Data Sharing Agreements

Submitted by mburgess on
Short Description

Agreements that establish how data will be managed and protected when shared between CMS and another agency

Roles
Information System Security Officer (ISSO)
System / Business Owner
Resource Type
General Information
Topics
Privacy
Contact Name
Privacy Office
Contact Email
privacy@cms.hhs.gov
Slack Channel(s)
#ispg-privacy-agreement-consults
Section
Text Block

What is a Data Sharing Agreement?

Whenever information or data will be shared between CMS and another agency, there are formal agreements that establish how the information will be shared and how it will be protected. 

What type of agreement do I need?

The CMS Privacy Office can help you determine the kind of agreement you need, based on the type of data that is being shared and the purpose for the sharing or comparing of data between agencies. The following guidance can get you started in the right direction.

When PII / PHI is involved

If the data that will be shared includes protected health information (PHI) and/or personally identifiable information (PII), it’s likely that the CMS Privacy Office will be your point of contact to establish the required agreement. Email them at privacy@cms.hhs.gov to confirm what kind of agreement you need.

Computer Matching Agreement (CMA)

You might need a Computer Matching Agreement (CMA) if:

  • A computer matching program is being proposed
  • Two or more automated systems of record are being compared between agencies
  • The data comparison will have an impact on individuals’ federal benefits
  • The data comparison will be used to recoup payments, investigate fraud, or verify compliance with federal benefits programs

Learn more about CMAs here.

Information Exchange Agreement (IEA)

You might need an Information Exchange Agreement (IEA) if:

  • CMS PII will be exchanged with another HHS OpDiv, or with a federal or state agency
  • There is no adverse impact on an individual’s federal benefits

Learn more about IEAs here.

Data Use Agreement (DUA)

You might need a Data Use Agreement (DUA) if:

  • Another agency is asking for disclosure of PII and/or PHI from CMS

When requests for disclosures of protected health information (PHI) and/or personally identifiable information (PII) are made to CMS, a Data Use Agreement (DUA) is signed to ensure that data requesters adhere to CMS privacy and security requirements and data release policies. Learn more about Data Disclosures and Data Use Agreements on cms.gov.

DUAs are not managed by the CMS Privacy Office. They are administered by the CMS Office of Enterprise Data and Analytics. To learn more or get help with a DUA, email: DataUseAgreement@cms.hhs.gov.

Note: There are times when a DUA must be accompanied by an IEA.

When PII / PHI is not involved

For data sharing that does not include protected health information (PHI) and/or personally identifiable information (PII), it is likely you need an agreement that is not managed by the CMS Privacy Office. Several types of agreements are listed below, along with the appropriate CMS Office to contact for more information.

Inter-Agency/Intra-Agency Agreements (IAA)

This is a written contract in which a Federal agency agrees to provide to, purchase from, or exchange with another Federal agency:

  • Services (including data)
  • Supplies
  • Equipment

Inter-agency agreements are between at least one component within DHHS and another Federal agency or component thereof. Intra-agency agreements are between two or more agencies within DHHS. Many federal agencies use IAAs as the mechanism for paying data fees. 

IAAs are not managed by the CMS Privacy Office. They are administered by the CMS Office of Acquisition and Grants Management. To learn about the agreements available from OAGM (including IAAs), email: InterAgencyAgreements@cms.hhs.gov 

Memorandum of Understanding (MOU)

A Memorandum of Understanding (MOU) is an important part of any formal arrangement for cooperation between two or more federal agencies. It serves as a statement of intent between the participating organizations to work together to achieve a shared goal.

Many CMS systems share data with other systems within CMS and across different agencies. To safeguard the data they share, it often makes sense for connected systems to enter into security agreements. An MOU is signed between two or more systems approved under the same Authorization Official (AO) at CMS.

If your data sharing partner is located outside CMS and their system is approved by a different Authorization Official (AO), you will need an Interconnection Security Agreement (ISA) instead of a MOU.

MOUs are not managed by the CMS Privacy Office. They are administered by the CMS Office of Acquisition and Grants Management. To learn about the agreements available from OAGM (including MOUs), email: InterAgencyAgreements@cms.hhs.gov.

Are you looking for information about Memorandum of Agreement (MOA)? This is the same thing as an MOU. At CMS, Memorandum of Agreement has been replaced by Memorandum of Understanding, although some legacy MOAs still remain in use.

Related resources
Resource Title
CMS Information Exchange Agreement (IEA)
Resource Title
CMS Computer Matching Agreement (CMA)