For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Data Agreements

At Drexel University, the processing of personal information happens every day. At times, members of the Drexel community are asked to sign agreements that cover how that information is processed. Agreements include BAAs, DUAs, DSAs, DTAs and DPAs. This group of acronyms can be hard to understand, and knowing what agreement to use when is confusing even for the most astute experts.

Drexel’s Privacy Program Services department reviews, approves, and signs data agreements involving sharing Drexel’s institutional data with external entities.

We have developed this chart to help you understand these data-sharing agreements and when they are required for your proposed engagements. Please note that this chart is only a guide and may not fit every privacy agreement you encounter. Before entering into any such agreement, please contact us at We are here to help, and remember, It’s Okay to Ask!

Table of Contents

Agreement Type


When Required

Business Associate Agreement (BAA) or Business Associate Contract

The HIPAA Rules generally require that covered entities and business associates* enter contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information (PHI). The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule.

*A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.
If you are a Drexel covered health care component looking to share PHI with a business associate, or if you have been asked to sign a BAA by a covered entity that Drexel is providing services involving PHI to, please contact us at

Drexel University has a template Business Associate Agreement available here: Business Associate Agreement [PDF].

For questions about our business associate policies, please refer to Drexel Business Associate Policies for more information or contact us at

Data Use Agreement (DUA)

HIPAA permits a covered entity to disclose a limited data set (LDS)* of PHI for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. The covered entity must have a data use agreement (DUA) in order to disclose the LDS for these purposes.

A DUA establishes who is permitted to use and receive an LDS, and the permitted uses and disclosures of such information by the recipient. The DUA provides that the recipient of the LDS will (1) not use or disclose the information other than as permitted by the DUA or as otherwise required by law, (2) use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the DUA, (3) report to the covered entity uses or disclosures that are in violation of the DUA, of which it becomes aware, (4) ensure that any agents to whom it provides the LDS agree to the same restrictions and conditions that apply to the LDS recipient, with respect to such information, and (4) not re-identify the information or contact the individual.

*An LDS is health information that may include an individual’s city, state, ZIP code, certain elements of date, and other numbers, characteristics, or codes not listed as direct identifiers, such as: (1) Names, (2) Postal address information, other than town or city, State, and zip code, (3) Telephone numbers, (4) Fax numbers, (5) Electronic mail addresses, (6) Social Security numbers, (7) Medical record numbers, (8) Health plan beneficiary numbers, (9) Account numbers, (10) Certificate and license numbers, (11) Vehicle identifiers and serial numbers, including license plate numbers, (12) Device identifiers and serial numbers, (13) Web Universal Resource Locators (URLs), (14) Internet Protocol (IP) address numbers, (15) Biometric identifies including fingerprints and voice prints, and (16) Full-face photographic images and any comparable images.
DUAs are most often used in research; however, as the definition describes, DUAs may be used for public health and healthcare operations purposes, including certain emergency preparedness activities.

If you are looking to share personal information or an LDS for research, public health or health care operations purposes, or have questions, contact us at

Drexel University has a template DUA for sharing a limited data set with external entities available via this PDF.

Drexel University also has a template DUA for sharing de-identified (stripped of all PHI identifiers) data sets with external entities available via this PDF. De-identified data that is shared without a code, key, or other means to re-identify the data does not require a DUA to be exchanged under HIPAA. However, Drexel encourages the use of DUAs with external entities to ensure the parties mutually agree to the terms of the data’s use, subsequent disclosure, and disposal as best practice.

Data Sharing Agreement (DSA)

Data sharing agreements (DSA) are formal, legal contracts entered into by parties who wish to share personal information they maintain with other parties. DSAs set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all parties involved in sharing to be clear about their roles and responsibilities. Data sharing agreements protect against data misuse and promote early communication among parties about questions of data handling and use.

DSAs are often required by local, state, federal government agencies and regulators, public entities, and international authorities when parties or entities enter into certain agreements that involve the sharing of personal information.
If you are looking to enter into agreement with a public entity, or entering an agreement with an entity that will involve the sharing of personal information, contact us at

Data Transfer Agreement (DTA)

A Data Transfer Agreement (DTA) is a formal, legal contract governing the transfer of non-human subject (research) data or completely de-identified human subject data. It sets out the related protections, rights and obligations of both parties and delineates the specific purposes for which the personal information or data may be used.

Under the General Data Protection Regulation (GDPR), a DTA is required when personal data is being transferred or accessed outside the European Economic Area (EEA). A DTA in place between the parties needs not only to address the legality of the transfer itself but also consider the processing of personal data generally and incorporate any associated GDPR requirements. For example, for data exports to a processor or sub-processor, the GDPR sets out detailed requirements that an agreement must include in addition to addressing the transfer.
If you are sharing personal information, or personal data, outside the United States — especially with an entity or organization in the EEA, a DTA may be required. Before entering into any such agreement, or sharing personal information, contact us at

Data Processing Agreement (DPA)

General Data Protection Regulation (GDPR) compliance requires data controllers, entities that own and control data of EEA citizens, to sign a Data Processing Agreement (DPA) with any parties that act as data processors* on their behalf.

*Typically, a data processor is another company or entity that a data controller uses to help the data controller store, analyze, or communicate personal information. For example, if the data controller is a health insurance company and the data controller shares personal information about clients via encrypted email, then that encrypted email service is a data processor.
If you are working with companies or organizations in which personal information of citizens of the EEA is processed, or if you are asked to sign an agreement such as a DPA, before entering into the agreement or signing the agreement, contact us at