CMS Computer Matching Agreement (CMA)
Written agreement used in the comparison of automated systems of record between federal or state agencies
- #ispg-privacy-agreement-consults
What is a Computer Matching Agreement (CMA)?
A Computer Matching Agreement (CMA) is a written agreement that establishes the terms and conditions for sharing data between a federal agency and another federal or state agency when two or more automated systems of records are compared. CMAs are required by the Privacy Act of 1974. They are a type of Data Sharing Agreement.
Computer Matching Agreements are used to:
- Establish or verify eligibility for federal benefits
- Verify compliance with federal benefit programs
- Recoup payments or delinquent debts
- Investigate potential fraud, waste, and abuse
CMAs include safeguards and procedures to protect the use of Personally Identifiable Information (PII) and Protected Health Information (PHI). If there is PHI involved, then PII will be involved also.
CMAs also require agencies to provide individuals with notice and opportunity to contest findings if their information is being computer matched with information being held by other federal and state agencies. This allows people the opportunity to refute adverse information before having a benefit denied or terminated. The Department of Health and Human Services (HHS) maintains all current CMS Computer Matching Agreements.
CMAs at CMS
The Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance: privacy@cms.hhs.gov.
When finalizing a CMA, a complete package must be developed and submitted to the Office of Management and Budget (OMB) and to Congress, where it is reviewed and then published in the Federal Register. Typically, the agency receiving the shared information is responsible for completing the CMA package and submitting the artifacts for review (as well as ensuring publication in the Federal Register). However, if it is mutually agreed, the agency that is sharing the information can act in this capacity.
When do I need a CMA?
A CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individual’s federal benefits. The Privacy Office can assist you in confirming your need for a CMA and starting the process. Get in touch at: privacy@cms.hhs.gov.
How long does a CMA remain in effect?
There are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. Once a CMA is established, it’s valid for 12 months and can then be renewed for another 18 months — meaning that a CMA can technically cover the matching program for a total of 30 months. At that point the CMA can be re-established if the matching program is still needed.
How long does it take to complete or renew a CMA?
Establishing or re-establishing a CMA takes about 1 year from initial request to final sign-off. Renewing a CMA takes about 10 months from initial request to final sign-off.
If you compare this with the amount of time a CMA remains in effect (above), you’ll see that you need to start preparing for Renewal soon after your CMA is established. And you need to start preparing for Re-establishment soon after the renewal, if the matching program needs to continue.
How do I initiate a CMA?
First, review the information on this page to get familiar with the process for CMA Establishment, Renewal, and Re-establishment. Then, contact the Privacy Office to get started: privacy@cms.hhs.gov.
CMA establishment process
A CMA is established when CMS participates in a matching program with an initial effective period of 18 months.
The process for CMA Establishment is described below. (The process is the same for CMA Re-establishment.) Establishing or re-establishing a CMA takes about 1 year from initial request to final sign-off.
1. Checklist & prep
Estimated time to complete: 7 - 10 business days
- Business Owner reviews the CMA Checklist to get familiar with the needed artifacts and what to expect from the process
- Business Owner gathers materials and information that will be needed to complete CMA artifacts (such as the Cost-Benefit Analysis)
2. Intake & kickoff
Estimated time to complete: 10 - 15 business days
- Business Owner contacts the Privacy Office to request a CMA Establishment or Re-establishment
- Privacy Office validates the need for a CMA and schedules a kickoff meeting with the Business Owner
- Privacy Office and Business Owner conduct a review of the CMA requirements and the artifacts that will be needed
3. Drafting & internal review
Estimated time to complete: 40 business days
- Business Owner collaborates with Privacy Office to draft the CMA (working from the CMA template provided by the Privacy Office). Artifacts include the CMA Establishment or Re-establishment document and the Cost-Benefit Analysis.
