A Data Use Agreement (DUA) is a legally binding contract that establishes the specific terms, conditions, and permitted uses for a shared dataset, typically involving limited datasets or de-identified data exchanged between a data provider and a data recipient. Unlike a broad data sharing agreement, a DUA strictly prohibits the re-identification of individuals and explicitly defines the authorized research scope, ensuring compliance with regulations like the HIPAA Privacy Rule.
Glossary
Data Use Agreement

What is a Data Use Agreement?
A Data Use Agreement (DUA) is a legally binding contract that governs the terms, conditions, and permitted uses of a limited or de-identified dataset shared between institutions for research purposes.
In the context of federated clinical analytics, a DUA is a foundational governance instrument that legally codifies the boundaries of a distributed query or computation. It specifies the permitted analytical methods, the required privacy-preserving computation techniques, and the intellectual property rights over derived aggregate statistics, effectively transforming a handshake between institutions into an auditable, enforceable compliance framework.
Core Components of a Data Use Agreement
A Data Use Agreement (DUA) is a legally binding contract that governs the terms, conditions, and permitted uses of a limited or de-identified dataset shared between institutions for research purposes. The following components define the operational boundaries for federated clinical analytics.
Data Elements and De-Identification Standards
Specifies the exact data fields covered by the agreement and the required de-identification methodology. This section defines whether the dataset meets the HIPAA Safe Harbor method (removal of 18 specific identifiers) or the Expert Determination standard. It explicitly lists permitted data elements such as structured diagnosis codes, laboratory results, and imaging metadata while prohibiting the inclusion of direct identifiers like names, medical record numbers, and full ZIP codes.
Permitted Uses and Research Scope
Defines the specific research purposes for which the data can be utilized, prohibiting repurposing without amendment. This clause binds the recipient to a precise protocol, such as federated cohort discovery for a specific disease phenotype or federated survival analysis for a defined treatment pathway. Any attempt to re-identify individuals, link the data to other datasets without authorization, or use it for commercial product development outside the agreed scope constitutes a material breach.
Data Security and Access Controls
Mandates the technical safeguards required to protect the dataset from unauthorized access, use, or disclosure. Requirements typically include:
- Encryption at rest and in transit using FIPS 140-2 validated modules
- Role-based access controls limiting data visibility to named investigators
- Audit logging of all data access events
- Prohibition of storage on personally owned devices or unsecured cloud environments
Publication and Intellectual Property Rights
Establishes the terms for disseminating research findings derived from the data. This section balances the provider's interest in confidentiality review with the recipient's academic freedom to publish. It typically grants the data provider a period (e.g., 30 days) to review manuscripts for inadvertent disclosure of proprietary information or potential re-identification risks before submission, while explicitly preventing the provider from blocking publication of unfavorable results.
Term, Termination, and Data Disposition
Defines the agreement's duration and the legally required actions upon expiration or termination. The recipient must certify the irreversible destruction or secure return of the dataset and all derivative copies. This clause often requires a formal written confirmation from the recipient's institutional official, and may specify that the provider retains the right to audit compliance with data disposition obligations.
Liability, Indemnification, and Breach Notification
Allocates risk between the parties in the event of a data security incident or unauthorized use. The recipient assumes liability for its own violations and must agree to immediate notification (often within 24-48 hours) of any suspected breach. This section requires the recipient to cooperate fully with the provider's incident response, forensic analysis, and mandatory reporting obligations to regulatory bodies such as the Office for Civil Rights (OCR).
Frequently Asked Questions
Essential questions about the legal frameworks governing shared clinical data in federated research networks.
A Data Use Agreement (DUA) is a legally binding contract that governs the terms, conditions, and permitted uses of a limited or de-identified dataset shared between institutions for research purposes. In the context of federated clinical analytics, the DUA is the foundational legal instrument that makes multi-site collaboration possible without centralizing protected health information (PHI). It strictly defines the permitted purpose—such as federated cohort discovery or survival analysis—and explicitly prohibits re-identification of patients, linking the data to other sources, or using it for non-approved commercial purposes. Without a properly executed DUA, the transfer of even de-identified limited datasets between covered entities would violate HIPAA regulations, as the agreement establishes the administrative, physical, and technical safeguards required by the Privacy Rule. The DUA also allocates liability, specifies breach notification timelines, and dictates data destruction schedules upon project completion.
DUA vs. Business Associate Agreement (BAA)
Key distinctions between a Data Use Agreement governing limited datasets for research and a HIPAA-mandated Business Associate Agreement governing protected health information processing by vendors.
| Feature | Data Use Agreement (DUA) | Business Associate Agreement (BAA) |
|---|---|---|
Governing Regulation | HIPAA Privacy Rule (45 CFR §164.514(e)) | HIPAA Privacy & Security Rules (45 CFR §164.504(e)) |
Primary Purpose | Governs sharing of limited datasets for research, public health, or healthcare operations | Governs PHI processing by vendors performing functions on behalf of a covered entity |
Data Type Covered | Limited Data Set: excludes 16 direct identifiers but may include dates, geography, and unique codes | Protected Health Information (PHI): includes all 18 HIPAA identifiers |
Parties Involved | Covered entity to researcher or another covered entity | Covered entity to business associate (vendor, contractor, service provider) |
Permitted Uses | Research, public health activities, healthcare operations only | Treatment, payment, healthcare operations, or services specified in the agreement |
Re-identification Prohibition | ||
Required by Law for Data Sharing | ||
Requires Individual Authorization |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A Data Use Agreement (DUA) sits at the intersection of law, privacy, and clinical analytics. These related terms define the technical and regulatory infrastructure required to execute a DUA in a federated research network.
Limited Data Set (LDS)
A stripped-down clinical dataset defined by the HIPAA Privacy Rule that excludes 16 specific direct identifiers of the patient, relatives, employers, or household members. Key characteristics include:
- Retains: Dates of admission, discharge, birth, and death; city, state, and 5-digit ZIP code.
- Excludes: Names, street addresses, phone numbers, social security numbers, and full-face photographs.
- Purpose: An LDS is the specific data object governed by a Data Use Agreement, allowing research without individual authorization.
Honest Broker System
A neutral intermediary software architecture that de-identifies clinical data before it is released to researchers or federated networks. The honest broker:
- Strips direct identifiers to create a Limited Data Set or fully de-identified data.
- Maintains a secure mapping key to re-identify data if clinically necessary.
- Enforces the terms of the Data Use Agreement by acting as a technical gatekeeper, ensuring only permitted data elements leave the institution's firewall.
Institutional Review Board (IRB)
An administrative body established to protect the rights and welfare of human research subjects. The IRB reviews research protocols to ensure ethical compliance. In the context of a Data Use Agreement, the IRB often determines whether the proposed use of a Limited Data Set qualifies for an exemption or requires a waiver of authorization, directly influencing the permitted uses specified in the DUA.
HIPAA Safe Harbor Method
A precise de-identification standard requiring the removal of 18 specific identifiers from health data. Unlike a Limited Data Set, Safe Harbor data contains no dates or geographic subdivisions smaller than a state. Data de-identified via this method is no longer considered PHI and is not subject to a Data Use Agreement or HIPAA regulations, making it a preferred format for purely statistical federated queries where temporal precision is not required.
Data Provenance
The documented lineage of a dataset that records its origin, transformations, and chain of custody. In federated clinical analytics, robust data provenance is critical for enforcing a Data Use Agreement because it:
- Audits that only approved algorithms touched the data.
- Verifies that data was not re-identified or cross-linked.
- Provides an immutable record for regulatory compliance reporting.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us