Form CMS-R-0235L (02/08) 1
DEPARTMENT OF HEALTH AND HUMAN SERVICES
CENTERS FOR MEDICARE & MEDICAID SERVICES
INSTRUCTIONS FOR COMPLETING THE LIMITED DATA SET
DATA USE AGREEMENT (DUA) (CMS-R-0235L)
This Agreement is needed to ensure that the disclosure and use of Limited Data Sets derived from a CMS
Privacy Act System of Records comply with the Privacy Act of 1974 (5 U.S.C. § 522a) and the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R Parts 160 and 164).
Directions for the completion of the agreement follow:
Before completing the DUA, please note the language contained in this agreement cannot be altered in
any form.
A. First paragraph, enter the Requestors/Users Organization Name.
B. Section #1, enter the Requestors/Users Organization Name.
C. Section #3, enter the study and/or project name and CMS contract number, if applicable, for which the
file(s) will be used. Include both a summary of the purpose and a detailed explanation of the research
study or project. The detailed explanation describing your research purpose must be attached to the
agreement. Attached to this Agreement are the Research Application Guidelines that should be followed
in preparing your detailed explanation. CMS evaluates the purpose for which the limited data set file
will be used to determine whether: 1) the purpose requires identifiable records; 2) the project is of
sufficient importance to justify the risk on beneficiary privacy; 3) there is reasonable probability that the
use of data will accomplish the purpose, i.e., the project is soundly designed; and 4) the purpose
demonstrates the potential to improve the quality of life for Medicare beneficiaries or improve the
administration of the Medicare program, including payment related projects. If the Research Application
provided by the Requesting Organization contains proprietary information, a statement to that effect
must be included in the Research Application submitted to CMS. Proprietary information is exempt
from release under the Freedom of Information Act if it falls within the scope of Exemption 4, 5 U.S.C.
§ 552(b)(4).
D. Section #4 should delineate the limited data set files and years of data the Requestor/User is requesting.
Specific filenames should be specified. If these filenames are unknown, you may contact a CMS
representative.
E. Section #6, complete by entering the projected completion date of the study or project.
F. Section #14 is to be completed by the Requestor/User.
G. Section #15, enter the Custodian Name, Company/Organization, Address, Phone Number (including
area code), and E-Mail Address (if applicable). The Custodian of the files (name and position/title) is
defined as the person who will have actual possession of and responsibility for the limited data set files.
This section should be completed even if the Custodian and Requestor/User are the same.
H. Section #16 will be completed by a CMS representative.
I. Section #17 will be completed by a CMS representative.
For assistance or questions in completing this Agreement, please contact the Division of Privacy Compliance
Help Line at 410-786-3690.
Form CMS-R-0235L (02/08) 2
DEPARTMENT OF HEALTH AND HUMAN SERVICES
CENTERS FOR MEDICARE & MEDICAID SERVICES
Form Approved
OMB No. 0938-0734
DATA USE AGREEMENT
DUA #
AGREEMENT FOR USE OF CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS)
LIMITED DATA SETS
In order to ensure that the disclosure and use of Limited Data Sets derived from a CMS Privacy Act
System of Records comply with the Privacy Act of 1974 (5 U.S.C. § 522a) and the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R. Parts 160 and 164), CMS and
________________________________________________________________ enter into this Agreement:
1. This Agreement is by and between the Centers for Medicare & Medicaid Services (CMS), a component
of the U.S. Department of Health and Human Services (DHHS), and ____________________________
________________________________________, hereinafter termed “User.”
2. The parties mutually agree that CMS retains all ownership rights to the limited data set file(s) referred to
in this Agreement, and that the User does not obtain any right, title, or interest in any of the data furnished
by CMS. The parties further agree that CMS makes no representation or warranty, either implied or
express, with respect to the accuracy of any data in the limited data set file(s).
3. The User represents that the limited data set files in section 4 above will be used solely for the following
research purpose (provide a brief summary of the purpose below):
Name of Study/Project
CMS Contract No. (If applicable)
The User must provide a detailed explanation of the research purpose which is incorporated by reference
into this Agreement. The research purpose must demonstrate the potential to improve the quality of life
for Medicare beneficiaries or improve the administration of the Medicare program, including payment-
related projects. The User represents further that the facts and statements made in this explanation are complete
and accurate. Research Application Guidelines are attached as ‘Attachment Aand are incorporated by
reference to this Agreement.
