Form CMS-R-235 CMS-R-235.Tab_2a

Data Use Agreement Information Collection Requirements, Model Language, and Supporting Regulations in 45 CFR Section 5b

CMS-R-235.Tab_2a_Draft

OMB: 0938-0734

INSTRUCTIONS FOR COMPLETING THE DATA USE AGREEMENT (DUA) FORM CMS-R-0235
FOR USE OF CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) DATA CONTAINING INDIVIDUAL
IDENTIFIERS
This agreement must be executed prior to the disclosure of data from a CMS Systems of Records
containing personally identifiable information (PII) to ensure that the disclosure will comply and the data
will be protected in accordance with the requirements of the Privacy Act, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the Federal Information Security
Management Act of 2002 (FISMA) and CMS data release policies.
Note:
1) The language contained in this agreement may not be altered in any form.
2) Researchers must contact the CMS contractor, Research Data Assistance Center (ResDAC), on
the web at www.resdac.org, via e-mail at [email protected], or by calling 1-888-973-7322 for
assistance in completing and submitting this form. CMS will not accept forms directly from
researchers. CMS will only accept researcher forms that have been processed through
ResDAC.
3) Federal contractors/grantees and State representatives should contact their CMS
representative for assistance.
Section #1, enter the Requestor’s Organization Name.
Section #4, enter the Project/Study Name and Federal contract number (if applicable).
Section #5, enter the file(s) and year(s) the User is requesting. (see note 2 and 3 above)
Section #6, enter the Project/Study’s anticipated date of completion.
Section #16, is to be completed by the Requestor.
Section #17, is to be completed by the Custodian, defined as that person who will have actual
possession of and responsibility for the data files. This section must be completed even if the
Custodian and Requestor are the same individual.
Section #18, shall be completed by the CMS Privacy staff representative.
Section #19, for federally funded (other than CMS) projects only, enter the Federal Agency name. The
Federal Project Officer shall complete and sign the remaining portions of this section.
Section #20, shall be completed by a CMS representative.
Attachment A Research Application Summary, must be completed by all Users with the exception of
Oversight Agencies, CMS contractors and States. Attachment A generally should be between 1
and 4 pages in length.
Addendum, CMS-R-0235A, shall be completed when additional custodians will be accessing CMS PII
data.
Once the DUA is received and reviewed for privacy and policy issues, a completed and signed copy will
be sent to the Requestor and CMS or Federal Project Officer, if applicable, for their files.

Form CMS-R-0235 (proposed 04/11)

DATA USE AGREEMENT
for the use of Centers for Medicare & Medicaid Services (CMS) Data Containing Individual Identifiers
DUA #
1. PURPOSE: In order to secure data that resides in a CMS Privacy Act System of Records (SOR), and to
ensure the confidentiality, integrity and availability of information maintained by CMS, and to permit
appropriate disclosure and use of such data as permitted by law, this Agreement is by and between the
Centers for Medicare & Medicaid Services (CMS), a component of the U.S. Department of Health and
Human Services (DHHS), and ___________________(Requestor’s Organization)_________________________________ ,
hereinafter termed “User.” CMS agrees to provide the User with data that reside in a CMS Privacy Act
SOR as identified in this Agreement. In exchange, the User agrees to:
a) use the data only for purposes that support the User’s project or study referenced in
this Agreement, which has been determined by CMS to provide assistance to CMS in
monitoring, managing and improving the Medicare and Medicaid programs or the
services provided to beneficiaries;
b) ensure the integrity and confidentiality of the data by complying with the terms of this
Agreement and applicable law, including the Privacy Act, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and the Federal Information Security
Management Act of 2002 (FISMA); and
c) pay any applicable fees.
2. CONDITIONS: This Agreement addresses the conditions under which CMS will disclose and the User
will obtain, use, reuse and disclose the CMS data file(s) specified herein, and/or any derivative file(s)
that contain direct individual identifiers or elements that could be used in concert with other
information to identify individuals. This Agreement supersedes any and all agreements between the
parties with respect to the use of data from the file(s) specified herein and preempts and overrides any
instructions, directions, agreements, or other understanding in or pertaining to any grant award or other
prior communication from the Department of Health and Human Services (DHHS) or any of its
components with respect to the data specified herein. Further, the terms of this Agreement may be
changed only by a written modification to this Agreement or by the parties adopting a new agreement.
The parties agree further that instructions or interpretations issued to the User concerning this
Agreement or the data specified herein, shall not be valid unless issued in writing by the CMS signatory
in section 20 below. The parties agree further that CMS makes no representation or warranty, either
implied or expressed, with respect to the accuracy of any data in the file(s).
3. OWNERSHIP RIGHTS: The parties mutually agree that CMS retains all ownership rights to the data
file(s) referred to in this Agreement, and that the User does not obtain any right, title, or interest in any
of the data furnished by CMS.
4. PROJECT IDENTIFICATION: The User represents, and in furnishing the data file(s) specified in section 5
below, CMS relies upon such representation, that such data file(s) will be used solely for the following
purpose(s).
__________ Project/Study Name____________________________________
__________ Federal Contract/Grant Number (if applicable)___________________

