Supporting Statement – Part A Data Use Agreement (DUA)
Limited Data Set (LDS) Forms
Research Identifiable Files (FIF) Forms
(CMS-R-235; CMS-0938-0734)
The Privacy Act of 1974, §552a requires the Centers for Medicare & Medicaid Services (CMS) to track all disclosures of the agency’s Personally Identifiable Information (PII). CMS is also required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Federal Information Security Management Act (FISMA) of 2002 to properly protect all Protected Health Information (PHI) data maintained by the agency and account for the disclosure of PHI.
When entities, such as academic, federal or state agency researchers or CMS contractors request CMS PII/PHI data, they enter into a Data Use Agreement (DUA) with CMS. The DUA stipulates that the recipient of CMS data must properly protect the data according to all applicable data security standards and provide for its appropriate destruction at the completion of the project/study or the expiration date of the DUA. The DUA form enables the data recipient and CMS to document the request and approval for release of CMS data. The form requires the submitter to provide the Requestor’s organization; project/study name; CMS contract number (if applicable); data descriptions and the years of the data; retention date; attachments to the agreement; name, title, contact information to include address, city, state, zip code, phone, e- mail, signature and date signed by the requester and custodian; disclosure provision; name of Federal Agency sponsor; Federal Representative name, title, contact information, signature, date; CMS representative name, title, contact information, signature and date; and concurrence/non-concurrence signatures and dates from 3 CMS System Managers or Business Owners.
CMS is permitted to disclose data files for approved research purposes in compliance with 45 CFR 164.512(i). Researchers requesting limited data set files (LDS) must, as part of the request process, complete a research request packet that provides CMS with information pertaining to the research study, including describing how the research results/findings will be disseminated, as well as the data files being requested. Should CMS approve the research request, the data requestor enters into a Data Use Agreement (DUA). This data collection is necessary to ensure that disclosures of data for research purposes comply with federal laws and regulations as well as CMS policy.
This Revision request to OMB is to update the approved collection CMS-R-235 to include the
LDS request packet, RIF request package, and the DMP SAQ. The information collected in the LDS request packet allows CMS to determine if the research disclosure complies with federal laws and regulations, as well as CMS policy. The information collected in the DMP SAQ enables CMS to evaluate researcher data systems to ensure that CMS data are adequately secured and appropriately protected, as per the Privacy Act and the HIPAA Privacy Rule.
Wage estimates in section 12 have been updated to provide the burden estimate for completion of each form within the LDS and RIF request packets and the DMP SAQ. In addition, we updated burden estimates in section 14 as there is a burden estimate for review of each form within the LDS and RIF request packets and DMP SAQ.
The Privacy Act of 1974 allows for discretionary releases of data maintained in Privacy Act protected systems of records under §552a(b) (Conditions of Disclosure). The mandate to account for disclosures of data under the Privacy Act is found at §552a(c) (Accounting of Certain Disclosures). This section states that certain information must be maintained regarding disclosures made by each agency. This information is: Date, Nature, Purpose, and Name/Address of Recipient. Section 552a(e) sets the overall Agency Requirements that each agency must meet to maintain records under the Privacy Act. The Data Use Agreement (DUA) form is needed as part of the review of each CMS data request to ensure compliance with the requirements of the Privacy Act for disclosures that contain PII. The DUA form also provides data requestors and custodians with a formal means to agree to the data protection and destruction statutory and regulatory requirements of CMS’ PII data. The Health Insurance
Portability and Accountability Act (HIPAA) of 1996, §1173(d) (Security Standards for Health
Information) requires CMS to protect Protected Health Information (PHI). Additionally, Federal Information Security Management Act (FISMA), 44 U.S.C. § 3541-3549, as amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283) also requires CMS to develop policies and procedures for the protection and destruction of sensitive data to include PII. In addition, HIPAA permits the disclosure of CMS data for research purposes if the requirements at 45 CFR 45 CFR 164.512(i) are met. The information collected in the LDS request packets ensures that CMS receives the information needed to determine whether the research disclosure complies with federal laws and regulations as well as CMS policy.
The information collected by the DUA form is used by CMS to track disclosures, conditions for disclosure, accounting of disclosures and agency requirements dictated by the Privacy Act, HIPAA and FISMA.
The information collected from the research request packet is used by CMS to ensure that research disclosures comply with federal laws and regulations as well as CMS policy.
The information collected by the DMP SAQ form is used by CMS to conduct reviews and audits to ensure that research organization’s computing environments have security and privacy controls in place to protect CMS data to comply with NIST SP 800-53, Rev. 4 and CMS 5.0.
The DUA forms for researchers requesting Limited Datasets (LDS) and the LDS request packet are completed online through the Enterprise Privacy Policy Engine (EPPE). EPPE is the system that tracks all disclosures of CMS data.
The DMP SAQ form, downloadable from the CMS website as well as provided by the Research Data Assistance Center, is completed by requesters/users of CMS data, and submitted via email to the CMS Data Privacy Safeguard Program (DPSP). The DMP SAQ form addresses the computing environment and security and privacy controls of users of CMS data based on the following frameworks: CMS Acceptable Risk Safeguards (ARS), Version 5.0, and National Institute of Standards of Technology (NIST) Special Publication (SP) 80053 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
CMS accepts digital signatures on all the forms.
