INSTRUCTIONS FOR COMPLETING THE DISPROPORTIONATE SHARE HOSPITAL (DSH) DATA USE
AGREEMENT (DUA) FORM CMS-R-0235D2
For Cost Reporting Periods Prior to Those that Include December 8, 2004
FOR USE OF CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) DATA CONTAINING INDIVIDUAL
IDENTIFIERS
This agreement must be executed prior to the disclosure of data from a CMS Systems of Records
containing personally identifiable information (PII) to ensure that the disclosure will comply and the data
will be protected in accordance with the requirements of the Privacy Act, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the Federal Information Security
Management Act of 2002 (FISMA) and CMS data release policies.
Note:
1) The language contained in this agreement may not be altered in any form.
2) For further details regarding Disproportionate Share Hospital data requests refer to
http://www.cms.gov/AcuteInpatientPPS/05_dsh.asp
Section #1, enter one (1) Provider Reimbursement Review Board (PRRB) name and Medicare Provider
Number and in section 1a enter the PRRB case No.
Section #4, enter the Project/Study Name and Federal contract number if applicable.
Section #5, enter the Provider Cost Reporting Period being requested. Unless unavailable, the update
version of the Medicare Provider Analysis and Review (MEDPAR) file extract that will be
provided will be the update file that was used to calculate the User’s disproportionate patient
percentages for the period covered by the request (e.g., the June 1997 update version of the
Federal Fiscal Year [FFY] 1996 MEDPAR file) for a provider’s cost year.
Section #6, enter the Project/Study’s anticipated date of completion.
Section #16, is to be completed by the Requestor.
Section #17, is to be completed by the Custodian, defined as that person who will have actual
possession of and responsibility for the data files (such as a consulting firm and/or attorney who
is prosecuting the appeal on behalf of the User-Provider). This section must be completed even
if the Custodian and Requestor are the same individual.
Section #18, shall be completed by the CMS Privacy staff representative.
Section #19, is intentionally left blank for DSH DUAs.
Section #20, shall be completed by a CMS representative.
Addendum, CMS-R-0235A, shall be completed when additional custodians will be accessing CMS PII
data.
Once the DUA is received and reviewed for privacy and policy issues, a completed and signed copy will
be sent to the Requestor and CMS or Federal Project Officer, if applicable, for their files.
Form CMS-R-0235D2 (proposed 04/11)
DISPROPORTIONATE SHARE HOSPITAL (DSH) DATA USE AGREEMENT
For Cost Reporting Periods Prior to Those that Include December 8, 2004
for the use of Centers for Medicare & Medicaid Services (CMS) Data Containing Individual Identifiers
DUA #
1. PURPOSE: In order to secure data that resides in a CMS Privacy Act System of Records (SOR), and to
ensure the confidentiality, integrity and availability of information maintained by CMS, and to permit
appropriate disclosure and use of such data as permitted by law, this Agreement is by and between the
Centers for Medicare & Medicaid Services (CMS), a component of the U.S. Department of Health and
Human Services (DHHS), and ____________________(Provider Name and Number)_____________________,
hereinafter termed “User.” The User represents that it currently has pending before the Provider
Reimbursement Review Board (PRRB) a jurisdictionally proper appeal(s) on the issue of the calculation
of the User’s ratio of Medicare/SSI days to total Medicare covered days. CMS agrees to provide the
User with data that reside in a CMS Privacy Act SOR as identified in this Agreement. In exchange, the
User agrees to:
a) use the data only for purposes that support the User’s Provider Reimbursement Review
Board (PRRB) case No. ____________________________________________________;
b) ensure the integrity and confidentiality of the data by complying with the terms of this
Agreement and applicable law, including the Privacy Act, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and the Federal Information Security
Management Act of 2002 (FISMA); and
c) pay any applicable fees.
