DUA - Federal Contracts-Grants
NOTE: All DUAs which are sponsored by a federal agency, (i.e. all Federal, CMS and non-CMS, contractors and grantees) must submit all requests for DUA actions through their federal sponsor, specifically their Contracting Officer Representative (COR), Government Task Lead (GTL) or Project Officer (PO), prior to submission to DataUseAgreement@cms.hhs.gov for processing.
Effective June 1, 2012, all DUA request submissions must follow the e-mail Subject line instructions below.
Responsibilities of the COR/GTL/PO
- Contractors/grantees are performing work on behalf of the federal government and therefore shall follow all CMS information security and privacy policies
- All required documentation and procedures are followed for their contractor to gain access to CMS data
- Contractors/grantees are only approved to access the minimum data necessary to perform the functions of their contract/grant
- At the end of the contract, all CMS data is returned or destroyed as required by the Data Use Agreement (DUA)
Federal Agency Contractors and Grantees - the initial request for a DUA must be submitted through ResDAC (Researcher Data Assistance Center) a CMS contractor that provides free assistance to anyone interested in using Medicare and/or Medicaid data for their project/study. After the DUA is created, requests for changes to the DUA requesters, custodians, recipients, sub-contractors, extensions and changes to the federal contact must be routed through their federal Project Officer (PO) via e-mail for approval prior to being sent to CMS. Refer to the table below. For the initial DUA creation and updating of files in the DUA, contact ResDAC via:
Federal Agency and CMS Contractors and Grantees
All requests must originate with an e-mail from the contractor/grantee DUA Requester/Custodian to the COR/GTL/PO. Do NOT include the DataUseAgreement@cms.hhs.gov address in any e-mail being sent to the COR/GTL/PO.
The COR/GTL/PO shall forward the Requester/Custodian e-mail toDataUseAgreement@cms.hhs.gov stating their approval of the request.
Signing DUA forms - the COR/GTL/PO must sign the DUA forms as follows:
- DUA Form-0235, PO complete and sign Section 19 and CMS COR/GTL complete section 20 and sign section 20a with their manager completing Section 20b, and for CMS contracts the COR/GTL must secure the signature of all applicable Business Owner representatives for data being requested from their System of Records (SOR)
- DUA Addendum Form-0235a, sign in the "Signature of CMS Project Officer" section
- DUA Update Form-0235u, section 5 along with their manager and for CMS contracts the COR/GTL must secure the signature of all applicable Business Owner representatives for data being requested from their System of Records (SOR)
- DUA Certification of Disposition Form-10252 the COR/GTL/PO are no longer required to sign this form
The COR/GTL/PO must then scan and attachment to an e-mail and send to DataUseAgreement@cms.hhs.gov. The e-mail subject line must state:
|Request Type||Subject Line (do not include parenthesis)|
|New DUA||New DUA (contractor Organization)|
|Add files (DUA Update form) to existing DUA||DUA ##### Update|
|Requester change or add Custodian(s)/Recipient(s)||DUA ##### Addendum|
|Extension||DUA ##### Extension|
|Closure||DUA ##### Closure|
|Remove Custodian(s)/Recipient(s)||DUA ##### Remove contacts|
|Change federal contact||DUA ##### Federal contact change|
|Replace CMS contact on all currently open DUAs||CMS Contact (name) global replacement|
|Correct contact information||Contact (name) information update|
For requests that do not include a form, such as to remove contacts from a DUA, in the body of the e-mail state "request approved".
Data Extract System (DESY) and Integrated Data Repository (IDR) requests must be submitted via e-mail to DataUseAgreement@cms.hhs.gov by the COR/GTL. Provide the DUA #, User Id and name of individual requiring access. IDR requests must also state to which data description the individual is to be granted access.