CMS-R-235 DUA Supporting_Statement_-_Part_A May 2014

Supporting Statement For Paperwork Reduction Act Submissions

CMS Form 0235 Data Use Agreement

A. Background

The Privacy Act of 1974, §552a requires the Centers for Medicare & Medicaid Services (CMS) to track all disclosures of the agency’s Personally Identifiable Information (PII) and the exceptions for these data releases. CMS is also required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Federal Information Security Management Act (FISMA) of 2002 to properly protect all PII data maintained by the agency. When entities request CMS PII data, they enter into a Data Use Agreement (DUA) with CMS. The DUA stipulates that the recipient of CMS PII data must properly protect the data according to FISMA and also provide for its appropriate destruction at the completion of the project/study or the expiration date of the DUA. The DUA form enables the data recipient and CMS to document the request and approval for release of CMS PII data. The form requires the submitter to provide the Requestor’s organization; project/study name; CMS contract number (if applicable); data descriptions and the years of the data; retention date; attachments to the agreement; name, title, contact information to include address, city, state, zip code, phone, e-mail, signature and date signed by the requester and custodian; disclosure provision; name of Federal Agency sponsor; Federal Representative name, title, contact information, signature, date; CMS representative name, title, contact information, signature and date; and concurrence/non-concurrence signatures and dates from 3 CMS System Manager or Business Owners. While the data elements collected are not subject to change, the individualized clauses that are incorporated into any specific DUA are subject to change based on a specific case or situation such as disclosures to states, oversight agencies or DUAs for disproportionate share hospital (DSH) data requests as well as updates to DUAs with additional data descriptions, changes to the requestor or adding custodians to current DUAs.

B. Justification

1 . Need and Legal Basis

The Privacy Act of 1974 allows for discretionary releases of data maintained in Privacy Act protected systems of records under §552a(b) (Conditions of Disclosure). The mandate to account for disclosures of data under the Privacy Act is found at §552a(c)(Accounting of Certain Disclosures). This section states that certain information must be maintained regarding disclosures made by each agency. This information is: Date, Nature, Purpose, and Name/Address of Recipient. Section 552a(e) sets the overall Agency Requirements that each agency must meet in order to maintain records under the Privacy Act. The Data Use Agreement (DUA) form is needed as part of the review of each CMS data request to ensure compliance with the requirements of the Privacy Act for disclosures that contain PII. The DUA form also provides data requestors and custodians with a formal means to agree to the data protection and destruction statutory and regulatory requirements of CMS’ PII data. The Health Insurance Portability and Accountability Act (HIPAA) of 1996, §1173(d) (Security Standards for Health Information) requires CMS to protect Personally Identifiable Information (PII). Additionally, the Federal Information Security Management Act (FISMA) of 2002, §3544 (b) (Federal Agency Responsibilities – Agency Program) also requires CMS to develop policies and procedures for the protection and destruction of sensitive data to include PII.

2. Information Users

The information collected by the DUA form is used by CMS to track disclosures, conditions for disclosure, accounting of disclosures and agency requirements dictated by the Privacy Act, HIPAA and FISMA.

3. Use of Information Technology

The DUA form may be filled in on-line and then must be printed and signed. The signed form may be submitted to CMS as a scanned document (e.g. .pdf, .jpg, .tif) attached to an e-mail. It is estimated that 99% of all DUA forms will be submitted to CMS via e-mail attachment. CMS is beginning to encourage the use of digital signatures on the forms.

4. Duplication of Efforts

This information collection does not duplicate any other effort and the information cannot be obtained from any other source

5. Small Businesses

No special considerations are given to small businesses; however, the burden to any User/Requestor of data is minimal.

6. Less Frequent Collection

Data is collected only once at the onset of the study/project and then only again if there are changes initiated by the Requestor. There are no additional means for reducing the data collection burden and still be compliant with statutes and CMS policy/procedures.

7. Special Circumstances

No special circumstances.

8. Federal Register/Outside Consultation

The 60-day Federal Register notice was published on June 27, 2014.

9. Payments/Gifts to Respondents

There were no payments/gifts to respondents.

10. Confidentiality

The files are maintained electronically in Microsoft Outlook .pst files. Files containing DUA forms or information will be safeguarded in accordance with Departmental standards and National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations which limits access to only authorized personnel. The safeguards shall provide a level of security as required by Office of Management and Budget (OMB) Circular No. A-130 (revised), Appendix III – Security of Federal Automated Information Systems for moderate level sensitive systems.

11. Sensitive Questions

There are no sensitive questions arising from this data collection.

