Data Use Agreement Project Glossary of Terms


Accounting of Disclosures
Business Associate
Business Associate Agreement (or Business Associate Contract)
Classified Information
Clinical Study
Code of Federal Regulations (CFR)
Coded Data
Common Rule
Confidential Disclosure Agreements
Covered Entity
Data Classification
Data Classification, Government Designations
Data Use Agreement (DUA)
Data Breach
Federal Acquisition Regulations (FAR)
Fair Credit Reporting Act
Fair Information Practices (and Fair Information Practices Principles)
Federal Food, Drug and Cosmetic Act
Federal Register
Food and Drug Administration (FDA)
Foreign Corrupt Practices Act
Health Care Clearinghouse
Health Care Provider
Health Information
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Human Subject
Human Subjects Review Board
Hybrid Entity
Institutional Review Board (IRB)
Limited Dataset
Material Transfer Agreement (MTA)
Non-Disclosure Agreement
Open Access (OSTP Policy)
Personal Data
Principal Investigator: (PI)
Privacy Board
Protocol Amendment
Protected Health Information (PHI)
Public Access
Record retention
Regulatory Authorities
Research data
Selection Bias
Sensitive Human Subjects Data
Sensitive data
Vulnerable populations
Waiver of Authorization


Accounting of Disclosures: This provision of the Privacy Rule gives individuals the right to receive a list of certain disclosures that a covered entity has made of their protected health information in the past 6 years, including disclosures made for research purposes. (AOD). This term is specific to data use agreements covering protected heath information.

Authorization: When referring to a study participant an individual’s written permission to allow a covered entity to use or disclose specified protected health information (PHI) for a particular purpose. Authorization states how, why, and to whom the PHI will be used and/or disclosed for research, and seeks permission for that use or disclosure. This term in this context is specific to data use agreements covering protected health information. This term may also be used in the more general sense of permission, for instance an authorization by one party of the data use agreement to allow the other party to provide the data to additional third parties. Care should be taken to establish the appropriate context when using this term.

Back to top


Business Associate: Per 45CFR§160.103, a person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of protected health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of protected health information by the covered entity or another business associate of the covered entity to that person or entity. Special attention should be paid to the term “on behalf of” in the definition. Academic Institutions are rarely Business Associates since the term is not applicable to collaborative relationships.

Business Associate Agreement (or Business Associate Contract): An agreement that contractually defines the rights and responsibilities between a covered entity and a Business Associate that would not otherwise be bound by HIPAA. A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). ( A Business Associate Agreement or Contract is not appropriate when a covered entity is disclosing PHI to another entity for use in a research project.

Back to top


Classified Information: Per FAR clause 2.101, “Classified information” means any knowledge that can be communicated or any documentary material, regardless of its physical form or characteristics, that: (1) is owned by, is produced by or for, or is under the control of the United States Government or has been classified by the Department of Energy as privately generated restricted data following the procedures in 10 CFR 1045.21; and (2) Must be protected against unauthorized disclosure according to Executive Order 12958, Classified National Security Information, April 17, 1995, or classified in accordance with the Atomic Energy Act of 1954. See also Data Classification.

Clinical Study: A research study using human subjects or data from living human subjects to evaluate the effect of interventions or exposures on biomedical or health-related outcomes. Two types of clinical studies are interventional studies (or clinical trials) and observational studies.

Code of Federal Regulations (CFR): A codification of the general and permanent rules published in the Federal Register by the Executive departments and agencies of the Federal Government in the United States. Coded Data: See Data Classification

Common Rule: The federal rule that governs most federally funded research conducted on living human subjects and aims to ensure that the rights of human subjects are protected during the course of a research project, historically focusing on protection from physical and mental harm by stressing autonomy and consent.

Confidentiality: When referring to a study participant addresses the issue of how personal data that have been collected for one approved person may be held and used by the organization that collected the data, what other secondary or further uses may be made of the data, and when the permission of the individual is required for such uses. This term in this context is specific to data use agreements covering protected health information. This term may also be used in the more general sense of limiting access, for instance the providing party of the data use might want to stress the confidentiality of data relating to a pending patent request. Care should be taken to establish the appropriate context when using this term.

Confidential Disclosure Agreements: See Non-Disclosure Agreement

Covered Entity: Per 45 CFR § 160.103, A health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard. Note: This term is specific to data use agreements covering protected health information (PHI).

