CMS maintains three different categories of data files: identifiable data files, limited data set files, and public use files. The privacy level of the data file determines whether a DUA is needed as well as the request process and the level of review required:
- Identifiable Data Files (IDFs) — IDFs contain PHI and/or PII and are only available to certain stakeholders. Requests for IDFs require a DUA with CMS.
- Limited Data Set (LDS) — LDS files also contain PHI, but they do not contain specific direct identifiers as defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. LDS files are only available for research use. Requests for LDS files require a DUA with CMS.
- Public Use Files (PUFs) — PUFs (also called non-identifiable data files) do not contain information that could be used to identify individuals. In general, PUFs contain aggregate level information. PUF requests do not require a DUA and are available on CMS websites (e.g., data.cms.gov).
Please use the navigation bar on the left to learn more about how to request data or to update an existing DUA. For additional information on the differences between these types of files, please visit the Research Data Assistance Center (ResDAC) website at Differences between RIF, LDS, and PUF Data Files.
Please direct questions to DataUseAgreement@cms.hhs.gov.
General Guidelines for Requesting DUAs
The below guidelines and restrictions should be followed when requesting a new DUA or for any requests related to an existing DUA:
- CMS does not accept personal e-mail addresses (@yahoo, @gmail, @outlook, etc.). The e-mail must be associated with an employer, organization, or university.
- CMS does not accept P.O. Box or foreign addresses. Data will only be shipped to addresses within the United States.
- Organizations listed on a DUA should be at the company or university level as opposed to a department or component level.
- If a DUA expires, it is important to note that ALL open DUAs for that organization will be frozen. This means that no actions (processing new DUAs, adding data, changing contacts, or extending existing DUAs) can proceed for any DUA held by your organization until the expired DUA is either extended or closed.