Low Risk Outgoing Data Use (Transfer) Agreements

Overview

Emory OTT is responsible for the processing of all outgoing data use (transfer) agreements (DUA/DTA) on behalf of Emory University. In an effort to simplify the approach to executing some of these DUAs there is a classification which can be considered low-risk. The criteria and process for executing these low-risk outgoing data use agreements is outlined below. The benefits of this approach is the reduced turnaround time, which is estimated to be 1-2 days if Emory OTT receives a complete and accurate package from our faculty partner. Additionally, the PI is able to gain more control over the process and timeline.

Low-Risk Criteria

  • The recipient type is a non-profit U.S. entity.
  • The Institutional Review Board has reviewed and approved the data exchange (or provided an exemption determination) and confirmed the data type below.
  • The data type is either De-Identified or Limited Data Set per the criteria below.
    • De-identified: In order to qualify as fully de-identified, all of the 18 HIPAA identifiers listed below (referred to as “Protected Health Information” or “PHI”) that could be used to identify the individual or the individual's relatives, employers, or household members must be removed and also there must have been no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information.
      • Names
      • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census, is either of the below.
        • The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
        • The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
      • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
      • Telephone numbers
      • Facsimile numbers
      • Electronic mail addresses
      • Social security numbers
      • Medical record numbers
      • Health plan beneficiary numbers
      • Account numbers
      • Certificate/license numbers
      • Vehicle identifiers and serial numbers, including license plate numbers
      • Device identifiers and serial numbers
      • Web universal resource locators (URLs)
      • Internet protocol (IP) address numbers
      • Biometric identifiers, including fingerprints and voiceprints
      • Full-face photographic images and any comparable images
      • Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
    • Limited Data Set: Can ONLY contain the below elements of PHI
      • Dates of admission, discharge or other services
      • Dates of birth or death
      • Exact age over 89 (exact age 89 and under is considered de-identified)
      • Five-digit zip-codes (four-digit extensions are not allowed in a LDS)
      • Any geographic subdivision such as county, city, or precinct but not street addresses (See the FDP Tool for Classifying Human Subjects Data)
  • The details of the data exchange meet all of the below criteria listed below.
    • Data does NOT represent a majority of data available for that condition or patient population.
    • Data is NOT being accessed by any industry/for-profit party.
    • Data is NOT being used for machine learning/artificial intelligence purposes.
    • Data is NOT being used to develop or improve tangible intellectual property (IP) such as a patentable invention, medical device, or software.
    • Data is NOT being sent to a registry.
    • Data is NOT being exchanged as part of an existing collaboration/funding agreement with the Recipient.
    • PI is NOT the same on both sides of the DUA.
    • Data is NOT from more than 10,000 distinct patients or subjects.
    • Data is NOT derived from a third party (i.e., the data is only Emory patients/subjects).
    • Data transmittal is NOT restricted by a third party (i.e., an industry sponsor).
    • Data is NOT being actively gathered in an intervention/interaction clinical research.

If the Criteria 1-4 above is not met, the PI, or their designated representative, must complete an outgoing DUA questionnaire form found in Emory OTT contractConnect.

Low-Risk Process

  1. Emory PI may need to obtain determinations from the Emory IRB in order to send data to the recipient. On the IRB website page under "Access the Non-human Subject Research Determination Form" or contact the IRB office for more information: irb@emory.edu.
  2. Download either the FDP DTUA de-identified for PIs or FDP DTUA LDS for PIs template, depending on the data type.
  3. Complete the open template fields using the directions provided; PIs must validate the completed DUA.
  4. DO NOT SIGN THE DUA. Send the draft DUA to the Recipient for Recipient's institutional signature if any questions arise as to how to complete the template or regarding changes to terms, contact ott-mta@emory.edu.
  5. Prior to the PIs first submission of a Low-Risk DUA, they must take the Low-Risk DUA Training in the Emory Brainier and print the completion certificate for inclusion with attestation form.
  6. Emory PI's will then log into Emory OTT contractConnect to complete the Low-Risk DUA Attestation Form, upload the partially executed DUA, and the training certificate from Brainier.
  7. Based on the attestation form, OTT will sign, and return a copy of the fully executed agreement to all parties.

Additional Resources