HIPAA Data Use Agreement
Researchers who want access to de-identified data must sign a data use agreement which includes:
Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
Identify who is permitted to use or receive the limited data set.
Stipulations that the recipient will
Not use or disclose the information other than permitted by the agreement or otherwise required by law.
Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
Not identify the information or contact the individuals.[ HIPAA Research at 19.]