University of Wisconsin–Madison

Guidance on External Sharing of Human Subjects Research Data

This guidance provides information about sharing individual-level human subjects research data with outside parties. It does not cover situations such as the sharing of aggregate data within publications. This guidance identifies when human subjects data can be shared; describes the various types of data-sharing agreements that may be necessary to comply with applicable laws, policies, or contractual agreements; and outlines the process for entering into data-sharing agreements when needed.

When are data-sharing agreements needed?
Is sharing permitted? 
What type of agreement do I need?
What is the process for obtaining an agreement?
What are my responsibilities?
What do I need to do once I’ve obtained an agreement?
What are approved methods for transferring data?
Best practices for an efficient process
Who else may be involved in the process?

When are data-sharing agreements needed?

Contractual agreements are required by law and/or UW-Madison policy in order to share individual-level human subjects research data. These agreements establish terms and conditions to protect the interests of researchers and the institution and, importantly, to protect the confidentiality of the human subjects involved. Data-sharing agreements cover a variety of important issues, including restrictions on permitted uses and further disclosures of data, authorship, attribution, warranties, confidentiality, liability, and intellectual property. The need for agreements stems from privacy laws (e.g. HIPAA, FERPA, GDPR), contractual obligations, and institutional policy requirements (including UW-Madison's Policy on Research Data Stewardship, Access, and Retention).

The specific type of agreement needed varies based on the nature of the data. Of note, only authorized signatories (e.g. authorized individuals at Research and Sponsored Programs, RSP) have the authority to sign contractual agreements on behalf of the university. Deans, Center Directors, Department Chairs, and Principal Investigators do not generally have this authority.

Clinical Trials Agreements, Material Transfer Agreements (MTAs), Consortium Agreements, or Sponsored Research Agreements may already contain the provisions needed for data sharing. However, they often do not, particularly when multiple parties are involved. Providing your research administrators up front with information about all parties with whom data may be shared helps ensure the necessary data-sharing language is included in agreements early on.

Is data-sharing permitted?

To determine if sharing is permitted, you must ask the two questions below:

Is sharing legally permitted under the relevant research protocol(s)?

Various mechanisms can address legal requirements needed for data-sharing:

  • Signed informed consent/assent forms and HIPAA authorization forms
  • Waivers of informed consent and waivers of HIPAA authorization
  • Data-sharing agreements

Your IRB-approved application/protocol ("protocol") and corresponding consent/assent ("consent") and/or authorization form (or waivers thereof) must allow for the sharing of the data. Additionally, the intended sharing must align with the way you describe the data-sharing in the protocol, consent, and HIPAA authorization. If you are uncertain whether the intended sharing is permitted for your study, please consult with the appropriate IRB office (ED/SBS IRB or HS IRBs). If your study, as approved by your reviewing IRB, does not account for the data-sharing, you must seek a Change of Protocol prior to sharing any data. For this reason, when drafting your research materials, it is important to consider future uses of data and to draft them with sharing in mind and with language that allows for flexibility.

Are there contractual limitations on sharing your data? 

Even if the data you would like to share can be shared per your approved study materials, if the data originated outside UW-Madison or in connection with sponsored research, contractual limits may impact your ability to share the data. Any contracts covering the acquisition of the data need to be reviewed to determine if further sharing is permitted. If you are uncertain about whether the existing contract allows for your intended sharing, your Dean's Office or Research Administrator can assist in interpreting the contract language.

If data-sharing is not allowed per the applicable contracts, you will need to seek approval from the other party or parties to the contract. Your Dean’s Office or Research Administrator can assist in renegotiating the terms of the agreement to obtain permission for data-sharing.

Please be aware that even when data-sharing is permitted by an existing contract, the contract may obligate you to notify the other party or parties or to transfer the data in a particular way, so you will need to review the contract closely to ensure you comply with all of its provisions.

What type of agreement do I need?

There are various types of agreements that may need to be used. The type of agreement needed is largely driven by the classification of the data that you wish to share. Misclassifying the data set can lead to significant delays, so it is important to reach out to your reviewing IRB, your HIPAA Privacy Coordinator, your Dean’s Office, or your Research Administrator if you have questions. 

To classify your data, first consider which laws or regulations apply to your data. The Health Insurance Portability and Accountability Act (known as "HIPAA") applies if the data include individually identifiable health information and you or one of the study team members in your IRB-approved research protocol is employed by part of the UW-Madison Health Care Component or the UW-Madison/UW Health Affiliated Covered Entity.

When HIPAA applies, you will also need to determine whether your data should be classified as De-identified Data, a Limited Data Set of Protected Health Information, or Protected Health Information (see below). Assistance determining the classification of your data can be obtained from your Privacy Coordinator.

When HIPAA does not apply to your data, your data can often be classified as identifiable private information, de-identified data, data subject to the Family Educational Rights and Privacy Act (FERPA), or data subject to the General Data Protection Regulation (GDPR) of the European Union (if your data include information about human subjects located in the EU). Assistance determining the classification of your data can be obtained from your IRB office.

Data are considered de-identified if the information does not identify an individual and there is no reasonable basis to believe it can be used to identify an individual. HIPAA allows information to be de-identified through the "Safe Harbor" method or the "Expert Determination" method. Safe Harbor de-identification is most common because it can usually be achieved without the cost of engaging a de-identification expert to review your data.

Data may be deemed de-identified under the Safe Harbor method by removing all of the following identifiers relating to the individual or relatives, employers, or household members of the individual:

  1. Names;
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geographical codes;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Other unique numbers, characteristics, or codes, unless permitted by HIPAA.

Keep in mind the following:

    • If the data or biospecimen contains dates of service or collection, they are not de-identified (see LDS below).
    • Dates more specific than year (e.g. month/year) are considered identifiers. 
    • If data are fully de-identified as described above, they are no longer subject to HIPAA. 
    • If data are coded and the recipient will never have access to the code, then the data set is considered de-identified as to the recipient.

A limited data set (LDS) of PHI includes certain "limited identifiers" and MAY INCLUDE:

  1. Dates related to the individual, including dates of services (birth date, death date, admission date, discharge date, date of diagnostic services/imaging).
  2. Geographic information at the level of town or city, state, and 5-digit ZIP code (but not street name or number, or 9-digit ZIP code). Whether a data set that includes other geocoding or other identifiers not listed may qualify as an LDS will depend upon the circumstances. 9-digit ZIP codes and geocoding information that allow specificity of location to a "street" level may not be included in an LDS of PHI.
  3. Other unique numbers, characteristics, or codes not listed as direct identifiers.

An LDS of PHI CANNOT INCLUDE the following identifiers of the individual or of relatives, employers, or household members of the individual:

  1. Names;
  2. Postal address information, other than town or city, state, and ZIP code;
  3. Telephone numbers;
  4. Fax numbers;
  5. Electronic mail addresses;
  6. Social security numbers;
  7. Medical record numbers;
  8. Health plan beneficiary numbers;
  9. Account numbers;
  10. Certificate/license numbers;
  11. Vehicle identifiers and serial numbers, including license plate numbers;
  12. Device identifiers and serial numbers;
  13. Web Universal Resource Locators (URLs);
  14. Internet Protocol (IP) address numbers;
  15. Biometric identifiers, including finger and voice prints;
  16. Full face photographic images and any comparable images

If your data set includes identifiers in excess of those allowed in an LDS, it is considered PHI exceeding an LDS. PHI exceeding an LDS may be disclosed for research purposes with an individual's authorization, pursuant to a waiver of HIPAA authorization, or for research on decedents' information. If PHI exceeding an LDS is disclosed under a waiver of authorization, a log must be kept to record the disclosures so that the covered entity can provide an accounting of disclosures.

PHI exceeding an LDS is typically not shared except in the context of a Business Associate relationship (see below) or for a multisite research study where both sites need PHI to conduct study procedures (for example, when subjects are enrolled at UW-Madison but another site is contacting the subjects to gather survey data after a procedure). You should remove identifiers from your data set when possible so that it constitutes an LDS or a de-identified data set, in order to reduce the risk level of the data and reduce the number of compliance steps that need to be addressed.
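As an added example (not part of the UW-Madison guidance), the following Python script applies the Safe Harbor identifier list and the LDS rules above to a flat record: it classifies the record as PHI exceeding an LDS, an LDS, or de-identified, and derives the LDS and Safe Harbor views the guidance recommends working toward (dates reduced to year, geography below state level dropped, ages over 89 collapsed into "90+", direct identifiers removed). It also replaces the medical record number with a keyed study code, which illustrates the coded-data rule discussed later on this page: the code is only de-identified as to a recipient who never receives the key. The column names, the sample record, the key, and the keyed-hash construction are this example's assumptions; the official classification of a real data set remains a determination for your Privacy Coordinator.

```python
# Added example, not part of the UW-Madison guidance. Column names, the
# sample record and the study key are constructed for illustration.
import hashlib
import hmac
import re
from datetime import date

# Direct identifiers that neither Safe Harbor nor an LDS may contain
# (names/initials, street address, contact details, record and account
# numbers, device/vehicle identifiers, URLs, IP addresses, biometrics,
# face images). The column names are an assumption of this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "initials", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
})
# Elements an LDS may keep but Safe Harbor must coarsen (dates -> year only)
# or drop (any geography below state level).
DATE_COLUMNS = frozenset({"birth_date", "death_date", "admission_date",
                          "discharge_date", "service_date"})
GEO_COLUMNS = frozenset({"city", "county", "zip"})
ZIP5 = re.compile(r"^\d{5}$")


def classify(record: dict) -> str:
    """Return 'phi' (exceeds an LDS), 'lds', or 'de-identified'."""
    cols = set(record)
    if cols & DIRECT_IDENTIFIERS:
        return "phi"
    zip_code = str(record.get("zip", ""))
    if zip_code and not ZIP5.match(zip_code):   # 9-digit ZIP is street level
        return "phi"
    if cols & (DATE_COLUMNS | GEO_COLUMNS):     # full dates / city / ZIP5
        return "lds"
    age = record.get("age")
    if isinstance(age, int) and age > 89:       # ages over 89 are identifiers
        return "lds"
    return "de-identified"


def study_code(mrn: str, study_key: bytes) -> str:
    """Keyed code standing in for the MRN. The UW study team keeps study_key;
    a recipient who never receives it cannot reverse the code. (Keyed hashing
    is this example's choice, not something the guidance prescribes.)"""
    return hmac.new(study_key, mrn.encode(), hashlib.sha256).hexdigest()


def limited_data_set(record: dict, study_key: bytes) -> dict:
    """Drop direct identifiers, truncate ZIP to 5 digits, keep full dates
    and city/state, and replace the MRN with a study code."""
    out = {}
    for col, val in record.items():
        if col == "mrn":
            out["study_code"] = study_code(str(val), study_key)
        elif col in DIRECT_IDENTIFIERS:
            continue
        elif col == "zip":
            out["zip"] = str(val)[:5]
        else:
            out[col] = val
    return out


def safe_harbor_view(record: dict, study_key: bytes) -> dict:
    """Reduce a record to Safe Harbor: start from the LDS, drop geography,
    keep only the year of each date, and collapse ages over 89 into '90+'."""
    out = {}
    for col, val in limited_data_set(record, study_key).items():
        if col in GEO_COLUMNS:
            continue
        if col in DATE_COLUMNS:
            out[col.replace("_date", "_year")] = val.year
        elif col == "age":
            out["age"] = "90+" if val > 89 else val
        else:
            out[col] = val
    if out.get("age") == "90+":
        out.pop("birth_year", None)  # a birth year would reveal an age over 89
    return out


# Constructed sample record (not real data) and a constructed key.
STUDY_KEY = b"constructed-key-kept-by-the-uw-study-team"
SAMPLE_PHI = {
    "mrn": "00123456",
    "name": "Jane Doe",
    "birth_date": date(1931, 4, 2),
    "admission_date": date(2023, 6, 14),
    "age": 92,
    "city": "Madison",
    "state": "WI",
    "zip": "53706-1234",
    "diagnosis": "I10",
}

if __name__ == "__main__":
    for label, rec in (("original", SAMPLE_PHI),
                       ("lds", limited_data_set(SAMPLE_PHI, STUDY_KEY)),
                       ("safe harbor", safe_harbor_view(SAMPLE_PHI, STUDY_KEY))):
        print(f"{label:12s} -> {classify(rec)}: {rec}")
```

Coarsening (year instead of date, "90+" instead of 92) rather than deleting is what keeps the Safe Harbor view useful to the recipient while removing the elements the list names; the ZIP is dropped entirely in that view because the list above treats every geographic subdivision smaller than a state as an identifier. The study code lets the UW team re-link records later, but the key must stay behind, since the recipient's data set is only de-identified as long as they can never obtain it.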

Contact the HIPAA Privacy Officer, your HIPAA Privacy Coordinator, or the SMPH Honest Broker for assistance in reducing the identifiers in your data set or if you hope to share a data set containing direct identifiers. It is highly recommended that you do this prior to IRB review, if possible.

Please note: HIPAA does not apply to individually identifiable health information in employment/personnel records (which are protected under confidentiality provisions of the Americans with Disabilities Act, known as "ADA") or to student education records covered by the Family Educational Rights and Privacy Act (FERPA). If your data are more appropriately classified as employment records or education records, please see the applicable section below. 

Data are individually identifiable per the Federal Policy for the Protection of Human Subjects (codified at 45 CFR part 46, and known as the "Common Rule") when the identity of a subject is, or may be, readily ascertained by the investigator or associated with the information.

A data set may be identifiable under the Common Rule if it contains:

  1. Initials
  2. Address
  3. Zip code
  4. Phone number
  5. Birth date
  6. Occupation
  7. Employer
  8. Date of sample
  9. Type of biopsy performed
  10. Diagnosis
  11. Primary care physician
  12. Referring physician
  13. Genealogy (may be an identifier if working with a small subject population)

Additionally, age, ethnicity/race, and gender may be identifiers if fewer than 5 individuals possess a particular cluster of traits. 

Overall, data may be identifiable if any combination of variables could potentially identify a subject. If your data include personally identifiable information from education records, it may be more appropriately categorized as data covered by FERPA (see below). 

De-identified data sets do not contain direct or indirect identifiers, such as those listed above for identifiable private information. Please note that a data set may be considered identifiable if your sample size is small, if few subjects share a cluster of traits, if free-text notes (such as transcripts of interviews) are included, or if the data will be combined with other data sets. If any of those factors apply to your data set, the IRB office can assist you with appropriately classifying your data.

FERPA applies to data from education records that are personally identifiable, meaning that the information can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information. Data subject to FERPA may include (but is not limited to):

  1. Student name
  2. ID number
  3. Class rosters or grade lists
  4. Place of birth
  5. Ethnicity
  6. Residency status
  7. Advisor’s name
  8. Class schedule
  9. Courses completed
  10. Grades
  11. Disciplinary records
  12. Student information displayed on a computer screen

Please see the ED/SBS FERPA guidance and the Office of the Registrar for more information on whether FERPA applies to your data.

The GDPR was adopted by the European Union in 2016 and has applied since May 2018. The law imposes obligations on organizations that process data relating to individuals in the EU. GDPR defines "processing" broadly; it includes collecting, recording, organizing, structuring, storing, using, or erasing data. If you work with data regarding human research subjects in the European Union, please contact RSP or the UW-Madison Office of Legal Affairs.

When are dates considered identifiers?

Under HIPAA, dates almost always constitute identifiers, including dates of service, dates of collection, and processing dates (unless they refer to year only). If the data you plan to share contains dates more specific than a year and you believe they may not be considered identifiers, please contact the HIPAA Privacy Officer to make an official determination. 

Dates may be considered identifiers per the Common Rule if they, on their own or in combination with any other variables, could potentially identify a subject. See the ED/SBS Guidance on Identifiability for more information. 

Are initials identifiers under HIPAA? 

Initials are considered identifiers per the HIPAA Privacy Rule. 

What if my data are coded? 

If you have coded a dataset that otherwise constitutes PHI or an LDS of PHI under HIPAA, the data can be considered de-identified as to the recipient if the recipient does not have access to the code and will never have access to the code. 

What should I do if the receiving entity disagrees with how we’ve classified the data set or determines a different agreement type should be used?

Typically, receiving entities rely on our determination of data classification. However, should there be disagreement with the recipient institution, you may want to involve UW HIPAA or IRB personnel in the conversation.

Agreement Types

Once data are classified, you can determine which agreement type is appropriate. The following provides information on the various agreements and when they would be used.

A Data Use Agreement (DUA) is the agreement HIPAA requires before a covered entity discloses an LDS of PHI. A DUA must be executed prior to the disclosure and must:

  • Establish the permitted uses and disclosures of the information by the recipient
  • Establish who is permitted to use or receive the information
  • Provide that the recipient will not use or further disclose the information other than as permitted by the DUA or as otherwise required by law
  • Require the recipient to use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the DUA
  • Require the recipient to report to the covered entity any use or disclosure of the information not provided for by its DUA of which it becomes aware
  • Require the recipient to ensure that any agents to whom it provides the information agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information
  • Require the recipient not to identify the information or contact the individuals.

 

HIPAA authorization or a waiver of authorization is not required by HIPAA if a DUA containing the above provisions is in place. Conversely, per HIPAA, an LDS of PHI can be shared without a DUA if an authorization or a waiver of authorization allowing for the disclosure is obtained. However, to protect researchers, their data, and the institution (for example, with respect to ownership, authorship, and data security) and to comply with UW-Madison policy, a DUA should still be executed even when authorization from subjects or a waiver of authorization has been obtained. Of note, disclosures of Limited Data Sets are not subject to HIPAA accounting-of-disclosures requirements.

Please see RSP’s Data Transfer and Use Agreements page for a DTUA-HIPAA Limited Data Set template.

Business Associate Agreements (BAAs) may be necessary for studies involving data subject to HIPAA if a third party is providing services on the covered entity's behalf in the course of the research and will have access to PHI (e.g., a commercial laboratory that processes samples on behalf of the researcher, or a direct-mail company that uses PHI to prepare and mail research recruitment letters on behalf of a study team). HIPAA authorization is not needed in order to execute a BAA. If a third party is creating an LDS from PHI for the third party's or another entity's use for research purposes, you may need both a BAA and a DUA. See the Office of Compliance's Business Associates page for more detailed information. When PHI is transferred to collaborators or sponsors who are part of a research project, this usually does not constitute a service requiring a BAA; see Data Transfer and Use Agreements below.

A Data Transfer and Use Agreement (DTUA), as used in this guidance, refers broadly to a data-sharing agreement that may be used to cover the transfer of the following types of data sets:

  • De-identified data
  • Identifiable private information (subject to Common Rule; not subject to HIPAA) (also referred to as personally identifiable information)
  • Personally identifiable data subject to FERPA
  • PHI exceeding an LDS (subject to HIPAA)

Of note, other institutions may use different names to refer to this type of agreement, such as Data Use Agreement, Data Sharing Agreement, Data Release Agreement, or Data Transfer Agreement. Please see the Research and Sponsored Program’s (RSP) DTUA templates to obtain a copy of the appropriate template for your data set.

 

If you are sharing materials, an MTA is typically needed. Often, materials are shared alongside data associated with those materials (for example, biospecimens labeled with dates of collection, which are identifiers under HIPAA). If you plan to share data alongside materials, data-sharing language may be able to be incorporated into the MTA. Please work with your Dean's Office or Research Administrator to determine if this is possible. For more information on MTAs, please see RSP's guidance regarding MTAs.

What is the process for obtaining an agreement to share data externally?

The process for obtaining an agreement may differ depending on your department, division, school or college. In general, agreements are reviewed by your Dean’s Office or Research Administrator then routed to RSP using WISPER. However, depending on the complexity of your situation, consultation with additional offices may be necessary. See the below list for initial contact information for your unit.

What are my responsibilities? 

Ultimately, the PI is responsible for ensuring the following:

  • Sharing is permitted per any third-party or sponsored research contracts, and any obligations agreed to in such contracts are met with regard to sharing (this may require looking back at existing contracts to confirm that the intended sharing is consistent with them). Please reach out to your Dean's Office/Research Administrator contact if you have any questions or need assistance.
  • Sharing is permitted per the approved research protocol, consent, and authorization -- or that the necessary waivers have been obtained. Please contact the appropriate IRB office if you need assistance in making these determinations.
  • The data have been accurately classified. If you need assistance, please contact your HIPAA Privacy Coordinator for studies subject to HIPAA or the appropriate IRB office for non-HIPAA studies.
  • The appropriate agreement type has been selected. If you need assistance, please work with your Dean’s Office or Research Administrator.
  • The data are transferred via a secure method. Please reach out to your IT office or the UW-Madison Office of Cybersecurity if you need assistance in determining a secure method of transfer.

 

The Dean’s Office/Research Administrator is responsible for:

  • Assisting the study team in determining the appropriate template for sharing
  • Initial review of the draft agreement
    • Confirming fields have been completed and appropriate documents are included, as applicable
    • Identifying potential considerations (e.g. school specific issues) that the school wants RSP to negotiate (this may be applicable if there are non-standard terms)
  • Working with the department on drafting terms, as appropriate 
  • Assisting with obtaining third party permission for sharing, if needed

 

RSP is responsible for:

  • Reviewing the terms and conditions of the agreement to ensure they are compatible with UW policy and applicable law 
  • Negotiating, when needed
  • Finalizing and executing the agreement with the recipient 
  • Acting as authorized institutional signatory*

*Investigators do not have the authority to sign the above agreements on behalf of UW-Madison. However, investigators are responsible for understanding and complying with the terms and conditions of the agreement. 

What is the role of the IRB?

  • The IRB is not responsible for ensuring you have a data sharing agreement. However, they may alert you of the need for a data sharing agreement during IRB review. Additionally, in order to make the appropriate regulatory determinations, the IRB may ask to see a draft or executed data sharing agreement before issuing effective approval of your IRB application.
  • If your study requires IRB approval, you should not share any data under an executed data sharing agreement until you have obtained IRB approval to do so.
  • It is the responsibility of the study team to ensure a Change of Protocol is submitted if the nature of the data or the data sharing changes after an IRB determination has been made.

What do I need to do once I’ve obtained an agreement? 

Once the agreement has been executed, it is the responsibility of the Principal Investigator to ensure compliance with the agreed upon terms and conditions.

What are approved methods for transferring data?

The method used for transferring the data depends on the classification of the data. 

Specifically, the HIPAA Security Rule requires the validation of transfer mechanisms to ensure that the appropriate security controls are in place. The currently approved tools for transferring PHI are listed in the Tools for Exchanging and Storing PHI document linked to on the HIPAA page. If you believe that another tool has been validated for use with PHI or would like to inquire about whether a new tool can be validated for use with PHI, please contact your security coordinator.

If your data is protected by FERPA or the Common Rule only, please work with your IT department or the Office of Cybersecurity to determine a secure method of transfer.

Best practices for an efficient process

The amount of time needed to fully execute a contractual agreement depends on many factors, including the type and number of institutions that will be involved, the type of data being shared, and whether consultation with other offices or entities is needed. 

The most important action you can take to promote an efficient process is to plan ahead. Develop a sharing plan at the time of protocol development, and ensure the consent form and/or authorization address any potential future sharing. It is recommended to avoid language that overly restricts possible sharing (e.g. statements such as “only the research team will have access to the data”). For studies approved through the Health Sciences IRBs, it is highly recommended that you use the consent form templates, as the language in the templates was drafted to comply with human subjects protections while also maximizing opportunities for data-sharing. 

Planning ahead can be especially important for complex situations, such as when UW-Madison is the data holder but not a contributing site or when a third party (such as a statistical/data center) is used for the transfer of samples/data. In situations such as those, it is important to alert your contract and data sharing agreement reviewers early on so that they can address IRB, HIPAA, and/or contractual obligations in the subawards or data sharing agreements.

Ensure review efficiency by providing reviewers and consultants with information up front. When applicable, provide copies of the approved informed consent form and/or HIPAA authorization; any existing contracts related to the receipt, collection, or use of the data; and the scope of work for any research collaboration, outlining what the entity receiving the data will do with it. Reviewers may ask for additional information or documentation to ensure the data sharing agreement terms and conditions are appropriate and meet all necessary requirements. 

Who else may be involved in the process?

You may need to work with several offices on campus to achieve your data-sharing goals, including: