Form Cms R 0235St – Fill Out and Use This PDF

	DEPARTMENT OF HEALTH AND HUMAN SERVICES	Form Approved
	CENTERS FOR MEDICARE & MEDICAID SERVICES	OMB No. 0938-0734
		DATA USE AGREEMENT

BETWEEN CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS)

AND THE STATE OF_____________________________________

AGREEMENT FOR USE OF CMS DATA

CONTAINING INDIVIDUAL-SPECIFIC INFORMATION

In order to secure data that resides in a CMS Privacy Act System of Records, and in order to ensure the integrity, security, and confidentiality of information maintained by CMS, and to permit appropriate disclosure and use of such data as permitted by law, CMS and _______________________________, enter into this

agreement to comply with the following specific paragraphs.

1.This Agreement is by and between CMS, a component of the U.S. Department of Health and Human Services (DHHS), and ___________________________, hereinafter termed “User.”

2.This Agreement addresses the conditions under which CMS will disclose and the User will obtain and use the CMS Enrollment Database (EDB) Customized State File specified in section 5. This Agreement supersedes any and all agreements between the parties with respect to the use of the EDB Customized State File, and preempts and overrides any instructions, directions, agreements, or other understanding in or pertaining to any grant award or other prior communication from the Department of Health and Human Services or any of its components with respect to the data specified herein. Further, the terms of this Agreement can be changed only by a written modification to this Agreement, or by the parties adopting a new agreement. The parties agree further that instructions or interpretations issued to the User concerning this Agreement or the data specified herein, shall not be valid unless issued in writing by the CMS point- of-contact specified in section 18, or the CMS signatory to this Agreement shown in section 18.

3.The parties mutually agree that CMS retains all ownership rights to the data file(s) referred to in this Agreement, and that the User does not obtain any right, title, or interest in any of the data furnished by CMS.

4.The User represents, and in furnishing the EDB Customized State File, CMS relies upon such representation, that this file(s) will be used solely for the purpose(s) outlined below.

The EDB Customized State File is used for the following:

A.To enable the User to identify Medicare individuals who are potentially eligible for inclusion in a State Buy-In account, including Qualified Medicare Beneficiaries (QMBs), and

B.To identify Medicare/Medicaid dually eligible individuals for whom Medicaid has secondary payer liability by:

(1)Obtaining a beneficiary’s correct health insurance claim number (HICN),

(2)Verifying a beneficiary’s name, date of birth and address, social security number, State buy-in code, Railroad Board indicator code,

(3)Avoiding duplicate claims payments by screening pre-payment of Medicaid claims, and

(4)Enabling recoupment of payments by reviewing post payment of Medicaid claims.

C.To support the development of risk adjustment factors which are a necessary element in establishing capitation rates or prospective payment levels, and which contribute to sound fiscal planning and the evaluation of future program initiatives.

The User represents further that, except as specified in an Enclosure to this Agreement or except as CMS shall authorize in writing, the User shall not disclose, release, reveal, show, sell, rent, lease, loan, or otherwise grant

Form CMS-R-0235ST (03/06)

1

access to the data covered by this Agreement to any person(s). The User agrees that, within the User organization, access to the data covered by this Agreement shall be limited to the minimum number of individuals necessary to achieve the purpose stated in this section and to those individuals on a need-to-know basis only.

Disclosure of this data is made pursuant to:

ｳ฀ Freedom of Information Act (5 U.S.C. Section 552) ｳ฀ Privacy Act (5 U.S.C. Section 552a)

ｳ฀ Section 1106 of the Social Security Act (42 U.S.C. Section 1306)

ｳ฀ Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503) ｳ฀ Section 1843 of the Social Security Act (42 U.S.C. Section 1395v)

5.CMS will provide the User with the EDB Customized State File, which is an extract from the Health Insurance Master Record (HIMR), System Number 09-07-0502. CMS warrants that the file is accurate to the extent possible. Beneficiaries included in the EDB Customized State File will vary from State to State depending on the number of Medicare beneficiaries residing in the State, present or past and on the size of the finder file submitted for the given month. The following files are covered under this Agreement:

FILE	YEAR(S)
EDB Customized State File	Current

6.The parties mutually agree that the aforesaid file(s) (and/or any derivative file(s) [includes any file that maintains or continues identification of individuals]) may be retained by the User only for the period of time required for any processing related to matching under this Agreement. The User agrees to notify CMS within 30 days of the completion of the purpose specified above in section 4. Upon such notice, CMS will notify the User either to return all data files to CMS at the User’s expense, or to destroy such data. If CMS elects to have the User destroy the data, the User agrees to certify the destruction of the files in writing within 30 days of CMS’s instruction. A statement certifying this action must be sent to CMS. If CMS elects to have the data returned, the User agrees to return all files to CMS within 30 days of receiving notice to that effect. The User agrees that no data from CMS records, or any parts thereof, shall be retained when the aforementioned file(s) are returned or destroyed unless authorization in writing for the retention of such file(s) has been received from the appropriate Systems Manager or the person designated in section 20 of this Agreement. The User acknowledges that stringent adherence to the aforementioned information outlined in this paragraph is required. The User further acknowledges that the EDB Customized State File received for any previous periods, and all copies thereof, must be destroyed upon receipt of an updated version, and verification made to CMS. Certification of the destruction of these files is required in writing within 30 days of such destruction.

7.The User agrees to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of the data, and to prevent its unauthorized use or access. The safeguards shall provide a level and scope of security that is not less than the level and scope of security established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III--Security of Federal Automated Information Systems (http://www.whitehouse.gov/omb/circulars/a130/a130.html), which sets forth guidelines for security plans for automated information systems in Federal agencies. The User acknowledges that the use of unsecured telecommunications, including the Internet, to transmit individually identifiable or deducible information derived from the file(s) specified above in section 5 is strictly prohibited. Further, the User agrees that the data must not be physically moved or transmitted in any way from the site indicated above in section 17, without written approval from CMS.

8.The User agrees that the authorized representatives of CMS, DHHS Office of the Inspector General or Comptroller General, will be granted access to premises where the aforesaid file(s) are kept for the purpose of inspecting security arrangements confirming whether the User is in compliance with the security requirements specified in section 7 above.

Form CMS-R-0235ST (03/06)

2

9.The User agrees that no findings, listing, or information derived from the file(s) specified in section 5, with or without identifiers, may be released if such findings, listing, or information contain any combination of data elements that might allow the deduction of a beneficiary’s identification, without first obtaining written authorization from the appropriate System Manager or the person designated in section 20 of this Agreement. (Examples of such data elements include, but are not limited to, address, sex, age, medical diagnosis, procedure,admission/discharge dates, date of death, etc.) The User agrees further that CMS shall be the sole judge as to whether any finding, listing, or information, or any combination of data extracted or derived from CMS’s files identifies or would, with reasonable effort, permit one to identify an individual or to deduce the identity of an individual with a reasonable degree of certainty.

10.The User agrees that, absent express written authorization from the appropriate System Manager or the person designated in section 18 to do so or as outlined in this agreement, the User shall make no attempt to link records included in the file(s) specified in section 5 to any other identifiable source of information. This includes attempts to link to other CMS data files.

11.The User understands and agrees that they may not reuse original or derivative data file(s) without prior written approval from the appropriate System Manager or the person designated in section 20 of this Agreement.

12.The parties mutually agree that the following specified Enclosures are part of this Agreement: _________

______________________________________________________________________________________

______________________________________________________________________________________

13.The User agrees that in the event CMS determines or has a reasonable belief that the User has made or may have made disclosure of the aforesaid file(s) that is not authorized by this Agreement, or other written authorization from the appropriate Systems Manager or the person designated in section 18, CMS in its sole discretion may require the User to: (a) promptly investigate and report to CMS the User’s determinations regarding any alleged or actual unauthorized disclosure, (b) promptly resolve any problems identified by the investigation; (c) if requested by CMS, submit a formal written response to an allegation of unauthorized disclosure; (d) if requested by CMS, submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; and (e) if requested by CMS, return data files to CMS immediately. The User understands that as a result of CMS’s determination or reasonable belief that unauthorized disclosures have taken place, CMS may refuse to release further CMS data to the User for a period of time to be determined by CMS.

14.The User hereby acknowledges that criminal penalties under 1106(a) of the Social Security Act (42 U.S.C. 1306(a)), including a fine not exceeding $10,000 or imprisonment not exceeding 5 years, or both, may apply to disclosures of information that are covered by 1106 and that are not authorized by regulation or by Federal law. The User further acknowledges that criminal penalties under the Privacy Act (5 U.S.C. 552a(i) (3)) may apply if it is determined that the Requestor or Custodian, or any individual employed or affiliated therewith, knowingly and willfully obtained the file(s) under false pretenses. Any person found guilty under the Privacy Act shall be guilty of a misdemeanor and fined not more than $5,000. Finally, the User acknowledges that criminal penalties may be imposed under 18 U.S.C. 641 if it is determined that the User, or any individual employed or affiliated therewith, has taken or converted to his own use data file(s), or received the file(s) knowing that they were stolen or converted. Under such circumstances, they shall be fined under Title 18 or imprisoned not more than ten years, or both.

15.By signing this Agreement, the User agrees to abide by all provisions set out in this Agreement for protection of the data file(s) specified in section 5, and acknowledges having received notice of potential criminal and administrative penalties for violation of the terms of the Agreement.

Form CMS-R-0235ST (03/06)

3

16.On behalf of the User, the undersigned individual hereby attests that he or she is authorized to enter into this Agreement and agrees to all the terms specified herein. This agreement shall be effective 40 days after notice of routine use is sent to Congress and OMB, or 30 days after publication of this notice in the Federal Register, or upon signature by both parties, whichever is latest. The duration of this Agreement is two years from the effective date. The User also acknowledges that this agreement may be terminated at any time with the consent of both parties involved. Either party may independently terminate the agreement upon written request to the other party, in which case the termination shall be effective 90 days after the date of the notice, or at a later date specified in the notice.

Name/Title of User (typed or printed)

State Agency/Organization

Street Address

City	State	ZIP Code
Phone Number (including area code)	E-mail Address (if applicable)
Signature	Date

17.The parties mutually agree that the following named individual is designated as“Custodian” of the file(s) on behalf of the User, and will be personally responsible for the observance of all conditions of use and for establishment and maintenance of security arrangements as specified in this Agreement to prevent unauthorized use. The User agrees to notify CMS within fifteen (15) days of any change of custodianship. The parties mutually agree that CMS may disapprove the appointment of a custodian, or may require the appointment of a new custodian at any time.

The Custodian hereby acknowledges his/her appointment as Custodian of the aforesaid file(s) on behalf of the User, and agrees personally and in a representative capacity to comply with all of the provisions of this Agreement on behalf of the User.

Name of Custodian (typed or printed)

Company/Organization

Street Address

City	State	ZIP Code
Phone Number (including area code)	E-mail Address (if applicable)
Signature	Date

Form CMS-R-0235ST (03/06)

4

18.The parties mutually agree that the following named individual will be designated as “point-of-contact” (or “System Manager”) for the Agreement on behalf of CMS.

On behalf of CMS, the undersigned individual hereby attests that he or she is authorized to enter into this Agreement and agrees to all the terms specified herein.

Name of Custodian (typed or printed)

Company/Organization

Street Address

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938-0734. The time required to complete this information collection is estimated to average 30 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have any comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: Reports Clearance Officer, Baltimore, Maryland 21244-1850.

Form CMS-R-0235ST (03/06)

5

DEPARTMENT OF HEALTH AND HUMAN SERVICES

CENTERS FOR MEDICARE & MEDICAID SERVICES

INSTRUCTIONS FOR COMPLETING THE DATA USE AGREEMENT (DUA)

This agreement is needed in order for you to receive the Enrollment Database Customized State File to ensure compliance to the requirements of the Privacy Act, and must be completed prior to the release of file.

Directions for the completion of the agreement follow:

ｳ฀ First paragraph, enter the Name of the State Agency. ｳ฀ Item #1, enter the Name of the State Agency.

ｳ฀ Item #4, enter the Custodian Name, State Agency Department/Organization, Address, Phone Number (including area code), and E-Mail Address (if applicable). The Custodian of files is defined as that person who will have actual possession of and responsibility for the data files. This section should be completed even if the Custodian and Requestor are the same.

ｳ฀ Item #18 is to be completed by Requestor. ｳ฀ Item #19 is to be completed by Custodian.

ｳ฀ Item #20 will be completed by the CMS representative.

If you have any questions about the DUA or need any assistance completing the DUA, please contact Kim Elmo on (410) 786-0161. Submit the original signed DUA and request letter to:

Rebecca (Goldy) Rogers

S3-13-15

7500 Security Boulevard

Baltimore, MD 21244-1850

Form CMS-R-0235ST (03/06)

6