Limited Data Set (LDS) Data Use Agreement (DUA)
This Data Use Agreement (Agreement) is entered into by and between the Centers for Medicare &
Medicaid Services (CMS), a component of the U.S. Department of Health and Human Services (HHS), and
the requesting organization requesting data from CMS (Requesting OrganizationRequester). This
Agreement covers the CMS Limited Data Set (LDS) files that the Requesting Organization you requested
from CMS and the corresponding purposes for their use, as specified in the CMS Enterprise Privacy Policy
Engine (EPPE) system.
1. CMS LDS Data Request: CMS agrees to provide the Requesting Organization Requester with the
LDS data files specified in the LDS Request Application, set forth in AppendixAttachment A,
which reside in a CMS Privacy Act System of Records (SOR). In exchange, the Requesting
Organization Requester agrees to:
a. Pay any applicable fees;
b. Use the LDS data, including any back-up data or derivative data (collectively, the Data)
only for purposes that support the Requesting OrganizationRequester’s research project,
as specified in the LDS Request Application, which CMS has determined to be valuable in
helping CMS monitor, manage, and/or improve the quality of life for Medicare
beneficiaries/Medicaid recipients/Health Insurance Exchange consumers (collectively,
Beneficiaries) or improve the administration of CMS programs;
c. Publish the research results to a medium that is publicly available; and
d. Ensure the integrity, security, and confidentiality of the Data by complying with the
terms of this Agreement and any applicable law(s), including the Privacy Act of 1974 (5
U.S.C. § 552a) and the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy Rule, (45 C.F.R. Part 160 and Part 164, Subparts A and E).
2. Data Ownership: The parties mutually agree that CMS retains all ownership rights to the Data
specified in the Agreement, and that the Requesting Organization Requester may only use and
redisclose the Data as described in this Agreement. The parties further agree that CMS makes no
representation or warranty, either implied or express, with respect to the accuracy of the Data.
The Requesting Organization Requester acknowledges that CMS receives this Data for
operational purposes and that certain Data may not provide complete information. CMS is not
liable for any damages or loss resulting from errors in information provided to the Requesting
Organization Requester under this Agreement.
3. Requesting Organization Requester Requirements: Upon execution of this Agreement, the
Requesting Organization Requester represents and warrants the following:
a. The Data requested will be used solely for research as defined in 45 C.F.R. § 164.501
and as described in the LDS Request Application. The Data may not be redisclosed to
any party as specified in section 6 of this Agreement. The Requesting
OrganizationRequester may make modifications to the LDS Request Application by
submitting a request and receiving CMS approval.
b. The Data may only be used, accessed, viewed, or received by the Requesting
OrganizationRequester, Data Custodian, Data Recipient, or other data users under the
direct oversight of the Data Custodian. The parties acknowledge that the Requesting
Organization as well as the individuals acting as the Requesting OrganizationRequester,
Data Custodian and Data Recipient are set forth in the Attachment DE, entitled
“Signature Addendum.” Data users from outside/collaborating organizations must have
their organization added as a Collaborating Organization to the Agreement and be under
the direct oversight of the Data Custodian in order to use, access, or view the Data.
c. The LDS Request Application contains a detailed description of the entirety of the
research and describes how the research could not practicably be conducted without
the Data, and that the Data is the minimum necessary to achieve the stated research
purpose(s).
d. As described in the LDS Request Application, the researcher believes that the study
demonstrates the potential to improve the quality of life for Medicare
beneficiaries/Medicaid recipients/Health Insurance Exchange consumersBeneficiaries or
improve the administration of CMS programs.
e. As described in the LDS Request Application, the researcher believes that the research
will contribute to generalizable knowledge as set forth in the HIPAA definition of
“research” at 45 C.F.R. § 164.501, and the researcher has established a viable plan for
the public dissemination of the research findings.
f. The Data may not be disclosed to any party, except as specified in sections 2, 3, and 6 of
this Agreement.
g. The researcher has an adequate plan to destroy the Data, in accordance with Section 8
of this Agreement.
h. If commercial products or tools will be created from the research findings, the
researcher must provide detailed information on the products or tools in the LDS
Request Application.
i. The facts and statements made as part of LDS Request Application are a complete and
accurate description of the use(s) to which the Data will be put if the requested
disclosure is approved by CMS.