Back to top


Data Classification: government or legal classifications for certain types of data and information. Government may elect through legislation or practice to codify certain groups of data by classifying them to facilitate consistent data management in accordance with government expectations and needs. Data Classification, HIPAA: HIPAA (defined under H) requires entities performing a covered function to identify and classify data based on these identifiers:
1. names (including initials),
2. geographic location smaller than a state (i.e. address),
3. any dates specific to an individual except year (i.e. date of birth, hospital admission and discharge dates, date of death, et cetera) and for those over 89 must aggregate into a single category of age 90 or older any year that might be indicative of age;
4. telephone numbers;
5. fax numbers;
6. e-mail addresses;
7. social security number;
8. medical record number;
9. health plan number;
10. account numbers of any kind;
11. certificate or license number(s);
12. Vehicle identifiers and serial numbers, including license plates;
13. device identifiers and/or serial numbers;
14. web URLs;
15. IP addresses,
16. biometric identifiers,
17. photographic images;
18. and any other unique identifier. Data Classification, Government Designations:

Controlled Unclassified Information (CUI) is information that laws, regulations, or government-wide policies require to have safeguarding or dissemination controls, excluding classified information.

Sensitive but Unclassified (SBU) means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled, but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. (32 CFR 149.3)

Controlled Technical: technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination. This could include information that is transferred out of the U.S. or within the U.S. to a foreign person (“deemed export”). Export-Controlled Information is controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Controlled Unclassified Information - (CUI): is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Data Use Agreement (DUA): is a contractual agreement used to define how access to and/or exchanged data may be used. The primary consideration is the protection of protected health data (PHI) in accordance with HIPAA Regulations (45 CFR Part 160-164). However, DUAs can be used in other situations where the exchange of data is necessary, and the agreement should be modified accordingly.
The DUA details:
1. Permitted use(s) and disclosure of the data, primarily thought publication of research results of the provided data and sets forth the data recipient’s responsibilities with respect to them.
2. Establishes a term for the use of the provided data and conditions which would be considered to breach the agreement.

A DUA should always be put in place when: the data to be transferred is from human subjects; and or The Data to be transferred is HIPAA protected. Please note that if the data to be provided is completely de-identified and there is no means to re-identify, a DUA is not needed. To meet this qualification the data must be stripped of the data elements cited above in personally identifiable information. If the data contains any of these identifiers, then a DUA must be in place. DUA’s must also be in place if sponsored funding was involved and there are data ownership and/or dissemination requirements.

Data Breach: Back to top



Federal Acquisition Regulations (FAR): The Federal Acquisition Regulations System is established for the codification and publication of uniform policies and procedures for acquisition by all executive agencies. The Federal Acquisition Regulations System consists of the Federal Acquisition Regulation (FAR), which is the primary document, and agency acquisition regulations that implement or supplement the FAR.

Fair Credit Reporting Act: The Fair Credit Reporting Act (FCRA) is a federal law that regulates how consumer reporting agencies use personal information. In many ways, the FCRA is designed to help consumers understand their rights.

Fair Information Practices (and Fair Information Practices Principles): Guidelines developed by the FTC that focus on individuals’ right to control the collection, use, and disclosure of information, and imposing affirmative responsibilities to safeguard information on those who collect it. Core principles include: notice/awareness; choice/consent; access/participation; integrity/security; enforcement/redress.

Federal Food, Drug and Cosmetic Act: Legislation passed in the United States in 1938 to specifically give authority to the Food and Drug Administration to oversee the safety of food, drugs, and cosmetics. Under this legislation manufacturers were required to test drugs for safety and present the evidence of safety testing to the FDA prior to marketing.

Federal Register: The official daily publication in the United States for federal rules, proposed rules, and notices of federal agencies and organizations, as well as Executive Orders and Presidential Documents.

Federal Information Security Management Act of 2002 ("FISMA") provides information security standards for resources that support federal operations and assets.

Food and Drug Administration (FDA): An agency of the U.S. government in the Department of Health and Human Services with the primary purpose of protecting citizens against harmful, unsanitary, or falsely labeled foods, drugs, cosmetics, or therapeutic devices; responsible for the approval of all new drugs and for the final product labeling; also responsible for reviewing safety data for marketed drugs. Food and Drug Administration Amendments Act, Section 801 (FDAAA 801): Section 801 of U.S. Public Law 110-85, enacted on September 27, 2007, which amends Section 402 of the U.S. Public Health Service Act to expand the clinical study registry known as and create a clinical study results database. Actual law:

Foreign Corrupt Practices Act: The Foreign Corrupt Practices Act of 1977 (amended 1988 and 1998) contains rules prohibiting bribery of foreign officials.

FTC: The Federal Trade Commission (FTC) is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, which has responsibility for advancing competition and protecting consumers.

Back to top



Health Care Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Health Care Provider: A provider of services (as defined in Section 1861(u) of HIPAA, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in Section 1861(s) of HIPAA, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Information: Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): A Federal Act that requires, among other things, under the Administrative Simplification subtitle, the adoption of standards for protecting the privacy and security of personally identifiable health information.

