OMB Control No:	ICR Reference No: 202102-0938-011
Status: Received in OIRA	Previous ICR Reference No:
Agency/Subagency: HHS/CMS	Agency Tracking No: CM-CPC
Title: Data Management Plan Self-Attestation Questionnaire (DMPSAQ) (CMS-10733)
Type of Information Collection: Existing collection in use without an OMB Control Number	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 02/19/2021

	Requested	Previously Approved
Expiration Date	36 Months From Approved
Responses	1,000	0
Time Burden (Hours)	1,500	0
Cost Burden (Dollars)	0	0

Abstract: The Privacy Act of 1974, §552a requires the Centers for Medicare & Medicaid Services (CMS) to track all disclosures of the agencyâs Personally Identifiable Information (PII). CMS is also required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Federal Information Security Management Act (FISMA) of 2002 to properly protect all PHI data maintained by the agency and account for the disclosure of PHI. When entities, such as academic, federal or state agency researchers or CMS contractors request CMS PII/PHI data, they enter into a Data Use Agreement (DUA) (OMB# 0938-0734) with CMS. The DUA stipulates that the recipient of CMS data must properly protect the data according to all applicable data security standards and also provide for its appropriate destruction at the completion of the project/study or the expiration date of the DUA. The CMS is permitted to disclose CMS data for research purposes to organizations that have been approved through the research data request process. To qualify to receive CMS data, requesting organizations must compile a data request packet. The data request packet's primary components are the Data Use Agreement (DUA) and the Data Management Plan Self-Attestation Questionnaire (DMP SAQ). The DMP SAQ is a technical, evidence-based questionnaire that DUA users must complete as part of the data request packet. The DMP SAQ will enable CMS to evaluate researcher data systems to ensure that CMS data are adequately secured and appropriately protected, as per the Privacy Act and the HIPAA Privacy Rule. The DMP SAQ also allows CMS to measure compliance through the implementation of security and privacy controls as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 and the Centers for Medicare & Medicaid Services (CMS) Information Security and Acceptable Risk Safeguards (ARS).

ICR Summary of Burden

	Total Request	Change Due to Potential Violation of the PRA
Annual Number of Responses	1,000	1,000
Annual Time Burden (Hours)	1,500	1,500
Annual Cost Burden (Dollars)	0	0

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement:

Annual Cost to Federal Government: $1,635,000

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Stephan McKenzie 410 786-1943 [email protected]

Document	Type	Status	Availability
Form CMS-10733 Data Management Plan Self-Attestation Questionnaire	Form and Instruction	New	Available
CMS-10733_Supporting Statement - Part A_DMP SAQ.docx	Supporting Statement A	Uploaded 2021-02-19	Repair queued

Data Management Plan Self-Attestation Questionnaire (DMPSAQ) (CMS-10733)