Privacy

Effective January 1, 2012, all Data Use Agreements (DUA) requests must be submitted to CMS via e-mail with any required documentation signed and attached to the e-mail.  This includes all requests for new DUAs, changes to the Requestor/Custodian(s), updates to the files included in the DUA, and DUA extension and closure requests.  The signed and scanned documentation must be attached to the e-mails as .pdf .jpg .tif or bitmap images. Requests which require initial processing via ResDAC must still be submitted to ResDAC

Previous changes to CMS DUA policy and procedures, use the link to the left for What's New.

ResDAC (Researcher Data Assistance Center) is a CMS contractor that provides free assistance to anyone interested in using Medicare and/or Medicaid data for their project/study. All requests from Providers and Researchers must be submitted via ResDAC for submission to CMS. Contact ResDAC via:

• e-mail ResDAC@umn.edu
• toll-free 1-888-973-7322
• on-line www.ResDAC.org

Expired DUAs -- any organization requesting CMS data that has an EXPIRED CMS DUAs will not receive authorization to obtain any new data until their expired DUA has been resolved. See the link to the left for DUA Extensions and Closures.

The "Privacy" web pages provide the processes for requesting CMS data that contains PII and that is protected by the Privacy Act of 1974 and/or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and which is releasable to:

            1. Oversight Agencies 

            2. Federal Agencies (and their Contractors)

            3. State Agencies

            4. Providers

            5. Researchers (Academic Institutions/Private Sector)

CMS policy regarding the use of Medicare and Medicaid data is to maximize the amount of data that is available while assuring adherence to data security requirements that protect the interests of our Medicare and Medicaid beneficiaries and individual physicians.  See the links on the left side menu for the most commonly requested types of data:

            1. Limited Data Sets (LDS)

            2. Disproportionate Share Hospital (DSH) Rate Data

            3. Identifiable Data

            4. Eligibility Database (EDB) Customized State File

            5. Long Term Care Minimum Data Set (LTCMDS)

            6. Outcome and Assessment Information Set (OASIS)  

Security Incidents - Known or suspected security incidents involving CMS data must be reported immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to CMS_IT_Service_Desk@cms.hhs.gov.  Even if you are not positive, but only suspect that it might be a security incident, you must still submit a report and allow the experts to determine whether or not it is a security incident.  Any suspected loss or unauthorized disclosure of CMS data protected by the Privacy Act must be reported immediately.  For additional information, refer to the "Privacy Act Implementation & Breach Notification Policy".