What's New

Data Use Agreement (DUA) Training, is available as listed below. No advanced registration is required. 

Test your connection to the webinar site here           

Tentatively in July 2012 we will provide webinars regarding using Digital Signatures on CMS' New DUA Forms

Effective June 1, 2012, all DUA request submissions must follow the new e-mail Subject line instructions outlined on the DUA-Forms page.

Effective March 16, 2012, CMS now has available for release the Disproportionate Share (DSH) data for 2006-2009.  Please follow the new requesting directions outlined on the DUA-DSH page. 

Effective January 1, 2012, all DUA requests must be submitted via e-mail to DataUseAgreement@cms.hhs.gov with any required documentation signed and attached to the e-mail.  

    a)  This includes all requests for new DUAs, changes to the Requestor/Custodian(s), updates to the files included in the DUA, and DUA extension and closure requests.  The signed and scanned documentation may be attached to the e-mails as .pdf .jpg .tif or .bmp images.  

    b)  Hardcopy requests will no longer be accepted and will be returned to the Custodian listed on the request.  

    c)  DUAs for federal agencies, federal grantees and CMS contractors, please follow the new requesting directions as provided on the DUA - Federal Contracts-Grants page.  

    d)  DUAs for States, excluding their own individual research studies, must route their e-mail through their appropriate CMS Regional Offices.  

    e)  CMS will not accept requests which have been uploaded and encrypted to a third-party vendor site.  If you wish to protect the documents from unauthorized disclosure, you probably already have the capability to password protect or encrypt your documents using your operating software compression utility (e.g. WINzip) or your desktop software (e.g. MS-Office).  Refer to your organization's information technology (IT) support services for assistance.  

    f)  New and update requests by researchers, excluding LDS requests, must continue to be routed through ResDAC via:

• e-mail ResDAC@umn.edu
• toll-free 1-888-973-7322
• on-line www.ResDAC.org

Effective October 1, 2011, the CMS policy for DUA expiration dates has changed.  CMS has determined that in response to the ever increasing cyber attacks against computer systems/networks operated by the Federal government as well as the private sector, CMS is refining and further restricting our policy for the retention of CMS data via a DUA. The new DUA policy stipulates that:

1. All DUAs will have an expiration date, regardless of the type of DUA, no exceptions
2. All DUAs will have an initial expiration date of no more than 365 days from the creation date
3. All DUAs must be revalidated annually by the DUA Requestor stating that the data continues to be needed for their Project/Study as originally requested
4. All DUA extensions will be granted for no more than 365 days from the current date
5. There will no longer be a maximum number of allowable extensions for a DUA as long as item #3 above is validated annually
6. Currently open DUAs that previously had an expiration date on or after October 2, 2012 have been assigned/reassigned with a new expiration date on or before October 1, 2012.

Please follow the new requesting directions for DUA extensions and closures outlined on the DUA - Extensions & Closures page.

The CMS Policy for Privacy Act Implementation and Breach Notification regarding DUA expiration dates is currently under revision and will be available soon.  

Effective July 1, 2011, CMS implemented the Data Privacy Safeguard Program (DPSP).  The DPSP will affect any requests for CMS data from Providers and Researchers.  The DPSP reflects CMS' priorities to both improve data stewardship and protect CMS data containing personally identifiable information (PII).  The DPSP consists of two main components, the first being a revised Data Management Plan which is part of the Executive Summary. The second component of the DPSP is for CMS to conduct a number of ongoing remote and on-site reviews. External organizations that are selected for reviews will be notified in advance. Selection of sites for review will be based on such factors as the scope and use of the data as described in the Data Management Plan.  Contact ResDAC for further information.

Effective May 1, 2011, CMS implemented a nominal administrative fee of $600.00 for all new Limited Data Set (LDS) reuse or re-release DUAs.  Please follow the new requesting directions as outlined on the DUA - Limited Data Sets (LDS) page.

Effective January 1, 2011, CMS will now accept submission of documentation for DUAs via e-mail.  See the entry above for January 1, 2012.   

Effective March 1, 2010, CMS is requiring all payments for CMS data files to be submit via www.Pay.gov.  Pay.gov was developed for making secure electronic payments to Federal Government Agencies.  If payment for your data is required, after your DUA has been processed, you will receive instructions for making your payment using Pay.gov.

Effective January 1, 2009, CMS data Reuse Policies changed. This policy only applies to files with PII.  Many researchers request permission to reuse CMS data from one study to another.  Due to security issues, CMS no longer permits a Researcher to reuse data originally acquired by another organization (cross-institutional reuse).  For more information see the DUA - Reuse page.