CMS-R-235 State Agency Supplement

Data Use Agreement (DUA) Form, Research Identifiable Files Request Packet, and Data Management Plan (CMS-R-235)

06State-Agency-Supplement-final

OMB: 0938-0734

RESEARCH IDENTIFIABLE FILE (RIF) REQUEST APPLICATION: STATE AGENCY SUPPLEMENT
Requester
Must match the individual specified in the RIF DUA.
Requesting Organization
Must match the organization specified in the RIF DUA.
Study Title
Must match the study title specified in section 3 of the RIF DUA.

As outlined in the State Data Request Policy, CMS is offering States a choice in how they obtain CMS data for research purposes.
Please indicate your selection below:
1. Opt-out of data sharing: States that choose to opt-out of the data sharing may not reuse the data without prior written
authorization from CMS and will incur the standard CMS data re-use fees for any requests to re-use the data.

□ Opt-out of data sharing (one research DUA per project). We understand that we may not reuse the data without prior
written authorization from CMS.

2. Opt-in to data sharing: A state agency that opts-in to data sharing will request Medicare data from CMS to fulfill their research
purposes for a broad range of research activities and research programs. For purposes of such requests, research has the
meaning of the same term defined in the HIPAA Privacy Rule at 45 C.F.R. sec. 164.501. The requesting state agency will enter
into a single DUA with CMS for the data. The requesting agency will be able to reuse the data for additional research, and will be
able to further disseminate the data with appropriate measures to ensure the privacy and security of the data to other state
agencies conducting research or entities with a contractual relationship with the state that are conducting research that is
directed and funded by the state. The requesting state agency will sign a single Data Use Agreement (DUA) for the data,
eliminating the need for the state to sign a DUA for each distinct research-related use of the data. Instead, the requesting
agency will be required to contractually bind all recipients of CMS’ protected health information to the terms of the DUA related
to use, re-use, and re-disclosure of the data, as well as the privacy and security of the data.

□ Opt-in to data sharing. We understand the following terms of the DUA are modified as shown below:
1. USE AND REUSE OF THE DATA
Section 8 of the DUA states: The Requesting Organization shall not use, disclose, market, release, show, sell, rent,
lease, loan, or otherwise grant access to the data set files specified in Attachment A – RIF Request Application,
except as permitted by sections 3, 5, and 6 of this Agreement or other documents governing this data disclosure
or otherwise required by law.
Section 8 of the DUA is replaced in its entirety by the following: The requesting organization may use, reuse or redisclose original or individually identifiable derivative data without prior written authorization from CMS to
conduct its own additional research, and will be able to further disseminate the data with appropriate measures to
ensure the privacy and security of the data to other state agencies conducting research or entities with a
contractual relationship with the state that are conducting research that is directed and funded by the state if such
research is of a nature that would allow for a Privacy Board or an IRB to make the findings listed at 45 CFR
164.512(i)(2)(ii) if the anticipated data recipient were to apply for the data from CMS directly. If the use, reuse, or
redisclosure does not meet the conditions described in the preceding sentence, the Requesting Organization shall
not use, disclose, market, release, show, sell, rent, lease, loan, or otherwise grant access to the data set files
specified in Attachment A – RIF Request Application, except as permitted by sections 3, 5, and 6 of this Agreement
or other documents governing this data disclosure or otherwise required by law. The Requesting Organization
agrees to contractually bind all sub-recipients of individually identifiable health information from the file(s)
specified in Attachment A – RIF Request Application of the DUA to the terms of the DUA related to use, reuse, and
re-disclosure of the data.

2. DATA LINKING
Section 7 of the DUA states: Absent express written authorization from CMS, the Requesting Organization agrees not to
link or attempt to link beneficiary-level records included in the file(s) listed in Attachment A – RIF Request Application to
any other source of information. A RIF Request Application that includes the linkage of specific files that has been
approved in accordance with section 3 constitutes express authorization from CMS to link files as described in the
protocol.
Section 7 of the DUA is replaced in its entirety by the following: As long as the resulting data files are only used for
research projects as described in paragraph 1 above, nothing in the DUA, including, but not limited to Section 7, shall
prohibit the Requesting Organization from linking records included in the file(s) specified in Attachment A – RIF Request
Application of the DUA to other sources of individually identifiable information in accordance with applicable law and
other legally controlling documents.

