Within the Division of Research, Research Agreements and Contracting (RAC) facilitates review and approval of DUAs, including modifications to previously executed agreements. RAC is also responsible for informing the appropriate parties of any breaches of security or unauthorized access to data as reported by the Brown research team or Information Technology.  

Additionally, RAC supports the Brown research community by providing guidance, education and resources to facilitate the conduct of ethical research in accordance with governing federal and state regulations and University policies. For more information, contact researchcontracts@brown.edu.

RAC centrally manages the administrative procedures for DUAs that involve research data, with one exception. Brown’s School of Public Health (SPH) leadership has authorization to review DUAs for Centers for Medicare and Medicaid Services data when such data are being used for an SPH research project. SPH then submits the agreement to RAC for approval and signature.

The Brown principal investigator (PI) is responsible for compliance with Brown University’s DUA review and signature procedures as well as the data protection and use requirements outlined in the agreement. Overall PI responsibilities include: 

• Ensure that the agreement is reviewed and signed by the appropriate institutional official using established submission channels 
• Approve the final language of the agreement by co-signing the agreement and acknowledging all PI and other research team members’ responsibilities as indicated by the agreement
• Ensure that all research team members are aware of and comply with their responsibilities under the agreement
• Administer or otherwise arrange for any required training set forth in the DUA and retain records documenting such training
• Ensure that an Institutional Review Board (IRB)-approved protocol is in place to cover the work if it involves human subjects, including facilitating an amendment to an existing IRB-approved protocol, when needed, to add the incoming data to the project
• Work with the appropriate departmental information technology (IT) support consultant, as needed, to identify the appropriate data risk level and adhere to all data security, storage and destruction requirements of the DUA
• As necessary, promptly notify their respective IT support consultant or IT contact who manages access to the data in the event of any changes in composition of the study team 

When the DUA lists specific research team members with access to the data, the PI must also promptly notify RAC of any changes to the research team to facilitate an amendment to the agreement, if needed.

Each research team member accessing the data is responsible for meeting and complying with the specific DUA security, confidentiality and access requirements.

In some instances, research team members must sign security pledge agreements within a DUA acknowledging obligations related to use of the data. It is each research team member’s personal responsibility to adhere to any security and/or confidentiality agreements signed in an individual capacity; 

Research team members shall promptly notify the appropriate parties (the PI, Brown Technology Innovations and Information Technology) if they become aware of any breaches of security or unauthorized data access.

Researcher team members are not authorized to sign agreements on behalf of the University.

The Brown data requester may be the Brown PI or a member of the Brown research team. This individual initiates the DUA Request Form and corresponds with RAC to provide additional information, as needed, to facilitate review and negotiation of the agreement.

The recipient data requester is typically an external researcher collaborating with a Brown PI on a research study in which there is a request to access or receive data to be provided by Brown.

The data provider is an entity or individual seeking to transfer data or enable access to data that has certain restrictions associated with its use, thereby necessitating a DUA. It is the data provider’s responsibility to establish an agreement outlining terms and conditions for data sharing.

The vice president for research is authorized to enter into research agreements, including DUAs, on behalf of the University. All agreements will be executed by the vice president for research or their designee(s) once all terms are negotiated to the satisfaction of the University.

RAC may consult with the Office of General Counsel (OGC), if necessary, to negotiate legal terms in a DUA. If the data provider is a foreign government or the data being provided to Brown are subject to the General Data Protection Regulation, the PI should be prepared for the agreement to undergo OGC review.

RAC may also consult with the Strategic Procurement and Contracts (SPC), if necessary, to review insurance terms embedded within DUAs.

RAC consults with the Office of Information Technology (OIT) to ensure that data security requirements set forth in the DUA related to processes and systems that will be used to transfer, access, store and destroy the data can be met by Brown.

The Brown data requester may also consult with OIT to determine the appropriate data risk classification level for their research data and verify their ability to meet the minimum security standards as set forth in the DUA. 

OIT also supports the use of Stronghold for risk Level 3 data. Stronghold is a secure computing and storage environment that enables Brown researchers to analyze sensitive data while complying with regulatory or contractual requirements.

The University Library helps faculty and student researchers with writing data management and sharing plans for sponsored research proposals and with digital curation. It assists researchers with retaining data by documenting and depositing data sets in long-term repositories for public discovery, access and reuse.

Aggregate data is data that has been gathered, processed and expressed in a summary or report form for reporting purposes such as making comparisons, predicting trends or other statistical analyses. Aggregate data is collected from multiple sources and/or measures, variables or individual human subjects. Since aggregate data is the consolidation of data from multiple sources, it is typically not able to be traced back to a specific human subject.

Anonymous data cannot be linked directly or indirectly by anyone to their source(s). Personally identifiable information was not collected or, if it was collected, identifiers were not retained and cannot be retrieved.

When referring to a study participant, “authorization” indicates an individual’s written permission to allow a HIPAA-covered entity to use or disclose specified protected health information for a particular purpose. Authorization states how, why and to whom the protected health information will be used and/or disclosed for research and seeks permission for that use or disclosure. This term in this context is specific to data use agreements covering protected health information. 

This term may also be used in the more general sense of permission, for instance, an authorization by one party of the DUA to allow the other party to provide the data to additional third parties. Care should be taken to establish the appropriate context when using this term. 

Per the U.S. Code of Federal Regulations (45 CFR § 160.103), a business associate is a person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of protected health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. 

Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity where performing those services involves disclosure of protected health information by the covered entity or another business associate of the covered entity to that person or entity. Special attention should be paid to the term “on behalf of” in the definition. 

Academic institutions are rarely business associates because the term is not applicable to collaborative relationships.

The business associate agreement contractually defines the rights and responsibilities between a covered entity and a business associate that would not otherwise be bound by HIPAA. A business associate agreement or contract is not appropriate when a covered entity is disclosing protected health information to a noncovered entity (like Brown) for use in a research project. 

With coded data, direct personal identifiers have been removed from the data and replaced with words, letters, figures, symbols or a combination of these (not derived from or related to the personal information) for purposes of protecting the identity of the source(s). The original identifiers are retained in such a way that they can be traced back to the source(s) by someone with the code. A code is sometimes also referred to as a “key,” “link” or “map.” 

Information Technology has classified its information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. It is the data and service owner’s responsibility to ensure appropriate security measures are taken depending on the risk classification.

With de-identified data, all direct personal identifiers are permanently removed from the data, no code or key exists to link the data to their original source(s), and the remaining information cannot reasonably be used by anyone to identify the source(s). Protected health information is de-identified when it does not contain any of the 18 identifiers specified by the HIPAA Privacy Rule at 45 CFR Part 164 (or has been determined to be de-identified by a statistician in accordance with the standards established by the Privacy Rule).

The Family Educational Rights and Privacy Act (FERPA) is a federal U.S. law that protects the privacy of student education records.

FERPA

The General Data Protection Regulation (GDPR) is a European law that went into effect on May 25, 2018, and establishes protections for privacy and security of "personal data" about individuals in European Economic Area (EEA)-based operations and certain non-EEA organizations that process personal data of individuals in the EEA. 

This law applies in the U.S. for activities involving identifiable information if personal data is being collected from one or more research participants physically located in the EEA at the time of data collection, regardless of whether the individual is an EEA resident. It also applies to activities involving the transfer of personal data collected under the GDPR from an EEA country to a non-EEA country (like the U.S.). 

DUAs with GDPR-related terms (such as “data controller” or “data processor”) will take longer to negotiate and execute and will be referred to Brown General Counsel for review. 

A limited data set is defined as health information that excludes certain direct identifiers.

HIPAA Privacy Rule limited data set provisions requiring the removal of direct identifiers apply both to information about the individual and to information about the individual's relatives, employers or household members. 

The following identifiers must be removed to qualify as a limited data set: 

• names
• postal address information, other than town or city, state and zip code
• telephone numbers
• fax numbers
• email addresses
• Social Security numbers
• medical record numbers
• health plan beneficiary numbers
• account numbers
• certificate/license numbers
• vehicle identifiers and serial numbers, including license plate numbers
• device identifiers and serial numbers
• web URLs
• Internet Protocol (IP) address numbers
• biometric identifiers, including finger and voice prints
• full-face photographic images and any comparable images
• any other unique identifying number, characteristic or code except as specifically permitted by HIPAA

A limited data set may include the following information:

• dates such as admission, discharge, service, date of birth and date of death
• city, state and zip code
• age in years, months, days or hours

Personally identifiable information can be used to distinguish or trace an individual’s identity and includes:

• name (full name, maiden name, mother’s maiden name or alias)
• Social Security number
• date and place of birth
• mother’s maiden name 
• biometric records
• passport or driver’s license number
• taxpayer identification number
• patient identification number
• financial account or credit card numbers

Personally identifiable information also includes any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information. 

If the information cannot be linked to a living individual, is considered public or is given with the expectation that it will be made public and that it will be linked to the individual (e.g., biography or news story), then it is not considered private identifiable information. 

When allowing access to personally identifiable information, care should be taken that the data or combination of data elements when linked (i.e., taken in combination) do not allow the individual to be distinguished or traced.

Under the HIPAA Privacy Rule, "protected health information" is considered to be individually identifiable information relating to the past, present or future health status of an individual that is created, collected, transmitted or maintained by a HIPAA-covered entity in relation to the provision of health care, payment for health care services, or use in health care operations. Information is only considered protected health information when an individual could be identified from the information. 

Personal health information includes one or more of the identifiers listed under Personally Identifiable Information. If these identifiers are removed, the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.

Sensitive information has the potential to damage an individual’s reputation, employability, financial standing or educational advancement; place them at risk for criminal or civil liability; etc.