This website uses cookies

This website uses cookies and similar technologies to understand visitor experiences. By using this website, you consent to UNC-Chapel Hill's cookie usage in accordance with their Privacy Notice.

Improving Systems, Practices, and Outcomes

Data Sharing Agreement Template: Examples from the Early Hearing Detection, and Intervention Program (EHDI) and Early Intervention Programs

Updated July 15, 2024, 11:37 AM

This template provides users with examples of components, descriptions, and language to use for data sharing agreements and memoranda of understanding (MOU) between service providers for children who are deaf and hard of hearing.

Items in this template are from existing state data sharing agreements or MOUs. Users are encouraged to add additional components as required or recommended in their state. Additional resources are also included.

Suggestions when using this template:

  • Use the descriptions and examples included as guidance when developing your state agreement language.
  • Refer to the complete agreements for any examples provided in this template as well as additional state data sharing agreements at: https://infanthearing.org/privacy/data-sharing-partnerships.html
  • Review the Individuals with Disabilities Education Act (IDEA), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and other federal and state laws and regulations specific to your state when developing your agreement.
  • Consult with the appropriate legal authority within your state, such as your department's or program's legal team.

The suggested components, descriptions and examples follow.

Description

Introduce the data sharing partners and give the official name of each organization. For this agreement, the most likely parties that need to share data include Part C and EHDI but may also include state school for the deaf, birth defects registry, children with special healthcare needs, autism registry, home visiting, and other programs serving this population.

Example from one existing state agreement

  1. This Data Sharing Agreement ("Agreement") is between the Department of Health (DOH), Early Hearing Detection, and Intervention Program ("EHDI Program") and the Department of Health and Human Services Early Intervention Program ("Part C Program").

Description

Provide the reason(s) and intent for the agreement.

Examples from two existing state agreements

  1. The purpose of this agreement is to enable audits or evaluations of the Part C Program and EHDI Program within the state. Personal identifiable information (PII) from early intervention records and EHDI records are being shared for purposes of program improvement and meeting outcomes for both programs including if newborns in the state are enrolled in Early Intervention before 6 months of age, as recommended by the Joint Committee on Infant Hearing (JCIH) to optimize cognitive, language and social-emotional developmental outcomes.
  2. The purpose of this Agreement is to facilitate the sharing of state Childhood Assessment Data between the state's Sound Beginnings, the state Department of Health (DOH), and Welfare and the state University's Collaborative Assessment Project. This will enable each entity to collect information about children with hearing loss to correlate early identification of hearing loss and entry into early intervention (EI) programs with those children's EI outcomes.

Description

Provide definitions of legal, data, or programmatic terms used in the agreement.

Examples from six existing state agreements

  1. "Disclosure" means to permit access to, or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.
  2. "Authorized Representative" means any entity or individual designated by a State or local educational authority or party designated to conduct any audit or evaluation, or any compliance or enforcement activity in connection with state or federal legal requirements that relate to these programs.
  3. "Data Owner" means the entity that collects the screening, audiologic assessment results, and/or EI assessment data on children with hearing loss.
  4. "Recipient" means the entity that receives newborn hearing screening, audiologic assessment results, and/or EI assessment data on children with hearing loss by the Data Owner.
  5. "Confidential Information" means all tangible and intangible information and materials accessed or disclosed in connection with this Memorandum, in any form or medium, (and without regard to whether the information is owned by the State or by a third party), that satisfy at least one of the following criteria:
    1. Personally Identifiable Information;
    2. Individually Identifiable Health Information; or
    3. Information designated as confidential in writing by the State
  6. "Breach of Confidentiality" means unauthorized access, use or disclosure of information received under this agreement. Disclosure may be oral or written, in any form or medium.

Description

Describe the obligations of the parties to perform the activities covered by the agreement. This should include a description of the activities related to data transfer, data storage, how the data will be used, and specific responsibilities of each party.

Examples from four existing state agreements

  1. Individual data will be shared by the Department of Health (DOH) one time annually for the period of July 1 through June 30 of each year. DOH will provide the Department of Education the following data to match with the Department of Education records for individuals.
  2. Provide Newborn Hearing Screening, audiologic assessment results, and/or EI assessment data to the Recipient. The Data Owner agrees to provide all the data elements specified in Attachment A for families who have signed the ICAP consent form.
  3. Provide data on an annual basis and/or within ten (10) working days upon request.
  4. Complete a request for information form when seeking any personally identifiable information beyond that allowed to be shared for notification purposes without parental consent.

Description

Indicate the authorized representative(s) and names of key contacts within both participating parties.

