CMS Restricted-Use Data Access Procedures


The procedures described in this section support the University’s Registration and Protection of Systems Policy and Data Classification Policy with respect to the University’s obligation to safeguard data provided by the U.S. Centers of Medicare and Medicaid Services (“CMS”) to researchers at the University. Any researcher who wishes to have access to Restricted Use NCHS-CMS Medicare Data (“CMS Restricted-Use Data”) or to permit others to have access to such Data must follow these procedures. For more information on the definition of CMS Restricted-Use Data see

The Principal Investigator of a research study (“PI”), his/her department, and the department’s Executive Manager (as defined in the University Information Security Charter) are each responsible for ensuring that these procedures are followed. The department must also ensure that the relevant Certified IT Group (“CITG”) is involved.

Access to CMS Restricted-Use Data

Data Use Agreement Review

Prior to finalizing a Data Use Agreement (“DUA”) with CMS, Sponsored Projects Administration (“SPA”) must review the DUA with the PI.

Granting Access to CMS Restricted-Use Data

Any PI who wishes to have access to CMS Restricted-Use Data or to permit others to have access to such Data must work with his/her CITG to ensure the CITG’s assistance in safeguarding such data. In such a case, the following steps should be undertaken:

  1. Prior to granting access to CMS Restricted-Use Data to the PI or others, the CITG must check with SPA to determine whether the individual who will have access has been approved by CMS.
  2. SPA will notify the CITG that it is permissible to release data only if SPA has received approval of such access from CMS and a DUA or an amendment to a DUA has been executed by CMS and the University.
  3. The first time that the CITG receives such notification, if it has not already done so, the CITG will establish sufficient security safeguards with respect to the CMS Restricted-Use Data that are consistent with the applicable DUA. If the requirements of the DUA cannot be met by the CITG, the CITG will alert the PI and SPA. In such a case, it is the responsibility of the PI and his/her department to work with CUIMC IT or another CITG to make the necessary arrangements to establish such appropriate security safeguards.
  4. Any subsequent requests for new individuals to access the CMS Restricted-Use Data must follow the same steps.