CMS's Data Privacy Safeguard Program (DPSP)

To document the security and privacy controls that have been implemented by the research organization, CMS requires the research organization to complete an evidence-based data management plan, now known as the Data Management Plan Self-Attestation Questionnaire (DMP SAQ). The DMP SAQ asks research organizations to attest that the organization complies with CMS ARS security and privacy controls imbedded within the questionnaire. The primary function of the DPSP is to review and audit requesters' DMP SAQ submissions and provide guidance to researchers on how to implement effective, reasonable, and appropriate measures that protect CMS data. Other functions of the DPSP include training, education, and guidance.

The DPSP has prepared several supporting documents to help organizations complete the DMP SAQ including the DMP SAQ Requirements & Guidance for Security & Privacy Controls.

Additional DMP SAQ instructions documents and an FAQ can be found here and include the following:

• How to Establish a DMP SAQ
• How to Prepare for a DMP SAQ
• The DMP SAQ Process - Start to Finish
• How to Renew a DMP SAQ
• Crosswalking the DMP to the DMP SAQ
• How to Update the DMP SAQ
• How to Identify the Data Custodian for the DMP SAQ
• DMP SAQ Frequently Asked Questions

The DPSP team is available to assist when organizations have questions that cannot be answered by the guidance materials. The DPSP team can be reached at dpsp@cms.hhs.gov.