Skip to main content
University of Wisconsin–Madison

Guidance on Receiving Human Subjects Research Data from an External Entity

When are data-sharing agreements needed?

In order for an external entity to share individual level human subjects research data with UW-Madison, contractual agreements may be required by federal or state law or by external parties’ policies.  Even when not required by law or institutional policy, agreements are recommended because they establish terms and conditions to protect the interests of researchers and the institutions, and importantly, the confidentiality of the human subjects involved. Data sharing agreements cover a variety of important issues, including restrictions on permitted uses and further disclosures of data, authorship, attribution, warranties, confidentiality, liability, and intellectual property. The need for agreements stems from privacy laws (e.g. Health Information Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), General Data Protection Regulation (GDPR)), contractual obligations, and institutional policy requirements.   

While it is generally the responsibility of the providing institution to ensure the proper agreements are in place for the type of data shared, UW-Madison investigators should not accept individual-level human subjects research data from outside parties without an agreement when such agreement is required by law. An agreement may be required by law if the data you are receiving are covered by HIPAA, FERPA, or GDPR. Furthermore, the data may be covered by state laws, depending on the location of the providing entity. If you have questions about whether an agreement is legally required, you may contact your Dean’s Office or Research Administrator, Privacy Coordinator, Research and Sponsored Programs (RSP), or the Office of Legal Affairs for guidance.  

For the purposes of this guidance, we will focus on identifying when an agreement is needed per HIPAA, FERPA, and GDPR. To determine if an agreement is required per those regulations, you must first classify the data you will receive. See the section “When HIPAA applies” if the data you will receive includes individually identifiable health information and one of the following applies: (1) you or one of the study team members in your application to the IRB is employed by part of the UW-Madison Health Care Component or the UW-Madison/UW Health Affiliated Covered Entity or (2) the providing entity belongs to a covered entity and you are receiving the data as part of a collaboration with that entity. If that does not describe your situation, see the “When HIPAA does not apply” section. 

When HIPAA applies:

See the below to determine whether the data you will receive should be classified as De-identified Data, a Limited Data Set of Protected Health Information (LDS), or Protected Health Information (PHI) exceeding a LDS and what requirements apply for those types of datasets. Assistance determining the classification of your data can be obtained from your Privacy Coordinator.

If the data you will receive are classified as de-identified, a data-sharing agreement is not required for HIPAA compliance. 

Data is considered to be de-identified if the information does not identify an individual and there is no reasonable basis to believe it can be used to identify an individual. HIPAA allows information to be de-identified through the "Safe Harbor" method or the "Expert Determination" method. Safe Harbor de-identification is most common because it can often be achieved without the cost of arranging for a de-identification expert to become involved to review your data.

 Data may be deemed de-identified under the Safe Harbor method by removing all of the following identifiers relating to the individual or relatives, employers, or household members of the individual:

  1.   Names;
  2.   All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geographical codes;
  3.   All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4.   Telephone numbers;
  5.   Fax numbers;
  6.   Electronic mail addresses;
  7.    Social security numbers;
  8.    Medical record numbers;
  9.   Health plan beneficiary numbers;
  10.   Account numbers;
  11.   Certificate/license numbers;
  12.   Vehicle identifiers and serial numbers, including license plate numbers;
  13.   Device identifiers and serial numbers;
  14.   Web Universal Resource Locators (URLs);
  15.   Internet Protocol (IP) address numbers;
  16.   Biometric identifiers, including finger and voice prints;
  17.   Full face photographic images and any comparable images
  18.   Other unique numbers, characteristics, or codes, unless permitted by HIPAA.

 
 Keep in mind the following:

  • If the data or biospecimen contains dates of service or collection, they are not de-identified (see LDS below).
  • Dates more specific than year (e.g. month/year) are considered identifiers.
  • If data are fully de-identified as described above, they are no longer subject to HIPAA.
  • If the data provider will be removing all HIPAA identifiers from the dataset and assigning a code (which allows the data provider to re-identify the individuals) before sending it to you AND you will never have access to the code, the dataset you receive is considered de-identified as to you.

A LDS of PHI includes certain "limited identifiers" and MAY INCLUDE:

  1. Dates related to the individual, including dates of services (birth date, death date, admission date, discharge date, date of diagnostic services/imaging).
  2. Geographic information at the level of town or city, state and 5-digit zip code (but not street name or number, or 9-digit zip code). Whether a data set which includes other geocoding or other identifiers not listed may quality as a LDS will depend upon the circumstances. 9-digit zip codes and geocoding information which allow specificity of location to a “street” level may not be included in a LDS of PHI.
  3. Other unique numbers, characteristics, or codes not listed as direct identifiers.

