Skip to main content
Login to MyChart

Help us elevate and expand our care, make breakthroughs in biomedical science and improve community health and wellness.

Donate today

Search UVM Health

DMO Webform

DMO Webform

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas finibus erat a enim porta eleifend. 

About this form

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas finibus erat a enim porta eleifend. Nam imperdiet hendrerit velit eu mattis. Aliquam bibendum enim sed neque molestie molestie. Morbi fringilla gravida congue. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Ut commodo sagittis luctus. Praesent bibendum a elit vitae aliquam. Mauris at mauris nisi. Morbi sed ante vitae nunc suscipit laoreet et at mauris. Sed sapien massa, tincidunt ut rhoncus vel, rutrum viverra nunc. Quisque ex ante, congue in nunc at, varius sodales mauris. Nam ultrices blandit velit, ullamcorper sagittis est. Maecenas magna lorem, condimentum ac magna at, congue venenatis quam. Vestibulum volutpat orci ac mi dignissim pharetra.

saving this space for introductory information about this form. 

Covered Entity
  1. 1. Unless otherwise specified in this Agreement, all capitalized terms used but not otherwise defined in this Agreement shall have the same meaning established under the Health Insurance Portability and Accountability Act of1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 and codified at 45 CFR 160-164 

  1. 2. For purposes of the Agreement, the following terms have the meanings ascribed to them below: 

  1. a. “Authorized Agents” collectively refers to the Recipient, Collaborating Personnel, or any agent or authorized subcontractor   

  1. b. “Collaborating Personnel does not mean the Data Recipient; it means the faculty, employees, fellows, or students of a third-party entity/institution, listed under Exhibit A, with which the entity/institution 1) has agreed to collaborate on the Project, 2) has faculty, employees, fellows, or students who have a need to use or provide a service with respect to the Data in connection with its collaboration on the Project, and 3) has been made aware of the terms of this Agreement and has agreed to comply, and to cause its personnel to comply, with such terms, or, has executed an agreement that is substantially similar to this Agreement. 

  1. c. “Data” means to the data the Covered Entity is providing to the Recipient for the purpose of the Project.  

  1. d. “Project” means the work described herein which may apply to Health Care Operations, Public Health, or Research. 

  1. The purpose of this Agreement is to provide the Recipient with access to Data for the Project.
  2. Except as otherwise specified herein, the Recipient shall use the Data for the performance of the Project, and any subsequently agreed purposes.
  3. The data-specific terms and conditions specified in Exhibit B describe the type of Data that will be used or disclosed as authorized under this Agreement. These data types encompass PHI and de-identified data. 
  1. 1. Unless terminated earlier or extended via a modification, the provisions of this Agreement shall be effective as of the Effective Date and shall terminate on the Project Expiration Date noted under Exhibit A. The Recipient shall be responsible for notifying the Covered Entity that the Data is deleted, destroyed, or otherwise rendered unreadable by submitting in writing a notification of destruction to the Covered Entity, or the Data must be returned to the Covered Entity as directed by the Covered Entity, within thirty (30) days of the Expiration Date or the termination of this Agreement.  

  1. 2. Either party may terminate this Agreement with thirty (30) days of written notice to the other party’s Authorized Official. Upon expiration or early termination of this Agreement, the Recipient shall follow the disposition instructions provided in Exhibit A, provided, however, that the Recipient may retain one (1) copy of the Data to the extent necessary to comply with the records retention requirements: 

  • under any applicable laws, regulations, or Recipient institutional policies, or 

  • for the purposes of research integrity and verification in accordance with funding and/or publication requirements; such retention may not exceed 6 years. 

The restrictions set forth in this Agreement (as applicable) shall survive and apply to such archival copy so long as the Recipient holds the Data. After completion or termination of the Project, the Recipient may not retain the Data for future unspecified purposes that have not been agreed upon by the Covered Entity nor permitted under this Agreement. 

  1. 1. The Covered Entity shall provide the Data described in Exhibits A and B to the Recipient for the purpose of the Project.  

  1. 2. The Covered Entity shall retain ownership of any rights it may have in the Data, and the Recipient does not obtain any rights in the Data other than as set forth herein. 

  1. 3. In preparing the Data, the Covered Entity shall include the data fields specified in Exhibit A by the parties from time to time, which are the minimum necessary to accomplish the purposes set forth in this Agreement. 

  1. 4. Except as provided below or prohibited by law, any Data delivered pursuant to this Agreement is understood to be provided “As Is.” The Covered Entity makes no representations and extends no warranties of any kind, either expressed or implied. There are no intended third-party beneficiaries to this Agreement, or express or implied warranties of merchantability or fitness for a particular purpose, or that the use of the data will not infringe any patent, copyright, trademark, or other proprietary rights. Notwithstanding, the Covered Entity, to the best of its knowledge and belief, has the right and authority to provide the Data to Recipient for use in the Project. 

  1. 1. The Recipient will not use the Data, either alone or in concert with any other information, in a manner that may enable the identification of one or more entities or individuals for whom data has been provided. The Recipient will not make any effort to identify or contact individuals who are or may be the sources of Data without specific written approval from the Covered Entity and appropriate Institutional Review Board (IRB) approval, when required pursuant to 45 CFR 46. Should the Recipient inadvertently receive identifiable information or otherwise identify a subject, the Recipient shall promptly notify the Covered Entity and follow the Covered Entity’s reasonable written instructions, which may include return or destruction of the identifiable information. 

  1. 2. The Recipient shall not use the Data except as authorized under this Agreement. The Data will be used solely to conduct the Project and solely by the Recipient and Collaborating Personnel, or Authorized Agents that have a need to use, or provide a service in respect of, the Data in connection with the Project and whose obligations of use are consistent with the terms of this Agreement.  

  1. 3. Unless otherwise required by law or legal process, the Recipient shall not use or further disclose the Data other than as permitted by this Agreement. If the Recipient believes it is required by law or legal process to use or disclose the Data, it will promptly notify the Covered Entity, to the extent allowed by law, prior to such use or disclosure and will disclose the least possible amount of Data necessary to fulfill its legal obligations. 

  1. 4. In the event the Recipient becomes aware of any use or disclosure of the Data not provided for by this Agreement, the Recipient shall take any appropriate steps to minimize the impact of such unauthorized use or disclosure as soon as practicable and shall notify the Covered Entity of such use or disclosure as soon as possible, but no later than five (5) business days after discovery of the unauthorized use or disclosure. The Recipient shall cooperate with the Covered Entity to investigate, correct, and/or mitigate such unauthorized use or disclosure. The Recipient acknowledges that the Covered Entity may have an obligation to make further notifications under applicable laws and shall cooperate with the Covered Entity to the extent necessary to enable Covered Entity to meet all such obligations. 

  1. 5. Except as authorized under this Agreement or otherwise required by law, the Recipient agrees to retain control over the Data at all times and shall not disclose, release, sell, rent, lease, loan, or otherwise grant access to the Data to any third party, except Authorized Agents, without the prior written consent of the Covered Entity. The Recipient agrees to establish appropriate administrative, technical, and physical safeguards to prevent unauthorized use of or access to the Data and comply with any other special requirements relating to safeguarding of the Data as may be set forth in Exhibits A and B. 

  1. 6. By signing this Agreement, the Recipient provides assurance that the access and use of the Data will not violate any relevant institutional policies or applicable federal, state, or local laws and that any relevant regulations have been followed, including the completion of any IRB review or approval that may be required prior to Recipient’s use of the Data. In the event the Covered Entity should provide a written request to the Authorized Official of the Recipient identified in the signature block, the Recipient shall provide documentation of the project’s IRB-Approved protocol.

  1. 7. Except to the extent prohibited by law, the Recipient assumes all liability for damages which may arise from its use, storage, disclosure, or disposal of the Data. The Covered Entity will not be liable to the Recipient for any loss, claim, or demand made by the Recipient, or made against the Recipient by any other party, due to or arising from the use of the Data by the Recipient, except to the extent permitted by law when caused by the gross negligence or willful misconduct of the Covered Entity. No indemnification for any loss, claim, damage, or liability is intended or provided by either party under this Agreement. 

1. The Recipient is encouraged to make publicly available the results of the Project. Before the Recipient submits a paper or abstract for publication or otherwise intends to publicly disclose information about the results of the Project, the Covered Entity will have thirty (30) days from receipt to review proposed manuscripts and ten (10) days from receipt to review proposed abstracts to ensure that the Data is appropriately protected. The Covered Entity may request in writing that the proposed publication or other disclosure be delayed for up to thirty (30) additional days as necessary to protect proprietary information. 

2. The Covered Entity shall have the right, consistent with academic standards, to publish the results of the Project. Prior to submission for publication or presentation, the Covered Entity will provide the Recipient at least thirty (30) days for review and comment upon the manuscript or other material for such publication. All amendments to the manuscript or material resulting from the review by the Recipient shall be made in cooperation with the Covered Entity. At the same time, if deemed necessary by the Recipient, the Recipient shall have the right to delay the Covered Entity's publication of any of the results of the Project for up to thirty (30) days. Expedited reviews for abstracts or poster presentations may be arranged if mutually agreeable to the Recipient and the Covered Entity.

3. The Recipient agrees to recognize the contribution of the Covered Entity as the source of the Data in all written, visual, or oral public disclosures concerning the Recipient’s research using the Data, as appropriate in accordance with scholarly standards and any specific format that has been indicated in Exhibit A. 

  1. 1. Neither party shall use the other party’s name, trademarks, or other logos in any publicity, advertising, or news release without the prior written approval of an authorized representative of that party. The parties agree that each party may disclose factual information regarding the existence and purpose of the relationship that is the subject of this Agreement for other purposes without written permission from the other party provided that any such statement shall accurately and appropriately describe the relationship of the parties and shall not in any manner imply endorsement by the other party whose name is being used. 

  1. 2. Unless otherwise specified, this Agreement and the below listed Exhibit A and B embody the entire understanding between the Covered Entity and the Recipient regarding the transfer and use of the Data provided to the Recipient for the Project: 

  • Exhibit A: Project-Specific Information 

  • Exhibit B: Data-Specific Terms & Conditions 

  1. 3. No modification or waiver of any provision in this Agreement shall be valid unless in writing and executed by duly authorized representatives of both parties. A waiver of any term or provision shall not be construed as a waiver of any other term or provision. 

  1. 4. In the event of any conflict between the terms and conditions stated within this Agreement and those contained within any other agreement or understanding between the parties, written, oral or implied, the terms of this Agreement shall govern. 

  1. 5. The parties agree to take such action as is necessary to amend this Agreement, from time to time, in order for the Covered Entity to remain in compliance with the requirements of relevant institutional policies and applicable federal, state, or local laws and regulations. Any reference in this Agreement to a specific section in any federal, state, or local laws and regulations means the section as amended or as renumbered. 

  1. 6. The undersigned Data Recipient, and Authorized Officials of the Covered Entity and Recipient Institution expressly represent and affirm that the contents of any statements made herein are truthful and accurate and that they are duly authorized to sign this Agreement; no further approvals are necessary to create a binding Agreement. 


UVMHN Partner & Role
UVMHN Employee institution
Student/In-Training role
Indicate whether or not Collaborating Personnel will be involved with the Project (check only one)

Provide sufficient information such that each party understands the Project and activities that the Recipient will perform using the Data; this section is analogous to the Statement of Work used in other agreements. Describe the following: 

Include whether the Recipient is permitted to link the Data with other data sets and describe the linkage process and source(s) or the linked data. If data will be linked, be sure to include any special disposition requirements related to the linked data sets in Section 4 of Exhibit A below.
Please indicate the type(s) of data that will be shared with the Recipient (choose all that apply). Refer to Exhibit B for a full description of the types of data and the additional terms and conditions that apply

Description of the Data. Complete the following sections below, providing sufficient information such that each party understands the Data that will be transmitted under this Agreement: 

If checked, the Data is covered under a Certificate of Confidentiality, which must be asserted against compulsory legal demands, such as court orders and subpoenas for identifying information or characteristics of a research participant. Refer to this link here for further information. for further information.
Specify the method(s) or system(s) utilized to collect the data/information, for example, Epic chart review for UVMMC patients, data extract provided by the Clinical Data Enclave for CVMC patients, data sourced from UVMMC Tumor Registry and via chart review by Project Lead.
Provide a summary of the inclusion and exclusion criteria applied to the source information to identify this Data.

Data Time Period. The start date(s) and end date(s) of the period(s) from which this Data originated.

Provide the number of unique individuals represented within the Data.
Provide a comprehensive list of variables/data elements provided to the Recipient by the Covered Entity.

Data Storage, Data Transfer, and Covered Entity Support. The Covered Entity shall transmit the Data to the Data Recipient upon execution of this Agreement. The Covered Entity shall provide support and send any specific instructions necessary to complete the transfer of the Data to the Recipient as described herein: 

Describe the Covered Entity Personnel designated to transfer data to the Recipient. Provide the Name of the person transferring the Data and the UVMHN Clinic/Department they represent.
Describe the format of the Data being transferred (e.g., encrypted Excel file, paper questionnaires, electronic file containing survey responses).
Describe the technical and/or physical method(s) used to transfer the Data to the Recipient. Include the website/URL for any web-based or cloud-based service as relevant (i.e., shared via Electronic Data Capture (EDC), direct upload from UVMHN Data Management Office to approved secure cloud-based service, securely transferred using an SFTP, Excel file shared with Recipient via guest access to secure UVMHN SharePoint folder.

