Download: docx | pdf

Supporting Statement for Paperwork Reduction Act Submissions

Data Use Agreement (DUA) Form, Research Identifiable Files Request Packet, and Data Management Plan

(CMS R-235; OMB 0938-0734)

1. Background

The Privacy Act of 1974, §552a requires the Centers for Medicare & Medicaid Services (CMS) to track all disclosures of the agency’s Personally Identifiable Information (PII). CMS is also required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Federal Information Security Management Act (FISMA) of 2002 to properly protect all Protected Health Information (PHI) data maintained by the agency and account for the disclosure of PHI. When entities, such as academic, federal or state agency researchers or CMS contractors request CMS PII/PHI data, they enter into a Data Use Agreement (DUA) with CMS. The DUA stipulates that the recipient of CMS data must properly protect the data according to all applicable data security standards and also provide for its appropriate destruction at the completion of the project/study or the expiration date of the DUA. The DUA form enables the data recipient and CMS to document the request and approval for release of CMS data. The form requires the submitter to provide the Requestor’s organization; project/study name; CMS contract number (if applicable); data descriptions and the years of the data; retention date; attachments to the agreement; name, title, contact information to include address, city, state, zip code, phone, e- mail, signature and date signed by the requester and custodian; disclosure provision; name of Federal Agency sponsor; Federal Representative name, title, contact information, signature, date; CMS representative name, title, contact information, signature and date; and concurrence/non-concurrence signatures and dates from 3 CMS System Managers or Business Owners.

CMS is permitted to disclose data files for approved research purposes in compliance with 45 45 CFR 164.512(i). Researchers requesting research identifiable files (RIF) must, as part of the request process, complete a research request packet that provides CMS with information pertaining to the research study, including describing how the research results/findings will be disseminated, as well as the data files being requested. Should CMS approve the research request, the data requestor enters into a Data Use Agreement (DUA). This data collection is necessary to ensure that disclosures of data for research purposes comply with federal laws and regulations as well as CMS policy.

Researchers requesting RIF files also must complete a Data Management Plan Self-Attestation Questionnaire (DMP SAQ). A DMP SAQ is required each time a DUA is established. Both the DUA and the DMP SAQ forms are valid for one year from the date of approval and are renewable at expiration. If the environment described in a DMP SAQ is the same for multiple DUAs from a single organization, the same DMP SAQ can be used across the DUAs, provided it has not expired.

The DMP SAQ is a technical, evidence-based questionnaire that DUA users must complete as part of the data request packet. The DMP SAQ will enable CMS to evaluate researcher data systems to ensure that CMS data are adequately secured and appropriately protected, as per the Privacy Act and the HIPAA Privacy Rule. The DMP SAQ also allows CMS to measure compliance through the implementation of security and privacy controls as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 and the Centers for Medicare & Medicaid Services (CMS) Information Security and Acceptable Risk Safeguards (ARS). The second component of the DMP SAQ is to provide ongoing oversight. All organizations will be subject to routine audits of the environments used to store and process CMS data, as described in their organizational-level DMP SAQ.

The DMP SAQ is currently covered under OMB Control Number 0938-1411 with an expiration of 2/28/2025. The DMP SAQ is being added to this package and once approved, 0938-1411 will be discontinued.

This Revision request is to update the approved collection CMS R-235 to include the RIF request packet and the DMP SAQ. The information collected in the RIF request packet allows CMS to determine if the research disclosure complies with federal laws and regulations, as well as CMS policy. If the request is approved, CMS enters into a DUA with the research requester. The information collected in the DMP SAQ enables CMS to evaluate researcher data systems to ensure that CMS data are adequately secured and appropriately protected, as per the Privacy Act and the HIPAA Privacy Rule.

Wage estimates in section 12 have been updated to provide the burden estimate for completion of each form within the RIF request packet and the DMP SAQ. In addition, we updated burden estimates in section 14 as there is a burden estimate for review of each form within the RIF, LDS request packets and DMP SAQ. We have also reduced the number of respondents using Form 0235 DUA and Form 0235l Limited Data Set (LDS) DUA.

