Categories: News, Newsletter, Newsletter Issue 2024:2

Brief on CMS Attempt to Restrict Data Access

By Colleen Carey, Lauren Nicholas, and Eric Roberts

The Centers for Medicare and Medicaid Services (CMS) recently announced plans to severely curtail access to Medicare and Medicaid data, changing access policies that would be cost-prohibitive for many researchers. The proposed plan was intended to protect data integrity in response to privacy and data security concerns. After much pushback (including a letter signed by nearly 300 health economists), CMS announced that they would pause the implementation of this new data policy and reconsider ways to maintain the security of these important datasets. In this article, the authors of that letter, Colleen Carey, Lauren Nicholas, and Eric Roberts, outline what nearly happened and what may transpire in the future.

  1. What data were at risk of having access restricted by CMS?

CMS’ proposed policies pertained to Medicare and Medicaid data that report beneficiary-level information about beneficiary demographics, coverage, health service utilization, and related information. These files are sometimes called “research identifiable files” because they contain potentially sensitive individual-level information, including beneficiary ages and dates of birth, geographic identifiers (e.g., zip code of residence), types and dates of health services used, and diagnoses captured when beneficiaries used care.

  1. Why was CMS planning to restrict or modify access to the data?

CMS was concerned about the security of research identifiable files and the potential that confidential data could be disclosed because of a security breach. The security of CMS data is a high priority for both CMS and the research community, and many universities have invested extensively in secure data infrastructure. Nevertheless, a growing number of data security breaches, including but not limited to academic institutions, prompted CMS to reconsider how it granted researchers access to research identifiable files.

Consequently, CMS proposed a rule that would have required all researchers to access research identifiable files through its secure data enclave, known as the Virtual Research Data Center (VRDC). This would have required all researchers to move to the VRDC environment (potentially at great cost), even if they were previously approved to use CMS data on a secure computing platform maintained by their university. After hearing feedback from the research community, CMS ultimately decided to pause the implementation of this rule. Conversations are continuing between the research community and federal officials about a sustainable long-term solution for maintaining the security of CMS data.

  1. What about these restrictions caused so much concern among the health economics community? What type of research would no longer be able to happen, or would be limited in a substantial way?

These restrictions could abruptly end a lot of health economics research.  For one, the cost of moving to the enclave is infeasible for many researchers.  In addition, the limited storage space, computing capabilities, and restrictions on data uploads and transmission that characterize the enclave mean that many types of work that economists do, like linking large, sensitive, non-CMS data to CMS data and estimating structural models would not be possible.

  1. This proposal by CMS received a lot of pushback. One part of that pushback was a letter signed by hundreds of health economists. What were the key points in the letter and why was it effective?

Our letter raised the concerns noted above and other issues especially relevant to health economics research.  One of the comments that came up in our work and many other comments is the benefit that this research produces for Medicare and Medicaid beneficiaries.  Many in the scientific and policy communities worry about the ways that CMS programs and beneficiaries could suffer from stopping scientific discovery.  In addition to discussing the cost and feasibility barriers associated with a move to the VRDC, we also made suggestions about ways that CMS could make data available in high-security environments like the Census RDCs that already partner with organizations and greater use of the SAQ program overseeing institutional investments in protecting CMS data.  Finally, we noted ASHEcon’s willingness to participate in discussions moving forward to help find solutions that enable research progress while safeguarding sensitive information. 

  1. CMS has halted, for now, this plan to severely restrict access to the data. Where do we go from here—what is still on the table, is access to the data still at risk, is there a timeline for a final decision, and what could sway CMS’s decision making?

First of all, if you hold a CMS DUA and did not submit a response to CMS’s Request for Information (, please consider doing so (even though the original May 15 deadline has passed). In addition, if you have federal funding, you may want to ensure your project officer is aware of the importance of CMS data to your research.

CMS will now be considering the large amount of feedback it received from professional organizations such as ASHEcon as well as in individual responses to the request for information. Many individuals and organizations have proposed alternative ways to meet CMS’s data security requirements while supporting research, and so we expect that CMS will consider such potential solutions carefully. Please watch for announcements from ASHEcon to learn if there are further opportunities for comment.

At this time, researchers can continue to apply for new use or reuse of CMS data and use the data at their home institutions. New rules, and potentially new fees, will be announced soon and could come into effect as early as 2025.

  1. Is there anything else that is important to know?

If you currently hold a DUA with CMS, you may be accustomed to receiving reminders to renew the DUA annually on its expiration date. Those emails are no longer being sent, so you should proactively renew your DUA before its expiration date. Renewals are now being handled by the Research Data Assistance Center; you can find the instructions at  Note that you will need at least 30 days remaining in the approval of your data management self-attestation questionnaire, so coordinate with your IT team early.