Updated research request forms and data security approval requirement effective 4/24/23
Data with personal identifiers are subject to the Privacy Act of 1974, HIPAA, and other Federal government rules and regulations. As such, CMS treats beneficiary information as confidential. CMS maintains a list of all the data it collects, called the “Systems of Records” (SOR). For each System of Record, CMS provides the primary purpose for the data collection and the reasons under which the data can be released.
The “Research” release provision allows external entities to request CMS data. Research is defined by the Privacy Act (45 CFR 164.501) as “…a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”
Research Identifiable Files (RIF)
Research Identifiable Files contain beneficiary-level protected health information (PHI). Requests for RIF data require a Data Use Agreement (DUA) and a CMS Privacy Board review. The CMS Privacy Board members review the request to ensure that the data are adequately protected, the need is justified, and the request meets CMS criteria for release, which outline how the data can be used.
Limited Data Sets (LDS)
LDS files are defined by the Privacy Act (45 CFR 164.514(e)(2)) as “…protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:…” The Privacy Act lists sixteen different personal identifiers that must be excluded from a limited data set, such as name, address, telephone number, and Social Security number. Requests for a limited data set for research purposes require an LDS DUA, but do not go through a CMS Privacy Board review.
Public Use Files (PUF)
A Public Use File (PUF), also known as a Non-Identifiable File, is a file that has been stripped of any personal identifying information. PUFs provide aggregate or summarized information. Because a PUF does not include protected health information, it can be requested and used without a Data Use Agreement (DUA).