«This Agreement is needed to ensure that the disclosure and use of Limited Data Sets derived from a CMS Privacy Act System of Records comply with the ...»
DEPARTMENT OF HEALTH AND HUMAN SERVICES
CENTERS FOR MEDICARE & MEDICAID SERVICES
This Agreement is needed to ensure that the disclosure and use of Limited Data Sets derived from a CMS
Privacy Act System of Records comply with the Privacy Act of 1974 (5 U.S.C. § 522a) and the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R Parts 160 and 164).
Directions for the completion of the agreement follow:
Before completing the DUA, please note the language contained in this agreement cannot be altered in any form.
A. First paragraph, enter the Requestor’s/User’s Organization Name.
B. Section #1, enter the Requestor’s/User’s Organization Name.
C. Section #3, enter the study and/or project name and CMS contract number, if applicable, for which the file(s) will be used. Include both a summary of the purpose and a detailed explanation of the research study or project. The detailed explanation describing your research purpose must be attached to the agreement. Attached to this Agreement are the Research Application Guidelines that should be followed in preparing your detailed explanation. CMS evaluates the purpose for which the limited data set file will be used to determine whether: 1) the purpose requires identifiable records; 2) the project is of sufficient importance to justify the risk on beneficiary privacy; 3) there is reasonable probability that the use of data will accomplish the purpose, i.e., the project is soundly designed; and 4) the purpose demonstrates the potential to improve the quality of life for Medicare beneficiaries or improve the administration of the Medicare program, including payment related projects. If the Research Application provided by the Requesting Organization contains proprietary information, a statement to that effect must be included in the Research Application submitted to CMS. Proprietary information is exempt from release under the Freedom of Information Act if it falls within the scope of Exemption 4, 5 U.S.C.
D. Section #4 should delineate the limited data set files and years of data the Requestor/User is requesting.
Specific filenames should be specified. If these filenames are unknown, you may contact a CMS representative.
E. Section #6, complete by entering the projected completion date of the study or project.
F. Section #14 is to be completed by the Requestor/User.
G. Section #15, enter the Custodian Name, Company/Organization, Address, Phone Number (including area code), and E-Mail Address (if applicable). The Custodian of the files (name and position/title) is defined as the person who will have actual possession of and responsibility for the limited data set files.
This section should be completed even if the Custodian and Requestor/User are the same.
H. Section #16 will be completed by a CMS representative.
I. Section #17 will be completed by a CMS representative.
For assistance or questions in completing this Agreement, please contact the Division of Privacy Compliance Help Line at 410-786-3690.
In order to ensure that the disclosure and use of Limited Data Sets derived from a CMS Privacy Act System of Records comply with the Privacy Act of 1974 (5 U.S.C. § 522a) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R.
Parts 160 and 164), CMS and ________________________________________________________________ enter into this Agreement:
1. This Agreement is by and between the Centers for Medicare & Medicaid Services (CMS), a component of the U.S. Department of Health and Human Services (DHHS), and ____________________________
________________________________________, hereinafter termed “User.”
2. The parties mutually agree that CMS retains all ownership rights to the limited data set file(s) referred to in this Agreement, and that the User does not obtain any right, title, or interest in any of the data furnished by CMS. The parties further agree that CMS makes no representation or warranty, either implied or express, with respect to the accuracy of any data in the limited data set file(s).
Name of Study/Project
CMS Contract No. (If applicable)
The User must provide a detailed explanation of the research purpose which is incorporated by reference into this Agreement. The research purpose must demonstrate the potential to improve the quality of life for Medicare beneficiaries or improve the administration of the Medicare program, including paymentrelated projects. The User represents further that the facts and statements made in this explanation are complete and accurate. Research Application Guidelines are attached as ‘Attachment A’ and are incorporated by reference to this Agreement.
4. The following CMS limited data set file(s) is/are covered under this Agreement.
Form CMS-R-0235L (02/08) 2
5. The User shall not attempt to identify or contact any specific individual whose record is included in the limited data set file(s) specified in section 4. Absent written authorization from CMS, the User shall not attempt to link records included in the file(s) specified in section 4 to any other beneficiary-specific source of information.
6. The parties mutually agree that the aforesaid file(s) (and/or any derivative file(s)) including those files that indirectly identify individuals and those that can be used in concert with other information to identify individuals may be retained by the User until ________________, hereinafter known as the “Retention Date.” The User agrees to notify CMS within 30 days of the completion of the purpose specified in section 4 if the purpose is completed before the aforementioned retention date. Upon such notice or retention date, whichever occurs sooner, the User must destroy such data. The User agrees to destroy and send written certification of the destruction of the files to CMS within 30 days. The User agrees not to retain CMS files or any parts thereof, after the aforementioned file(s) are destroyed.
7. The User shall not use, disclose, market, release, show, sell, rent, lease, loan, or otherwise grant access to the limited data set files specified in section 4 of this Agreement, except as expressly permitted by this Agreement or otherwise required by law.
