CMS Computer Matching Agreement (CMA)

What is a Computer Matching Agreement (CMA)?

A Computer Matching Agreement (CMA) is a written agreement establishing the conditions, safeguards, and procedures under which a federal agency agrees to disclose data with another federal or state agency.  

The Computer Matching and Privacy Protection Act of 1988 requires agencies engaged in computer matching activities to provide notice to individuals if their information is being computer matched with information held by other federal and state agencies. This allows individuals the opportunity to refute adverse information before having a benefit denied or terminated. 

The Department of Health and Human Services (HHS) maintains an online database of all current CMS Computer Matching Agreements (CMAs). 

CMAs at CMS

The Privacy Office at ISPG works with federal and state agencies to create and renew CMAs on behalf of CMS. If you have any questions about a new or current CMA, contact the Privacy Office for assistance. 

There are three phases in the life cycle of CMAs: Establishment, Renewal, and Re-Establishment. A Computer Matching Agreement technically covers the matching program for a total of 30 months, which includes an initial 18-month Establishment CMA and the option for renewing the agreement for an additional 12 months. After this 30-month period the CMA may be re-established.

Computer Matching Agreement Establishment

A CMA is established when CMS participates in a matching program with an initial effective period of 18 months. The CMA Establishment requires that a Cost Benefit Analysis (CBA) be developed and approved by each federal agency’s Data Integrity Board (DIB). CMAs with state-level stakeholders are approved by HHS DIB and any relevant state-approving officials, because generally states do not have a DIB. Congress and OMB must be notified of the matching program. Lastly, the notice of the matching program requires publication in the Federal Register. The CMA becomes effective after the duration of a 30-day comment period in the Federal Register.

The CMA Establishment Template is required to create a new CMA. Contact the Privacy Office to receive a copy of the template to begin the process of creating a new CMA. 

Computer Matching Agreement Renewal

A CMA Renewal is a 12-month extension of the CMA Establishment or Re-establishment. A CMA Renewal requires parties to attest that (1) the matching program will continue without any significant changes and (2) the program has been conducted in compliance with the agreement.

The CMA Renewal requires approval and signature by the DIB Chairperson, but does not require a vote by the DIB. Also, notice to OMB and Congress and publication in the Federal Register are not required. More information on the CMA Renewal is found in the CMA Renewal Frequently Asked Questions as well as the workflow process. Click here to access the CMA Renewal Template. 

The CMA Renewal Template is required to create a new CMA. Contact the Privacy Office to receive a copy of the template to begin the process of renewing an existing CMA. 

Computer Matching Agreement Re-Establishment 

A CMA is re-established if the matching program continues past the 12-month CMA Renewal period, or if there are significant changes to the matching program (e.g., change in the authority to conduct the matching program or expansion of the categories of individuals whose records are used in the matching program). The CMA is re-established for a period of 18 months, and then may be renewed again for 12 months. 

Similar to the requirements for an Establishment CMA, CMA Re-establishments require development of a Cost Benefit Analysis (CBA), OMB and Congress notification, and publication of the notice in the Federal Register. After the 30-day comment period ends for the public to review the notice in the Federal Register, the agreement may become effective. More information on the CMA Re-Establishment is found in the CMA Frequently Asked Questions as well as the workflow process. 

The CMA Re-establishment Template is required to create a new CMA. Contact the Privacy Office to receive a copy of the template to begin the process of re-establishing your CMA.  

CMA process and artifacts

When finalizing a CMA, a complete package is required to be developed and submitted to the HHS DIB, and subsequently to OMB and Congress. After OMB and Congress reviews, a notice is published in the Federal Register for 30 days. Typically, the recipient agency is responsible for completing the CMA package and submitting the artifacts to OMB and Congress as well as publication in the Federal Register. However, if it is mutually agreed, the source agency can act in this capacity. 

The following artifacts are required for an 18-month Establishment or Re-establishment CMA: 

1. Computer Matching Agreement (CMA) 

The agreement follows a template outlined in OMB Circular A-108. 

