The Privacy Act of 1976, §552a requires
the Centers for Medicare & Medicaid Services (CMS) to track all
disclosures of the agency's Personally Identifiable Information
(PII) and the exceptions for these data releases. CMS is also
required by the Health Insurance Portability and Accountability Act
(HIPAA) of 1996 and the Federal Information Security Management Act
(FISMA) of 2002 to properly protect all PII data maintained by the
agency. When entities request CMS PII data, they enter into a Data
Use Agreement (DUA) with CMS. The DUA stipulates that the recipient
of CMS PII data must properly protect the data according to FISMA
and also provide for its appropriate destruction at the completion
of the project/study or the expiration date of the DUA. The DUA
form enables the data recipient and CMS to document the request and
approval for release of CMS PII data. The form requires the
submitter to provide the Requestor's organization; project/study
name; CMS contract number (if applicable); data descriptions and
the years of the data; retention date; attachments to the
agreement; name, title, contact information to include address,
city, state, zip code, phone, e-mail, signature and date signed by
the requester and custodian; disclosure provision; name of Federal
Agency sponsor; Federal Representative name, title, contact
information, signature, date; CMS representative name, title,
contact information, signature and date; and
concurrence/non-concurrence signatures and dates from 3 CMS System
Managers or Business Owners. While the data elements collected are
not subject to change, the individualized clauses that are
incorporated into any specific DUA are subject to change based on a
specific case or situation, such as disclosures to states, oversight
agencies or DUAs for disproportionate share hospital (DSH) data
requests, as well as updates to DUAs with additional data
descriptions, changes to the requestor or adding custodians to
current DUAs.
US Code: 5 USC 552(a)
Name of Law: The Privacy Act of 1974
Burden has been altered due to
the removal of the Medicaid Agency DUA form and the state DUA form
since they are no longer in use. We also slightly increased the
estimate to complete an LDS DUA based on feedback from requestors.
Changes have resulted in an increase in Annual Burden.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.