3. DATA STORAGE
Section 11 of the DUA states: The Requesting Organization agrees to maintain a data security plan with CMS if housing
CMS data that is not aggregate and de-identified as described in 5b and c above that ensures they adhere to the
appropriate administrative, technical, and physical safeguards to protect the confidentiality of the data set file(s) and to
prevent unauthorized use or access to it in accordance with applicable law.
Section 11 of the DUA is replaced in its entirety by the following: The Requesting Organization agrees to maintain a data
security plan with CMS that ensures they adhere to the appropriate administrative, technical, and physical safeguards to
protect the confidentiality of the data set file(s) and to prevent unauthorized use or access to it in accordance with
applicable law. The Requesting Organization may physically move, transmit, or disclose the file(s) specified in Attachment
A – RIF Request Application of the DUA away from the site specified in its Data Management Plan provided that such
action is limited to the disclosures described above in paragraph 1. The Requesting Organization agrees to ensure that
each data storage site includes the appropriate administrative, technical, and physical safeguards to protect the
confidentiality of, and to prevent the unauthorized use or access to the data in accordance with applicable law. The
Requesting Organization also agrees to keep a record of all sites where the file(s) specified in Attachment A – RIF Request
Application of the DUA or any derivative data are stored and provide such information to CMS upon request and in
accordance with paragraph 5 below. The Requesting Organization agrees to contractually bind all sub-recipients to: 1)
immediately report any breach of personally identifiable information to the Requesting Organization; 2) destroy the data
in the event the agreement with the Requesting Organization is terminated unless CMS states in writing that the data
may be retained; 3) take corrective actions for agreement violations that can be adequately mitigated to reasonably
protect the privacy and security interests of the affected individual(s). The Requesting Organization agrees to report its
own and all downstream data recipient violations to CMS and to abide by CMS’ findings and when applicable corrective
actions.

4. TERMINATION OF THE AGREEMENT
Section 10 of the DUA states: Upon expiration of the Retention Date, the Requesting Organization must destroy all files
specified in Attachment A – RIF Request Application of this agreement. Such destruction shall include any original,
derivative, or back-up files that directly or indirectly identify individual beneficiaries and as well as any such files that can
be used in concert with other information to identify individual beneficiaries. The Requesting Organization may retain
aggregate data results for its own use beyond the Retention date if such data complies with the limits in this paragraph
and those in sections 5 and 6 of this Agreement. For all other data, the Requesting Organization agrees to complete the
required destruction and attestation of destruction within 30 days of the Retention Date.
Section 10 of the DUA is replaced in its entirety by the following: In the event the Agreement is: 1) not renewed prior to
the Retention Date specified in Section 9 of the DUA or 2) terminated for any reason, the Requesting Organization agrees
to destroy or ensure the destruction of all copies of the file(s) specified in Attachment A – RIF Request Application of the
DUA including any individually identifiable derivative data at sites where the Requesting Organization or a downstream
data recipient has physically moved, transmitted, or disclosed the file(s) to conduct additional research as described in
paragraph 1. Upon termination of the DUA, the Requester must also complete certificate of destruction to cover all sites
where the file(s) specified in Attachment A – RIF Request Application of the DUA were physically moved, transmitted, or
disclosed.

5. ADDITIONAL REQUIREMENTS
The Requesting Organization agrees to provide CMS with a quarterly report detailing to whom the data has been
disclosed and for what they are using it, as well as any sites where the data has been physically moved, transmitted, or
disclosed. Notwithstanding the preceding sentence, at the request of CMS at any point in the future, the Requester
agrees to notify CMS of a proposed re-disclosure of the file(s) specified in Attachment A – RIF Request Application of the
DUA or any individually identifiable derivative data and allow a 30-day period for CMS to review and, if necessary,
request modifications or veto the data request. If CMS does not provide an approval or denial within 30 days, then the
request is automatically approved, but such automatic approval will not negate the obligations laid out in the preceding
paragraphs, and will not be construed as confirmation of conformance with such paragraphs.

LOG OF STATE AGENCIES AND OTHER ORGANIZATIONS USING CMS DATA
This section specifically identifies each state agency or state-contracted organization that is, at the time of application, expected to
be using the data or seeing individual level data elements or output of analyses. If a State chooses to opt-in to data sharing, updated
copies of this log must be supplied to CMS ([email protected]) on a quarterly basis (or thirty days prior to an anticipated
data release if the second sentence of the preceding paragraph is triggered). States that do not opt-in to data sharing do not need to
complete this log.
State Department (or contractor) | Summary of Research Plans Using Medicare or Medicaid Data | Access Method*

*If the data will be housed in a separate location from that identified in the DUA, please note the separate location here. If the data will be
accessed via VPN at the location in the DUA, please note it.



File Type: application/pdf
File Title: State Agency Supplement
Subject: State Agency Supplement
Author: CMS
File Modified: 2022-04-01
File Created: 2022-03-29
