Federal Regulations Governing the Release of CMS Data
Guidance for Federal Regulations Governing the Release of CMS Data Web Page
Issued by: Centers for Medicare & Medicaid Services (CMS)
Issue Date: January 01, 2020
Purpose
This article describes the Federal Regulations that govern the release of CMS data for research.
Data with personal identifiers are subject to the Privacy Act of 1974, HIPAA, and other Federal government rules and regulations. As such, CMS treats beneficiary information as confidential. CMS maintains a list of all the data it collects, called the “Systems of Records” (SOR). For each System of Record, CMS provides the primary purpose for the data collection and the reasons for which the data can be released.
The “Research” release provision allows external entities to request CMS data. Research is defined by the Privacy Act (45 CFR 164.501) as “…a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”
Research Identifiable Files (RIF)
Research Identifiable Files contain beneficiary-level protected health information (PHI). Requests for RIF data require a Data Use Agreement (DUA) and a CMS Privacy Board review. The CMS Privacy Board members review the request to ensure that the data are adequately protected, the need is justified, and the request meets CMS criteria for release, which outline how the data can be used.
Limited Data Sets (LDS)
LDS files are defined by the Privacy Act (45 CFR 164.514(e)(2)) as “…protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:…” The Privacy Act lists sixteen different personal identifiers that must be excluded from a limited data set, such as name, address, telephone number, and Social Security number. Requests for a limited data set for research purposes require an LDS DUA, but do not go through a CMS Privacy Board review.
Public Use Files (PUF)
A Public Use File (PUF), also known as a Non-Identifiable File, is a file that has been stripped of any personal identifying information. PUFs provide aggregate or summarized information. Because a PUF does not include protected health information, it can be requested and used without a Data Use Agreement (DUA).
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.