When is a DUA Needed?

Generally speaking, a DUA is needed any time confidential information (data) is exchanged between entities.* A DUA provides assurances to the institution releasing the data that the data will be protected and will be used only for a specific purpose. This is especially important when the data being exchanged is subject to HIPAA regulations.

Certain entities, including NIH and the International Cancer Genome Consortium, require that a DUA be executed before granting a researcher access to their databases. These Data Access Agreements do not require any negotiation, but they do require institutional approval. For this reason, the process for obtaining institutional approval is the same as for other DUAs.

When applicable, IRB Approval is required before a DUA will be signed at the institution level.

Data Use / Data Access Agreements address issues such as:

  • Publication Rights and Authorship Requirements
  • Data Security/ Data Protection Obligations
  • HIPAA Compliance
  • Permitted Uses of the Data
  • Reporting Requirements
  • Sponsor’s Audit Rights
  • Termination of an Agreement

*PLEASE NOTE: When a VCU investigator is receiving HIPAA-covered data from the VCU Health System via a Limited Data Set, a different type of DUA is needed. That agreement is executed between the PI and the VCU IRB. It can be found on the VCU IRB website.