Data Use Agreement (DUA) Form, Research Identifiable Files Request Packet Packet, and Data Management Plan (CMS-R-235)

he Privacy Act of 1976, ?552a requires the Centers for Medicare & Medicaid Services (CMS) to track all disclosures of the agency's Personally Identifiable Information (PII) and the exceptions for these data releases. CMS is also required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Federal Information Security Management Act (FISMA) of 2002 to properly protect all PII data maintained by the agency. When entities request CMS PII data, they enter into a Data Use Agreement (DUA) with CMS. The DUA stipulates that the recipient of CMS PII data must properly protect the data according to FISMA and also provide for its appropriate destruction at the completion of the project/study or the expiration date of the DUA. The DUA form enables the data recipient and CMS to document the request and approval for release of CMS PII data. The form requires the submitter to provide the Requestor's organization; project/study name; CMS contract number (if applicable); data descriptions and the years of the data; retention date; attachments to the agreement; name, title, contact information to include address, city, state, zip code, phone, e-mail, signature and date signed by the requester and custodian; disclosure provision; name of Federal Agency sponsor; Federal Representative name, title, contact information, signature, date; CMS representative name, title, contact information, signature and date; and concurrence/non-concurrence signatures and dates from 3 CMS System Manager or Business Owners. While the data elements collected are not subject to change, the individualized clauses that are incorporated into any specific DUA are subject to change based on a specific case or situation such as disclosures to states, oversight agencies or DUAs for disproportionate share hospital (DSH) data requests as well as updates to DUAs with additional data descriptions, changes to the requestor or adding custodians to current DUAs.

The latest form for Data Use Agreement (DUA) Form, Research Identifiable Files Request Packet Packet, and Data Management Plan (CMS-R-235) expires 2023-06-30 and can be found here.