Research Users must provide a summary explanation of the research project using the template in
Attachment A which is incorporated by reference into this Agreement. Only direct CMS contractors and
States are exempt from the Attachment A requirement to this Agreement.
The User represents further that, except as specified in an Enclosure to this Agreement or except as CMS
shall authorize in writing, the User shall not reuse, disclose, release, reveal, show, sell, rent, lease, loan,
or otherwise grant access to the data covered by this Agreement to any person(s) or organization(s). The
User affirms that the requested data is the minimum necessary to achieve the purposes stated in this
section. The User agrees that, within the User’s organization, access to the data covered by this
Agreement shall be limited to the minimum number of individuals necessary to achieve the purpose
stated in this section and only to those individuals on a need-to-know basis. Disclosure of this data is
made pursuant to:
• Privacy Act of 1974 5 U.S.C. Section 552a as amended;
• Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503);
• Freedom of Information Act 5 U.S.C. Section 552 as amended by P.L. 104-231, 110 Stat. 3048;
• Section 1106 of the Social Security Act (42 U.S.C. Section 1306);
• Section 1843 of the Social Security Act (42 U.S.C. Section 1395v); and
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R. Parts 160
and 164).
The User represents further that the facts and statements made in any study or research protocol or
project plan(s) submitted to CMS for each purpose are complete and accurate. Further, the User
represents that said study protocol(s) or project plan(s) that have been approved by CMS or other
appropriate entity as CMS may determine, represent the total use(s) to which the data file(s) specified in
section 5 below will be put.
5. DATA DESCRIPTION: The following CMS data file(s) is/are covered under this Agreement.