2. Justification

1 . Need and Legal Basis

The Privacy Act of 1974 allows for discretionary releases of data maintained in Privacy Act protected systems of records under §552a(b) (Conditions of Disclosure). The mandate to account for disclosures of data under the Privacy Act is found at §552a(c)(Accounting of Certain Disclosures). This section states that certain information must be maintained regarding disclosures made by each agency. This information is: Date, Nature, Purpose, and Name/Address of Recipient. Section 552a(e) sets the overall Agency Requirements that each agency must meet in order to maintain records under the Privacy Act. The Data Use Agreement (DUA) form is needed as part of the review of each CMS data request to ensure compliance with the requirements of the Privacy Act for disclosures that contain PII. The DUA form also provides data requestors and custodians with a formal means to agree to the data protection and destruction statutory and regulatory requirements of CMS’ PII data. The Health Insurance Portability and Accountability Act (HIPAA) of 1996, §1173(d) (Security Standards for Health Information) requires CMS to protect Protected Health Information (PHI). Additionally, Federal Information Security Management Act (FISMA), 44 U.S.C. § 3541-3549, as amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283) also requires CMS to develop policies and procedures for the protection and destruction of sensitive data to include PII. In addition, HIPAA permits the disclosure of CMS data for research purposes if the requirements at 45 CFR 45 CFR 164.512(i) are met. The information collected in the RIF request packets ensures that CMS receives the information needed to determine whether the research disclosure complies with federal laws and regulations as well as CMS policy.

2. Information Users

The information collected by the DUA form is used by CMS to track disclosures, conditions for disclosure, accounting of disclosures and agency requirements dictated by the Privacy Act, HIPAA and FISMA.

The information collected from the research request packet is used by CMS to ensure that research disclosures comply with federal laws and regulations as well as CMS policy.

The information collected by the DMP SAQ form is used by CMS to conduct reviews and audits to ensure that research organization’s computing environments have security and privacy controls in place to protect CMS data to comply with NIST SP 800-53, Rev. 4 and CMS ARS 3.1.

2. Use of Information Technology

The DUA forms for contractors and researchers requesting Limited Datasets (LDS) and the LDS request packet are completed online through the Enterprise Privacy Policy Engine (EPPE). EPPE is the system that tracks all disclosures of CMS data.

The DUA form and request packets for research identifiable files (RIFs) are filled out and submitted via email to the CMS Research Data Assistance Center. Disclosures of CMS disclosure of data for RIF research requests are tracked in EPPE.

The DMP SAQ form, downloadable from the CMS website as well as provided by the Research Data Assistance Center, is completed by requesters/users of CMS data and submitted via email to the CMS Data Privacy Safeguard Program (DPSP). The DMP SAQ form addresses the computing environment and security and privacy controls of users of CMS data based on the following frameworks: CMS Acceptable Risk Safeguards (ARS),Version 3.1, and National Institute of Standards of Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

CMS accepts digital signatures on all of the forms.

2. Duplication of Efforts

This information collection does not duplicate any other effort and the information cannot be obtained from any other source

2. Small Businesses

No special considerations are given to small businesses; however, the burden to any User/Requestor of data is minimal.

2. Less Frequent Collection

Data is collected only once at the onset of the study/project and then only again if there are changes initiated by the requestor. There are no additional means for reducing the data collection burden and still be compliant with all applicable statutory and regulatory requirements, as well as CMS policies/procedures. The information collected is necessary to make the determination whether the CMS disclosures for research purposes comply with federal laws and regulations, as well as CMS policy. Yearly, the organization will attest that there are no changes via email to the DMP SAQ.

2. Special Circumstances

There are no special circumstances that would require an information collection to be conducted in a manner that requires respondents to:

• Report information to the agency more often than quarterly;

• Prepare a written response to a collection of information in fewer than 30 days after receipt of it;

• Submit more than an original and two copies of any document;

• Retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years;

• Collect data in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study,

• Use a statistical data classification that has not been reviewed and approved by OMB;

• Include a pledge of confidentiality that is not supported by authority established in statute or regulation that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or

• Submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.

2. Federal Register/Outside Consultation

The 60-day Federal Register notice published in the Federal Register on 11/1/2021 (86 FR 60245).

No comments were received

The 30-day Federal Register notice published in the Federal Register on 4/25/2022 (87 FR 24308)

Outside Consultation

A DMP SAQ pilot was conducted to test the new security and privacy requirements associated with the use of data for research purposes. Six organizations completed the pilot program. During the process, CMS solicited feedback from the participating organizations on two occasions — midway through the pilot and at the end, after each DMP SAQ was completed and submitted for review. The primary takeaway from both surveys was a need to enhance the user-friendliness. CMS took into account that the DMP SAQ form is technical and would require input from the organization’s IT staff members. As a result, the form was updated to speak to an audience of both researchers and IT staff, enhance readability, streamline questions to limit redundancy, and to consolidate document requirements.

