Data Sharing Agreements

Computer Matching Agreements (CMAs)

A Computer Matching Agreement (CMA) is the form of agreement required when using Privacy Act records (records about individuals retrieved by personal identifier) to conduct matching activity with another federal agency or a state agency that falls within the Privacy Act’s “matching program” definition.  For access to HHS CMAs, visit HHS CMA website.

Information Exchange Agreements (IEAs)

An Information Exchange Agreement (IEA) is used when CMS discloses Personally Identifiable Information (PII) or other types of information requiring confidentiality protection to another HHS Operating Division (OpDiv), another federal agency, or a state agency (unless a Computer Matching Agreement (CMA) is required). The IEA states the terms and conditions for the data exchange between CMS and the other party, including the privacy and security safeguards to ensure that the information is protected.  

An IEA is required when exchanging information with outside agencies. It is similar to an Interconnection Security Agreement (ISA) but does not include technical details and specific boundaries of the system. An ISA may be required in addition to an IEA, depending on the method used to transfer data.