
CMS Data Use Agreement (DUA)

Defining how Protected Health Information (PHI) will be disclosed to organizations requesting data from CMS

Contact: Office of Enterprise Data & Analytics | datauseagreement@cms.hhs.gov

What is a Data Use Agreement (DUA)?

When requests for disclosures of protected health information (PHI) and/or personally identifiable information (PII) are made to CMS, a Data Use Agreement (DUA) is signed to ensure that data requesters adhere to CMS privacy and security requirements and data release policies.

CMS employs contractors to provide a wide range of services and makes data available to these contractors to support their assigned work. A DUA is used to create a traceable record of what data is being accessed by each CMS contractor. All CMS contractors requiring access to PHI/PII as well as their Contracting Officer Representatives (COR) must create and maintain their CMS DUA(s) through the Enterprise Privacy Policy Engine (EPPE).

There are three different categories of data files with different privacy levels. The privacy level of the data file determines whether a DUA is needed and defines the request process and the level of review required:

Identifiable Data Files (IDFs) — IDFs contain PHI and/or PII and are only available to certain stakeholders. Requests for IDFs require a DUA with CMS.

Limited Data Set (LDS) — LDS files also contain PHI, but they do not contain specific direct identifiers as defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. LDS files are only available for research use. Requests for LDS files require a DUA with CMS.

Public Use Files (PUFs) — PUFs (also called non-identifiable data files) do not contain information that could be used to identify individuals. In general, PUFs contain aggregate-level information. PUF requests do not require a DUA and are available on CMS websites (e.g., data.cms.gov).

For more information on data files, visit the Differences between RIF, LDS, and PUF Data Files site.

DUA Frequently Asked Questions

When do I need a DUA? 

When CMS data containing PII or PHI is being disclosed outside of the agency for research or contracted purposes, a DUA is required. This ensures adherence to CMS security and privacy policies. See the Data Disclosures and Data Use Agreements page on CMS.gov for more details.

Who completes DUAs?

Organizations (including CMS contractors) requesting protected data are required to complete a DUA before accessing any CMS data containing PHI or PII. See the Data Disclosures page to learn more.

How do I complete a DUA?

For Contractors: Contractors and Contracting Officer’s Representatives (COR) can access resources on the Data Disclosures and Data Use Agreements (DUA) Contractor page.

For Researchers: Researchers can begin their request process at https://resdac.org/

Public Use Files do not require a DUA and can be found on data.cms.gov.

Resources for Contractors and Contracting Officer’s Representatives

A contract is being renewed. Does the contractor need to close this DUA and open a new one?

If the contract is awarded to the same contractor, a new DUA is not required. The contract number and the contract end date can be updated on the DUA in EPPE. If the contract is awarded to a new contractor, the DUA will need to be closed and a new DUA created for the new contractor.

What's the difference between the Data Custodian and Data Requester roles?

The Data Custodian is the individual who will be responsible for ensuring that the environment in which the CMS data is stored complies with all applicable CMS data privacy and security requirements, including the establishment and maintenance of security arrangements to safeguard CMS data.  

The Data Requester is the individual authorized to sign agreements on behalf of the requesting organization. This person is often referred to as the ‘legal signatory’. This person accepts all terms and conditions in the DUA and attests that all the information contained in the request is accurate.

How long is a Contractor DUA valid at CMS?

Contractor DUAs are valid for one year and can be extended each year for the contract’s full period of performance.

How can I view my Contractor DUA?

To view your Contractor DUA, you must create an account in the Enterprise Privacy Policy Engine (EPPE) via the CMS Enterprise Portal. EPPE is the CMS system used to track disclosures of data containing Protected Health Information (PHI) or Personally Identifiable Information (PII).

You can find more information about registration and use at the EPPE page on CMS.gov.

Do I need a DUA or an Information Exchange Agreement (IEA)?

If you have specific questions about which agreement is appropriate, see the contacts below: