The Privacy Act of 1976, ?552a
requires the Centers for Medicare & Medicaid Services (CMS) to
track all disclosures of the agency's Personally Identifiable
Information (PII) and the exceptions for these data releases. CMS
is also required by the Health Insurance Portability and
Accountability Act (HIPAA) of 1996 and the Federal Information
Security Management Act (FISMA) of 2002 to properly protect all PII
data maintained by the agency. Part of this protection mandates
that the data be destroyed when no longer required in a manner that
prevents any unauthorized disclosure. When entities request CMS PII
data, they enter into a Data Use Agreement (DUA) with CMS. The DUA
stipulates that the recipient of CMS PII data must properly protect
the data according to FISMA and also provide for its appropriate
destruction at the completion of the project/study or the
expiration date of the DUA. However, under certain circumstances,
the data may be approved in writing by CMS for re-use in an
additional or follow-on project/study. The DUA Certificate of
Disposition (COD) form provides the data recipient to document
accordingly this variance in the disposition of the data or the
outright destruction of the data. The "Data Use Agreement (DUA)
Certificate of Disposition (COD) for Data Acquired from the Centers
for Medicare & Medicaid Services (CMS)" will be used by
recipients of CMS data to certify that they have properly disposed
of the data that they have received through a CMS DUA. The form
requires the submitter to provide the Requestor's organization; DUA
number; identification by initials as to the actual disposition of
the data; listing of the data descriptions and the years of the
data; printed name, phone number and e-mail address of the
individual signing the form; signature and date signed; and
optional point of contact name, phone number and e-mail
address.
Kayla Williams 410 786-5887
kayla.williams@cms.hhs.gov
No
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.