2019 n2c2 Shared-Task and Workshop

Data Use and Confidentiality Agreement (DUA) for n2c2/OHNLP Tracks 1 and 2

The following is a preview of the Data Use and Confidentiality Agreement that you will be required to sign for participation in Track 1 and/or Track 2.


MAYO DATA USE AGREEMENT

THIS AGREEMENT is made effective the ________ day of ____________, 20____ (“EFFECTIVE DATE”) by and between ______________________ (Institution name, denoted as “RECIPIENT”) and MAYO CLINIC, a Minnesota nonprofit corporation, on its own behalf and for the benefit of all present and future entities that are legal affiliates of Mayo Clinic, a Minnesota nonprofit corporation (Mayo Clinic and all of its affiliates are herein individually and collectively referred to as “MAYO”). The purpose of this Agreement is to satisfy certain obligations of Mayo under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160-64) (“HIPAA”) to ensure the integrity and confidentiality of Protected Health Information exchanged in the form of a Limited Data Set for the protocol “THYME” (“Protocol”). The data has been collected under Mayo Clinic IRB approval: #17-003030: Open Health Natural Language Processing Collaboratory. The PI at ______________________(Institution) is ______________________ and the PI at Mayo Clinic is Dr. H. Liu.

In consideration of the foregoing and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Recipient and Mayo agree as follows:

