Skip to Main Content


Refer to our "What's New" page regarding the use of digital signatures on DUA forms.   

Effective June 1, 2012, all DUA request submissions must follow the e-mail Subject line instructions located on the DUA-Forms page (use the link in the left hand menu).

Effective July 1, 2011, CMS implemented the Data Privacy Safeguard Program (DPSP).  The DPSP will affect any requests for CMS data from Providers and Researchers.  The DPSP reflects CMS' priorities to both improve data stewardship and protect CMS data containing Personally Identifiable Information (PII).  The DPSP consists of two main components, the first being a revised Data Management Plan which is part of the Executive Summary. The second component of the DPSP is for CMS to conduct a number of ongoing remote and on-site reviews. External organizations that are selected for reviews will be notified in advance. Selection of sites for review will be based on such factors as the scope and use of the data as described in the Data Management Plan.  Use the link below for ResDAC.

The criteria for the release of CMS Medicare and/or Medicaid data to researchers is:

1.  All requests, except as listed below, must be e-mailed to the Research Data Assistance Center (ResDAC) for initial review to  Once your data request has been reviewed by ResDAC and applicable changes made, your final documents will be submitted to CMS for you by ResDAC.  The only exceptions are for:

            a.  Limited Data Sets (LDS),

            b.  Disproportionate Share Hospital (DSH) Rate Data,

            c.  State Agencies requesting

                        (i)  Outcome and Assessment Information Set (OASIS),

                        (ii)  Long-Term Care Minimum Data Set (LTCMDS),

                        (iii)  Eligibility Database (EDB) Customized State Files, or

    (iv)  CMS sponsored programs for the States.

2.  Only CMS data that is authorized for disclosure under the Privacy Act of 1974 and has been published as a System of Records (SOR) notice in the Federal Register will be available for release. The Privacy Act of 1974 and the published SOR notice are CMS' legal authorization to release the data and these legal requirements protect the confidentiality of individually identifiable data.

3.  The research protocol outlines a strong research design, which clearly states the objectives and the significance of the study, and provides a credible, straightforward argument for the importance of the project. The research protocol shall address the following areas: hypotheses/study issues, data limitations, data management (describe in detail the measures that will be implemented to safeguard the data and protect the privacy of CMS beneficiaries), analysis plan, analysis methods, description of the tasks, time schedule, and the qualifications of key staff.

4.  The scope and subject matter of the project must assist CMS in monitoring, managing, and improving the Medicare and Medicaid programs or the services provided to beneficiaries. CMS must balance the potential risk to beneficiary confidentiality with the probable benefits gained from the completed research.

5.  The requestor must demonstrate their expertise and experience to conduct and complete the study.

6.  The requestor must sign a CMS Data Use Agreement (DUA). Additionally, the DUA requires the requestor to obtain permission before attempting to link any other data files to CMS databases. The specific inclusion of an intention to link other data files to CMS data in a study protocol approved by CMS is considered approval from CMS. Finally, the CMS DUA also defines the process that must be followed for the destruction of the data at the conclusion of the project/study.

7.  Unless a researcher is receiving data under the innovator research program, a researcher cannot use CMS data to create a product or tool that a researcher intends to market.

8.  The User agrees not to disclose direct findings, listings, or information derived from the file(s) specified in section 5 of the DUA, with or without direct identifiers, if such findings, listings, or information can, by themselves or in combination with other data, be used to deduce an individual's identity. Examples of such data elements include, but are not limited to geographic location, age if > 89, sex, diagnosis and procedure, admission/discharge date(s), or date of death. 

9.  The User agrees that any use of CMS data in the creation of any document (manuscript, table, chart, study, report, etc.) concerning the purpose specified in section 4 of the DUA (regardless of whether the report or other writing expressly refers to such purpose, to CMS, or to the files specified in section 5 of the DUA or any data derived from such files) must adhere to CMS' current cell size suppression policy. This policy stipulates that no cell (e.g. admissions, discharges, patients, services) 10 or less may be displayed. Also, no use of percentages or other mathematical formulas may be used if they result in the display of a cell 10 or less. The users agrees by signing the DUA that they will agree to abide by these rules and, therefore, will not be required to submit any written documents for CMS review. If a user is unsure if they meet the above criteria, they may submit your written products for CMS review as an attachment to an e-mail sent to CMS will make a determination about approval and to notify the user via e-mail within 4 to 6 weeks after receipt of the document. CMS may withhold approval for publication only if it determines that the format in which data are presented may result in identification of individual beneficiaries.

10.  Researchers must contact the ResDAC for free assistance in requesting CMS data.  Requests submitted directly to CMS will not be accepted.  Contact ResDAC via: