3 Participation Data Sharing Agreements


Section 3.4 Select

Section 3 Select—Participation Data Sharing Agreements - 1

Participation Data Sharing Agreements

As part of selecting a vendor for your health information exchange (HIE) service or other health information technology (HIT), there will be various agreements you will need to execute.

Time needed: 2 hours
Suggested other tools: Section 6.2 Privacy and Security Risk Analysis

How to Use

1. Identify the nature of legal agreements into which you must enter to acquire and use HIE and other HIT. (The business associate agreement is discussed extensively in Section 6.2 Privacy and Security Risk Analysis.)

2. Consult with legal counsel to ensure that agreements meet your needs.

Types of Legal Agreements

  • Data Use Agreement

A HIPAA requirement for a party to use a limited data set (data that are partially but not fully de-identified) for research, public health, or health care operations. The HIPAA Privacy Rule (available at: provides the specific details of what must be in a data use agreement.

The federal government does not offer a sample data use agreement. A number of examples are available on the Internet by searching “data use agreement.”

A sample Business Associate Contract/Agreement (BAC/BAA) is available from the federal government’s Office for Civil Rights at: This sample agreement provides a number of options for several of the provisions in the agreement and directions on where such options should be included.

  • Data Use and Reciprocal Support Agreement (DURSA)

This is the legal, multi-party trust agreement that is entered into voluntarily by all entities, organizations and federal agencies that want to engage in electronic HIE using an agreed upon set of national standards, services and policies developed in coordination with the Office of the National Coordinator for Health IT (ONC).

The DURSA describes the mutual responsibilities, obligations and expectations of all participants under the agreement. This creates a framework for safe and secure health information exchange, and is designed to promote trust among participants and protect the privacy, confidentiality and security of the health data that is shared.

The DURSA is based upon the existing body of federal, state, and local law covering privacy and security of health information. It supports the current policy framework for health information exchange. The DURSA is intended to be a legally enforceable contract. It reflects consensus among the government and private entities that developed DURSA regarding the following issues:

  • Multi-Party Agreement
  • Participants Actively Engaged in Health Information Exchange
  • Privacy and Security Obligations
  • Requests for Information Based on a Permitted Purpose
  • Duty to Respond
  • Future Use of Data Received from Another Participant
  • Respective Duties of Submitting and Receiving Participants
  • Autonomy Principle for Access
  • Use of Authorizations to Support Requests for Data
  • Participant Breach Notification
  • Mandatory Non-Binding Dispute Resolution
  • Allocation of Liability Risk

For additional information on the DURSA, see:

The current version of the DURSA is available at: FINAL_for%20PARTICIPANT%20SIGNATURE.pdf

  • State or local health information exchange organization (HIO) equivalent of the DURSA.

Each state or other entity establishing an HIO may opt to establish its own form of DURSA, potentially naming it something else and including additional clauses. Ensure that you consult legal counsel as you consider entering into such an agreement. See an example, the CHIC Data Exchange and Support Agreement (DESA) at:

Copyright © 2014 Stratis Health. Updated 03-14-14