  1. Definitions. Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings given them in HIPAA. For convenience of reference, the definitions of "Individually Identifiable Health Information," "Limited Data Set," and “Protected Health Information” as of the Effective Date are as follows:
    1. “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and (i) is created or received by a healthcare provider, health plan, employer, or health care clearinghouse; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
    2. “Limited Data Set” means Protected Health Information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (i) Names; (ii) Postal address information, other than town or city, State, and zip code; (iii) Telephone numbers; (iv) Fax numbers; (v) Electronic mail addresses; (vi) Social security numbers; (vii) Medical record numbers; (viii) Health plan beneficiary numbers; (ix) Account numbers; (x) Certificate/license numbers; (xi) Vehicle identifiers and serial numbers, including license plate numbers; (xii) Device identifiers and serial numbers; (xiii) Web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) Biometric identifiers, including finger and voice prints; and (xvi) Full face photographic images and any comparable images.
    3. “Protected Health Information” means Individually Identifiable Health Information that Recipient receives from Mayo or from a business associate of Mayo or which Recipient creates for Mayo which is transmitted or maintained in any form or medium. “Protected Health Information” shall not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g, or records described in 20 U.S.C. §1232g (a)(4)(B)(iv), or employment records held by Mayo in its role as employer.
  2. Applicability of Terms; Conflicts. As of the Effective Date, this Agreement automatically amends all existing agreements between Recipient and Mayo involving the use or disclosure of a Limited Data Set for the Protocol. In the event of any conflict or inconsistency between a provision of this Agreement and a provision of any other agreement between Recipient and Mayo regarding the Protocol, the provision of this Agreement shall control unless: (i) Mayo specifically agrees to the contrary in writing, or (ii) the provision in such other agreement establishes additional rights for Mayo or additional duties for or restrictions on Recipient with respect to a Limited Data Set, in which case the provision of such other agreement will control.
  3. Obligations and Activities of Recipient
    1. Non-disclosure: Recipient will not use or disclose a Limited Data Set other than as permitted or required by this Agreement or as Required By Law or as otherwise authorized by Mayo.
    2. Safeguards: Recipient will use appropriate safeguards to prevent use or disclosure of a Limited Data Set other than as provided for by this Agreement. Recipient will develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the integrity and confidentiality of and to prevent non-permitted or violating use or disclosure of a Limited Data Set which is transmitted electronically. Recipient will document and keep these safeguards current.
    3. Mitigation: Recipient will mitigate, to the extent practicable, any harmful effect that is known to Recipient of a use or disclosure of a Limited Data Set by Recipient in violation of the requirements of this Agreement.
    4. Reporting: Recipient will report to the Privacy Officer of Mayo, in writing, any use and/or disclosure of a Limited Data Set that is not permitted or required by this Agreement of which Recipient becomes aware. Such report shall be made as soon as reasonably possible but in no event more than five (5) business days after discovery by Recipient of such unauthorized use or disclosure. This reporting obligation shall include breaches by Recipient, its employees, subcontractors and/or agents. Each such report of a breach will: (i) identify the nature of the non-permitted or violating use or disclosure; (ii) identify the Limited Data Set used or disclosed; (iii) identify who made the non-permitted or violating use or disclosure; (iv) identify who received the non-permitted or violating use or disclosure; (v) identify what corrective action Recipient took or will take to prevent further non-permitted or violating uses or disclosures; (vi) identify what Recipient did or will do to mitigate any deleterious effect of the non-permitted or violating use or disclosure; and (vii) provide such other information as Mayo may reasonably request.
    5. Agents and Subcontractors: Recipient will ensure that any agent, including a subcontractor, to whom it provides a Limited Data Set received from, or created or received by Recipient on behalf of, Mayo agrees to the same restrictions and conditions that apply through this Agreement to Recipient with respect to such information.
    6. Identification and Contact of Individuals: Recipient will not identify or attempt to identify the individuals whose Protected Health Information appears in a Limited Data Set. Recipient will not contact or attempt to contact the individuals whose Protected Health Information appears in a Limited Data Set.
    7. Minimum Necessary: Recipient will use only the minimum amount of a Limited Data Set necessary for the Recipient to accomplish the purposes for which the Limited Data Set was disclosed to Recipient.
  4. Permitted Uses and Disclosures by Recipient.
    1. Health Care Operations, Public Health and Research: Except as otherwise limited in this Agreement or any other agreement between Recipient and Mayo, Recipient may use or disclose a Limited Data Set only for purposes of research, public health or Health Care Operations. Further:
      a) no attempt will be made to re-identify the data
      b) the data will be kept in a secure manner, using restricted passwords and encryption
      c) the data will not be redistributed to anyone else outside of Recipient for any purpose and may only be used for the Protocol
  5. Term and Termination
    1. Term. The term of this Agreement shall commence as of the Effective Date, and shall terminate when all of the Limited Data Set(s) provided by Mayo to Recipient, or created or received by Recipient on behalf of Mayo, are destroyed or returned to Mayo, or, if it is infeasible to return or destroy the Limited Data Set(s), protections are extended to such Limited Data Set(s) in accordance with the provisions of this Section 5.
    2. Termination for Cause. As provided in HIPAA, including 45 C.F.R. §164.504(e)(2)(iii), upon Mayo's reasonable determination that Recipient has breached a material term of this Agreement, Mayo shall be entitled to do any one or more of the following:
      a) Give Recipient written notice of the existence of such breach and give Recipient an opportunity to cure upon mutually agreeable terms. If Recipient does not cure the breach or end the violation according to such terms, or if Mayo and Recipient are unable to agree upon such terms, Mayo may immediately terminate any agreement between Mayo and Recipient which is the subject of such breach.
      b) Immediately terminate any agreement between Mayo and Recipient which is the subject of such breach.
      c) Immediately stop all further disclosures of Limited Data Set(s) to Recipient pursuant to each agreement between Mayo and Recipient which is the subject of such breach.
    3. Effect of Termination. Upon receipt of written demand from Mayo, Recipient agrees to immediately return or destroy, except to the extent infeasible, all of the Limited Data Set(s) demanded by Mayo, including all such Limited Data Set(s) which Recipient has disclosed to its employees, subcontractors and/or agents. Destruction shall include destruction of all copies including backup tapes and other electronic backup medium. In the event the return or destruction of some or all such Limited Data Set(s) is infeasible, the Limited Data Set(s) not returned or destroyed pursuant to this paragraph shall be used or disclosed only for those purposes that make return or destruction infeasible.
    4. Continuing Privacy Obligations. Recipient’s obligation to protect the privacy of the Limited Data Set(s) is continuous and survives any termination, cancellation, expiration, or other conclusion of this Agreement or any other agreement between Recipient and Mayo.
  6. Notices. All notices pursuant to this Agreement must be given in writing and shall be effective when received if hand-delivered or upon dispatch if sent by reputable overnight delivery service, facsimile or U.S. Mail to the appropriate address or facsimile number as set forth on the last page of this Agreement.
  7. Miscellaneous. Recipient and Mayo agree that individuals whose Protected Health Information appears in a Limited Data Set are not third-party beneficiaries of this Agreement. In the event that any provision of this Agreement violates any applicable statute, ordinance or rule of law in any jurisdiction that governs this Agreement, such provision shall be ineffective to the extent of such violation without invalidating any other provision of this Agreement. This Agreement may not be amended, altered or modified except by written agreement signed by Recipient and Mayo. No provision of this Agreement may be waived except by an agreement in writing signed by the waiving party. A waiver of any term or provision shall not be construed as a waiver of any other term or provision. Nothing in Section 3 of this Agreement shall be deemed a waiver of any legally-recognized claim of privilege available to Recipient. The persons signing below have the right and authority to execute this Agreement for their respective entities and no further approvals are necessary to create a binding agreement. Neither Mayo nor Recipient shall use the names or trademarks of the other party or of any of the respective party’s affiliated entities in any advertising, publicity, endorsement, or promotion unless prior written consent has been obtained for the particular use contemplated. All references herein to specific statutes, codes or regulations shall be deemed to be references to those statutes, codes or regulations as may be amended from time to time. This Agreement may be executed in any number of counterparts which, when taken together, will constitute one original, and photocopy, facsimile, electronic or other copies shall have the same effect for all purposes as an ink-signed original.

RECIPIENT

Institution: ______________________________________________

By: ______________________________________________________

Its: ______________________________________________________

Address for notices:

Attn: ____________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
Phone: __________________________________________________
Fax: _____________________________________________________

MAYO

Institution: Mayo Clinic

By: Virginia M. Bruce

Its: Director, Legal Contract Administration

Address for notices:

Mayo Privacy Officer
200 First Street SW
Rochester, MN 55905

Copy to:

Mayo Clinic Legal Department
200 First Street SW
Rochester, MN 55905
Phone: (507) 284-8707
Fax: (507) 284-0929