8. a. The User agrees that any use of CMS data in the creation of any document (manuscript, table, chart, study, report, etc.) concerning the purpose specified in section 4 (regardless of whether the report or other writing expressly refers to such purpose, to CMS, or to the files specified in section 5 or any data derived from such files) must adhere to CMS’ current cell size suppression policy. This policy stipulates that no cell (eg. admittances, discharges, patients) less than 11 may be displayed. Also, no use of percentages or other mathematical formulas may be used if they result in the display of a cell less than 11. By signing this Agreement you hereby agree to abide by these rules and, therefore, will not be required to submit any written documents for CMS review. If you are unsure if you meet the above criteria, you may submit your written products for CMS review. CMS agrees to make a determination about approval and to notify the user within 4 to 6 weeks after receipt of findings. CMS may withhold approval for publication only if it determines that the format in which data are presented may result in identification of individual beneficiaries.
b. The User may not disclose the limited data set file(s) specified in section 4 of this Agreement to a Secondary User until and unless the Secondary User enters into a DUA with CMS. CMS will only enter into a DUA with a Secondary User if the purpose for which the secondary use of the limited data set file(s) is consistent with the purpose specified in Section 3 of this Agreement.
9. The User agrees to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of the limited data set file(s) and to prevent unauthorized use or access to it. The safeguards shall provide a level and scope of security that is not less than the level and scope of security established by the Office of Management and Budget (OMB) in OMB Circular No. A–130, Appendix III—Security of Federal Automated Information Systems http://www.whitehouse.gov/omb/circulars/a130/a130.html), which sets forth guidelines for security plans for automated information systems in Federal agencies. The User acknowledges that the use of unsecured telecommunications, including the Internet, to transmit individually identifiable or deducible information derived from the limited data set file(s) specified in section 4 is prohibited. Further, the User agrees that the limited data set file(s) must not be physically moved or electronically transmitted in any way from the site indicated in section 15 without prior written approval from CMS.
10. For each limited data set file, the User shall reimburse CMS for all associated processing fees.
Form CMS-R-0235L (02/08) 3
11. The User shall promptly report to CMS any use or disclosure of the information not provided for by this Data Use Agreement of which it becomes aware. CMS in its sole discretion may require the User to: (a) promptly investigate and respond to CMS concerns regarding any alleged disclosure; (b) promptly resolve any problems identified by the investigation; (c) submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; and/or (d) require that all limited data set files be immediately returned.
12. The User acknowledges that penalties under § 1106(a) of the Social Security Act [42 U.S.C. § 1306(a)], including possible imprisonment, may apply with respect to any disclosure of information in the files(s) that is inconsistent with the terms of the Agreement. The User further acknowledges that criminal penalties under the Privacy Act [5 U.S.C. § 552a(i)(3)] apply if it is determined that the User, or any individual employed or affiliated therewith, knowingly and willfully obtained the file(s) under false pretenses. The User also acknowledges that criminal penalties may be imposed under 18 U.S.C. § 641.
13. By signing this Agreement, the User agrees to abide by all provisions set out in this Agreement for protection of the limited data set file(s) specified in section 4, and acknowledges having received notice of potential criminal, civil, and/or administrative penalties for violation of the terms of the Agreement.
14. The undersigned individual hereby attests that he or she is authorized to enter into this Agreement on behalf of the User and agrees to all the terms specified herein.
15. The parties mutually agree that the following named individual is designated as Custodian of the limited data set file(s) on behalf of the User and the person shall oversee and comply to the observance of all conditions of use and the establishment and maintenance of security arrangements as specified in this Agreement to prevent unauthorized use. The User agrees to notify CMS within fifteen (15) days of any change of custodianship. The parties mutually agree that CMS may disapprove the appointment of a custodian or may require the appointment of a new custodian at any time.
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
The valid OMB control number for this information collection is 0938-0734. The time required to complete this information collection is estimated to average 30 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection.
If you have any comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: Reports Clearance Officer, Baltimore, Maryland 21244-1850.
■ Provide a detailed explanation of the research purpose of the project. The purpose must demonstrate the potential to improve the quality of life for Medicare beneficiaries or improve the administration of the Medicare program, including payment related projects. Under the Privacy Rule, permitted purposes include research, public health and/or health care operations.
■ What are the potential uses of this project to Medicare providers of service?
2. Project Issues and Methods
• List and describe the key issues to be studied.
• Statement of whether any of the methodology or tools contain proprietary information [proprietary information is exempt from release requirements under the Freedom of Information Act if it falls within the scope of Exemption 4, 5 U.S.C. § 552(b)(4)].
3. Data Management Safeguards
• Describe the procedures that will be used to protect the privacy and identity of an individual. For example, how will the privacy of information of beneficiaries in the files be safeguarded and guaranteed?
• Describe safeguards that would be followed for permitted disclosures of data, if applicable.
4. Key personnel
• List staff that will have access to the limited data set file(s) and their role in the project.
• Describe how the findings will be used
• Describe the type of data that will be disseminated, if applicable.
6. Proprietary Information
• If the Research Application provided by the Requesting Organization contains proprietary information, a statement to that effect must be included in the Research Application submitted to CMS. Proprietary information is exempt from release under the Freedom of Information Act if it falls within the scope of Exemption 4, 5 U.S.C. § 552(b)(4).