The CMS Data Principles are a shared set of values for data management at the agency. They establish a foundation that allows CMS to maximize our use of data in decision-making. Each principle is accompanied by several Operating Norms. These norms describe practices that CMS will adopt to achieve the principle. While some of the Operating Norms describe practices that CMS already has in place, many of them will require CMS to change culture, policies, processes, and contracts.
Efficiency
Data is one of CMS’ greatest strategic assets. As a result, CMS considers enterprise needs and anticipates future needs when investing in data collection, data systems and integration, data analytics, and other data management activities with the goals of maximizing reusability and minimizing redundancy. To achieve this principle, CMS will ensure that:
- Contracts that include data collection, systems, integration, and analytics are tracked and information about relevant tasks is available to all CMS staff in a repository.
- Contracts that include data collection, systems, integration, and analytics have a technical resource who can assess the quality of the contractor’s work.
- All code, data, and systems generated under a contract or licensing agreement with CMS are:
- Owned by the agency,
- Accessible to CMS throughout the duration of the contract, and
- Returned to the agency or transferred to a new awardee by the end of the contract.
- CMS uses open-source tools, where feasible.
Accessibilityi
CMS data are a critical part of the planning and decision-making process for CMS and our partners. As a result, CMS provides timely access to data for which staff and contractors are authorized. Where appropriate and permitted by law, CMS supports the seamless sharing of data with our partners and encourages the use of standards to promote interoperability. To achieve this principle, CMS will ensure that:
- All CMS staff can get timely access to the data they need to do their jobs. Contractors can get timely access to the data CMS determines are needed to complete contracted work.
- If access to CMS data needs to be limited, there is a well-documented and timely process for staff and contractors to request access to this data.
- When converting CMS data into a new format for sharing with external partners, CMS uses industry standard formats (e.g., Fast Healthcare Interoperability Resources (FHIR®)), where feasible.
Usability
CMS programs require the collection of an enormous amount of data and each data collection has its own complexities. To ensure all CMS data assets are findable and useable, CMS maintains robust metadata and documentation that staff and contracted resources can access in a shared location. To achieve this principle, CMS will ensure that:
- Data assets have comprehensive and machine-readable metadata and documentation.
- Data assets have a CMS owner.
- Metadata and documentation for data assets are accessible to all authorized CMS staff and contractors.
Quality
CMS uses data to inform public policy decisions and operations and monitor agency performance. To make accurate, reliable, and equitable decisions, CMS takes steps to understand, document, and improve the quality of CMS data. To achieve this principle, CMS will ensure that:
- Each CMS data asset offers a feedback mechanism for submitting issues regarding data quality and a communication mechanism for reporting data quality issues to end users.
- When developing data products or analyses, CMS staff or contractors conduct an evaluation of the data quality.
- When a new issue regarding data quality is discovered after a data product or analysis is finalized, CMS staff or contractors conduct an Agile retrospective.
Responsibility
CMS collects sensitive data on individuals and entities that must be handled in accordance with law and protected from misuse or improper disclosure. To protect this information, CMS employs sound data privacy and security practices, applies the Health Insurance Portability and Accountability Act of 1996 (HIPAA) minimum necessary standard to protect individual privacy, maintains confidentiality as appropriate, and complies with all applicable statutory and regulatory requirements. To achieve this principle, CMS will ensure that:
- Use of non-public CMS data by staff and contractors:
- Is only for purposes that support legitimate job functions and the mission of CMS;
- Limited to the minimum data needed;
- Complies with applicable statutory or regulatory limitations on use.
- Disclosures of non-public CMS data are:
- Covered by a CMS-approved contract, agreement, or attestation that includes data privacy and security requirements;
- In compliance with applicable statutory and/or regulatory disclosure limitations (including HIPAA and the Privacy Act of 1974, where applicable).
Transparency
CMS data is a public good. Where appropriate and permitted by law, CMS makes data collected by the agency available to the public in a machine-readable, de-identified format. To achieve this principle, CMS will ensure that:
- Public disclosures of CMS data:
- Comply with applicable statutory and/or regulatory disclosure limitations;
- Do not contain confidential information;
- Are de-identified in accordance with HIPAA requirements and adhere to the CMS cell size suppression policyii;
- Limit duplicative content from other public products.
- Publicly posted CMS data complies with relevant metadata standards, is freely available and machine readable, and has robust documentation and an up-to-date point of contact.
- All publicly available CMS data is posted (or at a minimum indexed) on data.cms.gov.
iThese operating norms are focused on data, so they do not address information technology (IT) accessibility issues (e.g., 508 compliance). Other CMS activities are focused on IT accessibility issues.
iiMore information on the CMS cell size suppression policy can be found on the CMS Research Data Assistance Center (ResDAC) website at https://resdac.org/articles/cms-cell-size-suppression-policy.