Examples from one existing state agreement

  1. Authorized representatives from [insert Part C Program name] include:
    1. [insert representative name or role here]
    2. [insert representative name or role here]
  2. Authorized representatives from [insert EHDI Program name] include:
    1. [insert representative name or role here]
    2. [insert representative name or role here]

Description

Describe the processes for securely transmitting and storing data shared between parties, including provisions related to data ownership, stewardship, and access to data.

Examples from three existing state agreements

  1. The Receiving Organization will implement and maintain the Data Management Plan specified in [insert Appendix with Data Management Plan]. The Receiving Organization will not undertake any unsecured telecommunication or transfer of [insert Program name] data.
    The Receiving Organization agrees that [insert Program name] data may not be stored, moved, transmitted or disclosed in any way (other than the way(s) indicated in [insert Policy name, and reference its section]), without written approval from [insert Program name].
    The Receiving Organization will strictly adhere to the provisions of [insert Policy name, and reference its section] in all reports, analyses, displays, products, and other data uses ("Outputs") to prevent identification of individuals.
    The Data Security and Access Policy will be available to the public at [insert URL].
    Interested members of the public will be informed by [insert mechanisms].
    The following [insert Part C Program name] and [insert EHDI Program name] data systems are covered by this [insert data sharing agreement title]:
    1. [insert Part C Program name]
    2. [insert EHDI Program name]
    3. [insert Other Program name, if applicable]
  2. The Department of Education and the Department of Health (DOH) agree to provide the data described in Paragraph 6 via secure electronic data transfer within a reasonable time after it is complete and available to facilitate these studies. The format of the data will be determined prior to data transfer by DOH and Department of Education project staff. DOH will enter, store, and maintain data provided by the Department of Education within DOH Electronic Disease Surveillance System. DOH will use appropriate safeguards to prevent use or disclosure of private student information by its employees, contractors, and agents, including but not limited to implementation of administrative, physical, and technical safeguards to reasonably and appropriately protect the privacy and integrity of student data that it creates, receives, maintains, or transmits under this agreement. Data safeguards at DOH include:
    1. [insert Physical security measures details]
    2. [insert Technical security measures details]
    3. [insert Administrative security measures details]
  3. Provide appropriate administrative, physical, and technical safeguards to ensure the confidentiality and security of the Data and prevent unauthorized use or access to it. Upon request from the Data Owner, the Recipient will identify in writing all of the safeguards that it uses to prevent unauthorized use or access. Safeguards shall include, but are not limited to, storing the Data, if in paper format, in locked files with access limited to authorized individuals only and storing the Data, if in electronic format, by password protecting, encrypting, or otherwise securing all electronic copies of the Data to permit access only by authorized individuals. Both parties shall adhere to the policies and procedures followed by ITP regarding the storage, disclosure to third parties, retention, and destruction of personally identifiable information.

Description

Describe the procedures to be implemented in the event personally identifiable information associated with the shared data is disclosed in ways that are not consistent with this agreement. These procedures should include who will be notified about the breach, how potential adverse effects of the breach will be mitigated, and how similar breaches will be avoided in the future.

Examples from three existing state agreements

  1. The Department of Health (DOH) and the Department of Education will report any known data security or data privacy incidents as soon as they become known. For purposes of this agreement, "security incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. "Privacy incident" means violation of the Government Data Practices Act including, but not limited to, improper and/or unauthorized use or disclosure of not public data and incidents in which the confidentiality of the information maintained by the Department of Education, or DOH has been compromised. The Department of Education must report within one (1) day of discovery of the privacy or security incident.
  2. Mitigating Unauthorized Uses or Disclosures of Data. The Receiving Organization agrees to report any unauthorized use, reuse, or disclosure of Department of Health (DOH) data to DOH within 24 hours of becoming aware of the incident. The report will include the date of the incident; any harmful effects that may or have been caused by the unauthorized use or disclosure; details about the most likely causes of the incident and how it occurred; and a description of DOH data accessed, used, or disclosed.
    1. If DOH has a reasonable belief that the Receiving Organization has made use, reuse, or disclosure of DOH data, DOH may, in its sole discretion, require the Receiving Organization to do one or more of the following:
    2. Investigate and report to DOH the Receiving Organization's determinations regarding any alleged or actual unauthorized use or disclosure.
    3. Promptly resolve any issues or problems identified by the investigation.
    4. Submit a corrective action plan outlining the steps that the Receiving Organization will take to prevent future unauthorized use or disclosure; or
    5. Return or destroy DOH data.
  3. Provide telephone and written notice to the Data Owner as soon as possible, but no longer than 48 hours, after becoming aware of a violation of this Agreement or any unauthorized access to the data. The notification must provide a full description of the breach and corrective action taken or to be taken. The Recipient shall take corrective action, to the extent practicable, to mitigate any harmful effect that is known to it.

Description

Describe the timeline and process for destroying personally identifiable information when the agreement is no longer valid or when the data are no longer needed. The process should include destroying data stored on hard copy, tapes, hard drives, servers, and/or other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.

