CMS Information Exchange Agreement (IEA)

Short Description

Business Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies

Resource Type
Contact Name
Privacy Office
Contact Email
privacy@cms.hhs.gov
Slack Channel(s)
#ispg-privacy-agreement-consults

What is an Information Exchange Agreement (IEA)?

The Privacy Act of 1974 established the Information Exchange Agreement (IEA). It is a document used when CMS discloses Personally Identifiable Information (PII) to an HHS Operating Division (OpDiv), another federal agency, or a state agency.

The IEA states the terms and conditions for the data exchange between CMS and the other party, including the privacy and security safeguards to ensure that the information is protected.  

If the data sharing involves a matching program which could adversely impact an individual’s benefits with respect to a federal benefit program, a different data sharing agreement may be appropriate instead of an IEA.

Learn about the different types of Data Sharing Agreements at CMS here. (Note that a Data Use Agreement (DUA) is usually created along with an IEA to track the data disclosure.)

IEAs at CMS

The CMS Privacy Office coordinates the development of an IEA with CMS Business Owners whose program activities involve data sharing. Active participation by those whose business operations have the legal authority to support data sharing is key to drafting an IEA. 

When do I need an IEA?

An IEA is needed when both of these are true:

  • CMS PII will be exchanged with another HHS OpDiv, or with a federal or state agency
  • There is no adverse impact on an individual’s federal benefits

How long does an IEA remain in effect?

Depending on the business requirement(s), an IEA may be in effect from one to five years (not to exceed five years). When an IEA is about to expire, the Privacy Office will contact the Business Owner to see if the agreement needs to be renewed or if there are any changes needed.

How long does it take to complete an IEA?

An IEA takes approximately 8 months from initial request to final sign-off.

How do I initiate an IEA?

First, review the information on this page to get familiar with the process for IEA and what the Business Owner is responsible for. Then, email the Privacy Office to get started: privacy@cms.hhs.gov. CMS Privacy Staff will respond and set up a time to discuss your data exchange and the materials needed to create an IEA.

IEA process

Establishing an Information Exchange Agreement takes about 8 months from initial request to final sign-off. It remains in effect for one to five years (depending on business requirements). 

The process for establishing an IEA is described below. Follow the same process to renew an existing IEA.

1. Gather required information

Estimated time to complete: 10 - 15 business days

  • Business Owner reviews the IEA Checklist to get familiar with the information that will be required to draft the agreement
  • Business Owner gathers information about the data sharing activity that will be needed to complete the IEA document

2. Intake & consultation

Estimated time to complete: 15 - 20 business days

  • Business Owner contacts the Privacy Office to request a new IEA or to renew an existing IEA
  • Privacy Office validates the need for an IEA and schedules a consultation meeting with the Business Owner
  • Privacy Office and Business Owner conduct a review of the IEA template and process, along with any information the Business Owner has prepared in advance
  • The Privacy Office provides the CMS IEA Template to the Business Owner, who will use it to draft the IEA document  
    • Note: If the Business Owner is already familiar with the IEA process, Privacy Office staff may choose to skip the consultation, and send the IEA Template to the Business Owner upon request.

3. Drafting & internal review

Estimated time to complete: 40 business days

  • Business Owner uses the IEA template to draft the IEA document, working with any stakeholders as needed. Business Owner may consult with their program’s attorney if necessary.
  • Business Owner coordinates internal stakeholder review of the IEA draft and incorporates any feedback.

4. External review & signature

Estimated time to complete: 40 business days

  • Business Owner provides IEA draft to external party (agency or OpDiv) for review
  • Once feedback is received and incorporated, external party signs the IEA

5. Sign-off & completion

Estimated time to complete: 20 business days

  • Business Owner obtains Program Official’s sign-off 
  • Business Owner sends the IEA to the Privacy Office for signing by the Senior Official for Privacy (SOP)
  • SOP signs the IEA, which is then sent back to the Business Owner
  • Business Owner provides a copy of the signed IEA to the external party
  • Signed IEA is retained by all parties

IEA checklist

Checklist for Business Owners to review when preparing for an IEA

Establishing or renewing an IEA requires the completion of the IEA template, which is provided by the Privacy Office. Ahead of time, Business Owners can prepare by drafting the information that will be needed for the IEA (listed below).

Purpose

The first part of the IEA explains who will be participating in the data sharing and why it is needed. The Business Owner provides:

  • What agency or OpDiv will be receiving the data from CMS
  • Description of the program activities that require the exchange of Personally Identifiable Information (PII)
  • Purpose for which the PII will be used

Legal authorities

This section of the IEA cites any specific federal or state statute or regulatory basis for the data disclosure. The Privacy Act is included in this list by default. The Business Owner provides citations to any of the following that provide legal authority to conduct the program underlying the data exchange:

  • Federal or state statutes
  • Executive Orders
  • Programmatic authority

Terms and definitions

For clarity and shared understanding among the parties to the agreement, the IEA includes a list of definitions of terms relevant to the program requiring the data disclosure. Some of these are common terms at CMS (for example, “breach”, “incident”, “Medicaid”, and “PII”).

There will likely be other terms specific to the systems, data, and operations of the program requiring the data disclosure.

Description of data

This section of the IEA requires a description of the data that may be disclosed as part of the agreement. The Business Owner provides:

  • Data covered by this agreement
    • List and describe the exchanges of data that correspond with the purposes and legal authority provided in those sections above
  • How many records will be used in this agreement?
    • Be precise about the number of records to be used, so both parties are clear about the exchange of data that is being proposed.
  • System(s) of Records (SOR)
    • List all the CMS Systems of Record (with notice information and routine use information) from which CMS will be sharing information as part of the agreement
    • Example: Enrollment Data Base (EDB), System No. 09-70-0502; last modified at 73 FR 10249 (February 26, 2008), as amended on April 23, 2013 (78 FR 23938), February 18, 2016 (81 FR 8204), and February 14, 2018 (83 FR 6591). Data maintained in the EDB will be released pursuant to routine use numbers 2 and 10, as set forth in the SORN.