- Business Owner coordinates internal stakeholder review of the CMA draft and incorporates any feedback
4. External review
Estimated time to complete: 40 business days
- Business Owner provides CMA draft to external stakeholders for review
- Once feedback is received and incorporated, Business Owner returns the CMA draft to the Privacy Office
5. HHS Privacy Act Officer review
Estimated time to complete: 40 business days
- Privacy Office submits the CMA to HHS Privacy Act Officer (PAO) for review
- Privacy Office works with the Business Owner and the external party to address comments from the HHS PAO
- CMA document is finalized
6. Sign-off
Estimated time to complete: 75 business days
- Privacy Office submits CMA to Business Owner for sign-off by Program Officials
- Privacy Office obtains signature from CMS Senior Official for Privacy (SOP)
- Privacy Office sends CMA to external parties for sign-off
- Privacy Office sends CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB
- Note: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.
- CMA is returned to the CMS Privacy Office once all signatures are obtained
7. OMB & Congress review
Estimated time to complete: 30 business days
- Recipient agency (who is receiving the data) sends the signed CMA to the Office of Management and Budget (OMB) and Congress for a 30-day review period
- Recipient agency also sends letters of notification to the Office of Management and Budget (OMB) and Congress (these are called Transmittal Letters)
8. Federal Register publication
Estimated time to complete: 30 business days
- Recipient agency (who is receiving the data) submits notice for publication in Federal Register
- The CMA becomes effective after 30 days of being available for public review and comment in the Federal Register
9. Distribution / completion
Estimated time to complete: 30 business days
- Party requesting match notifies all parties of the CMA effective date (the CMA will be effective for 18 months, with an option to renew for another 12 months)
- CMS accessibility team conducts review on the CMA to ensure 508 compliance
- HHS Privacy Act Official posts the approved, 508-compliant CMA and Federal Register notice on the HHS website
- Privacy Office uploads final CMA to SharePoint site
CMA renewal process
An existing CMA (after being established or re-established) can be renewed with a 12-month extension. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement. The process for CMA Renewal is similar to CMA Establishment or Re-establishment, with some differences:
- There is a separate template for CMA Renewal.
- Cost-Benefit Analysis (CBA) is not required.
- HHS review and comment on the CMA Renewal draft is not required.
- CMA Renewal requires approval and signature by the Data Integrity Board (DIB) Chairperson, but does not require a vote by the DIB.
- Notice to OMB and Congress and publication in the Federal Register are not required.
The complete process for CMA Renewal is described below. Renewing a CMA takes about 10 months from initial request to final sign-off.
1. Intake and kickoff
Estimated time to complete: 25 business days
- Typically, the Privacy Office contacts the Business Owner to let them know the CMA will need to be renewed if the matching program is to continue
- Kickoff meeting is scheduled to discuss the renewal process
- Privacy Office conducts a review to confirm there are no substantive changes to the existing matching program
2. Drafting & internal review
Estimated time to complete: 40 business days
- Business Owner collaborates with Privacy Office to draft the CMA Renewal document using the CMA Renewal Template
- Business Owner coordinates internal stakeholder review of the CMA Renewal draft
3. External review
Estimated time to complete: 55 business days
- Business Owner provides CMA Renewal draft to external stakeholders for review
- Once feedback is received and incorporated, Business Owner returns the draft to the Privacy Office
- Privacy Office works with Business Owner and external party to finalize the Renewal CMA
4. Sign-off
Estimated time to complete: 80 business days
- Privacy Office submits Renewal CMA to Business Owner for sign-off by Program Officials
- Privacy Office obtains signature from CMS Senior Official for Privacy (SOP)
- Privacy Office sends Renewal CMA to external parties for sign-off
- Privacy Office sends Renewal CMA to the HHS Data Integrity Board (DIB) for signature and approval, while the external agency submits the CMA to its respective DIB
- Note: The Renewal CMA can’t be submitted to the HHS DIB for signature unless the established CMA is within three months of expiring.
- Note: CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB.
- Renewal CMA is returned to the CMS Privacy Office once all signatures are obtained
5. Distribution / completion
Estimated time to complete: 10 business days
- Party requesting match notifies all parties of the Renewal CMA effective date (the Renewal CMA will be effective for 12 months, with an option to Re-establish the CMA after that)
- HHS Privacy Act Officer updates the CMA effective dates on the HHS website
- Privacy Office uploads Renewal CMA to SharePoint site
CMA re-establishment process
A CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program).
The CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. The process for CMA Re-establishment is the same as for CMA Establishment.
CMA checklist
Checklist for Business Owners to review when preparing for a CMA
Establishing or re-establishing a CMA requires a complete package to be developed and submitted to the Office of Management and Budget (OMB) and Congress. At CMS, much of this process is handled by the Privacy Office, but collaboration with the Business Owner is required to complete the initial documents.
Business Owners should review this checklist before contacting the Privacy Office to start the CMA process. Gather any data or documents in advance that will be helpful in completing the following artifacts, which are required for CMA Establishment or Re-establishment.
Computer Matching Agreement (CMA) document
What it is:
The CMA document describes all aspects of the proposed computer matching program. The document is developed using the CMS Computer Matching Agreement Template, which aligns with the guidance for Computer Matching Agreements published by HHS (PDF link).
The Privacy Office and the Business Owner work together to complete the template and develop the CMA document. Ahead of time, the Business Owner should look over the guidance from HHS (linked above) and start compiling information that will be used to complete the following sections of the CMA document:
Purpose
What it is:
The start of the CMA document requires a description of why the matching program is needed and how the matching data will be used. Additionally, the first section of the CMA requires a listing of:
- Source agency (the agency disclosing the records that will be used)
- Recipient agency (the agency receiving the records to be used)
- Which agency will publish the matching program in the Federal Register
- The name/designation and/or component(s) responsible for the matching activity (for example, "The responsible NIH component for the match is the National Cancer Institute (NCI).")
Business Owner responsibility:
Before working with the Privacy Office to draft the CMA, Business Owners should write a statement that describes in detail:
- Why the matching program is being proposed
- All purposes and uses for the match data
- Purpose of all matching activities between all agencies involved (there may be more than one matching activity covered in the agreement)
The more complete your statement is, the less likely you will need amendments or new approvals after establishing the CMA.
Legal authorities
What it is:
This section of the matching agreement cites any specific federal or state statute or regulatory basis for the operation of the matching program. Keep in mind:
- If no specific statute or regulation addresses the use of information to be obtained in the match, general program authorities that permit the matching activities may be cited instead.
- Citations to the Privacy Act should not be included, as it doesn’t provide independent authority to conduct a match. However, the routine use section of the Privacy Act, 5 U.S.C. 552a(b)(3) can be cited as authority where appropriate.
- Questions on appropriateness of selected legal authority should be directed to your program attorney in the Office of General Counsel (OGC).
Business Owner responsibility:
Before working with the Privacy Office to draft the CMA, Business Owners should write a statement listing the legal authority for their proposed matching program. The text below is for example purposes only:
This agreement provides for information matching necessary to implement the information provisions of section 6103(l)(12) of the Internal Revenue Code (IRC) (25 U.S.C. § 6103(l)(12)) and section 1862(b)(5) of the Social Security Act (42 U.S.C. § 1395y(b)(5)). The legal authority for the disclosure of IRS and SSA data under this agreement is found at section 1106 of the Social Security Act (42 U.S.C. § 1306) and in routine uses published in relevant IRS and SSA SORNs pursuant to 5 U.S.C. § 552a(b)(3).
Terms and definitions
What it is:
For clarity and shared understanding among the parties participating in the agreement, the CMA includes a list of definitions of terms relative to the proposed matching program. Some of these are common terms at CMS (for example, terms like “breach”, “incident”, “Medicaid”, and “PII”). There will likely be other terms specific to the systems, data, and operations of the proposed matching program.
Business Owner responsibility:
Before working with the Privacy Office to draft the CMA, Business Owners should complete a list of terms related to their proposed matching program. The Privacy Office will provide the terms and definitions that are commonly used at CMS.
