Limited Data Set (LDS) Data Use Agreement (DUA)
This Data Use Agreement (Agreement) is entered into by and between the Centers for Medicare & Medicaid Services (CMS), a component of the U.S. Department of Health and Human Services (HHS), and the organization requesting data from CMS (Requesting Organization). This Agreement covers the CMS Limited Data Set (LDS) files that the Requesting Organization requested from CMS and the corresponding purposes for their use, as specified in the LDS Request Application and submitted via the CMS Enterprise Privacy Policy Engine (EPPE) system.
CMS LDS Data Request: CMS agrees to provide the Requesting Organization with the LDS files specified in the LDS Request Worksheet, set forth in Attachment B, which reside in a CMS Privacy Act System of Records. In exchange, the Requesting Organization agrees to:
Pay any applicable fees;
Use the LDS files, including any back-up data or derivative data (collectively, the Data), only for purposes that support the Requesting Organization’s research project, as specified in the LDS Request Application, which CMS has determined to be valuable in helping CMS monitor, manage, and/or improve the quality of life for Medicare beneficiaries/Medicaid recipients/Health Insurance Exchange consumers (collectively, Beneficiaries) or improve the administration of CMS programs;
Contribute to generalizable knowledge by publishing the research results to a medium that is publicly available; and
Ensure the integrity, security, and confidentiality of the Data by complying with the terms of this Agreement and any applicable law(s), including the Privacy Act of 1974 (5 U.S.C. § 552a) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R. Part 160 and Part 164, Subparts A and E).
Data Ownership: The parties mutually agree that CMS retains all ownership rights to the Data specified in the Agreement, and that the Requesting Organization may only use and redisclose the Data as described in this Agreement. The parties further agree that CMS makes no representation or warranty, either implied or express, with respect to the accuracy of the Data. The Requesting Organization acknowledges that CMS receives this Data for operational purposes and that certain Data may not provide complete information. CMS is not liable for any damages or loss resulting from errors in information provided to the Requesting Organization under this Agreement.
Requesting Organization Requirements: Upon execution of this Agreement, the Requesting Organization represents and warrants the following:
The Data will only be used, accessed, viewed, or received by the Requester, Data Custodian, Data Recipient, or other data users under the direct oversight of the Data Custodian. The parties acknowledge that the Requester is set forth in Attachment A, LDS Request Application; the Data Custodian is set forth in Attachment C, Data Management Plan Self-Attestation Questionnaire; and the Data Recipient is set forth in Attachment D, Signature Addendum.
Entities who do not have a formal business relationship with the Requesting Organization will only be permitted to use, access, or view the Data if their organization is a Collaborating Organization on this Agreement as set forth in EPPE.
The LDS Request Application contains a detailed description of the entirety of the research and describes how the research could not practicably be conducted without the Data, and that the Data is the minimum necessary to achieve the stated research purpose(s). The Requesting Organization is permitted to make modifications to the LDS Request Application, provided the Requesting Organization submits a request and receives prior CMS approval.
The LDS Request Application contains a viable plan for the public dissemination of the research findings.
If commercial products or tools will be created from the research findings, the LDS Request Application contains detailed information on the applicable products or tools.
The Requesting Organization has an adequate plan to destroy the Data, in accordance with Section 8 of this Agreement.
The facts and statements made as part of the LDS Request Application are a complete and accurate description of the use(s) to which the Data will be put if the requested disclosure is approved by CMS.
Identification of Beneficiaries: As a condition of its receipt of the Data, the Requesting Organization affirms that it will:
Not use any Data received under this Agreement or allow others to use such Data, either alone or in combination with other available data, to identify, contact or attempt to identify or contact any individual Beneficiaries.
Ensure that its own use, and any contractors', agents', and/or Collaborating Organizations' use, of any Data received under this Agreement and other documents governing this Data in the creation of any document (manuscript, table, chart, study, report, etc.) will be de-identified under the HIPAA Privacy Rule as described at 45 C.F.R. § 164.514(b) and adhere to CMS policy for cell size suppression. This policy stipulates that no Beneficiary(ies)-related data cell (e.g., admittances, discharges, patients) with a size of 1-10 will be used in publication or other forms of dissemination; and
Ensure that no percentages or other mathematical formulas will be used in publications or other forms of dissemination if they result in the display of a Beneficiary(ies)-related data cell with a size of 1-10.
Identification of Providers or Suppliers: As a condition of its receipt of the Data, the Requesting Organization further affirms that it will ensure no Tax Identification Numbers (TINs) will be used in any publications or other forms of dissemination.
Linking Data: Absent express written permission from CMS, the Requesting Organization agrees not to link or attempt to link records included in the Data to any other source of information. An LDS Request Application that includes linkage to specific files that has been approved in advance by CMS constitutes express authorization from CMS to link the Data.
Use and Disclosure of Data: The Requesting Organization agrees to not use or further disclose, market, release, show, sell, rent, lease, loan, or otherwise grant access to the Data, except as permitted by this Agreement or as otherwise required by law. The Requesting Organization is not authorized to use or further disclose the information in a manner that would violate the requirements of 45 C.F.R. § 164.514(e)(4)(ii)(A), if done by CMS.
