Section 3.9 Select
Participation, Data Sharing, Data Use,
Business Associate Agreements for HIE and
EHR
As part of selecting a vendor for your electronic health record (EHR), health information exchange
(HIE) service, or other health information technology (HIT) there will be various agreements you
will need to execute.
Time needed: 2 hours
Suggested other tools: NA
How to Use
1. Identify the nature of legal agreements in which you must enter to acquire and use EHR, HIE,
and other HIT.
2. Ensure any EHR or HIT technology systems meet minimum certified, qualified or
interoperability mandates required by your State or other mandated program initiatives
3. Consult with legal counsel to ensure that agreements meet your needs.
Identify Required legal or Mandated Program Requirements
It’s important to understand and ensure the business relationships and legal requirements of all EHR
and HIT technology system vendors participating in your data use and data sharing. The types of
required legal agreements are outlined below.
In addition consideration should be given to ensure any system requirements for mandated program
initiative(s) that you may be participating in – or State interoperability program requirements – are
reviewed for standards compliance as a part of selecting an EHR/HIE or HIT vendor. Example of
mandated program initiatives are provided in table below.
Program Mandate
State of Minnesota Interoperability
Mandate
Meaningful Use Certified EHR
Technology (CHPL)
ONC Voluntary 2015 Edition EHR
Certification Proposed Rule – Fact Sheet
ONC Policy, Regulation, & Strategy for
Behavioral Health
Behavioral Health Data Exchange
URL
http://www.health.state.mn.us/e-health/hitimp/index.html
http://www.cms.gov/Regulations-andGuidance/Legislation/EHRIncentivePrograms/Certification.html
http://healthit.gov/sites/default/files/final2015certedfactsheet.0221
14.pdf
http://healthit.gov/policy-researchers-implementers/behavioralhealth
http://healthit.gov/policy-researchers-implementers/behavioralhealth-data-exchange
Section 3 Select—Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR- 1
Types of Legal Agreements
 Business Associate Contract/Agreement (BAA)



Requirement of HIPAA Privacy and Security Rules when other businesses require
access to protected health information (PHI) on a routine basis in the performance of
work for a covered entity.

Under the Omnibus Rule that became effective 2013, business associates are now
held directly accountable to the HIPAA Security Rule and certain provisions of the
Privacy Rule. Although many business associates have in the past requested that their
form of business associate agreement be signed by the provider receiving the
services, this is likely to become even more prevalent as a result of this change. As a
covered entity, however, you still have the right and responsibility to ensure that any
BAA you sign conforms to the HIPAA requirements and that you are comfortable
with any additional clauses included.
Data Use Agreement

A HIPAA requirement for a party to use a limited data set (data that are partially but
not fully de-identified) for research, public health, or health care operations. The
HIPAA Privacy Rule provides specific details of what must be in a data use
agreement.

The federal government does not offer a sample data use agreement although
additional explanations are cited and available within Health Information Privacy
FAQ’s for further clarification.
Data Use and Reciprocal Support Agreement (DURSA)

The legal, multi-party trust agreement that is entered into voluntarily by all entities,
organizations and federal agencies that want to engage in electronic HIE using an
agreed upon set of national standards, services and policies developed in coordination
with the Office of the National Coordinator for Health IT (ONC).

The DURSA describes the mutual responsibilities, obligations and expectations of all
participants under the agreement. This creates a framework for safe and secure health
information exchange, and is designed to promote trust among Participants and
protect the privacy, confidentiality and security of health data that is shared.

The DURSA is based upon the existing body of federal, state and local law covering
privacy and security of health information. It supports the current policy framework
for health information exchange. The DURSA is intended to be a legally enforceable
contract. It reflects consensus among the government and private entities that
developed DURSA regarding the following issues:
 Each state or other entity establishing an HIO may opt to establish their own
form of DURSA or Data Exchange Support Agreement (DESA) including
additional clauses.
 Ensure that you obtain legal counsel as you consider entering into such an
agreement. Sample Minnesota Data Exchange and Support Agreement
(DESA) is provided in table below.
Section 3 Select—Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR - 2
Resource Name
Sample Business Associate Agreement
and Provisions
HIPAA Privacy Rule – Data Use
Agreement Definitions
Data Use and Reciprocal Support
Agreement (DURSA)
URL
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentiti
es/contractprov.html
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/i
ndex.html
DURSA – Current Version in Effect
(2011)
http://www.nationalehealth.org/ckfinder/userfiles/files/Restatemen
t%20I__DURSA_5_3_11_FINAL_for%20PARTICIPANT%20SI
GNATURE.pdf
http://www.hiebridge.org/PDF/CHIC%20HIEBridge%20DESA%
20Agreement%20-%20FINAL%2011-29-2011.pdf
Sample State Data Exchange Support
Agreement – Minnesota/CHIC
http://www.nationalehealth.org/dursa
Note: all types of agreements should be reviewed with your legal counsel prior to executing the
agreement.
Copyright © 2014 Stratis Health.
Updated 04-17-14
Section 3 Select—Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR - 3