🔍 Which Agreement Do You Need?
The type of agreement required depends on the data category and how it will be used.
Protected Health Information (PHI)
Individually identifiable health information including names, dates, diagnoses, treatments, and any data that could identify a patient.
Requires BAALimited Data Set (LDS)
PHI with direct identifiers removed but retaining dates, geographic data (city, state, zip), and ages. Still considered PHI under HIPAA.
Requires Data Use AgreementDe-identified Data (Safe Harbor)
All 18 HIPAA identifiers removed. Not considered PHI. May be shared with NDA protection for business confidentiality.
NDA May Be SufficientSynthetic or Aggregated Data
Artificially generated data or population-level statistics with no individual records. Not PHI.
NDA Sufficient📈 Data Category Comparison
| Feature | PHI | Limited Data Set | De-identified | Synthetic |
|---|---|---|---|---|
| Contains patient names | Yes | No | No | No |
| Contains exact dates | Yes | Yes | No (year only) | May |
| Contains geographic data | Yes | City/State/Zip | State only | May |
| HIPAA applies | Yes | Yes | No | No |
| Agreement required | BAA | DUA | NDA | NDA |
| Re-identification risk | N/A | Medium | Low | None |
🚨 Re-identification Prohibition
Critical NDA Provision: Even with properly de-identified data, NDAs must prohibit any attempts to re-identify individuals. De-identified data can become PHI again if combined with external data sources.
Your NDA should explicitly prohibit:
- Attempting to identify any individual from the data
- Linking data with external databases that could enable identification
- Contacting individuals who might be identifiable
- Sharing data with parties who might attempt re-identification
📝 Essential Patient Data NDA Provisions
Data Categorization
Clear definition of data types covered, distinguishing PHI, LDS, de-identified, and aggregate data.
Purpose Limitation
Specific permitted uses (research, analytics, product development) with restrictions on other uses.
Access Controls
Requirements for limiting data access to authorized personnel with need-to-know.
Security Safeguards
Technical and administrative security measures appropriate to data sensitivity.
Retention & Destruction
Time limits on data retention and certified destruction procedures.
Audit Rights
Right to audit compliance with data handling requirements.
Breach Notification
Timelines and procedures for reporting any unauthorized access or disclosure.
Indemnification
Allocation of liability for data breaches and unauthorized use.
🔬 Common Research & Analytics Use Cases
Population Health Analytics
Analyzing health trends across patient populations to improve care delivery.
Usually requires DUA or BAAAI/ML Model Training
Training algorithms on patient data for diagnostic or predictive tools.
Often requires BAAClinical Benchmarking
Comparing outcomes and quality metrics across providers.
De-identified: NDAMarket Research
Understanding treatment patterns and market opportunities.
Aggregated: NDADrug Safety Studies
Post-market surveillance and pharmacovigilance research.
Usually requires BAAAcademic Research
IRB-approved studies using patient data for scientific inquiry.
LDS: Requires DUAGenerate Your Patient Data NDA
Customize provisions for your specific data type, research purpose, and compliance requirements.
Generate Patient Data NDA →⚖️ Consult a Healthcare Privacy Attorney
Determining whether data is PHI, LDS, or de-identified requires careful analysis. The consequences of misclassification include HIPAA violations and significant penalties. We strongly recommend consulting healthcare privacy counsel before accessing patient data. Request a consultation.