 
 A LDS of PHI CANNOT INCLUDE the following identifiers of the individual or of relatives, employers, or household members of the individual:

  1.   Names
  2.   Postal address information, other than town or city, state, and 5-digit ZIP code
  3.   Telephone numbers
  4.   Fax numbers
  5.   Electronic mail addresses
  6.   Social security numbers
  7.   Medical record numbers
  8.   Health plan beneficiary numbers
  9.   Account numbers
  10.   Certificate/license numbers
  11.   Vehicle identifiers and serial numbers, including license plate numbers
  12.   Device identifiers and serial numbers
  13.   Web Universal Resource Locators (URLs)
  14.   Internet Protocol (IP) address numbers
  15.   Biometric identifiers, including finger and voice prints
  16.   Full face photographic images and any comparable images

 
If you will be receiving a LDS:

A LDS can be shared if either of the two apply: (1) HIPAA authorization or a waiver of authorization allowing the disclosure has been obtained, or (2) a Data Use Agreement (DUA) or other agreement containing the below provisions is in place.

 If entering into an agreement, it must: 

  • Establish the permitted uses and disclosures of the information by the recipient
  • Establish who is permitted to use or receive the information
  • Provide that the recipient will not use or further disclose the information other than as permitted by the agreement or as otherwise required by law
  • Require the recipient to use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the agreement 
  • Require the recipient report to the covered entity any use or disclosure of the information not provided for by its agreement  of which it becomes aware
  • Require the recipient to ensure that any agents to whom it provides the information agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information
  • Require the recipient not identify the information or contact the individuals.

 
If UW-Madison will be providing the agreement template, please see the Research and Sponsored Program’s (RSP) Data Transfer and Use Agreements page for the “DTUA-HIPAA Limited Data Set” template.

Even in cases when a DUA is not required by law, it is recommended, as a DUA may also establish terms and conditions to protect the interests of researchers and the institutions, and importantly, the confidentiality of the human subjects involved.  As mentioned earlier, data sharing agreements also cover a variety of important issues including restrictions on permitted uses and further disclosures of data, authorship, attribution, warranties, confidentiality, liability, and intellectual property.

If your dataset includes identifiers in excess of those allowed in a LDS, it is considered PHI exceeding a LDS.

If the dataset you will receive constitutes PHI exceeding a LDS, it must be disclosed to you for research purposes under one of the following conditions:

  • The data are disclosed with an individual’s authorization
  • A waiver of HIPAA authorization allowing the disclosure has been obtained.

 
Even in cases when not required by law, an agreement may still be recommended to establish terms and conditions to protect the interests of researchers and the institutions, and importantly, the confidentiality of the human subjects involved.  As mentioned earlier, data sharing agreements also cover a variety of important issues including restrictions on permitted uses and further disclosures of data, authorship, attribution, warranties, confidentiality, liability, and intellectual property.

If you have any questions about HIPAA requirements, please reach out to your HIPAA Privacy Coordinator. If UW-Madison will be providing the agreement template, please see the Research and Sponsored Program’s (RSP) Data Transfer and Use Agreements page for the “DTUA-HIPAA” template.

When HIPAA does not apply:

If the data you will receive are not subject to HIPAA, a data-sharing agreement may be required by law if the data are personally identifiable data subject to FERPA or personal data protected by GDPR.

FERPA applies to data from education records that are personally identifiable, meaning that the information can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information. Data subject to FERPA may include (but is not limited to):

  1. Student name
  2. ID number
  3. Class rosters or grade lists
  4. Place of birth
  5. Ethnicity
  6. Residency status
  7. Advisor’s name
  8. Class schedule
  9. Courses completed
  10. Grades
  11. Disciplinary records
  12. Student info displayed on a computer screen.

 
Please see the ED/SBS FERPA guidance and the Office of the Registrar for more information on whether FERPA applies to your data.

A written agreement is required when receiving personally identifiable information subject to FERPA, unless written consent from the individuals whose information is being obtained.

GDPR was drafted and passed by the European Union in 2018. The law imposes obligations onto organizations that process data related to individuals in the EU.  The concept of “processing” data is defined broadly by GDPR, and includes collecting, recording, organizing, structuring, storing, using, or erasing data. If you will work with data regarding human research subjects in the European Union, please contact RSP or the UW-Madison Office of Legal Affairs. For more information on GDPR, please see the IRB Guidance: GDPR and Research at UW.

FAQs about Data Classification

  • When are dates considered identifiers?
    • Under HIPAA, dates almost always constitute identifiers, including dates of service, dates of collection, and processing dates (unless they refer to year only). If the data you plan to receive will contain dates more specific than a year and you believe they may not be considered identifiers, please contact the HIPAA Privacy Officer for an official determination.
    • Dates may be considered identifiers per the Common Rule if they, on their own or in combination with any other variables, could potentially identify a subject. See the ED/SBS Guidance on Identifiability for more information.

     

  • Are initials identifiers under HIPAA? 
    • Initials are considered identifiers per the HIPAA Privacy Rule.

     

  • What should I do if I disagree with how the providing entity has classified the dataset or I determine a different agreement type should be used? 
    • Typically, we rely on the providing entity's determination of data classification. However, should there be disagreement, you may want to bring your HIPAA Privacy Coordinator, IRB staff, or Dean’s Office or Research Administrator into the conversation.

What type of agreement do I need?

When receiving data from an external entity, that entity typically drives the format and choice of template of the agreement, though UW-Madison templates are available in the event an external entity does not propose an agreement. 

The data-providing institution typically determines which type of agreement(s) and which template(s) will be used. These agreements may go by a variety of names, such as Data Transfer and Use Agreements, Data Use Agreements, Data Transfer Agreements, Data Terms of Use Agreements, and Data Release Agreements. It is also possible that other types of agreements such as Material Transfer Agreements, Clinical Trials Agreements, and Sponsored Research Agreements may contain provisions related to providing and receiving data.

As mentioned above, if UW-Madison will be providing the agreement template, please see the Research and Sponsored Program’s (RSP) Data Transfer and Use Agreements page.

What is the process for entering into an agreement to receive external data?

The process for obtaining an agreement may differ depending on your department, division, school or college. In general, agreements are reviewed by your Research Administrator or Dean’s Office then routed to RSP using WISPER.  Depending on the complexity of your data-receiving agreement and any subsequent plans to further share the data, consultation with additional offices may be necessary.

See the below list for initial contact information for your unit.

Contacts are listed by unit. Some links will direct you to the RSP "College and School Research Contacts" page, which can be used to find your unit's Division & Dean's Office Pre-Award Contact or Departmental Research Administrator.

Business
Division & Dean's Office Pre-Award Contact

CALS
Division & Dean's Office Pre-Award Contact

Continuing Studies
Division & Dean's Office Pre-Award Contact

Education
Division & Dean's Office Pre-Award Contact (for WCER, contact James Lyne)

Engineering
Departmental Research Administrator Contact

Human Ecology
Division & Dean's Office Pre-Award Contact

International Division
Division & Dean's Office Pre-Award Contact

Law School
Division & Dean's Office Pre-Award Contact

L&S
Technology Transfer Specialist

Nelson Institute
Assistant Dean for Administration 

Nursing
Division & Dean's Office Pre-Award Contact

OVCRGE
Center Research Administrator

Pharmacy
Division & Dean's Office Pre-Award Contact

SMPH
Contact Ben Tiller (BCTiller@wisc.edu) or Andy Chen (IChen23@wisc.edu) for a link to the SMPH DUA tool

Veterinary Medicine
Division & Dean's Office Pre-Award Contact

WSLH
Finance Administrator

Who can sign an agreement for receiving data?

Only authorized signatories (e.g. authorized individuals at RSP or Purchasing Services) have the authority to sign contractual agreements on behalf of the university. Deans, Center Directors, Department Chairs, and Principal Investigators do not generally have this authority. If you personally sign an agreement, you may lose the legal protections offered by the University. 

Some agreements include a signature block for a “data recipient.” Although you, as an investigator, may be receiving the data, UW-Madison is ultimately the recipient of the data. If there are multiple signature lines in an agreement, please consult with your Dean’s Office or Research Administrator to determine if it is appropriate for you to sign in addition to the authorized signatory.

What do I need to do once I’ve obtained an agreement? 

Once the agreement has been executed, it is the responsibility of the Principal Investigator to ensure compliance with the agreed upon terms and conditions.

Where can I store the incoming data?

Data from an external entity that will be used for human subjects research must be used and stored in line with the IRB-approved study protocols. It is best to be as flexible as possible in your protocol when describing your data use and storage. If you plan to modify your data storage from what is written in the application to the IRB or in an approved study protocol, a Change of Protocol may need to be submitted prior to making that change. If you are unsure whether a Change of Protocol is needed, please consult with the appropriate IRB office. 

The appropriate storage location for the data depends on the type of data you are receiving. The UW Data Storage Finder tool can be used to determine which data storage services are available for your particular use case.

To store incoming data using a tool not identified in the Data Storage Finder, additional actions may be needed. For data subject to HIPAA (i.e. PHI), investigators should request a Joint Security and Privacy Review (JSPR) to evaluate their storage proposal. This is because the HIPAA Security Rule requires validation of storage mechanisms to ensure that the appropriate security controls are in place. 