2. Cost Benefit Analysis (CBA) 

The CBA assesses and analyzes the benefits and costs of a matching program. The CBA serves as an attachment to be included within the agreement and is required for the 18-month Establishment or Re-establishment of the matching program. The Renewal of the matching program for 12 months does not require a CBA to be included. 

3. Narrative Statement 

The narrative statement provides a brief overview of the proposed matching program, by referring to other materials in the report without restating information provided in those materials. 

4. Federal Register Matching Notice 

The matching notice describes the matching program for publication in the Federal Register. The Privacy Act requires the agency to notify the public by publishing a notice in the Federal Register of the establishment or alteration of a computer matching program. 

5. HHS Transmittal Letters (House, Senate, OMB) 

The letter to the House of Representatives is based on the transmittal letter template and is addressed to the Chairman for the Committee on Oversight and Government Reform. The letter to the Senate is based on the transmittal letter template and is addressed to the Chairman for the Committee on Homeland Security and Governmental Affairs. 

The letter to the OMB is based on the transmittal letter template and is addressed to the Administrator of the Office of Information and Regulatory Affairs within OMB. 

CMA Frequently Asked Questions 

When do I need a CMA? 

A CMA is needed when CMS data will be compared with data from another federal agency or a state agency, and the results of the comparison may adversely impact an individual’s federal benefits. 

How long does it take to complete a CMA? 

A new CMA, Establishment or a Re-establishment, both take approximately one year from initial request to final sign off. 

What is the role of the CMS Business Owner in developing a CMA? 

The Business Owner is responsible for drafting the CMA, including the purpose section (see the CMA Template for more information). The Business Owner also coordinates with the external Centers for Medicare & Medicaid Services Computer Matching Agreement (CMA) agency, any internal stakeholders, and CMS Privacy Staff. Finally, the Business Owner collects signatures from the appropriate program officials and participating agency. 

Who do I contact to initiate a CMA? 

Email the Privacy Office: privacy@cms.hhs.gov. CMS Privacy Staff will respond and set up a time to discuss your matching program and walk through the process and materials for creating a CMA. 

What is the role of the CMS Privacy Staff during the CMA process?

CMS Privacy Staff provides the CMA template and any additional guidance to the Business Owner for developing the CMA. 

How long does a CMA remain in effect? 

A CMA expires at 18 months, and may be renewed for an additional 12 months. 

Where can I find the CMA Template? 

Contact the Privacy Office to access the CMA Template.

How long does it take to complete a CMA Renewal? 

A CMA Renewal takes approximately 10 months from initial request to final sign off. 

What is the role of the CMS Business Owner in developing a CMA Renewal? 

The Business Owner is responsible for drafting the CMA Renewal (see the CMA Renewal template for more information). The Business Owner also coordinates with the external agency, any internal stakeholders, and CMS Privacy Staff. Finally, the Business Owner collects signatures from the appropriate program officials and participating agency. 

Who do I contact to initiate a CMA Renewal? 

Email the Privacy Office: privacy@cms.hhs.gov. CMS Privacy Staff will respond and set up a time to discuss your existing matching program and walk through the process and materials for creating a CMA Renewal. 

What is the role of the CMS Privacy Staff during the CMA Renewal process? 

CMS Privacy Staff provides the CMA template and any additional guidance to the Business Owner for developing the CMA Renewal. 

How long does a CMA Renewal remain in effect? 

A CMA Renewal lasts for 12 months. If the parties agree to continue the matching program after the renewal period, a CMA Re-establishment will be needed to maintain the matching program.

Where can I find current CMAs?

CMAs are uploaded and stored within CFACTS under the Security Tab. 

How do CMAs relate to Privacy Impact Assessments (PIAs)?

The Privacy Impact Assessment (PIA) is a critical part of the ATO process. If a CMA exists for a system, it must be included in the PIA.