2. CONDITIONS: This Agreement addresses the conditions under which CMS will disclose and the User
will obtain, use, reuse and disclose the CMS data file(s) specified herein, and/or any derivative file(s)
that contain direct individual identifiers or elements that could be used in concert with other
information to identify individuals. This Agreement supersedes any and all agreements between the
parties with respect to the use of data from the file(s) specified herein and preempts and overrides any
instructions, directions, agreements, or other understanding in or pertaining to any grant award or other
prior communication from the Department of Health and Human Services (DHHS) or any of its
components with respect to the data specified herein. Further, the terms of this Agreement may be
changed only by a written modification to this Agreement or by the parties adopting a new agreement.
The parties agree further that instructions or interpretations issued to the User concerning this
Agreement or the data specified herein, shall not be valid unless issued in writing by the CMS signatory
in section 20 below. The parties agree further that CMS makes no representation or warranty, either
implied or expressed, with respect to the accuracy of any data in the file(s).
3. OWNERSHIP RIGHTS: The parties mutually agree that CMS retains all ownership rights to the data
file(s) referred to in this Agreement, and that the User does not obtain any right, title, or interest in any
of the data furnished by CMS.
4. PROJECT IDENTIFICATION: The User represents, and in furnishing the data file(s) specified in section 5
below, CMS relies upon such representation, that such data file(s) will be used solely for the following
purpose of calculating the User’s Medicare fraction of the disproportionate patient percentage.
The User represents further that the User shall not reuse, disclose, release, reveal, show, sell, rent,
lease, loan, or otherwise grant access to the data covered by this Agreement to any person(s) or
organization(s). Exception: The User may disclose, release, reveal or show individually identifiable data
to the following entities (including individuals employed by or under contract with such entities) and
individuals, to the extent necessary to calculate the User’s Medicare fraction of the disproportionate
patient percentage:
(1) CMS;
(2) A fiscal intermediary under contract with CMS;
(3) The PRRB;
(4) A consultant or attorney or other representative under contract with the User to prosecute,
or assist in the prosecution of, an administrative and/or judicial appeal of CMS’ calculation
of its disproportionate patient percentage;
(5) The Department of Justice
(6) A Federal court.
Any such grant of access by the User to individually identifiable data under the foregoing Exception shall
be strictly limited to the extent necessary for the User to calculate its Medicare fraction of the
disproportionate patient percentage – the User is expected to redact individually identifiable data
and/or use code identifiers wherever possible. The User affirms that the requested data is the minimum
necessary to achieve the purposes stated in this section. The User agrees that, within the User’s
organization, access to the data covered by this Agreement shall be limited to the minimum number of
individuals necessary to achieve the purpose stated in this section and only to those individuals on a
need-to-know basis. Disclosure of this data is made pursuant to:
• Privacy Act of 1974 5 U.S.C. Section 552a as amended;
• Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503);
• Freedom of Information Act 5 U.S.C. Section 552 as amended by P.L. 104-231, 110 Stat. 3048;
• Section 1106 of the Social Security Act (42 U.S.C. Section 1306);
• Section 1843 of the Social Security Act (42 U.S.C. Section 1395v); and
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R. Parts 160
and 164).