4. Identification of Beneficiaries: As a condition of its receipt of the Data specified in section 3, the
Requesting Organization Requester affirms that it will:
a. Not use any Data received under this Agreement or allow others to use such Data, either
alone or in combination with other available data, to identify, contact or attempt to
identify or contact any individual Beneficiaries;
b. Absent express written permission from CMS, the Requesting Organization agrees not to
link or attempt to link Beneficiary-level records included in the Data file(s) listed in EPPE
to any other source of information;
c. Ensure that its own use, and any contractors, agents, and/or collaborators use, of any
Data received under this Agreement and other documents governing this Data in the
creation of any document (manuscript, table, chart, study, report, etc.) will be de-identified under the HIPAA Privacy Rule as described at 45 C.F.R. § 164.514(b) and
adhere to CMS policy for cell size suppression. This policy stipulates that no
Beneficiary(ies)-related data cell (e.g., admittances, discharges, patients) with a size of 1-10 will be used in publication or other forms of dissemination; and
d. Ensure that no percentages or other mathematical formulas will be used in publications
or other forms of dissemination if they result in the display of a Beneficiary(ies)-related
data cell with a size of 1-10.
5. Identification of Providers or Suppliers: As a condition of its receipt of the Data, specified in
section 3 the Requesting Organization Requester further affirms that it will:
a. Comply with the terms and conditions of this Agreement and any other agreement
relevant to the information at issue, including ensuring that any provider- or supplier-identifiable information (including individual physician-level data) that is published or
otherwise disseminated, will be patient de-identified data as that concept is understood
under the HIPAA Privacy Rule’s definition of de-identified data at 45 C.F.R. § 164.514(b)
and CMS policy reflected in section 45(b) of this Agreement, and ensure that no Tax
Identification Numbers (TINs) will be used in publications or other forms of
dissemination.
b. Absent express written authorization permission from CMS, the Requester agrees not to
link or attempt to link Beneficiary-level records included in the Data file(s) listed in EPPE
to any other source of information.
6. Use and Disclosure of Data: The Requesting Organizationer agrees to not use or further disclose,
market, release, show, sell, rent, lease, loan, or otherwise grant access to the Data specified in
the LDS Request Application, except as permitted by sections 2, 3, 4, 4 5, and 6 of this
Agreement or as otherwise required by law. The Requesting Organizationer is not authorized to
use or further disclose the information in a manner that would violate the requirements of 45
C.F.R. § 164.514(e)(4)(ii)(A), if done by CMS.
7. Retention of Data: The parties mutually agree that the Data may only be retained by the
Requesting Organizationer for one year following the date the this Agreement is approved by
CMS in EPPEis finalized, hereinafter known as the “Expiration Date.” However, should the
purpose specified in section 3the LDS Request Application be completed prior to that date, the
Requesting Organizationer affirms that it will notify CMS within 30 days of such completion, at
which time the Expiration Date of the DUA Agreement will become the date specified in such
notice. The Requesting Organization Requester may request to extend the Expiration Date of the
DUAAgreement, but each request may only be to extend the DUA Agreement by up to one year.
Such extension must be approved by CMS and will only allow continued use of the approved
Data for the research as described in the LDS Request Application.
8. Destruction of Data: The Requesting Organization Requester must destroy all Data by the
Expiration Date specified in the LDS Request Application. Such destruction must include any
original, derivative, or back-up files. The Requesting Organization Requester may retain
aggregate data results for its own use beyond the Expiration Date if such Data is de-identified in
accordance with 45 C.F.R. § 164.514(b) and complies with the limits in this section and those in
sections 3, 5 and 6 of this Agreement. For all other Data, the Requesting Organization
Requester agrees to complete the required destruction and attestation of destruction within 30
days of the Expiration Date.
9. Security Requirements: If the Requesting Organization Requester is receiving Data that is
not aggregated and de-identified as described in 45(b) and (c) above, the Requesting
Organization Requester agrees to, and will submit with the request, a Data Management Plan
Self-Attestation Questionnaire (DMP SAQ), as set forth in AppendixAttachment C, with CMS that
ensures the Requesting Organization Requester adheres to the appropriate administrative,
technical, and physical safeguards to protect the confidentiality of the Data and to prevent
unauthorized use, access to, or disclosures of the Data in accordance with this Agreement and
applicable law.