If you would like to purchase a data storage technology that is not already available through UW-Madison, you may submit a Request to Procure (email grc-cybersecurity@cio.wisc.edu) and the Office of Cybersecurity will complete a general  security check prior to its purchase to ensure that technology is a viable option; however, investigators are encouraged to use existing licensed/vetted/supported storage options wherever possible to limit the need for review of or purchases of additional potentially-redundant technologies given the existing menu of storage options available to the campus community. If the purchase of a new technology is deemed necessary and the proposed tool has passed muster with the Office of Cybersecurity through its general review process, the Office of Cybersecurity will need to conduct a follow-up risk assessment to ensure the tool can be securely implemented for use at UW-Madison after its acquisition.

For questions about storing data covered by HIPAA, please contact your respective HIPAA Security Coordinator. If you have questions about storing data covered by HIPAA but are not employed by a unit that is part of the Health Care Component (Non-HCC), please reach out to the Campus HIPAA Security Officer.

IRB Considerations

When data from an external entity will be used in human subjects research, the receipt of the data, the type of information included in the data, and how it will be used and stored should be described in the study protocol submitted to the IRB. It is critical that your descriptions of the data in the protocol and any contractual agreement(s) under which it will be obtained are consistent with the data you will receive because the classification of the data may impact the type of review your study undergoes and the regulations that apply to your research. The IRB may ask to see your data-sharing agreement(s) to ensure the details about the data are consistent with what has been described in the application to the IRB and study protocol. 

If at any point, it is determined that  the data was incorrectly classified, the agreement, IRB application, and/or study protocol  must be amended. For questions, please consult with the appropriate IRB office (ED/SBS IRB, HS IRB, or external IRB), RSP, or the Office of Legal Affairs.

I'm new faculty--What is the process for transferring human subjects research studies to UW-Madison from another institution?

Institutions differ in their processes and requirements for transferring projects and associated data, so you will need to check in with your previous institution to initiate the transfer. Typically, the providing institution drafts the sharing agreement, but RSP can recommend an agreement if your previous institution does not have one. A Material Transfer Agreement may also be needed if specimens will be shared in addition to data.

During this process, you may need to work with the following at UW-Madison:

  • Your Dean’s Office or Departmental Research Administrator
    • They will be your UW-Madison point of contact for data transfer and use agreements and transferring funding, if applicable.

     

  • Office of Cybersecurity or Department IT
    • As mentioned above in the “Where can I store the incoming data?” section, these offices will assist you in securely transferring and storing your research data. 

     

  • UW-Madison IRB office
    • If you are transferring oversight of a study to a UW-Madison IRB, you will need to submit an application in ARROW and indicate that you will be transferring the study from another institution. 

     

  • Reliance and Navigation Team (RELIANT)
    • If investigators at your previous institution will remain engaged in the research and UW-Madison will serve as the Reviewing IRB for those collaborators, notify RELIANT (irbreliance@wisc.edu) to ensure reliance agreements are in place.
    • If IRB oversight will remain with another institution, work with RELIANT (irbreliance@wisc.edu) to ensure reliance agreements are in place, as appropriate. You should also check in with the Reviewing IRB, as an amendment to the protocol may be needed to address changes such as location of investigator(s), new data collection site, sharing of data, etc. with a new institution. 

Best Practices for an Efficient Process

The amount of time needed to fully execute a contractual agreement depends on many factors, including the type and number of institutions involved, the type of data being shared, and whether consultation with other offices or entities is needed.

If you plan to further share the data you receive, you will need to ensure the agreement contains language that allows you to do so. It is recommended you develop a sharing plan at the time of protocol development, and ensure any consent and/or authorization forms address potential future data-sharing. It is recommended to avoid language that overly restricts possible sharing (e.g. statements such as “only the research team will have access to the data”). For studies approved through UW IRBs, it is highly recommended that you use the consent form templates, as the language in the templates was drafted to comply with human subjects protections while also maximizing opportunities for data-sharing. 

Ensure review efficiency by providing contract reviewers and consultants with information up front. When applicable, provide copies of any approved informed consent and/or HIPAA authorization forms; any existing contracts related to the receipt, collection, or use of the data; and the scope of work for the research, outlining what you plan to do with the data. Reviewers may ask for additional information or documentation to ensure the data sharing agreement terms and conditions are appropriate and meet all necessary requirements. 

If you are working with multiple entities in a collaborative nature (e.g. multisite study, consortium, network), it is recommended that data sharing be addressed in the underlying collaboration agreement, if possible, rather than through separate data-sharing agreements. This helps ensure efficient sharing of data and may eliminate the need for additional data-sharing agreements.

Who else may be involved in the process?

You may need to consult with several offices or resources on campus to during this process, including: