This Data Sharing Agreement (the “Agreement”) is entered into by and
between the Regents of the University of Michigan (the
“Provider”) and __________________________ (the “Recipient”).
This Agreement will become effective upon the date of the last
signature affixed below (the “Effective Date”).
WHEREAS, the Provider and Recipient desire to collaborate on a
research project entitled: ________________________________
for the following identified purpose(s):
WHEREAS, in performing activities of this collaboration, Provider
will disclose to Recipient certain identifiable Protected Health
WHEREAS Provider and Recipient wish to enter into this Data Sharing
Agreement for the purpose of addressing obligations arising from the
disclosure of Protected Health Information; for the following
in consideration of the foregoing, the parties agree as follows:
following terms are defined for purposes of this Agreement. Terms
used, but not otherwise defined in this Agreement, shall have the same
meaning as those terms in the Privacy Rule.
HIPAA means the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191.
Covered Entity: Per 45 CFR 160.103 (“Definitions”), is a
health plan, health care clearinghouse, or health care provider that
is subject to the standards, requirements, and implementation
specifications of the HIPAA Privacy Rule. Covered Entity in this
Agreement shall mean the Provider.
Individual: Per 45 CFR 160.103 (“Definitions”), is the
person who is the subject of protected health information and shall
include a person who qualifies as a personal representative in
accordance with 45 CFR 164.502(g).
Privacy Rule shall mean the Standards for Privacy of
Individually Identifiable Health Information at 45 CFR part 160 and
part 164, subparts A and E.
Protected Health Information or PHI: Per 45 CFR 160.103
(“Definitions”), means information, maintained or transmitted in
any form or medium, that: (i) relates to the past, present, or
future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual,
and (ii) identifies the individual or with respect to which there is
a reasonable basis to believe the information can be used to
identify the individual.
Required by Law: Per 45 CFR 164.103 (“Definitions”) means
a mandate contained in law that compels an entity to make a use or
disclosure of protected health information and that is enforceable
in a court of law.
Secretary shall mean the Secretary of the Department of
Health and Human Services or his designee.
OBLIGATIONS OF THE RECIPIENT
To not use or disclose Provider’s Protected Health Information in
any manner other than as permitted by this Agreement or as required
by applicable law.
To not contact or attempt to contact individuals whose data is
contained in Provider’s Protected Health Information for any
purpose not authorized by this Agreement.
To use appropriate administrative, technical, and physical
safeguards, including compliance with security provisions at 45 CFR
§§ 164.308, 310, 312, and 316 pursuant to Section 3401(a) of the
HITECH Act to prevent any use or disclosure of Provider’s
Protected Health Information not authorized under this Agreement.
To ensure that any agent, including subcontractors, whom
Recipient authorizes to use or disclose Provider’s Protected
Health Information is held to the same HIPAA privacy and HITECH
security standards that apply to Recipient.
To report to the Provider, through its Health Systems Privacy
Officer (Privacy Officer), any use or disclosure of Provider’s
Protected Health Information not authorized by this Agreement that
Recipient or its agents become aware of within ten (10) days of
To mitigate any harmful effect caused by Recipient’s wrongful use
or disclosure of Provider’s Protected Health Information in
violation of this Agreement.
To make available, at the Provider’s request, any internal
practices, books, and recordings, including policies and procedures,
relating to the use, disclosure, and security of the Protected
Health Information for purposes of determining Recipient’s
compliance with this Agreement and to the HIPAA privacy standards.
To provide written notification to Provider if it receives a
subpoena, court or administrative order or other discovery request
or mandate pertaining to the release of any part of Provider’s
Protected Health Information within five (5) days of the receipt of
such a request. Written notification must occur before the
Recipient responds to the request so as to enable Provider time to
TERM AND TERMINATION
Term. The Term of this Agreement shall commence as of the
Effective Date and will terminate when all of Provider’s Protected
Health Information is destroyed and certified as destroyed, in
writing, to the Provider through its Privacy Officer.
Termination. In the event that the Provider becomes aware of
any use of Provider’s Protected Health Information that is not
authorized under this Agreement or required by applicable law, the
Provider may (i) terminate this Agreement upon notice, (ii)
disqualify (in whole or in part) the Recipient or Recipient’s
authorized agents from receiving Provider’s Protected Health
Information in the future, and (iii) report the inappropriate use or
disclosure to the Secretary of the Department of Health and Human
Services, as appropriate.
Effect of Termination. Recipient will destroy all of
Provider’s Protected Health Information and provide written
certification to the Provider through its Privacy Officer that it
was destroyed, including all of Provider’s Protected Health
Information that is in the possession of Recipient’s agents. No
copies of Provider’s Protected Health Information may be retained.
Breach or Violation. Provider is not responsible for
Recipient’s violations of the HIPAA Privacy Rule unless Provider
knows of a pattern of activity or practice that constitutes a
material breach or violation of the HIPAA Privacy Rule. HIPAA-defined
violations, including those rising to the level of a breach,
will be reported to the Secretary of the Department of Health and
Human Services (“DHHS”).
Amendment. The Parties agree to take such action as is
necessary to amend this Agreement from time to time as is necessary
for Provider to comply with the requirements of the Privacy Rule and
Survival. The respective rights and obligations of Recipient
shall survive the termination of this Agreement.
Interpretation. Any ambiguity in this Agreement shall be
interpreted in a manner consistent with the HIPAA Privacy Rule.
Indemnity. Recipient shall indemnify and hold harmless
Provider and its officers, trustees, employees, and agents from any
and all claims, penalties, fines, costs, liabilities or damages,
including but not limited to reasonable attorney fees, incurred by
Provider arising from a violation of Recipient’s obligations under
Injunctive Relief. Recipient stipulates that its
unauthorized use or disclosure of the Protected Health Information
would cause irreparable harm to the Provider, and in such an event,
Provider shall be entitled to institute proceedings in any court of
competent jurisdiction to obtain damages and injunctive relief.
Assignment. This Agreement may not be assigned.
IN WITNESS WHEREOF, the parties have caused this Data Sharing
Agreement to be executed by their respective duly authorized
representatives effective as of the day and year set forth below.