2. Payments/Gifts to Respondents

There are no payments/gifts provided to respondents for their participation or usage of the forms. The DUA form is used to help CMS track disclosures, conditions for disclosure, accounting of disclosures and agency requirements. The request packets for research identifiable files (RIFs) and limited datasets (LDS) are used to ensure CMS data disclosures comply with federal laws and regulations as well as CMS policy.

The DMP SAQ, through the review of technical and physical safeguards in place at an organization, allows CMS to ensure that patient data is adequately protected, as per the Privacy Act, the Privacy Rule and CMS data release policies. The DMP SAQ must be completed prior to the release of, or access to, specified data files containing protected health information and individual identifiers. It also allows organizations to verify that they are using industry-level best practices and standards to secure data. As needed, the CMS contractor will provide additional guidance to researchers on implementing effective measures that protect CMS data.

2. Confidentiality

The files are maintained electronically in the Enterprise Privacy Policy Engine.

2. Sensitive Questions

There are no sensitive questions arising from this data collection.

2. Burden Estimates (Hours & Wages)

Wages

To derive average costs, we used data from the U.S. Bureau of Labor Statistics’ May 2020 National Occupational Employment and Wage Estimates for all salary estimates (http://www.bls.gov/oes/current/oes_nat.htm). In this regard, the following table presents the mean hourly wage, the cost of fringe benefits and overhead (calculated at 100 percent of salary), and the adjusted hourly wage.

Occupation Titles and Wage Rates*

Occupation Title	Occupation Code	Mean Hourly Wage($/hr)*	Fringe Benefit ($/hr)	Adjusted Hourly Wage($/hr)
Business Operations Specialist	13-1000	37.66	37.66	75.32

As indicated, we are adjusting our employee hourly wage estimates by a factor of 100 percent. This is necessarily a rough adjustment, both because fringe benefits and overhead costs vary significantly from employer to employer, and because methods of estimating these costs vary widely from study to study. We believe that doubling the hourly wage to estimate total cost is a reasonably accurate estimation method.

Requirements and Associated Burden

Forms in the RIF Request Packet

1. Form 0235 DUA - We estimate the time to complete the DUA form is 30 minutes per requestor. We estimate that it will take 25 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 700 DUA forms for an annual total of 350 hours burden for a total annual cost burden of $26,362.

2. RIF DUA Attachment A – RIF Request Application – This form provides information on the research study, the minimum data necessary to support the research study, and how the research results will be made publicly available. We estimate the time to complete the RIF DUA Attachment A – RIF Request Application is 60 minutes. We estimate that it will take 55 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 400 RIF Request Applications for an annual total of 400 burden hours for a total annual cost burden of $30,128.

3. State Agency Supplement – We estimate the time to complete the State Agency Supplement is 20 minutes. The State Agency Supplement to the RIF Application provides information on data reuse and re-disclosure that is specific to State Agencies conducting research. We estimate that it will take 15 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 5 State Agency Supplements per year for an annual total of 1.65 hours for a total annual cost burden of $124.28.

4. Innovator Supplement – This form collects information specific to researchers that will be utilizing the Virtual Research Data Center, secure CMS environment that provides researchers with direct access to approved privacy-protected data files to conduct their research analyses. We estimate the time to complete the Innovator Supplement is 30 minutes. We estimate that it will take 25 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 100 Innovator Supplements per year for an annual total of 50 hours for a total annual cost burden of $3,766.

5. Collaborator Supplement – This form provides information on any collaborating organizations that will be assisting the research requester with the research study. We estimate the time to complete the Collaborator Supplement is 20 minutes. We estimate that it will take 15 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 500 Collaborator Supplements per year for an annual total of 165 hours for a total annual cost burden of $12,427.80.

6. Key Personnel – This form provides information on the individuals that play key roles in the research study. We estimate the time to complete the Key Personnel Form is 20 minutes. We estimate that it will take 15 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 400 Key Personnel Supplement per year for an annual total of 132 hours for a total annual cost burden of $9,942.24.

7. Amendment Request Form – This form allows a requester to amend an existing DUA, such as add new data. We estimate the time to complete the Amendment Request Form is 15 minutes. We estimate it will take 10 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 600 amendment requests per year for an annual total 150 hours for a total annual cost burden of $11,298.

LDS DUA

8. Form 0235l Limited Data Set (LDS) DUA – We estimate the time to complete the LDS DUA is 30 minutes per requestor. We estimate that it will take 25 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 350 LDS DUAs for an annual total of 175 hours burden for a total cost burden of $13,181

Forms Used to Update DUA Information

9. Form 0235a Addendum - We estimate the time to complete the Addendum form is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 4,000 Addendums for an annual total of 680 hours burden for a total cost burden of $51,217.60.

10. Form 0235u Update DUA – We estimate the time to complete the Update DUA is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 1,000 Update DUAs for an annual total of 170 hours burden for a total cost burden of $12,804.40.

11. DUA Certificate of Disposition (10 minutes) - We estimate the time to complete the Certificates of Disposition is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 600 Certificates of Disposition for an annual total of 102 hours burden for a total cost burden of $7,682.64.

DMP SAQ

(l) DMP SAQ- We estimate the time to complete the DMP SAQ form is 1.5 hours. We estimate that it will take 1 hour and 25 min to complete the form and 5 min for filing. On an annual basis, we expect to receive an average of 1,000 DMP SAQ forms for an annual total of 1,500 hours burden for a total cost burden of $112,980.

Burden Summary

Summary	No. Respondents		Response s (per Responde nt)	Total Response s	Time (per response) (hours)	Total time (hours) *	Labor Rate ($/hr)	Total Cost ($)
Form 0235 DUA	700		1	700	.5	350	75.32	26,362
RIF DUA Attachment A	400		1	400	1	400	75.32	30,128
State Agency Supplement	5		1	5	.33	1.65	75.32	124.28
Innovator Supplement	100		1	100	.5	50	75.32	3,766
Collaborator Supplement	500		1	500	.33	165	75.32	12,427.80
Key Personnel	400		1	400	.33	132	75.32	9,942.24
Amendment Request Form	600		1	600	.25	150	75.32	11,298
Sub-Total for RIF Request Package						1,248.65	75.32	94,048.32
Form 0235l Limited Data Set (LDS) DUA	350	1		350	.5	175	75.32	13,181
Form 0235a Addendum	4,000		1	4,000	.17	680	75.32	51,217.60
Form 0235u Update DUA	1,000		1	1,000	.17	170	75.32	12,804.40
Certificate of Disposition	600		1	600	.17	102	75.32	7,682.64
DMP SAQ	1,000		1	1,000	1.5	1,5000	75.32	112,980
Total	9,655			9655		3,875.65	75.32	291,913.96

2. Capital Costs

There are no capital costs.

2. Cost to Federal Government

To derive average costs, we used the General Schedule (GS) 13 step 5 pay scale with locality pay adjustment for the Washington/Baltimore/Northern Virginian (https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2020/DCB_h.pdf). In this regard, the following table presents the mean hourly wage, the cost of fringe benefits (calculated at 100 percent of salary), and the adjusted hourly wage.

Occupation Titles and Wage Rates

Occupation Title	Mean Hourly Wage($/hr)*	Fringe Benefit ($/hr)	Adjusted Hourly Wage($/hr)
GS-13 (step 5)	56.31	56.31	112.62

1. Form 0235 DUA - We estimate the time to review and process the DUA form is 30 minutes per request. On an annual basis, we expect to receive an average of 700 DUA forms for an annual total of 350 hours burden for a total annual cost burden of $39,417.

2. RIF DUA Attachment A – RIF Request Application – We estimate the time to review and process the RIF DUA Attachment A form is 1hr per request. On an annual basis, we expect to receive an average of 400 RIF DUA Attachment A forms for an annual total of 400 hours burden for a total cost of $45,048.

3. State Agency Supplement – We estimate the time to review and process the State Agency Supplement is 10 minutes per request. On an annual basis, we expect to receive an average of 5 State Agency Supplement forms per year for an annual total of .85 hours burden for a total cost of $95.73

4. Innovator Supplement – We estimate the time to review and process the VRDC Supplement is 30 minutes per request. On an annual basis, we expect to receive an average of 100 Innovator Supplements for an annual total of 50 hours burden for a total cost of $5,631.

5. Collaborator Supplement – We estimate the time to review and process the Collaborator Supplement is 15 minutes per request. On an annual basis, we expect to receive an average of 500 Collaborator Supplement forms for an annual total of 125 hours burden for a total cost of $14,077.50

6. Key Personnel – We estimate the time to review and process the Key Personnel form is 15 minutes per request. On an annual basis, we expect to receive an average of 400 Key Personnel forms for an annual total of 100 hours burden for a total cost of $11,262

7. Amendment Request Form – We estimate the time to review and process the Amendment Request Form is 15 minutes per request. On annual basis, we expect to receive an average of 600 Amendment requests for an annual total of 150 hours burden for a total cost of $116,893.

