Data Disclosures and Data Use Agreements (DUAs)

The Centers for Medicare & Medicaid Services (CMS) makes data files available to certain stakeholders as allowed by federal laws and regulations as well as CMS policy. CMS enters into Data Use Agreements (DUAs) with most data requesters for disclosures of protected health information (PHI) and/or personally identifiable information (PII) to ensure that data requesters adhere to CMS privacy and security requirements and data release policies. The Enterprise Privacy Policy Engine (EPPE) is the system that tracks all disclosures of CMS data. For additional information about EPPE, please visit the EPPE page located on the navigation bar.  

CMS maintains three different categories of data files: identifiable data files, limited data set files, and public use files. The privacy level of the data file determines whether a DUA is needed as well as the request process and the level of review required:

  1. Identifiable Data Files (IDFs) — IDFs contain protected health information (PHI) and/or personally identifiable information (PII) and are only available to certain stakeholders. IDFs can be physically shipped to a requester or accessed virtually. Research Identifiable Files (RIFs) are a type of IDF that are exclusively disclosed for research purposes in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requirements at 45 C.F.R. § 164.512(i) and other applicable laws. IDF requests generally require a DUA with CMS.
  2. Limited Data Set (LDS) — LDS files contain PHI, but do not contain specific direct identifiers as set forth in the HIPAA Privacy Rule at 45 C.F.R. § 164.514(e)(2). CMS LDS files are only available for research purposes and require a DUA with CMS. 
  3. Public Use Files (PUFs) — PUFs (also called non-identifiable data files) do not contain PHI, PII or other information that could be used to identify individuals. PUF requests do not require a DUA and are not tracked by CMS.  PUFs can be accessed freely on CMS’ open data websites such as data.cms.gov and data.medicaid.gov.

Please use the navigation bar on the left to learn more about how to request data or to update an existing DUA. For additional information on the differences between these types of files, please visit the Research Data Assistance Center (ResDAC) website at Differences between RIF, LDS, and PUF Data Files.

Please direct questions to DataUseAgreement@cms.hhs.gov.


General Guidelines for Requesting DUAs

Follow the guidelines and restrictions below when requesting a new DUA or making any request related to an existing DUA:

  • CMS does not accept personal e-mail addresses (@yahoo, @gmail, @outlook, etc.). The e-mail must be associated with an employer, organization, or university.
  • CMS does not accept P.O. Box or foreign addresses.  Data will only be shipped to addresses within the United States.
  • Organizations listed on a DUA should be at the company or university level as opposed to a department or component level.
  • If a DUA expires, it is important to note that ALL open DUAs for that organization will be frozen. This means that no actions (processing new DUAs, adding data, changing contacts, or extending existing DUAs) can proceed for any DUA held by your organization until the expired DUA is either extended or closed.

Page Last Modified: 01/23/2024 02:46 PM