4. The following CMS limited data set file(s) is/are covered under this Agreement.
File Year(s)
Form CMS-R-0235L (02/08) 3
5.
6.
7.
8.
9.
The User shall not attempt to identify or contact any specific individual whose record is included in the
limited data set file(s) specified in section 4. Absent written authorization from CMS, the User shall not
attempt to link records included in the file(s) specified in section 4 to any other beneficiary-specific
source of information.
The parties mutually agree that the aforesaid file(s) (and/or any derivative file(s)) including those files
that indirectly identify individuals and those that can be used in concert with other information to
identify individuals may be retained by the User until ________________, hereinafter known as the
“Retention Date.” The User agrees to notify CMS within 30 days of the completion of the purpose
specified in section 4 if the purpose is completed before the aforementioned retention date. Upon such
notice or retention date, whichever occurs sooner, the User must destroy such data. The User agrees to
destroy and send written certification of the destruction of the files to CMS within 30 days. The User
agrees not to retain CMS files or any parts thereof, after the aforementioned file(s) are destroyed.
The User shall not use, disclose, market, release, show, sell, rent, lease, loan, or otherwise grant access to
the limited data set files specified in section 4 of this Agreement, except as expressly permitted by this
Agreement or otherwise required by law.
a. The User agrees that any use of CMS data in the creation of any document (manuscript, table, chart,
study, report, etc.) concerning the purpose specified in section 4 (regardless of whether the report or
other writing expressly refers to such purpose, to CMS, or to the files specified in section 5 or any data
derived from such files) must adhere to CMS’ current cell size suppression policy. This policy
stipulates that no cell (eg. admittances, discharges, patients) less than 11 may be displayed. Also, no
use of percentages or other mathematical formulas may be used if they result in the display of a cell
less than 11. By signing this Agreement you hereby agree to abide by these rules and, therefore, will
not be required to submit any written documents for CMS review. If you are unsure if you meet the
above criteria, you may submit your written products for CMS review. CMS agrees to make a
determination about approval and to notify the user within 4 to 6 weeks after receipt of findings. CMS
may withhold approval for publication only if it determines that the format in which data are presented
may result in identification of individual beneficiaries.
b. The User may not disclose the limited data set file(s) specified in section 4 of this Agreement to a
Secondary User until and unless the Secondary User enters into a DUA with CMS. CMS will only enter
into a DUA with a Secondary User if the purpose for which the secondary use of the limited data set
file(s) is consistent with the purpose specified in Section 3 of this Agreement.
The User agrees to establish appropriate administrative, technical, and physical safeguards to protect the
confidentiality of the limited data set file(s) and to prevent unauthorized use or access to it. The safeguards
shall provide a level and scope of security that is not less than the level and scope of security established by
the Office of Management and Budget (OMB) in OMB Circular No. A–130, Appendix III—Security of
Federal Automated Information Systems http://www.whitehouse.gov/omb/circulars/a130/a130.html), which
sets forth guidelines for security plans for automated information systems in Federal agencies. The User
acknowledges that the use of unsecured telecommunications, including the Internet, to transmit individually
identifiable or deducible information derived from the limited data set file(s) specified in section 4 is
prohibited. Further, the User agrees that the limited data set file(s) must not be physically moved or
electronically transmitted in any way from the site indicated in section 15 without prior written approval
from CMS.
10. For each limited data set file, the User shall reimburse CMS for all associated processing fees.
Form CMS-R-0235L (02/08) 4
11. The User shall promptly report to CMS any use or disclosure of the information not provided for by this
Data Use Agreement of which it becomes aware. CMS in its sole discretion may require the User to: (a)
promptly investigate and respond to CMS concerns regarding any alleged disclosure; (b) promptly
resolve any problems identified by the investigation; (c) submit a corrective action plan with steps
designed to prevent any future unauthorized disclosures; and/or (d) require that all limited data set files
be immediately returned.
12. The User acknowledges that penalties under § 1106(a) of the Social Security Act [42 U.S.C. § 1306(a)],
including possible imprisonment, may apply with respect to any disclosure of information in the files(s)
that is inconsistent with the terms of the Agreement. The User further acknowledges that criminal penalties
under the Privacy Act [5 U.S.C. § 552a(i)(3)] apply if it is determined that the User, or any individual
employed or affiliated therewith, knowingly and willfully obtained the file(s) under false pretenses. The
User also acknowledges that criminal penalties may be imposed under 18 U.S.C. § 641.