Human Subject: means a living individual about whom an investigator (whether professional or student) conducting research obtains
1. data through intervention or interaction with the individual, or
2. identifiable private information

Human Subjects Review Board: see Institutional Review Boards

Hybrid Entity: A single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be business associates of one or more of its health care components, depending on the nature of the relationship.

Back to top


Institutional Review Board (IRB): “An administrative body established to protect the rights and welfare of human research subjects recruited to participate in research activities conducted under the auspices of the institution with it is affiliated. The IRB has the authority to approve, require modification in, or disapprove all research activities that fall within its jurisdiction as specified by both the federal regulations and local institutional policy” (Department of Health and Human Services IRB Guidebook). (IRB, IRBs)

Investigator – see Principal Investigator

Back to top




Limited Dataset: See Data Classification

Back to top


Material Transfer Agreement (MTA): is a contract, generally without funding, which provides a legal framework to govern the exchange of research materials between academic, government, and commercial organizations. The types of materials transferred under MTAs may include anything from software to cell lines, cultures, plasmids, nucleotides, proteins, bacteria, pharmaceuticals, chemicals, and other proprietary physical materials and transgenic animals. MTAs are important because they delineate the rights, obligations, and restrictions of both the providing and receiving scientists with respect to issues such as: See also UBMTA

It’s possible that a project could require both a DUA and an MTA. If your institution allows for it, the terms can be combined into a single agreement. If this is done, please ensure terms covering both types of transfers are included.

Metadata: is used to describe data so that it can be easily retrieved from a larger database or data set. There are many metadata standards to choose from which are subject driven. One example is the DDI Data Document Initiative, designed to document numeric data files used in the social and behavioral sciences. When thinking about collecting data the Investigator should consider developing a hierarchy that will allow them to sort the data into its most meaningful categories. Some common metadata categories are listed below. Misconduct: means fabrication, falsification or plagiarism in proposing, performing, or reviewing research, or in reporting research results. Fabrication is making up data or results and recording or reporting them. Falsification is manipulating research materials, equipment, or processes, or changing or omitting data or results such that the research is not accurately represented in the research record. Plagiarism is the appropriation of another person's ideas, processes, results, or words without giving appropriate credit. Central to the review and evaluation of allegations of research misconduct due to fabrication or falsification of data is the ability to have access to the original data from the research. IHE’s share with their research investigators the responsibility for ensuring that research records are accessible and complete. The research data for any project must be kept for a period of 5 years beyond the end of the project. Unavailable, incomplete, or inaccurate research data is frequently cited in findings of research misconduct. Research investigators also share with the IHE the responsibility for ensuring the integrity and objectivity of research conducted at their institution. Accordingly, proper data management is critical. Click here for access to: The University of Tennessee policy on Misconduct policy.

Back to top


Non-Disclosure Agreement: Non-Disclosure Agreements (NDAs) have many titles: Confidentiality Agreements, Proprietary Information Agreements, Secrecy Agreements, and the like. No matter its title, an NDA is a binding contract, commonly used when two or more parties wish to enter into discussions about specific confidential processes, methods or technology, to consider a potential, future or current relationship, and to agree to restrict the usage and additional disclosure of the shared information, knowledge, or materials., and between universities and industry while exploring potential research partnership opportunities. A non-disclosure agreement (NDA) is a signed formal agreement in which one party agrees to give a second party confidential information, such as about its technology, ongoing or planned projects, business or products, and the second party agrees not to share this information with anyone else for a specified period of time. Non-disclosure agreements are common in technology companies where products are sometimes jointly developed.

Back to top


Open Access (OSTP Policy): In February 2013, the United States Office of Science and Technology Policy (OSTP) issued a Memorandum directing federal agencies with over $100M in annual R&D expenditures to develop plans to provide increased public (a/k/a “open”) access to the results of federally funded research. The OSTP policy requires that grant recipients whose research results are published in peer-reviewed journals submit the final, accepted manuscript of such articles to the federal granting agency or a designated repository upon acceptance of the article for publication or the final published version if approved by the publisher. Articles are to be made freely, publicly available following an agency-determined embargo period, with agencies commonly calling for a 12-month embargo period. Agency public access plans, initially voluntary programs, are expected to be made mandatory for more and more agencies, eventually all agencies. Other major outside funding sources such as foundations have supported open access for their funded data generation in research.

Back to top


Personal Data: are data which relate to a living person who can be identified from the data and other information that could potentially identify that person, it may be of a financial or medical nature or be the person's name, address or social security number. If medical in nature the information may need to be treated in accordance with HIPAA. When such data is used in as research data special protections must be in place to protect the individuals' identity Personally Identifiable Information (PII): any information maintained by an agency, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.1 When allowing access to PII care should be taken that the data or combination of data elements when linked (i.e. taken in combination) do not allow the individual to be distinguished or traced.

