Data Agreements

Drexel's Privacy Program Services (PPS) department reviews, approves and signs data agreements involving sharing Drexel Institutional data with external entities.

Drexel's Chief Privacy Officer is the designated signatory on data agreements involving the processing (including creation, use, control, or sharing) of Drexel institutional data by external entities as well as all Business Associate Agreements (BAAs).

Drexel institutional data may be protected by a number of laws, regulations, policies, and procedures, including but not limited to: the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the EU General Data Protection Regulation (GDPR), Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2), the Gramm-Leach-Bliley Act (GLBA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA), depending on the data source, data subjects, and purpose of the data processing.

An authorized signature is required on agreements involving the processing of data to ensure that the laws, regulations, policies, procedures, and requirements necessary to protect Drexel's institutional data have been addressed within the data sharing agreement.

Frequently Asked Questions


Privacy Program Services handles the review, approval, and signature of data sharing agreements that control outgoing Drexel institutional data, and of all HIPAA Business Associate Agreements (BAAs).

  • If you are a Drexel covered health care component looking to share PHI with a business associate, or you have been asked to sign a BAA by a covered entity to which Drexel provides services involving PHI, or
  • If you are planning to share data derived from or located within records owned by Drexel University with an external entity for research purposes,

please contact privacy@drexel.edu for review, approval, and signature of the proposed agreement.

Requests for the review, approval, and signature of a data agreement that the Chief Privacy Officer is authorized to sign must follow the process below:

  1. A Drexel requestor* must contact PPS at privacy@drexel.edu to initiate a request for the review, approval, or signature of a data agreement.
  2. PPS staff provides the Drexel requestor with our data sharing request form to complete. This form requests details on the context of the engagement, including the external party or parties involved in the data exchange, the purpose of the data exchange, the type of data, and planned uses of the data.
  3. Once the Drexel requestor completes and submits the form, PPS staff reviews the form and determines the appropriate data agreement that is required for the engagement.
  4. PPS then provides the Drexel requestor with an approved template data agreement for the external party to review and sign. Please note that if the external party to the data exchange prefers to use its own template, PPS will require additional time to review and/or negotiate terms prior to signing.
  5. Once the external party has approved the terms of the data agreement and signed it, the Drexel requestor must return the partially executed document to PPS for final signature from the Chief Privacy Officer.
  6. The Chief Privacy Officer then signs the data agreement and the final executed document is returned to the Drexel requestor.

*Drexel requestors include Drexel faculty, professional staff, and students, as well as individuals performing research on behalf of St. Christopher's Hospital for Children.

The Drexel University Chief Privacy Officer is not the designated signatory for data agreements covering Drexel's receipt of an external entity's data. As a result, PPS does not approve or sign data agreements governing the use and disclosure of an external entity's data.

It’s Okay To Ask!

PPS can help you understand the terms and conditions of Drexel’s use of external entity data; please contact us at privacy@drexel.edu to submit a request for assistance. Please be advised that Drexel University units are required to comply with all Drexel University policies and procedures, including but not limited to privacy policies.

If you would like PPS to review a data agreement for Drexel’s receipt of external data, please note that PPS review may be limited to the terms controlling how the external recipient may use and disclose Drexel institutional data. Please see the template data agreements below for guidance on Drexel’s preferred terms for the use, processing, and retention of Drexel institutional data.

Please note that PPS cannot answer operational questions regarding a particular business unit’s ability to comply with an external entity’s data privacy or other contractual or reporting requirements. Those types of questions are best directed to the business unit authorized to approve and sign the agreement. Drexel business units are reminded that they are required to comply with all Drexel University policies and procedures, including but not limited to privacy policies.

At Drexel University, the processing of personal information happens every day. At times, members of the Drexel community are asked to sign agreements that cover how that information is processed. Agreements include BAAs, DUAs, DSAs, DTAs and DPAs. This group of acronyms can be hard to understand, and knowing which agreement to use and when can be confusing for even the most astute experts.

We have developed this chart to help you understand these data-sharing agreements and when they are required for your proposed engagements. Please note that this chart is only a guide and may not fit every privacy agreement you encounter. Before entering into any such agreement, please contact us at privacy@drexel.edu. We are here to help, and remember, It’s Okay to Ask!

Data Agreement Types

Business Associate Agreement (BAA)

Definition

The HIPAA Rules generally require that covered entities and business associates* enter contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information (PHI). The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule.

*A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

When Required

If you are a Drexel covered health care component looking to share PHI with a business associate, or if you have been asked to sign a BAA by a covered entity to which Drexel provides services involving PHI, please contact us at privacy@drexel.edu.

Drexel University has a template Business Associate Agreement [PDF] available.

