Data Use Agreements

Frequently Asked Questions

A Data Use (Transfer) Agreement (DUA/DTA) is a contractual document that allows Emory University PI's to access, obtain, or transmit patient/human subject data or images from/to an outside party for use in research. The data or images may be full Protected Health Information (PHI), a Limited Data Set or de-identified within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. The outside party may be a non-profit or for-profit institution or entity, government agency, or other public entity. A DUA is required for human subject/patient data exchange of any type, aside from de-identified data in aggregate form. Aggregated data does not require a DUA although an Emory University Investigator may wish to protect such data by means of another type of agreement such as a Confidentiality Agreement or Collaboration Agreement.

Human subjects’ data may be shared as part of (1) an ongoing funded collaboration between the Emory University and the outside party; (2) as part of a vendor contract; or (3) independent research by the outside party. In the case of scenarios 1 or 2, data terms are typically incorporated into the sponsored agreement/grant or vendor contract by the appropriate contracting office, if so, no separate DUA is needed. But, please confirm with the appropriate contracting office to make sure the data transfer terms are incorporated into such agreements.

Below are some general, frequently asked questions regarding data use (transfer) agreements. If you don't find the answer to your question please reach out to Emory OTT at

Note: for the purposes of this FAQ, data refers to data derived from human subjects intended to be used for research. This FAQ does not address non-human research data or use of data for non-research purposes.

Per Emory policy, a DUA is required prior to sharing patient/participant-level data outside of Emory. A DUA is needed regardless of whether the data being shared is de-identified or anonymized data, a Limited Data Set or full Protected Health Information (PHI). A stand-alone DUA is appropriate when only data is being exchanged and not, for example, sponsored funding or materials.

If Emory is receiving de-identified data from a domestic entity, a DUA needs to be put into place if the holder of the data requires a DUA. HIPAA does not compel a DUA in this scenario, each holder institution applies their own policies to the exchange.

If Emory is receiving data from an international entity, we must be careful with restrictive laws surrounding data privacy and will likely require DUA or some other form of agreement to receive data.

If data is being exchanged with a sponsor, pass-through entity or subcontractor in the context of a funded project, the appropriate Emory contracting office will include the terms governing data exchange in the funding agreement.

If a PI would like to establish an unfunded collaborative research project between two or more academic parties (e.g., one party analyzing the results of a data exchange and returning it for possible co-publication) Office of Technology Transfer (OTT) will issue an unfunded Collaborative Research Agreement (CRA) to govern the collaborator’s scope of work. OTT will include sufficient data use language within the CRA.

Data is de-identified when all 18 HIPAA identifiers have been removed from the dataset and it is stripped of all possible identifiable information. None of the 18 HIPAA identifiers can be present in a de-identified dataset.

De-identified data may NOT include identifiable data elements such as full dates (day/month/year), initials or images that include any of the identifiers, but MAY include non-identifiable elements such as sex, race, birth year or age under 90.

Radiological images are considered data and can be de-identified (carefully); please check with Emory IRB if you are uncertain as to whether the images you want to exchange are de-identified.

You may hear the terms “anonymized” or “coded” in reference to data. Anonymized means that the data cannot be tied back to an individual. Coded means that a randomized code has been assigned to each person in the dataset; the party holding the key to the code (the data providing party) may then tie that data back to a patient/subject; the provider of the data must agree not to share the key with the data recipient.

De-identified data can be sub-classified as either anonymized or coded. However, coded may also apply to a Limited Data Set so be careful not to equate “coded” with de-identified.

Emory must ensure data derived from Emory research subjects and patients is used in a manner consistent with its mission and various legal/regulatory requirements. Moreover, data derived from patients and research participants is a valuable Emory asset. De-identified data may only be shared when the below criteria are met.

  • The Emory IRB has determined that a consent or appropriate exemption or waiver is in place to share the data.
  • The data recipient agrees in a written contract that the data will be used for a specific purpose approved by the PI (data holder) and the IRB and that they will not attempt to re-identify the data.

An LDS contains PHI but the type of PHI included is broad enough such that tracing any specific elements back to one individual would be difficult (but not impossible). An LDS can only contain any of the below data elements.

  • Dates of admission, discharge or other services
  • Dates of birth or death
  • Five-digit zip-codes (four digit extensions are not allowed in a LDS) and any geographic subdivision smaller than a state but bigger than a street address, such as county, city, or precinct.

See the FDP Tool for Classifying Human Subjects Data.

Under HIPAA, PHI means any identifiable information included in the 18 HIPAA identifiers list. Sharing full PHI requires participant consent or waiver of authorization from Emory or approved cede IRB.

