In the DUA, the researchers receiving the LDS provide satisfactory assurances that they will use or disclose the PHI in the data set only for specified purposes.
- Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
- Identify who is permitted to use or receive the limited data set.
- Stipulations that the recipient will
- Not use or disclose the information other than permitted by the agreement or otherwise required by law.
- Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
- Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
- Not identify the information or contact the individuals.
Michigan Medicine Policy 01-04-032 on Limited Data Sets (level-2 login required) describes implementation of these requirements.
- Sharing LDS within U-M: Use the internal template linked from the policy
- Sending LDS outside U-M: Use the external template linked from the policy
- Receiving LDS from outside institutions: generally the other institution provides the DUA template.
External DUAs (sending data to, or obtaining from, outside the University) should be processed through the Unfunded Agreement (UFA) form in eResearch Proposal Management (eRPM). ORSP Data Sharing Resource Center, UMMS Data Office for Clinical and Translational Research, and UMHS Compliance Office are available to assist with DUAs.