Skip to Main Content

Enterprise Privacy Policy Engine (EPPE)

  Want to be notified with updates on CMS data files?  Sign up for the CMS EPPE listserv! 

  Email us at, DataUseAgreement@cms.hhs.gov, and ask to be added to the EPPE Listserv.





What is EPPE?

EPPE is a system that CMS uses to process CMS Data Use Agreements (DUAs).

What is the goal of EPPE?

The goal of EPPE is to standardize and automate the CMS DUA process and reduce the amount of time from when you request a DUA to when you receive one.   As a result, the objective of the EPPE system is to transition from the current paper-based system to EPPE, an electronic information system designed to facilitate the DUA process and provide a traceable record of CMS data disclosures.  Part of this transition is the adoption of Remote Identity Proofing (RIDP) and Multi-Factor Authentication (MFA) services to verify the identity of anyone requesting access to the EPPE system.  This transition will help improve CMS’ ability to reduce fraud and ensure system security.

How do I access EPPE?

EPPE is accessible through the CMS portal homepage at https://portal.cms.gov.

For detailed instructions on how to request access to EPPE, view the User Registration Process.  It includes the following topics:

  1. Creating an Enterprise Identity Management (EIDM) User ID
  2. Requesting Access to EPPE
  3. Logging into EPPE and Selecting a Role
  4. Awaiting Approval of the Role from the EPPE Administrator
  5. Accessing EPPE

The following roles are currently available in the system:

  • Requester (view only) - A person who requests data from CMS and who is authorized to legally bind their organization to the terms specified in the data use agreement (DUA).
  • DUA Viewer (View and Search DUAs) - Users that can search, view, save, and print DUAs within their organization.
  • Non-DUA Viewer (View and Search Other Types of Disclosures) - Users that can search, view, save, and print a non-DUA tracking disclosure.
  • Data Entry - Members of the DUA Management Team who enter approved DUAs on behalf of the Contractors, Researchers and Limited Data Set (LDS) users.
  • Non DUA Data Entry - CMS employees and their administrative contractors who enter approved disclosures into the Non-DUA tracking workflow.
  • CMS Contact (COR) - The CMS employee responsible for overseeing CMS contracts/programs.
  • Payment Coordinator - The CMS employee who enters the payment amount and date(s) for Researcher and LDS DUAs.
  • Extractor - An employee or contractor of CMS responsible for gathering the specific data indicated in the data use agreement (DUA) for dissemination to the requesting entity.
  • Shipper - An employee or contractor of CMS responsible for the physical and/or digital delivery of the requested data files to the requesting entity.
  • Administrator - Members of the DUA Management Team who may perform advanced actions in the system, including approving EPPE access requests, user roles, and organizations.

What is available in EPPE?

The following types of disclosures are housed in EPPE:

  • Contractor DUAs
  • Researcher DUAs
  • Limited Data Sets (LDS)
  • Non-DUA Tracking Requests

Training Materials

In the summer of 2018, Requesters with Contractor DUAs will be able to create and update their DUAs in EPPE. Below are the slide decks for Contractors to learn how to create, update, extend and close DUAs. Requesters may also manage access to EPPE and assign a proxy to create and update DUAs on their behalf.

NOTE:  Webinar training is required in order to be approved for the Requester and CMS Contact (COR) roles in EPPE.  Please contact the EPPE Help Desk at  844-EPPE-DUA (844-377-3382) or email EPPE@cms.hhs.gov if you require one of the roles, but have not been sent an e-mail regarding Contractor training sessions.

Contractor DUA - Requester Role

Contracting Officer’s Representatives (CORs) will be required to approve newly created and updated DUA requests submitted by their Contractors. Below are the slide decks for CORs to learn how to approve DUA updates, manage access and assign a proxy to approve DUAs on their behalf.

Contractor DUA - CMS COR

How do I submit new DUA requests or updates to existing DUAs?

Once the Contractor DUA Workflow goes live, the process for submitting Contractor DUAs will change. Contractors who are registered in EPPE may create and update DUAs in EPPE. Please check with your COR to ensure that they are registered in EPPE.

Submitting LDS and Researcher DUA actions will not change.  Please continue to follow the instructions outlined on the Privacy web pages at https://www.cms.gov/Research-Statistics-Data-and-Systems/Files-for-Order/Data-Disclosures-Data-Agreements/Overview.html, and submit actions for LDS and Researcher DUAs to DataUseAgreement@cms.hhs.gov.

Who do I contact if I need help with EPPE?

View EPPE FAQs.  If you are unable to find the answer to your question, contact the EPPE Help Desk at 844-EPPE-DUA (844-377-3382) or email EPPE@cms.hhs.gov

.