A data use agreement (DUA) allows researchers to access a limited data set for research purposes without subject authorization. The terms of a DUA are specified in HIPAA and include:
- Establishing the permitted uses and disclosures (as allowed under HIPAA);
- Using appropriate safeguards to secure the data;
- Reporting inappropriate uses or disclosures to the covered entity; and
- Not attempting to re-identify individuals who are the subjects of the data.
Researchers are prompted within ARROW to the Internal Data Use Agreement for those UW employees receiving a limited data set from within UW-Madison or UW Health for their own use; limited data will not be shared outside the UW-Madison HCC. A completed Internal DUA should be uploaded to ARROW.
A Data Transfer and Use Agreement is needed for receipt or disclosure of a limited data set from/to an institution outside of UW-Madison or UW Health. When disclosing a limited data set, the DUA template should be uploaded to ARROW to confirm an acceptable template will be used; a signed copy does not need to be included in ARROW. When receiving a limited data set from outside the UW-Madison HCC, the data provider determines whether a DUA is necessary. If a limited data set is not covered by a DUA, it’s appropriate to request a waiver of authorization instead.
UW-Madison has Master DUAs with UW Health, including UW Health Northern Illinois (formerly called SwedishAmerican), and Access Community Health Centers. UW-Madison also has a System Access Agreement with UnityPoint Health – Meriter. More information on who may access data and for what purposes under these agreements is available here: UW Health; Access Community Health Centers; UnityPoint Health – Meriter.