Federal Regulations Relating to the Release of CMS Data



Data with beneficiary or physician identifiers are subject to the Privacy Act of 1974, HIPAA, and other Federal government rules and regulations. As such, the information is confidential and is to be used only for reasons compatible with the purpose(s) for which the data are collected.  CMS maintains a list of all the data that CMS collects and the provisions of release within the “Systems of Records” (SOR).  For each System of Record, CMS provides the primary purpose for the data collection and the reasons under which the data can be released.

The “Research” provision of release governs how external entities can request the use of CMS data. A Summary of the HIPAA Privacy Rule provides an overview of HIPAA and states under the “Permitted Uses and Disclosures” section that “‘Research’ is any systematic investigation designed to develop or contribute to generalizable knowledge.” The privacy level of the requested file (identifiable or limited data set) determines the documentation that is required and the review process.

Research Identifiable Files (RIF)

RIF data contain beneficiary-level protected health information (PHI). Requests for RIF data require a Data Use Agreement (DUA) and are reviewed by CMS’s Privacy Board to ensure that the beneficiary’s privacy is protected and the need for identifiable data is justified. Further, CMS provides the criteria for the release of CMS identifiable data, which give researchers a list of how the data can be used and what the CMS Privacy Board expects as part of the data request.

Limited Data Sets (LDS)

LDS files are defined by HIPAA as “…protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.” (Found under the “Permitted Uses and Disclosures” section of the Summary of the HIPAA Privacy Rule.)

Public Use Files (PUF)

A PUF, also known as a Non-Identifiable File, is a file that has been stripped of any personal identifying information.  PUFs provide aggregate or summarized information on utilization, payment, and/or charges.  Because a PUF does not include protected health information, these files can be requested and used without a Data Use Agreement (DUA).

This work was performed under CMS Contract Number HHSM-500-2005-00027I.