The role of data use agreements in specifying legally compliant software requirements

Security and privacy requirements are often not explicitly stated and are often not easy to elicit. In this paper, we discuss data use agreements (DUAs) as a source of security and privacy requirements that can be leveraged by requirements engineers. Within the healthcare domain, regulations created pursuant to the U.S. Health Insurance Portability and Accountability Act (HIPAA) specify that a DUA must exist for certain uses and disclosures of protected health information as a limited data set. For compliance reasons, it is important for requirements engineers to ask for and evaluate DUAs, as they are legally binding on the parties. We discuss HIPAA-governed DUAs and the information contained within them. Using four DUAs, we apply commitment, privilege, and right (CPR) analysis to identify legally compliant requirements. Through this work, we have identified contractual compliance requirements while also identifying compliance problems in relation to DUAs.