Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Limited Data Set (LDS) Files: General Information and Policies

Guidance for Limited Data Set Files : General information, Policies and registration instructions

Issued by: Centers for Medicare & Medicaid Services (CMS)

Issue Date: June 30, 2020

LDS: General Information

The Centers for Medicare & Medicaid Services (CMS) makes Limited Data Set (LDS) files available to researchers as allowed by federal laws and regulations as well as CMS policy. LDS files contain beneficiary-level health information and are considered identifiable files, but they do not contain specific direct identifiers as defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. For information on available LDS files, please visit the CMS LDS website at /Research-Statistics-Data-and-Systems/Files-for-Order/LimitedDataSets/index

All disclosures of LDS files require a signed LDS Data Use Agreement (DUA) between CMS and the LDS requester. Requesters are also required to provide a research purpose as part of their request. The research purpose must relate to projects that could improve the U.S. healthcare delivery system. This includes projects related to improving the quality of life for CMS beneficiaries or improving the administration of CMS programs, including payment related projects and the creation of analytical reports. In addition, these research projects must contribute to generalizable knowledge. Please note, if you are requesting files for the sole purpose of commenting on CMS proposed or final rules, then your comments will fulfill the generalizable knowledge requirement.

LDS requests are submitted via a CMS tracking system called EPPE. Please refer to the EPPE registration instructions and training materials below to use EPPE to request a new LDS DUA or add LDS files to an existing LDS DUA. Questions about LDS files or the process for requesting LDS files can be sent to datauseagreement@cms.hhs.gov.

 

[Return to Top]

LDS: Policies

You must adhere to all LDS policies in the LDS DUA Form 0235L (PDF) at all times. These policies include, but are not limited to:

  1. Cell Suppression: The CMS’ cell suppression policy stipulates that no data cell (e.g., admittances, discharges, patients) less than 11 may be published or otherwise displayed. Additional guidance about the CMS cell suppression policy can be found at the following link: https://www.resdac.org/articles/cms-cell-size-suppression-policy
  2. Adding Custodians or Collaborators: It is important to note that additional Custodians or Collaborating organizations cannot be added to a DUA for the sole purpose of allowing them to view data that does not comply with the CMS cell suppression policy, including data on their own patients.  All organizations on the DUA must be involved with the actual research study as outlined in the Attachment A Study Protocol.
  3. Research and Generalizable Knowledge: CMS is permitted to disclose LDS files for research purposes. Research is defined in HIPAA as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” (See 45 CFR 164.501) CMS interprets generalizable knowledge to mean that results of the research are made publicly available. Therefore, information must be included in the Attachment A Study Protocol that describes how the results of the research will be made publicly available. Please note if you are requesting files for the sole purpose of commenting on CMS proposed or final rules, then your comments will fulfill the generalizable knowledge requirement.
  4. Data Storage: You must store your LDS data in the location you listed on your Attachment A Study Protocol.  CMS data cannot be moved unless you notify and receive approval from CMS. Please e-mail DataUseAgreement@cms.hhs.gov for additional information if you need to move LDS data.
  5. Data Copies: You may not make duplicate copies of CMS data.
  6. Data Shipping: CMS will only ship LDS data to a Requester or Custodian on the DUA, and only to an address that relates to the security requirements outlined in the Research Protocol. For all requests, a written description of how the address listed on the “Payment and Shipping” tab of the LDS worksheet meets required data security protections must be provided. Data security measures may include, but are not limited to, the following:
    • The custodian (or any other user) will not transfer CMS data to any equipment other than that provided by the custodian’s organization.
    • The new shipping address is physically secure at all times (e.g., doors and windows are locked).
    • All devices, including systems and hard drives associated with CMS data, are in a secure location when not in use (e.g., locked cabinet, safe, locked closet.).
    • The work session/laptop locks out after 15 minutes of inactivity.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.