13. By signing this Agreement, the User agrees to abide by all provisions set out in this Agreement for protection
of the limited data set file(s) specified in section 4, and acknowledges having received notice of potential
criminal, civil, and/or administrative penalties for violation of the terms of the Agreement.
14. The undersigned individual hereby attests that he or she is authorized to enter into this Agreement on
behalf of the User and agrees to all the terms specified herein.
Name and Title of User (typed or printed)
Company/Organization
Street Address
City State ZIP Code
Telephone (Include Area Code) E-Mail Address (If applicable)
Signature Date
15. The parties mutually agree that the following named individual is designated as Custodian of the limited
data set file(s) on behalf of the User and the person shall oversee and comply to the observance of all
conditions of use and the establishment and maintenance of security arrangements as specified in this
Agreement to prevent unauthorized use. The User agrees to notify CMS within fifteen (15) days of any
change of custodianship. The parties mutually agree that CMS may disapprove the appointment of a
custodian or may require the appointment of a new custodian at any time.
Name of Custodian (typed or printed)
Company/Organization
Street Address
City State ZIP Code
Office Telephone (Include Area Code) E-Mail Address (If applicable)
Signature Date
Form CMS-R-0235L (02/08) 5
16. The disclosure provision(s) that allow(s) the discretionary release of CMS data for the purpose(s) stated
in section 3 follow(s). (To be completed by CMS staff.)_______________________________________
17. The undersigned individual hereby attest that they are authorized to enter into this Agreement on behalf
of CMS and agree to all the terms specified herein. (To be completed by CMS staff.)
Name of CMS Representative (typed or printed)
Title/Component Mail Stop
Street Address
City State ZIP Code
Office Telephone (Include Area Code) E-Mail Address (If applicable)
Signature Date
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
The valid OMB control number for this information collection is 0938-0734. The time required to complete this information collection is estimated to average 30 minutes
per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection.
If you have any comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard,
Attn: Reports Clearance Officer, Baltimore, Maryland 21244-1850.
Form CMS-R-0235L (02/08) 6
DEPARTMENT OF HEALTH AND HUMAN SERVICES
CENTERS FOR MEDICARE & MEDICAID SERVICES
Form Approved
OMB No. 0938-0734
ATTACHMENT A
Centers for Medicare & Medicaid Services (CMS)
Research Application Guidelines for Requesting Limited Data Sets
1. Introduction
Title.
Purpose:
Provide a detailed explanation of the research purpose of the project. The purpose must demonstrate
the potential to improve the quality of life for Medicare beneficiaries or improve the administration
of the Medicare program, including payment related projects. Under the Privacy Rule, permitted
purposes include research, public health and/or health care operations.
What are the potential uses of this project to Medicare providers of service?
2. Project Issues and Methods
• List and describe the key issues to be studied.
• Describe the plan to analyze the data for the project, including the methodology and procedures
that will be used.
• Provide an outline of project reports, including types of tabulations, aggregations, and other
data presentations.
• Statement of whether any of the methodology or tools contain proprietary information [proprietary
information is exempt from release requirements under the Freedom of Information Act if it falls
within the scope of Exemption 4, 5 U.S.C. § 552(b)(4)].
3. Data Management Safeguards
• Describe the procedures that will be used to protect the privacy and identity of an individual. For
example, how will the privacy of information of beneficiaries in the files be safeguarded and guaranteed?
• Describe safeguards that would be followed for permitted disclosures of data, if applicable.
4. Key personnel
• List staff that will have access to the limited data set file(s) and their role in the project.
5. Dissemination/Implementation
• Describe how the findings will be used
• Briefly describe any data dissemination plan that includes how the findings and any reported data
elements will be aggregated to a level that does not permit the identification of the individual.
• Describe the type of data that will be disseminated, if applicable.
6. Proprietary Information
• If the Research Application provided by the Requesting Organization contains proprietary information,
a statement to that effect must be included in the Research Application submitted to CMS. Proprietary
information is exempt from release under the Freedom of Information Act if it falls within the scope of
Exemption 4, 5 U.S.C. § 552(b)(4).