Prior to sending/receiving patient or participant level data, the Emory IRB (or other IRB of record in the case of a cede review) must be consulted to determine whether a new protocol or protocol amendment is required to exchange the data. If a new protocol or amendment is required, it must be completed prior to a DUA being signed for sending Emory data outside of Emory. If no action is needed, an IRB determination of exemption must be provided to the office signing the DUA.

A new application or amendment to a protocol must be initiated by the PI (and ideally approved by the IRB) prior to the PI requesting a DUA draft or review. The drafting/review of the DUA by the contracting office and the Emory IRB review may proceed in parallel, however, note that the DUA negotiation may be substantially impacted by the results of the IRB review. For example, the IRB may approve a different data type or scope of data than what is described in the DUA draft. Therefore, it is suggested that an Emory IRB approval for the accurate type of data to be shared is obtained (or very far along in the Emory IRB process) before a DUA is initiated. In all cases, a DUA will not be signed until the IRB review has been completed and sharing data has been approved.

If the Emory IRB is withholding final approval until the PI has a DUA in place, forward the IRB preliminary approval to the contracting office to ensure both the approval and DUA can proceed.

Emory OTT handles DUA requests to and from non-profit/academic institutions, industry collaborators, foundation and government entities when data is being shared for research purposes and doesn't involve any transfer of funds.

Data transfer terms and conditions that are encompassed in sponsored agreement/grant are handled by Emory OSP (

Outgoing Data Use Agreements (1) in which the data to be transferred is obtained directly from Emory Healthcare (EHC) records or collected in the principal investigator’s capacity as an EHC clinician and (2) are not encompassed in or pursuant to a current sponsored award and (3) are not under Emory IRB purview are handled by EHC (

Note: Some data sharing requests require review of the Emory Data Governance Committee particularly, but not exclusively, when data is being shared to support commercial development, the data is being used for advance analytical techniques such as deep learning or machine learning, the data set is large, the data set constitutes a large proportion of a dataset regarding a rare disease or rare population, or a dual appointee is leveraging their appointment to transfer data. The Emory contracting office handling this request will direct the PI to this Committee as needed.

First contact the office that handled the sponsor agreement for the research project. For example, if you generated the data under an industry clinical trial agreement (CTA) or a federally sponsored study, contact Emory OSP (

If you want to share data that was generated by an outside party, contact the office that negotiated the original data sharing, or other agreement, with the outside party that provided the data for the original project. The terms must be reviewed by the contracting office to determine if Emory is allowed to sub-share the data.

With many federal data sharing mechanisms, like Genome-Wide Association Study (GWAS)/dbGaP or Centers for Medicaid & Medicare Services (CMS), the data provider requires that each recipient entity must submit their own application to the data provider. Therefore, Emory cannot sub-share the data.

Many data providers insert data security terms within the incoming DUA and will require that these terms are met prior to releasing data to a PI. For example, dbGaP and other National Institutes of Health (NIH) DUAs often contain specific data security terms. Some data holders may also require a Data Security Plan to be included as part of the application for use of the data, such as CMS and Center for Health Information and Analysis (CHIA).

If required, all data security requirements must be reviewed and all data users will ensure that the data security requirements are met through a Data Use Certification or other similar document. The Emory contracting office handling this request will direct the PI regarding data security.

If you are sharing data with a researcher at another Emory affiliate because that person(s) is a collaborator working on your existing protocol, consult with the Emory IRB to ensure that this person(s) is appropriately added as study staff on the protocol. A DUA is likely not required. If you are sharing data with someone at an affiliate, for secondary use, outside of your existing protocol, consult with the Emory IRB ( Your protocol will likely need to be amended, or a new protocol written, to govern the secondary study.

If the individual is hired as an independent contracto,work with the offcie that handled the independent contractor agreement to ensure that data sharing authorization is represented in the consulting/independent contractor agreement.

If the individual is not being onboarded as an independent contractor, a DUA is required. Consult with Emory OTT ( regarding next steps and obtaining the appropriate DUA template and approval.

Please follow the process outlined on the Emory OTT website for transfers under a MTA/DUA. Note that radiological images are NOT considered materials, they are considered data.

There are several data sources available at Emory such as the Emory Healthcare Clinical Data Warehouse or the Center for AIDS Research Registry. To find out more about data available, services, etc. refer to the websites listed below.

There is training specific to the new low risk process in the Emory Brainier site called "Data Use Agreements: Training for the Processing of Low-Risk Outgoing Data Use Agreements (DUA)".

There is also a course in Brainier called "Using Clinical Data within Research."