Skip to main content

Data Use Agreement Fact Sheet

Download Fact Sheet
Download DUA Example

Purpose

Colorado Perinatal Care Quality Collaborative (CPCQC) is a non-profit perinatal quality improvement organization established in 1975 by Governor Richard Lamm to provide broad-based leadership in planning and coordinating statewide perinatal health care delivery. Since 2015, CPCQC has worked with hospitals across Colorado to implement perinatal quality improvement programming, which provides education, technical assistance, and data support to improve the quality of perinatal care in Colorado.

CPCQC programming is supported by grant funding from the Centers for Disease Control and Prevention (CDC), Health Resources and Services Administration (HRSA), American College of Obstetricians and Gynecologists (ACOG), Colorado Department of Public Health and Environment (CDPHE), and Colorado Behavioral Health Administration (BHA), among others.

As outlined in the Colorado Maternal Mortality Prevention Act: House Bill 19-1122 and reenacted through the Maternal Health Providers Act: Senate Bill 21-194, CDPHE must consult with CPCQC to develop and implement recommendations for clinical quality improvement approaches that could reduce the incidence of pregnancy-related deaths or maternal mortality or morbidity in prenatal, perinatal, and postnatal clinical settings and recommendations for how to spread best practices to clinical settings across the state.

As an organization, our goal is to improve perinatal safety, quality of care, and outcomes for women, birthing people, and infants. In furtherance of this goal, we have established a central repository of data provided by organizations’ voluntary participation to support and evaluate quality improvement initiatives on hospital processes and outcomes.

Purpose of this Data Use Agreement

To further our mission, we collect and analyze clinical data through a “Limited Data Set.” A “Limited Data Set” is a data set stripped of certain direct identifiers specified in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. For example, a Limited Data Set may NOT include directly identifying information (like name, SSN, or address). However, Limited Data Sets MAY include the following indirect identifiers:

  • Dates, such as admission, discharge, service, and date of birth (DOB)
  • City, state, and zip code (not street address)
  • Age
  • Any other unique code or identifier that is not listed as a direct identifier.

A Limited Data Set may be disclosed to an outside party without a patient’s authorization if certain conditions are met. First, the purpose of the disclosure may only be for research, public health, or healthcare operations. Second, the third party receiving the information must sign a Data Use Agreement (DUA). CPCQC meets these two conditions upon execution of this DUA.

The current DUA template has been used with many quality improvement initiatives and hospitals covering over 75% of Colorado births. The DUA’s purpose is to specify the data elements being collected from the hospital and how the data will be used by the CPCQC to improve healthcare quality while protecting individual patients and hospitals.

Compliance with HIPAA

Because a Limited Data Set is still Protected Health Information (PHI) under HIPAA, we safeguard and protect it in accordance with the HIPAA Privacy Rule. This means we will:

  • not use or disclose the data other than as permitted by the DUA or as otherwise required by law,
  • use appropriate safeguards to prevent uses or disclosures of the data that are inconsistent with the DUA,
  • report to the covered entity uses or disclosures that violate the DUA, of which we become aware,
  • ensure that any agents to whom we provide the information agree to the same restrictions and conditions that apply to us, with respect to such information, and
  • not re-identify the information or contact the individual.

Additional Protections of Patient and Hospital Confidentiality

Maintaining patient and hospital confidentiality is a major CPCQC priority. In addition to compliance with HIPAA, as outlined above, CPCQC implements the following protocols:

  • Secure data entry through REDCap: CPCQC offers data entry online via REDCap, a secure, password-protected, HIPAA-compliant data collection system. CPCQC creates login credentials for verified hospital contacts.
  • Secure hospital data reports viewed via a password-protected, HIPAA-compliant data analytics platform: CPCQC creates login credentials for verified hospital contacts. Hospital-specific reports are only accessed via this platform and never in emails or PDFs.
  • Discussion of hospital data and performance via Zoom for Healthcare, HIPAA-compliant teleconferencing software.
  • Privacy in Aggregate Reporting: CPCQC only presents hospital data to the public in aggregate reports, avoiding any form of individual hospital data exposure, unless given express permission in writing by the hospital to do so (generally for hospital-initiated promotional purposes to celebrate achievements). Public-facing reports contain only cohort averages across all participating hospitals, without identifying the data of specific hospitals.

Need a BAA?

CPCQC does not act as a “Business Associate” as defined by HIPAA. CPCQC functions as a collaborative partner and does not perform business associate functions on behalf of, or provide services to, Covered Entities. Your hospital’s participation in this initiative is without payment. No product exchanges are involved. As such, CPCQC exclusively executes DUAs and does not enter into Business Associate Agreements (BAAs).

DUA Revisions

The current DUA template has been used with many initiatives and hospitals covering over 75% of Colorado births. While CPCQC is open to considering minor DUA edits by hospitals, CPCQC is not willing to accept major changes to the DUA given the large number of participating hospitals.

Questions?

Please contact us if you have questions or need further assistance at info@cpcqc.org.

Return to the Knowledge Base