4. Duplication of Efforts
This information collection does not duplicate any other effort, and the information cannot be obtained from any other source.
No special considerations are given to small businesses; however, the burden to any User/Requestor of data is minimal.
Data is collected only once at the onset of the study/project and then only again if there are changes initiated by the Requester. There are no additional means for reducing the data collection burden and still be compliant with all applicable statutory and regulatory requirements, as well as CMS policies/procedures. The information collected is necessary to make the determination whether the CMS disclosures for research purposes comply with federal laws and regulations, as well as CMS policy. Yearly, the organization will attest that there are no changes via email to the DMP SAQ.
There are no special circumstances that would require an information collection to be conducted in a manner that requires respondents to:
Prepare a written response to a collection of information in fewer than 30 days after receipt of it.
Submit more than an original and two copies of any document.
Retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.
Collect data in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study,
Use a statistical data classification that has not been reviewed and approved by OMB.
Include a pledge of confidentiality that is not supported by authority established in statute or regulation that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or
Submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
8. Federal Register/Outside Consultation
The 60-day notice published in the Federal Register 1/14/2025 (90 FR 3220).
No comments were submitted.
The 30-day notice published in the Federal Register 5/28/2025 (90 FR 22490).
9. Payments/Gifts to Respondents
There are no payments/gifts provided to respondents for their participation or usage of the forms. The DUA form is used to help CMS track disclosures, conditions for disclosure, accounting of disclosures and agency requirements. The request packets for research identifiable files (RIFs) and limited datasets (LDS) are used to ensure CMS data disclosures comply with federal laws and regulations as well as CMS policy.
The DMP SAQ, through the review of technical and physical safeguards in place at an organization, allows CMS to ensure that patient data is adequately protected, as per the Privacy Act, the Privacy Rule and CMS data release policies. The DMP SAQ must be completed prior to the release of, or access to, specified data files containing protected health information and individual identifiers. It also allows organizations to verify that they are using industry-level best practices and standards to secure data. As needed, the CMS contractor will provide additional guidance to researchers on implementing effective measures that protect CMS data.
Confidentiality
The files are maintained electronically in the Enterprise Privacy Policy Engine.
Sensitive Questions
There are no sensitive questions arising from this data collection.
Wages
To derive average costs, we used data from the U.S. Bureau of Labor Statistics’ May 2023
National Occupational Employment and Wage Estimates for all salary estimates
(https://www.bls.gov/oes/current/oes_nat.htm). In this regard, the following table presents the mean hourly wage, the cost of fringe benefits and overhead (calculated at 100 percent of salary), and the adjusted hourly wage.
Occupation Titles and Wage Rates – May 2023
Occupation Title |
Occupation Code |
Mean Hourly Wage ($/hr.) |
Fringe Benefit ($/hr.) |
Adjusted Hourly Wage ($/hr.) |
Business Ops Specialist |
13-1000 |
42.85 |
42.85 |
85.70 |
As indicated, we are adjusting our employee hourly wage estimates by a factor of 100 percent. This is necessarily a rough adjustment, both because fringe benefits and overhead costs vary significantly from employer to employer, and because methods of estimating these costs vary widely from study to study. We believe that doubling the hourly wage to estimate total cost is a reasonably accurate estimation method.
Requirements and Associated Burden:
Attachment A – LDS Request Application: This form provides information on the research study, the minimum data necessary to support the research study, and how the research results will be made publicly available. We estimate the time to complete the Request Application is 60 minutes per requester. We estimate that will take 55 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 150 LDS Request Applications for an annual total of 150 burden hours for a total annual cost burden of $12,855.
DUA Signature Addendums: Requesters are required to complete and sign the DUA
Addendum (PDF) form as part of the EPPE process. While the requester adds individuals to a DUA directly in EPPE, CMS still needs a signed copy of the DUA Addendum form for legal purposes. We estimate the time to complete the Addendum form is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 2200 (RIF, 480; LDS, 480; Contractor, 1200; Qualified Entity (QE), 10; NDTR, 30) Addendums for an annual total of 374 hours burden for a total cost burden of $32,052.
Attachment A – RIF Request Application: This form provides information on the research study, the minimum data necessary to support the research study, and how the research results will be made publicly available. We estimate that it will take 55 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 400 RIF Request Applications for an annual total of 400 burden hours for a total annual cost burden of $34,280.
RIF Data Use Agreement (DUA): Amendment Request– This form allows a requester to amend an existing DUA, such as add new data. We estimate the time to complete the Amendment Request Form is 15 minutes. We estimate it will take 10 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 600 amendment requests per year for an annual total 150 hours for a total annual cost burden of $12,855.
Certificate of Disposition (COD): This form is used to close a DUA and certify that data is destroyed. The form was updated to request information on different destruction approaches and consider the different ways to access CMS data. We estimate the time to complete the Certificates of Disposition is 10 minutes per requestor. We estimate that it will take 5 minutes to complete and submit the form and an additional 5 minutes for filing. On an annual basis, we expect to receive an average of 600 Certificates of Disposition for an annual total of 102 hours burden for a total cost burden of $8,741.40.
RIF Extension: This form is used to request an extension of a RIF DUA. A DUA is valid for one year and then requires an extension. The disclosure of data for research purposes requires the research findings contribute to generalizable knowledge. The extension form captures the research findings publication plan and where findings are published. We estimate the time to complete the extension form is 25 minutes and 5 min for filing. On an annual basis, we expect to receive 1,450 RIF DUA extension for an annual total of 725 hours burden for a total cost burden of $62,132.50.
Data Management Plan Self-Attestation Questionnaire (DMP-SAQ): The DMP SAQ will enable CMS to evaluate researcher data systems to ensure that CMS data are adequately secured and appropriately protected, as per the Privacy Act and the HIPAA Privacy Rule. The DMP SAQ Questionnaire was updated to add secondary contact information. We estimate the time to complete the DMP SAQ form is 1.5 hours. We estimate that it will take 1 hour and 25 min to complete the form and 5 min for filing. On an annual basis, we expect to receive an average of 1,000 DMP SAQ forms for an annual total of 1,500 hours burden for a total cost burden of $128,550.
Burden Summary
Summary |
# of Respondents |
Responses (per Respondent) |
Total Responses |
Time (per response hours) |
Total Time (hours) |
Labor Rate ($/hr) |
Total Cost ($) |
Attachment A - LDS |
150 |
1 |
150 |
1 |
150 |
85.7 |
12,855 |
LDS DUA |
350 |
1 |
350 |
0.17 |
59.5 |
85.7 |
5,099 |
Signature Addendums |
2200 |
1 |
2200 |
0.17 |
374 |
85.7 |
32,052 |
DMP-SAQ |
1,000 |
1 |
1,000 |
1.5 |
1,500 |
85.7 |
128,550 |
RIF Extension |
1450 |
1 |
1450 |
0.5 |
725 |
85.7 |
62,133 |
Attachment A – RIF Application |
400 |
1 |
400 |
1 |
400 |
85.7 |
34,280 |
RIF - Amendment |
600 |
1 |
600 |
0.25 |
150 |
85.7 |
12,855 |
State Agency Supplement |
5 |
1 |
5 |
0.33 |
1.65 |
85.7 |
141 |
Innovator Supplement |
100 |
1 |
100 |
0.5 |
50 |
85.7 |
4,285 |
Collaborator Supplement |
500 |
1 |
500 |
0.33 |
165 |
85.7 |
14,141 |
Key Personnel |
400 |
1 |
400 |
0.33 |
132 |
85.7 |
11,312 |
COD |
600 |
1 |
600 |
0.17 |
102 |
85.7 |
8,570 |
TOTAL |
7755 |
12 |
7755 |
6.25 |
3,810 |
|
326,273 |
13. Capital Costs
There is no capital cost associated with preparing the Application or Reapplication.
To derive average costs, we used the General Schedule (GS) 13 step 5 pay scale with locality pay adjustment for the Washington/Baltimore/Northern Virginian (https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salarytables/pdf/2024/DCB.pdf). In this regard, the following table presents the mean hourly wage, the cost of fringe benefits (calculated at 100 percent of salary), and the adjusted hourly wage.
Occupation Titles and Wage Rates
Occupation Title |
Mean Hourly Wage ($/hr.) |
Fringe Benefit ($/hr.) |
Adjusted Hourly Wage ($/hr.) |
GS-13 (Step 5) |
64.06 |
64.06 |
128.12 |
The total burden for the federal government being requested in this package is $10,814 with a total hour burden to CMS staff of 84.41.
The total cost burden for respondents being requested in this package is $326,273 and the total hour burden of 3,707. The total burden for the federal government being requested in this package is $10,814 with a total hour burden to CMS staff of 84.41.
The burden to respondents has increased as follows:
Cost - $309,800.73 to $326,273, an increase of $16,473
Time (hours) – 3,876 to 3,809, a decrease of 66 hours
The increased cost burden to the federal government reflects the use of the 2024 GS rate pay tables for federal employees. There are changes that impact the time burden for respondents and the federal government. First, the number of DUA forms has increased to include the forms in the research request packet that provide CMS with information pertaining to the research study. The language in the LDS DUA has been revised to clarify CMS data release policies, rules, regulations, and updated data security requirements. Second, this package includes the addition of six (6) new forms: Signature Addendums for all five (5) types of DUAs, and the Attachment A - LDS DUA Request Application. The new Signature Addendums will be used in place of the soon-to-be discontinued general DUA Signature Addendum. The new addendums were created and tailored to accompany specific types of DUAs, versus a general version used for all DUAs. Each type of DUA requires different forms, and not all forms in this package will be used when a respondent submits a DUA request.
Publication/Tabulation Dates
There are no publication and tabulation dates associated with this collection.
Expiration Date
The expiration date will be displayed once approved.
There are no exceptions to the certification statement.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | CMS |
| File Modified | 0000-00-00 |
| File Created | 2025-06-18 |