6. EXPIRATION DATE: The parties mutually agree that the aforesaid file(s) and/or any derivative file(s),
including those files that directly identify individuals or maintains continued identification of individuals,
may be retained by the User until __________________________, hereinafter known as the “Expiration
Date.” The User agrees to provide CMS, within 15 days of the completion of the purpose specified in
section 4 above, but no later than the expiration date, as amended, in the method prescribed by CMS, a
certification of the disposition of all the data as specified in section 5 above and as applicable all
derivative files. The User agrees that no data from CMS records, or any parts thereof, shall be retained
when the aforementioned certification has been provided to CMS. The User acknowledges that
stringent adherence to the aforementioned information outlined in this paragraph is required. The User
acknowledges that the date is not contingent upon action by CMS.
The Agreement may be terminated by either party at any time for any reason upon 30 days written
notice. Immediately, upon notice of termination by the User, CMS will cease releasing data from the
file(s) to the User under this Agreement and will notify the User to destroy such data file(s). Sections 3,
4, 6, 8, 9, 10, 11, 13, 14 and 15 shall survive termination of this Agreement.
7. DATA PROTECTION: The User agrees to establish appropriate management, operation and technical
controls to protect the confidentiality, integrity and availability of the data and to prevent unauthorized
use or disclosure. The safeguards shall provide a level and scope of security that is not less than the
level and scope of protection as established by the Office of Management and Budget (OMB) in OMB
Circular No. A-130, Appendix III--Security of Federal Automated Information Systems,
http://www.whitehouse.gov/omb/circulars_a130, as well as Federal Information Processing Standard
200, “Minimum Security Requirements for Federal Information and Information Systems”,
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf, and National Institute of
Science and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal
Information Systems”, http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf,
including any revisions as applicable. The User acknowledges that the use of unsecured
telecommunications, including the Internet, to transmit individually identifiable, or deducible
information derived from the file(s) specified in section 5 above is prohibited. Further, the User agrees
that the data must not be physically moved, transmitted or disclosed in any way from or by the site
indicated in section 17 below without written approval from CMS unless such movement, transmission
or disclosure is required by law.
8. SECURITY COMPLIANCE OVERSIGHT: The User agrees that the authorized representatives of CMS, the
DHHS Office of the Inspector General, or the Comptroller General, will be granted access to premises
where the aforesaid file(s) is/are kept for the purpose of inspecting security arrangements confirming
whether or not the User is in compliance with the security requirements specified in section 7 above.
9. MINIMUM CELL SIZE DISCLOSURE: The User agrees not to disclose direct findings, listings, or
information derived from the file(s) specified in section 5 above, with or without direct identifiers, if
such findings, listings, or information may, by themselves or in combination with other data, be used to
deduce an individual’s identity. Examples of such data elements include, but are not limited to
geographic location, age if > 89, sex, diagnosis and procedure, admission/discharge date(s), or date of
death. The User agrees further that CMS shall be the sole judge as to whether any finding, listing, or
information, or any combination of data extracted or derived from CMS’ files identifies or would, with
reasonable effort, permit one to identify an individual or to deduce the identity of an individual with a
reasonable degree of certainty.
The User agrees that any use of CMS data in the creation of any document (manuscript, table, chart,
study, report, etc.) concerning the purpose specified in section 4 above (regardless of whether the
report or other writing expressly refers to such purpose, to CMS, or to the file(s) specified in section 5 or
any data derived from such file(s)) must adhere to CMS’ current cell size suppression policy. This policy
stipulates that no cell size (e.g. admittances, discharges, patients, services) less than 11 may be
displayed. Also, no use of percentages or other mathematical formulas may be used if they result in the
display of a cell of less than 11. By signing this Agreement the User hereby agrees to abide by these rules
and, therefore, will not be required to submit any written documents for CMS review. If the User is
unsure, they may submit their product to CMS for review prior to publication. CMS agrees to make a
determination about approval and to notify the user within 4 to 6 weeks after receipt of findings. CMS
may withhold approval for publication only if it determines that the format in which data are presented
may result in identification of individual beneficiaries.
10. RECORD LINKAGE: The User shall not attempt to identify or contact any specific individual whose
record is included in the files listed in section 5 above. The User agrees that, absent express written
authorization from the CMS signatory designated in section 20 below, the User shall not attempt to link
records included in the file(s) specified in section 5 above to any other individually identifiable source of
information. This includes attempts to link the data to other CMS data. A protocol that includes the
linkage of specific files that has been approved in accordance with section 4 above constitutes expressed
authorization from CMS to link files as described in the protocol.
11. DATA RE-USE: The User understands and agrees that they may not reuse original or derivative data
files without prior written approval from the CMS signatory in section 20 below.
12. ENCLOSURES: The parties mutually agree that the following specified Enclosure(s) is part of this
Agreement: ___________________________________________________________________________
13. DATA BREACHES: The User agrees that in the event CMS determines or has a reasonable belief that
the User has made or may have made a use, reuse or disclosure of the aforesaid file(s) that is not
authorized by this Agreement or another written authorization from the CMS signatory in section 20
below, CMS, at its sole discretion, may require the User to:
(a) Promptly investigate and report to CMS the User’s determinations regarding any alleged or
actual unauthorized use, reuse or disclosure;
(b) Promptly resolve any problems identified by the investigation;
(c) Submit a formal response to an allegation of unauthorized use, reuse or disclosure;
(d) Submit a corrective action plan with steps designed to prevent any future unauthorized uses,
reuses or disclosures; and
(e) Return data files to CMS or destroy the data files it received from CMS under this agreement.
The User understands that as a result of CMS’ determination or reasonable belief that unauthorized
uses, reuses or disclosures have taken place, CMS may refuse to release further CMS data to the User
for a period of time to be determined by CMS.
The User agrees to report within one (1) hour, any breach of personally identifiable information (PII)
from the CMS data file(s), loss of these data or disclosure to any unauthorized persons to the CMS IT
Service Desk by telephone at (410) 786-2580 or by e-mail notification at
[email protected] and to cooperate fully in the federal security incident process.
While CMS retains all ownership rights to the data file(s), as outlined in section 3 above, the User shall
bear the cost and liability for any breaches of PII from the data file(s), or as applicable any derivative
file(s), while they are entrusted to the User. Furthermore, if CMS determines that the risk of harm
requires notification of affected individual persons of the security breach and/or other remedies, the
User agrees to carry out these remedies without cost to CMS.
14. DISCLOSURE PENALTIES
a. The User hereby acknowledges that criminal penalties under §1106(a) of the Social Security
Act (42 U.S.C. § 1306(a)), including a fine not to exceed $10,000 or imprisonment not exceeding 5 years,
or both, may apply to disclosures of information that are covered by § 1106 and that are not authorized
by regulation or by Federal law.
b. The User further acknowledges that criminal penalties under the Privacy Act (5 U.S.C. §
552a(i) (3)) may apply if it is determined that the Requestor or Custodian, or any individual employed or
affiliated therewith, knowingly and willfully obtained the file(s) under false pretenses. Any person found
to have violated sec. (i)(3) of the Privacy Act shall be guilty of a misdemeanor and fined not more than
$5,000.
c. The User also acknowledges under HIPAA, “General Penalty for Failure to Comply with
Requirements and Standards” Section 1176, that the DHHS Secretary may impose fines for
noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who
violates a provision of this part; “Wrongful Disclosure of Individually Identifiable Health Information”
Section 1177, that a person who knowingly:
(A) uses or caused to be used a unique health identifier;
(B) obtains individually identifiable health information relating to an individual;
or
(C) discloses individually identifiable health information to another person,
• shall be fined not more than $50,000, imprisoned not more than 1 year, or both;
• if the offense is committed under false pretenses, be fined not more than $100,000,
imprisoned not more than 5 years, or both; and
• if the offense is committed with intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $250,000, imprisoned not more than 10
years, or both.
d. Finally, the User acknowledges that criminal penalties may be imposed under 18 U.S.C. § 641,
Protection of Government Property, if it is determined that the User, or any individual employed or
affiliated therewith, has taken or converted to their own use data file(s), or received the file(s) knowing
that they were stolen or converted. Under such circumstances, they shall be fined under Title 18 or
imprisoned not more than 10 years, or both; but if the value of such property does not exceed the sum
of $1,000, they shall be fined under Title 18 or imprisoned not more than 1 year, or both.
15. USER AGREEMENT: By signing this Agreement, the User agrees to abide by all provisions set out in
this Agreement and acknowledges having received notice of potential criminal or administrative
penalties for violation of the terms of the Agreement.

16. REQUESTOR: The parties mutually agree that the individual identified in this section is designated as
“Requestor” of the file(s) on behalf of the User and hereby attests that he or she is authorized to legally
bind the User to the terms of this Agreement and agrees to all the terms specified herein. The User
agrees to notify CMS, in the method prescribed by CMS, within fifteen (15) days of any change of
Requestor.
Name (typed or printed)
Company/Organization
Street Address City
Office Telephone (Include Area Code) extension
(if applicable)
Signature

Title
State ZIP Code
E-Mail Address
Date

17. CUSTODIAN: The parties mutually agree that the following named individual is designated as
Custodian of the file(s) on behalf of the User and will be the person responsible for the observance of all
conditions of use and for establishment and maintenance of security arrangements as specified in this
Agreement to prevent unauthorized use or disclosure. The User agrees to notify CMS within fifteen (15)
days of any change of custodianship. The parties mutually agree that CMS may disapprove the
appointment of a custodian or may require the appointment of a new custodian at any time.
The Custodian hereby acknowledges his/her appointment as Custodian of the aforesaid file(s) on behalf
of the User, and agrees to comply with all of the provisions of this Agreement on behalf of the User.
Name (typed or printed)
Company/Organization
Street Address City
Office Telephone (Include Area Code) extension
(if applicable)
Signature

Title
State ZIP Code
E-Mail Address
Date

18. PRIVACY ACT DISCLOSURE PROVISION: The disclosure provision(s) that allows the discretionary
release of CMS data for the purpose(s) stated in section 4 above is: (To be completed by CMS Privacy
staff) _________________________________.