12. Burden Estimates (Hours & Wages)

We used the General Schedule (GS) 13 step 5 pay scale with locality pay adjustment for the Washington/Baltimore/Northern Virginia area ($ 101,914.00 / annum or $48.83 / hour) as our basis for the cost burden.

1. Form 0235 DUA - We estimate the time to complete the DUA form is 30 minutes per requestor. We estimate that it will take 25 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 3,600 DUA forms for an annual total of 1,800 hours burden for a total annual cost burden of $84,780.

2. Form 0235a Addendum - We estimate the time to complete the Addendum form is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 4,000 Addendums for an annual total of 2,000 hours burden for a total cost burden of $32,880.

3. Form 0235l Limited Data Set (LDS) DUA – We estimate the time to complete the LDS DUA is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 600 LDS DUAs for an annual total of 100 hours burden for a total cost burden of $4,932.

4. Form 0235m Medicaid Agency DUA – We estimate the time to complete the Medicaid Agency DUA is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 20 Medicaid Agency DUAs for an annual total of 3 hours burden for a total cost burden of $164.

5. Form 0235st State Agency DUA – We estimate the time to complete the State Agency DUA is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 20 State Agency DUAs for an annual total of 3 hours burden for a total cost burden of $164.

6. Form 0235u Update DUA – We estimate the time to complete the Update DUA is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 1,000 Update DUAs for an annual total of 167 hours burden for a total cost burden of $8,220.

Reporting Requirement

1. 0235 DUA = 3,600 respondents x (30 min) = 1,500 hours

2. 0235a DUA = 4,000 respondents x (5 min = 333 hours

3. 0235l DUA = 600 respondents x (5 min) = 50 hours

4. 0235m DUA = 20 respondents x (5 min) = 2 hours

5. 0235st DUA = 20 respondents x (5 min) = 2 hours

6. 0235u DUA = 1,000 respondents x (5 min) = 84 hours

Recordkeeping Requirement

1. 0235 DUA = 3,600 respondents x (5 min) = 300 hours

2. 0235a DUA = 4,000 respondents x (5 min) = 333 hours

3. 0235l DUA = 600 respondents x (5 min) = 50 hours

4. 0235m DUA = 20 respondents x (5 min) = 2 hours

5. 0235st DUA = 20 respondents x (5 min) = 2 hours

6. 0235u DUA = 1,000 respondents x (5 min) = 84 hours

Cost Burden

1. 0235 DUA =3,600 respondents x $23.55 x 30 minutes each = $84,780

2. 0235a DUA = 4,000 respondents x $8.22 per hour x 10 minutes each = $32,880

3. 0235l DUA = 600 respondents x $8.22 per hour x 10 minutes each = $4,932

4. 0235m DUA = 20 respondents x $8.22 per hour x 10 minutes each = $164

5. 0235st DUA = 20 respondents x $8.22 per hour x 10 minutes each = $164

6. 0235u DUA = 1,000 respondents x $8.22 per hour x 10 minutes each = $8,220

13. Capital Costs

There are no capital costs.

14. Cost to Federal Government

We used the General Schedule (GS) 13 step 5 pay scale with locality pay adjustment for the Washington/Baltimore/Northern Virginia area ($ 101,914 / annum or $48.83 / hour) as our basis for calculating the annual cost

1. 0235 DUA = 3,600 respondents x $48.83 per hour x 25 minutes each = $175,788

2. 0235a DUA = 4,000 respondents x $48.83 per hour x 10 minutes each = $97,660

3. 0235l DUA = 600 respondents x $48.83 per hour x 10 minutes each = $14,649

4. 0235m DUA = 20 respondents x $48.83 per hour x 10 minutes each = $488

5. 0235st DUA = 20 respondents x $48.83 per hour x 10 minutes each = $488

6. 0235u DUA = 1,000 respondents x $48.83 per hour x 10 minutes each = $24,415

15. Changes to Burden

The burden has increased due to numerous new CMS sponsored programs which are aimed at getting data out to the health care community to encourage innovative changes to reduce the cost of health care for Medicare and Medicaid beneficiaries. These new programs have increased our work load for new data use agreements with corresponding increases to the number of data use agreement addendums and updates.

16. Publication/Tabulation Dates

There are no publication and tabulation dates associated with this collection.

17. Expiration Date

CMS would like an exemption from displaying the expiration date as these forms are used on a continuing basis. To include an expiration date would result in having to discard a potentially large number of forms.

18. Certification Statement

There are no exceptions to the certification statement.