Please review our "What's New" page to find out how CMS Data Use Agreements (DUA) have changed recently including the reassignment of DUA expiration dates.

What are Data Use Agreements (DUA)?  The Privacy Act of 1975 requires the Centers for Medicare & Medicaid Services (CMS) to account for all disclosures of personally identifiable information (PII).  CMS uses the DUA to account for all such disclosures.  This Privacy web site provides all the relevant information regarding CMS DUAs, the CMS Privacy Office and CMS' System of Records.

ResDAC (Researcher Data Assistance Center) is a CMS contractor that provides free assistance to anyone interested in using Medicare and/or Medicaid data for their project/study. All requests from Providers and Researchers must be submitted via ResDAC for submission to CMS. Contact ResDAC via:

Expired DUAs -- any organization requesting CMS data that has an EXPIRED CMS DUA will not receive authorization to obtain any new data until their expired DUA has been resolved. See the link to the left for DUA Extensions and Closures.

The "Privacy" web pages provide the processes for requesting CMS data that contains PII and that is protected by the Privacy Act of 1974 and/or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and which is releasable to:

            1. Oversight Agencies 

            2. Federal Agencies (and their Contractors)

            3. State Agencies

            4. Researchers (Academic Institutions/Private Sector/Providers)

CMS policy regarding the use of Medicare and Medicaid data is to maximize the amount of data that is available while assuring adherence to data security requirements that protect the interests of our Medicare and Medicaid beneficiaries and individual physicians.  

            1. Limited Data Sets (LDS)

            2. Disproportionate Share Hospital (DSH) Rate Data

            3. Identifiable Data

            4. Eligibility Database (EDB) Customized State File

            5. Long Term Care Minimum Data Set (LTCMDS)

            6. Outcome and Assessment Information Set (OASIS)  

Security Incidents - Known or suspected security incidents involving CMS data must be reported immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to  Even if you are not positive, but only suspect that it might be a security incident, you must still submit a report and allow the experts to determine whether or not it is a security incident.  Any suspected loss or unauthorized disclosure of CMS data protected by the Privacy Act must be reported immediately.  For additional information, refer to the "Privacy Act Implementation & Breach Notification Policy".