Skip to Main Content

What's New

Enterprise Privacy Policy Engine (EPPE) - see the link in the left-hand navigation menu

Although some of the DUA forms have been updated to allow for the usage of digital signatures, CMS is currently not accepting digital signatures on DUA forms.  We will post a notice on this website when digital signatures will be allowed on DUA forms.  

Effective January 1, 2015, CMS will no longer accept DUA Certificates of Disposition (COD) forms from anyone other than the DUA Requestor as currently listed in the CMS DUA database.  When the DUA Requestor is unable to provide the signed COD form, a Custodian listed on the DUA may submit the COD form.  The following request for exception statement must be included in the email that is submitted with the COD form.

     The current DUA Requestor for the DUA listed on the attached Certificate of Disposition (COD) form is no longer available to submit this COD form.  I am submitting this COD form on behalf of the Requestor's organization.  My full contact information is:

     Name - 

     Organization - 

     Title -

     Phone -

     Email -

Effective April 9, 2014 CMS is no longer encrypting physician identifiers, e.g., National Provider Identifiers (NPIs), on the Standard Analytical Files (SAFs).  All new SAF files for 2012 data and later, will include the NPI rather than an encrypted physician identifier.  Researchers who have already purchased SAFs and have an active Data Use Agreement (DUA) with CMS may request a crosswalk linking encrypted physician identifiers to NPIs/Unique Physician Identification Number (UPINs).  For more information on how to request the crosswalk visit the DUAs – Limited Data Set (LDS).

Data Use Agreement (DUA) Training  test your connection to the webinar site here

Anytime Webinars Slide Presentation
New DUA Expiration Policy (7:40 minutes) Expiration Policy (.pdf - 83 kb)
DUA Extension Requests (12:46 minutes) DUA Extensions (.pdf - 160 kb)
DUA Closure Requests (11:32 minutes) DUA Closures (.pdf - 384 kb)

Effective January 1, 2012, all requests for DUA actions must be submitted via e-mail to DataUseAgreement@cms.hhs.gov with any required documentation signed, scanned (.pdf, .jpg, .tif or .bmp images) and attached to the e-mail.  Hardcopy requests will no longer be accepted.  Federal agencies, federal grantees and CMS contractors, please follow the directions as provided on the DUA - Federal Contracts-Grants page.  States must route their e-mail through their appropriate CMS Regional Office, except for research studies.  CMS will not accept requests which have been uploaded and encrypted to a third-party vendor site.  Your organization's information technology (IT) support services may assistance you with encrypting your files containing signatures.  

Effective October 1, 2011, the CMS policy for DUA expiration dates has changed.  CMS has determined that in response to the ever increasing cyber attacks against computer systems/networks operated by the Federal government as well as the private sector, CMS is refining and further restricting our policy for the retention of CMS data via a DUA.  DUAs will expire every 365 days.   

Expired DUAs -- any organization requesting CMS data that has an EXPIRED CMS DUA will not receive authorization to obtain any new data until their expired DUA has been resolved. See the link to the left for DUA Extensions and Closures.

Effective July 1, 2011, CMS implemented the Data Privacy Safeguard Program (DPSP).  The DPSP will affect any requests for CMS data from Researchers.  The DPSP reflects CMS' priorities to both improve data stewardship and protect CMS data containing personally identifiable information (PII).  Contact ResDAC for further information.

Effective May 1, 2011, CMS implemented a nominal administrative fee of $600.00 for all new Limited Data Set (LDS) reuse or re-release DUAs.  See the DUA page for requesting LDS DUAs.

Effective January 1, 2011, CMS will now accept submission of documentation for DUAs via e-mail.

Effective March 1, 2010, CMS is requiring all payments for CMS data files to be submit via www.Pay.gov.  Pay.gov was developed for making secure electronic payments to Federal Government Agencies.  If payment for your data is required, after your DUA has been processed, you will receive instructions for making your payment using Pay.gov.

Effective January 1, 2009, CMS data Reuse Policies changed. This policy only applies to files with PII.  Many researchers request permission to reuse CMS data from one study to another.  Due to security issues, CMS no longer permits a Researcher to reuse data originally acquired by another organization (cross-institutional reuse).