If you are collaborating in your research with other parties, organizations or institutions, you may need to execute one or more types of legal agreements to protect your research or document how you will work together. To assist researchers, FSU is implementing a central, integrated portal, launched in November 2019, to enhance and modernize research administration business processes, including research-related agreements.
The Research Administration Management Portal (RAMP) provides standardized templates for various agreements. These include Clinical Trial Agreements, Data Use Agreements, Memorandums of Understanding and Non-Disclosure Agreements, among others.
OCRA can offer guidance on the types of agreements required for certain activities, and assist with the RAMP submission process. In addition, numerous Quick Reference guides and videos on the various types of agreements can be found on the RAMP site by clicking on “Help Center” under the “Agreements” tab at the top of the page. FAQs on RAMP agreements may also be found here.
Data Use Agreements
A Data Use Agreement (DUA) is generally required when sharing and/or providing a Limited Data Set to external, as well as internal (see Note 1 below) research personnel. A Limited Data Set excludes all 18 HIPAA “identifiers” (see Note 2 below) except for the following:
1. City, state, zip code
2. Dates of admission, discharge, service, date of birth/death
3. Unique numbers, characteristics, or codes that are not expressly listed as “identifiers”.
A Data Use Agreement:
(a) Establishes the permitted uses and disclosures of information by the limited data set recipient (the purpose of which is limited to research, public health activities or health care operations);
(b) Establishes who is permitted to use or receive the limited data set; and
(c) Provides that the limited data set recipient will:
(1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise permitted by law;
(2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided by the data use agreement;
(3) Report any use or disclosure of the information not provided for by the data use agreement;
(4) Ensure that agents, including subcontractors, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient; and
(5) Not identify the information or contact individuals whose information is included with the limited data set.
A DUA is generally not required when sharing and/or providing De-Identified Data. In order for data to be considered de-identified, all 18 HIPAA “identifiers” must be removed, with the exception of the following:
1. Of all geographic subdivisions smaller than a state, only the initial three digits of the zip code, provided that: (a) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (b) The initial three digits of the zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
2. Ages in years; for those older than 89, all ages must be aggregated into a single category of 90 or older.
Note 1: The Preamble of the HIPAA Privacy Rule is clear that a covered entity that wants to create and use a limited data set for its own research purposes must have its workforce member (i.e. employee) enter into an agreement containing the requirements of a data use agreement.
Note 2: The 18 HIPAA “identifiers”:
(1) Name (including initials)
(2) Address (all geographic subdivisions smaller than state: street address, city, county, zip code)
(3) All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
(4) Telephone numbers
(5) Fax number
(6) E-mail address
(7) Social Security Number
(8) Medical Record Number
(9) Health Plan Beneficiary Number
(10) Account Number
(11) Certificate or License Number
(12) Any vehicle identifiers, including license plate
(13) Device Identifiers and serial numbers
(14) Web URL
(15) Internet Protocol (IP) Address
(16) Finger or voice print
(17) Photographic image—Photographic images are not limited to images of the face
(18) Any other characteristic that could uniquely identify the individual
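
The zip code, age and date rules for De-Identified Data described above can be applied mechanically before a data set is shared. The following is an added example, not part of the original page or of any FSU or RAMP tooling; the field names, the list of dropped fields and the population table are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed population per 3-digit zip area (assumption; use current Census figures).
ZIP3_POPULATION = {"323": 410_000, "036": 14_500}
# Hypothetical field names for direct identifiers from Note 2; not a complete list.
DROP_FIELDS = {"name", "street_address", "city", "county", "phone", "fax",
               "email", "ssn", "mrn", "ip_address"}
TRANSFORMED = {"zip", "birth_date", "admission_date"}

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that area has more than 20,000 people."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) < 5:          # missing, malformed, or leading zero lost as int
        return "000"
    prefix = digits[:3]
    # Prefixes absent from the table are treated as small areas (fail closed).
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def generalize_age(age):
    """Report age in years; everyone older than 89 falls into one '90+' category."""
    return "90+" if age > 89 else str(age)

def age_on(birth, as_of):
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def deidentify(record, as_of):
    """Drop direct identifiers, then generalize zip, age and dates."""
    out = {k: v for k, v in record.items()
           if k not in DROP_FIELDS and k not in TRANSFORMED}
    out["zip3"] = generalize_zip(record.get("zip"))
    # Birth year is not emitted: with a '90+' age it would reveal the exact age.
    out["age"] = generalize_age(age_on(record["birth_date"], as_of))
    out["admission_year"] = record["admission_date"].year  # year only
    return out

# Constructed sample records, not real patient data.
SAMPLE = [
    {"name": "A. Example", "zip": "32301-1234", "birth_date": date(1950, 7, 4),
     "admission_date": date(2019, 11, 2), "diagnosis": "J45"},
    {"name": "B. Example", "zip": "03601", "birth_date": date(1928, 1, 15),
     "admission_date": date(2019, 11, 20), "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(deidentify(rec, as_of=date(2019, 12, 1)))
```

Free-text fields and the remaining identifiers in Note 2 need their own handling before a data set can be treated as de-identified.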