Examples from three existing state agreements

  1. Both parties will destroy any data received from the other upon completion, expiration or termination of the agreement or when the data are no longer needed, whichever comes first. Summary data, summary analysis and research projects created from the data are not subject to this requirement.
  2. Data Recipient agrees that, upon termination or expiration of the Agreement, it shall erase, destroy, and render unreadable all data from all computer systems and backups, and certify in writing that these actions have been completed within thirty (30) days of the termination of the Agreement or within seven (7) days of the request, whichever shall come first.
  3. Upon termination of the Agreement, the Recipient must destroy all data and all data work products containing Protected Health Information (PHI). Recipient shall provide a Certificate of Data Destruction in the form shown in Exhibit C, attached hereto, and incorporated herein by reference, detailing all records that were destroyed, the type of media that contained the records, the method of destruction, the name of the individuals performing the destruction and the date, time, and location of the destruction.
    1. The Recipient shall provide the Certificate of Data Destruction by the termination date. Acceptable destruction methods for various types of media include:
      1. For paper documents containing confidential or sensitive information, a contract with a recycling firm to recycle confidential documents is acceptable, provided the contract ensures that the confidentiality of the data will be protected. Such documents may also be destroyed by on-site shredding, pulping, or incineration.
      2. If data has been stored on server or workstation data hard drives or similar media, the Data Recipient shall destroy the data by using a "wipe" utility which will overwrite the data at least three (3) times using either random or single character data, degaussing sufficiently to ensure that the data cannot be reconstructed, or physically destroying disk(s).

Description

Set the terms by which each party may further disclose the shared data to other entities.

Examples from three existing state agreements

  1. Limit access to the data to only those staff and personnel with a need to know, that are authorized to have access, who have agreed in writing to not further disclose this data and to abide by the terms of this Agreement. Re-release of Newborn Hearing Screening, audiologic assessment data, and/or EI assessment data is the strictly prohibited except for aggregate data. Any other releases must be approved in writing by the Data Owner or the data subject. The parties acknowledge that ICAP will use a contractor for purposes of data visualization and the contractor will receive de-identified data only.
  2. Notify the Data Owner if the Recipient receives a subpoena or other compulsory legal process that requires disclosure of any of that data. The Recipient agrees to provide such notification as soon as possible, but no later than 48 hours, after recipient of such subpoena or other compulsory legal process or prior to the return date specified in the subpoena or other compulsory legal process, whichever is sooner, and agrees to take all legal steps reasonably necessary to oppose the disclosure of the Data Owner's Newborn Hearing Screening, audiologic assessment data, and/or EI data.
  3. The Receiving Organization agrees that DOH owns and retains ownership of all DOH Data released to the Receiving Organization under this Agreement. The Receiving Organization will not disclose, release, reveal, show, sell, rent, lease, loan, submit, present, or otherwise grant access to DOH Data unless specifically approved in this agreement.

Description

Define the start and end dates for the agreement, provisions for modifying or amending the agreement, provisions for termination or severability, and resolution of disputes.

Examples from eight existing state agreements

  1. Either the [insert Party One] or the [insert Party Two] may terminate this Agreement at any time by giving written notice to the other party of such termination and specifying the effective date thereof at least thirty (30) days before the effective date of such termination.
  2. Should any term or provision of this Agreement be found to be prohibited by the laws of the United States or the [insert State, Commonwealth, or Jurisdiction], or should any term or provision be declared invalid or void by a court of competent jurisdiction, the remaining terms, conditions, and obligations shall be valid and enforceable, to the fullest extent permitted by law, and shall not be affected by the invalidity of any other provision.
  3. This Agreement may be modified or amended by mutual consent of the parties. Any modification or amendment shall be made in writing, clearly state the changes being affected, and shall be duly executed by an authorized representative of each party.
  4. The dispute resolution process established under this Agreement shall not affect, replace, or diminish any procedural safeguards provided to parents or individuals under any Federal or State statutes or regulations governing the respective parties. In the event of a difference of opinion between or among the signatory parties of the Agreement relative to the implementation of this Agreement, the parties agree that the State division or program directors, within ten (10) days from receipt of a complaint, will review the issues and develop recommendations for resolution. If resolution is not achieved at the State division or program director level, the issue will be referred to the party heads of the [insert Party One] and the [insert Party Two] within five (5) business days of the meeting to reach a determination on the matter.
  5. Indemnification. The Receiving Organization agrees to indemnify, hold harmless and defend DOH, [insert State, Commonwealth, or Jurisdiction] and its affiliates, from and against any and every claim, cause of action, obligation, liability, judgment, damage, loss, cost, expense, and fee (including without limitation reasonable attorneys' and court fees) arising out of or relating to the Receiving Organization's breach of this Agreement, willful negligence, or failure to perform its obligations under this Agreement. If DOH, in its sole discretion, determines that the risk of harm created by such a breach or alleged breach of DOH Data requires notification of affected individuals and/or other remedies, the Receiving Organization agrees to carry out such remedies under the direction of and without cost to DOH. No other agreement between the parties alters a party's liability under this Agreement, but this Agreement does not limit a party's liability under any other agreement.
  6. Neither party will be liable for violations of any applicable laws, or the terms of this agreement, indirectly or directly arising out of or resulting from, or in any manner attributable to the actions of the other party. Each party's individual liability shall be governed by the provisions of the applicable laws.
  7. Subcontractors. If subcontractors are utilized, the Receiving Organization agrees to enter into a written contract with each agent and subcontractor receiving or accessing DOH Data, binding the subcontractor to the terms and conditions of this Agreement.
  8. The terms of this Agreement shall take effect upon signature by the authorized representative of each party and will remain in effect to [insert end date] unless sooner terminated or amended by agreement of the Parties.