Retention of Data: The parties mutually agree that the Data may only be retained by the Requesting Organization for one year following the date this Agreement is approved by CMS in EPPE, hereinafter known as the “Expiration Date.” However, should the purpose specified in the LDS Request Application be completed prior to that date, the Requesting Organization affirms that it will notify CMS within 30 days of such completion, at which time the Expiration Date of the Agreement will become the date specified in such notice. The Requesting Organization may request to extend the Expiration Date of the Agreement, but each request may only be to extend the Agreement by up to one year. Such extension must be approved by CMS and will only allow continued use of the approved Data for the research as described in the LDS Request Application.
Destruction of Data: The Requesting Organization must destroy all Data by the Expiration Date. Such destruction must include any original, derivative, or back-up files. The Requesting Organization may retain aggregate data results for its own use beyond the Expiration Date if such Data is de-identified in accordance with 45 C.F.R. § 164.514(b) and complies with the limits in this Agreement. For all other Data, the Requesting Organization agrees to complete the required destruction and attestation of destruction within 30 days of the Expiration Date.
Security Requirements: The Requesting Organization agrees to, and will submit with the request, a data management plan included in the Data Management Plan Self-Attestation Questionnaire, set forth in Attachment C, with CMS that ensures the Requesting Organization adheres to the appropriate administrative, technical, and physical safeguards to protect the confidentiality of the Data and to prevent unauthorized use, access to, or disclosures of the Data in accordance with this Agreement and applicable law.
Agents: The Requesting Organization will contractually bind any contractors, agents, and/or collaborators (collectively, Agents) to the same terms and conditions of this Agreement prior to granting them access to the Data and limit such access to that required to carry out the project described in the LDS Request Application. The Requesting Organization further agrees that access to the Data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the purpose specified in the LDS Request Application.
Violation of the Terms of this Agreement: The Requesting Organization agrees that in the event CMS determines or has a reasonable belief that the Requesting Organization or its Agents have made or may have made a use, reuse, or disclosure of the Data that is not authorized by this Agreement, the Requesting Organization will cease use of all Data specified in this Agreement while CMS investigates the potential incident or violation. As part of its investigation, the Requesting Organization agrees that CMS, in its sole discretion, may require the Requesting Organization to:
Promptly investigate and report to CMS the Requesting Organization’s determinations regarding any alleged or actual unauthorized use, reuse or disclosure of Data.
Promptly resolve any problems identified by the investigation.
Submit a formal response to an allegation of unauthorized use, reuse or disclosure.
Submit a corrective action plan with steps designed to mitigate the ill-effects of and prevent any future unauthorized uses, reuses or disclosures.
Return or destroy the Data specified in this Agreement.
In the event the Requesting Organization discovers any use, reuse or disclosure of the aforesaid Data file(s) that may be in violation of this Agreement, the Requesting Organization affirms that it will report the incident or breach by email to both the CMS IT Service Desk (cms_it_service_desk@cms.hhs.gov) and the CMS DUA Mailbox (DataUseAgreement@cms.hhs.gov) within one hour of discovery and cooperate fully in the federal security incident response. While CMS retains all ownership rights to the data file(s), as outlined in section 2 of this Agreement, the Requesting Organization agrees to bear the cost of and liability for any incidents involving or breaches of Personally Identifiable Information and/or Protected Health Information from the Data while they are entrusted to the Requesting Organization. Furthermore, if CMS determines that the risk of harm requires notification of affected individual persons of the security incident or breach and/or other mitigation activities, the Requesting Organization affirms as a condition of receiving the Data that it will carry out those CMS-defined notifications and/or mitigation activities without cost to CMS or its Beneficiaries.
Penalties: The Requesting Organization acknowledges that penalties under section 1106(a) of the Social Security Act (42 U.S.C. § 1306(a)), including possible imprisonment, may apply with respect to any disclosure of information in the Data(s) that is inconsistent with the terms of the Agreement. The Requesting Organization further acknowledges that criminal penalties under the Privacy Act (5 U.S.C. § 552a(i)(3)) apply if it is determined that the Requesting Organization, or any individual employed or affiliated therewith, knowingly and willfully obtained the data file(s) under false pretenses. In addition, the Requesting Organization acknowledges criminal penalties under 42 U.S.C. § 290dd-2(f) and 18 U.S.C. § 641.
Entire Agreement; Amendment: This Agreement, including all attachments, constitutes the entire agreement between the parties. Any amendments to the attachments are incorporated herein by reference. In the event of a conflict between this Agreement and any attachments, the terms of this Agreement will control.
By clicking “Submit,” I attest that I am a representative of the Requesting Organization (Requester) and am authorized to legally bind the Requesting Organization listed in the LDS Data Request Application and agree to all the terms specified herein.
Attachments:
Attachment A – LDS Data Request Application
Attachment B - LDS Request Worksheet
Attachment C - Data Management Plan Self-Attestation Questionnaire (DMP SAQ)
Attachment D - Signature Addendum
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | James Krometis |
File Modified | 0000-00-00 |
File Created | 2025-06-18 |