Data Disclosures and Data Use Agreements (DUAs)

The Centers for Medicare & Medicaid Services (CMS) makes data files available to certain stakeholders as allowed by federal laws and regulations as well as CMS policy. CMS enters into Data Use Agreements (DUAs) with most data requesters for disclosures of protected health information (PHI) and/or personally identifiable information (PII) to ensure that data requesters adhere to CMS privacy and security requirements and data release policies. The Enterprise Privacy Policy Engine (EPPE) is the system that tracks all disclosures of CMS data. For additional information about EPPE, please visit the EPPE page located on the navigation bar.  

CMS maintains three different categories of data files: identifiable data files, limited data set files, and public use files. The privacy level of the data file determines whether a DUA is needed as well as the request process and the level of review required:

  1. Identifiable Data Files (IDFs) — IDFs contain PHI and/or PII and are only available to certain stakeholders. Requests for IDFs require a DUA with CMS.
  2. Limited Data Set (LDS) — LDS files also contain PHI, but they do not contain specific direct identifiers as defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. LDS files are only available for research use. Requests for LDS files require a DUA with CMS.
  3. Public Use Files (PUFs) — PUFs (also called non-identifiable data files) do not contain information that could be used to identify individuals. In general, PUFs contain aggregate-level information. PUF requests do not require a DUA and are available on CMS websites (e.g.,

Please use the navigation bar on the left to learn more about how to request data or to update an existing DUA. For additional information on the differences between these types of files, please visit the Research Data Assistance Center (ResDAC) website at Differences between RIF, LDS, and PUF Data Files.

Please direct questions to

General Guidelines for Requesting DUAs

Follow the guidelines and restrictions below when requesting a new DUA or making any request related to an existing DUA:

  • CMS does not accept personal e-mail addresses (@yahoo, @gmail, @outlook, etc.). The e-mail must be associated with an employer, organization, or university.
  • CMS does not accept P.O. Box or foreign addresses. Data will only be shipped to addresses within the United States.
  • Organizations listed on a DUA should be at the company or university level as opposed to a department or component level.
  • If a DUA expires, it is important to note that ALL open DUAs for that organization will be frozen. This means that no actions (processing new DUAs, adding data, changing contacts, or extending existing DUAs) can proceed for any DUA held by your organization until the expired DUA is either extended or closed.

Page Last Modified: 09/06/2023 04:57 PM