10. Agents: The Requesting Organization Requester will contractually bind any contractors,
agents, and/or collaborators (collectively, Agents) to the same terms and conditions of this
Agreement prior to granting them access to the Data and limit such access to that required to
carry out the project described in the LDS Request Application. The Requesting Organization
Requester further agrees that access to the Data will be limited to the minimum amount of data
and minimum number of individuals necessary to achieve the purpose specified in section
3stated ofin the Agreementthe LDS Request Application.
11. Violation of the Terms of this Agreement: The Requesting Organization Requester agrees
that in the event CMS determines or has a reasonable belief that the Requesting Organization
Requester or its Agents, have made or may have made a use, reuse, or disclosure of the Data
that is not authorized by this Agreement, the Requesting Organization Requester will cease use
of all Data specified in this Agreement while CMS investigates the potential incident or violation.
As part of its investigation, the Requesting Organization Requester agrees that CMS, in its sole
discretion, may require the Requesting Organization Requester to:
a. Promptly investigate and report to CMS the Requesting OrganizationRequester’s
determinations regarding any alleged or actual unauthorized use, reuse or disclosure of
Data.
b. Promptly resolve any problems identified by the investigation.
c. If requested by CMS, submit a formal response to an allegation of unauthorized use, reuse or
disclosure.
d. If requested by CMS, submit a corrective action plan with steps designed to mitigate the ill-effects of and prevent any future unauthorized uses, reuses or disclosures.
e. If requested by CMS, return or destroy the Data specified in this Agreement.
In the event the Requesting Organization Requester discovers any use, reuse or disclosure of the
aforesaid Data file(s) that may be in violation of this Agreement, the Requesting Organization
Requester affirms that it will report the incident or breach by email to both the CMS IT Service
Desk (cms_it_service_desk@cms.hhs.gov) and the CMS DUA Mailbox
(DataUseAgreement@cms.hhs.gov) within one hour of discovery and cooperate fully in the
federal security incident response. While CMS retains all ownership rights to the data file(s), as
outlined in section 2 of this Agreement, the Requesting Organization Requester agrees to bear
the cost of and liability for any incidents involving or breaches of Personally Identifiable
Information (PII) and/or Protected Health Information from the Data while they are entrusted to
the Requesting OrganizationRequester. Furthermore, if CMS determines that the risk of harm
requires notification of affected individual persons of the security incident or breach and/or
other mitigation activities, the Requesting Organization Requester affirms as a condition of
receiving the Data that it will carry out those CMS-defined notifications and/or mitigation
activities without cost to CMS or its Beneficiaries.
12. Penalties: The Requesting Organization Requester acknowledges that penalties under
section 1106(a) of the Social Security Act [42 U.S.C. § 1306(a)], including possible
imprisonment, may apply with respect to any disclosure of information in the Data(s) that is
inconsistent with the terms of the Agreement. The Requesting Organization Requester further
acknowledges that criminal penalties under the Privacy Act [5 U.S.C. § 552a(i)(3)] apply if it is
determined that the Requesting Organization, Requester, or any individual employed or affiliated
therewith, knowingly, and willfully obtained the data file(s) under false pretenses. In addition,
the Requesting Organization Requester acknowledges criminal penalties under 42 U.S.C. §
290dd-2(f) and 18 U.S.C. § 641.
13. Entire Agreement; Amendment: This Agreement, including all attachmentsappendices,
constitutes the entire agreement between the parties. Any amendments to the appendices
attachments are incorporated herein by reference. In the event of a conflict between this
Agreement and any appendicesany attachments, the terms of this Agreement will control.
14. By agreeing to the Terms and Conditions andBy clicking “Submit,” I you attest that I am a
representative of the Requesting Organization (Requester) and am you are authorized to legally
bind the Requesting Organization Requester listed in the LDS Data Request Application and agree
to all the terms specified herein.
APPENDICESAttachments
Appendix Attachment A – LDS Data Request Application
Appendix Attachment B - LDS Request Worksheet
Appendix Attachment C - Data Management Plan Self-Attestation Questionnaire (DMP SAQ)
Appendix Attachment D: LDS Reuse
Appendix Attachment ED -: Signature Addendum
File Type | application/pdf |
Author | James Krometis |
File Modified | 2025-05-23 |
File Created | 2025-05-23 |