Skip to Main Content

Data Disclosures and Data Use Agreements (DUAs)

The Centers for Medicare & Medicaid Services (CMS) makes data files available to certain stakeholders as allowed by federal laws and regulations as well as CMS policy. CMS enters into Data Use Agreements (DUAs) with most data requestors for disclosures of protected health information (PHI) and/or personally identifiable information (PII) to ensure that data requestors adhere to CMS privacy and security requirements and data release policies. The Enterprise Privacy Policy Engine (EPPE) is the system that tracks all disclosures of CMS data. For additional information about EPPE, please visit the EPPE page located on the navigation bar.  

CMS maintains three different categories of data files: identifiable data files, limited data set files, and public use files. The privacy level of the data file determines whether a DUA is needed as well as the request process and the level of review required:

  1. Identifiable Data Files (IDFs) — IDFs contain PHI and/or PII and are only available to certain stakeholders. IDFs are available as custom extracts that can be shipped to a requestor or accessed virtually. Requests for IDFs generally require a DUA with CMS.
  2. Limited Data Set (LDS) — LDS files also contain PHI, but they do not contain specific direct identifiers as defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. LDS files are available for research use. All requestors must complete a DUA with CMS.
  3. Public Use Files (PUFs) PUFs (also called non-identifiable data files) do not contain information that could be used to identify individuals. In general, PUFs contain aggregate level information on Medicare beneficiary or provider utilization. PUF requests do not require a DUA.

Please use the navigation bar to the left to learn more about how to request data or update an existing DUA. For additional information on the differences between these types of files, please visit the Research Data Assistance Center website at Differences between RIF, LDS, and PUF Data Files.


General Guidelines for Submission of DUAs

The below guidelines and restrictions should be followed when submitting a new DUA or for any requests related to an existing DUA:

  • You must submit each type of request in a separate e-mail.  For example, you cannot submit a contact change request in the same e-mail as an order for additional data.
  • We do not accept personal e-mail addresses (@yahoo, @gmail, @outlook, etc.). Your e-mail must be associated with your employer, organization, or university.
  • We do not accept P.O. Box addresses.
  • You must open your new DUA under the name of your employer, organization, or university, regardless of the department to which you belong. For example, if you are working for a university, you must open the DUA under the name of the university, not your department.
  • If a DUA for your employer, organization, or university expires, it is important to note that ALL open DUAs for that organization will be frozen. This means that no actions (processing new DUAs as well as adding data, changing contacts, or extending existing DUAs) can proceed for any DUA held by your organization until the expired DUA is either extended or closed.

If you have any questions regarding these requirements, please send them to datauseagreement@cms.hhs.gov.