Stony Brook Medicine - Data Use Agreements
Stony Brook Medicine integrates and elevates all of Stony Brook University’s health-related initiatives: education, research and patient care. It includes six Health Sciences schools — Dental Medicine, Health Technology and Management, Medicine, Nursing, Social Welfare, and Pharmacy & Pharmaceutical Sciences — as well as Stony Brook University Hospital, Stony Brook Southampton Hospital, Stony Brook Children’s Hospital and more than 90 community-based healthcare settings throughout Suffolk County. To learn more, visit www.stonybrookmedicine.edu.
Researchers using Stony Brook Medicine (SBM) patient data must complete the Application for Approval to Conduct Research at Stony Brook University Hospital (all Article 28 locations) in accordance with SBM's Limited Data Set/Data Use Agreement Policy RC0034.
Procedures:
- SBUH may use Protected Health Information (PHI) to create a limited data set for disclosures; including but not limited to our business associates, for quality purposes, for regulatory reporting purposes, etc.
- SBUH may disclose a limited data set (LDS), upon receipt of satisfactory assurances from the intended recipient in the form of a Data Use Agreement (DUA). The recipient is permitted to use and/or disclose the data for the specified, limited purposes as set forth in the DUA such as research, public health, etc. (Data Use Agreement can be obtained by contacting the Privacy Officer).
- All research requests to use and/or disclose a LDS require SBU Institutional Review Boards/Privacy Board (Committee on Research Involving Human Subjects - IRB) approval.
- When the request to use and/or disclose a LDS is approved by IRB and a DUA is required for the disclosure to a sponsor the agreement between the sponsor and the Research Foundation contains specific language to permit the disclosure of the LDS to the sponsor. IRB instructs the Principle Investigator (PI) to contact the SBUH Privacy Officer to initiate and implement the DUA.
- When a requested DUA is denied by the SBUH Privacy Officer an appeal may be filed by the requester for review by the HIPAA Privacy and Security Committee and a response to the appeal is sent to the requester with the final determination.
- Any known or suspected violations or a breach of the limitations defined in the DUA by the data recipient are reported without delay to the SBUH Privacy Officer. Reasonable steps are implemented to remedy the breach or mitigate the violation and if unsuccessful, the DUA is terminated and the incident reported to the Secretary to the Department of Health and Human Services. (refer to the HIPAA Privacy/Security Breach Notification policy IM 0067)
- When SBUH is in receipt of a LDS the SBUH recipient(s) abide by the terms and conditions of the DUA executed with the entity disclosing the limited data set.
- The SBUH Privacy Officer is contacted for questions or concerns related to this policy or the use and/or disclosure of a LDS.
Useful tips:
When disclosing/sharing data with a sponsor, collaborator or external data user, and subject consent is obtained, the confidentiality section of the consent must address this disclosure.
When a limited data set is being disclosed/shared with a sponsor, collaborator or external data user, and waiver of consent/authorization for the disclosure is granted, a Data Use Agreement must be implemented to ensure the confidentiality of the data being disclosed.
When disclosing/sharing completely de-identified data in accordance with HIPAA, a Data Use Agreement is not necessary.
The SBM Data Use Agreement template can be obtained from the SBM Chief Privacy Officer by calling 4-5796 or emailing hipaa@stonybrookmedicine.edu.
Incoming Data Use Agreements for researchers in the School of Medicine are reviewed and endorsed by John H. Riley, Jr., Associate Vice President, Health Sciences, Vice Dean, Administration and Finance, Stony Brook University, School of Medicine.
A list of existing Privacy Officers can be accessed by contacting the HIPAA Privacy Office by calling 4-5796 or emailing hipaa@stonybrookmedicine.edu. Privacy Officers act as privacy leaders in their home departments and can answer any related questions. Note that only the SBM Chief Privacy Officer has the authority to endorse DUAs on behalf of Stony Brook Medicine.