CMS's Data Privacy Safeguard Program (DPSP)

Purpose

The Centers for Medicare & Medicaid Services (CMS) seeks to ensure the protection of CMS data disclosed to external organizations for research purposes. To accomplish this, CMS has developed the Data Privacy Safeguard Program (DPSP). The DPSP reflects the CMS priorities to both improve data stewardship and to protect the privacy and security of CMS research identifiable files (RIF) that are made available for conducting important research studies.

Current Version Date:
09/25/2023
Overview of the DPSP

To document the security and privacy controls that have been implemented by the research organization, CMS requires the research organization to complete an evidence-based data management plan, now known as the Data Management Plan Self-Attestation Questionnaire (DMP SAQ). The DMP SAQ asks research organizations to attest that the organization complies with CMS ARS security and privacy controls imbedded within the questionnaire. The primary function of the DPSP is to review and audit requesters' DMP SAQ submissions and provide guidance to researchers on how to implement effective, reasonable, and appropriate measures that protect CMS data. Other functions of the DPSP include training, education, and guidance.

The DPSP has prepared several supporting documents to help organizations complete the DMP SAQ including the DMP SAQ Requirements & Guidance for Security & Privacy Controls.

Additional DMP SAQ instructions documents and an FAQ can be found here and include the following:

Additional Assistance

The DPSP team is available to assist when organizations have questions that cannot be answered by the guidance materials. The DPSP team can be reached at dpsp@cms.hhs.gov.