Covered Entity Support for Data Transfer & Storage. Describe the level of support provided by the Covered Entity to the Recipient to facilitate transfer and/or secure storage of the data described within this Agreement. Provide information on the following topics:

Covered Entity Support for Data Transfer & Storage

Describe the level of support provided by the Covered Entity to the Recipient to facilitate transfer and/or secure storage of the data described within this Agreement. Provide information on the following topics: 

A data dictionary will be provided by the Covered Entity to assist the Recipient in understanding the data structure (e.g., variables, code, lists, etc.)
Describe if revisions if the Covered entity will provide revisions to the Data if errors are found by the Recipient, and the process by which the remediation of these errors will occur.
Provide any other specific instructions necessary to complete the transfer of the Data from the Covered Entity to the Recipient. 
Provide sufficient information such that each party understands the Recipient’s obligations with regard to the Data upon the expiration or early termination of this Agreement. If the Recipient is permitted to link the Data with other data sets, be sure to include any special disposition requirements related to the linked data sets in this attachment.
as set forth herein:

Exhibit B provides the additional terms and conditions that are applicable to the specific type(s) of data being shared with the Recipient for the Project, as indicated under Section 3a of Exhibit A of the Agreement. Please carefully review the terms and conditions for the specific type(s) of data that apply to the Project, the possible types being the following: 

  • PHI with Direct Identifiers (i.e. Full Data Set) 

  • PHI with Indirect Identifiers (i.e. Limited Data Set) 

  • De-Identified Data   

  1. 1. The Data is PHI which contains directly identifiable information that can be used to identify an individual without reliance on other information and is not a Limited Data Set. 

2. Nothing herein shall authorize the Recipient to use or further disclose the Data in a manner that would violate the requirements of the Covered Entity under HIPAA.  

3. The Covered Entity shall prepare and furnish the Recipient the Data with PHI (Full Data Set). The Data can include the following direct and indirect identifiers of the individual or of relatives, employers, or household members of the individual: 

  1. i. Names 

  1. ii. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: 

  1. a. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and 

  1. b. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. 

  1. iii. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older 

  1. iv. Telephone numbers 

  1. v. Fax numbers 

  1. vi. Electronic mail addresses 

  1. vii. Social security numbers 

  1. viii. Medical record numbers 

  1. ix. Health plan beneficiary numbers 

  1. x. Account numbers 

  1. xi. Certificate/license numbers 

  1. xii. Vehicle identifiers and serial numbers, including license plate numbers 

  1. xiii. Device identifiers and serial numbers 

  1. xiv. Web Universal Resource Locators (URLs) 

  1. xv. Internet Protocol (IP) address numbers 

  1. xvi. Biometric identifiers, including finger and voice prints 

  1. xvii. Full face photographic images and any comparable images 

  1. xvii. Any other unique identifying number, characteristic, or code (e.g., clinical trial subject ID, accession number) 

4. Notwithstanding any statement herein to the contrary, the Covered Entity represents that it has full authority to share the Data with the Recipient and has confirmed that the Project is consistent with such consents or authorizations or waivers of such authorizations, if any, as the Covered Entity has obtained from, or on behalf of, individuals who are the subjects of the Data. 

5.     The Recipient agrees to implement reasonable safeguards to store Data with security controls adequate to protect the PHI sufficient to meet the standards of HIPAA, to limit incidental and to avoid prohibited, uses and disclosures of the Data, to ensure that only Authorized Agents have access to the Data, and to maintain appropriate control over the Data at all times. 

6.   The parties agree to take such action as is necessary to amend this Agreement, from time to time, in order for the Covered Entity to remain in compliance with the requirements under HIPAA. 

  1. 1. The Data is PHI that excludes direct identifiers, as that term is defined under HIPAA. 
     

  1. 2. Nothing herein shall authorize the Recipient to use or further disclose the Limited Data Set in a manner that would violate the requirements of the Covered Entity under HIPAA. 
     