For questions about our business associate policies, please refer to Drexel Business Associate Policies for more information or contact us at privacy@drexel.edu.

Data Use Agreement (DUA)

Definition

HIPAA permits a covered entity to disclose a limited data set (LDS)* of PHI for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. The covered entity must have a data use agreement (DUA) in order to disclose the LDS for these purposes.

A DUA establishes who is permitted to use and receive an LDS, and the permitted uses and disclosures of such information by the recipient. The DUA provides that the recipient of the LDS will (1) not use or disclose the information other than as permitted by the DUA or as otherwise required by law, (2) use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the DUA, (3) report to the covered entity any uses or disclosures in violation of the DUA of which it becomes aware, (4) ensure that any agents to whom it provides the LDS agree to the same restrictions and conditions that apply to the LDS recipient with respect to such information, and (5) not re-identify the information or contact the individuals.

*An LDS is health information from which the direct identifiers have been removed; it may still include an individual’s city, state, ZIP code, certain elements of dates, and other numbers, characteristics, or codes that are not listed as direct identifiers. The direct identifiers that must be removed are: (1) names, (2) postal address information other than town or city, state, and ZIP code, (3) telephone numbers, (4) fax numbers, (5) electronic mail addresses, (6) Social Security numbers, (7) medical record numbers, (8) health plan beneficiary numbers, (9) account numbers, (10) certificate and license numbers, (11) vehicle identifiers and serial numbers, including license plate numbers, (12) device identifiers and serial numbers, (13) Web Universal Resource Locators (URLs), (14) Internet Protocol (IP) address numbers, (15) biometric identifiers, including fingerprints and voice prints, and (16) full-face photographic images and any comparable images.

When Required

DUAs are most often used in research; however, as the definition describes, DUAs may be used for public health and healthcare operations purposes, including certain emergency preparedness activities.

If you are looking to share personal information or an LDS for research, public health, or health care operations purposes, or if you have questions, contact us at privacy@drexel.edu.

Drexel University has a template DUA for sharing a limited data set with external entities available via this PDF.

Drexel University also has a template DUA for sharing de-identified data sets (stripped of all PHI identifiers) with external entities available via this PDF. De-identified data that is shared without a code, key, or other means to re-identify the data does not require a DUA under HIPAA. However, as a best practice, Drexel encourages the use of DUAs with external entities to ensure the parties mutually agree to the terms of the data’s use, subsequent disclosure, and disposal.

Data Sharing Agreement (DSA)

Definition

Data sharing agreements (DSA) are formal, legal contracts entered into by parties who wish to share personal information they maintain with other parties. DSAs set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all parties involved in sharing to be clear about their roles and responsibilities. Data sharing agreements protect against data misuse and promote early communication among parties about questions of data handling and use.

DSAs are often required by local, state, and federal government agencies and regulators, public entities, and international authorities when parties enter into agreements that involve the sharing of personal information.

When Required

If you are looking to enter into an agreement with a public entity, or into any agreement that will involve the sharing of personal information, contact us at privacy@drexel.edu.

Data Transfer Agreement (DTA)

Definition

A Data Transfer Agreement (DTA) is a formal, legal contract governing the transfer of non-human-subject (research) data or completely de-identified human-subject data. It sets out the related protections, rights, and obligations of both parties and delineates the specific purposes for which the personal information or data may be used.

Under the General Data Protection Regulation (GDPR), a DTA is required when personal data is being transferred or accessed outside the European Economic Area (EEA). A DTA in place between the parties needs not only to address the legality of the transfer itself but also consider the processing of personal data generally and incorporate any associated GDPR requirements. For example, for data exports to a processor or sub-processor, the GDPR sets out detailed requirements that an agreement must include in addition to addressing the transfer.

When Required

If you are sharing personal information or personal data outside the United States, especially with an entity or organization in the EEA, a DTA may be required. Before entering into any such agreement or sharing personal information, contact us at privacy@drexel.edu.

Data Processing Agreement (DPA)

Definition

General Data Protection Regulation (GDPR) compliance requires data controllers (entities that own and control the data of EEA citizens) to sign a Data Processing Agreement (DPA) with any parties that act as data processors* on their behalf.

*Typically, a data processor is another company or entity that a data controller uses to help the data controller store, analyze, or communicate personal information. For example, if the data controller is a health insurance company and the data controller shares personal information about clients via encrypted email, then that encrypted email service is a data processor.

When Required

If you are working with companies or organizations that process the personal information of citizens of the EEA, or if you are asked to sign an agreement such as a DPA, contact us at privacy@drexel.edu before entering into or signing the agreement.

Contact Us

Privacy Program Services
privacy@drexel.edu