5. DATA DESCRIPTION: The following CMS data file(s) is/are covered under this Agreement. (note for
form creator - change the header column for System of Record to “Charge Per Year*” and add a “Total”
on bottom line) (the file will be prefilled in with “MEDPAR File Extract – Provider # _____”)
“Medicare Provider Analysis and Review (MEDPAR), HHS/CMS/OIS, 09-70-0514” Privacy Act System of
Records, published at 71 Fed. Reg. 17470 (April 06, 2006)
6. EXPIRATION DATE: The parties mutually agree that the aforesaid files(s) and/or any derivative file(s),
including those files that directly identify individuals or maintains continued identification of individuals,
may be retained by the User no more than 90 days after the date of termination of the User’s appeal of
CMS’ calculation of its disproportionate patient percentage. For purposes of this paragraph, “date of
termination of the User’s appeal” shall be the date upon which any of the following events occur:
(1) the User abandons its appeal;
(2) an order rendered by the PRRB, the CMS administrator or court upholding CMS’ calculation
of the User’s disproportionate patient percentage has become final and non-appealable;
(3) an order rendered by the PRRB, the Administrator or court awarding additional payment to
the User with respect to the disproportionate patient percentage (including an order approving a
settlement) has become final and non-appealable and such payment has been made to the User;
(4) an administrative resolution satisfactory to the User and to the fiscal intermediary is reached
on the appeal and any additional payment provided for by such resolution, with respect to the
disproportionate patient percentage, has been made to the User. The User agrees to destroy the file(s)
and any derivative file(s) which includes any file that maintains or continues identification of individuals
after the date of termination of the User’s appeal. The User agrees that no data from CMS records, or
any parts thereof, shall be retained when the aforementioned file(s) is/are destroyed unless authorized
in writing from the CMS signatory in section 20 below. The User acknowledges that stringent
adherence to the aforementioned information outlined in this paragraph is required. The User
acknowledges that the date is not contingent upon action by CMS.
The Agreement may be terminated by either party at any time for any reason upon 30 days written
notice. Immediately, upon notice of termination by the User, CMS will cease releasing data from the
file(s) to the User under this Agreement and will notify the User to destroy such data file(s). Sections 3,
4, 6, 8, 9, 10, 11, 13, 14 and 15 shall survive termination of this Agreement.
7. DATA PROTECTION: The User agrees to establish appropriate management, operation and technical
controls to protect the confidentiality, integrity and availability of the data and to prevent unauthorized
use or disclosure. The safeguards shall provide a level and scope of security that is not less than the
level and scope of protection as established by the Office of Management and Budget (OMB) in OMB
Circular No. A-130, Appendix III--Security of Federal Automated Information Systems,
http://www.whitehouse.gov/omb/circulars_a130, as well as Federal Information Processing Standard
200, “Minimum Security Requirements for Federal Information and Information Systems”,
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf, and National Institute of
Science and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal
Information Systems”, http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf,
including any revisions as applicable. The User acknowledges that the use of unsecured
telecommunications, including the Internet, to transmit individually identifiable, or deducible
information derived from the file(s) specified in section 5 above is prohibited. Further, the User agrees
that the data must not be physically moved, transmitted or disclosed in any way from or by the site
indicated in section 17 below without written approval from CMS unless such movement, transmission
or disclosure is required by law.
8. SECURITY COMPLIANCE OVERSIGHT: The User agrees that the authorized representatives of CMS, the
DHHS Office of the Inspector General, or the Comptroller General, will be granted access to premises
where the aforesaid file(s) is/are kept for the purpose of inspecting security arrangements confirming
whether or not the User is in compliance with the security requirements specified in section 7 above.
9. MINIMUM CELL SIZE DISCLOSURE: The User agrees not to disclose direct findings, listings, or
information derived from the file(s) specified in section 5 above, with or without direct identifiers, if
such findings, listings, or information may, by themselves or in combination with other data, be used to
deduce an individual’s identity. Examples of such data elements include, but are not limited to
geographic location, age if > 89, sex, diagnosis and procedure, admission/discharge date(s), or date of
death. The User agrees further that CMS shall be the sole judge as to whether any finding, listing, or
information, or any combination of data extracted or derived from CMS’ files identifies or would, with
reasonable effort, permit one to identify an individual or to deduce the identity of an individual with a
reasonable degree of certainty.
The User agrees that any use of CMS data in the creation of any document (manuscript, table, chart,
study, report, etc.) concerning the purpose specified in section 4 above (regardless of whether the
report or other writing expressly refers to such purpose, to CMS, or to the file(s) specified in section 5 or
any data derived from such file(s)) must adhere to CMS’ current cell size suppression policy. This policy
stipulates that no cell size (e.g. admittances, discharges, patients, services) less than 11 may be
displayed. Also, no use of percentages or other mathematical formulas may be used if they result in the
display of a cell of less than 11. By signing this Agreement the User hereby agrees to abide by these rules
and, therefore, will not be required to submit any written documents for CMS review. If the User is
unsure, they may submit their product to CMS for review prior to publication. CMS agrees to make a
determination about approval and to notify the user within 4 to 6 weeks after receipt of findings. CMS
may withhold approval for publication only if it determines that the format in which data are presented
may result in identification of individual beneficiaries.
10. RECORD LINKAGE: The User shall not attempt to identify or contact any specific individual whose
record is included in the files listed in section 5 above. The User agrees that, absent express written
authorization from the CMS signatory designated in section 20 below, the User shall not attempt to link
records included in the file(s) specified in section 5 above to any other individually identifiable source of
information. This includes attempts to link the data to other CMS data. A protocol that includes the
linkage of specific files that has been approved in accordance with section 4 above constitutes expressed
authorization from CMS to link files as described in the protocol.
11. DATA RE-USE: The User understands and agrees that they may not reuse original or derivative data
files without prior written approval from the CMS signatory in section 20 below.
12. ENCLOSURES: The parties mutually agree that the following specified Enclosure(s) is part of this
Agreement: ___________________________________________________________________________
13. DATA BREACHES: The User agrees that in the event CMS determines or has a reasonable belief that
the User has made or may have made a use, reuse or disclosure of the aforesaid file(s) that is not
authorized by this Agreement or another written authorization from the CMS signatory in section 20
below, CMS, at its sole discretion, may require the User to:
(a) Promptly investigate and report to CMS the User’s determinations regarding any alleged or
actual unauthorized use, reuse or disclosure;
(b) Promptly resolve any problems identified by the investigation;
(c) Submit a formal response to an allegation of unauthorized use, reuse or disclosure;
(d) Submit a corrective action plan with steps designed to prevent any future unauthorized uses,
reuses or disclosures; and
(e) Return data files to CMS or destroy the data files it received from CMS under this agreement.
The User understands that as a result of CMS’ determination or reasonable belief that unauthorized
uses, reuses or disclosures have taken place, CMS may refuse to release further CMS data to the User
for a period of time to be determined by CMS.
The User agrees to report within one (1) hour, any breach of personally identifiable information (PII)
from the CMS data file(s), loss of these data or disclosure to any unauthorized persons to the CMS IT
Service Desk by telephone at (410) 786-2580 or by e-mail notification at
[email protected] and to cooperate fully in the federal security incident process.
While CMS retains all ownership rights to the data file(s), as outlined in section 3 above, the User shall
bear the cost and liability for any breaches of PII from the data file(s), or as applicable any derivative
file(s), while they are entrusted to the User. Furthermore, if CMS determines that the risk of harm
requires notification of affected individual persons of the security breach and/or other remedies, the
User agrees to carry out these remedies without cost to CMS.
14. DISCLOSURE PENALTIES
a. The User hereby acknowledges that criminal penalties under §1106(a) of the Social Security
Act (42 U.S.C. § 1306(a)), including a fine not to exceed $10,000 or imprisonment not exceeding 5 years,
or both, may apply to disclosures of information that are covered by § 1106 and that are not authorized
by regulation or by Federal law.
b. The User further acknowledges that criminal penalties under the Privacy Act (5 U.S.C. §
552a(i) (3)) may apply if it is determined that the Requestor or Custodian, or any individual employed or
affiliated therewith, knowingly and willfully obtained the file(s) under false pretenses. Any person found
to have violated sec. (i)(3) of the Privacy Act shall be guilty of a misdemeanor and fined not more than
$5,000.