    Examples of PII Data Principal Investigator: (PI): the individual officially responsible for the conduct of a sponsored project, or the individual officially responsible for the conduct of any funded project. On research projects the PI is usually a faculty member; on other types of awards, the PI may have an administrative appointment. The PI is always an investigator. Investigator 2 is defined as the principal investigator and any other person, regardless of their position or title, who is responsible for the design conduct, or reporting of a sponsored research award or proposal for such funding.

Privacy: The collection of PII and overall privacy of information are of concern to both the individual and the organization collecting the data. Treatment of PII is distinct as it needs to be collected, maintained, used, retained (stored) and destroyed in accordance with federal Privacy Act of 1974 (applicable only to Federal agencies this Act forms the statuary basis for Fair Information Practices ; as well as other federal laws and regulations. Privacy requires the adoption of internal policies and procedures which ensure that the data is kept secure and used for the purposes for which it was collected. Privacy requires that the individual who provides data is aware of their rights. Also see PII and Personal Data.

Privacy Board: A board that is established to review and approve requests for waivers or alterations of authorization in connection with a use or disclosure of protected health information as an alternative to obtaining such waivers or alterations from an Institutional Review Board. A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual’s privacy rights and related interests. The board must include at least one member who is not affiliated with the covered entity, is not affiliated with any entity conducting or sponsoring the research, and is not related to any person who is affiliated with any such entities. A Privacy Board cannot have any member participating in a review of any project in which the member has a conflict of interest.

Protocol: A document that describes the objective(s), design, methodology, statistical considerations, and organization of a trial. The protocol usually also gives the background and rationale for the trial, but these could be provided in other protocol-referenced documents. Throughout the ICH GCP Guideline, the term protocol refers to protocol and protocol amendments.

Protocol Amendment: A written description of a change (s) to or formal clarification of a protocol.

Protected Health Information (PHI) - see Data Classification

Public Access: See Open Access

Back to top



Record retention: The period of time a document(s) should be kept or retained, whether in electronic format or physical format. Retention period usually depends on the record type and the business, legal and compliance requirements associated with the record. Retention periods may be determined by both federal and state law.

Regulatory Authorities: Bodies having the power to regulate. In the ICH GCP guideline, the expression “Regulatory Authorities” includes the authorities that review submitted clinical data and those that conduct inspections. These bodies are sometimes referred to as competent authorities.

Research: a systematic investigation, study or experiment designed to develop or contribute to generalizable knowledge. The term encompasses basic and applied research (e.g., a published article, book, or book chapter) and product development (e.g., a diagnostic test or drug). The term includes any such activity for which sponsored funding is available such as a research grant, career development award, center grant, individual fellowship award, infrastructure award, institutional training grant, program project, research resources award, or other contractual mechanism.

Research data: Research data is factual material commonly retained, collected, observed or created by and accepted in the scientific community as necessary to validate research findings. Research data is irrespective of the format in which it is created.

Back to top


Security: “The procedural and technical measures required (a) to prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) to prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm” (Turn and Ware, 1976)

Selection Bias: This phenomenon occurs when data are more likely to be collected from one subset of the population than from a representative sample of the entire population. This can cause systematic differences between the characteristics of the individuals included in a study and the individuals not included.

Sensitive Human Subjects Data: Sensitive Human Subjects Data is defined as information that is protected against unwarranted disclosure. Access to sensitive data should be safeguarded. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. Sensitive Human Subjects Data includes all data, in its original and duplicate form, which contains: Sensitive data: Sensitive data may also include any information that is protected by institutional policy from unauthorized access. This information must be restricted to those with a legitimate business need for access. Examples of sensitive information may include, but are not limited to, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, financial donor information, information concerning select agents, system access passwords, information security records, and information file encryption keys.

Back to top




Vulnerable populations: Vulnerable Populations generally include the economically disadvantaged, racial and ethnic minorities, the uninsured, low income children, the elderly, the homeless, those with human immunodeficiency virus (HIV), prisoners and those with other chronic health conditions, including mental illness.

Back to top


Waiver of Authorization: The documentation that the covered entity obtains from a researcher or an IRB or a Privacy Board that states that the IRB or Privacy Board has waived or altered the Privacy Rule’s requirement that an individual must authorize a covered entity to use or disclose the individual’s protected health information for research purposes.

Back to top
1 Even of an organization determines that the information is not PII, the organization should still consider whether the information is sensitive or has organizational or individual risks associated with it and determine the appropriate protections. NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information PII :(April 2101). P. 2-1.

2 See the NIH Conflict of Interest Frequently Asked Questions (FAQ) at: