On March 20, 2014, the Appendix J Privacy Controls slide presentation was presented at the Security Center of Excellence (SCOE) meeting.  The draft version of the Risk Management Handbook (RMH) for Privacy was last updated on April 2, 2014.  More information on the CMS implementation of the Appendix J Privacy Controls will be published on this website as it becomes available.

Refer to our "What's New" page regarding the use of digital signatures on DUA forms.  

Welcome to CMS' Senior Official for Privacy (SOP) website

The CMS Senior Official for Privacy website, hereafter referred to as the CMS Privacy Office, disseminates CMS privacy policy and guidance.  On this site, you will find links to all CMS privacy policies, standards, procedures, and guidelines as well as privacy training and complete instructions on reporting a suspected security incident.  

CMS Privacy Office - Mission Statement

We ensure privacy protections are afforded to all beneficiaries of CMS programs by developing and applying privacy policies that comply with law and regulations and are integrated and implemented within the operations of all CMS programs.


  • Coordinate CMS privacy-related activities
  • Comply with Federal privacy laws and regulations
  • Develop CMS privacy policy and procedures
  • Develop CMS privacy awareness training and education
  • Communicate evolving Federal, OMB, and DHHS privacy requirements to CMS staff
  • Report on CMS privacy compliance

Key Privacy Areas of Interest at CMS:

  • Agency Privacy Management per FISMA, OMB and DHHS requirements 
  • Overview and Requirements
  • Privacy Policy and Guidance
  • Privacy Act Implementation
    • Systems of Records (SOR)
    • Data Use Agreements (DUA)
    • Computer Matching Agreements (CMA)
  • Assignment of Privacy Responsibilities 
  • Privacy Impact Assessments (PIAs)
  • Web Privacy
  • Incident Breach Response
  • Privacy Training Resources

Please review our "What's New" page to find recently changed policies, procedures and news events.

Security Incidents - Known or suspected security incidents involving CMS data must be reported immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to  Even if you are not positive, but only suspect that it might be a security incident, you must still submit a report and allow the experts to determine whether or not it is a security incident.  Any suspected loss or unauthorized disclosure of CMS data protected by the Privacy Act must be reported immediately.  For additional information, refer to the "Privacy Act Implementation & Breach Notification Policy".