c. The User also acknowledges under HIPAA, “General Penalty for Failure to Comply with
Requirements and Standards” Section 1176, that the DHHS Secretary may impose fines for
noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who
violates a provision of this part; “Wrongful Disclosure of Individually Identifiable Health Information”
Section 1177, that a person who knowingly:
(A) uses or caused to be used a unique health identifier;
(B) obtains individually identifiable health information relating to an individual;
or
(C) discloses individually identifiable health information to another person,
• shall be fined not more than $50,000, imprisoned not more than 1 year, or both;
• if the offense is committed under false pretenses, be fined not more than $100,000,
imprisoned not more than 5 years, or both; and
• if the offense is committed with intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $250,000, imprisoned not more than 10
years, or both.
d. Finally, the User acknowledges that criminal penalties may be imposed under 18 U.S.C. § 641,
Protection of Government Property, if it is determined that the User, or any individual employed or
affiliated therewith, has taken or converted to their own use data file(s), or received the file(s) knowing
that they were stolen or converted. Under such circumstances, they shall be fined under Title 18 or
imprisoned not more than 10 years, or both; but if the value of such property does not exceed the sum
of $1,000, they shall be fined under Title 18 or imprisoned not more than 1 year, or both.
15. USER AGREEMENT: By signing this Agreement, the User agrees to abide by all provisions set out in
this Agreement and acknowledges having received notice of potential criminal or administrative
penalties for violation of the terms of the Agreement.
16. REQUESTOR: The parties mutually agree that the individual identified in this section is designated as
“Requestor” of the file(s) on behalf of the User and hereby attests that he or she is authorized to legally
bind the User to the terms of this Agreement and agrees to all the terms specified herein. The User
agrees to notify CMS, in the method prescribed by CMS, within fifteen (15) days of any change of
Requestor.
Name (typed or printed)
Title
Company/Organization
Street Address
City
State
ZIP Code
Office Telephone (Include Area Code)
Extension (if applicable)
E-Mail Address
Signature
Date
17. CUSTODIAN: The parties mutually agree that the following named individual is designated as
Custodian of the file(s) on behalf of the User and will be the person responsible for the observance of all
conditions of use and for establishment and maintenance of security arrangements as specified in this
Agreement to prevent unauthorized use or disclosure. The User agrees to notify CMS within fifteen (15)
days of any change of custodianship. The parties mutually agree that CMS may disapprove the
appointment of a custodian or may require the appointment of a new custodian at any time.
The Custodian hereby acknowledges his/her appointment as Custodian of the aforesaid file(s) on behalf
of the User, and agrees to comply with all of the provisions of this Agreement on behalf of the User.
Name (typed or printed)
Title
Company/Organization
Street Address
City
State
ZIP Code
Office Telephone (Include Area Code)
Extension (if applicable)
E-Mail Address
Signature
Date
18. PRIVACY ACT DISCLOSURE PROVISION: The disclosure provision(s) that allows the discretionary
release of CMS data for the purpose(s) stated in section 4 above is: (To be completed by CMS Privacy
staff) _Routine Use 2 -__________________________________.
19. This section intentionally left blank for DSH DUAs.
20. CMS REPRESENTATIVE: The parties mutually agree that the following named individual will be
designated as point-of-contact for the Agreement on behalf of CMS. On behalf of CMS the undersigned
individual hereby attests that he or she is authorized to enter into this Agreement and agrees to all the
terms specified herein.
Name of CMS Representative (typed or printed)
Title/Component
Street Address
Mail Stop
City
State
ZIP Code
Office Telephone (Include Area Code)
E-Mail Address
Signature of CMS Representative
Date
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of
information unless it displays a valid OMB control number. The valid OMB control number for this
information collection is 0938-0734. The time required to complete this information collection is
estimated to average 20 minutes per response, including the time to review instructions, search existing
data resources, gather the data needed, and complete and review the information collection. If you
have any comments concerning the accuracy of the time estimate(s) or suggestions for improving this
form, please write to: CMS, 7500 Security Boulevard, Attn: Reports Clearance Officer, Baltimore,
Maryland 21244-1850.
File Type | application/pdf |
Author | CMS |
File Modified | 2011-07-06 |
File Created | 2011-07-06 |