Skip to Main Content

Data Privacy and Release

This page contains information about the protection of MDS data privacy and confidentiality.

System of Record

A "Notice of New System of Records" was published on February 13, 2002 in the Federal Register. This System of Records is entitled "Long Term Care Minimum Data Set (LTC MDS) and includes:

  • The purpose(s) of the system;
  • Routine use of records maintained in the system, including categories of users and the purposes of such uses;
  • Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system;
  • Safeguards.

Please refer to the February 13, 2002 Federal Register as the repository of the "official" Notice of New System of Records for the Long-Term Care MDS. See Downloads to view the document published in the Federal Register.

Users should read the Privacy Act Statement for information on releasing of MDS data.  See Downloads to view the Privacy Act Statement.

Important Information for Long Term Care Providers
about Contractual Agreements Involving MDS Data

While the requirement to automate MDS data introduces a new method for information transmission and storage, it does not change the fundamental requirements that Long Term Care (LTC) providers must currently employ to protect resident information in hardcopy format: electronic information about individuals should be protected to the same extent that hard copy information is protected. Providers should keep this caveat in mind when entering contractual agreements that involve the MDS data.

MDS data are considered to be a part of the resident's clinical record, and as such, are protected from improper disclosure by facilities under the 42 CFR 483.10(e). Facilities are required to keep confidential all information contained in the resident's record and to maintain safeguards against the unauthorized use of resident clinical information, regardless of storage method. By regulation, release of information from the residents clinical record is permissible only when required by:

  1. by transfer to another health care institution,
  2. by law, (both State and federal)
  3. by the resident.

A facility may not release resident identifiable information to the public. Providers, who are part of a chain, may release data to their corporate office or parent company but not to other providers within their chain. The parent company is required to "act" in the same manner as the facility and permitted to use data only to the extent the facility is permitted to do so (as described above).

Resident Identifiable Data

A facility may not release resident identifiable information to the public. Stripping obvious demographic identifiers (name, birth date, CMS number) from records does not necessarily insure record anonymity. The large number of items that comprise the MDS greatly increases the likelihood for the creation of a subset of semi-identifiers that would render a record identifiable, especially when the aggregates for a particular cell yield fewer than 10 observations. Providers pursuing the release of aggregate data must insure it is not resident identifiable. Providers can contact CMS for further guidance regarding the release of aggregate data.

Contractual Agreements

The release of data by a facility to another person or entity (e.g. physical therapist, occupational therapist, software vendors) under contract and who has a need to know the MDS information in order to develop plans of care and/or handle MDS data for administrative reasons, such as for transmission to the State repository or to develop quality indicator reports for the facility, requires the agent to "act" in the same manner as the facility. Agents under contract must therefore adhere to requirements of 42 CFR 483.10(e).

In the case where a facility submits MDS data to the State through a contractor or through its corporate office, the contractor or corporate office has the same rights and restrictions as the facility does under the regulations with respect to maintaining resident data, keeping such data confidential, and making disclosures of such data. This means that a contractor may maintain a database but may not use the data in a manner in which the facility itself would be prohibited from using it. Moreover, the fact that there may have been a change of ownership of a facility that has been transferring data through a contractor should not alter the contractor's rights and responsibilities; presumably, the new owner has assumed existing contractual rights and obligations, including those under the contract for submitting MDS information.

All contractual, regardless of their type, agreements involving the MDS data should not violate the requirements of participation in the Medicare and/or Medicaid program or any applicable State laws.