  1. 3. The Covered Entity shall prepare and furnish the Recipient a Limited Data Set as set forth under HIPAA. For the Agreement to be valid, the Data must exclude all of the following direct identifiers of the individual or of relatives, employers, or household members of the individual: 
     

  1. i. Names  

  1. ii. Postal address information, other than town or city, State, and zip code 

  1. iii. Telephone numbers 

  1. iv. Fax numbers 

  1. v. Electronic mail addresses 

  1. vi. Social security numbers 

  1. vii. Medical record numbers 

  1. viii. Health plan beneficiary numbers 

  1. ix. Account numbers 

  1. x. Certificate/license numbers 

  1. xi. Vehicle identifiers and serial numbers, including license plate numbers 

  1. xii. Device identifiers and serial numbers 

  1. xiii. Web Universal Resource Locators (URLs) 

  1. xiv. Internet Protocol (IP) address numbers 

  1. Biometric identifiers, including finger and voice prints; and  

  1. xvi. Full face photographic images and any comparable images  
     

  1. 4. If the Data being provided is coded, the Covered Entity will not release the key to the code under this Agreement. 
     

  1. 5. The Recipient will not use the Data, either alone or in concert with any other information, that may enable the identification of one or more entities or individuals for whom data has been provided in the Limited Data Set(s). The Recipient will not make any effort to identify or contact individuals who are or may be the sources of Data without specific written approval from the Covered Entity and appropriate Institutional Review Board approval, when required pursuant to HIPAA. Should the Recipient inadvertently receive identifiable information or otherwise identify a subject, the Recipient shall promptly notify the Covered Entity and follow the Covered Entity’s reasonable written instructions, which may include return or destruction of the identifiable information. 

  1. 1. The Covered Entity shall prepare and furnish the Recipient with Data excluding identifiable information as set forth under HIPAA. In accordance with HIPAA, the following identifiers of the individual or of relatives, employers, or household members of the individual are removed: 
     

  1. i. Names 

  1. ii. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: 

  1. a. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and 

  1. b. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. 

  1. iii. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older 

  1. iv. Telephone numbers 

  1. v. Fax numbers 

  1. vi. Electronic mail addresses 

  1. vii. Social security numbers 

  1. viii. Medical record numbers 

  1. ix. Health plan beneficiary numbers 

  1. x. Account numbers 

  1. xi. Certificate/license numbers 

  1. xii. Vehicle identifiers and serial numbers, including license plate numbers 

  1. xiii. Device identifiers and serial numbers 

  1. xiv. Web Universal Resource Locators (URLs) 

  1. xv. Internet Protocol (IP) address numbers 

  1. xvi. Biometric identifiers, including finger and voice prints 

  1. xvii. Full face photographic images and any comparable images 

  1. xviii. Any other unique identifying number, characteristic, or code (e.g., clinical trial subject ID, accession number) 
     

2. The Recipient will not use the Data, either alone or in concert with any other information, to make any effort to identify or contact individuals who are or may be the sources of Data without specific written approval from the Covered Entity and appropriate Institutional Review Board (IRB) approval, if required pursuant to HIPAA. Should the Recipient inadvertently receive identifiable information or otherwise identify an individual, the Recipient shall promptly notify the Covered Entity and follow the Covered Entity’s reasonable written instructions, which may include return or destruction of the identifiable information. 

  1.  

Sign above

Thank you for participating in this reseach. Please direct any questions to Nicole Lamphere at nicole.lamphere@uvmhealth.org.

844-UVM-HEALTH

Give to a Healthier Future

Help us elevate and expand our care, make breakthroughs in biomedical science and improve community health and wellness.

Healthier communities. Healthiest lives. Together.

University of Vermont Medical Center

111 Colchester Ave
Burlington, VT 05401

802-847-0000

Golisano Children's Hospital

111 Colchester Ave
Burlington, VT 05401

802-847-0000

Central Vermont Medical Center

130 Fisher Road
Berlin, VT 05602

802-371-4100

Champlain Valley Physicians Hospital

75 Beekman Street
Plattsburgh, NY 12901

518-561-2000

Elizabethtown Community Hospital

75 Park Street
Elizabethtown, NY 12932

518-873-6377

Alice Hyde Medical Center

133 Park Street
Malone, NY 12953

518-483-3000

Porter Medical Center

115 Porter Drive
Middlebury, VT 05753

802-388-4701

Home Health & Hospice

1110 Prim Road
Colchester, VT 05446

802-658-1900

© 2026 University of Vermont Health
Jump back to top