8. Form 0235l Limited Data Set (LDS) DUA – We estimate the time to review and process the LDS DUA is 30 minutes per request. On an annual basis, we expect to receive an average of 350 LDS DUAs for an annual total of 175 hours burden for a total cost burden of $19,708.50.

9. Form 0235a Addendum - We estimate the time to review and process the Addendum form is 15 minutes per request. On an annual basis, we expect to receive an average of 4,000 Addendums for an annual total of 1,000 hours burden for a total cost burden of $112,620.

10. Form 0235u Update DUA – We estimate the time to review and process the Update DUA is 15 minutes per request. On an annual basis, we expect to receive an average of 1,000 Update DUAs for an annual total of 250 hours burden for a total cost burden of $28,155.

11. Certificate of Disposition - We estimate the time to review and process the Certificate of Disposition is 15 minutes per request. On an annual basis, we expect to receive an average of 600 Certificates of Disposition for an annual total of 150 hours burden for a total cost burden of $16,893.

Summary	No. Respond ents	Response s (per Responde nt)	Total Response s	Time (per response) (hours)	Total time (hours) *	Labor Rate ($/hr)	Total Cost ($)
Form 0235 DUA	700	1	700	.5	350	112.62	39,417
RIF DUA Attachment A – RIF Request Application	400	1	400	1	400	112.62	45,048
State Agency Supplement	5	1	5	.17	.85	112.62	95.73
Innovator Supplement	100	1	100	.5	50	112.62	5,631
Collaborator Supplement	500	1	500	.25	125	112.62	14,077.50
Key Personnel	400	1	400	.25	100	112.62	11,262
Amendment Request Form	600	1	600	.25	150	112.62	16,893
Sub -Total for RIF Requests					1,175.85	112.62	132,424.23
Form 0235l Limited Data Set (LDS) DUA	350	1	350	.5	175	112.62	19,708.50
Form 0235a Addendum	4,000	1	4,000	.25	1,000	112.62	112,620
Form 0235u Update DUA	1,000	1	1,000	.25	250	112.62	28,155
Certificate of Disposition	600	1	600	.25	150	112.62	16,893
Total					2,2,750.85	112.62	309,800.73

In addition to CMS staff time, we use a CMS contractor, ResDAC, to assist researchers preparing a RIF request packet and to review the packet prior to submitting it to CMS. The contractor cost for this is approximately $960,000 annually. We also use a CMS contractor, MBL Technologies, to receive/review the DMP SAQ forms and perform audits based on the DMP SAQ. The contractor cost for this is approximately $1,635,000 annually.

2. Changes to Burden

The total burden for respondents being requested in this package is $291,913.96 with a total hour burden of 3,875.65. The total burden for respondents for the last package was $206,015 with a total hour burden of 2,900. The total burden for the federal government being requested in this package is $2,904,800.73 with a total hour burden to CMS staff of 2,750.85. The total burden for the federal government in the last package was $254,429 with an annual hour burden for CMS staff of 2,408 hours.

The change in burden to the federal government reflects the use of the 2021 GS rate pay tables for federal employees. It also includes the contractor costs for assisting researchers in completing the RIF request packet and reviewing the RIF request packet prior to submission to CMS and the contractor costs for DMP SAQ reviews and audits.

There also have been other changes that impact the burden for respondents and the federal government. First, the number of DUA forms has increased to include the forms in the research request packet that provide CMS with information pertaining to the research study. The language in the DUA has been revised to clarify CMS data release policies and updated data security requirements. Second, this package also now includes the DMP SAQ that was previously approved in a separate PRA package. The DMP SAQ was updated to collect information on a second point of contact. Third, there has been a decrease in the number of requesters for LDS datasets and therefore the number of respondents using Form 0235l DUA has been reduced. There has also been a decrease in the use of the Form 0235 DUA as many of the CMS programs that have historically used the form have transitioned to program specific documents that are tailored to the uses and disclosures for a specific CMS program. Finally, the May 2020 National Occupational Employment and Wage Estimates were used to calculate respondents’ salary estimates. The hourly burden estimates have been updated to include the forms used in the RIF research request packets and the DMP SAQ. These updates have resulted in an increase burden of $85,898.96 from the previous package and an increase in burden hours of 975.65.

2. Publication/Tabulation Dates

There are no publication and tabulation dates associated with this collection.

2. Expiration Date

This expiration date will be displayed on all documents once approved.

2. Certification Statement

There are no exceptions to the certification statement.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified	0000-00-00
File Created	2022-04-28