19. FEDERAL (NON-CMS) REPRESENTATIVE: On behalf of ______ (Federal Agency name) ________________
the undersigned individual hereby acknowledges that the aforesaid Federal agency sponsors or
otherwise supports the User’s request for and use of CMS data, agrees to support CMS in ensuring that
the User maintains and uses CMS’ data in accordance with the terms of this Agreement, and agrees
further to make no statement to the User concerning the interpretation of the terms of this Agreement
and to refer all questions of such interpretation or compliance with the terms of this Agreement to the
CMS official named in section 20 below (or to his or her successor).
Typed or Printed Name
Street Address
City
Office Telephone (Include Area Code)
Signature

State

Title of Federal Representative
Mail Stop
ZIP Code
E-Mail Address
Date

20. CMS REPRESENTATIVE: The parties mutually agree that the following named individual will be
designated as point-of-contact for the Agreement on behalf of CMS. On behalf of CMS the undersigned
individual hereby attests that he or she is authorized to enter into this Agreement and agrees to all the
terms specified herein.
Name of CMS Representative (typed or printed)
A. Title/Component Street Address
City
State
Office Telephone (Include Area Code)
Signature of CMS Representative
B. Concur/Nonconcur — Printed Name and component
Signature of CMS Business Owner
C. Concur/Nonconcur — Printed Name and component
Signature of CMS Business Owner
D. Concur/Nonconcur — Printed Name and component
Signature of CMS Business Owner

Mail Stop
ZIP Code
E-Mail Address
Date
Date
Date
Date

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of
information unless it displays a valid OMB control number. The valid OMB control number for this
information collection is 0938-0734. The time required to complete this information collection is
estimated to average 20 minutes per response, including the time to review instructions, search existing
data resources, gather the data needed, and complete and review the information collection. If you
have any comments concerning the accuracy of the time estimate(s) or suggestions for improving this
form, please write to: CMS, 7500 Security Boulevard, Attn: Reports Clearance Officer, Baltimore,
Maryland 21244-1850.

ATTACHMENT A
Research Application Summary
to
DATA USE AGREEMENT
for the use of Centers for Medicare & Medicaid Services (CMS) Data Containing Individual Identifiers
1. Introduction
• Title
• Purpose
o Provide a detailed explanation of the research project. The purpose must demonstrate
the potential to improve the quality of life for Medicare beneficiaries or improve the
administration of the Medicare program, including payment related projects. Under the
Privacy Rule, permitted purposes include research, public health and/or health care
operations.
o Describe the potential uses of this project to Medicare providers of service.
2. Project Issues and Methods
• List and describe the key issues to be studied.
• Describe the plan to analyze the data for the project, including the methodology and procedures
that will be used.
• Provide an outline of project reports, including types of tabulations, aggregations, and other
data presentations.
• State whether any of the methodology or tools contain proprietary information [proprietary
information is exempt from release requirements under the Freedom of Information Act if it
falls within the scope of Exemption 4, 5 U.S.C. § 552(b)(4)].
3. Data Management Safeguards
Describe the procedures that will be used to protect the privacy and identity of an individual.
For example, explain how the privacy of information of beneficiaries in the files will be
safeguarded and guaranteed.
4. Key personnel
List the staff that will have access to the data and their role in the project.
5. Dissemination/Implementation
• Describe how the findings will be used.
• Briefly describe any data dissemination plan that includes how the findings and any reported
data elements will be aggregated to a level that does not permit the identification of the
individual.
• Describe the type of data that will be disseminated, if applicable.

File Type: application/pdf
Author: CMS
File Modified: 2011-07-06
File Created: 2011-07-06