Please note, we cannot begin to process your agreement until this form is completed.
Any questions, please contact Walid Jalabi at 216.368.2151 or
Please email this form to or fax to 216.368.0196
Is Data being Received or Provided?
Received (1-way transfer)
Provided (1-way transfer)
Both Received and Provided (2-way transfer)
Multiple Locations Receiving/Sending Data Other (Multisite study)
Contact Email:
PI/Investigator Name:
Campus Address:
How do you prefer to be contacted?
Contact Name:
Organization Name:
Contact Name Title:
Contact Phone:
Is Contact an Investigator or Administrator?
If CWRU is receiving the Data, has the other party provided the DUA? If they have, please forward the DUA to
our attention (along with this review form). If they don't have a DUA, CWRU can provide the DUA template.
YES (please forward DUA to our attention)
CWRU will need to provide the DUA template
Not applicable (CWRU is providing data)
Please describe the Data/Data Set to be received or provided (please be thorough)?
*If you need more space, feel free to send in another format (PDF,Word Doc, etc.).
*If the Data/Data Set is human derived, please list all identifiable variables and/or information being received or provided.
Does the Data/Data Set contain any of the following? (Click ALL that apply)
Is the Data/Data Set completely de-identified? In order to qualify as completely de-identified, there must be
no actual knowledge that the information to be shared could be used alone or in combination with other
information to identify an individual.
Data from human subjects research
Protected Health Information (PHI)
Education records
Information protected by law or policy
Proprietary data of CWRU
Data from sponsored research project
I don't know. Can you help me?
NO (The data contains unique identifiers and constitutes a Limited Data Set (LDS), as defined by HIPAA)
NO (The data is Protected Health Information (PHI), and is NOT De-Identified or Limited Data Set (LDS))
I don't know. Can you help me?
*If you have questions about LDS vs. de-identified data, please see the definitions at the end of this form.
HIPAA Protected Data
Personal Identifying Information (PII)
Restricted Information
Proprietary Personally Identifiable Data
Data from a 3rd Party
PI wishes to restrict use of Data
None of the above
For what purpose is CWRU receiving or providing the Data/Data Set? Please provide the research purpose(s).
Please be thorough. If you need more space, feel free to provide the purpose in another format (PDF, Word Doc, etc.)
Have you received IRB Approval for this transfer (CWRU IRB or UH IRB)?
YES (Please attach a copy of the IRB protocol and informed consent document that permits this transfer)
Currently in the process of approval
I don't know. Am I supposed to? Can you help?
Do you have a data security plan in place that has been developed or approved by the IT Security Office?
Is there any contract or grant or sponsored research or service agreement that may restrict you from
sending the Data/Data Set out?
I don't know. I will check and let you know.
Let's discuss.
Maybe? Can you help?
Not applicable (CWRU is Receiving Data)
Are you allowed to share this Data/Data Set?
I think? Let me check.
I don't know. Can you help?
Not applicable (CWRU is Receiving Data)
Not yet. The data security plan is being worked on.
I don't know. Am I supposed to? Can you help?
How will the Data/Data Set be transferred? Please describe.
How will the Data/Data Set be stored and secured? Please describe your data security plan.
Will any other CWRU personnel have access to the Data/Data Set?
If Yes, who and how will they be informed of their responsibilities under the DUA?
If receiving the data, which CWRU Investigator will have primary responsibility for the Data?
If providing the Data, which Investigator at the outside institution will have primary responsibility for the Data?
When will CWRU or outside entity be finished with the Data/Data Set (date or years)?
What is the source of funding for the project using the Data or that was used to collect the Data?
*If you don't want to PRINT, we encourage and accept digital signatures.
Is there anything else that we should be aware of?
Thank you for filling out our DUA
review form. We will contact you if
we have any additional questions.
What is a Limited Data Set?
A Limited Data Set is a limited set of identifiable patient information as defined in the Privacy Regulations
issued under the Health Insurance Portability and Accountability Act, better known as “HIPAA”. A “limited
data set” of information may be disclosed to an outside party without a patient’s authorization if certain
conditions are met. First, the purpose of the disclosure may only be for research, public health or health
care operations. Second, the person receiving the information must sign a data use agreement with CWRU.
A “limited data set” is information from which “facial” identifiers have been removed. Specifically,
as it relates to the individual or his or her relatives, employers or household members, all the
following identifiers must be removed in order for health information to be a “limited data set”:
street addresses (other than town, city, state and zip code);
telephone numbers;
fax numbers;
e-mail addresses;
Social Security numbers;
medical records numbers;
health plan beneficiary numbers;
account numbers;
certificate license numbers;
vehicle identifiers and serial numbers, including license plates;
device identifiers and serial numbers;
IP address numbers;
biometric identifiers (including finger and voice prints); and
full face photos (or comparable images).
The health information that may remain in the information disclosed includes:
dates such as admission, discharge, service, DOB, DOD;
city, state, five digit or more zip code; and
ages in years, months or days or hours.
It is important to note that this information is still protected health information or “PHI” under HIPAA. It is not
de-identified information and is still subject to the requirements of the Privacy Regulations.
What is a De-Identified Data Set?
Identifiers That Must Be Removed to Make Health Information De-Identified:
(i) The following identifiers of the individual or of relatives, employers or household members of the
individual must be removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip
code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial
digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000
or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including
date, admission date, discharge date, date of death; and all ages over 89 and all elements of
dates (including year) indicative of such age, except that such ages and elements may be
aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code; and
(ii) The covered entity does not have actual knowledge that the information could be
used alone or in combination with other information to identify an individual who is a
subject of the information.