HIPAA Policy Section 6.4: Agreements With Recipients of a Limited Data Set
System EGI shall require a person to agree to a Data Use Agreement prior to Disclosure of a Limited Data Set created or maintained by System to such a person.
6.4(1) Use and Disclosure of a Limited Data Set
To the extent System’s Use or Disclosure of PHI would be permissible under Section 4.4 of this Manual as a Limited Data Set, System may Use or Disclose such Limited Data Set to a recipient only if the recipient has agreed to a Data Use Agreement that meets the requirements set forth in this Section.
6.4(2) Data Use Agreement
A Data Use Agreement shall:
- restrict the recipient from Using or Disclosing the Limited Data Set for a purpose other than Health Care Operations, research, public health activities, or as otherwise required by law;
- not authorize the recipient to Use or Disclose the Limited Data Set in a manner that would violate the HIPAA Privacy Standards if performed by EGI;
- establish the identity of the person or classes of persons permitted to Use or receive the Limited Data Set;
- require the recipient to use appropriate safeguards to prevent Use or Disclosure of the Limited Data Set other than as provided for by the data use agreement;
- require the recipient to report to System any Use or Disclosure of the Limited Data Set not provided for by its data use agreement of which the recipient becomes aware;
- require the recipient to ensure that any agents, including a subcontractor, to whom the recipient provides the Limited Data Set agree to the same restrictions and conditions that apply to the recipient with respect to such information; and
- prohibit the recipient from identifying the information or contacting the individuals.
6.4(3) Monitoring Recipients of a Limited Data Set
If System learns that a recipient of a Limited Data Set has performed a material violation of its Data Use Agreement, System shall take reasonable steps to end the violation and mitigate the violation’s harmful effects in accordance with Section 8.4 of this Manual.
6.4(4) Documentation of Data Use Agreements
System shall retain any Data Use Agreement entered into with any person. Such documentation shall be retained in accordance with Section 9.2 of this Manual.
45 C.F.R. § 164.514(e)
67 Fed. Reg. at 53,234-38 (Aug. 14, 2002)