DUA will not be required but another type of collaboration agreement will.

  6. DUA Needed? Scenario 1 UNMHSC PI collaborates on a project with an investigator from University X. UNMHSC will receive de-identified data from University X. Is a DUA needed? YES! A DUA is needed between UNMHSC (recipient) and University X (provider) for the de-identified data.

  7. DUA Needed? Scenario 2 UNMHSC PI collaborates on a project with an investigator from University X. UNMHSC PI provides University X access to the UNMHSC RedCap system for data entry/management for University X participants. UNMHSC will have access to de- identified data from University X through the RedCap system. Is a DUA needed? YES! A DUA is needed since University X (provider) is allowing access to UNMHSC (recipient) to their de-identified data.

  8. DUA Needed? Scenario 3 UNMHSC PI collaborates on a subaward with an investigator from University X (outgoing $ s to University X). The subaward issued to University X includes data language for de-identified data to be received by UNMHSC. Is a DUA needed? No. A DUA is not needed since the subaward agreement includes reference to the transfer of the de-identified data and how it will be received.

  9. DUA Needed? Scenario 4 UNMHSC PI collaborates with University X on a project that will only require the UNMHSC PI and study team to provide their participants with a link to an on-line anonymous survey hosted on University X s database. Is a DUA needed? No. Since there is no UNMHSC data that is being shared, there is no DUA needed. The participants are directly entering their information into University X s database.

  10. DUA Process

  11. DUA Process Continued DUA s are typically triggered through the IRB. If during the IRB Protocol review there is reference to data transfer, the IRB will trigger their Ancillary Process and advise PIs they might require a DUA. PIs are asked to complete a DUA Questionnaire and send to SPO. SPO will then review the questionnaire with the Privacy Officer and IT Security to determine if a DUA is required. If so, the DUA will be drafted and executed by SPO. IRB does require an executed DUA to be in place before final approval of an IRB study protocol. At times it is determined a DUA is not required, especially in those cases when another agreement already describes the data use requirements (e.g., Clinical Trial Agreements, Non Disclosure Agreements, Subawards, etc.)

  12. DUA Process Continued SPO has various DUA templates that can be used depending on the type of data that is being exchanged. DUA templates that we use include: HIPPA covered patient protected health information (PHI) (most risk and required safeguards) Limited Data Sets (as defined by HIPPA) De-Identified PHI (requires the removal of the 18 identifiers as defined by HIPPA) Personally Identifiable Information (not PHI but includes name, SSN, banking information, etc.) DUAs REQUIRES Institutional authorized signature, which is the Vice Chancellor for Research.

  13. Definitions HIPPA acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPPA does the following: Requires the protection and confidential handling of protected health information Mandates industry-wide standards for health care information on electronic billing and other process Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; and Reduces health care fraud and abuse PHI acronym for Protected Health Information. PHI is information that is created or received by a health care provider and that relates to the physical or mental health condition of an individual; the provision of health care to the individual; and the payment information for the individual s receipt of health care

  14. Definitions Contd LDS acronym for a limited data set. A limited data set is a limited set of identifiable patient information as defined in the Privacy Regulations issued under HIPPA. In order for the data to be classified as a LDS, the following information pertaining to patient, his or her employer, relatives and household members must be removed: Name, address, and phone number Medical identification or account number Health plan or insurance numbers Social Security numbers Web and IP addresses Vehicle identification information such as license plate numbers Serial numbers or identifiers from devices Fingerprint records or voice records Facial photographs *A limited data set may include the following: dates such as admission, discharge, service, DOB, DOD; city, state, five digit or more zip code; and ages in years, months or days or hours

  15. Definitions Contd De-identified data data that has been stripped of all direct identifiers or all information that can be used to identify the patient from whose medical record the health information was derived. Per HIPPA, there are 18 direct identifiers that are to be removed: Names Geographic subdivisions smaller than a state (e.g. street address, city and ZIP code) All dates that are related to individual (e.g. date of birth, admission) Telephone numbers Fax numbers Email addresses Social Security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web universal locators (URLs) IP address numbers Biometric identifiers such as fingerprints and voice prints Full-face photographic images Other unique identifying numbers, characteristics or codes PII acronym for personally identifiable information. Any data that could potentially identify a specific individual.

  16. Information Needed to Draft DUA? A fulsome description of the data (which type is it? E.g., PHI, De-identified, etc.). Description of the data flow which includes, for example, whether it is incoming our outgoing, whether a third party honest broker is involved, or if the collaboration includes collaborating sites. Summary of how the information will be accessed and by whom and whether any special system is needed (e.g. RedCap, etc.). Specific restrictions or requirements by third party. Security Restrictions. DUA and IRB Protocol MUST have the same data information or it can delay the process

  17. Security and Institutional Requirements IT/Security will review the safeguards and systems involved in any data transfer to assure their security. UNMHSC s current requirement is that all incoming data be sent directly to Central/IT to be secured and then provide access to the PI in accordance with the DUA. The more information we have regarding the data flow, data type and any special or unique requirements, the faster the DUA can be finalized.

  18. Who Does What? Sponsored Projects Office Human Research Protections Office (HRPO/IRB) Privacy IT Security Review data questionnaire and data elements for potential PHI/HIPPA issues Review data questionnaire and protocol for potential security risks with transfer of data Assist PI through the DUA process, to include update on status Review/approve proposed data transfer in protocols Review Data Questionnaire to determine type of template Determine/confirm that DUA template is appropriate, and that the data elements are de- identified, a limited data set, PHI or other Ensure data is both sent/received through central IT, unless it is directly entered into a system Trigger DUA review to SPO Draft and forward DUA template to Privacy and IT for review Ensure information in protocol aligns and conforms to IT Security requirements Ensure that proposed systems to be used are approved Receive Legal approval, when needed Advise SPO on information needed to be included in the DUA template Advise SPO on information needed to be included in the DUA template Ensure data elements are noted in protocol Negotiate DUA with collaborating institution Obtain Signatures Track DUA in Click ERA Liaison between Compliance/ PI/Collaborating Institution **DUAs sent to Legal for review, when necessary.

  19. Who to Contact? HSC Sponsored Projects Office (SPO) Phone: 272-9383 Email: HSC-PreAward@salud.unm.edu Human Research Protections Office (IRB) Phone: 272-1129 Email: HRPO@salud.unm.edu

Related


Understanding Data Use Agreements (DUAs) in Sponsored Projects Office

Understanding Data Use Agreements (DUAs) in Sponsored Projects Office

helene
Office of Sponsored Programs - Agreements and Contracts Update

Office of Sponsored Programs - Agreements and Contracts Update

mirabel
Understanding Virtual Incident Procurement (VIPR) in Government Agencies

Understanding Virtual Incident Procurement (VIPR) in Government Agencies

travis
Understanding Folio Agreements and Resource Management

Understanding Folio Agreements and Resource Management

branwen
NCI Data Collections BARPA & BARRA2 Overview

NCI Data Collections BARPA & BARRA2 Overview

karol
Potential Role of Big Data in Economic Policy

Potential Role of Big Data in Economic Policy

montague
Understanding Restrictive Agreements and EU Competition Law

Understanding Restrictive Agreements and EU Competition Law

kelsey
Challenges and Solutions in Cross-Border Data Transfers: A Privacy Perspective

Challenges and Solutions in Cross-Border Data Transfers: A Privacy Perspective

casimir
The Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act 2023

edelweiss
Funding Requirements for Higher Education Improvement Projects

Funding Requirements for Higher Education Improvement Projects

kora
Effective Use of Data for Educational Improvement

Effective Use of Data for Educational Improvement

anouk
Overview of Data Science: Uncovering Insights from Data

Overview of Data Science: Uncovering Insights from Data

anahita
Understanding Data Lifecycle and Mining for Business Intelligence

Understanding Data Lifecycle and Mining for Business Intelligence

juni
Exploring Data Analytics: Introduction, Terminology, Challenges, Platforms, Tools, Applications

Exploring Data Analytics: Introduction, Terminology, Challenges, Platforms, Tools, Applications

saint
Leveraging Data Warehouse and Cloud Computing for Informed Decision-Making

Leveraging Data Warehouse and Cloud Computing for Informed Decision-Making

carolyn
PROGRAMME 3. PROGRESS ON COMMUNITY AND MAINTENANCE PROJECTS (AS AT 29 FEBRUARY 2024) AS REFLECTED IN THE ANNUAL PERFORMANCE PLAN.

PROGRAMME 3. PROGRESS ON COMMUNITY AND MAINTENANCE PROJECTS (AS AT 29 FEBRUARY 2024) AS REFLECTED IN THE ANNUAL PERFORMANCE PLAN.

franciszek
Evolving 5030 District Projects: Encouraging Innovation, Supporting Growth, and Recognizing Success

Evolving 5030 District Projects: Encouraging Innovation, Supporting Growth, and Recognizing Success

ruan
IEEE CASS News

IEEE CASS News

pallas
Understanding Data Governance and Security in Higher Education Institutions

Understanding Data Governance and Security in Higher Education Institutions

lucius
Understanding Data Types and Summary Statistics in Exploratory Data Analysis

Understanding Data Types and Summary Statistics in Exploratory Data Analysis

dream
Understanding the Importance of SDMX in Statistical Data Exchange

Understanding the Importance of SDMX in Statistical Data Exchange

lazarus
NIH Data Management and Sharing Policy Overview

NIH Data Management and Sharing Policy Overview

chanel
Enhancing Cost Forecasting in Major Capital Projects: Key Findings and Recommendations

Enhancing Cost Forecasting in Major Capital Projects: Key Findings and Recommendations

tymon
Libyan International Medical University Faculty of Business Administration

Libyan International Medical University Faculty of Business Administration

dale

More Related Content

Understanding Termination of Obligations in Civil Law
Understanding Termination of Obligations in Civil Law
Understanding Conditions and Contingencies in Agreements
Understanding Conditions and Contingencies in Agreements
Enhancing Project Management for General Plant Projects at Fermilab
Enhancing Project Management for General Plant Projects at Fermilab
Enhancing Health Data Usage for Transient Populations in Malawi
Enhancing Health Data Usage for Transient Populations in Malawi
Career Education Data Team Organization Guide
Career Education Data Team Organization Guide
Enhancing Educational Leadership Through Data-Driven Decision-Making
Enhancing Educational Leadership Through Data-Driven Decision-Making
Understanding the Distinction Between Data and Information
Understanding the Distinction Between Data and Information
Introduction to Big Data Analysis - National Taipei University Course Overview
Introduction to Big Data Analysis - National Taipei University Course Overview
Machine learning applied to mobile phone data for public statistics prediction
Machine learning applied to mobile phone data for public statistics prediction
Advanced Data Logging Software for Efficient Record Generation
Advanced Data Logging Software for Efficient Record Generation
Simcoe County Data Consortium
Simcoe County Data Consortium
Modernizing Public Health Data in Texas: Strategies and Upgrades
Modernizing Public Health Data in Texas: Strategies and Upgrades
Key requirements and case studies of Subaward Agreements
Key requirements and case studies of Subaward Agreements
Navigating Sustainability Agreements in Competition
Navigating Sustainability Agreements in Competition
The Evolution of EU Climate Policy: Challenges and Achievements
The Evolution of EU Climate Policy: Challenges and Achievements
Hosting Matters Summary: Infrastructure Development and Governance Framework Update
Hosting Matters Summary: Infrastructure Development and Governance Framework Update
Negotiating Working Time Agreements in Educational Institutions
Negotiating Working Time Agreements in Educational Institutions
AFT Local 6262 Achieves Significant Positive Outcomes in Recent Agreements
AFT Local 6262 Achieves Significant Positive Outcomes in Recent Agreements
Progress Update on EU Partnership Agreements and Programme Implementation
Progress Update on EU Partnership Agreements and Programme Implementation
Promoting Private Sector Engagement in Local Governance through PPPs in Zambia
Promoting Private Sector Engagement in Local Governance through PPPs in Zambia
Progress Report on Community and Maintenance Projects
Progress Report on Community and Maintenance Projects
Alabama Capital Projects Fund Program Announcements - February 27, 2024
Alabama Capital Projects Fund Program Announcements - February 27, 2024
Schools’ Capital Programme update
Schools’ Capital Programme update
ROCINANTES Projects in Africa: Transforming Communities Through Health and Education Initiatives
ROCINANTES Projects in Africa: Transforming Communities Through Health and Education Initiatives