Cost-Benefit Analysis (CBA)
What it is:
The CBA analyzes the benefits and costs of a matching program. This helps prove that the proposed matching program is an effective use of federal resources. The cost-benefit analysis is included as an attachment in the final CMA package. The cost-benefit analysis is required for CMA Establishment and Re-establishment, but not for CMA Renewal.
Note that a CBA is only one of several factors affecting the decision to approve a matching program. Sometimes the cost-benefit analysis is waived due to statutory exception, lack of reliable data, or other factors. In those cases, the Computer Matching Agreement still includes a section for justifying the matching program and summarizing the anticipated results.
Business Owner responsibility:
Business Owners should review the CMA guidelines provided by HHS (PDF link), including the detailed instructions on how to prepare a cost-benefit analysis. Consider and document the resources that will be required to manage the matching program (such as IT costs, pay rates, etc.). Also document the anticipated benefits of the matching program (cost savings, increased efficiency, better service to beneficiaries, etc.).
The cost-benefit analysis follows a template that includes the following elements and sub-elements. All of them must be mentioned by name in the CBA, even if only to note that certain parts are not applicable to the specific program.
Identify:
Costs (for all stages and all major activities):
- Key element 1: Personnel Costs
  - For agencies (source agency, recipient agencies, and justice agencies)
  - For clients
  - For third parties
  - For the general public
- Key element 2: Agencies Computer Costs
  - For agencies (source agency, recipient agencies, and justice agencies)
Benefits:
- Key element 3: Avoidance of future improper payments
  - To agencies (source agency, recipient agencies, and justice agencies)
  - To clients
  - To the general public
- Key element 4: Recovery of improper payments and debts
  - To agencies (source agency, recipient agencies, and justice agencies)
  - To clients
  - To the general public
Records description
What it is:
This part of the CMA describes the records that will be shared between agencies for the matching program, and states that the records will be protected in accordance with the Privacy Act and other applicable laws.
Who has responsibilities:
The Privacy Office works with the Business Owner to fill out the following sections about records. It is useful for the Business Owner to be prepared with information specific to the matching program (such as the number of records involved, or the specific data elements that will be used).
- Systems of Records: For both agencies participating in the matching program (both CMS and the partner agency), a System of Records Notice (SORN) must be listed that authorizes the disclosure of identifying information about individuals as part of the matching program.
- Number of records involved: Describe the volume of data that will be involved in the matching program (for example, number of cases or number of individual records). If agencies are exchanging data, both agencies need to include this information. A table may be useful for visualization of large datasets.
- Specified data elements used in the match: Provide the specific data elements that will be used for the matching program. The data elements can be from either agency participating in the program. They can be included in a separate document as an attachment or listed within the CMA document.
- For example: “Attachment 2, ‘SSA Finder File,’ and Attachment 3, ‘CMS LTC/MDS Response File,’ contain the data elements used in this computer matching program.”
- Frequency of data exchanges: Explain how often data will be exchanged between agencies for the duration of the matching program.
- For example: “CMS will provide SSA with a finder file on a monthly basis. SSA will submit its response file to CMS no later than 21 days after receipt of the CMS finder file.”
Besides the requirements listed above, the CMA template contains various other sections that the Privacy Office can assist with filling out. These include security procedures, verification and disposition of records, restrictions on how the records can be used, and other information required for Computer Matching Agreements.
Privacy Office responsibilities
In addition to working with the Business Owner on the Computer Matching Agreement document, the Privacy Office is responsible for several artifacts that are submitted as part of the CMA package:
Narrative statement
The narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report without restating information provided in those materials. The Privacy Office drafts the Narrative Statement and includes it in the CMA package.
Federal Register matching notice
The matching notice describes the matching program for publication in the Federal Register. This is submitted by whichever agency is requesting the matching program. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program.
HHS transmittal letters (House, Senate, OMB)
As described in the process for CMA Establishment and Re-establishment, Congress and OMB must be notified of the matching program. This is the responsibility of the recipient agency (the agency receiving the data).
If CMS is the recipient agency, this step is done by the Privacy Office.
- The letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform.
- The letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs.
- The letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB.