Skip to Main Content

Enterprise Privacy Policy Engine (EPPE)

What is EPPE?

EPPE is a system that tracks disclosures of CMS data.

What types of disclosures are tracked in EPPE?

EPPE tracks the following types of disclosures:

  • Contractor DUAs
  • Researcher DUAs
  • Limited Data Sets (LDS)
  • Non-DUA Tracking Requests

What is the goal of EPPE?

The goal of EPPE is to standardize and automate the process to track disclosures of CMS data, including the process to establish a new CMS DUA or modify an existing DUA. As a result, the objective of the EPPE system is to transition from the current paper-based system to EPPE, an electronic information system designed to facilitate the DUA process and provide a traceable record of CMS data disclosures.  Part of this transition is the adoption of Remote Identity Proofing (RIDP) and Multi-Factor Authentication (MFA) services to verify the identity of anyone requesting access to the EPPE system.  This transition will help improve CMS’ ability to reduce fraud and ensure system security.

Who should be using EPPE to submit DUA actions?

At this time only CMS CORs and contractors associated with the EPPE Contractor Workflow Pilot should be using EPPE to submit DUA actions. Participants in the pilot have already taken EPPE training and have received notification of the approval of their EPPE role.

NEW Contractor Workflow Pilot

CMS recently launched the Contractor DUA Workflow to members of the Contractor Workflow Pilot. For participants in the pilot, this changes the process for submitting actions associated with Contractor DUAs. Pilot participants may now access the EPPE system to request updates, extensions, and closures to existing DUAs as well as request new DUAs. Please check with your COR to ensure that they are registered in EPPE.

Please note: The process for submitting changes to LDS, Researcher, and Contractor DUAs not a part of the pilot remains unchanged, follow the instructions outlined on the Privacy web pages at

Contractor Workflow Training Materials

Below are the slide decks for Contractors to learn how to create, update, extend and close DUAs. Requesters may also manage access to EPPE and assign a proxy to create and update DUAs on their behalf.

NOTE:  Training is required in order to be approved for the Requester and CMS Contact (COR) roles in EPPE.  Please contact the EPPE Help Desk at 844-EPPE-DUA (844-377-3382) or email if you require one of the roles, but have not been sent an e-mail regarding Contractor training sessions.

PDF Training Materials

Contractor DUA - Requester Role

Contracting Officer’s Representatives (CORs) will be required to approve newly created and updated DUA requests submitted by their Contractors. Below are the slide decks for CORs to learn how to approve DUA updates, manage access and assign a proxy to approve DUAs on their behalf.

Contractor DUA - CMS COR

Coming Soon – YouTube Training Videos

CMS is offering a variety of ways you can get training on the Contractor Workflow process. Currently, we have the slide decks for your education requirements. In the near future, CMS will also be offering YouTube videos for your training needs.

I am not in the Contractor workflow, but would still like to access EPPE. How can I do that?

EPPE is accessible through the CMS portal homepage at

For detailed instructions on how to request access to EPPE, view the User Registration Process.  It includes the following topics:

  1. Creating an Enterprise Identity Management (EIDM) User ID
  2. Requesting Access to EPPE
  3. Logging into EPPE and Selecting a Role
  4. Awaiting Approval of the Role from the EPPE Administrator
  5. Accessing EPPE

The following roles are currently available in the system:

  • Requester - A person who requests data from CMS and who is authorized to legally bind their organization to the terms specified in the data use agreement (DUA).
  • DUA Viewer (View and Search DUAs) - Users that can search, view, save, and print DUAs within their organization.
  • Non-DUA Viewer (View and Search Other Types of Disclosures) - Users that can search, view, save, and print a non-DUA tracking disclosure.
  • Data Entry - Members of the DUA Management Team who enter approved DUAs on behalf of the Contractors, Researchers and Limited Data Set (LDS) users.
  • Non DUA Data Entry - CMS employees and their administrative contractors who enter approved disclosures into the Non-DUA tracking workflow.
  • CMS Contact (COR) - The CMS employee responsible for overseeing CMS contracts/programs.
  • Payment Coordinator - The CMS employee who enters the payment amount and date(s) for Researcher and LDS DUAs.
  • Extractor - An employee or contractor of CMS responsible for gathering the specific data indicated in the data use agreement (DUA) for dissemination to the requesting entity.
  • Shipper - An employee or contractor of CMS responsible for the physical and/or digital delivery of the requested data files to the requesting entity.
  • Administrator - Members of the DUA Management Team who may perform advanced actions in the system, including approving EPPE access requests, user roles, and organizations.

Who do I contact if I need help with EPPE?

View EPPE FAQs.  If you are unable to find the answer to your question, contact the EPPE Help Desk at 844-EPPE-DUA (844-377-3382) or email