Description

Include the authorized parties and their signature.

Examples from two existing state agreements

  1. Each signatory agrees by signing below that it has the authority to sign this Agreement on behalf of the party the signatory represents. Each entity agrees to be bound by the terms and conditions of this Agreement.
  2. The Department of Education and the Department of Health (DOH) each designate one or more authorized representatives for purposes of this Agreement, as described below. Each representative shall have final authority for acceptance of services of the other party.

Description

Include a list of data elements to be shared by both parties and whose use is dictated by the terms of this Agreement. Initially, this may be a limited set of elements which may evolve over time with agreement of both parties. Also include business rules defining each element for accuracy.

Examples from one existing state agreement

  1. Individual education data will be shared by the Department of Health (DOH) one time annually for the period of July 1 through June 30 of each year. DOH will provide the Department of Education (Part C) the following data to match with the Department of Education records for individuals:
    1. Child's first name
    2. Child's last name
    3. Child's date of birth
    4. Child's sex
    5. Date of referral to Part C Infant and Toddler Intervention
    6. Date of Diagnosis by clinical audiologist
  2. The Department of Education will use the date of referral and date of diagnosis to monitor timeliness of evaluation, development of Individualized Service Plans (IFSPs), and Part C service initiation for children with hearing loss.
  3. The Department of Education will provide the Department of Health (DOH) the following data only for the children submitted by DOH:
    1. Age of child at time of identification
    2. Service start date
    3. Exit dates
    4. Reason for exit
    5. Race/Ethnicity
    6. Home primary language
    7. Eligibility and enrollment Status for Part C Infant and Toddler Intervention
    8. Early Childhood and D/HH Outcomes
  4. The Department of Health (DOH) will use:
    1. Eligibility and enrollment status to confirm that a referral was made.
    2. Eligibility and enrollment status to evaluate if children with hearing loss are receiving Early Intervention services.
    3. Service start and exit date to evaluate the timeliness and length of enrollment in services.
    4. Race/Ethnicity and Home Primary Language information to identify potential disparities in access to Part C Infant and Toddler Intervention.
    5. Early Childhood and D/HH Outcomes to assess factors that impact improved outcomes.
  5. The Department of Health (DOH) will include Part C enrollment information for children reported to DOH with hearing loss in a limited data set submitted to the Centers for Disease Control annually. The limited data set will be submitted and handled in accordance with an existing Data Use Agreement between DOH and CDC. DOH will report aggregate Part C enrollment status to the EHDI Advisory Committee and other EHDI stakeholders.

Additional Resources

The National Center for Hearing Assessment and Management (NCHAM) provides additional information regarding data sharing agreements and memoranda of understanding between Part C and EHDI programs, as well as examples of state data sharing agreements.

Technical assistance for states involved in data sharing initiatives is available from DaSy and ECTA. For more information, contact Sharon Walsh: sharon.walsh@unc.edu

Produced in collaboration with:

  • The Early Childhood Technical Assistance Center (ECTA)
  • The Center for IDEA Early Childhood Data Systems (DaSy)
  • The National Center for Hearing Assessment and Management (NCHAM)

The contents of this document were developed:

  • Under a grant, #H373Z190002, and a cooperative agreement, #H326P170001, from the Office of Special Education Programs, U.S. Department of Education. DaSy Center Project Officers: Meredith Miceli and Amy Bae ECTA Center Project Officer: Julia Martin Eile
  • Under a cooperative agreement funded in part by the Maternal and Child Health Bureau (MCHB) of the Health Resources and Services Administration (HRSA) as part of award U52MC04391.

However, the content does not necessarily represent the policy of, official views or an endorsement by the U.S. Department of Education, or the Department of Health and Human Services.