CMS Information Exchange Agreement (IEA)

Business Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies

Contact: Privacy Office | privacy@cms.hhs.gov
CMS Slack Channel
  • #ispg-privacy-agreement-consults

What is an Information Exchange Agreement (IEA)?

The Privacy Act of 1974 established the Information Exchange Agreement (IEA). The IEA is a document used when CMS discloses Personally Identifiable Information (PII) to a Department of Health and Human Services (HHS) Operating Division (OpDiv), another federal agency, or a state agency. The IEA states the terms and conditions for the data exchange between CMS and the other party, including the privacy and security safeguards to ensure that the information is protected.  

An IEA is required when exchanging information with outside agencies. It is similar to an Interconnection Security Agreement (ISA) but does not include technical details and specific boundaries of the system. An ISA may be required in addition to an IEA, depending on the method used to transfer data. 

The CMS Privacy Office coordinates the development of an IEA with CMS Business Owners and the participating agency whose program activities involve data sharing. Active participation by those whose business operations have the legal authority to support data sharing is key to drafting an IEA. IEAs are signed by the CMS Program Official and the CMS Senior Official for Privacy. IEAs are valid for five years after they are initiated, and the Privacy Office works to renew required IEAs before they expire.

The Privacy Office can assist if you have specific questions about IEAs and provide you with the IEA Template.

IEA Frequently Asked Questions 

When do I need an IEA? 

An IEA is needed when CMS PII will be exchanged with another HHS OpDiv, or with a federal or state agency, and there is no adverse impact on an individual’s federal benefits. 

How long does it take to complete an IEA? 

An IEA takes approximately 8 months from initial request to final sign-off.

What is the role of the CMS Business Owner in developing an IEA? 

The Business Owner is responsible for drafting the IEA, including the purpose section (see the IEA template for more information). The Business Owner also coordinates with the external agency, any internal stakeholders, and CMS Privacy Staff. Finally, the Business Owner collects signatures from the appropriate program officials and the participating agency.

How do I initiate an IEA? 

Email privacy@cms.hhs.gov. CMS Privacy Staff will respond and set up a time to discuss your data exchange and walk through the process and materials for creating an IEA. 

What is the role of CMS Privacy Staff during the IEA process? 

CMS Privacy Staff will provide the Business Owner with the IEA template and additional guidance for developing the IEA. 

How long does an IEA remain in effect?

Depending on the business requirement(s), an IEA may be in effect from one to five years (not to exceed five years). 

Must a Data Use Agreement (DUA) always be accompanied by an IEA? 

In addition to the IEA, a DUA is usually created to track the data disclosure. Please contact datauseagreement@cms.hhs.gov for more details. 

Where can I find the CMS IEA Template? 

Please contact the Privacy Office to receive a copy of the IEA Template.