
HIPAA Data Use Agreement vs. Business Associate Agreement: What's the Difference?

By BAA Generator Editorial  ·  Published Apr 20, 2026  ·  Last reviewed Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: A Data Use Agreement (DUA) governs use of a Limited Data Set — PHI with most direct identifiers removed. A BAA governs relationships with business associates who access fully identifiable PHI. DUAs and BAAs serve different HIPAA functions and are not interchangeable.

What Is a Limited Data Set?

A Limited Data Set (LDS) is a specific category of protected health information defined under 45 CFR § 164.514(e). It is health information from which 16 of the 18 HIPAA safe harbor identifiers have been removed. What makes an LDS different from de-identified data is that it still contains some information that could, in combination, identify individuals — specifically dates and geographic subdivisions.

Limited Data Sets are typically used for research, public health activities, and healthcare operations where precise dates and geographic context are necessary but full identification is not required. A common example is a hospital sharing admission and discharge records with a research institution to study readmission patterns — the records include dates and zip codes, but names, Social Security numbers, and contact information are stripped out.

What Identifiers Does a DUA Remove?

A Limited Data Set must have the following 16 identifiers removed (per 45 CFR § 164.514(e)(2)):

What remains: dates (birth, death, admission, discharge, service), and geographic data at the city/town level or larger (e.g., zip codes, counties, states). These retained elements are why an LDS is still considered PHI and why a DUA is required — it is not fully de-identified data.

When to Use a DUA vs. a BAA

The choice between a DUA and a BAA depends entirely on what type of PHI you are sharing and for what purpose:

The distinction matters because DUAs permit a recipient who is not a business associate to receive LDS data — but only for specified purposes. A BAA, by contrast, establishes an ongoing compliance relationship with an entity that handles your patients' fully identifiable information.

Can You Use a DUA Instead of a BAA?

No. If you share fully identifiable PHI with an outside vendor — one that performs services on your behalf — you need a BAA, not a DUA. Attempting to use a DUA for an arrangement that requires a BAA is a HIPAA violation, regardless of whether a breach occurs.

Similarly, a BAA does not substitute for a DUA when you are sharing an LDS. The regulatory citations are distinct (§ 164.514(e) for DUAs vs. § 164.504(e) for BAAs), the required elements differ, and the permitted uses are governed by different standards.

A HIPAA Authorization, which documents the patient's own consent to a use or disclosure, is a third and separate instrument; see HIPAA authorization vs. BAA for that comparison.

DUA vs. BAA: Side-by-Side Comparison

| Feature | Data Use Agreement (DUA) | Business Associate Agreement (BAA) |
|---|---|---|
| PHI type covered | Limited Data Set (16 identifiers removed) | Fully identifiable PHI |
| Regulatory citation | 45 CFR § 164.514(e) | 45 CFR § 164.504(e) |
| Primary purpose | Research, public health, healthcare operations | Any service involving PHI access on behalf of a covered entity (CE) |
| Who signs | Covered entity + data recipient (need not be a business associate) | Covered entity + business associate |
| Required elements | Permitted uses, identity of recipients, data safeguards, no re-identification | Permitted uses, safeguards, breach notification, subcontractor BAAs, termination, return/destruction of PHI |
| Can substitute for the other? | No | No |

Frequently Asked Questions

What is a HIPAA Data Use Agreement?

A HIPAA Data Use Agreement (DUA) is a contract required under 45 CFR § 164.514(e) when a covered entity shares a Limited Data Set — PHI with 16 of the 18 direct identifiers removed — with another party for research, public health, or healthcare operations purposes. The DUA must identify the permitted uses, the recipient, and require that the recipient not re-identify the data or contact the individuals.

When is a DUA required instead of a BAA?

A DUA is required when you share a Limited Data Set for research, public health, or healthcare operations. A BAA is required when you share fully identifiable PHI with a business associate who performs services on your behalf. If the data you're sharing still contains names, record numbers, or contact information, you need a BAA — a DUA is not sufficient.

Can a DUA replace a BAA?

No. A Data Use Agreement applies only to Limited Data Sets and cannot substitute for a Business Associate Agreement when fully identifiable PHI is involved. Using a DUA when a BAA is required is a HIPAA violation, regardless of whether any breach or harm occurs. OCR has cited organizations for exactly this type of structural compliance failure.

What identifiers remain in a Limited Data Set?

A Limited Data Set removes 16 of the 18 HIPAA safe harbor identifiers but retains dates (admission, discharge, service, birth, death dates) and geographic data at the town or city level or larger (e.g., zip codes, counties, states). Names, contact information, Social Security numbers, medical record numbers, and account numbers are all removed from a Limited Data Set.
